Windows Analysis Report fillProxy_for_terminal_20210702_v1.0.0.exe

Overview

General Information

Sample Name:fillProxy_for_terminal_20210702_v1.0.0.exe
Analysis ID:541378
MD5:e744a9216199c95f313b5a9caff52306
SHA1:e6895f247ec71e97db4eb75070408f171203919e
SHA256:13d345e09772591b82023fb12d68e41158c865bfec60c017d50aff16486e07e1

Detection

Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Infects executable files (exe, dll, sys, html)
Changes security center settings (notifications, updates, antivirus, firewall)
Uses regedit.exe to modify the Windows registry
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Uses the system / local time for branch decision (may execute only at specific dates)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain checking for process token information
Sigma detected: Imports Registry Key From a File
PE file contains more sections than normal
Checks for available system drives (often done to infect USB drives)
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
Contains functionality to shutdown / reboot the system
Creates files inside the system directory
PE file contains sections with non-standard names
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Uses cacls to modify the permissions of files
Installs a global mouse hook
Found evaded block containing many API calls
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

  • System is w10x64
  • fillProxy_for_terminal_20210702_v1.0.0.exe (PID: 7056 cmdline: "C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe" MD5: E744A9216199C95F313B5A9CAFF52306)
    • cmd.exe (PID: 5316 cmdline: C:\Windows\system32\cmd.exe /c ""C:\ztg\fillProxy\bin\run_startfill.bat"" MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • regedit.exe (PID: 5348 cmdline: regedit /s "C:\ztg\fillProxy\bin\startFill.reg" MD5: 617538C965AC4DDC72F9CF647C4343D5)
    • cmd.exe (PID: 6512 cmdline: C:\Windows\system32\cmd.exe /c ""C:\ztg\fillProxy\bin\changePv.bat"" MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cacls.exe (PID: 6596 cmdline: Cacls C:\ztg /t /e /c /g users:f MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)
      • cacls.exe (PID: 6548 cmdline: Cacls C:\ztg /t /e /c /g "Domain users":f MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)
    • cmd.exe (PID: 6540 cmdline: C:\Windows\system32\cmd.exe /c ""C:\ztg\fillProxy\bin\install_vc.bat"" MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • vcredist_x86.exe (PID: 6976 cmdline: C:\ztg\fillProxy\bin\vcredist_x86.exe /q MD5: DE34B1C517E0463602624BBC8294C08D)
        • vcredist_x86.exe (PID: 6936 cmdline: "C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe" -burn.clean.room="C:\ztg\fillProxy\bin\vcredist_x86.exe" -burn.filehandle.attached=744 -burn.filehandle.self=816 /q MD5: 2F9D2B6CE54F9095695B53D1AA217C7B)
          • VC_redist.x86.exe (PID: 4476 cmdline: "C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{645B3868-9A7A-49FB-A8C1-BAE7792CA0E7} {A6CC766D-FCE7-4ED5-846F-2A3F82C8859D} 6936 MD5: 2F9D2B6CE54F9095695B53D1AA217C7B)
            • VC_redist.x86.exe (PID: 1860 cmdline: "C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={65e650ff-30be-469d-b63a-418d71ea1765} -burn.filehandle.self=1176 -burn.embedded BurnPipe.{3DFA5E1E-FA14-4FA6-B845-2FEC294BCE10} {BF0E961E-0781-45C2-9B76-B54C300A2310} 4476 MD5: 77F9143FEEBC7782FE91336F104EC997)
              • VC_redist.x86.exe (PID: 6656 cmdline: "C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -burn.filehandle.attached=168 -burn.filehandle.self=776 -uninstall -quiet -burn.related.upgrade -burn.ancestors={65e650ff-30be-469d-b63a-418d71ea1765} -burn.filehandle.self=1176 -burn.embedded BurnPipe.{3DFA5E1E-FA14-4FA6-B845-2FEC294BCE10} {BF0E961E-0781-45C2-9B76-B54C300A2310} 4476 MD5: 77F9143FEEBC7782FE91336F104EC997)
  • svchost.exe (PID: 6096 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6280 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5324 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6368 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6340 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5400 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 6260 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 3452 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 2228 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 4256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6924 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • msiexec.exe (PID: 2952 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)
  • svchost.exe (PID: 5400 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • VC_redist.x86.exe (PID: 5928 cmdline: "C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" /burn.runonce MD5: 2F9D2B6CE54F9095695B53D1AA217C7B)
    • VC_redist.x86.exe (PID: 5912 cmdline: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" /quiet /burn.log.append "C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20211217060759.log MD5: 2F9D2B6CE54F9095695B53D1AA217C7B)
      • VC_redist.x86.exe (PID: 5704 cmdline: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -burn.filehandle.attached=564 -burn.filehandle.self=584 /quiet /burn.log.append "C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20211217060759.log MD5: 2F9D2B6CE54F9095695B53D1AA217C7B)
        • VC_redist.x86.exe (PID: 4404 cmdline: "C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{36DB509C-8644-440C-B46D-D0502611EA71} {DAD621ED-08F2-4F98-B829-756C75226406} 5704 MD5: 2F9D2B6CE54F9095695B53D1AA217C7B)
          • VC_redist.x86.exe (PID: 5904 cmdline: "C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={65e650ff-30be-469d-b63a-418d71ea1765} -burn.filehandle.self=1100 -burn.embedded BurnPipe.{66F04CCF-DF99-4716-9126-725C0AF2D3CA} {6E53EA31-B961-426F-8981-955415C328A5} 4404 MD5: 77F9143FEEBC7782FE91336F104EC997)
  • svchost.exe (PID: 6668 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Imports Registry Key From a File
Source: Process started, Author: Oddvar Moe, Sander Wiebing, oscd.community: Data: Command: regedit /s "C:\ztg\fillProxy\bin\startFill.reg", CommandLine: regedit /s "C:\ztg\fillProxy\bin\startFill.reg", CommandLine|base64offset|contains: v+, Image: C:\Windows\SysWOW64\regedit.exe, NewProcessName: C:\Windows\SysWOW64\regedit.exe, OriginalFileName: C:\Windows\SysWOW64\regedit.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\ztg\fillProxy\bin\run_startfill.bat"", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5316, ProcessCommandLine: regedit /s "C:\ztg\fillProxy\bin\startFill.reg", ProcessId: 5348

Jbx Signature Overview

Source: C:\ztg\fillProxy\bin\vcredist_x86.exeCode function: 20_2_000A9EB7 DecryptFileW,20_2_000A9EB7
Source: C:\ztg\fillProxy\bin\vcredist_x86.exeCode function: 20_2_000CF961 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,20_2_000CF961
Source: C:\ztg\fillProxy\bin\vcredist_x86.exeCode function: 20_2_000A9C99 DecryptFileW,DecryptFileW,20_2_000A9C99
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeCode function: 21_2_00029EB7 DecryptFileW,21_2_00029EB7
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeCode function: 21_2_0004F961 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,21_2_0004F961
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeCode function: 21_2_00029C99 DecryptFileW,DecryptFileW,21_2_00029C99
Source: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exeCode function: 23_2_00FCF961 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,23_2_00FCF961
Source: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exeCode function: 23_2_00FA9C99 DecryptFileW,DecryptFileW,23_2_00FA9C99
Source: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exeCode function: 23_2_00FA9EB7 DecryptFileW,23_2_00FA9EB7
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeCode function: 27_2_012CF961 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,27_2_012CF961
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeCode function: 27_2_012A9C99 DecryptFileW,DecryptFileW,27_2_012A9C99
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeCode function: 27_2_012A9EB7 DecryptFileW,27_2_012A9EB7
Source: fillClient.exe.0.drBinary or memory string: -----BEGIN PUBLIC KEY-----
Source: fillProxy_for_terminal_20210702_v1.0.0.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore SRInitDone
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore SRInitDone
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\license.rtf
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\1028\license.rtf
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\1029\license.rtf
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\1031\license.rtf
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\1036\license.rtf
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\1040\license.rtf
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\1041\license.rtf
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\1042\license.rtf
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\1045\license.rtf
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\1046\license.rtf
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\1049\license.rtf
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\1055\license.rtf
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\2052\license.rtf
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\3082\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile created: C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile created: C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\1028\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile created: C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\1029\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile created: C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\1031\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile created: C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\1036\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile created: C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\1040\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile created: C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\1041\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile created: C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\1042\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile created: C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\1045\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile created: C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\1046\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile created: C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\1055\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile created: C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\2052\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile created: C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\3082\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\1028\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\1029\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\1031\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\1036\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\1040\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\1041\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\1042\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\1045\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\1046\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\1049\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\1055\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\2052\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\3082\license.rtf
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: vcredist_x86.exe, 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp, vcredist_x86.exe, 00000014.00000000.317945274.00000000000DB000.00000002.00020000.sdmp, vcredist_x86.exe, 00000015.00000000.319764798.000000000005B000.00000002.00020000.sdmp, vcredist_x86.exe, 00000015.00000002.504265173.000000000005B000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000017.00000002.502138652.0000000000FDB000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000017.00000003.353876139.0000000000C5D000.00000004.00000001.sdmp, VC_redist.x86.exe, 00000017.00000000.349522912.0000000000FDB000.00000002.00020000.sdmp, VC_redist.x86.exe, 0000001B.00000000.375558674.00000000012DB000.00000002.00020000.sdmp, VC_redist.x86.exe, 0000001B.00000002.377741004.00000000012DB000.00000002.00020000.sdmp, VC_redist.x86.exe, 0000001C.00000002.495810433.00000000012DB000.00000002.00020000.sdmp, VC_redist.x86.exe, 0000001C.00000000.376739504.00000000012DB000.00000002.00020000.sdmp, VC_redist.x86.exe, 0000001D.00000000.377937053.00000000012DB000.00000002.00020000.sdmp, VC_redist.x86.exe, 0000001D.00000002.494132180.00000000012DB000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000029.00000000.439038822.00000000012DB000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000029.00000002.491994463.00000000012DB000.00000002.00020000.sdmp, VC_redist.x86.exe, 0000002C.00000002.500102356.0000000000D1B000.00000002.00020000.sdmp, VC_redist.x86.exe, 0000002D.00000002.499115879.0000000000D1B000.00000002.00020000.sdmp, VC_redist.x86.exe, 0000002E.00000002.488931862.0000000000D1B000.00000002.00020000.sdmp, VC_redist.x86.exe.23.dr, vcredist_x86.exe.0.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFCM140.i386.pdb source: mfcm140.dll.25.dr
Source: Binary string: D:\work\windows\wauditer1.0\fillProxy\Release\fixBoostIpcSharedMem6005issue.pdb source: fixBoostIpcSharedMem6005issue.exe.0.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140FRA.i386.pdb source: mfc140fra.dll.25.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\vcamp140.i386.pdb source: vcamp140.dll.25.dr
Source: Binary string: D:\study\windows\libsigcplusplus-3.0.3\MSVC_NMake\vs16\release\Win32\sigc-vc142-3_0.pdb source: sigc-vc142-3_0.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\vcamp140.i386.pdbGCTL source: vcamp140.dll.25.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\msvcp140_1.i386.pdbGCTL source: msvcp140_1.dll.25.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140CHS.i386.pdb source: mfc140chs.dll.25.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\msvcp140_1.i386.pdb source: msvcp140_1.dll.25.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: vcruntime140.dll.25.dr
Source: Binary string: D:\work\windows\wauditer1.0\fillProxy\Release\fillClient.pdb source: fillClient.exe.0.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140ENU.i386.pdb source: mfc140enu.dll.25.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: msvcp140.dll.25.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140JPN.i386.pdb source: mfc140jpn.dll.25.dr
Source: Binary string: D:\study\windows\libsigcplusplus-3.0.3\MSVC_NMake\vs16\release\Win32\sigc-vc142-3_0.pdb!! source: sigc-vc142-3_0.dll.0.dr
Source: Binary string: spyxx.pdb source: spyxx.exe.0.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.25.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.25.dr

Spreading:

Infects executable files (exe, dll, sys, html)
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\mfc140esn.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\mfc140ita.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\mfc140deu.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\vcamp140.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\mfc140jpn.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\mfc140chs.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\mfcm140u.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\mfc140.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\concrt140.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\msvcp140_1.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\mfc140fra.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\vcomp140.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\mfc140rus.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\mfc140cht.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\mfcm140.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\vccorlib140.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\msvcp140.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\mfc140u.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\vcruntime140.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\mfc140kor.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\msvcp140_2.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\mfc140enu.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile opened: z:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile opened: x:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile opened: v:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile opened: t:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile opened: r:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile opened: p:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile opened: n:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile opened: l:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile opened: j:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile opened: h:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile opened: f:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile opened: b:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile opened: y:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile opened: w:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile opened: u:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile opened: s:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile opened: q:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile opened: o:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile opened: m:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile opened: k:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile opened: i:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile opened: g:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile opened: e:
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile opened: c:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile opened: a:
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeCode function: 0_2_0040E4C1 GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetDriveTypeA,lstrlenA,0_2_0040E4C1
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile opened: C:\Users\user
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Code function: 0_2_0040E2EE lstrlenA,lstrlenA,lstrcpyA,lstrcatA,FindFirstFileA,FindClose,lstrlenA,FindClose,lstrcpyA,lstrcatA,lstrlenA,lstrcmpiA,FindNextFileA,FindClose,FindClose,lstrlenA,lstrcpyA,FindClose,0_2_0040E2EE
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Code function: 0_2_0040B6B3 FindFirstFileA,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,lstrcmpiA,SendDlgItemMessageA,FindNextFileA,FindClose,0_2_0040B6B3
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Code function: 0_2_0041FB81 FindFirstFileA,GetFileAttributesA,lstrlenA,FindNextFileA,FindClose,0_2_0041FB81
Source: C:\ztg\fillProxy\bin\vcredist_x86.exe Code function: 20_2_00093BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,20_2_00093BC3
Source: C:\ztg\fillProxy\bin\vcredist_x86.exe Code function: 20_2_000D4315 FindFirstFileW,FindClose,20_2_000D4315
Source: C:\ztg\fillProxy\bin\vcredist_x86.exe Code function: 20_2_000A993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,20_2_000A993E
Source: C:\ztg\fillProxy\bin\vcredist_x86.exe Code function: 20_2_000C7A87 FindFirstFileExW,20_2_000C7A87
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe Code function: 21_2_00054315 FindFirstFileW,FindClose,21_2_00054315
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe Code function: 21_2_0002993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,21_2_0002993E
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe Code function: 21_2_00013BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,21_2_00013BC3
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe Code function: 21_2_00047A87 FindFirstFileExW,21_2_00047A87
Source: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exe Code function: 23_2_00FA993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,23_2_00FA993E
Source: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exe Code function: 23_2_00F93BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,23_2_00F93BC3
Source: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exe Code function: 23_2_00FD4315 FindFirstFileW,FindClose,23_2_00FD4315
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Code function: 27_2_012D4315 FindFirstFileW,FindClose,27_2_012D4315
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Code function: 27_2_01293BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,27_2_01293BC3
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Code function: 0_2_0040EE9C GetDC,AppendMenuA,GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,ReleaseDC,DeleteDC,SelectObject,DeleteDC,GetDC,BitBlt,ReleaseDC,DeleteObject,0_2_0040EE9C
Source: fillProxy_for_terminal_20210702_v1.0.0.exe Binary or memory string: DirectInput8Create
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT.DLL

System Summary:

Uses regedit.exe to modify the Windows registry
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\regedit.exe regedit /s "C:\ztg\fillProxy\bin\startFill.reg"
Source: spyxx.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mfc140u.dll.25.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mfc140u.dll.25.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\System32\svchost.exeSection loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exeSection loaded: cdpsgshims.dll
Source: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exeSection loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeSection loaded: tsappcmp.dll
Source: libcurl.dll.0.drStatic PE information: Number of sections : 11 > 10
Source: libcurl-x64.dll.0.drStatic PE information: Number of sections : 12 > 10
Source: curl.exe.0.drStatic PE information: Number of sections : 11 > 10
Source: fillProxy_for_terminal_20210702_v1.0.0.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\ztg\fillProxy\bin\vcredist_x86.exeFile deleted: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeCode function: 0_2_00411D82 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00411D82
Source: C:\ztg\fillProxy\bin\vcredist_x86.exeFile created: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeCode function: String function: 0041CBF9 appears 36 times
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeCode function: String function: 0041C467 appears 48 times
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeCode function: String function: 00424A30 appears 46 times
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeCode function: String function: 0041C047 appears 31 times
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeCode function: String function: 012937D3 appears 429 times
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeCode function: String function: 012D31C7 appears 83 times
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeCode function: String function: 012D012F appears 547 times
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeCode function: String function: 01291F20 appears 51 times
Source: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exeCode function: String function: 00F937D3 appears 465 times
Source: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exeCode function: String function: 00FD31C7 appears 83 times
Source: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exeCode function: String function: 00F91F20 appears 51 times
Source: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exeCode function: String function: 00FD012F appears 616 times
Source: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exeCode function: String function: 00FD061A appears 33 times
Source: C:\ztg\fillProxy\bin\vcredist_x86.exeCode function: String function: 00091F20 appears 54 times
Source: C:\ztg\fillProxy\bin\vcredist_x86.exeCode function: String function: 000D31C7 appears 85 times
Source: C:\ztg\fillProxy\bin\vcredist_x86.exeCode function: String function: 000D012F appears 678 times
Source: C:\ztg\fillProxy\bin\vcredist_x86.exeCode function: String function: 000937D3 appears 496 times
Source: C:\ztg\fillProxy\bin\vcredist_x86.exeCode function: String function: 000D061A appears 34 times
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeCode function: String function: 0005061A appears 34 times
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeCode function: String function: 00011F20 appears 53 times
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeCode function: String function: 000531C7 appears 83 times
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeCode function: String function: 000137D3 appears 496 times
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeCode function: String function: 0005012F appears 679 times
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeCode function: 0_2_0041FEF9 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,NtProtectVirtualMemory,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,FreeLibrary,LoadLibraryA,FreeLibrary,CoInitialize,CoCreateInstance,CoUninitialize,FreeLibrary,FreeLibrary,FreeLibrary,0_2_0041FEF9
Source: mfc140esn.dll.25.drStatic PE information: No import functions for PE file found
Source: mfc140jpn.dll.25.drStatic PE information: No import functions for PE file found
Source: mfc140kor.dll.25.drStatic PE information: No import functions for PE file found
Source: mfc140enu.dll.25.drStatic PE information: No import functions for PE file found
Source: mfc140rus.dll.25.drStatic PE information: No import functions for PE file found
Source: mfc140fra.dll.25.drStatic PE information: No import functions for PE file found
Source: mfc140ita.dll.25.drStatic PE information: No import functions for PE file found
Source: fillProxy_for_terminal_20210702_v1.0.0.exe, 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameSPYXXHK.DLL^ vs fillProxy_for_terminal_20210702_v1.0.0.exe
Source: fillProxy_for_terminal_20210702_v1.0.0.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\fillProxy
Source: classification engineClassification label: mal52.spre.evad.winEXE@54/291@0/1
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeCode function: 0_2_00405408 GetLastError,FormatMessageA,GetActiveWindow,0_2_00405408
Source: C:\ztg\fillProxy\bin\vcredist_x86.exeCode function: 20_2_000B6945 ChangeServiceConfigW,GetLastError,20_2_000B6945
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ztg\fillProxy\bin\run_startfill.bat""
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile read: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknownProcess created: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe "C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe"
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknownProcess created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ztg\fillProxy\bin\run_startfill.bat""
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\regedit.exe regedit /s "C:\ztg\fillProxy\bin\startFill.reg"
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ztg\fillProxy\bin\changePv.bat""
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cacls.exe Cacls C:\ztg /t /e /c /g users:f
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cacls.exe Cacls C:\ztg /t /e /c /g "Domain users":f
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ztg\fillProxy\bin\install_vc.bat""
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\ztg\fillProxy\bin\vcredist_x86.exe C:\ztg\fillProxy\bin\vcredist_x86.exe /q
Source: C:\ztg\fillProxy\bin\vcredist_x86.exeProcess created: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe "C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe" -burn.clean.room="C:\ztg\fillProxy\bin\vcredist_x86.exe" -burn.filehandle.attached=744 -burn.filehandle.self=816 /q
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeProcess created: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exe "C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{645B3868-9A7A-49FB-A8C1-BAE7792CA0E7} {A6CC766D-FCE7-4ED5-846F-2A3F82C8859D} 6936
Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: unknownProcess created: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe "C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" /burn.runonce
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeProcess created: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" /quiet /burn.log.append "C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20211217060759.log
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeProcess created: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -burn.filehandle.attached=564 -burn.filehandle.self=584 /quiet /burn.log.append "C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20211217060759.log
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeProcess created: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe "C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{36DB509C-8644-440C-B46D-D0502611EA71} {DAD621ED-08F2-4F98-B829-756C75226406} 5704
Source: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exeProcess created: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe "C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={65e650ff-30be-469d-b63a-418d71ea1765} -burn.filehandle.self=1176 -burn.embedded BurnPipe.{3DFA5E1E-FA14-4FA6-B845-2FEC294BCE10} {BF0E961E-0781-45C2-9B76-B54C300A2310} 4476
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeProcess created: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe "C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -burn.filehandle.attached=168 -burn.filehandle.self=776 -uninstall -quiet -burn.related.upgrade -burn.ancestors={65e650ff-30be-469d-b63a-418d71ea1765} -burn.filehandle.self=1176 -burn.embedded BurnPipe.{3DFA5E1E-FA14-4FA6-B845-2FEC294BCE10} {BF0E961E-0781-45C2-9B76-B54C300A2310} 4476
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeProcess created: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe "C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={65e650ff-30be-469d-b63a-418d71ea1765} -burn.filehandle.self=1100 -burn.embedded BurnPipe.{66F04CCF-DF99-4716-9126-725C0AF2D3CA} {6E53EA31-B961-426F-8981-955415C328A5} 4404
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeProcess created: unknown unknown
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeProcess created: unknown unknown
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25E609E4-B259-11CF-BFC7-444553540000}\InProcServer32
Source: C:\ztg\fillProxy\bin\vcredist_x86.exeCode function: 20_2_000944E9 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,20_2_000944E9
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeCode function: 21_2_000144E9 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,21_2_000144E9
Source: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exeCode function: 23_2_00F944E9 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,23_2_00F944E9
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeCode function: 27_2_012944E9 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,27_2_012944E9
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\Users\user\AppData\Local\Temp\aiw6403531.EXE
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeCode function: 0_2_0040DE4D LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetDiskFreeSpaceExA,FreeLibrary,FreeLibrary,FreeLibrary,0_2_0040DE4D
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeMutant created: \Sessions\1\BaseNamedObjects\fillProxymutex
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4256:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6528:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6536:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5352:120:WilError_01
Source: C:\ztg\fillProxy\bin\vcredist_x86.exeCommand line argument: cabinet.dll20_2_00091070
Source: C:\ztg\fillProxy\bin\vcredist_x86.exeCommand line argument: msi.dll20_2_00091070
Source: C:\ztg\fillProxy\bin\vcredist_x86.exeCommand line argument: version.dll20_2_00091070
Source: C:\ztg\fillProxy\bin\vcredist_x86.exeCommand line argument: wininet.dll20_2_00091070
Source: C:\ztg\fillProxy\bin\vcredist_x86.exeCommand line argument: comres.dll20_2_00091070
Source: C:\ztg\fillProxy\bin\vcredist_x86.exeCommand line argument: clbcatq.dll20_2_00091070
Source: C:\ztg\fillProxy\bin\vcredist_x86.exeCommand line argument: msasn1.dll20_2_00091070
Source: C:\ztg\fillProxy\bin\vcredist_x86.exeCommand line argument: crypt32.dll20_2_00091070
Source: C:\ztg\fillProxy\bin\vcredist_x86.exeCommand line argument: feclient.dll20_2_00091070
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeCommand line argument: cabinet.dll21_2_00011070
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeCommand line argument: msi.dll21_2_00011070
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeCommand line argument: version.dll21_2_00011070
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeCommand line argument: wininet.dll21_2_00011070
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeCommand line argument: comres.dll21_2_00011070
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeCommand line argument: clbcatq.dll21_2_00011070
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeCommand line argument: msasn1.dll21_2_00011070
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeCommand line argument: crypt32.dll21_2_00011070
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeCommand line argument: feclient.dll21_2_00011070
Source: fillProxy_for_terminal_20210702_v1.0.0.exeString found in binary or memory: %s installation couldn't be found. Try re-installing the application before running update.
Source: fillProxy_for_terminal_20210702_v1.0.0.exeString found in binary or memory: The installation was not removed. Do you still want to re-install?
Source: fillProxy_for_terminal_20210702_v1.0.0.exeString found in binary or memory: %s is already installed on your system. It is highly recommended to uninstall the application before re-installing. Do you want to uninstall %s before re-installing?
Source: vcredist_x86.exeString found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: VC_redist.x86.exeString found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: fillProxy_for_terminal_20210702_v1.0.0.exeString found in binary or memory: BFile size mismatch: This file is corrupted; If you downloaded this file from the internet, try downloading it againChecksum mismatch. The installation is corrupt or has been tampered with. If you downloaded this file from the internet, try downloading it again.Initialization failed. Aborting. Error code: %dCouldn't read TOC. Aborting.The installation was not removed. Do you still want to re-install?<__Internal_InstallationNotRemoved__>Couldn't launch uninstaller. Previous installation was not removed!/SILENT /NOREMOVE"%s" Couldn't find uninstaller. Previous installation was not removed!<__Internal_AlreadyInstalled__>%s is already installed on your system. It is highly recommended to uninstall the application before re-installing. Do you want to uninstall %s before re-installing?.bakGraphics initialization failedAstrumInstaller\3rd-party\slideshow\installerFailed to launch installer. (CreateProcess failed) /revert /silent<IsAdmin><DS2000>C:\Progra~1\Common~1C:\Program Files\Common FilesCommonFilesDirC:\Progra~1C:\Program FilesSoftware\Microsoft\Windows\CurrentVersionProgramFilesDir<MyDocuments><DesktopNt><ProgramsDirNt><StartMenuNt><StartUpNt><Date><SystemDrive><SetupDir><ShortTempDir><TempDir><ShortSystemDir><SystemDir><ShortWindowsDir><WindowsDir><ShortCommonFiles><CommonFiles><ShortProgramFiles><ProgramFiles><ShortStartMenu><StartMenu><FontDir><ShortDesktop><Desktop><ShortStartUp><StartUp><ShortProgramsDir><ProgramsDir><IsUpdate>This setup program was created using unregistered shareware version of Astrum InstallWizard and distribution of this program is strictly forbidden.
Source: fillProxy_for_terminal_20210702_v1.0.0.exeString found in binary or memory: (This message will not be shown in the registered version of Astrum InstallWizard.)Astrum InstallerGraphics initialization failed. Dialog image will not be shown<__Internal_InitializingTitle__><__Internal_Initializing__>RegisteredOrganizationSoftware\Microsoft\Windows NT\CurrentVersionGetUserNameExASecur32.dllOnMessageSystemInformationEntryPointCustomEntryPoint13EntryPoint12EntryPoint11EntryPoint10EntryPoint9EntryPoint8EntryPoint7EntryPoint6EntryPoint5EntryPoint4EntryPoint3EntryPoint2EntryPoint1_5EntryPoint1EntryPoint0AdvancedEntry.jpg/REVERT/SILENT"<ResourceDir>\3rd-party\Downloader.exe" /download /local "%s" /url "%s" /program "%s"<ResourceDir>\3rd-party\%s.exe"%s"%s /q:a /c:"dasetup.exe /q /n" /r:n /q:aDirectX9.08.18.07.0Microsoft Data Access ComponentsFullInstallVerSoftware\Microsoft\DataAccess2.80.1022.32.82.70.9001.02.72.60.6526.32.62.50.4403.122.5HTML Help Viewer 1.331.321.311.31.221.21a1.211.21.1b1.1a1.0\hhctrl.ocxJava .NET Framework 1.1.FOTmutexAutorunCommandCouldn't read destination directory from registry. Aborting<__Internal_DirNotFound__><ResourceDir><UninstallerName><ShortcutDir><InstallDir><ShortShortcutDir><ShortInstallDir><UserSerial><UserCompany><UserName><__Internal_FindingFile__>%sinst%dOut of memory%s installation couldn't be found. Try re-installing the application before running update.This update supports updates from version %s up to version %s. You have version %s and it cannot be updated by this program.<__Internal_UpdateCannotUpdate1__>This update updates to version %s which is already installed on your system.<__Internal_UpdateAlreadyInstalled__>This update supports updates from version(s) %s. 
You have currently version %s and it cannot be updated by this program.<__Internal_UpdateCannotUpdate2__>This update updates to version %s which is already installed on your system and , HKEY_USERSHKEY_LOCAL_MACHINEHKEY_CURRENT_USERHKEY_CLASSES_ROOTThis will install %s to your computer. Do you want to continue?<__Internal_InstallVerification__>This will update %s to version %s. Do you want to continue?<__Internal_UpdateVerification__>Do your really want to exit setup?JPGToBMPExJPGToBMPGetDllVersionBlit%b%sOut of boundsInvalid param
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile written: C:\ztg\fillProxy\data\FlashFXP.ini
Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeWindow detected: Number of UI elements: 23
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeWindow detected: Number of UI elements: 23
Source: fillProxy_for_terminal_20210702_v1.0.0.exeStatic file information: File size 23653052 > 1048576
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: vcredist_x86.exe, 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp, vcredist_x86.exe, 00000014.00000000.317945274.00000000000DB000.00000002.00020000.sdmp, vcredist_x86.exe, 00000015.00000000.319764798.000000000005B000.00000002.00020000.sdmp, vcredist_x86.exe, 00000015.00000002.504265173.000000000005B000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000017.00000002.502138652.0000000000FDB000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000017.00000003.353876139.0000000000C5D000.00000004.00000001.sdmp, VC_redist.x86.exe, 00000017.00000000.349522912.0000000000FDB000.00000002.00020000.sdmp, VC_redist.x86.exe, 0000001B.00000000.375558674.00000000012DB000.00000002.00020000.sdmp, VC_redist.x86.exe, 0000001B.00000002.377741004.00000000012DB000.00000002.00020000.sdmp, VC_redist.x86.exe, 0000001C.00000002.495810433.00000000012DB000.00000002.00020000.sdmp, VC_redist.x86.exe, 0000001C.00000000.376739504.00000000012DB000.00000002.00020000.sdmp, VC_redist.x86.exe, 0000001D.00000000.377937053.00000000012DB000.00000002.00020000.sdmp, VC_redist.x86.exe, 0000001D.00000002.494132180.00000000012DB000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000029.00000000.439038822.00000000012DB000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000029.00000002.491994463.00000000012DB000.00000002.00020000.sdmp, VC_redist.x86.exe, 0000002C.00000002.500102356.0000000000D1B000.00000002.00020000.sdmp, VC_redist.x86.exe, 0000002D.00000002.499115879.0000000000D1B000.00000002.00020000.sdmp, VC_redist.x86.exe, 0000002E.00000002.488931862.0000000000D1B000.00000002.00020000.sdmp, VC_redist.x86.exe.23.dr, vcredist_x86.exe.0.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFCM140.i386.pdb source: mfcm140.dll.25.dr
Source: Binary string: D:\work\windows\wauditer1.0\fillProxy\Release\fixBoostIpcSharedMem6005issue.pdb source: fixBoostIpcSharedMem6005issue.exe.0.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140FRA.i386.pdb source: mfc140fra.dll.25.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\vcamp140.i386.pdb source: vcamp140.dll.25.dr
Source: Binary string: D:\study\windows\libsigcplusplus-3.0.3\MSVC_NMake\vs16\release\Win32\sigc-vc142-3_0.pdb source: sigc-vc142-3_0.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\vcamp140.i386.pdbGCTL source: vcamp140.dll.25.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\msvcp140_1.i386.pdbGCTL source: msvcp140_1.dll.25.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140CHS.i386.pdb source: mfc140chs.dll.25.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\msvcp140_1.i386.pdb source: msvcp140_1.dll.25.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: vcruntime140.dll.25.dr
Source: Binary string: D:\work\windows\wauditer1.0\fillProxy\Release\fillClient.pdb source: fillClient.exe.0.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140ENU.i386.pdb source: mfc140enu.dll.25.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: msvcp140.dll.25.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140JPN.i386.pdb source: mfc140jpn.dll.25.dr
Source: Binary string: D:\study\windows\libsigcplusplus-3.0.3\MSVC_NMake\vs16\release\Win32\sigc-vc142-3_0.pdb!! source: sigc-vc142-3_0.dll.0.dr
Source: Binary string: spyxx.pdb source: spyxx.exe.0.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.25.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.25.dr
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeCode function: 0_2_00425220 push eax; ret 0_2_0042524E
Source: C:\ztg\fillProxy\bin\vcredist_x86.exeCode function: 20_2_000BE876 push ecx; ret 20_2_000BE889
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeCode function: 21_2_0003E876 push ecx; ret 21_2_0003E889
Source: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exeCode function: 23_2_00FBE876 push ecx; ret 23_2_00FBE889
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeCode function: 27_2_012BE876 push ecx; ret 27_2_012BE889
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeCode function: 0_2_00411811 lstrcpyA,LoadLibraryA,GetProcAddress,GetShortPathNameW,WideCharToMultiByte,lstrlenA,lstrlenA,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrcatA,0_2_00411811
Source: curl.exe.0.drStatic PE information: section name: .eh_fram
Source: vcredist_x86.exe.0.drStatic PE information: section name: .wixburn
Source: libcurl-x64.dll.0.drStatic PE information: section name: .xdata
Source: libcurl.dll.0.drStatic PE information: section name: .eh_fram
Source: sigc-vc142-d-3_0.dll.0.drStatic PE information: section name: .00cfg
Source: spyxxhk.dll.0.drStatic PE information: section name: .shdata
Source: vcredist_x86.exe.20.drStatic PE information: section name: .wixburn
Source: VC_redist.x86.exe.21.drStatic PE information: section name: .wixburn
Source: VC_redist.x86.exe.23.drStatic PE information: section name: .wixburn
Source: mfc140u.dll.25.drStatic PE information: section name: .didat
Source: msvcp140.dll.25.drStatic PE information: section name: .didat

Persistence and Installation Behavior:

Infects executable files (exe, dll, sys, html)
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\mfc140esn.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\mfc140ita.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\mfc140deu.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\vcamp140.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\mfc140jpn.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\mfc140chs.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\mfcm140u.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\mfc140.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\concrt140.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\msvcp140_1.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\mfc140fra.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\vcomp140.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\mfc140rus.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\mfc140cht.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\mfcm140.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\vccorlib140.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\msvcp140.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\mfc140u.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\vcruntime140.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\mfc140kor.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\msvcp140_2.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\mfc140enu.dll
Source: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exeFile created: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\bin\sigc-vc142-d-3_0.dll
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc140esn.dll
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc140ita.dll
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc140deu.dll
Source: C:\Windows\System32\msiexec.exeFile created: 62563f.rbf (copy)
Source: C:\Windows\System32\msiexec.exeFile created: 625636.rbf (copy)
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\vcamp140.dll
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\bin\curl.exe
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc140jpn.dll
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc140chs.dll
Source: C:\Windows\System32\msiexec.exeFile created: 62563c.rbf (copy)
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfcm140u.dll
Source: C:\Windows\System32\msiexec.exeFile created: 62562c.rbf (copy)
Source: C:\ztg\fillProxy\bin\vcredist_x86.exeFile created: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc140.dll
Source: C:\Windows\System32\msiexec.exeFile created: 625640.rbf (copy)
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\bin\SPYaaa.dll
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\bin\registerNavicat.exe
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\concrt140.dll
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\bin\hb_terminal_code.exe
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\msvcp140_1.dll
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\Uninstall.exe
Source: C:\Windows\System32\msiexec.exeFile created: 62563a.rbf (copy)
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\Users\user\AppData\Local\Temp\aiw6403531.EXE
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\spy++\spyxxhk.dll
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc140fra.dll
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exe
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\bin\vcredist_x86.exe
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\bin\sigc-vc142-3_0.dll
Source: C:\Windows\System32\msiexec.exeFile created: 625638.rbf (copy)
Source: C:\Windows\System32\msiexec.exeFile created: 625641.rbf (copy)
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\wixstdba.dll
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\vcomp140.dll
Source: C:\Windows\System32\msiexec.exeFile created: 62562a.rbf (copy)
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\bin\SPY.dll
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc140rus.dll
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc140cht.dll
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\bin\fillServer.exe
Source: C:\Windows\System32\msiexec.exeFile created: 625629.rbf (copy)
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile created: C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\wixstdba.dll
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\bin\fixBoostIpcSharedMem6005issue.exe
Source: C:\Windows\System32\msiexec.exeFile created: 625639.rbf (copy)
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\bin\fillClient.exe
Source: C:\Windows\System32\msiexec.exeFile created: 625642.rbf (copy)
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfcm140.dll
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\bin\cleanNavicatHistory.exe
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\vccorlib140.dll
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\bin\boost_date_time-vc142-mt-gd-x32-1_72.dll
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\bin\crt6.6.1_tmp.exe
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\spy++\spyxx.exe
Source: C:\Windows\System32\msiexec.exeFile created: 62562b.rbf (copy)
Source: C:\Windows\System32\msiexec.exeFile created: 625637.rbf (copy)
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\wixstdba.dll
Source: C:\Windows\System32\msiexec.exeFile created: 625627.rbf (copy)
Source: C:\Windows\System32\msiexec.exeFile created: 62563b.rbf (copy)
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\bin\fillProxy.exe
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc140u.dll
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\msvcp140.dll
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\vcruntime140.dll
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc140kor.dll
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\bin\loadyyChannelCrt.exe
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\bin\instsrv.exe
Source: C:\Windows\System32\msiexec.exeFile created: 62562e.rbf (copy)
Source: C:\Windows\System32\msiexec.exeFile created: 62563e.rbf (copy)
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\msvcp140_2.dll
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\bin\libcurl.dll
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc140enu.dll
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\bin\libcurl-x64.dll
Source: C:\Windows\System32\msiexec.exeFile created: 625635.rbf (copy)
Source: C:\Windows\System32\msiexec.exeFile created: 62563d.rbf (copy)
Source: C:\Windows\System32\msiexec.exeFile created: 625626.rbf (copy)
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\bin\srvany.exe
Source: C:\Windows\System32\msiexec.exeFile created: 62562d.rbf (copy)
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\license.rtf
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\1028\license.rtf
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\1029\license.rtf
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\1031\license.rtf
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\1036\license.rtf
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\1040\license.rtf
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\1041\license.rtf
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\1042\license.rtf
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\1045\license.rtf
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\1046\license.rtf
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\1049\license.rtf
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\1055\license.rtf
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\2052\license.rtf
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\3082\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile created: C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile created: C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\1028\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile created: C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\1029\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile created: C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\1031\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile created: C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\1036\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile created: C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\1040\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile created: C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\1041\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile created: C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\1042\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile created: C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\1045\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile created: C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\1046\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile created: C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\1055\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile created: C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\2052\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile created: C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\3082\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\1028\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\1029\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\1031\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\1036\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\1040\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\1041\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\1042\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\1045\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\1046\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\1049\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\1055\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\2052\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\3082\license.rtf
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\fillProxy
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeCode function: 0_2_00419D70 CreateMutexA,GetLastError,FindWindowA,IsIconic,ShowWindow,SetForegroundWindow,0_2_00419D70
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeCode function: 0_2_004184A4 DeleteFileA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,DeleteFileA,0_2_004184A4
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cacls.exe Cacls C:\ztg /t /e /c /g users:f
Source: C:\Windows\System32\msiexec.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regedit.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exe TID: 1464 Thread sleep count: 147 > 30
Source: C:\Windows\System32\svchost.exe TID: 6764 Thread sleep time: -150000s >= -30000s
Source: C:\ztg\fillProxy\bin\vcredist_x86.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Code function: 0_2_0041DF41 GetSystemTime followed by cmp: cmp word ptr [ebp-0eh], 0002h and CTI: jbe 0041DFF9h
Source: C:\ztg\fillProxy\bin\vcredist_x86.exe Code function: 20_2_000CFDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 000CFE5Dh
Source: C:\ztg\fillProxy\bin\vcredist_x86.exe Code function: 20_2_000CFDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 000CFE56h
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe Code function: 21_2_0004FDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 0004FE5Dh
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe Code function: 21_2_0004FDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 0004FE56h
Source: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exe Code function: 23_2_00FCFDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00FCFE5Dh
Source: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exe Code function: 23_2_00FCFDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00FCFE56h
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Code function: 27_2_012CFDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 012CFE5Dh
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Code function: 27_2_012CFDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 012CFE56h
Source: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\ztg\fillProxy\bin\vcredist_x86.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Dropped PE file which has not been started: C:\ztg\fillProxy\bin\sigc-vc142-d-3_0.dll
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Dropped PE file which has not been started: C:\ztg\fillProxy\bin\cleanNavicatHistory.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 62563f.rbf (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 625636.rbf (copy)
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Dropped PE file which has not been started: C:\ztg\fillProxy\bin\curl.exe
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Dropped PE file which has not been started: C:\ztg\fillProxy\bin\boost_date_time-vc142-mt-gd-x32-1_72.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 62563c.rbf (copy)
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Dropped PE file which has not been started: C:\ztg\fillProxy\bin\crt6.6.1_tmp.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 62562c.rbf (copy)
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Dropped PE file which has not been started: C:\ztg\fillProxy\spy++\spyxx.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 625640.rbf (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 62562b.rbf (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 625637.rbf (copy)
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Dropped PE file which has not been started: C:\ztg\fillProxy\bin\SPYaaa.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 625627.rbf (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 62563b.rbf (copy)
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Dropped PE file which has not been started: C:\ztg\fillProxy\bin\registerNavicat.exe
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Dropped PE file which has not been started: C:\ztg\fillProxy\bin\fillProxy.exe
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Dropped PE file which has not been started: C:\ztg\fillProxy\bin\hb_terminal_code.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Dropped PE file which has not been started: C:\ztg\fillProxy\bin\loadyyChannelCrt.exe
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Dropped PE file which has not been started: C:\ztg\fillProxy\bin\instsrv.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 62563a.rbf (copy)
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\aiw6403531.EXE
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Dropped PE file which has not been started: C:\ztg\fillProxy\spy++\spyxxhk.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 625638.rbf (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 625641.rbf (copy)
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Dropped PE file which has not been started: C:\ztg\fillProxy\bin\sigc-vc142-3_0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 62562e.rbf (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 62563e.rbf (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 62562a.rbf (copy)
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Dropped PE file which has not been started: C:\ztg\fillProxy\bin\libcurl.dll
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Dropped PE file which has not been started: C:\ztg\fillProxy\bin\SPY.dll
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Dropped PE file which has not been started: C:\ztg\fillProxy\bin\libcurl-x64.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 625629.rbf (copy)
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Dropped PE file which has not been started: C:\ztg\fillProxy\bin\fillServer.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 625635.rbf (copy)
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Dropped PE file which has not been started: C:\ztg\fillProxy\bin\fixBoostIpcSharedMem6005issue.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 625639.rbf (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 625642.rbf (copy)
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Dropped PE file which has not been started: C:\ztg\fillProxy\bin\fillClient.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 62563d.rbf (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 625626.rbf (copy)
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Dropped PE file which has not been started: C:\ztg\fillProxy\bin\srvany.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 62562d.rbf (copy)
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Code function: 0_2_004068F2 rdtsc
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Registry key enumerated: More than 302 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exe Registry key enumerated: More than 151 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe Registry key enumerated: More than 152 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe Registry key enumerated: More than 152 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exe Evaded block: after key decision
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Code function: 0_2_0040E4C1 GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetDriveTypeA,lstrlenA
Source: C:\ztg\fillProxy\bin\vcredist_x86.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exe API call chain: ExitProcess graph end node
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: svchost.exe, 00000003.00000002.537944776.000002C21C402000.00000004.00000001.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 0000001F.00000002.415470958.000001E2880EB000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.415378045.000001E288070000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: VC_redist.x86.exe, 0000002D.00000003.497902302.0000000000A4D000.00000004.00000001.sdmp Binary or memory string: SI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000003.00000002.538117970.000002C21C429000.00000004.00000001.sdmp, svchost.exe, 00000004.00000002.538293848.000001ED4FE43000.00000004.00000001.sdmp, svchost.exe, 00000005.00000002.538190450.00000210D582A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Code function: 0_2_0042037B GetSystemInfo
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Code function: 0_2_0040E2EE lstrlenA,lstrlenA,lstrcpyA,lstrcatA,FindFirstFileA,FindClose,lstrlenA,FindClose,lstrcpyA,lstrcatA,lstrlenA,lstrcmpiA,FindNextFileA,FindClose,FindClose,lstrlenA,lstrcpyA,FindClose
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Code function: 0_2_0040B6B3 FindFirstFileA,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,lstrcmpiA,SendDlgItemMessageA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Code function: 0_2_0041FB81 FindFirstFileA,GetFileAttributesA,lstrlenA,FindNextFileA,FindClose
Source: C:\ztg\fillProxy\bin\vcredist_x86.exe Code function: 20_2_00093BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose
Source: C:\ztg\fillProxy\bin\vcredist_x86.exe Code function: 20_2_000D4315 FindFirstFileW,FindClose
Source: C:\ztg\fillProxy\bin\vcredist_x86.exe Code function: 20_2_000A993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose
Source: C:\ztg\fillProxy\bin\vcredist_x86.exe Code function: 20_2_000C7A87 FindFirstFileExW
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe Code function: 21_2_00054315 FindFirstFileW,FindClose
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe Code function: 21_2_0002993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe Code function: 21_2_00013BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe Code function: 21_2_00047A87 FindFirstFileExW
Source: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exe Code function: 23_2_00FA993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose
Source: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exe Code function: 23_2_00F93BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose
Source: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exe Code function: 23_2_00FD4315 FindFirstFileW,FindClose
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Code function: 27_2_012D4315 FindFirstFileW,FindClose
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Code function: 27_2_01293BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Code function: 0_2_00411811 lstrcpyA,LoadLibraryA,GetProcAddress,GetShortPathNameW,WideCharToMultiByte,lstrlenA,lstrlenA,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrcatA
Source: C:\ztg\fillProxy\bin\vcredist_x86.exe Code function: 20_2_000C4812 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe Code function: 21_2_00044812 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exe Code function: 23_2_00FC4812 mov eax, dword ptr fs:[00000030h]
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Code function: 27_2_012C4812 mov eax, dword ptr fs:[00000030h]
Source: C:\ztg\fillProxy\bin\vcredist_x86.exe Code function: 20_2_000BE625 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\ztg\fillProxy\bin\vcredist_x86.exe Code function: 20_2_000938D4 GetProcessHeap,RtlAllocateHeap
Source: C:\ztg\fillProxy\bin\vcredist_x86.exe Code function: 20_2_000BE773 SetUnhandledExceptionFilter
Source: C:\ztg\fillProxy\bin\vcredist_x86.exe Code function: 20_2_000BE188 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\ztg\fillProxy\bin\vcredist_x86.exe Code function: 20_2_000C3BB0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe Code function: 21_2_0003E773 SetUnhandledExceptionFilter
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe Code function: 21_2_0003E188 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe Code function: 21_2_0003E625 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe Code function: 21_2_00043BB0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exe Code function: 23_2_00FBE188 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exe Code function: 23_2_00FC3BB0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Code function: 27_2_012BE188 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Code function: 27_2_012C3BB0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Process created: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -burn.filehandle.attached=564 -burn.filehandle.self=584 /quiet /burn.log.append "C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20211217060759.log
Source: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exe Process created: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe "C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={65e650ff-30be-469d-b63a-418d71ea1765} -burn.filehandle.self=1176 -burn.embedded BurnPipe.{3DFA5E1E-FA14-4FA6-B845-2FEC294BCE10} {BF0E961E-0781-45C2-9B76-B54C300A2310} 4476
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe Process created: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe "C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -burn.filehandle.attached=168 -burn.filehandle.self=776 -uninstall -quiet -burn.related.upgrade -burn.ancestors={65e650ff-30be-469d-b63a-418d71ea1765} -burn.filehandle.self=1176 -burn.embedded BurnPipe.{3DFA5E1E-FA14-4FA6-B845-2FEC294BCE10} {BF0E961E-0781-45C2-9B76-B54C300A2310} 4476
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Process created: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe "C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={65e650ff-30be-469d-b63a-418d71ea1765} -burn.filehandle.self=1100 -burn.embedded BurnPipe.{66F04CCF-DF99-4716-9126-725C0AF2D3CA} {6E53EA31-B961-426F-8981-955415C328A5} 4404
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\regedit.exe regedit /s "C:\ztg\fillProxy\bin\startFill.reg"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe Cacls C:\ztg /t /e /c /g users:f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe Cacls C:\ztg /t /e /c /g "Domain users":f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\ztg\fillProxy\bin\vcredist_x86.exe C:\ztg\fillProxy\bin\vcredist_x86.exe /q
Source: C:\ztg\fillProxy\bin\vcredist_x86.exe Process created: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe "C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe" -burn.clean.room="C:\ztg\fillProxy\bin\vcredist_x86.exe" -burn.filehandle.attached=744 -burn.filehandle.self=816 /q
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe Process created: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exe "C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{645B3868-9A7A-49FB-A8C1-BAE7792CA0E7} {A6CC766D-FCE7-4ED5-846F-2A3F82C8859D} 6936
Source: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exe Process created: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe "C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={65e650ff-30be-469d-b63a-418d71ea1765} -burn.filehandle.self=1176 -burn.embedded BurnPipe.{3DFA5E1E-FA14-4FA6-B845-2FEC294BCE10} {BF0E961E-0781-45C2-9B76-B54C300A2310} 4476
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Process created: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -burn.filehandle.attached=564 -burn.filehandle.self=584 /quiet /burn.log.append "C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20211217060759.log
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Process created: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe "C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={65e650ff-30be-469d-b63a-418d71ea1765} -burn.filehandle.self=1100 -burn.embedded BurnPipe.{66F04CCF-DF99-4716-9126-725C0AF2D3CA} {6E53EA31-B961-426F-8981-955415C328A5} 4404
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe Process created: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe "C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -burn.filehandle.attached=168 -burn.filehandle.self=776 -uninstall -quiet -burn.related.upgrade -burn.ancestors={65e650ff-30be-469d-b63a-418d71ea1765} -burn.filehandle.self=1176 -burn.embedded BurnPipe.{3DFA5E1E-FA14-4FA6-B845-2FEC294BCE10} {BF0E961E-0781-45C2-9B76-B54C300A2310} 4476
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Code function: 0_2_0041E3EF GetVersion,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,DuplicateToken,AllocateAndInitializeSid,LocalAlloc,LocalAlloc,InitializeSecurityDescriptor,GetLengthSid,LocalAlloc,InitializeAcl,AddAccessAllowedAce,SetSecurityDescriptorDacl,SetSecurityDescriptorGroup,SetSecurityDescriptorOwner,IsValidSecurityDescriptor,AccessCheck,0_2_0041E3EF
Source: svchost.exe, 00000006.00000002.538690668.0000021564B90000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: svchost.exe, 00000006.00000002.538690668.0000021564B90000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: svchost.exe, 00000006.00000002.538690668.0000021564B90000.00000002.00020000.sdmp Binary or memory string: Progman
Source: svchost.exe, 00000006.00000002.538690668.0000021564B90000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Code function: GetLocaleInfoA,lstrcpyA,__aulldiv,__aulldiv,__aulldiv,0_2_0041D95E
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Code function: SetDlgItemTextA,GetLocaleInfoA,lstrcpyA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatA,SetDlgItemTextA,lstrlenA,lstrlenA,lstrlenA,lstrcatA,SetDlgItemTextA,GetDlgItem,EnableWindow,0_2_0040C96B
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Code function: LoadLibraryA,GetProcAddress,FreeLibrary,GetLocaleInfoA,lstrcpyA,FreeLibrary,0_2_0041EEE8
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe Queries volume information: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\logo.png VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Queries volume information: C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\logo.png VolumeInformation
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe Queries volume information: C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\logo.png VolumeInformation
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Code function: 0_2_00406575 cpuid 0_2_00406575
Source: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Code function: 0_2_0041DF41 GetDateFormatA,GetSystemTime,0_2_0041DF41
Source: C:\ztg\fillProxy\bin\vcredist_x86.exe Code function: 20_2_000D8733 GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime,20_2_000D8733
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Code function: 0_2_00418092 GetUserNameA,LoadLibraryA,GetProcAddress,FreeLibrary,CreateDialogParamA,SetWindowTextA,GetDlgItem,SetWindowTextA,SetWindowTextA,ShowWindow,DestroyWindow,0_2_00418092
Source: C:\ztg\fillProxy\bin\vcredist_x86.exe Code function: 20_2_000A4CE8 ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree,20_2_000A4CE8
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Code function: 0_2_004253CA EntryPoint,GetVersion,GetCommandLineA,GetStartupInfoA,GetModuleHandleA,0_2_004253CA

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
Source: svchost.exe, 00000009.00000002.538148344.000002464663D000.00000004.00000001.sdmp Binary or memory string: (@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000009.00000002.538242968.0000024646702000.00000004.00000001.sdmp Binary or memory string: Files%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000009.00000002.538242968.0000024646702000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Replication Through Removable Media1 | Windows Management Instrumentation1 | DLL Side-Loading1 | DLL Side-Loading1 | Disable or Modify Tools1 | Input Capture2 | System Time Discovery12 | Taint Shared Content1 | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1
Default Accounts | Scripting1 | Application Shimming1 | Application Shimming1 | Deobfuscate/Decode Files or Information1 | LSASS Memory | Peripheral Device Discovery11 | Replication Through Removable Media1 | Screen Capture1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Native API4 | Windows Service1 | Access Token Manipulation1 | Scripting1 | Security Account Manager | Account Discovery1 | SMB/Windows Admin Shares | Input Capture2 | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | Command and Scripting Interpreter13 | Registry Run Keys / Startup Folder1 | Windows Service1 | Obfuscated Files or Information2 | NTDS | File and Directory Discovery5 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap |  | Carrier Billing Fraud
Cloud Accounts | Service Execution1 | Services File Permissions Weakness1 | Process Injection13 | DLL Side-Loading1 | LSA Secrets | System Information Discovery47 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Registry Run Keys / Startup Folder1 | File Deletion1 | Cached Domain Credentials | Query Registry1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Services File Permissions Weakness1 | Masquerading21 | DCSync | Security Software Discovery51 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Modify Registry1 | Proc Filesystem | Virtualization/Sandbox Evasion1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Virtualization/Sandbox Evasion1 | /etc/passwd and /etc/shadow | Process Discovery12 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Access Token Manipulation1 | Network Sniffing | Application Window Discovery1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols |  |  | Data Encrypted for Impact
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Process Injection13 | Input Capture | System Owner/User Discovery1 | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols |  |  | Service Stop
Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | Services File Permissions Weakness1 | Keylogging | Remote System Discovery1 | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS |  |  | Inhibit System Recovery

Behavior Graph

[Behavior graph image not preserved. Behavior Graph ID: 541378; Sample: fillProxy_for_terminal_2021...; Startdate: 17/12/2021; Architecture: WINDOWS; Score: 52]

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
fillProxy_for_terminal_20210702_v1.0.0.exe | 3% | Virustotal |  | Browse

Dropped Files

Source | Detection | Scanner | Label | Link
625626.rbf (copy) | 3% | Metadefender |  | Browse
625626.rbf (copy) | 0% | ReversingLabs |  |
625627.rbf (copy) | 0% | Metadefender |  | Browse
625627.rbf (copy) | 0% | ReversingLabs |  |
625629.rbf (copy) | 0% | Metadefender |  | Browse
625629.rbf (copy) | 0% | ReversingLabs |  |
62562a.rbf (copy) | 0% | Metadefender |  | Browse
62562a.rbf (copy) | 0% | ReversingLabs |  |
62562b.rbf (copy) | 0% | Metadefender |  | Browse
62562b.rbf (copy) | 0% | ReversingLabs |  |
62562c.rbf (copy) | 0% | Metadefender |  | Browse
62562c.rbf (copy) | 0% | ReversingLabs |  |
62562d.rbf (copy) | 0% | Metadefender |  | Browse
62562d.rbf (copy) | 0% | ReversingLabs |  |

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
http://html4/loose.dtd | 0% | Avira URL Cloud | safe |
http://.css | 0% | Avira URL Cloud | safe |
https://curl.se/docs/hsts.html | 0% | Virustotal |  | Browse
https://curl.se/docs/hsts.html | 0% | Avira URL Cloud | safe |
http://.jpg | 0% | Avira URL Cloud | safe |
https://www.disneyplus.com/legal/your-california-privacy-rights | 0% | URL Reputation | safe |
https://curl.se/docs/http-cookies.html | 0% | URL Reputation | safe |
https://www.tiktok.com/legal/report/feedback | 0% | URL Reputation | safe |
http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor | 0% | URL Reputation | safe |
https://curl.se/docs/alt-svc.html | 0% | URL Reputation | safe |
https://%s.xboxlive.com | 0% | URL Reputation | safe |
https://curl.se/docs/copyright.htmlD | 0% | URL Reputation | safe |
https://www.disneyplus.com/legal/privacy-policy | 0% | URL Reputation | safe |
https://dynamic.t | 0% | URL Reputation | safe |
https://disneyplus.com/legal. | 0% | URL Reputation | safe |
http://www.thraexsoftware.com | 0% | Avira URL Cloud | safe |
http://help.disneyplus.com. | 0% | URL Reputation | safe |
http://appsyndication.org/2006/appsyn | 0% | URL Reputation | safe |
https://%s.dnet.xboxlive.com | 0% | URL Reputation | safe |
https://curl.se/V | 0% | URL Reputation | safe |

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
                                                              high
                                                              https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=svchost.exe, 00000007.00000003.307825910.000002125305A000.00000004.00000001.sdmpfalse
                                                                high
                                                                http://www.thraexsoftware.comfillProxy_for_terminal_20210702_v1.0.0.exefalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                https://activity.windows.comsvchost.exe, 00000004.00000002.538293848.000001ED4FE43000.00000004.00000001.sdmpfalse
                                                                  high
                                                                  https://dev.ditu.live.com/REST/v1/Locationssvchost.exe, 00000007.00000003.307814519.0000021253061000.00000004.00000001.sdmpfalse
                                                                    high
                                                                    http://help.disneyplus.com.svchost.exe, 0000001F.00000003.394577434.000001E288992000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.394599846.000001E2889D3000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.394463199.000001E288970000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.394481721.000001E288981000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.394635188.000001E2889B3000.00000004.00000001.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    http://appsyndication.org/2006/appsynVC_redist.x86.exefalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    https://%s.dnet.xboxlive.comsvchost.exe, 00000004.00000002.538293848.000001ED4FE43000.00000004.00000001.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    low
                                                                    https://curl.se/Vlibcurl.dll.0.drfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/svchost.exe, 00000007.00000002.308155055.000002125305C000.00000004.00000001.sdmp, svchost.exe, 00000007.00000003.307825910.000002125305A000.00000004.00000001.sdmpfalse
                                                                      high
                                                                      https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=svchost.exe, 00000007.00000003.307825910.000002125305A000.00000004.00000001.sdmpfalse
                                                                        high

                                                                        Contacted IPs


                                                                        Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious

                                                                        Private

                                                                        IP
                                                                        192.168.2.1

                                                                        General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 541378
Start date: 17.12.2021
Start time: 06:06:37
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 37s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: fillProxy_for_terminal_20210702_v1.0.0.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 46
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal52.spre.evad.winEXE@54/291@0/1
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 93.8% (good quality ratio 87.4%)
• Quality average: 72.5%
• Quality standard deviation: 30.4%
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                                                        • Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, consent.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                                        • Excluded IPs from analysis (whitelisted): 23.54.113.104, 20.54.110.249, 40.91.112.76
                                                                        • Excluded domains from analysis (whitelisted): displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, arc.msn.com, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                                        • Not all processes where analyzed, report is missing behavior information
                                                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                        • Report size getting too big, too many NtCreateFile calls found.
                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                        • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                        • Report size getting too big, too many NtSetInformationFile calls found.
                                                                        • Report size getting too big, too many NtWriteFile calls found.

                                                                        Simulations

                                                                        Behavior and APIs

Time | Type | Description
06:08:05 | Autostart | Run: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce {65e650ff-30be-469d-b63a-418d71ea1765} "C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" /burn.runonce
06:08:23 | API Interceptor | 7x Sleep call for process: svchost.exe modified
06:08:34 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified

                                                                        Joe Sandbox View / Context

                                                                        IPs

                                                                        No context

                                                                        Domains

                                                                        No context

                                                                        ASN

                                                                        No context

                                                                        JA3 Fingerprints

                                                                        No context

                                                                        Dropped Files

                                                                        No context

                                                                        Created / dropped Files

                                                                        625626.rbf (copy)
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):362272
                                                                        Entropy (8bit):6.480079655173682
                                                                        Encrypted:false
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: Metadefender, Detection: 3%, Browse
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Reputation:unknown
                                                                        625627.rbf (copy)
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):141600
                                                                        Entropy (8bit):6.730918695182974
                                                                        Encrypted:false
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: Metadefender, Detection: 0%, Browse
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Reputation:unknown
                                                                        625629.rbf (copy)
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):250144
                                                                        Entropy (8bit):6.698404457805156
                                                                        Encrypted:false
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: Metadefender, Detection: 0%, Browse
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Reputation:unknown
                                                                        62562a.rbf (copy)
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):453920
                                                                        Entropy (8bit):6.66950080753057
                                                                        Encrypted:false
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: Metadefender, Detection: 0%, Browse
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Reputation:unknown
                                                                        62562b.rbf (copy)
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):29472
                                                                        Entropy (8bit):6.817865566900363
                                                                        Encrypted:false
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: Metadefender, Detection: 0%, Browse
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Reputation:unknown
                                                                        62562c.rbf (copy)
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):174064
                                                                        Entropy (8bit):6.871923327983383
                                                                        Encrypted:false
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: Metadefender, Detection: 0%, Browse
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Reputation:unknown
                                                                        62562d.rbf (copy)
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):274208
                                                                        Entropy (8bit):6.608613260235627
                                                                        Encrypted:false
                                                                        SSDEEP:3072:JLZNCBQSuHX5pXCcDWUE1GM6FXNQBkNo9uYKTsWycLfaMHjb3yiH:WuTDJZXiBEkuYKTVfa6
                                                                        MD5:74E8CB0C4E08C63E386F373D1D2C394D
                                                                        SHA1:4134B4A2E5BA4C72A0F8D1472D90E94D7EACBD0F
                                                                        SHA-256:75E6504A83B23A9B3D58885BFB3ED8A5C06FAB4C25139AAB83C2EC0522D2C095
                                                                        SHA-512:84BAB1D2977089AB3BAC41710FAB40AC39D2FE3B0F9FD7AA6D1E2CEDFDE004595F74A8320E21A4D313EECB407B99BAD39429C8AFA65F16698FE485C4C474CBD1
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: Metadefender, Detection: 0%
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Reputation:unknown
                                                                        62562e.rbf (copy)
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):83232
                                                                        Entropy (8bit):6.884071103046351
                                                                        Encrypted:false
                                                                        SSDEEP:1536:DbLqOxUSsdRwFUzVCNkU1jXCizVaYecbv4MUqQmFk:DaOxfsd6FUp3uhecbv4MU
                                                                        MD5:4C360F78DE1F5BAAA5F110E65FAC94B4
                                                                        SHA1:20A2E66FD577293B33BA1C9D01EF04582DEAF3A5
                                                                        SHA-256:AD1B0992B890BFE88EF52D0A830873ACC0AECC9BD6E4FC22397DBCCF4D2B4E37
                                                                        SHA-512:C6BBA093D2E83B178A783D1DDFD1530C3ADCB623D299D56DB1B94ED34C0447E88930200BF45E5FB961F8FD7AD691310B586A7D754D7A6D7D27D58B74986A4DB8
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        625635.rbf (copy)
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):4782880
                                                                        Entropy (8bit):7.048362842065633
                                                                        Encrypted:false
                                                                        SSDEEP:98304:rcQO/zACc35FeIj0v8Tu8expRWrBu2gubZkFLOAkGkzdnEVomFHKnP7z:jqie9v8CVp4Bu2gubZkFLOyomFHKnP
                                                                        MD5:4B9941864214A7BB96D3704420C2D28C
                                                                        SHA1:05ACF3D57A349DCF29BC68A7A6F0DEC6D971B940
                                                                        SHA-256:1F9CCCA43EEF25CA44C69648124265944493FC220BCDECDB79AA28C33468B59B
                                                                        SHA-512:5CB4FFE656AB0C9973A02A7055689F8B945BCFB312B6B324432A717B2C95FF89B35BF70AE553F5176921A7DFF0E8F8F357288496EDC149CB377675130C7AD38B
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        625636.rbf (copy)
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):47592
                                                                        Entropy (8bit):6.147771533863041
                                                                        Encrypted:false
                                                                        SSDEEP:384:DA5dBlsNKvsXZWxdWvYbMktLiBr8uuPgldyevyBb7DVLN1Xzc+pBj0HRN7TPocyF:GdzvsXcb9tLkr8yTby97DVLBWUHui
                                                                        MD5:5EB37CFB087F972E0E9BF8CD9F216D0A
                                                                        SHA1:3FD426C91E122990E7746C415AEB3C9E6A459073
                                                                        SHA-256:9DBE835C0812D759A4461429D4FDE097BB9EC67A97F347F70C9796800DE92BA6
                                                                        SHA-512:865670D5EECF2EAB3BD17348FDCD31EC785F55F345E6048F83B346C16594535F59D68E6EE8F11453C2BD65D89440B50A54903D55E21F6DCB6C7DE79CDC2C06C2
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        625637.rbf (copy)
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):47392
                                                                        Entropy (8bit):6.180362861252495
                                                                        Encrypted:false
                                                                        SSDEEP:768:uDhffucVI4Sd7kYw4JUM3i/EhWrKpWin2vSd:YucVI4Sd4YJUM3XhWuoNKd
                                                                        MD5:40F626F56782D1C6AE773B202082CB92
                                                                        SHA1:65388EDEF5C7DC53A0040AD73D144D52FD02B7F8
                                                                        SHA-256:8056DF5651B576CFFAD288A322939049CF62C8A564CB53EEE187E2DCBDBD9BEF
                                                                        SHA-512:7F99BFB9C11E377BF5B1F526FA6015BF99E28683EEC5C52FB453F60F4C49561FE81B21A61A4783673C46A8F6D62E048609720674746057291A9F025F565822CD
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        625638.rbf (copy)
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):76272
                                                                        Entropy (8bit):4.788610818407564
                                                                        Encrypted:false
                                                                        SSDEEP:1536:SVPidQr0UZqnn0BDvmPS6VFaGCWKZ+e0petNSaBhp0vcsjsr8gWb8C1dCuf9xtP9:SVidQr0UZqnnSvmPS6VFaGCWKZX0Whpq
                                                                        MD5:20A38BD043C56FE2882F88944A3E6E6C
                                                                        SHA1:5E154DFD410A7F8F99D11C999DD68CD0C76842F9
                                                                        SHA-256:CD305576B63458ADF41BDB70FB6EBAED8A032294851336786A5A7169F4F57B05
                                                                        SHA-512:8C706656BA722EA7A9F313F5C1DEF41FA70D7E13D59BC5A3D8F85FE5CEDC2F014DDB76E16D15C231DD08FA6D639C8C457841FF0CCECC6B0FBAC379A460EC5C66
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        625639.rbf (copy)
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):66336
                                                                        Entropy (8bit):4.921664492323363
                                                                        Encrypted:false
                                                                        SSDEEP:768:9VmijcBEhCgy6cAu1HLPLNqyf/nWHBNhdBU2fd5GWPoRh:9Vdzfy6cAuhPLNXf/nWHNfd/PoRh
                                                                        MD5:183B42F7ECEDB4AE4BE8E06C2981EDEF
                                                                        SHA1:906365FECC6B420C63BDB05574C79571ED4C6654
                                                                        SHA-256:5C4B666503DCABF9763610EC5AB3B19D4555A5F349DE7067D6D0F7A3E8146126
                                                                        SHA-512:B4C57C1270D2E219210AEA3145148D8DC68A95ED31A0CC026413179A73961E7215DDE9F355B20859BD19B3BDDA943B48F79F94B6F7CC7BB8F4B087CD6E7F73E4
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        62563a.rbf (copy)
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):75040
                                                                        Entropy (8bit):4.751545699698718
                                                                        Encrypted:false
                                                                        SSDEEP:768:5K0KnBU6gW6qg/iKuCOCF3OKWRElMRZ/IvpIfWUz1v3nl:Vwq6gW6B/iKuFm3OKWxRZ/InW1f
                                                                        MD5:D50AB1B9666BD7C9E7C134ADE3C42D1C
                                                                        SHA1:CDC5C1987689F1A0E34075CD18C692EA88C17E3A
                                                                        SHA-256:8AD53B060AA193BE6517C8C63D1855B39B6523696C617C0764822DB131E78F22
                                                                        SHA-512:489D6E0346168381066F0D372E1AD3CBC66FFD3B1F07DC80B76441DCD231563803EF940A96F93270F2BCC82A35F4793EE4B6AD6F4A15A4DAB25ACA343CB693BE
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        62563b.rbf (copy)
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):76272
                                                                        Entropy (8bit):4.7728351522639585
                                                                        Encrypted:false
                                                                        SSDEEP:768:W26iNYajZELOtYFmNRYxAaTafCp5eQYZmZUjyyyyyyyyyyyyyyyUGQFUbWTVNerP:WNuqLOt6A2SCHu0joPwsM
                                                                        MD5:D58A56D308276A6323EDF45A704C443B
                                                                        SHA1:445244F7D875A04B8612E04CA1CACDC7D5275B0F
                                                                        SHA-256:22FB670A0C08110F12D9268BBC5F015E5344CD0EA61CF414F2BE4A05B3396478
                                                                        SHA-512:AB26805F0FF25ABB934B12F668E0FB5B462D27450673653251BB2B55656DDC4BCBBFA4C12445FAB46AB110E4C28B5F0A156A27D9DAB6CCC1F67748237FDFF8C0
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        62563c.rbf (copy)
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):74224
                                                                        Entropy (8bit):4.770796960519436
                                                                        Encrypted:false
                                                                        SSDEEP:768:3QE6XaCyqbK15MsOwgDGxNIlW3jSCQQQjeqS1hDDg1UWTVfW5f+rWGg:3Qass5MsOwgSxNIlW3GoiTIF+yn
                                                                        MD5:B9C956ED374FFCDBA4C08C3720D1DB53
                                                                        SHA1:380CB5C40863E19D690177278C442EF2D10EFA01
                                                                        SHA-256:3C9809576B7811C9F2167AE45722C54C73926E133C5BC6B688A6C1846E9EB295
                                                                        SHA-512:4BF3FF88AC69131F6C6C23D2B492D7EEB5315259B9465F0316910B7E48FA94D16BC81D1395FE63E01C1B2E527EA8AB1B09561866FCF9EA40BE96E646F3E083A6
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        62563d.rbf (copy)
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):55792
                                                                        Entropy (8bit):5.94964592117223
                                                                        Encrypted:false
                                                                        SSDEEP:768:VpxanVn/TsfJxsr10/eu9RHreFKpWzziDpI2:Vpcnp/TsguntoXyS2
                                                                        MD5:8CDEEEB4F6DC317140C9725D26EA4894
                                                                        SHA1:154C83C29AE78C37D24F181D30F0B677E5FA8CA4
                                                                        SHA-256:C85FAD3BE1ADB9007045FFB7226F340AA5E14FB35D44DD0177641BD410C9FEA8
                                                                        SHA-512:8B3F9CC4CF2C7118276CD8BF8605F6FA2F83A8D479873BABF98DF6C46E27C86A144B289D97D3026C1B2B2384C5938B6C05E78B33AFA1A485D5866AEA083ECB21
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        62563e.rbf (copy)
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):54768
                                                                        Entropy (8bit):6.1159324346768695
                                                                        Encrypted:false
                                                                        SSDEEP:768:fjVQO54LQTNdtUaHqNA3B2I7CvqXWfQNOWho:fjZ51TNdXqNAx2I7CvqmKOWho
                                                                        MD5:628CE133C7CDE15B08CC4C07646E7E2E
                                                                        SHA1:C6623E5E01DD83C89F96D540BD3D696C324533D2
                                                                        SHA-256:854EFA87200BDD5F2FB3B6E65CC43DFC8109A84887201093BAE5EA848271F639
                                                                        SHA-512:D79CFAA24A9556702794053CBBDD2B3E9468CB98D2991999ACB344E1ADAF19D7D1DCC204C83DC255E84B362DDCC31CE0B1617374BAC1C3CFB2911169DE802014
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        62563f.rbf (copy)
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):72176
                                                                        Entropy (8bit):5.322279857085589
                                                                        Encrypted:false
                                                                        SSDEEP:768:rAv/gFXOv00iqNWTMHVhtZgFckD9uAWqMB:K6XOv0EhTW+q+
                                                                        MD5:76A39F21CC452E2A7040A78792318982
                                                                        SHA1:4EB98EAD87D9DAEB3E2D96127FFBE3727C3E2264
                                                                        SHA-256:696DDA39E8DF5BE1006E937BECE2DA07441E8C2BD79760C739922B557A7B9385
                                                                        SHA-512:9FA307E5B3FD510619298577E7FD3E036D632B11861A04FB739E4D1443F1EC530EE1E9C9018900A164162074873C50C676EB1477EFB31F3E215C779F48096B00
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        625640.rbf (copy)
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):5082912
                                                                        Entropy (8bit):6.8680590475042465
                                                                        Encrypted:false
                                                                        SSDEEP:98304:pwTgRb/8LXPwCVSf9qGeFgHt23653x0qfSbNa/S306FLOAkGkzdnEVomFHKnPZC:6cR87wFFqG236L0XNa/S306FLOyomFHT
                                                                        MD5:109E1488C848F17E370F3973EFDE2C38
                                                                        SHA1:7F2FEB94CF7FD1378DF4963316C7941067E7EDC0
                                                                        SHA-256:0CE7B07B16BA59AAE714495043D1CC8385691125F977B34227DBE826DA6D1EEF
                                                                        SHA-512:6C66CA88306106E07432D05AE60A0278D6619E57B1B1EAC5C1AD4B02F3DD13EA8F68FE986322877FA975077C879629E0248239C00654420353772E8287583E23
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        625641.rbf (copy)
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82720
                                                                        Entropy (8bit):6.481840055375367
                                                                        Encrypted:false
                                                                        SSDEEP:768:7xg82UCqlWXqCVz79dzv3sG2wlv13BVO5ncylfhcsZGolyQw3n/20c6dhVbuwSy1:J2Slq7vzvvTyphcsZGBpcGhQwSwUJ0
                                                                        MD5:F46353456429BF7768968B6285D7C2FB
                                                                        SHA1:5A6A6D4DB4BBD32CD141C3CD3D4F1996F1D27084
                                                                        SHA-256:D7FA4DFD8681B10EBF04CB5C72D0F3A20EAF9C4D287CC05C973561EC8DC6A019
                                                                        SHA-512:92C1F4C4AE572DBA8409FBC51F1ACC7FE5C347AFBD0A8B4EABDD339C4F4EF91698B7487E0F4708B89FAE8D2D436644026B89EC53F16F128DA9D773BB5AFE23C2
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        625642.rbf (copy)
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82720
                                                                        Entropy (8bit):6.4817802924170635
                                                                        Encrypted:false
                                                                        SSDEEP:1536:V8alW6KV4ueuAUnPcsZGVxIb+OvE1R4Wod:K6KpQUnPcsKIbHv+i
                                                                        MD5:A67DD2E47CAC448F5E0995FD8634FD4B
                                                                        SHA1:879F96580C33618EB4D4349DE3215A87BA132A56
                                                                        SHA-256:F371D0868A9BAD5B012AC25BDC55FBF41D7F9535ECDE1A37CB23F2732F5ED303
                                                                        SHA-512:912238A4299D50481EF3C48A0E7DBD799B29880131A9667AACD252E3BACE8CDD38F0EAA2EB2C6EE7380B8146B105F94E54F43134AFA841F70176C5F4F318D909
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Config.Msi\625625.rbs
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):14740
                                                                        Entropy (8bit):5.540495128121981
                                                                        Encrypted:false
                                                                        SSDEEP:192:5URxKoRxKfRZvQCf8AFSZShhhhhhhLqRxYyz92:5URxVRxWRZVLFSF2
                                                                        MD5:552CE12024A3EE81E44CDF3097406B33
                                                                        SHA1:E67717D2FBB6F2232BA7E4A323A6449F7AD8220E
                                                                        SHA-256:4A3EC3CA5266D00FB006A07C0BCF0715E99B28AF1DFE682EEC488B90FB35D909
                                                                        SHA-512:ADB938C7056B5414FA785562FE4BDCD0297CFCAE0D5E785676974E437AE1DA30FA84B140CAB91EBB1E82F36D553E45BEFC7D4BD75BBFF1477AA8089EBDC6936B
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Config.Msi\625628.rbs
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):16051
                                                                        Entropy (8bit):5.546186524725506
                                                                        Encrypted:false
                                                                        SSDEEP:192:aQXZhhhhhhhhUzQMeuCH8DXCH8DvJnQEs4qMfpE:as2zVCH8jCH890t
                                                                        MD5:086815DC63EA848E1D3B65F1323309E1
                                                                        SHA1:F6B493E0F2B154378722D74B3AE71D5E8B07237C
                                                                        SHA-256:65C76F73AD094CC388242544228820CA877C6A7FBC9E7E3C0A1B459246817CE7
                                                                        SHA-512:86AA8D24F8826AC70D17C72B97945EEB1338C15638ACF3CD2B955F9855C275F5BB7D3B4155C7ECB149974A6F3423ADE1339D7EDD5A80F5A2FEAA8DD60FA09FF9
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Config.Msi\625633.rbs
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):16367
                                                                        Entropy (8bit):5.48194848905744
                                                                        Encrypted:false
                                                                        SSDEEP:384:vs8ERHXeGRjXeAR1v0GBT9Kaqw4qBheUM+raEgxStXv55FzyVGQPViV6ShKWH:vs84n1R1v0GBT9Kaqw4qBheUM+raEgkN
                                                                        MD5:27B71DA194C5062FEE21087FB5419E08
                                                                        SHA1:FBFAEDD57AF837BFCCC84C84454BB2D7EC9A64B4
                                                                        SHA-256:5B90971A285DEC92AD61D7AF64AB144E12B77B70809423F4D5BE0BD54ADF7744
                                                                        SHA-512:15E300AED400355B57E9E5F21E94DA56DAF4874F1C2D8E480E70546972C03A5B1290769FE7BA617671D5DCEA9C9CB4C8F79EE79808B24924DFC56897D987535A
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Config.Msi\625634.rbs
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):19646
                                                                        Entropy (8bit):5.521024623559966
                                                                        Encrypted:false
                                                                        SSDEEP:384:9AKzMWm1RauIGSHL9LisGKg+BNE+BiFSiqQDSR2IB:9ZzMWm7auIGSHL9LisGKg+HE+UFSi5Dw
                                                                        MD5:789908F65FAB6E1AFC8A5278E9843ACB
                                                                        SHA1:4E4EE9A6AD6D9AA8511DEE0EF22727AA68380689
                                                                        SHA-256:3786196398A73833E05DC41405B9C52FE75EA5C04B4A6B052E700D1A73665C06
                                                                        SHA-512:2865DDB67232D8E62A23BA2792BF0B20086F801874ACD11BA8E10E2C634DCB0C5F2EA66DD21222EFAD3FBA584C9B70C4C880112FFE87B1A8A431911DC9EEC388
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Config.Msi\625645.rbs
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:modified
                                                                        Size (bytes):3609
                                                                        Entropy (8bit):5.2037742735259
                                                                        Encrypted:false
                                                                        SSDEEP:96:k1dCmt5dfe4mNtvRqTY2mNSZd7ZdnvRqTYfZd7ZdSWm9imxc+iS0Xy:kHeHq+srSWrCV/eVS0i
                                                                        MD5:41779FB84A4A2C39F08902F84A21E358
                                                                        SHA1:F5B9A4107689D588241CA3397BBFDD5D244AD686
                                                                        SHA-256:CC8D5FEE57CBB38CC904AD23F3519764FDA89AD4A796A33CDD10698891B75283
                                                                        SHA-512:887E869E760E2A20E140E52B980C45CF023DA98D6D90F14981FBD9E8161BEF1DABE3083E5E1D382060ABFFCA3C13FFEA625B98178CD9254B00324FBE769452C1
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\ProgramData\Package Cache\.unverified\cab54A5CABBE7274D8A22EB58060AAB7623 (copy)
                                                                        Process:C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exe
                                                                        File Type:Microsoft Cabinet archive data, 1350653 bytes, 50 files
                                                                        Category:dropped
                                                                        Size (bytes):1367669
                                                                        Entropy (8bit):7.997832401624505
                                                                        Encrypted:true
                                                                        SSDEEP:24576:OawWVgz9615LBBl9NWA5852M/fzoapq0m9Oz03FOae6p4Cjd81kD0+0CCxco2iJs:OawWV+96vVBNWOMU0qhOz035e6ppNCst
                                                                        MD5:29C34C40D349C145E297B6977908E687
                                                                        SHA1:025B5CF7D6515CC6151628063752C159F41D99C7
                                                                        SHA-256:61AACFF6365DA15F2C9D0FF1C8FB2EC207D145CD9104AFA0CE663BF1542DB245
                                                                        SHA-512:BBD9F65C2619DE25F99A8BA21346D7EA46DB9EBA79FEB6039E0E86999D1EA2C9A4564FA727DDA442A69C169DBDC8A4913DF925C42B3AD7F4030A655AC01C0691
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\ProgramData\Package Cache\.unverified\cabB3E1576D1FEFBB979E13B1A5379E0B16 (copy)
                                                                        Process:C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exe
                                                                        File Type:Microsoft Cabinet archive data, 5194062 bytes, 14 files
                                                                        Category:dropped
                                                                        Size (bytes):5211054
                                                                        Entropy (8bit):7.998080908238165
                                                                        Encrypted:true
                                                                        SSDEEP:98304:dEpMtGvCYmfjBvRxMh7vhetajX6x0XSvrTBEbwwF0XVsvufq:dElCPLBvE8xuEebw6vuy
                                                                        MD5:4FEADE30692872EAB413C1123A5F3DE4
                                                                        SHA1:B08C319BD7E01176F02D0DC3B4AA8B7C5B9A82C6
                                                                        SHA-256:2805E5CC8E477AC1D6847B3CF083A85EC463F646037B59C93CB9E3096A78B81A
                                                                        SHA-512:145956C65E193AD5309CA3C0F0BC94DFB20C6BCF73494BDE2ABC48F6495061EE727C9FAA1B97739FE3028873A540A5F17FDFFEB08D8C3A35C2CD7B3DDB088E54
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\ProgramData\Package Cache\.unverified\vcRuntimeAdditional_x86 (copy)
                                                                        Process:C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exe
                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2019 X86 Additional Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2019 X86 Additional Runtime - 14.25.28508., Template: Intel;1033, Revision Number: {AD7DFCA8-EC53-476F-8C40-02D89ABDEA49}, Create Time/Date: Wed Jan 8 09:31:14 2020, Last Saved Time/Date: Wed Jan 8 09:31:14 2020, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.10.4.4718), Security: 2
                                                                        Category:dropped
                                                                        Size (bytes):184320
                                                                        Entropy (8bit):6.3376915344280516
                                                                        Encrypted:false
                                                                        SSDEEP:3072:JviOApBgbxkK3zoGCK4Kr1kNM+BxWy2bDZRJdN:JvipBaTDo1j//SZhN
                                                                        MD5:4B97853A7D10743D67665CCDD67E8566
                                                                        SHA1:AF5F7059C9A05A388B4773917E17A078FA58F5E9
                                                                        SHA-256:63802C8D96CF21A8EADB1EC5B0B52A9A040581AB2797FE5132E1B3A469108713
                                                                        SHA-512:ED88564A372FBA36FB7F2D98476C82D1D66B17B25AB9B6C34489D33BB7F1D64ABBD2E746E75470E05DECA09252D9B855AB0F37F6F82210AF3F006C9A683C7370
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\ProgramData\Package Cache\.unverified\vcRuntimeMinimum_x86 (copy)
                                                                        Process:C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exe
                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2019 X86 Minimum Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.25.28508., Template: Intel;1033, Revision Number: {DC639984-8B88-4DB7-A65E-0E5CCB21EAB1}, Create Time/Date: Wed Jan 8 09:28:18 2020, Last Saved Time/Date: Wed Jan 8 09:28:18 2020, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.10.4.4718), Security: 2
                                                                        Category:dropped
                                                                        Size (bytes):192512
                                                                        Entropy (8bit):6.237627585353464
                                                                        Encrypted:false
                                                                        SSDEEP:3072:VGviOApBgbxkK3zoGCK4Kr1kNM+BxWy2bDZRJdNt:8vipBaTDo1j//SZhN
                                                                        MD5:6AA3A12A374E36C6A7BD75B7627A5A7C
                                                                        SHA1:56DD5F67FE9FB9C9B70470F535FC2DD6C2DECF38
                                                                        SHA-256:AA5B428789D83FBCD60442EE253B364C5FC833C698C1DC1EB73F5559A63FB976
                                                                        SHA-512:B3A4497E3629A4ED8DB8C7D83C5D8CF2270D7DCE320CA4D5009EDB0F6CBC3F3759A2F753ED0C673EFAF521AA175E2E6D53FC609F351B8A0AA00D74BC4F179720
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                                                                        Process:C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):647912
                                                                        Entropy (8bit):7.215948724836638
                                                                        Encrypted:false
                                                                        SSDEEP:12288:snMwHskY7gjcjhVIEhqgM7bWvcsi6aVhPIyP3WRCzJ9ztLz5/YTDd:6MysZgjS1hqgSC/izxf+czJZhz5Qnd
                                                                        MD5:2F9D2B6CE54F9095695B53D1AA217C7B
                                                                        SHA1:3F54934C240F1955301811D2C399728A3E6D1272
                                                                        SHA-256:0009D3F27837C3AF3F6FFF7973FAF07AFAA4B53119846F55B6F2A79F1759C757
                                                                        SHA-512:692857F960F26039C7B0AF6329E65A71E8588FF71EAAC6B956BD6E437994A8D5A470C7E75DD776E0772E473967B64D5EA0E1D8396546691316DAF4D6B8CCC237
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'.u.'.u.'.u.......u.....[.u.....?.u...v.4.u...q.4.u...p...u.....".u....6.u.'.t.v.u...p.l.u....&.u.'..%.u...w.&.u.Rich'.u.........................PE..L......Z.....................v......m.............@..........................p............@..............................................;...............$...0...=.. t..T...................tt......@n..@...................$........................text.............................. ..`.rdata..............................@..@.data...@...........................@....wixburn8...........................@..@.tls................................@....gfids..............................@..@.rsrc....;.......<..................@..@.reloc...=...0...>..................@..B........................................................................................................................................................
                                                                        C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\state.rsm
                                                                        Process:C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):854
                                                                        Entropy (8bit):2.5155157298473805
                                                                        Encrypted:false
                                                                        SSDEEP:12:7ZK34pgMClGttDa+xU9m4RIb7ttun2QCUel1s5un2QFG:lKUgMClccDR8ht1
                                                                        MD5:3AD27D3DC00B51235A5C9E9E0D698A2B
                                                                        SHA1:5611616F8694678DCD10EF5DAC5AD5A5ED2081BD
                                                                        SHA-256:B40DA618F2C4D1EECB2A4DE0D0BBA23DB7C4EFBEEF0C1FADC3BF0E9DEC78A19C
                                                                        SHA-512:0EA7EEA498243CCF899F65548F1C0D60D6A678DF9B401F45DAD3D1707828EA963446BC1351726777CB2C370775427A32C4726F8B432363562F3A7A27EA4325EA
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: J...............................................................................................................................................................................................................................................W.i.x.B.u.n.d.l.e.F.o.r.c.e.d.R.e.s.t.a.r.t.P.a.c.k.a.g.e.....................W.i.x.B.u.n.d.l.e.L.a.s.t.U.s.e.d.S.o.u.r.c.e.................................W.i.x.B.u.n.d.l.e.N.a.m.e.....B...M.i.c.r.o.s.o.f.t. .V.i.s.u.a.l. .C.+.+. .2.0.1.5.-.2.0.1.9. .R.e.d.i.s.t.r.i.b.u.t.a.b.l.e. .(.x.8.6.). .-. .1.4...2.5...2.8.5.0.8.............W.i.x.B.u.n.d.l.e.O.r.i.g.i.n.a.l.S.o.u.r.c.e.....%...C.:.\.z.t.g.\.f.i.l.l.P.r.o.x.y.\.b.i.n.\.v.c.r.e.d.i.s.t._.x.8.6...e.x.e.............W.i.x.B.u.n.d.l.e.O.r.i.g.i.n.a.l.S.o.u.r.c.e.F.o.l.d.e.r.........C.:.\.z.t.g.\.f.i.l.l.P.r.o.x.y.\.b.i.n.\.................................
                                                                        C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):0.11023981794886281
                                                                        Encrypted:false
                                                                        SSDEEP:12:26ZzXm/Ey6q9995Jqxnq3qQ10nMCldimE8eawHjcov:26kl68XWqLyMCldzE9BHjcI
                                                                        MD5:9ACCEB03996BAA2D337F925B1B376A06
                                                                        SHA1:A17E8A16A679D1FAB1E2282F8978F64E2097C60C
                                                                        SHA-256:434E197E042FC8C5B6077BFADD001B773ABFBAF359FCF9746E0345ADEB918A40
                                                                        SHA-512:725E735EBE5E63F3A7BF4A96C607B2139040B7BC794B43D8E26EAA6BBE797619EB06B3117764A14489A1CEE42D60C421FE6E73C454F741B205CAAD93599EDF2A
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: ........................................................................................80.2.....................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1............................................................Kpq~..... ......mUoO...........S.y.n.c.V.e.r.b.o.s.e...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.S.y.n.c.V.e.r.b.o.s.e...e.t.l...........P.P.........u<.2....................................................................................................................................................................................................................................................................................................................................................................................................
                                                                        C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):0.11259308891449593
                                                                        Encrypted:false
                                                                        SSDEEP:12:m2zXm/Ey6q9995ZWx1miM3qQ10nMCldimE8eawHza1miILf:mjl68XWx1tMLyMCldzE9BHza1tIj
                                                                        MD5:10BAFF930693E44442205D7BA9375F18
                                                                        SHA1:5259B4CF69A7A563EB8FF9C4163FE7E1AC4718DE
                                                                        SHA-256:7E2513F8D2CB05E5143307DD65F902D650FA03975D6E480C4AEDF16A009C2235
                                                                        SHA-512:4EF27B58B5DDED0B8982D6F11E686D9F30B0B3041CCA12503E0327E301DCDE0BE3570B42638B26F0508CFAB66E30684A9EC09E3E5950B1F7142C5B812A63AB61
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: ...........................................................................................2.....................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1............................................................Kpq~..... ......ENoO...........U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...e.t.l.......P.P............2....................................................................................................................................................................................................................................................................................................................................................................................
                                                                        C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):0.11268815623331206
                                                                        Encrypted:false
                                                                        SSDEEP:12:A5zXm/Ey6q9995K8x1mK2P3qQ10nMCldimE8eawHza1mKgCf:pl68k8x1iPLyMCldzE9BHza18C
                                                                        MD5:838D85E45BB2748227504930B40EF92A
                                                                        SHA1:F924AE5FFC55B75B794847A3DD1DFDD09B72FCCC
                                                                        SHA-256:5DE1A83B9EDA88E88054EA327A419CC19409DD7066EC8192ADB4581BFEBC7B2D
                                                                        SHA-512:8114EE5D490954828ED39C5DCC0733B311706ED509F598148E31EA2D07EB2F708FD5C49CC6A98C22540F5C7B6F2CB10BDB1B224FBB76135BD1B83806780C5D70
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: ...........................................................................................2.....................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1............................................................Kpq~..... .......GoO...........U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...e.t.l.......P.P.........2..2....................................................................................................................................................................................................................................................................................................................................................................................
                                                                        C:\Users\user\AppData\Local\Temp\MSI2f4e2.LOG
                                                                        Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                                                                        File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
                                                                        Category:dropped
                                                                        Size (bytes):4434
                                                                        Entropy (8bit):3.7024865689005697
                                                                        Encrypted:false
                                                                        SSDEEP:96:YJDZF1LSjaLBL4Ol3fRtJw81cU1cufiehektJ05:UVRLBL4OlDHL4/
                                                                        MD5:5C37058B923A4D9CBA346AB796450414
                                                                        SHA1:474E4E25D24AC071B9828527AE339EAAAB734EEA
                                                                        SHA-256:F5229CE5050406A34D03131082B672F47124ADD00F238638C2DFED004C001F78
                                                                        SHA-512:DA4B4440C48B1F9FED8DB58E5F01EAA6385E802A986D57ECEB88A52A16CF0A7EAF408D42073EB61EF62F3D2C29566B110734E69810872BA4DDBA7F3829AC5438
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: ..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .1.2./.1.7./.2.0.2.1. . .6.:.0.8.:.4.7. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.P.a.c.k.a.g.e. .C.a.c.h.e.\.{.6.5.e.6.5.0.f.f.-.3.0.b.e.-.4.6.9.d.-.b.6.3.a.-.4.1.8.d.7.1.e.a.1.7.6.5.}.\.V.C._.r.e.d.i.s.t...x.8.6...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.3.4.:.A.C.). .[.0.6.:.0.8.:.4.7.:.6.1.9.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.3.4.:.A.C.). .[.0.6.:.0.8.:.4.7.:.6.1.9.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .0.....M.S.I. .(.c.). .(.3.4.:.A.C.). .[.0.6.:.0.8.:.4.7.:.6.1.9.].:. .*.*.*.*.*.*.*. .R.u.n.E.n.g.i.n.e.:..... . . . . . . . . . . .*.*.*.*.*.*.*. .P.r.o.d.u.c.t.:. .C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.P.a.c.k.a.g.e. .C.a.c.h.e.\.{.0.F.A.6.8.5.7.4.-.6.9.0.B.-.4.B.0.0.-.8.9.A.A.-.B.2.8.9.4.6.2.3.1.4.4.9.}.v.1.4...2.5...2.8.5.0.8.\.p.a.c.k.a.g.e.s.\.v.
                                                                        C:\Users\user\AppData\Local\Temp\MSI2f4e3.LOG
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
                                                                        Category:dropped
                                                                        Size (bytes):81232
                                                                        Entropy (8bit):3.771457892891445
                                                                        Encrypted:false
                                                                        SSDEEP:1536:La7gyZCaMw1LhsFgDTMqyFaJHhZuGpn/wXE4GKEkuO9nj/yc:Lk0j/d
                                                                        MD5:397E4E4992DE36DCE2B1DCDAA75BA92B
                                                                        SHA1:A9D78EF91EC475AAF7646BA4F02FF89F535A4F11
                                                                        SHA-256:C20AB9DE3224BB4C3C63DAA8FF9B70B4ED9325AB59C58039618BFCCEC1E81989
                                                                        SHA-512:62CE4407E850BC6AEBD1072CF6108A70E5F80AA2B9B027A7FA402B4CE7D1395BB2EA18739A83C55094514814DF7AC367FC2359F71BFF709577812FCF95898A4F
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: ..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .1.2./.1.7./.2.0.2.1. . .6.:.0.8.:.5.4. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.P.a.c.k.a.g.e. .C.a.c.h.e.\.{.6.5.e.6.5.0.f.f.-.3.0.b.e.-.4.6.9.d.-.b.6.3.a.-.4.1.8.d.7.1.e.a.1.7.6.5.}.\.V.C._.r.e.d.i.s.t...x.8.6...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.3.4.:.D.0.). .[.0.6.:.0.8.:.5.4.:.1.1.9.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.3.4.:.D.0.). .[.0.6.:.0.8.:.5.4.:.1.1.9.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .0.....M.S.I. .(.c.). .(.3.4.:.D.0.). .[.0.6.:.0.8.:.5.4.:.1.1.9.].:. .*.*.*.*.*.*.*. .R.u.n.E.n.g.i.n.e.:..... . . . . . . . . . . .*.*.*.*.*.*.*. .P.r.o.d.u.c.t.:. .C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.P.a.c.k.a.g.e. .C.a.c.h.e.\.{.0.F.A.6.8.5.7.4.-.6.9.0.B.-.4.B.0.0.-.8.9.A.A.-.B.2.8.9.4.6.2.3.1.4.4.9.}.v.1.4...2.5...2.8.5.0.8.\.p.a.c.k.a.g.e.s.\.v.
                                                                        C:\Users\user\AppData\Local\Temp\aiw6403531.EXE
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):48128
                                                                        Entropy (8bit):6.3377933069406085
                                                                        Encrypted:false
                                                                        SSDEEP:768:5AOeS5yLM+ZCTrAthB5XWenVL0/fWHrHWicASQqvBMxJmgo71yncc:59qZdHWep0GH7WiLcMxJPo7s
                                                                        MD5:5BE82656185B51148A4F0B3ECF16788C
                                                                        SHA1:825DE97A1C861D07B9859E67FA3C1908378AF53A
                                                                        SHA-256:6B4A95A4468D79C1D09A0A4ECA5A504D406C4BBE532D8475F68AA6DDCF91572B
                                                                        SHA-512:387FC089CB295B867B113523BEE5F321BC480A96D2176815EC39DC87E26C16BB9BF1AB93419E122DD3A1FCB33AD5B001960DF6323D74809DC22DBCD793879FB2
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........+j..E9..E9..E9..I9..E9..N9..E9{.K9..E9..O9..E9..E9..E9..V9..E9..V9..E9..D9`.E9..N9..E9?.C9..E9Rich..E9........PE..L.....H@.....................4.......i............@......................................................................... ...........X............................................................................................................text............................... ..`.rdata..............................@..@.data...|...........................@....rsrc...X...........................@..@................................................................................................................................................................................................................................................................................................................................................................
                                                                        C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20211217060759.log
                                                                        Process:C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe
                                                                        File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):17936
                                                                        Entropy (8bit):5.486275037352403
                                                                        Encrypted:false
                                                                        SSDEEP:192:mh8bdnH1N1z1Q1c1D1p1u1J5w9EEnB2kIIxr2lX1lmql2S/4W4s2JJglXgDz:mh8Zx9EEnX3MX1j+JglwDz
                                                                        MD5:EB8BF79C7FFF8E6A5B6779367A9C52FE
                                                                        SHA1:89BDAC62D7077797C0D09EF29D74637CF49DF214
                                                                        SHA-256:A8E2B9CC838AF675FABA38B3DFE248CBA1E5D3C31B349426CA02BB3BB4B65E36
                                                                        SHA-512:F8C869162ECBC0ECE14371C24303B2E06DCF40D6DF836A712E5B74363ACDB2E0002CF8BD8CF789EEC9B78376A882F84B61C30FAD0499F9421CD8BE45C5126A8D
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: [1B18:1B14][2021-12-17T06:07:48]i001: Burn v3.10.4.4718, Windows v10.0 (Build 17134: Service Pack 0), path: C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe..[1B18:1B14][2021-12-17T06:07:48]i009: Command Line: '-burn.clean.room=C:\ztg\fillProxy\bin\vcredist_x86.exe -burn.filehandle.attached=744 -burn.filehandle.self=816 /q'..[1B18:1B14][2021-12-17T06:07:48]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\ztg\fillProxy\bin\vcredist_x86.exe'..[1B18:1B14][2021-12-17T06:07:48]i000: Setting string variable 'WixBundleOriginalSourceFolder' to value 'C:\ztg\fillProxy\bin\'..[1B18:1B14][2021-12-17T06:07:59]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20211217060759.log'..[1B18:1B14][2021-12-17T06:07:59]i000: Setting string variable 'WixBundleName' to value 'Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.25.28508'..[1B18:1B14][2021-12-17T06:07:59]i000: Setting string variable 'Wi
                                                                        C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20211217060759_000_vcRuntimeMinimum_x86.log
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
                                                                        Category:dropped
                                                                        Size (bytes):232322
                                                                        Entropy (8bit):3.820952216623118
                                                                        Encrypted:false
                                                                        SSDEEP:3072:4H9L/V/jAOQFvI95xFhgZ0QVjQzBS+cS68pizacWFh68Nujlrgu/yhFmZATxD9xP:2jkjG
                                                                        MD5:E469C4103EB2C70AC43ECDE4C53E1900
                                                                        SHA1:A20B62207296B33F47143FD259EE3B030E644628
                                                                        SHA-256:E2B56C52BCCBFFF3D143E2F345685F0350FAE7FB161ADC3CB896CE8837A92227
                                                                        SHA-512:8D484A7D24613DDD5A577B68B00E2F1D59FB82DA2D1AA5DCEC53024A7A4DFDF299CC5A0FE3AD956AA971DCEA92B609D54A7DE34542F96B5A24D5B1DE5D8960B2
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: === Verbose logging started: 12/17/2021  6:08:06  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exe ===..MSI (c) (7C:54) [06:08:06:343]: Resetting cached policy values..MSI (c) (7C:54) [06:08:06:343]: Machine policy value 'Debug' is 0..MSI (c) (7C:54) [06:08:06:343]: ******* RunEngine:..           ******* Product: C:\ProgramData\Package Cache\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\packages\vcRuntimeM
                                                                        C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20211217060759_001_vcRuntimeAdditional_x86.log
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
                                                                        Category:dropped
                                                                        Size (bytes):269056
                                                                        Entropy (8bit):3.8268855048369264
                                                                        Encrypted:false
                                                                        SSDEEP:3072:QkVlPyjpJ8tttttttttttts5HHjByzzzzzzzzdddddWeHg5b0zK8ml9YRXzsT:ejRjh
                                                                        MD5:2F1DEEF8AB8898D059AF570947D8FAC8
                                                                        SHA1:709DCBF2D319478E24DA12E12D0E31D06535B8E6
                                                                        SHA-256:2303B6D6A68346C70F50BCCB031981C05221F172157FC9F08F6DAF9C0BAC4209
                                                                        SHA-512:E7B9FBC7E9CE66C3BFA582A68B1ACE2E1D177AA904B336ED57483DA8D6290B08B4AA7FD101A09406FBE65FB8BFFCC12F70CE0411EF9EADAB6FC1F264D2F8C81E
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: === Verbose logging started: 12/17/2021  6:08:23  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exe ===..MSI (c) (7C:D4) [06:08:23:093]: Resetting cached policy values..MSI (c) (7C:D4) [06:08:23:093]: Machine policy value 'Debug' is 0..MSI (c) (7C:D4) [06:08:23:093]: ******* RunEngine:..           ******* Product: C:\ProgramData\Package Cache\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\packages\vcRuntimeA
                                                                        C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20211217060910.log
                                                                        Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                                                                        File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                        Category:modified
                                                                        Size (bytes):11010
                                                                        Entropy (8bit):5.376281686346955
                                                                        Encrypted:false
                                                                        SSDEEP:192:K/RbxmnI1Q1e1N1p1u1c1D1uSejGjj7MwBBZCvIX6:KZbE5yjj7X0IK
                                                                        MD5:A8B4F06B3268601612D387F7A1FE59B8
                                                                        SHA1:F0EFF556BE7E228E69392A2D197629803C1B833D
                                                                        SHA-256:35B6065DDA33D6F3847E8AE526A0E8B82C3B470E76A9CD105D43E0F2098DAF03
                                                                        SHA-512:D571E4FD642479D9057284BCF9369CF79DF838D7DAEB12F9A541AC6FE9D329A05B76452C1C7BD5AD71DC6A6431BB36A5A30F00FD5443659DD2C643A3DD6B3988
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: [1A00:15C4][2021-12-17T06:08:54]i001: Burn v3.10.4.4718, Windows v10.0 (Build 17134: Service Pack 0), path: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe..[1A00:15C4][2021-12-17T06:08:54]i003: This bundle is being run by a related bundle as type 'Upgrade'...[1A00:15C4][2021-12-17T06:08:54]i009: Command Line: '"-burn.clean.room=C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -burn.filehandle.attached=168 -burn.filehandle.self=776 -uninstall -quiet -burn.related.upgrade -burn.ancestors={65e650ff-30be-469d-b63a-418d71ea1765} -burn.filehandle.self=1176 -burn.embedded BurnPipe.{3DFA5E1E-FA14-4FA6-B845-2FEC294BCE10} {BF0E961E-0781-45C2-9B76-B54C300A2310} 4476'..[1A00:15C4][2021-12-17T06:09:10]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20211217060910.log'..[1A00:15C4][2021-12-17T06:09:10]i000: Setting string variable 'WixBundleName' to value 'Microsoft V
                                                                        C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\1028\license.rtf
                                                                        Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                                                                        File Type:Rich Text Format data, version 1, ANSI
                                                                        Category:dropped
                                                                        Size (bytes):18127
                                                                        Entropy (8bit):4.036737741619669
                                                                        Encrypted:false
                                                                        SSDEEP:192:xaz+aCQbjdBCLCgfvtfLEmmVxJzLKLIW7cBFCoSM0fvJ93eyryH1MqG1xcRY/c5f:seh/IMHexG4q2
                                                                        MD5:B7F65A3A169484D21FA075CCA79083ED
                                                                        SHA1:5DBFA18928529A798FF84C14FD333CB08B3377C0
                                                                        SHA-256:32585B93E69272B6D42DAC718E04D954769FE31AC9217C6431510E9EEAD78C49
                                                                        SHA-512:EDA2F946C2E35464E4272B1C3E4A8DC5F17093C05DAB9A685DBEFD5A870B9D872D8A1645ED6F5B9A72BBB2A59D22DFA58FBF420F6440278CCBE07B6D0555C283
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset134 SimSun;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT \f1\'dc\'9b\'f3\'77\'ca\'da\'99\'e0\'97\'6c\'bf\'ee\f0\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0\f1\'b1\'be\'ca\'da\'99\'e0\'97\'6c\'bf\'ee\'ca\'c7\'d9\'46\'d3\'c3\'91\'f4\'c5\'63\f0 Microsoft Corporation (\f1\'bb\'f2\'c6\'e4\'ea\'50\'82\'53\'c6\'f3\'98\'49\'a3\'ac\'d2\'95\'d9\'46\'d3\'c3\'91\'f4\'cb\'f9\'be\'d3\'d7\'a1\'b5\'c4\'b5\'d8\'fc\'63\'b6\'f8\'b6\'a8\f0 ) \f1\'d6\'ae\'e9\'67\'b3\'c9\'c1\'a2\'b5\'c4\'ba\'cf\'bc\'73\'a1\'a3\'cb\'fb\'82\'83\'df\'6d\'d3\'c3\'ec\'b6\'c9\'cf\'ca\'f6\'dc\'9b\'f3\'77\'a3\'ac\'b1\'be\'ca\'da\'99\'e0\'97\'6c\'bf\'ee\'d2\'e0\'df\'6d\'d3\'c3\'ec\'b6\'c8\'ce\'ba\'ce\f0 Microsoft \f1\'b7\'fe\'84\'d5\'bb\'f2\'b1\'be\'dc\'9b\'f3\'77\'d6\'ae\'b8\'fc\'d0\'c2\'a3
                                                                        C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\1028\thm.wxl
                                                                        Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                                                                        File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):2980
                                                                        Entropy (8bit):6.163758160900388
                                                                        Encrypted:false
                                                                        SSDEEP:48:c5DiTlOtMes9T/JhDXsA9EHSniarRFeOrw8N3mZNNTN2N08CEjMUWFPmDlTKJKy2:uDiTlFrDDsA9tfHP8+8nhM0WamzqDFqD
                                                                        MD5:472ABBEDCBAD24DBA5B5F5E8D02C340F
                                                                        SHA1:974F62B5C2E149C3879DD16E5A9DBB9406C3DB85
                                                                        SHA-256:8E2E660DFB66CB453E17F1B6991799678B1C8B350A55F9EBE2BA0028018A15AD
                                                                        SHA-512:676E29378AAED25DE6008D213EFA10D1F5AAD107833E218D71F697E728B7B5B57DE42E7A910F121948D7B1B47AB4F7AE63F71196C747E8AE2B4827F754FC2699
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">....</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - ................. ......................../passive | /quiet - .... UI ........... UI.... ........... UI ........../norestart - ................UI ............./log log.txt - .........
                                                                        C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\1029\license.rtf
                                                                        Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                                                                        File Type:Rich Text Format data, version 1, ANSI
                                                                        Category:dropped
                                                                        Size (bytes):13053
                                                                        Entropy (8bit):5.125552901367032
                                                                        Encrypted:false
                                                                        SSDEEP:192:TKwfs7OUpXLa5HEXQwNCNvZSjotXxiwH++3kamdEj6ZDbugDHgbGNlv6NbrYGY9x:Lfs7c5DRH0aHmJGpafU0AliwGra2
                                                                        MD5:B408556A89FCE3B47CD61302ECA64AC9
                                                                        SHA1:AAC1CDAF085162EFF5EAABF562452C93B73370CB
                                                                        SHA-256:21DDCBB0B0860E15FF9294CBB3C4E25B1FE48619210B8A1FDEC90BDCDC8C04BC
                                                                        SHA-512:BDE33918E68388C60750C964CDC213EC069CE1F6430C2AA7CF1626E6785C7C865094E59420D00026918E04B9B8D19FA22AC440F851ADC360759977676F8891E7
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset238 Tahoma;}{\f2\fnil\fcharset0 Garamond;}{\f3\fnil Tahoma;}{\f4\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 LICEN\f1\'c8N\f0\'cd PODM\'cdNKY PRO SOFTWARE SPOLE\f1\'c8NOSTI MICROSOFT\par..\f0 MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Tyto licen\f1\'e8n\f0\'ed podm\'ednky p\f1\'f8edstavuj\f0\'ed smlouvu mezi spole\f1\'e8nost\f0\'ed Microsoft Corporation (nebo n\f1\'eckterou z\~jej\f0\'edch afilac\'ed v\~z\'e1vislosti na tom, kde bydl\'edte) a\~v\'e1mi. Vztahuj\'ed se na v\'fd\f1\'9ae uveden\f0\'fd software. Podm\'ednky se rovn\f1\'ec\'9e vztahuj\f0\'ed na jak\'e9koli slu\f1\'9eby Microsoft nebo aktualizace pro software, pokud se na slu\'9eby nebo aktualizace nevztahuj\f0\'ed odli\f1\'9an\f0\'e9 podm\'ednky.\par..\b DODR\f1\'8e\f0\'cdTE-LI TYTO
                                                                        C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\1029\thm.wxl
                                                                        Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                                                                        File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):3333
                                                                        Entropy (8bit):5.370651462060085
                                                                        Encrypted:false
                                                                        SSDEEP:48:c5DiTlOtesM6H2hDdxHOjZxsaIIy3Iy5sDMN3mkNFN7NwcfiPc3hKPnWZLF0hKqZ:uDiTlVxxHOy/9xXfpZJYnL8xK2S
                                                                        MD5:16343005D29EC431891B02F048C7F581
                                                                        SHA1:85A14C40C482D9351271F6119D272D19407C3CE9
                                                                        SHA-256:07FB3EC174F25DFBE532D9D739234D9DFDA8E9D34F01FE660C5B4D56989FA779
                                                                        SHA-512:FF1AE9C21DCFB018DD4EC82A6D43362CB8C591E21F45DD1C25955D83D328B57C8D454BBE33FBC73A70DADF1DFB3AE27502C9B3A8A3FF2DA97085CA0D9A68AB03
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instala.n. program [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Opravdu chcete akci zru.it?</String>.. <String Id="HelpHeader">N.pov.da nastaven.</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [adres..] . Nainstaluje, oprav., odinstaluje nebo.. vytvo.. .plnou m.stn. kopii svazku v adres..i. V.choz. mo.nost. je instalace...../passive | /quiet . Zobraz. minim.ln. u.ivatelsk. rozhran. bez v.zev nebo nezobraz. ..dn. u.ivatelsk. rozhran. a.. ..dn. v.zvy. V.choz. mo.nost. je zobrazen. u.ivatelsk.ho rozhran. a v.ech v.zev...../noresta
                                                                        C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\1031\license.rtf
                                                                        Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                                                                        File Type:Rich Text Format data, version 1, ANSI
                                                                        Category:dropped
                                                                        Size (bytes):11936
                                                                        Entropy (8bit):5.194264396634094
                                                                        Encrypted:false
                                                                        SSDEEP:192:+XkOmRUOl6WBsl4kA+sn+mvtI0qHl4qj+iPqk6kVV9iX9GzYNvQ8yOejIpRMrhC2:DDHMFPCeV3i4zOHyOejIpkC2
                                                                        MD5:C2CFA4CE43DFF1FCD200EDD2B1212F0A
                                                                        SHA1:E8286E843192802E5EBF1BE67AE30BCAD75AC4BB
                                                                        SHA-256:F861DB23B972FAAA54520558810387D742878947057CF853DC74E5F6432E6A1B
                                                                        SHA-512:6FDF02A2DC9EF10DD52404F19C300429E7EA40469F00A43CA627F3B7F3868D1724450F99C65B70B9B7B1F2E1FA9D62B8BE1833A8C5AA3CD31C940459F359F30B
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil Tahoma;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT-SOFTWARE-LIZENZBESTIMMUNGEN\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Diese Lizenzbestimmungen sind ein Vertrag zwischen Ihnen und der Microsoft Corporation (bzw. abh\'e4ngig von Ihrem Wohnsitz einem mit Microsoft verbundenen Unternehmen). Sie gelten f\'fcr die oben angef\'fchrte Software. Die Bestimmungen gelten ebenso f\'fcr jegliche von Microsoft angebotenen Dienste oder Updates f\'fcr die Software, sofern diesen keine anderen Bestimmungen beiliegen.\par..\b SOFERN SIE DIESE LIZENZBESTIMMUNGEN EINHALTEN, SIND SIE ZU FOLGENDEM BERECHTIGT:\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\sl240\slmult1\tx360 RECHTE ZUR INSTALLATION UND NUTZUNG. \
                                                                        C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\1031\thm.wxl
                                                                        Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                                                                        File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):3379
                                                                        Entropy (8bit):5.094097800535488
                                                                        Encrypted:false
                                                                        SSDEEP:48:c5DiTlOZuesXJhDEVTORNxSMoZN3mteNSiNGNsZuiAXEqicMwhPXbhu9KwKlK8Kq:uDiTl3N7xSbu0N8+AhSNnm
                                                                        MD5:561F3F32DB2453647D1992D4D932E872
                                                                        SHA1:109548642FB7C5CC0159BEDDBCF7752B12B264C0
                                                                        SHA-256:8E0DCA6E085744BFCBFF46F7DCBCFA6FBD722DFA52013EE8CEEAF682D7509581
                                                                        SHA-512:CEF8C80BEF8F88208E0751305DF519C3D2F1C84351A71098DC73392EC06CB61A4ACA35182A0822CF6934E8EE42196E2BCFE810CC859965A9F6F393858A1242DF
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] - Setup</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">M.chten Sie den Vorgang wirklich abbrechen?</String>.. <String Id="HelpHeader">Setup-Hilfe</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [Verzeichnis] - installiert, repariert, deinstalliert oder.. erstellt eine vollst.ndige lokale Kopie des Bundles im Verzeichnis. Installieren ist die Standardeinstellung...../passive | /quiet - zeigt eine minimale Benutzeroberfl.che ohne Eingabeaufforderungen oder keine.. Benutzeroberfl.che und keine Eingabeaufforderungen an. Standardm..ig werden die Benutzeroberfl.che und alle Eingab
                                                                        C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\1036\license.rtf
                                                                        Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                                                                        File Type:Rich Text Format data, version 1, ANSI
                                                                        Category:dropped
                                                                        Size (bytes):11593
                                                                        Entropy (8bit):5.106817099949188
                                                                        Encrypted:false
                                                                        SSDEEP:192:aRAbNYjVk+z5GUSLse5GgALEXmAWL+/3FEShP9sJgi8+Ra8woh+89EQdhwQPely6:K4yrPqm9LcVEg9sVp2ohHVdKoXJXci9a
                                                                        MD5:F0FF747B85B1088A317399B0E11D2101
                                                                        SHA1:F13902A39CEAE703A4713AC883D55CFEE5F1876C
                                                                        SHA-256:4D9B7F06BE847E9E135AB3373F381ED7A841E51631E3C2D16E5C40B535DA3BCF
                                                                        SHA-512:AA850F05571FFC361A764A14CA9C1A465E2646A8307DEEE0589852E6ACC61AF145AEF26B502835724D7245900F9F0D441451DD8C055404788CE64415F5B79506
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 TERMES DU CONTRAT DE LICENCE LOGICIEL MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Les pr\'e9sents termes du contrat de licence constituent un contrat entre Microsoft Corporation (ou, en fonction de votre lieu de r\'e9sidence, l\rquote un de ses affili\'e9s) et vous. Ils s\rquote appliquent au logiciel vis\'e9 ci-dessus. Les termes s\rquote appliquent \'e9galement \'e0 tout service et \'e0 toute mise \'e0 jour Microsoft pour ce logiciel, \'e0 moins que d\rquote autres termes n\rquote accompagnent ces \'e9l\'e9ments.\par..\b SI VOUS VOUS CONFORMEZ AUX PR\'c9SENTS TERMES DU CONTRAT DE LICENCE, VOUS AVEZ LES DROITS CI-DESSOUS.\par....\pard{\pntext\f1\'B7\tab}{\*\pn\pnlvlblt\pnf1\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\s
                                                                        C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\1036\thm.wxl
                                                                        Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                                                                        File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):3366
                                                                        Entropy (8bit):5.0912204406356905
                                                                        Encrypted:false
                                                                        SSDEEP:48:c5DiTlO1BesgKLhD1K8cocDSN3m4NlN2ZfNmXL8ePZFcZkLPqUf9fQKRLKeKqZfj:uDiTlABzH1/qt4qgcXY
                                                                        MD5:7B46AE8698459830A0F9116BC27DE7DF
                                                                        SHA1:D9BB14D483B88996A591392AE03E245CAE19C6C3
                                                                        SHA-256:704DDF2E60C1F292BE95C7C79EE48FE8BA8534CEB7CCF9A9EA68B1AD788AE9D4
                                                                        SHA-512:FC536DFADBCD81B42F611AC996059A6264E36ECF72A4AEE7D1E37B87AEFED290CC5251C09B68ED0C8719F655B163AD0782ACD8CE6332ED4AB4046C12D8E6DBF6
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Installation de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Voulez-vous vraiment annuler.?</String>.. <String Id="HelpHeader">Aide du programme d'installation</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - installe, r.pare, d.sinstalle ou.. cr.e une copie locale compl.te du groupe dans le r.pertoire. Install est l'option par d.faut...../passive | /quiet - affiche une interface minimale, sans invite, ou n'affiche ni interface.. ni invite. Par d.faut, l'interface et toutes les invites sont affich.es...../norestart - supprime toutes les tentatives de red.
                                                                        C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\1040\license.rtf
                                                                        Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                                                                        File Type:Rich Text Format data, version 1, ANSI
                                                                        Category:dropped
                                                                        Size (bytes):11281
                                                                        Entropy (8bit):5.046489958240229
                                                                        Encrypted:false
                                                                        SSDEEP:192:WBGNX6UXR2+5SmgS/ChMErYkQvowHVw6zdgkycEGCDLQ+n3YJ2d8XSiej+T4Ma8f:gAzSVARBR5jEPLQY3YJpSjTP2
                                                                        MD5:9D98044BAC59684489C4CF66C3B34C85
                                                                        SHA1:36AAE7F10A19D336C725CAFC8583B26D1F5E2325
                                                                        SHA-256:A3F745C01DEA84CE746BA630814E68C7C592B965B048DDC4B1BBE1D6E533BE22
                                                                        SHA-512:D849BBB6C87C182CC98C4E2314C0829BB48BAD483D0CD97BF409E75457C3695049C3A8ADFE865E1ECBC989A910096D2C1CDF333705AAC4D22025DF91B355278E
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 CONTRATTO DI LICENZA PER IL SOFTWARE MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Le presenti condizioni di licenza costituiscono il contratto tra Microsoft Corporation (o, in base al luogo di residenza del licenziatario, una delle sue consociate) e il licenziatario, Tali condizioni si applicano al software Microsoft di cui sopra. Le condizioni si applicano inoltre a qualsiasi servizio o aggiornamento di Microsoft relativo al software, a meno che questo non sia accompagnato da condizioni differenti.\par..\b QUALORA IL LICENZIATARIO SI ATTENGA ALLE PRESENTI CONDIZIONI DI LICENZA, DISPORR\'c0 DEI DIRITTI INDICATI DI SEGUITO.\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\p
                                                                        C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\1040\thm.wxl
                                                                        Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                                                                        File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):3319
                                                                        Entropy (8bit):5.019774955491369
                                                                        Encrypted:false
                                                                        SSDEEP:48:c5DiTlO1eesy+hD9BOtBFv5Vo8BbQhMNDJN3msNlNohNNz+wcPclM+PAoYKp+K/u:uDiTlfQvo8WutJ/s9FHNOJp
                                                                        MD5:D90BC60FA15299925986A52861B8E5D5
                                                                        SHA1:FADFCA9AB91B1AB4BD7F76132F712357BD6DB760
                                                                        SHA-256:0C57F40CC2091554307AA8A7C35DD38E4596E9513E9EFAE00AC30498EF4E9BC2
                                                                        SHA-512:11764D0E9F286B5AA7B1A9601170833E462A93A1E569A032FCBA9879174305582BD42794D4131B83FBCFBF1CF868A8D5382B11A4BD21F0F7D9B2E87E3C708C3F
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Installazione di [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Annullare?</String>.. <String Id="HelpHeader">Guida alla configurazione</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - installa, ripara, disinstalla o.. crea una copia locale completa del bundle nella directory. L'opzione predefinita . Install...../passive | /quiet - visualizza un'interfaccia utente minima senza prompt oppure non visualizza alcuna interfaccia utente.. n. prompt. Per impostazione predefinita viene visualizzata l'intera interfaccia utente e tutti i prompt...../norestart - annulla quals
                                                                        C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\1041\license.rtf
                                                                        Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                                                                        File Type:Rich Text Format data, version 1, ANSI
                                                                        Category:dropped
                                                                        Size (bytes):28232
                                                                        Entropy (8bit):3.7669201853275722
                                                                        Encrypted:false
                                                                        SSDEEP:192:Qkb65jNkzrUJVbpEiTskXHH1AZWoJxfnVnkDYUqfQFXBue6hX2JSfR7q05kWZxhY:epCD3y/ybox2yrk2
                                                                        MD5:8C49936EC4CF0F64CA2398191C462698
                                                                        SHA1:CC069FE8F8BC3B6EE2085A4EACF40DB26C842BAC
                                                                        SHA-256:7355367B7C48F1BBACC66DFFE1D4BF016C16156D020D4156F288C2B2207ED1C2
                                                                        SHA-512:4381147FF6707C3D31C5AE591F68BC61897811112CB507831EFF5E71DD281009400EDA3300E7D3EFDE3545B89BCB71F2036F776C6FDFC73B6B2B2B8FBC084499
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\1041\thm.wxl
                                                                        Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                                                                        File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):3959
                                                                        Entropy (8bit):5.955167044943003
                                                                        Encrypted:false
                                                                        SSDEEP:96:uDiTlDuB1n+RNmvFo6bnpojeTPk0R/vueX5OA17IHdGWz:5uB1+gD1DU4EdGE
                                                                        MD5:DC81ED54FD28FC6DB6F139C8DA1BDED6
                                                                        SHA1:9C719C32844F78AAE523ADB8EE42A54D019C2B05
                                                                        SHA-256:6B9BBF90D75CFA7D943F036C01602945FE2FA786C6173E22ACB7AFE18375C7EA
                                                                        SHA-512:FD759C42C7740EE9B42EA910D66B0FA3F813600FD29D074BB592E5E12F5EC09DB6B529680E54F7943821CEFE84CE155A151B89A355D99C25A920BF8F254AA008
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.. <Control Control="InstallButton" X="275" Y="237" Width="110" Height="23"/>.. <Control Control="UninstallButton" X="270" Y="237" Width="120" Height="23"/>.. <Control Control="RepairButton" X="187" Y="237" Width="80" Height="23"/>.. .. <String Id="Caption">[WixBundleName] .......</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">..........</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - ............ ......... .........................
                                                                        C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\1042\license.rtf
                                                                        Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                                                                        File Type:Rich Text Format data, version 1, ANSI
                                                                        Category:dropped
                                                                        Size (bytes):27936
                                                                        Entropy (8bit):3.871317037004171
                                                                        Encrypted:false
                                                                        SSDEEP:384:kKIgbA2uBsarNG/HxPvCL1ewjxsXmEw4C7C7R4jAeqCBO968y7yNRylBSFfQv9yH:d3ar8Xa/XAeqoc0wfBB4qN
                                                                        MD5:184D94082717E684EAF081CEC3CBA4B1
                                                                        SHA1:960B9DA48F4CDDF29E78BBAE995B52204B26D51B
                                                                        SHA-256:A4C25DA9E3FBCED47464152C10538F16EE06D8E06BC62E1CF4808D293AA1AFA2
                                                                        SHA-512:E4016C0CA348299B5EF761F456E3B5AD9B99E5E100C07ACAB1369DFEC214E75AA88E9AD2A0952C0CC1B707E2732779E6E3810B3DA6C839F0181DC81E3560CBDA
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\1042\thm.wxl
                                                                        Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                                                                        File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):3249
                                                                        Entropy (8bit):5.985100495461761
                                                                        Encrypted:false
                                                                        SSDEEP:48:c5DiTlO4TesKOwhDNJCkt1NhEN3m/NFNkbKNdExpVgUnqx6IPaRc0KoUK9TKz0KR:uDiTlUJJCsgqf6YVoz4uU5vI54U5TY
                                                                        MD5:B3399648C2F30930487F20B50378CEC1
                                                                        SHA1:CA7BDAB3BFEF89F6FA3C4AAF39A165D14069FC3D
                                                                        SHA-256:AD7608B87A7135F408ABF54A897A0F0920080F76013314B00D301D6264AE90B2
                                                                        SHA-512:C5B0ECF11F6DADF2E68BC3AA29CC8B24C0158DAE61FE488042D1105341773166C9EBABE43B2AF691AD4D4B458BF4A4BF9689C5722C536439CA3CDC84C0825965
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] .. ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">........?</String>.. <String Id="HelpHeader">.. ...</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - ..... ... .. .. .... .., .., .. .... ...... ... .........../passive | /quiet - .... .. .. UI. ..... UI ... ..... .... ..... ..... UI. .. ..... ........../norestart - .. .... .. .... ...
                                                                        C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\1045\license.rtf
                                                                        Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                                                                        File Type:Rich Text Format data, version 1, ANSI
                                                                        Category:dropped
                                                                        Size (bytes):13265
                                                                        Entropy (8bit):5.358483628484379
                                                                        Encrypted:false
                                                                        SSDEEP:192:TKpWRd0NE41Y/od7V/sHFos7YLQY9DbLM5D+Vw1VAOb0P4/sHLS7VHwHMPw95a+Q:uy0CG9KZ7qQCw1VAOZ/sHOJfcY2wf6p2
                                                                        MD5:5B9DF97FC98938BF2936437430E31ECA
                                                                        SHA1:AB1DA8FECDF85CF487709774033F5B4B79DFF8DE
                                                                        SHA-256:8CB5EB330AA07ACCD6D1C8961F715F66A4F3D69FB291765F8D9F1850105AF617
                                                                        SHA-512:4EF61A484DF85C487BE326AB4F95870813B9D0644DF788CE22D3BEB6E062CDF80732CB0B77FCDA5D4C951A0D67AECF8F5DCD94EA6FA028CFCA11D85AA97714E3
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset238 Tahoma;}{\f2\fnil\fcharset0 Garamond;}{\f3\fnil Tahoma;}{\f4\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 POSTANOWIENIA LICENCYJNE DOTYCZ\f1\'a5CE OPROGRAMOWANIA\par..\f0 MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Niniejsze postanowienia licencyjne stanowi\f1\'b9 umow\'ea mi\'eadzy Microsoft Corporation (lub, w\~zale\'bfno\'9cci od miejsca zamieszkania Licencjobiorcy, jednym z\~podmiot\f0\'f3w stowarzyszonych Microsoft Corporation) a\~Licencjobiorc\f1\'b9. Maj\'b9 one zastosowanie do wskazanego powy\'bfej oprogramowania. Niniejsze postanowienia maj\'b9 r\f0\'f3wnie\f1\'bf zastosowanie do wszelkich us\'b3ug i aktualizacji Microsoft dla niniejszego oprogramowania, z wyj\'b9tkiem tych, kt\f0\'f3rym towarzysz\f1\'b9 inne postanowienia.\par..\b\
                                                                        C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\1045\thm.wxl
                                                                        Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                                                                        File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):3212
                                                                        Entropy (8bit):5.268378763359481
                                                                        Encrypted:false
                                                                        SSDEEP:48:c5DiTlOPesar4hDo7zGriQjDCN3mDNN0NrsNGl3vxkIP2hUdKLK0KbK4n6W0sfNM:uDiTlusPGriQw8n2rOij4JsU
                                                                        MD5:15172EAF5C2C2E2B008DE04A250A62A1
                                                                        SHA1:ED60F870C473EE87DF39D1584880D964796E6888
                                                                        SHA-256:440B309FCDF61FFC03B269FE3815C60CB52C6AE3FC6ACAD14EAC04D057B6D6EA
                                                                        SHA-512:48AA89CF4A0B64FF4DCB82E372A01DFF423C12111D35A4D27B6D8DD793FFDE130E0037AB5E4477818A0939F61F7DB25295E4271B8B03F209D8F498169B1F9BAE
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instalator [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Czy na pewno chcesz anulowa.?</String>.. <String Id="HelpHeader">Instalator . Pomoc</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [katalog] - Instaluje, naprawia, odinstalowuje.. lub tworzy pe.n. lokaln. kopi. pakietu w katalogu. Domy.lnie jest u.ywany prze..cznik install...../passive | /quiet - Wy.wietla ograniczony interfejs u.ytkownika bez monit.w albo nie wy.wietla ani interfejsu u.ytkownika,.. ani monit.w. Domy.lnie jest wy.wietlany interfejs u.ytkownika oraz wszystkie monity...../norestart - Pom
                                                                        C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\1046\license.rtf
                                                                        Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                                                                        File Type:Rich Text Format data, version 1, ANSI
                                                                        Category:dropped
                                                                        Size (bytes):10656
                                                                        Entropy (8bit):5.092962528947159
                                                                        Encrypted:false
                                                                        SSDEEP:192:WIPAufWXXF0+YkR6E0/CiTS0CsGlHIMqf29H7KxLY/aYzApT3anawLXCBX2:VPAufb+YSSCYrCb5BmW4UDaTqzLwX2
                                                                        MD5:360FC4A7FFCDB915A7CF440221AFAD36
                                                                        SHA1:009F36BBDAD5B9972E8069E53855FC656EA05800
                                                                        SHA-256:9BF79B54F4D62BE501FF53EEDEB18683052A4AE38FF411750A764B3A59077F52
                                                                        SHA-512:9550A99641F194BB504A76DE011D07C1183EE1D83371EE49782FC3D05BF779415630450174DD0C03CB182A5575F6515012337B899E2D084203717D9F110A6FFE
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 TERMOS DE LICEN\'c7A PARA SOFTWARE MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Estes termos de licen\'e7a formam um contrato firmado entre a Microsoft Corporation (ou com base no seu pa\'eds de resid\'eancia, uma de suas afiliadas) e voc\'ea. Eles se aplicam ao software indicado acima. Os termos tamb\'e9m se aplicam a quaisquer servi\'e7os ou atualiza\'e7\'f5es da Microsoft para o software, exceto at\'e9 a extens\'e3o de que eles tenham termos diferentes.\par..\b SE VOC\'ca CONCORDAR COM ESTES TERMOS DE LICEN\'c7A, TER\'c1 OS DIREITOS INDICADOS ABAIXO.\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\sl240\slmult1\t
                                                                        C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\1046\thm.wxl
                                                                        Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                                                                        File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):3095
                                                                        Entropy (8bit):5.150868216959352
                                                                        Encrypted:false
                                                                        SSDEEP:48:c5DiTlO5es/4ThDzmU6lDj4N3mBl0N+NWNP4hHCc9skPDXeKKeK9KfKt4eJ2RQdg:uDiTlJhJGl2UsZMLe6
                                                                        MD5:BE27B98E086D2B8068B16DBF43E18D50
                                                                        SHA1:6FAF34A36C8D9DE55650D0466563852552927603
                                                                        SHA-256:F52B54A0E0D0E8F12CBA9823D88E9FD6822B669074DD1DC69DAD6553F7CB8913
                                                                        SHA-512:3B7C773EF72D40A8B123FDB8FC11C4F354A3B152CF6D247F02E494B0770C28483392C76F3C222E3719CF500FE98F535014192ACDDD2ED9EF971718EA3EC0A73E
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] Instala..o</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Tem certeza de que deseja cancelar?</String>.. <String Id="HelpHeader">Ajuda da Instala..o</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [diret.rio - instala, repara, desinstala ou.. cria uma c.pia local completa do pacote no diret.rio. Install . o padr.o..../passive | /quiet - exibe a IU m.nima sem nenhum prompt ou n.o exibe nenhuma IU e.. nenhum prompt. Por padr.o, a IU e todos os prompts s.o exibidos...../norestart - suprime qualquer tentativa de reiniciar. Por padr.o, a IU perguntar. antes de reiniciar
                                                                        C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\1049\license.rtf
                                                                        Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                                                                        File Type:Rich Text Format data, version 1, ANSI
                                                                        Category:dropped
                                                                        Size (bytes):31915
                                                                        Entropy (8bit):3.6440775919653996
                                                                        Encrypted:false
                                                                        SSDEEP:384:ntaMxngQEqQUaAEJxkSjjujcme51oVwuZOFsrnkGxunWxGc9wtvVYgCzkSxN1S2:npgnmWWNEvVYgCzxD
                                                                        MD5:A59C893E2C2B4063AE821E42519F9812
                                                                        SHA1:C00D0B11F6B25246357053F6620E57D990EFC698
                                                                        SHA-256:0EC8368E87B3DFC92141885A2930BDD99371526E09FC52B84B764C91C5FC47B8
                                                                        SHA-512:B9AD8223DDA2208EC2068DBB85742A03BE0291942E60D4498E3DAB4DDF559AA6DCF9879952F5819223CFC5F4CB71D4E06E4103E129727AACFB8EFE48403A04FA
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\1049\thm.wxl
                                                                        Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                                                                        File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):4150
                                                                        Entropy (8bit):5.444436038992627
                                                                        Encrypted:false
                                                                        SSDEEP:48:c5DiTlDhQt9esbrohDTWJt49kAr7DHN3m5GNDCNvNLIkflhrWncPingGdZwK1Kqp:uDiTlDYVgmt4xJ88k193ipzjvL
                                                                        MD5:17C652452E5EE930A7F1E5E312C17324
                                                                        SHA1:59F3308B87143D8EA0EA319A1F1A1F5DA5759DD3
                                                                        SHA-256:7333BC8E52548821D82B53DBD7D7C4AA1703C85155480CB83CEFD78380C95661
                                                                        SHA-512:53FD207B96D6BCF0A442E2D90B92E26CBB3ECC6ED71B753A416730E8067E831E9EB32981A9E9368C4CCA16AFBCB2051483FDCFC474EA8F0D652FCA934634FBE8
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.. <Control Control="InstallButton" X="275" Y="237" Width="110" Height="23"/>.... <String Id="Caption">......... ......... [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">........?</String>.. <String Id="HelpHeader">....... .. .........</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [.......] - ........., .............., ........ ..... ........ ...... ......... ..... ...... . ......... .. ......... - ............../passive | /quiet - ........... ....
                                                                        C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\1055\license.rtf
                                                                        Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                                                                        File Type:Rich Text Format data, version 1, ANSI
                                                                        Category:dropped
                                                                        Size (bytes):13379
                                                                        Entropy (8bit):5.214715951393874
                                                                        Encrypted:false
                                                                        SSDEEP:192:1fGkc01jIjZTUDUTvXt2QpfC5VAlCPpDwuOfH7df3YwnnbZIWG2XjQeoO9uBO8CA:Iiqx4Uh2QpMVA8haDdv9nbZzG6oQR2
                                                                        MD5:BD2DC15DFEE66076BBA6D15A527089E7
                                                                        SHA1:8768518F2318F1B8A3F8908A056213042A377CC4
                                                                        SHA-256:62A07232017702A32F4B6E43E9C6F063B67098A1483EEDDB31D7C73EAF80A6AF
                                                                        SHA-512:9C9467A2F2D0886FF4302A44AEA89734FCEFBD3CBE04D895BCEACBA1586AB746E62391800E07B6228E054014BE51F14FF63BA71237268F94019063C8C8B7EF74
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset238 Tahoma;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT YAZILIMI L\f1\u304?SANS KO\'aaULLARI\par..\f0 MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Bu lisans ko\f1\'baullar\u305?, Microsoft Corporation (veya ya\'baad\u305?\u287?\u305?n\u305?z yere g\f0\'f6re bir ba\f1\u287?l\u305? \'bairketi) ile sizin aran\u305?zda yap\u305?lan anla\'bamay\u305? olu\'baturur. Bu ko\'baullar, yukar\u305?da ad\u305? ge\f0\'e7en yaz\f1\u305?l\u305?m i\f0\'e7in ge\'e7erlidir. \f1\'aaartlar, yaz\u305?l\u305?m i\f0\'e7in t\'fcm Microsoft hizmetleri veya g\'fcncelle\f1\'batirmeleri i\f0\'e7in, beraberlerinde farkl\f1\u305? \'baartlar bulunmad\u305?\u287?\u305? s\f0\'fcrece ge\'e7erlidir.\par..\b BU L\f1\u304?SANS \'aaARTLARINA UYDU\u286?UNUZ TAKD\u304?RDE A\'aaA\u286?IDAK\u3
                                                                        C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\1055\thm.wxl
                                                                        Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                                                                        File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):3221
                                                                        Entropy (8bit):5.280530692056262
                                                                        Encrypted:false
                                                                        SSDEEP:48:c5DiTlOaesHEqhDTHV4zVy6oBzdp0DYK2GP2ZmN3majyNXNoNKQXVvChcPc+WKb0:uDiTl3PHcIflKNTPgdi12xgg
                                                                        MD5:DEFBEA001DC4EB66553630AC7CE47CCA
                                                                        SHA1:90CED64EC7C861F03484B5D5616FDBCDA8F64788
                                                                        SHA-256:E5ABE3CB3BF84207DAC4E6F5BBA1E693341D01AEA076DD2D91EAA21C6A6CB925
                                                                        SHA-512:B3B7A22D0CDADA21A977F1DCEAF2D73212A4CDDBD298532B1AC97575F36113D45E8D71C60A6D8F8CC2E9DBF18EE1000167CFBF0B2E7ED6F05462D77E0BCA0E90
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] Kurulumu</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.ptal etmek istedi.inizden emin misiniz?</String>.. <String Id="HelpHeader">Kurulum Yard.m.</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [dizin] - y.kler, onar.r, kald.r.r ya da.. dizindeki paketin tam bir yerel kopyas.n. olu.turur. Varsay.lan install de.eridir...../passive | /quiet - en az d.zeyde istemsiz UI g.sterir ya da hi. UI g.stermez ve.. istem yoktur. Varsay.lan olarak UI ve t.m istemler g.r.nt.lenir...../norestart - yeniden ba.lama denemelerini engeller. Varsay.lan olarak UI yeniden ba.l
                                                                        C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\2052\license.rtf
                                                                        Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                                                                        File Type:Rich Text Format data, version 1, ANSI
                                                                        Category:dropped
                                                                        Size (bytes):17863
                                                                        Entropy (8bit):3.9617786349452775
                                                                        Encrypted:false
                                                                        SSDEEP:192:BxoqPyOj+/8Tk5VigWgijAlk5xWvSCI5lgios0EhGXxGMLVGW+uUoqyLZDvAJxMx:vbIeaE7q3KGgzD2
                                                                        MD5:3CF16377C0D1B2E16FFD6E32BF139AC5
                                                                        SHA1:D1A8C3730231D51C7BB85A7A15B948794E99BDCE
                                                                        SHA-256:E95CA64C326A0EF7EF3CED6CDAB072509096356C15D1761646E3C7FDA744D0E0
                                                                        SHA-512:E9862FD0E8EC2B2C2180183D06535A16A527756F6907E6A1D2DB85092636F72C497508E793EE8F2CC8E0D1A5E090C6CCF465F78BC1FA8E68DAF7C68815A0EE16
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\2052\thm.wxl
                                                                        Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                                                                        File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):2978
                                                                        Entropy (8bit):6.135205733555905
                                                                        Encrypted:false
                                                                        SSDEEP:48:c5DiTlOtKesi+hDtkQf7lz+W0gopN3m5+3cNONeN1ra8vWqPtlTKxKUTKlKXRoR+:uDiTlV5kQR9GLeE0ZxV6gIV
                                                                        MD5:3D1E15DEEACE801322E222969A574F17
                                                                        SHA1:58074C83775E1A884FED6679ACF9AC78ABB8A169
                                                                        SHA-256:2AC8B7C19A5189662DE36A0581C90DBAD96DF259EC00A28F609B644C3F39F9CA
                                                                        SHA-512:10797919845C57C5831234E866D730EBD13255E5BF8BA8087D53F1D0FC5D72DC6D5F6945DBEBEE69ACC6A2E20378750C4B78083AE0390632743C184532358E10
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">......</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [..] - .......... ..................Install ........../passive | /quiet - ..... UI ......... UI ... ........ UI ........../norestart - ..................... UI.../log log.txt - ............. %TEMP% ...
                                                                        C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\3082\license.rtf
                                                                        Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                                                                        File Type:Rich Text Format data, version 1, ANSI
                                                                        Category:dropped
                                                                        Size (bytes):10714
                                                                        Entropy (8bit):5.122578090102117
                                                                        Encrypted:false
                                                                        SSDEEP:192:WthGE/9wd8eQF/hJOmQeNrXT77uOlQ+v3AqHqc3wpXGYdjvsk2cwBb2:mhGuhj+ed388Bb2
                                                                        MD5:FBF293EE95AFEF818EAF07BB088A1596
                                                                        SHA1:BBA1991BA6459C9F19B235C43A9B781A24324606
                                                                        SHA-256:1FEC058E374C20CB213F53EB3C44392DDFB2CAA1E04B7120FFD3FA7A296C83E2
                                                                        SHA-512:6971F20964EF74B19077EE81F953342DC6D2895A8640EC84855CECCEA5AEB581E6A628BCD3BA97A5D3ACB6CBE7971FDF84EF670BDDF901857C3CD28855212019
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 T\'c9RMINOS DE LA LICENCIA DE SOFTWARE DE MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME\par..\b0 Estos t\'e9rminos de licencia constituyen un contrato entre Microsoft Corporation (o, en funci\'f3n de donde resida, una de sus filiales) y usted. Se aplican al software antes mencionado. Los t\'e9rminos tambi\'e9n se aplican a cualquier servicio o actualizaci\'f3n de Microsoft para el software, excepto en la medida que tengan t\'e9rminos diferentes.\par..\b SI USTED CUMPLE CON LOS PRESENTES T\'c9RMINOS DE ESTA LICENCIA, DISPONDR\'c1 DE LOS DERECHOS QUE SE DESCRIBEN A CONTINUACI\'d3N.\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\
                                                                        C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\3082\thm.wxl
                                                                        Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                                                                        File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):3265
                                                                        Entropy (8bit):5.0491645049584655
                                                                        Encrypted:false
                                                                        SSDEEP:48:c5DiTlO/esS6VGhDv4tiUiyRUqzC4U+aD6N3m7xNh1NWNGbPz+9o3PWeKK9K9KfT:uDiTlxouUTiySqyIwz9sgxqvjIk8
                                                                        MD5:47F9F8D342C9C22D0C9636BC7362FA8F
                                                                        SHA1:3922D1589E284CE76AB39800E2B064F71123C1C5
                                                                        SHA-256:9CBB2B312C100B309A1B1495E84E2228B937612885F7A642FBBD67969B632C3A
                                                                        SHA-512:E458DF875E9B0622AEBE3C1449868AA6A2826A1F851DB71165A872B2897CF870CCF85046944FF51FFC13BB15E54E9D9424EC36CAF5A2F38CE8B7D6DC0E9B2363
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instalaci.n de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.Est. seguro de que desea cancelar la operaci.n?</String>.. <String Id="HelpHeader">Ayuda de configuraci.n</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - instala, repara, desinstala o.. crea una copia local completa del paquete en el directorio. La opci.n predeterminada es la instalaci.n...../passive | /quiet - muestra una IU m.nima sin solicitudes o no muestra ninguna IU ni.. solicitud. De forma predeterminada, se muestran la IU y todas las solicitudes...../norestart - elimina cualquier intento
                                                                        C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\BootstrapperApplicationData.xml
                                                                        Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                                                                        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
                                                                        Category:modified
                                                                        Size (bytes):13122
                                                                        Entropy (8bit):3.729412080010859
                                                                        Encrypted:false
                                                                        SSDEEP:192:X0sg+QnH5zHqQHG0Hd8Hz7HE06HA0rH3FxF6OxLo3MzLa0LTnDBx7z8NkzzkvQwj:X0sBydLbmnoN10A1TpotVos
                                                                        MD5:B51EF22109AEEA9AE5190E9EF67D9476
                                                                        SHA1:FDF939DA26A1268CDF0510AA40FBCA614947C9FD
                                                                        SHA-256:1031C44505A4D8322C3BFF5BA92AE5E2C84D7041A01537D187726C9D4E862E5F
                                                                        SHA-512:27AA0612337B7473C75BA73EFAF606EE1DB13F7F633151ED5BFF7A9BB5A5AF5502EF3597AE0E95F714F5F0D19A2452413BD18E91516E696DED76C277D0BCA238
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.x./.2.0.1.0./.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a.".>..... . .<.W.i.x.B.a.l.C.o.n.d.i.t.i.o.n. .C.o.n.d.i.t.i.o.n.=.".V.e.r.s.i.o.n.N.T. .&.g.t.;.=. .v.6...0. .O.R. .(.V.e.r.s.i.o.n.N.T. .=. .v.5...1. .A.N.D. .S.e.r.v.i.c.e.P.a.c.k.L.e.v.e.l. .&.g.t.;.=. .2.). .O.R. .(.V.e.r.s.i.o.n.N.T. .=. .v.5...2. .A.N.D. .S.e.r.v.i.c.e.P.a.c.k.L.e.v.e.l. .&.g.t.;.=. .1.).". .M.e.s.s.a.g.e.=.".[.W.i.x.B.u.n.d.l.e.N.a.m.e.]. .c.a.n. .o.n.l.y. .b.e. .i.n.s.t.a.l.l.e.d. .o.n. .W.i.n.d.o.w.s. .X.P. .S.P.2. .a.n.d. .n.e.w.e.r. .p.l.a.t.f.o.r.m.s...". ./.>..... . .<.W.i.x.B.u.n.d.l.e.P.r.o.p.e.r.t.i.e.s. .D.i.s.p.l.a.y.N.a.m.e.=.".M.i.c.r.o.s.o.f.t. .V.i.s.u.a.l. .C.+.+. .2.0.1.5.-.2.0.1.9. .R.e.d.i.s.t.r.i.b.u.t.a.b.l.e. .(.x.8.6.). .-. .1.4...2.5...2.8.5.0.8.". .L.o.g.P.
                                                                        C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\license.rtf
                                                                        Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                                                                        File Type:Rich Text Format data, version 1, ANSI
                                                                        Category:dropped
                                                                        Size (bytes):9046
                                                                        Entropy (8bit):5.157073875669985
                                                                        Encrypted:false
                                                                        SSDEEP:192:W8lZ1UVDWkgWZTIsvPhghtQ1Qf4lCfnEtHixEGx736wHqItfSpOy2:9T15WZMgAYlOnjt5HLoL2
                                                                        MD5:2EABBB391ACB89942396DF5C1CA2BAD8
                                                                        SHA1:182A6F93703549290BCDE92920D37BC1DEC712BB
                                                                        SHA-256:E3156D170014CED8D17A02B3C4FF63237615E5C2A8983B100A78CB1F881D6F38
                                                                        SHA-512:20D656A123A220CD3CA3CCBF61CC58E924B44F1F0A74E70D6850F39CECD101A69BCE73C5ED14018456E022E85B62958F046AA4BD1398AA27303C2E86407C3899
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT SOFTWARE LICENSE TERMS\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. They apply to the software named above. The terms also apply to any Microsoft services or updates for the software, except to the extent those have different terms.\par..\b IF YOU COMPLY WITH THESE LICENSE TERMS, YOU HAVE THE RIGHTS BELOW.\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\sl240\slmult1\tx360 INSTALLATION AND USE RIGHTS. \b0\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-363\
                                                                        C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\logo.png
                                                                        Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                                                                        File Type:PNG image data, 64 x 64, 8-bit colormap, non-interlaced
                                                                        Category:dropped
                                                                        Size (bytes):1861
                                                                        Entropy (8bit):6.868587546770907
                                                                        Encrypted:false
                                                                        SSDEEP:24:q36cnTKM/3kTIQiBmYKHeQWalGt1Sj9kYIt1uZ+bYOQe0IChR95aW:qqiTKMPuUBm7eQJGtYJM1uZCVszaW
                                                                        MD5:D6BD210F227442B3362493D046CEA233
                                                                        SHA1:FF286AC8370FC655AEA0EF35E9CF0BFCB6D698DE
                                                                        SHA-256:335A256D4779EC5DCF283D007FB56FD8211BBCAF47DCD70FE60DED6A112744EF
                                                                        SHA-512:464AAAB9E08DE610AD34B97D4076E92DC04C2CDC6669F60BFC50F0F9CE5D71C31B8943BD84CEE1A04FB9AB5BBED3442BD41D9CB21A0DD170EA97C463E1CE2B5B
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\thm.wxl
                                                                        Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):2952
                                                                        Entropy (8bit):5.052095286906672
                                                                        Encrypted:false
                                                                        SSDEEP:48:c5DiTl/+desK19hDUNKwsqq8+JIDxN3mt7NlN1NVvAdMcgLPDHVXK8KTKjKnSnYF:uDiTl/BbTxmup/vrxATd
                                                                        MD5:FBFCBC4DACC566A3C426F43CE10907B6
                                                                        SHA1:63C45F9A771161740E100FAF710F30EED017D723
                                                                        SHA-256:70400F181D00E1769774FF36BCD8B1AB5FBC431418067D31B876D18CC04EF4CE
                                                                        SHA-512:063FB6685EE8D2FA57863A74D66A83C819FE848BA3072B6E7D1B4FE397A9B24A1037183BB2FDA776033C0936BE83888A6456AAE947E240521E2AB75D984EE35E
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29" />.... <String Id="Caption">[WixBundleName] Setup</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Are you sure you want to cancel?</String>.. <String Id="HelpHeader">Setup Help</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - installs, repairs, uninstalls or.. creates a complete local copy of the bundle in directory. Install is the default...../passive | /quiet - displays minimal UI with no prompts or displays no UI and.. no prompts. By default UI and all prompts are displayed...../norestart - suppress any attempts to restart. By default UI will prompt before restart.../log log.txt - logs to a specific file. B
                                                                        C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\thm.xml
                                                                        Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):8332
                                                                        Entropy (8bit):5.184632608060528
                                                                        Encrypted:false
                                                                        SSDEEP:96:8L2HdQG+3VzHfz96zYFGaPSWXdhRAmImlqFQKFBiUxn7Ke5A82rkO/pWk3nswP:ZHAzZ/3
                                                                        MD5:F62729C6D2540015E072514226C121C7
                                                                        SHA1:C1E189D693F41AC2EAFCC363F7890FC0FEA6979C
                                                                        SHA-256:F13BAE0EC08C91B4A315BB2D86EE48FADE597E7A5440DCE6F751F98A3A4D6916
                                                                        SHA-512:CBBFBFA7E013A2B85B78D71D32FDF65323534816978E7544CA6CEA5286A0F6E8E7E5FFC4C538200211F11B94373D5658732D5D8AA1D01F9CCFDBF20F154F1471
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: <?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<Theme xmlns="http://wixtoolset.org/schemas/thmutil/2010">.. <Window Width="485" Height="300" HexStyle="100a0000" FontId="0">#(loc.Caption)</Window>.. <Font Id="0" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="1" Height="-24" Weight="500" Foreground="000000">Segoe UI</Font>.. <Font Id="2" Height="-22" Weight="500" Foreground="666666">Segoe UI</Font>.. <Font Id="3" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="4" Height="-12" Weight="500" Foreground="ff0000" Background="FFFFFF" Underline="yes">Segoe UI</Font>.... <Image X="11" Y="11" Width="64" Height="64" ImageFile="logo.png" Visible="yes"/>.. <Text X="80" Y="11" Width="-11" Heig
                                                                        C:\Users\user\AppData\Local\Temp\{326F1767-EEA1-4846-94BD-741A750E777A}\.ba\wixstdba.dll
                                                                        Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):195600
                                                                        Entropy (8bit):6.682530937585544
                                                                        Encrypted:false
                                                                        SSDEEP:3072:OXoiFK6b0k77I+QfaIl191rSJHvlalB+8BHkY6v53EfcUzN0m6I+WxBlnKzeZuqt:OXoQNb++gDrSJdr8BHkPh3wIgnK/IU1a
                                                                        MD5:EAB9CAF4277829ABDF6223EC1EFA0EDD
                                                                        SHA1:74862ECF349A9BEDD32699F2A7A4E00B4727543D
                                                                        SHA-256:A4EFBDB2CE55788FFE92A244CB775EFD475526EF5B61AD78DE2BCDFADDAC7041
                                                                        SHA-512:45B15ADE68E0A90EA7300AEB6DCA9BC9E347A63DBA5CE72A635957564D1BDF0B1584A5E34191916498850FC7B3B7ECFBCBFCB246B39DBF59D47F66BC825C6FD2
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl.0001 (copy)
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):0.11023981794886281
                                                                        Encrypted:false
                                                                        SSDEEP:12:26ZzXm/Ey6q9995Jqxnq3qQ10nMCldimE8eawHjcov:26kl68XWqLyMCldzE9BHjcI
                                                                        MD5:9ACCEB03996BAA2D337F925B1B376A06
                                                                        SHA1:A17E8A16A679D1FAB1E2282F8978F64E2097C60C
                                                                        SHA-256:434E197E042FC8C5B6077BFADD001B773ABFBAF359FCF9746E0345ADEB918A40
                                                                        SHA-512:725E735EBE5E63F3A7BF4A96C607B2139040B7BC794B43D8E26EAA6BBE797619EB06B3117764A14489A1CEE42D60C421FE6E73C454F741B205CAAD93599EDF2A
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl.0001 (copy)
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):0.11259308891449593
                                                                        Encrypted:false
                                                                        SSDEEP:12:m2zXm/Ey6q9995ZWx1miM3qQ10nMCldimE8eawHza1miILf:mjl68XWx1tMLyMCldzE9BHza1tIj
                                                                        MD5:10BAFF930693E44442205D7BA9375F18
                                                                        SHA1:5259B4CF69A7A563EB8FF9C4163FE7E1AC4718DE
                                                                        SHA-256:7E2513F8D2CB05E5143307DD65F902D650FA03975D6E480C4AEDF16A009C2235
                                                                        SHA-512:4EF27B58B5DDED0B8982D6F11E686D9F30B0B3041CCA12503E0327E301DCDE0BE3570B42638B26F0508CFAB66E30684A9EC09E3E5950B1F7142C5B812A63AB61
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl.0001b. (copy)
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):0.11268815623331206
                                                                        Encrypted:false
                                                                        SSDEEP:12:A5zXm/Ey6q9995K8x1mK2P3qQ10nMCldimE8eawHza1mKgCf:pl68k8x1iPLyMCldzE9BHza18C
                                                                        MD5:838D85E45BB2748227504930B40EF92A
                                                                        SHA1:F924AE5FFC55B75B794847A3DD1DFDD09B72FCCC
                                                                        SHA-256:5DE1A83B9EDA88E88054EA327A419CC19409DD7066EC8192ADB4581BFEBC7B2D
                                                                        SHA-512:8114EE5D490954828ED39C5DCC0733B311706ED509F598148E31EA2D07EB2F708FD5C49CC6A98C22540F5C7B6F2CB10BDB1B224FBB76135BD1B83806780C5D70
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\fillProxy\ fillProxy.lnk
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Fri Dec 17 13:07:39 2021, mtime=Fri Dec 17 13:07:39 2021, atime=Fri Dec 17 13:07:39 2021, length=0, window=hide
                                                                        Category:dropped
                                                                        Size (bytes):785
                                                                        Entropy (8bit):4.5064847233480165
                                                                        Encrypted:false
                                                                        SSDEEP:12:8mkUUM1RK/a9cDVwxOYdtDhYnll5WGeAjAweizhGYU6Fc5Db5DSGm:8mkDYThyrWPUA+hXnKb1Jm
                                                                        MD5:4BC3850FF59CEF06C27E4E0DC6FB0670
                                                                        SHA1:97EE9101AD801205EAF325409233FA3FA54383DC
                                                                        SHA-256:C4E3DA2552058316EEF67CE17E9F4848A7D98CF367AE4DD50124C47D393C8AEE
                                                                        SHA-512:14D6EF2A0647EAAE8883D14BB36E8781509934A156070E8C23D76475BC64D973455DD47D854CB6D11798FADAFBB5296CA577E7980C7E9EF3152F6AA5DC86E9AB
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: L..................F.... ....\8sO....\8sO....\8sO...........................=....P.O. .:i.....+00.../C:\...................J.1......S.p..ztg.8......S.p.S.p.....|.....................W..z.t.g.....\.1......S.p..FILLPR~1..D......S.p.S.p.....|......................}.f.i.l.l.P.r.o.x.y.....h.2......S.p .UNINST~1.EXE..L......S.p.S.p............................}.U.n.i.n.s.t.a.l.l...e.x.e.......M...............-.......L............&9......C:\ztg\fillProxy\Uninstall.exe..6.....\.....\.....\.....\.....\.....\.....\.....\.....\.z.t.g.\.f.i.l.l.P.r.o.x.y.\.U.n.i.n.s.t.a.l.l...e.x.e...C.:.\.z.t.g.\.f.i.l.l.P.r.o.x.y.`.......X.......320946...........!a..%.H.VZAj......M..........-..!a..%.H.VZAj......M..........-.E.......9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............
                                                                        C:\Windows\Installer\625622.msi
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2019 X86 Minimum Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.25.28508., Template: Intel;1033, Revision Number: {DC639984-8B88-4DB7-A65E-0E5CCB21EAB1}, Create Time/Date: Wed Jan 8 09:28:18 2020, Last Saved Time/Date: Wed Jan 8 09:28:18 2020, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.10.4.4718), Security: 2
                                                                        Category:dropped
                                                                        Size (bytes):192512
                                                                        Entropy (8bit):6.237627585353464
                                                                        Encrypted:false
                                                                        SSDEEP:3072:VGviOApBgbxkK3zoGCK4Kr1kNM+BxWy2bDZRJdNt:8vipBaTDo1j//SZhN
                                                                        MD5:6AA3A12A374E36C6A7BD75B7627A5A7C
                                                                        SHA1:56DD5F67FE9FB9C9B70470F535FC2DD6C2DECF38
                                                                        SHA-256:AA5B428789D83FBCD60442EE253B364C5FC833C698C1DC1EB73F5559A63FB976
                                                                        SHA-512:B3A4497E3629A4ED8DB8C7D83C5D8CF2270D7DCE320CA4D5009EDB0F6CBC3F3759A2F753ED0C673EFAF521AA175E2E6D53FC609F351B8A0AA00D74BC4F179720
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Installer\62562f.msi
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2019 X86 Minimum Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.25.28508., Template: Intel;1033, Revision Number: {DC639984-8B88-4DB7-A65E-0E5CCB21EAB1}, Create Time/Date: Wed Jan 8 09:28:18 2020, Last Saved Time/Date: Wed Jan 8 09:28:18 2020, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.10.4.4718), Security: 2
                                                                        Category:dropped
                                                                        Size (bytes):192512
                                                                        Entropy (8bit):6.237627585353464
                                                                        Encrypted:false
                                                                        SSDEEP:3072:VGviOApBgbxkK3zoGCK4Kr1kNM+BxWy2bDZRJdNt:8vipBaTDo1j//SZhN
                                                                        MD5:6AA3A12A374E36C6A7BD75B7627A5A7C
                                                                        SHA1:56DD5F67FE9FB9C9B70470F535FC2DD6C2DECF38
                                                                        SHA-256:AA5B428789D83FBCD60442EE253B364C5FC833C698C1DC1EB73F5559A63FB976
                                                                        SHA-512:B3A4497E3629A4ED8DB8C7D83C5D8CF2270D7DCE320CA4D5009EDB0F6CBC3F3759A2F753ED0C673EFAF521AA175E2E6D53FC609F351B8A0AA00D74BC4F179720
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Installer\625630.msi
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2019 X86 Additional Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2019 X86 Additional Runtime - 14.25.28508., Template: Intel;1033, Revision Number: {AD7DFCA8-EC53-476F-8C40-02D89ABDEA49}, Create Time/Date: Wed Jan 8 09:31:14 2020, Last Saved Time/Date: Wed Jan 8 09:31:14 2020, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.10.4.4718), Security: 2
                                                                        Category:dropped
                                                                        Size (bytes):184320
                                                                        Entropy (8bit):6.3376915344280516
                                                                        Encrypted:false
                                                                        SSDEEP:3072:JviOApBgbxkK3zoGCK4Kr1kNM+BxWy2bDZRJdN:JvipBaTDo1j//SZhN
                                                                        MD5:4B97853A7D10743D67665CCDD67E8566
                                                                        SHA1:AF5F7059C9A05A388B4773917E17A078FA58F5E9
                                                                        SHA-256:63802C8D96CF21A8EADB1EC5B0B52A9A040581AB2797FE5132E1B3A469108713
                                                                        SHA-512:ED88564A372FBA36FB7F2D98476C82D1D66B17B25AB9B6C34489D33BB7F1D64ABBD2E746E75470E05DECA09252D9B855AB0F37F6F82210AF3F006C9A683C7370
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Installer\625643.msi
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2019 X86 Additional Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2019 X86 Additional Runtime - 14.25.28508., Template: Intel;1033, Revision Number: {AD7DFCA8-EC53-476F-8C40-02D89ABDEA49}, Create Time/Date: Wed Jan 8 09:31:14 2020, Last Saved Time/Date: Wed Jan 8 09:31:14 2020, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.10.4.4718), Security: 2
                                                                        Category:dropped
                                                                        Size (bytes):184320
                                                                        Entropy (8bit):6.3376915344280516
                                                                        Encrypted:false
                                                                        SSDEEP:3072:JviOApBgbxkK3zoGCK4Kr1kNM+BxWy2bDZRJdN:JvipBaTDo1j//SZhN
                                                                        MD5:4B97853A7D10743D67665CCDD67E8566
                                                                        SHA1:AF5F7059C9A05A388B4773917E17A078FA58F5E9
                                                                        SHA-256:63802C8D96CF21A8EADB1EC5B0B52A9A040581AB2797FE5132E1B3A469108713
                                                                        SHA-512:ED88564A372FBA36FB7F2D98476C82D1D66B17B25AB9B6C34489D33BB7F1D64ABBD2E746E75470E05DECA09252D9B855AB0F37F6F82210AF3F006C9A683C7370
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Installer\MSI10C1.tmp
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):791
                                                                        Entropy (8bit):5.467490725746226
                                                                        Encrypted:false
                                                                        SSDEEP:24:iNBVhPUoCpsVraj4PUotQXkXZIMEVlt1hlSpF:iN1PVCmtaMPVAe3EVlt1ez
                                                                        MD5:C7BE5F77095024A189903755EDDA1E16
                                                                        SHA1:62BB3E1FAD36672E98184AEB8D530719892DBD27
                                                                        SHA-256:EAC3184E2D3E77461496949F5175E0194A5B026DFA50CD1C6B9E019916D65DAC
                                                                        SHA-512:D3FCCFCD9640212831040230E58C1B23E12F8B03BF49FC32032AAD5A19091B44835D35A6B56843149DBE2AFB35090FAD61607C989B10851EC4D0D7A1FCD8BD75
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: ...@IXOS.@.....@.1.S.@.....@.....@.....@.....@.....@......&.{0FA68574-690B-4B00-89AA-B28946231449}>.Microsoft Visual C++ 2019 X86 Additional Runtime - 14.25.28508..vc_runtimeAdditional_x86.msi.@.....@\o...@.....@........&.{AD7DFCA8-EC53-476F-8C40-02D89ABDEA49}.....@.....@.....@.....@.......@.....@.....@.......@....>.Microsoft Visual C++ 2019 X86 Additional Runtime - 14.25.28508......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........RegisterProduct..Registering product..[1]i...0......PublishProduct..Publishing product information.......@.....@.....@......&.{0FA68574-690B-4B00-89AA-B28946231449}q.C:\ProgramData\Package Cache\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\packages\vcRuntimeAdditional_x86\...@.....@.....@....
                                                                        C:\Windows\Installer\MSI613D.tmp
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):5108
                                                                        Entropy (8bit):5.7622649564936275
                                                                        Encrypted:false
                                                                        SSDEEP:96:tkDpJ8DphgiHMBN6KX+PDdTdr5J5J5J5J5J5J5J59pqLSQFnfSeeDpFaDlEPW:tLHIX3NN3pWW
                                                                        MD5:B165BFF54ED2B3037537E7057AA1D906
                                                                        SHA1:9C2889D18FF72277766536A68E7E5C33DFBCDA62
                                                                        SHA-256:FEC4AF57451D6C94927A534B234D22628E68ABEF91C21820E4C50B2F436B9F25
                                                                        SHA-512:D6006F265E212E69EC6B87D00D2643FBDCDCC31C3D308ACA6A264E27F176AD88AC781240F75D760C539244DCB5565079147DEDF4EED24193839D31274CB16316
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: ...@IXOS.@.....@.1.S.@.....@.....@.....@.....@.....@......&.{19F7E289-17B8-44EC-A099-927507B6F739};.Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702..vc_runtimeMinimum_x86.msi.@.....@6l...@.....@........&.{4EC06479-0528-4ADB-820D-6027E57F3B81}.....@.....@.....@.....@.......@.....@.....@.......@....;.Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........InstallInitialize......&.{65E5BD06-6392-3027-8C26-853107D3CF1A}....&.{4EC06479-0528-4ADB-820D-6027E57F3B81}c.&.{65E5BD06-6392-3027-8C26-853107D3CF1A}............ProcessComponents..Updating component registration.....@.....@.....@.]....&.{E3819B64-3C56-3DD7-921D-00B011AD31DE}&.{19F7E289-17B8-44EC-A099-927507B6F739}..&.{E3819B64-3C56-3DD7-921D-00B011AD31DE}...@.....@......&.{42F41217-AF8B-33D4-9CB3-FF5F696BECBB}&.{19F7E289-17B8-44EC-A099-927507B6F739}..&.{42F41217-AF8B-33D4-9CB3-FF5F696BECBB}...@.....@......&.{E8E
                                                                        C:\Windows\Installer\MSI67B8.tmp
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):8105
                                                                        Entropy (8bit):5.683211952720898
                                                                        Encrypted:false
                                                                        SSDEEP:96:IDDpeDVDpE8rorjkFEdogLNy5J5J5J5J5J5J5J5J5A25WIh7PYP5k7DR/i8tlDpn:IsWzLzIVPk5k3hl0eSnGYWOK
                                                                        MD5:9923A5C66A253FC50901D84B4E934C70
                                                                        SHA1:4BDA4A33061778DED8ED79C05646E8FB89BB597E
                                                                        SHA-256:7FCEBABD539959D01EFAAD4A99FEE2A51E5A8EDA23137B2B0394F366C04075F9
                                                                        SHA-512:2CA7E2401C2214208C806881946BB01BF62995D6E1697C05AF906AB13473C4D8A5A48F8912A37148F89314870B07FADEC1F966085DC07899A99A94D22867DC72
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: ...@IXOS.@.....@.1.S.@.....@.....@.....@.....@.....@......&.{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2};.Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.25.28508..vc_runtimeMinimum_x86.msi.@.....@\o...@.....@........&.{DC639984-8B88-4DB7-A65E-0E5CCB21EAB1}.....@.....@.....@.....@.......@.....@.....@.......@....;.Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.25.28508......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{E3819B64-3C56-3DD7-921D-00B011AD31DE}@.02:\SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\X86\Version.@.......@.....@.....@......&.{42F41217-AF8B-33D4-9CB3-FF5F696BECBB}...@.......@.....@.....@......&.{E8E39D3B-4F35-36D8-B892-4B28336FE041}$.C:\Windows\SysWOW64\vcruntime140.dll.@.......@.....@.....@......&.{A2AA960C-FD3C-3A6D-BD6F-14933011AFB3} .C:\Windows\SysWOW64\msvcp140.dll.@.......@.....@.....@......&.{A2E7203F-60C2-3D7E-8A46-DB3D
                                                                        C:\Windows\Installer\MSIAC26.tmp
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):6669
                                                                        Entropy (8bit):5.683452530149262
                                                                        Encrypted:false
                                                                        SSDEEP:96:3ZQdlpdwCu5XTQoQMK1UahtL4yrxV7y0oegyBu75J5J5J5J5J5J5J5J5J5J5J5JU:3nCuE1/hhVjxjk3Lso+bAWZ
                                                                        MD5:ED450ADCF7CB34967B1BE10326F66FFB
                                                                        SHA1:F3F67E1F663F9A469D6199B2D13416B6CAADB29B
                                                                        SHA-256:591688E5E5E63F24FCA5FD3CD3CD806F3DFBD4DFDEECE34B8A48A27DD67282AE
                                                                        SHA-512:B6DF2D01F2A991719F46C810F54AD60E1911827D3CAD4F07C962FDE03120524E5B219592EB034DB525483C878517A5A2E319C131DD67F379E41B4D3E021B8B6C
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: ...@IXOS.@.....@.1.S.@.....@.....@.....@.....@.....@......&.{213668DB-2263-4E2D-ABB8-487FD539130E}>.Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702..vc_runtimeAdditional_x86.msi.@.....@6l...@.....@........&.{26AB52D0-6847-46B4-81E4-7CED60CF25DC}.....@.....@.....@.....@.......@.....@.....@.......@....>.Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........InstallInitialize......&.{C78B8E51-0C65-377E-85D1-282F689FE505}....&.{26AB52D0-6847-46B4-81E4-7CED60CF25DC}c.&.{C78B8E51-0C65-377E-85D1-282F689FE505}............ProcessComponents..Updating component registration.....@.....@.....@.]....&.{E3819B64-3C56-3DD7-921D-00B011AD31DE}&.{213668DB-2263-4E2D-ABB8-487FD539130E}..&.{E3819B64-3C56-3DD7-921D-00B011AD31DE}...@.....@......&.{4FD4AB8C-C57F-3782-9230-9CCA22153AD3}&.{213668DB-2263-4E2D-ABB8-487FD539130E}..&.{4FD4AB8C-C57F-3782-9230-9CCA22153AD3}...@.....@...
                                                                        C:\Windows\Installer\MSIBBC8.tmp
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):11258
                                                                        Entropy (8bit):5.590168968874697
                                                                        Encrypted:false
                                                                        SSDEEP:192:BivmH5xSSSLuyAV2YO8tgxgcgSxg76gIdg/g6gmgBgwCUoBaOe9p33LsLNWsrJ5:BivmH5xSSguyA0YOBXSopnQZWsrJ5
                                                                        MD5:5A124D978B288464A727D19313A78EB7
                                                                        SHA1:D25D485E02808C0DB3C1D5F848A1DA25AB431A76
                                                                        SHA-256:8E02702D0A8D62AC022990BE12B9471359A253AC2BBC74CB00A46B947E18533A
                                                                        SHA-512:07BD35B855C6F082EC8B5A0900804FAD1CA5AB895925777FE317DCA15C354C3FE7573207A0EDF391DAA47E4BA6B9F8BCBF17D1BD2042BD2EB01AA7035DCA2EA3
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: ...@IXOS.@.....@.1.S.@.....@.....@.....@.....@.....@......&.{0FA68574-690B-4B00-89AA-B28946231449}>.Microsoft Visual C++ 2019 X86 Additional Runtime - 14.25.28508..vc_runtimeAdditional_x86.msi.@.....@\o...@.....@........&.{AD7DFCA8-EC53-476F-8C40-02D89ABDEA49}.....@.....@.....@.....@.......@.....@.....@.......@....>.Microsoft Visual C++ 2019 X86 Additional Runtime - 14.25.28508......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{E3819B64-3C56-3DD7-921D-00B011AD31DE}@.02:\SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\X86\Version.@.......@.....@.....@......&.{4FD4AB8C-C57F-3782-9230-9CCA22153AD3}..C:\Windows\SysWOW64\mfc140.dll.@.......@.....@.....@......&.{46A1EA6B-3D81-3399-8991-127F7F7AE76A}..C:\Windows\SysWOW64\mfc140u.dll.@.......@.....@.....@......&.{C94DDE19-CC70-3B9A-A6AF-5CA7340B9B9A}..C:\Windows\SysWOW64\mfcm140.dll.@.......@.....@.....@....
                                                                        C:\Windows\Installer\SourceHash{0FA68574-690B-4B00-89AA-B28946231449}
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                        Category:dropped
                                                                        Size (bytes):20480
                                                                        Entropy (8bit):1.2082686062584482
                                                                        Encrypted:false
                                                                        SSDEEP:12:JSbX72FjoZXAlfLIlHuRpWBhG7777777777777777777777777ZDHFw7zpHQEQBM:JIUIwUieFHQjcF
                                                                        MD5:4E3C69BC8111E80EE4E3B6058DF43E23
                                                                        SHA1:984EA30FF375BDE73A38024B947EDE69BA5F0B50
                                                                        SHA-256:31382D8AEF4A8DA2B936DB171A966B440230EEB874AA2639686E4D5B491F00A8
                                                                        SHA-512:6CF09E858E8328D091464B43ACC3973CA5ECBAADF9EB16DCBB65F392C498906F5FE7703EC98CC6F23F7AFC7E7740A1F00C02219933C7A4FA69174E269DDCCF6C
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Installer\SourceHash{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                        Category:dropped
                                                                        Size (bytes):20480
                                                                        Entropy (8bit):1.2061368873547078
                                                                        Encrypted:false
                                                                        SSDEEP:12:JSbX72FjcCXAlfLIlHuRpZhG7777777777777777777777777ZDHFPZx2hs9X4Kc:JNUIwExP2hs9fcF
                                                                        MD5:A7405B76A97BB00AB79009A6A3E038EB
                                                                        SHA1:DE5F0D265C3AFE0EF8513E5593DFD3CD0346A480
                                                                        SHA-256:26A4D0C20836F7E58D5111EC815BF210879FA5AEC79DA99BD67E5132B0D17A5D
                                                                        SHA-512:31FC3BD0673FCE40E0848C0A128350CC19F49671AE04B5CBCD74699C9746F1149269F7D430BB387489B3CD1C21E215D398508A9EFCDFD42B67ECC5C50B8ADD8E
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Installer\inprogressinstallinfo.ipi
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                        Category:dropped
                                                                        Size (bytes):20480
                                                                        Entropy (8bit):1.545655876074451
                                                                        Encrypted:false
                                                                        SSDEEP:48:N8PhYuRc06WXi/nT5Sdj6RLBL7bjSmRSqdZFtmS6WeUJydZQc:whY1RnTkjaLBL7PVRrZFQ8eJZQc
                                                                        MD5:0438BBBC3046D90D1080FC568FA3A7E7
                                                                        SHA1:15806DF19FEE56BB48D60A7580DBDA716D08F3F2
                                                                        SHA-256:8802FFEC988EB7E01F8A28696F79C7F775537AD56AC61BC4D27C285718C8527E
                                                                        SHA-512:9702C29A50BE7AFC49FA681DB79A9FC45137649BDF60B27F79CA5D83DE7F108E35040554647DA9F593DE2DA5CE49320BE891662A5C85CF5D44E15036995598B7
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):122558
                                                                        Entropy (8bit):5.363498910097132
                                                                        Encrypted:false
                                                                        SSDEEP:1536:iHzMV+f84vcIH17Yyxkjr0+NVRVle+yjeLWJOQzi7gZFOIKICh/81r8yQ1oXB4Hz:iHHJCoX5Cz
                                                                        MD5:CB9A2C0D1A8234EB070EBF415B87AD24
                                                                        SHA1:6336802E052304145A27A171E69E21AAF4A0588B
                                                                        SHA-256:A8A2FAE597F59E1995798E1F939BCE9A679C9E97FDC316798903DD2415E6DDE1
                                                                        SHA-512:7E637C451E1C2E088007E4EE887BD38F476730B1B1E3B1EFCDED41C4C3DF16F3F6DC39CD1AC04D2F8C31EC6F1495625EC330590F079250C1DCEBAF85DD7512BB
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: .To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..07/23/2020 10:13:25.847 [3928]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.VisualStudio.Tools.Applications.Hosting, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:13:25.863 [3928]: ngen returning 0x00000000..07/23/2020 10:13:25.925 [1900]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.VisualStudio.Tools.Applications.ServerDocument, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:13:25.925 [1900]: ngen returning 0x00000000..07/23/2020 10:13:25.972 [4436]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.v4.0.Framework, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /N
                                                                        C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log
                                                                        Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                        File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
                                                                        Category:modified
                                                                        Size (bytes):9062
                                                                        Entropy (8bit):3.1638666293151596
                                                                        Encrypted:false
                                                                        SSDEEP:192:cY+38+DJl+ibJ6+ioJJ+i3N+WtT+E9tD+Ett3d+E3zL+Q:j+s+v+b+P+m+0+Q+q+8+Q
                                                                        MD5:7E89F221196774A006E7AA906CEF3EE9
                                                                        SHA1:CD54D4F4A91F88D179BEDB121EA251904A656D64
                                                                        SHA-256:FB8634A3DCA3995F968C2447E59B8C561C2B33523D010835547B3B98206066B5
                                                                        SHA-512:991EB6ED00C4DDD06A0CDAEA983EAFEABD3E078C43CB9C1EB5855787491C12F430ECD2EDFF8044938566D23391983A0BF419C537BA12B46669ADB4CC28B92AA3
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: ..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.............-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
                                                                        C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20211217_140731_915.etl
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):8192
                                                                        Entropy (8bit):3.3906886689365106
                                                                        Encrypted:false
                                                                        SSDEEP:96:RAClJEwo+gE5VI9Y/YnLCI0I2lMThkWS4wAT2hjFzJNMCPdJRQj5H:RzlJNE+h82U8UCr8
                                                                        MD5:F4FD4BDE878EB33D7866ABE7ED32CE7E
                                                                        SHA1:46A0BC9F08C375074B83AF393D3FC3B701D0DF38
                                                                        SHA-256:16E88079FEBCE88E963DD1361558C2E68C8B0575C66113410851FC2C611B779D
                                                                        SHA-512:C7273E409BAC6FEE796986B1E71C25AD14FBF942DF795C53DEE5C998E9E1469D4C42A51E72A62D672C7C5C986158D67725D6096D90C96F4094C7EB4C369167DE
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\SysWOW64\concrt140.dll
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):250144
                                                                        Entropy (8bit):6.698404457805156
                                                                        Encrypted:false
                                                                        SSDEEP:6144:emyq0GgZNA2UwM1vfEcgVAtP+9vIaIgVb5C/U0ZXQVSSIuVxND5S912z/VsDBZAu:eAIMogaIgyRZFuVxNkeztu
                                                                        MD5:92F00AD0D5283A6A763073E2F1E4EB58
                                                                        SHA1:70BCB3C04DDF9A07F4FA65E94FC6997E58606699
                                                                        SHA-256:17079A00DA2F4653B85C9B659088DD485BF84C0B3E5E7E80C7612CAF1EF2BEFC
                                                                        SHA-512:2A7BA56FF5B8BC7B8E7C2729C9E59E806F91188A594F306D8524B01C3752066709030F206AA1556507A90944A58D53E497F8774F90D8E8B5FBD31EEC6430FFB0
                                                                        Malicious:true
                                                                        Reputation:unknown
                                                                        C:\Windows\SysWOW64\mfc140.dll
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):4782880
                                                                        Entropy (8bit):7.048362842065633
                                                                        Encrypted:false
                                                                        SSDEEP:98304:rcQO/zACc35FeIj0v8Tu8expRWrBu2gubZkFLOAkGkzdnEVomFHKnP7z:jqie9v8CVp4Bu2gubZkFLOyomFHKnP
                                                                        MD5:4B9941864214A7BB96D3704420C2D28C
                                                                        SHA1:05ACF3D57A349DCF29BC68A7A6F0DEC6D971B940
                                                                        SHA-256:1F9CCCA43EEF25CA44C69648124265944493FC220BCDECDB79AA28C33468B59B
                                                                        SHA-512:5CB4FFE656AB0C9973A02A7055689F8B945BCFB312B6B324432A717B2C95FF89B35BF70AE553F5176921A7DFF0E8F8F357288496EDC149CB377675130C7AD38B
                                                                        Malicious:true
                                                                        Reputation:unknown
                                                                        C:\Windows\SysWOW64\mfc140chs.dll
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):47592
                                                                        Entropy (8bit):6.147771533863041
                                                                        Encrypted:false
                                                                        SSDEEP:384:DA5dBlsNKvsXZWxdWvYbMktLiBr8uuPgldyevyBb7DVLN1Xzc+pBj0HRN7TPocyF:GdzvsXcb9tLkr8yTby97DVLBWUHui
                                                                        MD5:5EB37CFB087F972E0E9BF8CD9F216D0A
                                                                        SHA1:3FD426C91E122990E7746C415AEB3C9E6A459073
                                                                        SHA-256:9DBE835C0812D759A4461429D4FDE097BB9EC67A97F347F70C9796800DE92BA6
                                                                        SHA-512:865670D5EECF2EAB3BD17348FDCD31EC785F55F345E6048F83B346C16594535F59D68E6EE8F11453C2BD65D89440B50A54903D55E21F6DCB6C7DE79CDC2C06C2
                                                                        Malicious:true
                                                                        Reputation:unknown
                                                                        C:\Windows\SysWOW64\mfc140cht.dll
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):47392
                                                                        Entropy (8bit):6.180362861252495
                                                                        Encrypted:false
                                                                        Malicious:true
                                                                        Reputation:unknown
                                                                        C:\Windows\SysWOW64\mfc140deu.dll
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):76272
                                                                        Entropy (8bit):4.788610818407564
                                                                        Encrypted:false
                                                                        Malicious:true
                                                                        Reputation:unknown
                                                                        C:\Windows\SysWOW64\mfc140enu.dll
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):66336
                                                                        Entropy (8bit):4.921664492323363
                                                                        Encrypted:false
                                                                        Malicious:true
                                                                        Reputation:unknown
                                                                        C:\Windows\SysWOW64\mfc140esn.dll
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):75040
                                                                        Entropy (8bit):4.751545699698718
                                                                        Encrypted:false
                                                                        Malicious:true
                                                                        Reputation:unknown
                                                                        C:\Windows\SysWOW64\mfc140fra.dll
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):76272
                                                                        Entropy (8bit):4.7728351522639585
                                                                        Encrypted:false
                                                                        Malicious:true
                                                                        Reputation:unknown
                                                                        C:\Windows\SysWOW64\mfc140ita.dll
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):74224
                                                                        Entropy (8bit):4.770796960519436
                                                                        Encrypted:false
                                                                        Malicious:true
                                                                        Reputation:unknown
                                                                        C:\Windows\SysWOW64\mfc140jpn.dll
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):55792
                                                                        Entropy (8bit):5.94964592117223
                                                                        Encrypted:false
                                                                        Malicious:true
                                                                        Reputation:unknown
                                                                        C:\Windows\SysWOW64\mfc140kor.dll
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):54768
                                                                        Entropy (8bit):6.1159324346768695
                                                                        Encrypted:false
                                                                        Malicious:true
                                                                        Reputation:unknown
                                                                        C:\Windows\SysWOW64\mfc140rus.dll
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):72176
                                                                        Entropy (8bit):5.322279857085589
                                                                        Encrypted:false
                                                                        Malicious:true
                                                                        Reputation:unknown
                                                                        C:\Windows\SysWOW64\mfc140u.dll
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):5082912
                                                                        Entropy (8bit):6.8680590475042465
                                                                        Encrypted:false
                                                                        Malicious:true
                                                                        Reputation:unknown
                                                                        C:\Windows\SysWOW64\mfcm140.dll
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82720
                                                                        Entropy (8bit):6.481840055375367
                                                                        Encrypted:false
                                                                        Malicious:true
                                                                        Reputation:unknown
                                                                        C:\Windows\SysWOW64\mfcm140u.dll
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82720
                                                                        Entropy (8bit):6.4817802924170635
                                                                        Encrypted:false
                                                                        Malicious:true
                                                                        Reputation:unknown
                                                                        C:\Windows\SysWOW64\msvcp140.dll
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):453920
                                                                        Entropy (8bit):6.66950080753057
                                                                        Encrypted:false
                                                                        SSDEEP:12288:tjBcSw+X+OLM+PBrWHPd9pGDXywWz08oumlBVhUgiW6QR7t5s03Ooc8dHkC2esrG:tjBcSw+1M+PBrWF9IWwWz08ay03Ooc87
                                                                        MD5:697220335E5C4B4126AF45F6F8207896
                                                                        SHA1:8106F2DD4665AEC0D1C652E29378EF46EA4E5801
                                                                        SHA-256:D7446822C53CF6B9E31D5610D838EBF26ED08BF7497A3E022C47FF193CCDE0BE
                                                                        SHA-512:B820735E96600A1382D4097A7638F3286335D93032152B8C85E4EA8196439DFE687E1F8309A81F13A43705A323EDA12BD69EFAC50A09048E57498CEDE4924CF0
                                                                        Malicious:true
                                                                        Reputation:unknown
                                                                        C:\Windows\SysWOW64\msvcp140_1.dll
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):29472
                                                                        Entropy (8bit):6.817865566900363
                                                                        Encrypted:false
                                                                        SSDEEP:384:YXi/n/o+H/UgljjdJu+9WcU5gWE5d6c+pBj0HRN7ToucyHRN7rP1x4l78Ka:YknwQJVdJu1qqWNL3nKa
                                                                        MD5:511F8CF3E1C960B5AA76FDA0B845D246
                                                                        SHA1:6BA029A7C545D64C044AAAD93A3DD00702BDF44E
                                                                        SHA-256:4874449EE85BCA44BE95DEA5FAD6AC4F0F5456788C928844702CC5ED4935DD83
                                                                        SHA-512:5D0F04AD49AC91202254981CB69EE6EEAEF2C89535B5F396D03EB8BC42B786AF6DB1C3763807597DBDD3E13736B70BFBDEF9149EC45190E7DB1E03E62F939EE4
                                                                        Malicious:true
                                                                        Reputation:unknown
                                                                        C:\Windows\SysWOW64\msvcp140_2.dll
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):174064
                                                                        Entropy (8bit):6.871923327983383
                                                                        Encrypted:false
                                                                        SSDEEP:3072:l3ZqbqsS20jBQh6fLPbU7DuJMCIuW4vdzAY9Sx5+9:l3Zq2bQh6fL+CJMpuW4vdEY489
                                                                        MD5:57ED07CB2B239D7CF58EF98040A9B4BD
                                                                        SHA1:40BE57A54102EA5AF3D3173C8815BDF35761E5F5
                                                                        SHA-256:940FF0F7EA7149084533CF81156CAA42A05BB44656164D769DCB299ECF7A350C
                                                                        SHA-512:5459FB26218C13BFC8284E446403964D77CF27ABA51A5149FA7CD916C405811F80A93C93B1310044D586CB7C00489E3AFDDC97343CB40D945BAAEB4B80E971F3
                                                                        Malicious:true
                                                                        Reputation:unknown
                                                                        C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):26400
                                                                        Entropy (8bit):6.826117601279947
                                                                        Encrypted:false
                                                                        SSDEEP:384:hlFGXZfbOwqjmeIFWiWEWu9Pc+pBj0HRN7TsHEcyHRN7rwr2l4UP:UD/OtuWLUG
                                                                        MD5:4905D449E1C36735AF33A8CF4F08895D
                                                                        SHA1:D34E3F579507F23C6B3378DA44E666B85FFF6E3B
                                                                        SHA-256:54CF497485E1247F04EF705157CAD26F2FE9D0C353D5970A6FF8E5848504C4DE
                                                                        SHA-512:6FF95EB8B191D970E145C6A6DE98370A0B464BE215A5A2DC14E98BEF03DBB886444CEEA0906DFFEFE07960CC870AF377D64AC4EAF6D9FE7E7F5E0D4A92080559
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\SysWOW64\vcamp140.dll
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):362272
                                                                        Entropy (8bit):6.480079655173682
                                                                        Encrypted:false
                                                                        SSDEEP:6144:TNdn9nbqWFEijveDAHlreqc7Bd0o+Sb9mut1EFnceq0CR0y5M+:j9uAeMBMBio+Sb9mut1EF1qi+
                                                                        MD5:766A806CF675EBFC1BCD8766D446692A
                                                                        SHA1:71A60564596341323B8544C46A63164974570216
                                                                        SHA-256:F59EEFB0DAF0CDD646C5B522BC14B13BCEA57A1ECD567E7A0B930AA5EAA2EC2F
                                                                        SHA-512:86B06DED1DBF3399ABEAB86C36268AD061CC19AFEF4F694EFE7F5584959F7551E803361A456EEDC2596440617EF28A7BAA6E34CFA6ABB3EC94D8E54D59FD9F01
                                                                        Malicious:true
                                                                        Reputation:unknown
                                                                        C:\Windows\SysWOW64\vccorlib140.dll
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):274208
                                                                        Entropy (8bit):6.608613260235627
                                                                        Encrypted:false
                                                                        SSDEEP:3072:JLZNCBQSuHX5pXCcDWUE1GM6FXNQBkNo9uYKTsWycLfaMHjb3yiH:WuTDJZXiBEkuYKTVfa6
                                                                        MD5:74E8CB0C4E08C63E386F373D1D2C394D
                                                                        SHA1:4134B4A2E5BA4C72A0F8D1472D90E94D7EACBD0F
                                                                        SHA-256:75E6504A83B23A9B3D58885BFB3ED8A5C06FAB4C25139AAB83C2EC0522D2C095
                                                                        SHA-512:84BAB1D2977089AB3BAC41710FAB40AC39D2FE3B0F9FD7AA6D1E2CEDFDE004595F74A8320E21A4D313EECB407B99BAD39429C8AFA65F16698FE485C4C474CBD1
                                                                        Malicious:true
                                                                        Reputation:unknown
                                                                        C:\Windows\SysWOW64\vcomp140.dll
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):141600
                                                                        Entropy (8bit):6.730918695182974
                                                                        Encrypted:false
                                                                        SSDEEP:3072:Dx2TmVYqVACERsarapgaqKSVoSkOuRoJm4t4/lAcXNt:FdbPFqjoPOuRou/lA2f
                                                                        MD5:072DA195F3C547B1584813E02E245CD8
                                                                        SHA1:EDA3A7CD19D4BB362BE37EC06290C1309962D4D4
                                                                        SHA-256:DBCB040304AC8A81E149840DEB816E1C4E5BC20487766541AA8C7C5C0629C804
                                                                        SHA-512:37BF63D59DF173D5152253CE2A4F5A2BB7DC2BF9F63BF7C379ED5BB3C9989BB782E6A836E8C6D7EBF2F927092E098FAA747F31AC4D6296194AEBCCC4EA8F68CE
                                                                        Malicious:true
                                                                        Reputation:unknown
                                                                        C:\Windows\SysWOW64\vcruntime140.dll
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):83232
                                                                        Entropy (8bit):6.884071103046351
                                                                        Encrypted:false
                                                                        SSDEEP:1536:DbLqOxUSsdRwFUzVCNkU1jXCizVaYecbv4MUqQmFk:DaOxfsd6FUp3uhecbv4MU
                                                                        MD5:4C360F78DE1F5BAAA5F110E65FAC94B4
                                                                        SHA1:20A2E66FD577293B33BA1C9D01EF04582DEAF3A5
                                                                        SHA-256:AD1B0992B890BFE88EF52D0A830873ACC0AECC9BD6E4FC22397DBCCF4D2B4E37
                                                                        SHA-512:C6BBA093D2E83B178A783D1DDFD1530C3ADCB623D299D56DB1B94ED34C0447E88930200BF45E5FB961F8FD7AD691310B586A7D754D7A6D7D27D58B74986A4DB8
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\1028\license.rtf
                                                                        Process:C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe
                                                                        File Type:Rich Text Format data, version 1, ANSI
                                                                        Category:dropped
                                                                        Size (bytes):18127
                                                                        Entropy (8bit):4.036737741619669
                                                                        Encrypted:false
                                                                        SSDEEP:192:xaz+aCQbjdBCLCgfvtfLEmmVxJzLKLIW7cBFCoSM0fvJ93eyryH1MqG1xcRY/c5f:seh/IMHexG4q2
                                                                        MD5:B7F65A3A169484D21FA075CCA79083ED
                                                                        SHA1:5DBFA18928529A798FF84C14FD333CB08B3377C0
                                                                        SHA-256:32585B93E69272B6D42DAC718E04D954769FE31AC9217C6431510E9EEAD78C49
                                                                        SHA-512:EDA2F946C2E35464E4272B1C3E4A8DC5F17093C05DAB9A685DBEFD5A870B9D872D8A1645ED6F5B9A72BBB2A59D22DFA58FBF420F6440278CCBE07B6D0555C283
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\1028\thm.wxl
                                                                        Process:C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe
                                                                        File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):2980
                                                                        Entropy (8bit):6.163758160900388
                                                                        Encrypted:false
                                                                        SSDEEP:48:c5DiTlOtMes9T/JhDXsA9EHSniarRFeOrw8N3mZNNTN2N08CEjMUWFPmDlTKJKy2:uDiTlFrDDsA9tfHP8+8nhM0WamzqDFqD
                                                                        MD5:472ABBEDCBAD24DBA5B5F5E8D02C340F
                                                                        SHA1:974F62B5C2E149C3879DD16E5A9DBB9406C3DB85
                                                                        SHA-256:8E2E660DFB66CB453E17F1B6991799678B1C8B350A55F9EBE2BA0028018A15AD
                                                                        SHA-512:676E29378AAED25DE6008D213EFA10D1F5AAD107833E218D71F697E728B7B5B57DE42E7A910F121948D7B1B47AB4F7AE63F71196C747E8AE2B4827F754FC2699
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\1029\license.rtf
                                                                        Process:C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe
                                                                        File Type:Rich Text Format data, version 1, ANSI
                                                                        Category:dropped
                                                                        Size (bytes):13053
                                                                        Entropy (8bit):5.125552901367032
                                                                        Encrypted:false
                                                                        SSDEEP:192:TKwfs7OUpXLa5HEXQwNCNvZSjotXxiwH++3kamdEj6ZDbugDHgbGNlv6NbrYGY9x:Lfs7c5DRH0aHmJGpafU0AliwGra2
                                                                        MD5:B408556A89FCE3B47CD61302ECA64AC9
                                                                        SHA1:AAC1CDAF085162EFF5EAABF562452C93B73370CB
                                                                        SHA-256:21DDCBB0B0860E15FF9294CBB3C4E25B1FE48619210B8A1FDEC90BDCDC8C04BC
                                                                        SHA-512:BDE33918E68388C60750C964CDC213EC069CE1F6430C2AA7CF1626E6785C7C865094E59420D00026918E04B9B8D19FA22AC440F851ADC360759977676F8891E7
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\1029\thm.wxl
                                                                        Process:C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe
                                                                        File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):3333
                                                                        Entropy (8bit):5.370651462060085
                                                                        Encrypted:false
                                                                        SSDEEP:48:c5DiTlOtesM6H2hDdxHOjZxsaIIy3Iy5sDMN3mkNFN7NwcfiPc3hKPnWZLF0hKqZ:uDiTlVxxHOy/9xXfpZJYnL8xK2S
                                                                        MD5:16343005D29EC431891B02F048C7F581
                                                                        SHA1:85A14C40C482D9351271F6119D272D19407C3CE9
                                                                        SHA-256:07FB3EC174F25DFBE532D9D739234D9DFDA8E9D34F01FE660C5B4D56989FA779
                                                                        SHA-512:FF1AE9C21DCFB018DD4EC82A6D43362CB8C591E21F45DD1C25955D83D328B57C8D454BBE33FBC73A70DADF1DFB3AE27502C9B3A8A3FF2DA97085CA0D9A68AB03
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\1031\license.rtf
                                                                        Process:C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe
                                                                        File Type:Rich Text Format data, version 1, ANSI
                                                                        Category:dropped
                                                                        Size (bytes):11936
                                                                        Entropy (8bit):5.194264396634094
                                                                        Encrypted:false
                                                                        SSDEEP:192:+XkOmRUOl6WBsl4kA+sn+mvtI0qHl4qj+iPqk6kVV9iX9GzYNvQ8yOejIpRMrhC2:DDHMFPCeV3i4zOHyOejIpkC2
                                                                        MD5:C2CFA4CE43DFF1FCD200EDD2B1212F0A
                                                                        SHA1:E8286E843192802E5EBF1BE67AE30BCAD75AC4BB
                                                                        SHA-256:F861DB23B972FAAA54520558810387D742878947057CF853DC74E5F6432E6A1B
                                                                        SHA-512:6FDF02A2DC9EF10DD52404F19C300429E7EA40469F00A43CA627F3B7F3868D1724450F99C65B70B9B7B1F2E1FA9D62B8BE1833A8C5AA3CD31C940459F359F30B
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil Tahoma;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT-SOFTWARE-LIZENZBESTIMMUNGEN\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Diese Lizenzbestimmungen sind ein Vertrag zwischen Ihnen und der Microsoft Corporation (bzw. abh\'e4ngig von Ihrem Wohnsitz einem mit Microsoft verbundenen Unternehmen). Sie gelten f\'fcr die oben angef\'fchrte Software. Die Bestimmungen gelten ebenso f\'fcr jegliche von Microsoft angebotenen Dienste oder Updates f\'fcr die Software, sofern diesen keine anderen Bestimmungen beiliegen.\par..\b SOFERN SIE DIESE LIZENZBESTIMMUNGEN EINHALTEN, SIND SIE ZU FOLGENDEM BERECHTIGT:\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\sl240\slmult1\tx360 RECHTE ZUR INSTALLATION UND NUTZUNG. \
                                                                        C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\1031\thm.wxl
                                                                        Process:C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe
                                                                        File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):3379
                                                                        Entropy (8bit):5.094097800535488
                                                                        Encrypted:false
                                                                        SSDEEP:48:c5DiTlOZuesXJhDEVTORNxSMoZN3mteNSiNGNsZuiAXEqicMwhPXbhu9KwKlK8Kq:uDiTl3N7xSbu0N8+AhSNnm
                                                                        MD5:561F3F32DB2453647D1992D4D932E872
                                                                        SHA1:109548642FB7C5CC0159BEDDBCF7752B12B264C0
                                                                        SHA-256:8E0DCA6E085744BFCBFF46F7DCBCFA6FBD722DFA52013EE8CEEAF682D7509581
                                                                        SHA-512:CEF8C80BEF8F88208E0751305DF519C3D2F1C84351A71098DC73392EC06CB61A4ACA35182A0822CF6934E8EE42196E2BCFE810CC859965A9F6F393858A1242DF
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] - Setup</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">M.chten Sie den Vorgang wirklich abbrechen?</String>.. <String Id="HelpHeader">Setup-Hilfe</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [Verzeichnis] - installiert, repariert, deinstalliert oder.. erstellt eine vollst.ndige lokale Kopie des Bundles im Verzeichnis. Installieren ist die Standardeinstellung...../passive | /quiet - zeigt eine minimale Benutzeroberfl.che ohne Eingabeaufforderungen oder keine.. Benutzeroberfl.che und keine Eingabeaufforderungen an. Standardm..ig werden die Benutzeroberfl.che und alle Eingab
                                                                        C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\1036\license.rtf
                                                                        Process:C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe
                                                                        File Type:Rich Text Format data, version 1, ANSI
                                                                        Category:dropped
                                                                        Size (bytes):11593
                                                                        Entropy (8bit):5.106817099949188
                                                                        Encrypted:false
                                                                        SSDEEP:192:aRAbNYjVk+z5GUSLse5GgALEXmAWL+/3FEShP9sJgi8+Ra8woh+89EQdhwQPely6:K4yrPqm9LcVEg9sVp2ohHVdKoXJXci9a
                                                                        MD5:F0FF747B85B1088A317399B0E11D2101
                                                                        SHA1:F13902A39CEAE703A4713AC883D55CFEE5F1876C
                                                                        SHA-256:4D9B7F06BE847E9E135AB3373F381ED7A841E51631E3C2D16E5C40B535DA3BCF
                                                                        SHA-512:AA850F05571FFC361A764A14CA9C1A465E2646A8307DEEE0589852E6ACC61AF145AEF26B502835724D7245900F9F0D441451DD8C055404788CE64415F5B79506
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 TERMES DU CONTRAT DE LICENCE LOGICIEL MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Les pr\'e9sents termes du contrat de licence constituent un contrat entre Microsoft Corporation (ou, en fonction de votre lieu de r\'e9sidence, l\rquote un de ses affili\'e9s) et vous. Ils s\rquote appliquent au logiciel vis\'e9 ci-dessus. Les termes s\rquote appliquent \'e9galement \'e0 tout service et \'e0 toute mise \'e0 jour Microsoft pour ce logiciel, \'e0 moins que d\rquote autres termes n\rquote accompagnent ces \'e9l\'e9ments.\par..\b SI VOUS VOUS CONFORMEZ AUX PR\'c9SENTS TERMES DU CONTRAT DE LICENCE, VOUS AVEZ LES DROITS CI-DESSOUS.\par....\pard{\pntext\f1\'B7\tab}{\*\pn\pnlvlblt\pnf1\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\s
                                                                        C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\1036\thm.wxl
                                                                        Process:C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe
                                                                        File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):3366
                                                                        Entropy (8bit):5.0912204406356905
                                                                        Encrypted:false
                                                                        SSDEEP:48:c5DiTlO1BesgKLhD1K8cocDSN3m4NlN2ZfNmXL8ePZFcZkLPqUf9fQKRLKeKqZfj:uDiTlABzH1/qt4qgcXY
                                                                        MD5:7B46AE8698459830A0F9116BC27DE7DF
                                                                        SHA1:D9BB14D483B88996A591392AE03E245CAE19C6C3
                                                                        SHA-256:704DDF2E60C1F292BE95C7C79EE48FE8BA8534CEB7CCF9A9EA68B1AD788AE9D4
                                                                        SHA-512:FC536DFADBCD81B42F611AC996059A6264E36ECF72A4AEE7D1E37B87AEFED290CC5251C09B68ED0C8719F655B163AD0782ACD8CE6332ED4AB4046C12D8E6DBF6
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Installation de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Voulez-vous vraiment annuler.?</String>.. <String Id="HelpHeader">Aide du programme d'installation</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - installe, r.pare, d.sinstalle ou.. cr.e une copie locale compl.te du groupe dans le r.pertoire. Install est l'option par d.faut...../passive | /quiet - affiche une interface minimale, sans invite, ou n'affiche ni interface.. ni invite. Par d.faut, l'interface et toutes les invites sont affich.es...../norestart - supprime toutes les tentatives de red.
                                                                        C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\1040\license.rtf
                                                                        Process:C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe
                                                                        File Type:Rich Text Format data, version 1, ANSI
                                                                        Category:dropped
                                                                        Size (bytes):11281
                                                                        Entropy (8bit):5.046489958240229
                                                                        Encrypted:false
                                                                        SSDEEP:192:WBGNX6UXR2+5SmgS/ChMErYkQvowHVw6zdgkycEGCDLQ+n3YJ2d8XSiej+T4Ma8f:gAzSVARBR5jEPLQY3YJpSjTP2
                                                                        MD5:9D98044BAC59684489C4CF66C3B34C85
                                                                        SHA1:36AAE7F10A19D336C725CAFC8583B26D1F5E2325
                                                                        SHA-256:A3F745C01DEA84CE746BA630814E68C7C592B965B048DDC4B1BBE1D6E533BE22
                                                                        SHA-512:D849BBB6C87C182CC98C4E2314C0829BB48BAD483D0CD97BF409E75457C3695049C3A8ADFE865E1ECBC989A910096D2C1CDF333705AAC4D22025DF91B355278E
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 CONTRATTO DI LICENZA PER IL SOFTWARE MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Le presenti condizioni di licenza costituiscono il contratto tra Microsoft Corporation (o, in base al luogo di residenza del licenziatario, una delle sue consociate) e il licenziatario, Tali condizioni si applicano al software Microsoft di cui sopra. Le condizioni si applicano inoltre a qualsiasi servizio o aggiornamento di Microsoft relativo al software, a meno che questo non sia accompagnato da condizioni differenti.\par..\b QUALORA IL LICENZIATARIO SI ATTENGA ALLE PRESENTI CONDIZIONI DI LICENZA, DISPORR\'c0 DEI DIRITTI INDICATI DI SEGUITO.\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\p
                                                                        C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\1040\thm.wxl
                                                                        Process:C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe
                                                                        File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):3319
                                                                        Entropy (8bit):5.019774955491369
                                                                        Encrypted:false
                                                                        SSDEEP:48:c5DiTlO1eesy+hD9BOtBFv5Vo8BbQhMNDJN3msNlNohNNz+wcPclM+PAoYKp+K/u:uDiTlfQvo8WutJ/s9FHNOJp
                                                                        MD5:D90BC60FA15299925986A52861B8E5D5
                                                                        SHA1:FADFCA9AB91B1AB4BD7F76132F712357BD6DB760
                                                                        SHA-256:0C57F40CC2091554307AA8A7C35DD38E4596E9513E9EFAE00AC30498EF4E9BC2
                                                                        SHA-512:11764D0E9F286B5AA7B1A9601170833E462A93A1E569A032FCBA9879174305582BD42794D4131B83FBCFBF1CF868A8D5382B11A4BD21F0F7D9B2E87E3C708C3F
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Installazione di [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Annullare?</String>.. <String Id="HelpHeader">Guida alla configurazione</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - installa, ripara, disinstalla o.. crea una copia locale completa del bundle nella directory. L'opzione predefinita . Install...../passive | /quiet - visualizza un'interfaccia utente minima senza prompt oppure non visualizza alcuna interfaccia utente.. n. prompt. Per impostazione predefinita viene visualizzata l'intera interfaccia utente e tutti i prompt...../norestart - annulla quals
                                                                        C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\1041\license.rtf
                                                                        Process:C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe
                                                                        File Type:Rich Text Format data, version 1, ANSI
                                                                        Category:dropped
                                                                        Size (bytes):28232
                                                                        Entropy (8bit):3.7669201853275722
                                                                        Encrypted:false
                                                                        SSDEEP:192:Qkb65jNkzrUJVbpEiTskXHH1AZWoJxfnVnkDYUqfQFXBue6hX2JSfR7q05kWZxhY:epCD3y/ybox2yrk2
                                                                        MD5:8C49936EC4CF0F64CA2398191C462698
                                                                        SHA1:CC069FE8F8BC3B6EE2085A4EACF40DB26C842BAC
                                                                        SHA-256:7355367B7C48F1BBACC66DFFE1D4BF016C16156D020D4156F288C2B2207ED1C2
                                                                        SHA-512:4381147FF6707C3D31C5AE591F68BC61897811112CB507831EFF5E71DD281009400EDA3300E7D3EFDE3545B89BCB71F2036F776C6FDFC73B6B2B2B8FBC084499
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\1041\thm.wxl
                                                                        Process:C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe
                                                                        File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):3959
                                                                        Entropy (8bit):5.955167044943003
                                                                        Encrypted:false
                                                                        SSDEEP:96:uDiTlDuB1n+RNmvFo6bnpojeTPk0R/vueX5OA17IHdGWz:5uB1+gD1DU4EdGE
                                                                        MD5:DC81ED54FD28FC6DB6F139C8DA1BDED6
                                                                        SHA1:9C719C32844F78AAE523ADB8EE42A54D019C2B05
                                                                        SHA-256:6B9BBF90D75CFA7D943F036C01602945FE2FA786C6173E22ACB7AFE18375C7EA
                                                                        SHA-512:FD759C42C7740EE9B42EA910D66B0FA3F813600FD29D074BB592E5E12F5EC09DB6B529680E54F7943821CEFE84CE155A151B89A355D99C25A920BF8F254AA008
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.. <Control Control="InstallButton" X="275" Y="237" Width="110" Height="23"/>.. <Control Control="UninstallButton" X="270" Y="237" Width="120" Height="23"/>.. <Control Control="RepairButton" X="187" Y="237" Width="80" Height="23"/>.. .. <String Id="Caption">[WixBundleName] .......</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">..........</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - ............ ......... .........................
                                                                        C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\1042\license.rtf
                                                                        Process:C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe
                                                                        File Type:Rich Text Format data, version 1, ANSI
                                                                        Category:dropped
                                                                        Size (bytes):27936
                                                                        Entropy (8bit):3.871317037004171
                                                                        Encrypted:false
                                                                        SSDEEP:384:kKIgbA2uBsarNG/HxPvCL1ewjxsXmEw4C7C7R4jAeqCBO968y7yNRylBSFfQv9yH:d3ar8Xa/XAeqoc0wfBB4qN
                                                                        MD5:184D94082717E684EAF081CEC3CBA4B1
                                                                        SHA1:960B9DA48F4CDDF29E78BBAE995B52204B26D51B
                                                                        SHA-256:A4C25DA9E3FBCED47464152C10538F16EE06D8E06BC62E1CF4808D293AA1AFA2
                                                                        SHA-512:E4016C0CA348299B5EF761F456E3B5AD9B99E5E100C07ACAB1369DFEC214E75AA88E9AD2A0952C0CC1B707E2732779E6E3810B3DA6C839F0181DC81E3560CBDA
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\1042\thm.wxl
                                                                        Process:C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe
                                                                        File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):3249
                                                                        Entropy (8bit):5.985100495461761
                                                                        Encrypted:false
                                                                        SSDEEP:48:c5DiTlO4TesKOwhDNJCkt1NhEN3m/NFNkbKNdExpVgUnqx6IPaRc0KoUK9TKz0KR:uDiTlUJJCsgqf6YVoz4uU5vI54U5TY
                                                                        MD5:B3399648C2F30930487F20B50378CEC1
                                                                        SHA1:CA7BDAB3BFEF89F6FA3C4AAF39A165D14069FC3D
                                                                        SHA-256:AD7608B87A7135F408ABF54A897A0F0920080F76013314B00D301D6264AE90B2
                                                                        SHA-512:C5B0ECF11F6DADF2E68BC3AA29CC8B24C0158DAE61FE488042D1105341773166C9EBABE43B2AF691AD4D4B458BF4A4BF9689C5722C536439CA3CDC84C0825965
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] .. ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">........?</String>.. <String Id="HelpHeader">.. ...</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - ..... ... .. .. .... .., .., .. .... ...... ... .........../passive | /quiet - .... .. .. UI. ..... UI ... ..... .... ..... ..... UI. .. ..... ........../norestart - .. .... .. .... ...
                                                                        C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\1045\license.rtf
                                                                        Process:C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe
                                                                        File Type:Rich Text Format data, version 1, ANSI
                                                                        Category:dropped
                                                                        Size (bytes):13265
                                                                        Entropy (8bit):5.358483628484379
                                                                        Encrypted:false
                                                                        SSDEEP:192:TKpWRd0NE41Y/od7V/sHFos7YLQY9DbLM5D+Vw1VAOb0P4/sHLS7VHwHMPw95a+Q:uy0CG9KZ7qQCw1VAOZ/sHOJfcY2wf6p2
                                                                        MD5:5B9DF97FC98938BF2936437430E31ECA
                                                                        SHA1:AB1DA8FECDF85CF487709774033F5B4B79DFF8DE
                                                                        SHA-256:8CB5EB330AA07ACCD6D1C8961F715F66A4F3D69FB291765F8D9F1850105AF617
                                                                        SHA-512:4EF61A484DF85C487BE326AB4F95870813B9D0644DF788CE22D3BEB6E062CDF80732CB0B77FCDA5D4C951A0D67AECF8F5DCD94EA6FA028CFCA11D85AA97714E3
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset238 Tahoma;}{\f2\fnil\fcharset0 Garamond;}{\f3\fnil Tahoma;}{\f4\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 POSTANOWIENIA LICENCYJNE DOTYCZ\f1\'a5CE OPROGRAMOWANIA\par..\f0 MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Niniejsze postanowienia licencyjne stanowi\f1\'b9 umow\'ea mi\'eadzy Microsoft Corporation (lub, w\~zale\'bfno\'9cci od miejsca zamieszkania Licencjobiorcy, jednym z\~podmiot\f0\'f3w stowarzyszonych Microsoft Corporation) a\~Licencjobiorc\f1\'b9. Maj\'b9 one zastosowanie do wskazanego powy\'bfej oprogramowania. Niniejsze postanowienia maj\'b9 r\f0\'f3wnie\f1\'bf zastosowanie do wszelkich us\'b3ug i aktualizacji Microsoft dla niniejszego oprogramowania, z wyj\'b9tkiem tych, kt\f0\'f3rym towarzysz\f1\'b9 inne postanowienia.\par..\b\
                                                                        C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\1045\thm.wxl
                                                                        Process:C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe
                                                                        File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):3212
                                                                        Entropy (8bit):5.268378763359481
                                                                        Encrypted:false
                                                                        SSDEEP:48:c5DiTlOPesar4hDo7zGriQjDCN3mDNN0NrsNGl3vxkIP2hUdKLK0KbK4n6W0sfNM:uDiTlusPGriQw8n2rOij4JsU
                                                                        MD5:15172EAF5C2C2E2B008DE04A250A62A1
                                                                        SHA1:ED60F870C473EE87DF39D1584880D964796E6888
                                                                        SHA-256:440B309FCDF61FFC03B269FE3815C60CB52C6AE3FC6ACAD14EAC04D057B6D6EA
                                                                        SHA-512:48AA89CF4A0B64FF4DCB82E372A01DFF423C12111D35A4D27B6D8DD793FFDE130E0037AB5E4477818A0939F61F7DB25295E4271B8B03F209D8F498169B1F9BAE
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instalator [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Czy na pewno chcesz anulowa.?</String>.. <String Id="HelpHeader">Instalator . Pomoc</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [katalog] - Instaluje, naprawia, odinstalowuje.. lub tworzy pe.n. lokaln. kopi. pakietu w katalogu. Domy.lnie jest u.ywany prze..cznik install...../passive | /quiet - Wy.wietla ograniczony interfejs u.ytkownika bez monit.w albo nie wy.wietla ani interfejsu u.ytkownika,.. ani monit.w. Domy.lnie jest wy.wietlany interfejs u.ytkownika oraz wszystkie monity...../norestart - Pom
                                                                        C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\1046\license.rtf
                                                                        Process:C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe
                                                                        File Type:Rich Text Format data, version 1, ANSI
                                                                        Category:dropped
                                                                        Size (bytes):10656
                                                                        Entropy (8bit):5.092962528947159
                                                                        Encrypted:false
                                                                        SSDEEP:192:WIPAufWXXF0+YkR6E0/CiTS0CsGlHIMqf29H7KxLY/aYzApT3anawLXCBX2:VPAufb+YSSCYrCb5BmW4UDaTqzLwX2
                                                                        MD5:360FC4A7FFCDB915A7CF440221AFAD36
                                                                        SHA1:009F36BBDAD5B9972E8069E53855FC656EA05800
                                                                        SHA-256:9BF79B54F4D62BE501FF53EEDEB18683052A4AE38FF411750A764B3A59077F52
                                                                        SHA-512:9550A99641F194BB504A76DE011D07C1183EE1D83371EE49782FC3D05BF779415630450174DD0C03CB182A5575F6515012337B899E2D084203717D9F110A6FFE
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 TERMOS DE LICEN\'c7A PARA SOFTWARE MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Estes termos de licen\'e7a formam um contrato firmado entre a Microsoft Corporation (ou com base no seu pa\'eds de resid\'eancia, uma de suas afiliadas) e voc\'ea. Eles se aplicam ao software indicado acima. Os termos tamb\'e9m se aplicam a quaisquer servi\'e7os ou atualiza\'e7\'f5es da Microsoft para o software, exceto at\'e9 a extens\'e3o de que eles tenham termos diferentes.\par..\b SE VOC\'ca CONCORDAR COM ESTES TERMOS DE LICEN\'c7A, TER\'c1 OS DIREITOS INDICADOS ABAIXO.\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\sl240\slmult1\t
                                                                        C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\1046\thm.wxl
                                                                        Process:C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe
                                                                        File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):3095
                                                                        Entropy (8bit):5.150868216959352
                                                                        Encrypted:false
                                                                        SSDEEP:48:c5DiTlO5es/4ThDzmU6lDj4N3mBl0N+NWNP4hHCc9skPDXeKKeK9KfKt4eJ2RQdg:uDiTlJhJGl2UsZMLe6
                                                                        MD5:BE27B98E086D2B8068B16DBF43E18D50
                                                                        SHA1:6FAF34A36C8D9DE55650D0466563852552927603
                                                                        SHA-256:F52B54A0E0D0E8F12CBA9823D88E9FD6822B669074DD1DC69DAD6553F7CB8913
                                                                        SHA-512:3B7C773EF72D40A8B123FDB8FC11C4F354A3B152CF6D247F02E494B0770C28483392C76F3C222E3719CF500FE98F535014192ACDDD2ED9EF971718EA3EC0A73E
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] Instala..o</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Tem certeza de que deseja cancelar?</String>.. <String Id="HelpHeader">Ajuda da Instala..o</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [diret.rio - instala, repara, desinstala ou.. cria uma c.pia local completa do pacote no diret.rio. Install . o padr.o..../passive | /quiet - exibe a IU m.nima sem nenhum prompt ou n.o exibe nenhuma IU e.. nenhum prompt. Por padr.o, a IU e todos os prompts s.o exibidos...../norestart - suprime qualquer tentativa de reiniciar. Por padr.o, a IU perguntar. antes de reiniciar
                                                                        C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\1049\license.rtf
                                                                        Process:C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe
                                                                        File Type:Rich Text Format data, version 1, ANSI
                                                                        Category:dropped
                                                                        Size (bytes):31915
                                                                        Entropy (8bit):3.6440775919653996
                                                                        Encrypted:false
                                                                        SSDEEP:384:ntaMxngQEqQUaAEJxkSjjujcme51oVwuZOFsrnkGxunWxGc9wtvVYgCzkSxN1S2:npgnmWWNEvVYgCzxD
                                                                        MD5:A59C893E2C2B4063AE821E42519F9812
                                                                        SHA1:C00D0B11F6B25246357053F6620E57D990EFC698
                                                                        SHA-256:0EC8368E87B3DFC92141885A2930BDD99371526E09FC52B84B764C91C5FC47B8
                                                                        SHA-512:B9AD8223DDA2208EC2068DBB85742A03BE0291942E60D4498E3DAB4DDF559AA6DCF9879952F5819223CFC5F4CB71D4E06E4103E129727AACFB8EFE48403A04FA
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\1049\thm.wxl
                                                                        Process:C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe
                                                                        File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):4150
                                                                        Entropy (8bit):5.444436038992627
                                                                        Encrypted:false
                                                                        SSDEEP:48:c5DiTlDhQt9esbrohDTWJt49kAr7DHN3m5GNDCNvNLIkflhrWncPingGdZwK1Kqp:uDiTlDYVgmt4xJ88k193ipzjvL
                                                                        MD5:17C652452E5EE930A7F1E5E312C17324
                                                                        SHA1:59F3308B87143D8EA0EA319A1F1A1F5DA5759DD3
                                                                        SHA-256:7333BC8E52548821D82B53DBD7D7C4AA1703C85155480CB83CEFD78380C95661
                                                                        SHA-512:53FD207B96D6BCF0A442E2D90B92E26CBB3ECC6ED71B753A416730E8067E831E9EB32981A9E9368C4CCA16AFBCB2051483FDCFC474EA8F0D652FCA934634FBE8
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.. <Control Control="InstallButton" X="275" Y="237" Width="110" Height="23"/>.... <String Id="Caption">......... ......... [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">........?</String>.. <String Id="HelpHeader">....... .. .........</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [.......] - ........., .............., ........ ..... ........ ...... ......... ..... ...... . ......... .. ......... - ............../passive | /quiet - ........... ....
                                                                        C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\1055\license.rtf
                                                                        Process:C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe
                                                                        File Type:Rich Text Format data, version 1, ANSI
                                                                        Category:dropped
                                                                        Size (bytes):13379
                                                                        Entropy (8bit):5.214715951393874
                                                                        Encrypted:false
                                                                        SSDEEP:192:1fGkc01jIjZTUDUTvXt2QpfC5VAlCPpDwuOfH7df3YwnnbZIWG2XjQeoO9uBO8CA:Iiqx4Uh2QpMVA8haDdv9nbZzG6oQR2
                                                                        MD5:BD2DC15DFEE66076BBA6D15A527089E7
                                                                        SHA1:8768518F2318F1B8A3F8908A056213042A377CC4
                                                                        SHA-256:62A07232017702A32F4B6E43E9C6F063B67098A1483EEDDB31D7C73EAF80A6AF
                                                                        SHA-512:9C9467A2F2D0886FF4302A44AEA89734FCEFBD3CBE04D895BCEACBA1586AB746E62391800E07B6228E054014BE51F14FF63BA71237268F94019063C8C8B7EF74
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset238 Tahoma;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT YAZILIMI L\f1\u304?SANS KO\'aaULLARI\par..\f0 MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Bu lisans ko\f1\'baullar\u305?, Microsoft Corporation (veya ya\'baad\u305?\u287?\u305?n\u305?z yere g\f0\'f6re bir ba\f1\u287?l\u305? \'bairketi) ile sizin aran\u305?zda yap\u305?lan anla\'bamay\u305? olu\'baturur. Bu ko\'baullar, yukar\u305?da ad\u305? ge\f0\'e7en yaz\f1\u305?l\u305?m i\f0\'e7in ge\'e7erlidir. \f1\'aaartlar, yaz\u305?l\u305?m i\f0\'e7in t\'fcm Microsoft hizmetleri veya g\'fcncelle\f1\'batirmeleri i\f0\'e7in, beraberlerinde farkl\f1\u305? \'baartlar bulunmad\u305?\u287?\u305? s\f0\'fcrece ge\'e7erlidir.\par..\b BU L\f1\u304?SANS \'aaARTLARINA UYDU\u286?UNUZ TAKD\u304?RDE A\'aaA\u286?IDAK\u3
                                                                        C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\1055\thm.wxl
                                                                        Process:C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe
                                                                        File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):3221
                                                                        Entropy (8bit):5.280530692056262
                                                                        Encrypted:false
                                                                        SSDEEP:48:c5DiTlOaesHEqhDTHV4zVy6oBzdp0DYK2GP2ZmN3majyNXNoNKQXVvChcPc+WKb0:uDiTl3PHcIflKNTPgdi12xgg
                                                                        MD5:DEFBEA001DC4EB66553630AC7CE47CCA
                                                                        SHA1:90CED64EC7C861F03484B5D5616FDBCDA8F64788
                                                                        SHA-256:E5ABE3CB3BF84207DAC4E6F5BBA1E693341D01AEA076DD2D91EAA21C6A6CB925
                                                                        SHA-512:B3B7A22D0CDADA21A977F1DCEAF2D73212A4CDDBD298532B1AC97575F36113D45E8D71C60A6D8F8CC2E9DBF18EE1000167CFBF0B2E7ED6F05462D77E0BCA0E90
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] Kurulumu</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.ptal etmek istedi.inizden emin misiniz?</String>.. <String Id="HelpHeader">Kurulum Yard.m.</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [dizin] - y.kler, onar.r, kald.r.r ya da.. dizindeki paketin tam bir yerel kopyas.n. olu.turur. Varsay.lan install de.eridir...../passive | /quiet - en az d.zeyde istemsiz UI g.sterir ya da hi. UI g.stermez ve.. istem yoktur. Varsay.lan olarak UI ve t.m istemler g.r.nt.lenir...../norestart - yeniden ba.lama denemelerini engeller. Varsay.lan olarak UI yeniden ba.l
                                                                        C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\2052\license.rtf
                                                                        Process:C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe
                                                                        File Type:Rich Text Format data, version 1, ANSI
                                                                        Category:dropped
                                                                        Size (bytes):17863
                                                                        Entropy (8bit):3.9617786349452775
                                                                        Encrypted:false
                                                                        SSDEEP:192:BxoqPyOj+/8Tk5VigWgijAlk5xWvSCI5lgios0EhGXxGMLVGW+uUoqyLZDvAJxMx:vbIeaE7q3KGgzD2
                                                                        MD5:3CF16377C0D1B2E16FFD6E32BF139AC5
                                                                        SHA1:D1A8C3730231D51C7BB85A7A15B948794E99BDCE
                                                                        SHA-256:E95CA64C326A0EF7EF3CED6CDAB072509096356C15D1761646E3C7FDA744D0E0
                                                                        SHA-512:E9862FD0E8EC2B2C2180183D06535A16A527756F6907E6A1D2DB85092636F72C497508E793EE8F2CC8E0D1A5E090C6CCF465F78BC1FA8E68DAF7C68815A0EE16
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\2052\thm.wxl
                                                                        Process:C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe
                                                                        File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):2978
                                                                        Entropy (8bit):6.135205733555905
                                                                        Encrypted:false
                                                                        SSDEEP:48:c5DiTlOtKesi+hDtkQf7lz+W0gopN3m5+3cNONeN1ra8vWqPtlTKxKUTKlKXRoR+:uDiTlV5kQR9GLeE0ZxV6gIV
                                                                        MD5:3D1E15DEEACE801322E222969A574F17
                                                                        SHA1:58074C83775E1A884FED6679ACF9AC78ABB8A169
                                                                        SHA-256:2AC8B7C19A5189662DE36A0581C90DBAD96DF259EC00A28F609B644C3F39F9CA
                                                                        SHA-512:10797919845C57C5831234E866D730EBD13255E5BF8BA8087D53F1D0FC5D72DC6D5F6945DBEBEE69ACC6A2E20378750C4B78083AE0390632743C184532358E10
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">......</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [..] - .......... ..................Install ........../passive | /quiet - ..... UI ......... UI ... ........ UI ........../norestart - ..................... UI.../log log.txt - ............. %TEMP% ...
                                                                        C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\3082\license.rtf
                                                                        Process:C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe
                                                                        File Type:Rich Text Format data, version 1, ANSI
                                                                        Category:dropped
                                                                        Size (bytes):10714
                                                                        Entropy (8bit):5.122578090102117
                                                                        Encrypted:false
                                                                        SSDEEP:192:WthGE/9wd8eQF/hJOmQeNrXT77uOlQ+v3AqHqc3wpXGYdjvsk2cwBb2:mhGuhj+ed388Bb2
                                                                        MD5:FBF293EE95AFEF818EAF07BB088A1596
                                                                        SHA1:BBA1991BA6459C9F19B235C43A9B781A24324606
                                                                        SHA-256:1FEC058E374C20CB213F53EB3C44392DDFB2CAA1E04B7120FFD3FA7A296C83E2
                                                                        SHA-512:6971F20964EF74B19077EE81F953342DC6D2895A8640EC84855CECCEA5AEB581E6A628BCD3BA97A5D3ACB6CBE7971FDF84EF670BDDF901857C3CD28855212019
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 T\'c9RMINOS DE LA LICENCIA DE SOFTWARE DE MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME\par..\b0 Estos t\'e9rminos de licencia constituyen un contrato entre Microsoft Corporation (o, en funci\'f3n de donde resida, una de sus filiales) y usted. Se aplican al software antes mencionado. Los t\'e9rminos tambi\'e9n se aplican a cualquier servicio o actualizaci\'f3n de Microsoft para el software, excepto en la medida que tengan t\'e9rminos diferentes.\par..\b SI USTED CUMPLE CON LOS PRESENTES T\'c9RMINOS DE ESTA LICENCIA, DISPONDR\'c1 DE LOS DERECHOS QUE SE DESCRIBEN A CONTINUACI\'d3N.\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\
                                                                        C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\3082\thm.wxl
                                                                        Process:C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe
                                                                        File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):3265
                                                                        Entropy (8bit):5.0491645049584655
                                                                        Encrypted:false
                                                                        SSDEEP:48:c5DiTlO/esS6VGhDv4tiUiyRUqzC4U+aD6N3m7xNh1NWNGbPz+9o3PWeKK9K9KfT:uDiTlxouUTiySqyIwz9sgxqvjIk8
                                                                        MD5:47F9F8D342C9C22D0C9636BC7362FA8F
                                                                        SHA1:3922D1589E284CE76AB39800E2B064F71123C1C5
                                                                        SHA-256:9CBB2B312C100B309A1B1495E84E2228B937612885F7A642FBBD67969B632C3A
                                                                        SHA-512:E458DF875E9B0622AEBE3C1449868AA6A2826A1F851DB71165A872B2897CF870CCF85046944FF51FFC13BB15E54E9D9424EC36CAF5A2F38CE8B7D6DC0E9B2363
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instalaci.n de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.Est. seguro de que desea cancelar la operaci.n?</String>.. <String Id="HelpHeader">Ayuda de configuraci.n</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - instala, repara, desinstala o.. crea una copia local completa del paquete en el directorio. La opci.n predeterminada es la instalaci.n...../passive | /quiet - muestra una IU m.nima sin solicitudes o no muestra ninguna IU ni.. solicitud. De forma predeterminada, se muestran la IU y todas las solicitudes...../norestart - elimina cualquier intento
                                                                        C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\BootstrapperApplicationData.xml
                                                                        Process:C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe
                                                                        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):13122
                                                                        Entropy (8bit):3.729412080010859
                                                                        Encrypted:false
                                                                        SSDEEP:192:X0sg+QnH5zHqQHG0Hd8Hz7HE06HA0rH3FxF6OxLo3MzLa0LTnDBx7z8NkzzkvQwj:X0sBydLbmnoN10A1TpotVos
                                                                        MD5:B51EF22109AEEA9AE5190E9EF67D9476
                                                                        SHA1:FDF939DA26A1268CDF0510AA40FBCA614947C9FD
                                                                        SHA-256:1031C44505A4D8322C3BFF5BA92AE5E2C84D7041A01537D187726C9D4E862E5F
                                                                        SHA-512:27AA0612337B7473C75BA73EFAF606EE1DB13F7F633151ED5BFF7A9BB5A5AF5502EF3597AE0E95F714F5F0D19A2452413BD18E91516E696DED76C277D0BCA238
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: <?xml version="1.0" encoding="utf-16"?>..<BootstrapperApplicationData xmlns="http://schemas.microsoft.com/wix/2010/BootstrapperApplicationData">.. <WixBalCondition Condition="VersionNT &gt;= v6.0 OR (VersionNT = v5.1 AND ServicePackLevel &gt;= 2) OR (VersionNT = v5.2 AND ServicePackLevel &gt;= 1)" Message="[WixBundleName] can only be installed on Windows XP SP2 and newer platforms." />.. <WixBundleProperties DisplayName="Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.25.28508" LogP
                                                                        C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\license.rtf
                                                                        Process:C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe
                                                                        File Type:Rich Text Format data, version 1, ANSI
                                                                        Category:dropped
                                                                        Size (bytes):9046
                                                                        Entropy (8bit):5.157073875669985
                                                                        Encrypted:false
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT SOFTWARE LICENSE TERMS\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. They apply to the software named above. The terms also apply to any Microsoft services or updates for the software, except to the extent those have different terms.\par..\b IF YOU COMPLY WITH THESE LICENSE TERMS, YOU HAVE THE RIGHTS BELOW.\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\sl240\slmult1\tx360 INSTALLATION AND USE RIGHTS. \b0\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-363\
                                                                        C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\logo.png
                                                                        Process:C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe
                                                                        File Type:PNG image data, 64 x 64, 8-bit colormap, non-interlaced
                                                                        Category:dropped
                                                                        Size (bytes):1861
                                                                        Entropy (8bit):6.868587546770907
                                                                        Encrypted:false
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\thm.wxl
                                                                        Process:C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe
                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):2952
                                                                        Entropy (8bit):5.052095286906672
                                                                        Encrypted:false
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29" />.... <String Id="Caption">[WixBundleName] Setup</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Are you sure you want to cancel?</String>.. <String Id="HelpHeader">Setup Help</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - installs, repairs, uninstalls or.. creates a complete local copy of the bundle in directory. Install is the default...../passive | /quiet - displays minimal UI with no prompts or displays no UI and.. no prompts. By default UI and all prompts are displayed...../norestart - suppress any attempts to restart. By default UI will prompt before restart.../log log.txt - logs to a specific file. B
                                                                        C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\thm.xml
                                                                        Process:C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe
                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):8332
                                                                        Entropy (8bit):5.184632608060528
                                                                        Encrypted:false
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: <?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<Theme xmlns="http://wixtoolset.org/schemas/thmutil/2010">.. <Window Width="485" Height="300" HexStyle="100a0000" FontId="0">#(loc.Caption)</Window>.. <Font Id="0" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="1" Height="-24" Weight="500" Foreground="000000">Segoe UI</Font>.. <Font Id="2" Height="-22" Weight="500" Foreground="666666">Segoe UI</Font>.. <Font Id="3" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="4" Height="-12" Weight="500" Foreground="ff0000" Background="FFFFFF" Underline="yes">Segoe UI</Font>.... <Image X="11" Y="11" Width="64" Height="64" ImageFile="logo.png" Visible="yes"/>.. <Text X="80" Y="11" Width="-11" Heig
                                                                        C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.ba\wixstdba.dll
                                                                        Process:C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):195600
                                                                        Entropy (8bit):6.682530937585544
                                                                        Encrypted:false
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exe
                                                                        Process:C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):647912
                                                                        Entropy (8bit):7.215948724836638
                                                                        Encrypted:false
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\cab54A5CABBE7274D8A22EB58060AAB7623
                                                                        Process:C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe
                                                                        File Type:Microsoft Cabinet archive data, 1350653 bytes, 50 files
                                                                        Category:dropped
                                                                        Size (bytes):1367669
                                                                        Entropy (8bit):7.997832401624505
                                                                        Encrypted:true
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\cabB3E1576D1FEFBB979E13B1A5379E0B16
                                                                        Process:C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe
                                                                        File Type:Microsoft Cabinet archive data, 5194062 bytes, 14 files
                                                                        Category:dropped
                                                                        Size (bytes):5211054
                                                                        Entropy (8bit):7.998080908238165
                                                                        Encrypted:true
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\vcRuntimeAdditional_x86
                                                                        Process:C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe
                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2019 X86 Additional Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2019 X86 Additional Runtime - 14.25.28508., Template: Intel;1033, Revision Number: {AD7DFCA8-EC53-476F-8C40-02D89ABDEA49}, Create Time/Date: Wed Jan 8 09:31:14 2020, Last Saved Time/Date: Wed Jan 8 09:31:14 2020, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.10.4.4718), Security: 2
                                                                        Category:dropped
                                                                        Size (bytes):184320
                                                                        Entropy (8bit):6.3376915344280516
                                                                        Encrypted:false
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\vcRuntimeMinimum_x86
                                                                        Process:C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe
                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2019 X86 Minimum Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.25.28508., Template: Intel;1033, Revision Number: {DC639984-8B88-4DB7-A65E-0E5CCB21EAB1}, Create Time/Date: Wed Jan 8 09:28:18 2020, Last Saved Time/Date: Wed Jan 8 09:28:18 2020, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.10.4.4718), Security: 2
                                                                        Category:dropped
                                                                        Size (bytes):192512
                                                                        Entropy (8bit):6.237627585353464
                                                                        Encrypted:false
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\1028\license.rtf
                                                                        Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                                                                        File Type:Rich Text Format data, version 1, ANSI
                                                                        Category:dropped
                                                                        Size (bytes):18127
                                                                        Entropy (8bit):4.036737741619669
                                                                        Encrypted:false
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\1028\thm.wxl
                                                                        Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                                                                        File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):2980
                                                                        Entropy (8bit):6.163758160900388
                                                                        Encrypted:false
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\1029\license.rtf
                                                                        Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                                                                        File Type:Rich Text Format data, version 1, ANSI
                                                                        Category:dropped
                                                                        Size (bytes):13053
                                                                        Entropy (8bit):5.125552901367032
                                                                        Encrypted:false
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\1029\thm.wxl
                                                                        Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                                                                        File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):3333
                                                                        Entropy (8bit):5.370651462060085
                                                                        Encrypted:false
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\1031\license.rtf
                                                                        Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                                                                        File Type:Rich Text Format data, version 1, ANSI
                                                                        Category:dropped
                                                                        Size (bytes):11936
                                                                        Entropy (8bit):5.194264396634094
                                                                        Encrypted:false
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\1031\thm.wxl
                                                                        Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                                                                        File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):3379
                                                                        Entropy (8bit):5.094097800535488
                                                                        Encrypted:false
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\1036\license.rtf
                                                                        Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                                                                        File Type:Rich Text Format data, version 1, ANSI
                                                                        Category:dropped
                                                                        Size (bytes):11593
                                                                        Entropy (8bit):5.106817099949188
                                                                        Encrypted:false
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\1036\thm.wxl
                                                                        Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                                                                        File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):3366
                                                                        Entropy (8bit):5.0912204406356905
                                                                        Encrypted:false
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\1040\license.rtf
                                                                        Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                                                                        File Type:Rich Text Format data, version 1, ANSI
                                                                        Category:dropped
                                                                        Size (bytes):11281
                                                                        Entropy (8bit):5.046489958240229
                                                                        Encrypted:false
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\1040\thm.wxl
                                                                        Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                                                                        File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):3319
                                                                        Entropy (8bit):5.019774955491369
                                                                        Encrypted:false
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\1041\license.rtf
                                                                        Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                                                                        File Type:Rich Text Format data, version 1, ANSI
                                                                        Category:dropped
                                                                        Size (bytes):28232
                                                                        Entropy (8bit):3.7669201853275722
                                                                        Encrypted:false
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\1041\thm.wxl
                                                                        Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                                                                        File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):3959
                                                                        Entropy (8bit):5.955167044943003
                                                                        Encrypted:false
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\1042\license.rtf
                                                                        Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                                                                        File Type:Rich Text Format data, version 1, ANSI
                                                                        Category:dropped
                                                                        Size (bytes):27936
                                                                        Entropy (8bit):3.871317037004171
                                                                        Encrypted:false
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\1042\thm.wxl
                                                                        Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                                                                        File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):3249
                                                                        Entropy (8bit):5.985100495461761
                                                                        Encrypted:false
                                                                        SSDEEP:48:c5DiTlO4TesKOwhDNJCkt1NhEN3m/NFNkbKNdExpVgUnqx6IPaRc0KoUK9TKz0KR:uDiTlUJJCsgqf6YVoz4uU5vI54U5TY
                                                                        MD5:B3399648C2F30930487F20B50378CEC1
                                                                        SHA1:CA7BDAB3BFEF89F6FA3C4AAF39A165D14069FC3D
                                                                        SHA-256:AD7608B87A7135F408ABF54A897A0F0920080F76013314B00D301D6264AE90B2
                                                                        SHA-512:C5B0ECF11F6DADF2E68BC3AA29CC8B24C0158DAE61FE488042D1105341773166C9EBABE43B2AF691AD4D4B458BF4A4BF9689C5722C536439CA3CDC84C0825965
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\1045\license.rtf
                                                                        Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                                                                        File Type:Rich Text Format data, version 1, ANSI
                                                                        Category:dropped
                                                                        Size (bytes):13265
                                                                        Entropy (8bit):5.358483628484379
                                                                        Encrypted:false
                                                                        SSDEEP:192:TKpWRd0NE41Y/od7V/sHFos7YLQY9DbLM5D+Vw1VAOb0P4/sHLS7VHwHMPw95a+Q:uy0CG9KZ7qQCw1VAOZ/sHOJfcY2wf6p2
                                                                        MD5:5B9DF97FC98938BF2936437430E31ECA
                                                                        SHA1:AB1DA8FECDF85CF487709774033F5B4B79DFF8DE
                                                                        SHA-256:8CB5EB330AA07ACCD6D1C8961F715F66A4F3D69FB291765F8D9F1850105AF617
                                                                        SHA-512:4EF61A484DF85C487BE326AB4F95870813B9D0644DF788CE22D3BEB6E062CDF80732CB0B77FCDA5D4C951A0D67AECF8F5DCD94EA6FA028CFCA11D85AA97714E3
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\1045\thm.wxl
                                                                        Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                                                                        File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):3212
                                                                        Entropy (8bit):5.268378763359481
                                                                        Encrypted:false
                                                                        SSDEEP:48:c5DiTlOPesar4hDo7zGriQjDCN3mDNN0NrsNGl3vxkIP2hUdKLK0KbK4n6W0sfNM:uDiTlusPGriQw8n2rOij4JsU
                                                                        MD5:15172EAF5C2C2E2B008DE04A250A62A1
                                                                        SHA1:ED60F870C473EE87DF39D1584880D964796E6888
                                                                        SHA-256:440B309FCDF61FFC03B269FE3815C60CB52C6AE3FC6ACAD14EAC04D057B6D6EA
                                                                        SHA-512:48AA89CF4A0B64FF4DCB82E372A01DFF423C12111D35A4D27B6D8DD793FFDE130E0037AB5E4477818A0939F61F7DB25295E4271B8B03F209D8F498169B1F9BAE
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\1046\license.rtf
                                                                        Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                                                                        File Type:Rich Text Format data, version 1, ANSI
                                                                        Category:dropped
                                                                        Size (bytes):10656
                                                                        Entropy (8bit):5.092962528947159
                                                                        Encrypted:false
                                                                        SSDEEP:192:WIPAufWXXF0+YkR6E0/CiTS0CsGlHIMqf29H7KxLY/aYzApT3anawLXCBX2:VPAufb+YSSCYrCb5BmW4UDaTqzLwX2
                                                                        MD5:360FC4A7FFCDB915A7CF440221AFAD36
                                                                        SHA1:009F36BBDAD5B9972E8069E53855FC656EA05800
                                                                        SHA-256:9BF79B54F4D62BE501FF53EEDEB18683052A4AE38FF411750A764B3A59077F52
                                                                        SHA-512:9550A99641F194BB504A76DE011D07C1183EE1D83371EE49782FC3D05BF779415630450174DD0C03CB182A5575F6515012337B899E2D084203717D9F110A6FFE
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\1046\thm.wxl
                                                                        Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                                                                        File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):3095
                                                                        Entropy (8bit):5.150868216959352
                                                                        Encrypted:false
                                                                        SSDEEP:48:c5DiTlO5es/4ThDzmU6lDj4N3mBl0N+NWNP4hHCc9skPDXeKKeK9KfKt4eJ2RQdg:uDiTlJhJGl2UsZMLe6
                                                                        MD5:BE27B98E086D2B8068B16DBF43E18D50
                                                                        SHA1:6FAF34A36C8D9DE55650D0466563852552927603
                                                                        SHA-256:F52B54A0E0D0E8F12CBA9823D88E9FD6822B669074DD1DC69DAD6553F7CB8913
                                                                        SHA-512:3B7C773EF72D40A8B123FDB8FC11C4F354A3B152CF6D247F02E494B0770C28483392C76F3C222E3719CF500FE98F535014192ACDDD2ED9EF971718EA3EC0A73E
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\1049\license.rtf
                                                                        Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                                                                        File Type:Rich Text Format data, version 1, ANSI
                                                                        Category:dropped
                                                                        Size (bytes):31915
                                                                        Entropy (8bit):3.6440775919653996
                                                                        Encrypted:false
                                                                        SSDEEP:384:ntaMxngQEqQUaAEJxkSjjujcme51oVwuZOFsrnkGxunWxGc9wtvVYgCzkSxN1S2:npgnmWWNEvVYgCzxD
                                                                        MD5:A59C893E2C2B4063AE821E42519F9812
                                                                        SHA1:C00D0B11F6B25246357053F6620E57D990EFC698
                                                                        SHA-256:0EC8368E87B3DFC92141885A2930BDD99371526E09FC52B84B764C91C5FC47B8
                                                                        SHA-512:B9AD8223DDA2208EC2068DBB85742A03BE0291942E60D4498E3DAB4DDF559AA6DCF9879952F5819223CFC5F4CB71D4E06E4103E129727AACFB8EFE48403A04FA
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\1049\thm.wxl
                                                                        Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                                                                        File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):4150
                                                                        Entropy (8bit):5.444436038992627
                                                                        Encrypted:false
                                                                        SSDEEP:48:c5DiTlDhQt9esbrohDTWJt49kAr7DHN3m5GNDCNvNLIkflhrWncPingGdZwK1Kqp:uDiTlDYVgmt4xJ88k193ipzjvL
                                                                        MD5:17C652452E5EE930A7F1E5E312C17324
                                                                        SHA1:59F3308B87143D8EA0EA319A1F1A1F5DA5759DD3
                                                                        SHA-256:7333BC8E52548821D82B53DBD7D7C4AA1703C85155480CB83CEFD78380C95661
                                                                        SHA-512:53FD207B96D6BCF0A442E2D90B92E26CBB3ECC6ED71B753A416730E8067E831E9EB32981A9E9368C4CCA16AFBCB2051483FDCFC474EA8F0D652FCA934634FBE8
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\1055\license.rtf
                                                                        Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                                                                        File Type:Rich Text Format data, version 1, ANSI
                                                                        Category:dropped
                                                                        Size (bytes):13379
                                                                        Entropy (8bit):5.214715951393874
                                                                        Encrypted:false
                                                                        SSDEEP:192:1fGkc01jIjZTUDUTvXt2QpfC5VAlCPpDwuOfH7df3YwnnbZIWG2XjQeoO9uBO8CA:Iiqx4Uh2QpMVA8haDdv9nbZzG6oQR2
                                                                        MD5:BD2DC15DFEE66076BBA6D15A527089E7
                                                                        SHA1:8768518F2318F1B8A3F8908A056213042A377CC4
                                                                        SHA-256:62A07232017702A32F4B6E43E9C6F063B67098A1483EEDDB31D7C73EAF80A6AF
                                                                        SHA-512:9C9467A2F2D0886FF4302A44AEA89734FCEFBD3CBE04D895BCEACBA1586AB746E62391800E07B6228E054014BE51F14FF63BA71237268F94019063C8C8B7EF74
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\1055\thm.wxl
                                                                        Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                                                                        File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):3221
                                                                        Entropy (8bit):5.280530692056262
                                                                        Encrypted:false
                                                                        SSDEEP:48:c5DiTlOaesHEqhDTHV4zVy6oBzdp0DYK2GP2ZmN3majyNXNoNKQXVvChcPc+WKb0:uDiTl3PHcIflKNTPgdi12xgg
                                                                        MD5:DEFBEA001DC4EB66553630AC7CE47CCA
                                                                        SHA1:90CED64EC7C861F03484B5D5616FDBCDA8F64788
                                                                        SHA-256:E5ABE3CB3BF84207DAC4E6F5BBA1E693341D01AEA076DD2D91EAA21C6A6CB925
                                                                        SHA-512:B3B7A22D0CDADA21A977F1DCEAF2D73212A4CDDBD298532B1AC97575F36113D45E8D71C60A6D8F8CC2E9DBF18EE1000167CFBF0B2E7ED6F05462D77E0BCA0E90
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\2052\license.rtf
                                                                        Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                                                                        File Type:Rich Text Format data, version 1, ANSI
                                                                        Category:dropped
                                                                        Size (bytes):17863
                                                                        Entropy (8bit):3.9617786349452775
                                                                        Encrypted:false
                                                                        SSDEEP:192:BxoqPyOj+/8Tk5VigWgijAlk5xWvSCI5lgios0EhGXxGMLVGW+uUoqyLZDvAJxMx:vbIeaE7q3KGgzD2
                                                                        MD5:3CF16377C0D1B2E16FFD6E32BF139AC5
                                                                        SHA1:D1A8C3730231D51C7BB85A7A15B948794E99BDCE
                                                                        SHA-256:E95CA64C326A0EF7EF3CED6CDAB072509096356C15D1761646E3C7FDA744D0E0
                                                                        SHA-512:E9862FD0E8EC2B2C2180183D06535A16A527756F6907E6A1D2DB85092636F72C497508E793EE8F2CC8E0D1A5E090C6CCF465F78BC1FA8E68DAF7C68815A0EE16
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\2052\thm.wxl
                                                                        Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                                                                        File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):2978
                                                                        Entropy (8bit):6.135205733555905
                                                                        Encrypted:false
                                                                        SSDEEP:48:c5DiTlOtKesi+hDtkQf7lz+W0gopN3m5+3cNONeN1ra8vWqPtlTKxKUTKlKXRoR+:uDiTlV5kQR9GLeE0ZxV6gIV
                                                                        MD5:3D1E15DEEACE801322E222969A574F17
                                                                        SHA1:58074C83775E1A884FED6679ACF9AC78ABB8A169
                                                                        SHA-256:2AC8B7C19A5189662DE36A0581C90DBAD96DF259EC00A28F609B644C3F39F9CA
                                                                        SHA-512:10797919845C57C5831234E866D730EBD13255E5BF8BA8087D53F1D0FC5D72DC6D5F6945DBEBEE69ACC6A2E20378750C4B78083AE0390632743C184532358E10
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\3082\license.rtf
                                                                        Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                                                                        File Type:Rich Text Format data, version 1, ANSI
                                                                        Category:dropped
                                                                        Size (bytes):10714
                                                                        Entropy (8bit):5.122578090102117
                                                                        Encrypted:false
                                                                        SSDEEP:192:WthGE/9wd8eQF/hJOmQeNrXT77uOlQ+v3AqHqc3wpXGYdjvsk2cwBb2:mhGuhj+ed388Bb2
                                                                        MD5:FBF293EE95AFEF818EAF07BB088A1596
                                                                        SHA1:BBA1991BA6459C9F19B235C43A9B781A24324606
                                                                        SHA-256:1FEC058E374C20CB213F53EB3C44392DDFB2CAA1E04B7120FFD3FA7A296C83E2
                                                                        SHA-512:6971F20964EF74B19077EE81F953342DC6D2895A8640EC84855CECCEA5AEB581E6A628BCD3BA97A5D3ACB6CBE7971FDF84EF670BDDF901857C3CD28855212019
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 T\'c9RMINOS DE LA LICENCIA DE SOFTWARE DE MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME\par..\b0 Estos t\'e9rminos de licencia constituyen un contrato entre Microsoft Corporation (o, en funci\'f3n de donde resida, una de sus filiales) y usted. Se aplican al software antes mencionado. Los t\'e9rminos tambi\'e9n se aplican a cualquier servicio o actualizaci\'f3n de Microsoft para el software, excepto en la medida que tengan t\'e9rminos diferentes.\par..\b SI USTED CUMPLE CON LOS PRESENTES T\'c9RMINOS DE ESTA LICENCIA, DISPONDR\'c1 DE LOS DERECHOS QUE SE DESCRIBEN A CONTINUACI\'d3N.\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\
                                                                        C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\3082\thm.wxl
                                                                        Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                                                                        File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):3265
                                                                        Entropy (8bit):5.0491645049584655
                                                                        Encrypted:false
                                                                        SSDEEP:48:c5DiTlO/esS6VGhDv4tiUiyRUqzC4U+aD6N3m7xNh1NWNGbPz+9o3PWeKK9K9KfT:uDiTlxouUTiySqyIwz9sgxqvjIk8
                                                                        MD5:47F9F8D342C9C22D0C9636BC7362FA8F
                                                                        SHA1:3922D1589E284CE76AB39800E2B064F71123C1C5
                                                                        SHA-256:9CBB2B312C100B309A1B1495E84E2228B937612885F7A642FBBD67969B632C3A
                                                                        SHA-512:E458DF875E9B0622AEBE3C1449868AA6A2826A1F851DB71165A872B2897CF870CCF85046944FF51FFC13BB15E54E9D9424EC36CAF5A2F38CE8B7D6DC0E9B2363
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instalaci.n de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.Est. seguro de que desea cancelar la operaci.n?</String>.. <String Id="HelpHeader">Ayuda de configuraci.n</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - instala, repara, desinstala o.. crea una copia local completa del paquete en el directorio. La opci.n predeterminada es la instalaci.n...../passive | /quiet - muestra una IU m.nima sin solicitudes o no muestra ninguna IU ni.. solicitud. De forma predeterminada, se muestran la IU y todas las solicitudes...../norestart - elimina cualquier intento
                                                                        C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\BootstrapperApplicationData.xml
                                                                        Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                                                                        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):13122
                                                                        Entropy (8bit):3.7302550311932055
                                                                        Encrypted:false
                                                                        SSDEEP:192:X0sgKnH5zHqQHG0Hd8Hz7HE06HA0rH3F5FhFxLo3SzLa0LgnOBx7z8NkzzkvQaiS:X0sLdLbmnoNfb0e1TpotVoi
                                                                        MD5:E45E751A540729570C17491DF5A6E5EF
                                                                        SHA1:7FFDE23B6813BF7326FDE6E0F4A01F9E6F735026
                                                                        SHA-256:4F6462CE939AC30F5CA0657DC8567071329551460898D470D6B7058A623DD73E
                                                                        SHA-512:E9CD4F9451D7C280AC5EBD4A7B638D7EA7D517EB1DDA5992F7578E7FBB552008BC9231B3DEC5851356EB26FE81AC5A1FCF17DEAE934F53B5DADDC077B9F71288
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.x./.2.0.1.0./.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a.".>..... . .<.W.i.x.B.a.l.C.o.n.d.i.t.i.o.n. .C.o.n.d.i.t.i.o.n.=.".V.e.r.s.i.o.n.N.T. .&.g.t.;.=. .v.6...0. .O.R. .(.V.e.r.s.i.o.n.N.T. .=. .v.5...1. .A.N.D. .S.e.r.v.i.c.e.P.a.c.k.L.e.v.e.l. .&.g.t.;.=. .2.). .O.R. .(.V.e.r.s.i.o.n.N.T. .=. .v.5...2. .A.N.D. .S.e.r.v.i.c.e.P.a.c.k.L.e.v.e.l. .&.g.t.;.=. .1.).". .M.e.s.s.a.g.e.=.".[.W.i.x.B.u.n.d.l.e.N.a.m.e.]. .c.a.n. .o.n.l.y. .b.e. .i.n.s.t.a.l.l.e.d. .o.n. .W.i.n.d.o.w.s. .X.P. .S.P.2. .a.n.d. .n.e.w.e.r. .p.l.a.t.f.o.r.m.s...". ./.>..... . .<.W.i.x.B.u.n.d.l.e.P.r.o.p.e.r.t.i.e.s. .D.i.s.p.l.a.y.N.a.m.e.=.".M.i.c.r.o.s.o.f.t. .V.i.s.u.a.l. .C.+.+. .2.0.1.5.-.2.0.1.9. .R.e.d.i.s.t.r.i.b.u.t.a.b.l.e. .(.x.8.6.). .-. .1.4...2.1...2.7.7.0.2.". .L.o.g.P.
                                                                        C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\license.rtf
                                                                        Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                                                                        File Type:Rich Text Format data, version 1, ANSI
                                                                        Category:dropped
                                                                        Size (bytes):9046
                                                                        Entropy (8bit):5.157073875669985
                                                                        Encrypted:false
                                                                        SSDEEP:192:W8lZ1UVDWkgWZTIsvPhghtQ1Qf4lCfnEtHixEGx736wHqItfSpOy2:9T15WZMgAYlOnjt5HLoL2
                                                                        MD5:2EABBB391ACB89942396DF5C1CA2BAD8
                                                                        SHA1:182A6F93703549290BCDE92920D37BC1DEC712BB
                                                                        SHA-256:E3156D170014CED8D17A02B3C4FF63237615E5C2A8983B100A78CB1F881D6F38
                                                                        SHA-512:20D656A123A220CD3CA3CCBF61CC58E924B44F1F0A74E70D6850F39CECD101A69BCE73C5ED14018456E022E85B62958F046AA4BD1398AA27303C2E86407C3899
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT SOFTWARE LICENSE TERMS\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. They apply to the software named above. The terms also apply to any Microsoft services or updates for the software, except to the extent those have different terms.\par..\b IF YOU COMPLY WITH THESE LICENSE TERMS, YOU HAVE THE RIGHTS BELOW.\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\sl240\slmult1\tx360 INSTALLATION AND USE RIGHTS. \b0\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-363\
                                                                        C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\logo.png
                                                                        Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                                                                        File Type:PNG image data, 64 x 64, 8-bit colormap, non-interlaced
                                                                        Category:dropped
                                                                        Size (bytes):1861
                                                                        Entropy (8bit):6.868587546770907
                                                                        Encrypted:false
                                                                        SSDEEP:24:q36cnTKM/3kTIQiBmYKHeQWalGt1Sj9kYIt1uZ+bYOQe0IChR95aW:qqiTKMPuUBm7eQJGtYJM1uZCVszaW
                                                                        MD5:D6BD210F227442B3362493D046CEA233
                                                                        SHA1:FF286AC8370FC655AEA0EF35E9CF0BFCB6D698DE
                                                                        SHA-256:335A256D4779EC5DCF283D007FB56FD8211BBCAF47DCD70FE60DED6A112744EF
                                                                        SHA-512:464AAAB9E08DE610AD34B97D4076E92DC04C2CDC6669F60BFC50F0F9CE5D71C31B8943BD84CEE1A04FB9AB5BBED3442BD41D9CB21A0DD170EA97C463E1CE2B5B
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\thm.wxl
                                                                        Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):2952
                                                                        Entropy (8bit):5.052095286906672
                                                                        Encrypted:false
                                                                        SSDEEP:48:c5DiTl/+desK19hDUNKwsqq8+JIDxN3mt7NlN1NVvAdMcgLPDHVXK8KTKjKnSnYF:uDiTl/BbTxmup/vrxATd
                                                                        MD5:FBFCBC4DACC566A3C426F43CE10907B6
                                                                        SHA1:63C45F9A771161740E100FAF710F30EED017D723
                                                                        SHA-256:70400F181D00E1769774FF36BCD8B1AB5FBC431418067D31B876D18CC04EF4CE
                                                                        SHA-512:063FB6685EE8D2FA57863A74D66A83C819FE848BA3072B6E7D1B4FE397A9B24A1037183BB2FDA776033C0936BE83888A6456AAE947E240521E2AB75D984EE35E
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29" />.... <String Id="Caption">[WixBundleName] Setup</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Are you sure you want to cancel?</String>.. <String Id="HelpHeader">Setup Help</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - installs, repairs, uninstalls or.. creates a complete local copy of the bundle in directory. Install is the default...../passive | /quiet - displays minimal UI with no prompts or displays no UI and.. no prompts. By default UI and all prompts are displayed...../norestart - suppress any attempts to restart. By default UI will prompt before restart.../log log.txt - logs to a specific file. B
                                                                        C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\thm.xml
                                                                        Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):8332
                                                                        Entropy (8bit):5.184632608060528
                                                                        Encrypted:false
                                                                        SSDEEP:96:8L2HdQG+3VzHfz96zYFGaPSWXdhRAmImlqFQKFBiUxn7Ke5A82rkO/pWk3nswP:ZHAzZ/3
                                                                        MD5:F62729C6D2540015E072514226C121C7
                                                                        SHA1:C1E189D693F41AC2EAFCC363F7890FC0FEA6979C
                                                                        SHA-256:F13BAE0EC08C91B4A315BB2D86EE48FADE597E7A5440DCE6F751F98A3A4D6916
                                                                        SHA-512:CBBFBFA7E013A2B85B78D71D32FDF65323534816978E7544CA6CEA5286A0F6E8E7E5FFC4C538200211F11B94373D5658732D5D8AA1D01F9CCFDBF20F154F1471
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: <?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<Theme xmlns="http://wixtoolset.org/schemas/thmutil/2010">.. <Window Width="485" Height="300" HexStyle="100a0000" FontId="0">#(loc.Caption)</Window>.. <Font Id="0" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="1" Height="-24" Weight="500" Foreground="000000">Segoe UI</Font>.. <Font Id="2" Height="-22" Weight="500" Foreground="666666">Segoe UI</Font>.. <Font Id="3" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="4" Height="-12" Weight="500" Foreground="ff0000" Background="FFFFFF" Underline="yes">Segoe UI</Font>.... <Image X="11" Y="11" Width="64" Height="64" ImageFile="logo.png" Visible="yes"/>.. <Text X="80" Y="11" Width="-11" Heig
                                                                        C:\Windows\Temp\{AF4E4CD4-6132-4D65-BCE1-7698957569EC}\.ba\wixstdba.dll
                                                                        Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):195600
                                                                        Entropy (8bit):6.682530937585544
                                                                        Encrypted:false
                                                                        SSDEEP:3072:OXoiFK6b0k77I+QfaIl191rSJHvlalB+8BHkY6v53EfcUzN0m6I+WxBlnKzeZuqt:OXoQNb++gDrSJdr8BHkPh3wIgnK/IU1a
                                                                        MD5:EAB9CAF4277829ABDF6223EC1EFA0EDD
                                                                        SHA1:74862ECF349A9BEDD32699F2A7A4E00B4727543D
                                                                        SHA-256:A4EFBDB2CE55788FFE92A244CB775EFD475526EF5B61AD78DE2BCDFADDAC7041
                                                                        SHA-512:45B15ADE68E0A90EA7300AEB6DCA9BC9E347A63DBA5CE72A635957564D1BDF0B1584A5E34191916498850FC7B3B7ECFBCBFCB246B39DBF59D47F66BC825C6FD2
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3..R...R...R..h.N..R..h.L.R..h.M..R.......R.......R.......R...*<..R...*,..R...R...S..K....R..K....R..N.@..R...R(..R..K....R..Rich.R..................PE..L......Z...........!................d.....................................................@..............................................................D......,.......T...............................@...............X............................text............................... ..`.rdata.............................@..@.data...............................@....gfids..............................@..@.rsrc...............................@..@.reloc..,...........................@..B........................................................................................................................................................................................................................................
                                                                        C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe
                                                                        Process:C:\ztg\fillProxy\bin\vcredist_x86.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):647912
                                                                        Entropy (8bit):7.215948724836638
                                                                        Encrypted:false
                                                                        SSDEEP:12288:snMwHskY7gjcjhVIEhqgM7bWvcsi6aVhPIyP3WRCzJ9ztLz5/YTDd:6MysZgjS1hqgSC/izxf+czJZhz5Qnd
                                                                        MD5:2F9D2B6CE54F9095695B53D1AA217C7B
                                                                        SHA1:3F54934C240F1955301811D2C399728A3E6D1272
                                                                        SHA-256:0009D3F27837C3AF3F6FFF7973FAF07AFAA4B53119846F55B6F2A79F1759C757
                                                                        SHA-512:692857F960F26039C7B0AF6329E65A71E8588FF71EAAC6B956BD6E437994A8D5A470C7E75DD776E0772E473967B64D5EA0E1D8396546691316DAF4D6B8CCC237
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'.u.'.u.'.u.......u.....[.u.....?.u...v.4.u...q.4.u...p...u.....".u....6.u.'.t.v.u...p.l.u....&.u.'..%.u...w.&.u.Rich'.u.........................PE..L......Z.....................v......m.............@..........................p............@..............................................;...............$...0...=.. t..T...................tt......@n..@...................$........................text.............................. ..`.rdata..............................@..@.data...@...........................@....wixburn8...........................@..@.tls................................@....gfids..............................@..@.rsrc....;.......<..................@..@.reloc...=...0...>..................@..B........................................................................................................................................................
                                                                        C:\Windows\Temp\~DF012430724D794CCC.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                        Category:dropped
                                                                        Size (bytes):32768
                                                                        Entropy (8bit):1.2406512392763793
                                                                        Encrypted:false
                                                                        SSDEEP:48:985uEs4vFXiiT5Ydj6RLBL7bSS2fsl8RSqmeSIV0dZQc:q5n3TSjaLBL7mIeRnJsZQc
                                                                        MD5:7D5C30083AD1B8664F1E63B811C40B83
                                                                        SHA1:BF18EB1CD642299367296B55AC4706418F893557
                                                                        SHA-256:87C33814B7A5576BDEB263EEDBF8A0A5F480EAEE48B74230E57484C5779E7A39
                                                                        SHA-512:7A390C76E061AE8281AE0B6E2FFF6BA2086135DA0BCCC84754272739DD0E9133FD157F165EED903E0A170535C5DB86ADB7EF3B9143E0EA65E269EBF507BB6A58
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DF03D02E3D6B2974E4.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):512
                                                                        Entropy (8bit):0.0
                                                                        Encrypted:false
                                                                        SSDEEP:3::
                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DF086CCE247ABE84D5.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):512
                                                                        Entropy (8bit):0.0
                                                                        Encrypted:false
                                                                        SSDEEP:3::
                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DF18EEA78C974DDD69.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                        Category:dropped
                                                                        Size (bytes):20480
                                                                        Entropy (8bit):1.5513471836912807
                                                                        Encrypted:false
                                                                        SSDEEP:48:48PhBuRc06WXi/FT5zdj6RLBL7bSS2fsl8RSqmeSIV0dZQc:HhB1RFTXjaLBL7mIeRnJsZQc
                                                                        MD5:23DFF72F459C43FB0DFC54D4611AA65C
                                                                        SHA1:80F227B563E579943B536DA17009FE6E112F78FC
                                                                        SHA-256:F7DA8E345D6FE329E26C58956E2F86536A5BB6B6B9D95402C7BC4A6BE3B30C00
                                                                        SHA-512:CDC1736067760B13CABFF980AB903071F4FD575327BC4979997C6D5F3B7E9D9CFAFFC6E2E47D4E34B3D6EF5854BF68B009F52356698A9C2B2B2A3F1021000C7F
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DF19F17A4E28716C15.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):512
                                                                        Entropy (8bit):0.0
                                                                        Encrypted:false
                                                                        SSDEEP:3::
                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DF1C9E2603C700F950.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):512
                                                                        Entropy (8bit):0.0
                                                                        Encrypted:false
                                                                        SSDEEP:3::
                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DF2078C7993C901858.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):512
                                                                        Entropy (8bit):0.0
                                                                        Encrypted:false
                                                                        SSDEEP:3::
                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DF257E18FAB60BB310.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                        Category:dropped
                                                                        Size (bytes):32768
                                                                        Entropy (8bit):1.2364567567671987
                                                                        Encrypted:false
                                                                        SSDEEP:48:rsmQuau4vFXiAT5ddj6RLBL7bjSmRSqdZFtmS6WeUJydZQc:LQzVTRjaLBL7PVRrZFQ8eJZQc
                                                                        MD5:528567E37CFFB157C4BC2EAB9E00EB7C
                                                                        SHA1:678190752C4D1ADAF73F0E4518A4F26C4AE2BD8E
                                                                        SHA-256:30F71FD3831DD2D5670104D049638FA0559FA8EA83AD62EA0CBCB3349A248C3C
                                                                        SHA-512:06C47026C537DB7274B7900BFD33713F569F14DBABD995ADC752A47D0E1FCC2820FDDD3C826DE4AD36F14CFA53B98DA0190E415DBE95D2565F12DE1CFE5F47B5
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DF271EE37F47106041.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):512
                                                                        Entropy (8bit):0.0
                                                                        Encrypted:false
                                                                        SSDEEP:3::
                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DF32086BD069C0DF46.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):512
                                                                        Entropy (8bit):0.0
                                                                        Encrypted:false
                                                                        SSDEEP:3::
                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DF450C3B3D19FF0928.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):32768
                                                                        Entropy (8bit):0.101966517312601
                                                                        Encrypted:false
                                                                        SSDEEP:6:xPLG7iVCnLG7iVrKOzPLHKOP1/x2I2M9R9X4IOxkQliVky6lJl0t/:50i8n0itFzDHFPZx2hs9X4KQDr01
                                                                        MD5:4C576594FA66D0DC4C7A6A7AE5F90728
                                                                        SHA1:501FA73B78162CE60B28F7010F01F19C7DAC0832
                                                                        SHA-256:A75EB9D68001602F6E03987E09472D3C25851AA318AE58DB08C085E4E81D5F2E
                                                                        SHA-512:D10BE1817CB6B1004614FB05DB54FDC2DFE732C7F15934E0D0E2242D313FC61254F60B34F587D9D731A7A52EDB3394635143C249082E9E68C7F38CBFFE35E0D6
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DF488E440D45FB4016.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                        Category:dropped
                                                                        Size (bytes):32768
                                                                        Entropy (8bit):1.2406512392763793
                                                                        Encrypted:false
                                                                        SSDEEP:48:985uEs4vFXiiT5Ydj6RLBL7bSS2fsl8RSqmeSIV0dZQc:q5n3TSjaLBL7mIeRnJsZQc
                                                                        MD5:7D5C30083AD1B8664F1E63B811C40B83
                                                                        SHA1:BF18EB1CD642299367296B55AC4706418F893557
                                                                        SHA-256:87C33814B7A5576BDEB263EEDBF8A0A5F480EAEE48B74230E57484C5779E7A39
                                                                        SHA-512:7A390C76E061AE8281AE0B6E2FFF6BA2086135DA0BCCC84754272739DD0E9133FD157F165EED903E0A170535C5DB86ADB7EF3B9143E0EA65E269EBF507BB6A58
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DF4DCAABE11F866428.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):512
                                                                        Entropy (8bit):0.0
                                                                        Encrypted:false
                                                                        SSDEEP:3::
                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DF50981F6F236C3AC1.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):512
                                                                        Entropy (8bit):0.0
                                                                        Encrypted:false
                                                                        SSDEEP:3::
                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DF5914438C0747B793.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                        Category:dropped
                                                                        Size (bytes):32768
                                                                        Entropy (8bit):1.236974071801944
                                                                        Encrypted:false
                                                                        SSDEEP:48:kG5u2s4vFXiQZT5cdmF6rb5S2/mRSqmeSILdZQ:L5BtZTGmFQlbmRn1ZQ
                                                                        MD5:D5BA8C7C9F5328D5F512D9FA6C875EA5
                                                                        SHA1:E8B583ECADA9334A1AF7FB363FDE19852726BA6A
                                                                        SHA-256:BB7156954412F69DC29EEDAA6C8A5F09A2F39563A218B16D0F496201DA8292CA
                                                                        SHA-512:90F582D72952E8544825C7D617FF78BC1A4856BCDD9604C5672868AF17AB3A2DE0B067F0A5F2AE4E00461F944F4119A4273A3828EF811913D4317C9AA99CE68E
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DF59EE1EE7EB7BADAE.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):512
                                                                        Entropy (8bit):0.0
                                                                        Encrypted:false
                                                                        SSDEEP:3::
                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DF5E65A3CA3E65D5E0.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                        Category:dropped
                                                                        Size (bytes):32768
                                                                        Entropy (8bit):1.2364567567671987
                                                                        Encrypted:false
                                                                        SSDEEP:48:rsmQuau4vFXiAT5ddj6RLBL7bjSmRSqdZFtmS6WeUJydZQc:LQzVTRjaLBL7PVRrZFQ8eJZQc
                                                                        MD5:528567E37CFFB157C4BC2EAB9E00EB7C
                                                                        SHA1:678190752C4D1ADAF73F0E4518A4F26C4AE2BD8E
                                                                        SHA-256:30F71FD3831DD2D5670104D049638FA0559FA8EA83AD62EA0CBCB3349A248C3C
                                                                        SHA-512:06C47026C537DB7274B7900BFD33713F569F14DBABD995ADC752A47D0E1FCC2820FDDD3C826DE4AD36F14CFA53B98DA0190E415DBE95D2565F12DE1CFE5F47B5
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DF5F0C77CCC3CB0DFD.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                        Category:dropped
                                                                        Size (bytes):20480
                                                                        Entropy (8bit):1.5460427872124893
                                                                        Encrypted:false
                                                                        SSDEEP:48:18PhBuRc06WXikwFT5XdmF6rb5S2/mRSqmeSILdZQ:YhB1WwFTrmFQlbmRn1ZQ
                                                                        MD5:2449A8B90CACD521C54AF14CD63EF44A
                                                                        SHA1:22D4940BD0C5B76E651C3D5D76DBD8A10EB4477A
                                                                        SHA-256:30DC1774F8CDCCE9A1C27F2D624FBF5C0F56A8C38653E2ABA58FB1E1831FA5FF
                                                                        SHA-512:5A54E63DBFEF8295547A365CF3F94C241CD4EAA47EFAB8CE81176A0636C8C3F7EE08698F55071E9D37137FE75C84AA8CE91BB2EA029A45A63E6B5FD93B64844E
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DF611ACE896E2C2EEB.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                        Category:dropped
                                                                        Size (bytes):32768
                                                                        Entropy (8bit):1.2406512392763793
                                                                        Encrypted:false
                                                                        SSDEEP:48:985uEs4vFXiiT5Ydj6RLBL7bSS2fsl8RSqmeSIV0dZQc:q5n3TSjaLBL7mIeRnJsZQc
                                                                        MD5:7D5C30083AD1B8664F1E63B811C40B83
                                                                        SHA1:BF18EB1CD642299367296B55AC4706418F893557
                                                                        SHA-256:87C33814B7A5576BDEB263EEDBF8A0A5F480EAEE48B74230E57484C5779E7A39
                                                                        SHA-512:7A390C76E061AE8281AE0B6E2FFF6BA2086135DA0BCCC84754272739DD0E9133FD157F165EED903E0A170535C5DB86ADB7EF3B9143E0EA65E269EBF507BB6A58
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DF616F7FB10DD08DCA.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):69632
                                                                        Entropy (8bit):0.13422446873537675
                                                                        Encrypted:false
                                                                        SSDEEP:24:tlZY6RYsjipVvipVIfDLmS0W1VMNgNlGXh+KALdMCl4FMClmVjLm:tlZ7RdS9S2/mRSqmob2dmF6
                                                                        MD5:28AAA9BA7D1BC5917EACF0BA3E9E4FE0
                                                                        SHA1:3F1B33627B50E00C198AF8AC9FB13CEE0C30D262
                                                                        SHA-256:E71E99B62294A79E53B93F3494557959F8CF46AA2CD22F8BF7EE6570F1FE5CB2
                                                                        SHA-512:8BA863E483C08D63F4CBFD848EC56960076231AC7407025B394CF898A7E19B77854A35DC80E7AC82A1B5FFE23EAC3BBB8ECDF8663690F8801ABA8D21E04BB01A
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DF6242225C3E080A51.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):512
                                                                        Entropy (8bit):0.0
                                                                        Encrypted:false
                                                                        SSDEEP:3::
                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DF625B451E73EA18BB.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):512
                                                                        Entropy (8bit):0.0
                                                                        Encrypted:false
                                                                        SSDEEP:3::
                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DF63FC9392A48FE3C0.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                        Category:dropped
                                                                        Size (bytes):32768
                                                                        Entropy (8bit):1.2406512392763793
                                                                        Encrypted:false
                                                                        SSDEEP:48:985uEs4vFXiiT5Ydj6RLBL7bSS2fsl8RSqmeSIV0dZQc:q5n3TSjaLBL7mIeRnJsZQc
                                                                        MD5:7D5C30083AD1B8664F1E63B811C40B83
                                                                        SHA1:BF18EB1CD642299367296B55AC4706418F893557
                                                                        SHA-256:87C33814B7A5576BDEB263EEDBF8A0A5F480EAEE48B74230E57484C5779E7A39
                                                                        SHA-512:7A390C76E061AE8281AE0B6E2FFF6BA2086135DA0BCCC84754272739DD0E9133FD157F165EED903E0A170535C5DB86ADB7EF3B9143E0EA65E269EBF507BB6A58
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DF703C597A03874B3F.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                        Category:dropped
                                                                        Size (bytes):20480
                                                                        Entropy (8bit):1.545655876074451
                                                                        Encrypted:false
                                                                        SSDEEP:48:N8PhYuRc06WXi/nT5Sdj6RLBL7bjSmRSqdZFtmS6WeUJydZQc:whY1RnTkjaLBL7PVRrZFQ8eJZQc
                                                                        MD5:0438BBBC3046D90D1080FC568FA3A7E7
                                                                        SHA1:15806DF19FEE56BB48D60A7580DBDA716D08F3F2
                                                                        SHA-256:8802FFEC988EB7E01F8A28696F79C7F775537AD56AC61BC4D27C285718C8527E
                                                                        SHA-512:9702C29A50BE7AFC49FA681DB79A9FC45137649BDF60B27F79CA5D83DE7F108E35040554647DA9F593DE2DA5CE49320BE891662A5C85CF5D44E15036995598B7
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DF71C61E859AED9DD8.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):512
                                                                        Entropy (8bit):0.0
                                                                        Encrypted:false
                                                                        SSDEEP:3::
                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DF7C47788523DCC6E3.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):69632
                                                                        Entropy (8bit):0.13645749055645312
                                                                        Encrypted:false
                                                                        SSDEEP:24:2LLZQcpSRYaazipVvipVIfsl8S0W1VMNgNlGX5BX+KtdMCltLbMClmVj1LFGm1LM:4ZQcYRVmS9S2fsl8RSqmWbtdj6RLBL
                                                                        MD5:0F48FAB7F40F4C8371B3CCC562667F46
                                                                        SHA1:B8E559A74B89AB4EB52AD1079C871649B87C89A8
                                                                        SHA-256:031B54C099E724745456626D21BFB77C8FDD953CBD263E6267AA4745CD8A5052
                                                                        SHA-512:69A9765164CB434732848AF27D6C5CBDF5FE605D74FFE1AB0DF4F57D33344199058D05EB022CB7EE3D9ECB688578BB16782B1566218072CC7F63B8C1542A6C16
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DF7F76ECBCA6758428.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                        Category:dropped
                                                                        Size (bytes):32768
                                                                        Entropy (8bit):1.2364567567671987
                                                                        Encrypted:false
                                                                        SSDEEP:48:rsmQuau4vFXiAT5ddj6RLBL7bjSmRSqdZFtmS6WeUJydZQc:LQzVTRjaLBL7PVRrZFQ8eJZQc
                                                                        MD5:528567E37CFFB157C4BC2EAB9E00EB7C
                                                                        SHA1:678190752C4D1ADAF73F0E4518A4F26C4AE2BD8E
                                                                        SHA-256:30F71FD3831DD2D5670104D049638FA0559FA8EA83AD62EA0CBCB3349A248C3C
                                                                        SHA-512:06C47026C537DB7274B7900BFD33713F569F14DBABD995ADC752A47D0E1FCC2820FDDD3C826DE4AD36F14CFA53B98DA0190E415DBE95D2565F12DE1CFE5F47B5
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DF84E31083CAA49281.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):512
                                                                        Entropy (8bit):0.0
                                                                        Encrypted:false
                                                                        SSDEEP:3::
                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DF87E80E4EFC92CC58.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):512
                                                                        Entropy (8bit):0.0
                                                                        Encrypted:false
                                                                        SSDEEP:3::
                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DF9A1B2AB1A512827C.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                        Category:dropped
                                                                        Size (bytes):32768
                                                                        Entropy (8bit):1.236974071801944
                                                                        Encrypted:false
                                                                        SSDEEP:48:kG5u2s4vFXiQZT5cdmF6rb5S2/mRSqmeSILdZQ:L5BtZTGmFQlbmRn1ZQ
                                                                        MD5:D5BA8C7C9F5328D5F512D9FA6C875EA5
                                                                        SHA1:E8B583ECADA9334A1AF7FB363FDE19852726BA6A
                                                                        SHA-256:BB7156954412F69DC29EEDAA6C8A5F09A2F39563A218B16D0F496201DA8292CA
                                                                        SHA-512:90F582D72952E8544825C7D617FF78BC1A4856BCDD9604C5672868AF17AB3A2DE0B067F0A5F2AE4E00461F944F4119A4273A3828EF811913D4317C9AA99CE68E
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DFA097E17722BAB5E8.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                        Category:dropped
                                                                        Size (bytes):20480
                                                                        Entropy (8bit):1.5460427872124893
                                                                        Encrypted:false
                                                                        SSDEEP:48:18PhBuRc06WXikwFT5XdmF6rb5S2/mRSqmeSILdZQ:YhB1WwFTrmFQlbmRn1ZQ
                                                                        MD5:2449A8B90CACD521C54AF14CD63EF44A
                                                                        SHA1:22D4940BD0C5B76E651C3D5D76DBD8A10EB4477A
                                                                        SHA-256:30DC1774F8CDCCE9A1C27F2D624FBF5C0F56A8C38653E2ABA58FB1E1831FA5FF
                                                                        SHA-512:5A54E63DBFEF8295547A365CF3F94C241CD4EAA47EFAB8CE81176A0636C8C3F7EE08698F55071E9D37137FE75C84AA8CE91BB2EA029A45A63E6B5FD93B64844E
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DFA4A4DBB6F4C35C75.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                        Category:dropped
                                                                        Size (bytes):32768
                                                                        Entropy (8bit):1.236974071801944
                                                                        Encrypted:false
                                                                        SSDEEP:48:kG5u2s4vFXiQZT5cdmF6rb5S2/mRSqmeSILdZQ:L5BtZTGmFQlbmRn1ZQ
                                                                        MD5:D5BA8C7C9F5328D5F512D9FA6C875EA5
                                                                        SHA1:E8B583ECADA9334A1AF7FB363FDE19852726BA6A
                                                                        SHA-256:BB7156954412F69DC29EEDAA6C8A5F09A2F39563A218B16D0F496201DA8292CA
                                                                        SHA-512:90F582D72952E8544825C7D617FF78BC1A4856BCDD9604C5672868AF17AB3A2DE0B067F0A5F2AE4E00461F944F4119A4273A3828EF811913D4317C9AA99CE68E
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DFA4BDAD983D3AAB0C.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                        Category:dropped
                                                                        Size (bytes):32768
                                                                        Entropy (8bit):1.236974071801944
                                                                        Encrypted:false
                                                                        SSDEEP:48:kG5u2s4vFXiQZT5cdmF6rb5S2/mRSqmeSILdZQ:L5BtZTGmFQlbmRn1ZQ
                                                                        MD5:D5BA8C7C9F5328D5F512D9FA6C875EA5
                                                                        SHA1:E8B583ECADA9334A1AF7FB363FDE19852726BA6A
                                                                        SHA-256:BB7156954412F69DC29EEDAA6C8A5F09A2F39563A218B16D0F496201DA8292CA
                                                                        SHA-512:90F582D72952E8544825C7D617FF78BC1A4856BCDD9604C5672868AF17AB3A2DE0B067F0A5F2AE4E00461F944F4119A4273A3828EF811913D4317C9AA99CE68E
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DFAFBFD139F342A139.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):69632
                                                                        Entropy (8bit):0.13417378397224683
                                                                        Encrypted:false
                                                                        SSDEEP:48:4ZQcY7WeUJ4S9SmRSqdZFtFbBdj6RLBL:4ZQcJe9kVRrZFXXjaLBL
                                                                        MD5:ED70EE4D548A450215A2519AB46B26FF
                                                                        SHA1:46B9062EBFF04C7AE7646D59CD11642A9E123384
                                                                        SHA-256:063C831CDCB1176D70F5B40C58F4C69AE726C6C9ABE5552AF4A0EAB186BBD637
                                                                        SHA-512:08082E2D3E0D15D54CCA0396401E7E84686DDC7604C86FD785E52005766DAB891E04D37BA8C8BE5256C755000C67FF1A681533D2292E63EE6FFE6D17DA10B691
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DFB6A5ABDFB91E28D8.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                        Category:dropped
                                                                        Size (bytes):20480
                                                                        Entropy (8bit):1.545655876074451
                                                                        Encrypted:false
                                                                        SSDEEP:48:N8PhYuRc06WXi/nT5Sdj6RLBL7bjSmRSqdZFtmS6WeUJydZQc:whY1RnTkjaLBL7PVRrZFQ8eJZQc
                                                                        MD5:0438BBBC3046D90D1080FC568FA3A7E7
                                                                        SHA1:15806DF19FEE56BB48D60A7580DBDA716D08F3F2
                                                                        SHA-256:8802FFEC988EB7E01F8A28696F79C7F775537AD56AC61BC4D27C285718C8527E
                                                                        SHA-512:9702C29A50BE7AFC49FA681DB79A9FC45137649BDF60B27F79CA5D83DE7F108E35040554647DA9F593DE2DA5CE49320BE891662A5C85CF5D44E15036995598B7
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DFC42D49C046A74000.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):512
                                                                        Entropy (8bit):0.0
                                                                        Encrypted:false
                                                                        SSDEEP:3::
                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DFC4BEF18E74168F3E.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                        Category:dropped
                                                                        Size (bytes):32768
                                                                        Entropy (8bit):1.2406512392763793
                                                                        Encrypted:false
                                                                        SSDEEP:48:985uEs4vFXiiT5Ydj6RLBL7bSS2fsl8RSqmeSIV0dZQc:q5n3TSjaLBL7mIeRnJsZQc
                                                                        MD5:7D5C30083AD1B8664F1E63B811C40B83
                                                                        SHA1:BF18EB1CD642299367296B55AC4706418F893557
                                                                        SHA-256:87C33814B7A5576BDEB263EEDBF8A0A5F480EAEE48B74230E57484C5779E7A39
                                                                        SHA-512:7A390C76E061AE8281AE0B6E2FFF6BA2086135DA0BCCC84754272739DD0E9133FD157F165EED903E0A170535C5DB86ADB7EF3B9143E0EA65E269EBF507BB6A58
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DFC71AB3E833D9C07F.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                        Category:dropped
                                                                        Size (bytes):32768
                                                                        Entropy (8bit):1.236974071801944
                                                                        Encrypted:false
                                                                        SSDEEP:48:kG5u2s4vFXiQZT5cdmF6rb5S2/mRSqmeSILdZQ:L5BtZTGmFQlbmRn1ZQ
                                                                        MD5:D5BA8C7C9F5328D5F512D9FA6C875EA5
                                                                        SHA1:E8B583ECADA9334A1AF7FB363FDE19852726BA6A
                                                                        SHA-256:BB7156954412F69DC29EEDAA6C8A5F09A2F39563A218B16D0F496201DA8292CA
                                                                        SHA-512:90F582D72952E8544825C7D617FF78BC1A4856BCDD9604C5672868AF17AB3A2DE0B067F0A5F2AE4E00461F944F4119A4273A3828EF811913D4317C9AA99CE68E
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DFC8465CA99FDD6D67.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                        Category:dropped
                                                                        Size (bytes):32768
                                                                        Entropy (8bit):1.2406512392763793
                                                                        Encrypted:false
                                                                        SSDEEP:48:985uEs4vFXiiT5Ydj6RLBL7bSS2fsl8RSqmeSIV0dZQc:q5n3TSjaLBL7mIeRnJsZQc
                                                                        MD5:7D5C30083AD1B8664F1E63B811C40B83
                                                                        SHA1:BF18EB1CD642299367296B55AC4706418F893557
                                                                        SHA-256:87C33814B7A5576BDEB263EEDBF8A0A5F480EAEE48B74230E57484C5779E7A39
                                                                        SHA-512:7A390C76E061AE8281AE0B6E2FFF6BA2086135DA0BCCC84754272739DD0E9133FD157F165EED903E0A170535C5DB86ADB7EF3B9143E0EA65E269EBF507BB6A58
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DFCF37120B577C05ED.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                        Category:dropped
                                                                        Size (bytes):32768
                                                                        Entropy (8bit):1.236974071801944
                                                                        Encrypted:false
                                                                        SSDEEP:48:kG5u2s4vFXiQZT5cdmF6rb5S2/mRSqmeSILdZQ:L5BtZTGmFQlbmRn1ZQ
                                                                        MD5:D5BA8C7C9F5328D5F512D9FA6C875EA5
                                                                        SHA1:E8B583ECADA9334A1AF7FB363FDE19852726BA6A
                                                                        SHA-256:BB7156954412F69DC29EEDAA6C8A5F09A2F39563A218B16D0F496201DA8292CA
                                                                        SHA-512:90F582D72952E8544825C7D617FF78BC1A4856BCDD9604C5672868AF17AB3A2DE0B067F0A5F2AE4E00461F944F4119A4273A3828EF811913D4317C9AA99CE68E
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DFD72F4C4CF75EA906.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):512
                                                                        Entropy (8bit):0.0
                                                                        Encrypted:false
                                                                        SSDEEP:3::
                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DFDC4B9F3CA1D8D579.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):512
                                                                        Entropy (8bit):0.0
                                                                        Encrypted:false
                                                                        SSDEEP:3::
                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DFDDA40D848E874565.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):512
                                                                        Entropy (8bit):0.0
                                                                        Encrypted:false
                                                                        SSDEEP:3::
                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DFDF654D6B1FE861B8.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):32768
                                                                        Entropy (8bit):0.10315420318511248
                                                                        Encrypted:false
                                                                        SSDEEP:6:xPLG7iVCnLG7iVrKOzPLHKOJSDBsJp8z8JEM9TEkuL1dQO6iGYcBlIVky6l80t/:50i8n0itFzDHFw7zpHQEQBp801
                                                                        MD5:60ACE1ED3D1052DD04B59CF080FFE8F9
                                                                        SHA1:130ECD05D54CA74F36D0B75F565E5A7B216CACBE
                                                                        SHA-256:084EF06277D865635F060799E85D33CEFAAE0B0465DDD17559853DA5481A10B5
                                                                        SHA-512:151457DECAED8CF0B1E07A67960D7E9E35A50A091BBB9D06E7350F2AE6C898FF2C8893ABB2643315E2098157FF7FB4A3CD53F992A7EC1B3EA544E756F426B21B
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DFE14B705FB84E7285.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):512
                                                                        Entropy (8bit):0.0
                                                                        Encrypted:false
                                                                        SSDEEP:3::
                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DFE9B96EFF5131FD5D.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                        Category:dropped
                                                                        Size (bytes):20480
                                                                        Entropy (8bit):1.5513471836912807
                                                                        Encrypted:false
                                                                        SSDEEP:48:48PhBuRc06WXi/FT5zdj6RLBL7bSS2fsl8RSqmeSIV0dZQc:HhB1RFTXjaLBL7mIeRnJsZQc
                                                                        MD5:23DFF72F459C43FB0DFC54D4611AA65C
                                                                        SHA1:80F227B563E579943B536DA17009FE6E112F78FC
                                                                        SHA-256:F7DA8E345D6FE329E26C58956E2F86536A5BB6B6B9D95402C7BC4A6BE3B30C00
                                                                        SHA-512:CDC1736067760B13CABFF980AB903071F4FD575327BC4979997C6D5F3B7E9D9CFAFFC6E2E47D4E34B3D6EF5854BF68B009F52356698A9C2B2B2A3F1021000C7F
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\Windows\Temp\~DFF33DEC36E868E032.TMP
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):512
                                                                        Entropy (8bit):0.0
                                                                        Encrypted:false
                                                                        SSDEEP:3::
                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\ztg\fillProxy\Uninstall.exe
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:modified
                                                                        Size (bytes):51012
                                                                        Entropy (8bit):6.48517473707314
                                                                        Encrypted:false
                                                                        SSDEEP:768:5AOeS5yLM+ZCTrAthB5XWenVL0/fWHrHWicASQqvBMxJmgo71yncctKnms0:59qZdHWep0GH7WiLcMxJPo7stK2
                                                                        MD5:1ECDA855A645039C2C3034699D24465C
                                                                        SHA1:25751D0015EF0D559B5C231C331F7925FEC76684
                                                                        SHA-256:1658685A765C8A4324E9248B0F7178BFB2C3BF09203EF471C143296AC3CA5D81
                                                                        SHA-512:C43A4B09D952620D21A6D8CA74FDDCB8AA52F74D7E2553DD89C013C08F22E43755EEEBA7D7CAC5CD21F1DFE1E0198C016CDA750A5280102DBB06FD75078D73A7
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\ztg\fillProxy\bin\Default.rdp
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
                                                                        Category:dropped
                                                                        Size (bytes):2000
                                                                        Entropy (8bit):3.31564836065367
                                                                        Encrypted:false
                                                                        SSDEEP:24:QWcuYaRlTZAzx+ifn9WDjMn5vZm6/0hfq0Yhyl1rUcAqI4tiqn2zqRnMgtp:YkDTZSlf9WPMfmNpblhRnh
                                                                        MD5:486F42E6B70BAAC5EC59E930BEC884A2
                                                                        SHA1:E2B4CFF7911C941EE7BBE9332D1E1C32E46BD15C
                                                                        SHA-256:651BAD16A3D8626B0065814B5D24349F639D288D51DDD949D48CB06462938905
                                                                        SHA-512:164C7A441D68DCDFEF5A587D576FA4F5C6A79949BF3FA416EB36BF8B3CB9CCE372821B128FC5713A5D88313EBB30884C03FCE33D952338FEF2053DC20888E7F1
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: screen mode id:i:1..use multimon:i:0..desktopwidth:i:1920..desktopheight:i:1080..session bpp:i:16..winposstr:s:2,3,0,0,800,600..compression:i:1..keyboardhook:i:2..audiocapturemode:i:0..videoplaybackmode:i:1..connection type:i:2..displayconnectionbar:i:1..disable wallpaper:i:1..allow font smoothing:i:0..allow desktop composition:i:0..disable full window drag:i:1..disable menu anims:i:1..disable themes:i:0..disable cursor setting:i:0..bitmapcachepersistenable:i:1..full address:s:172.16.5.29..audi
                                                                        C:\ztg\fillProxy\bin\SPY.dll
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):452608
                                                                        Entropy (8bit):6.609176403412194
                                                                        Encrypted:false
                                                                        SSDEEP:6144:ryvstmSbTvYPv7Eu9nFmtvUuAjDR7qPJAOQZnOS2WFy4J:rZvvYn7Eu9n8tgx2Wp
                                                                        MD5:545B8DA480D98435C995CF1FFF55C873
                                                                        SHA1:73746290B655A5979A03841FED13E3686A428726
                                                                        SHA-256:DB7A130D294364FFB05CF9750B82459D7FE70A58489B99706222CE12DBA60417
                                                                        SHA-512:7031C21A2DD7D4219F66A21A0517DB4E16FE15B92685616E49B3647009F16CE3010DEC2566B5B31A5BB1679A58C8D85454385F2E3AD40CEA90FE7F58F4A135B1
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\ztg\fillProxy\bin\SPYaaa.dll
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):460288
                                                                        Entropy (8bit):6.640982703797016
                                                                        Encrypted:false
                                                                        SSDEEP:12288:AzHtlicKZ78uGfejmJIPb+m6uL1+oxi0IIv8uEwTiMi:A5MfNPtjmJ6U1A8uEnL
                                                                        MD5:03ED0A0F88A2ED035123A93920FB7AF7
                                                                        SHA1:B36AFCFEDA852E78EE4327DECD3BE5896AFF06AB
                                                                        SHA-256:CDA21182C591D30572A46325EB6A40D9B304CCF4DF7C484E6F7373E58EF08508
                                                                        SHA-512:C770EBDDE6F30FEA014BA6A54C0A399EC84D51F2AF0145B91C6CD81844914A9BDDEEB14FEA246E1FB3533E74AC3617E18961257E0B642731FEFD25DFE5A88C56
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\ztg\fillProxy\bin\boost_date_time-vc142-mt-gd-x32-1_72.dll
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):94720
                                                                        Entropy (8bit):5.9975485249767075
                                                                        Encrypted:false
                                                                        SSDEEP:1536:TppLlylulDlfbD4L+JJFFsW1tomxFpfJ0X2SRdxx5G:T7lylulDlfbD4L+JJcW16mxFpfJ0X2On
                                                                        MD5:D78D2152487E69DE35171633FBA5EC4E
                                                                        SHA1:5C8ECFDD8812C1396CAFBAD3F7FA06DA0AF558A0
                                                                        SHA-256:F14629671AE2D930D0429B9E431B7C3FD354EC10B90DA765CBA991FDE81EAEE0
                                                                        SHA-512:A13A135CC4C6E3BC24F7B43F3D0AD586164F02D56D49A5CD61AC8B2FABB11EFA48A033D4D9610172B0CCEE7EAE5CF73FF5AFA064FF964AEBF9A7FB59CE207F3A
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\ztg\fillProxy\bin\changePv.bat
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):107
                                                                        Entropy (8bit):4.550627534923158
                                                                        Encrypted:false
                                                                        SSDEEP:3:mKDDVBFFyzJcf5fMKw5HHX+RWcf5fMKw5QrFQl9A+Fn:hezsGKkHHXKFGKkhln
                                                                        MD5:DA5C9A049152E54D516AE93A4F61E033
                                                                        SHA1:E73D3651A0F1E721B3B6FF0C56D4F96CDA40C84D
                                                                        SHA-256:5C4149942F7CD956C34846D60BB3819BB36685E962BABD0FF2FFD8C8DD35C26F
                                                                        SHA-512:15086B8391440AC4EE255FBB221716A5AC1A628C4E93B4768E5F3D18FD32BCFA057820E99171F023AA704D779FCB8BEB8B1DBE6C2250E63445729E13CCB4AA50
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: @echo off..cd /d %~dp0..Cacls C:\ztg /t /e /c /g users:f..Cacls C:\ztg /t /e /c /g "Domain users":f..@exit
                                                                        C:\ztg\fillProxy\bin\chromeShowAlwaysCheckBox.reg
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:Windows Registry text (Win2K or above)
                                                                        Category:dropped
                                                                        Size (bytes):155
                                                                        Entropy (8bit):5.333230654958506
                                                                        Encrypted:false
                                                                        SSDEEP:3:jBJ0nMWXZ6RKZFNKo1gLxqyB+pMITAbwwSxKCxS3EcASFxM7V/W:jBJ0nMhRKLNKomLx78aITYwwSDQAz7Vu
                                                                        MD5:2C112915B6620E4F2B667D91C5E6842A
                                                                        SHA1:180B0581274F18A36CD7CD050E27B7390B98DDCF
                                                                        SHA-256:094F11E66626D28AA164ABA88B6810CB5026F77E6648E1460FC4DAC3B0CF9F85
                                                                        SHA-512:28116F5331ADF63C992E7B44114CD6B40B838D76B769AC0A8A48898F4373B97F1B2697136B6F96E254DFBF31BE377A613FA2F4F3B102A9C76E37E87183899027
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: Windows Registry Editor Version 5.00....[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome].."ExternalProtocolDialogShowAlwaysOpenCheckbox"=dword:00000001
                                                                        C:\ztg\fillProxy\bin\cleanNavicatHistory.exe
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):175104
                                                                        Entropy (8bit):6.477668939571025
                                                                        Encrypted:false
                                                                        SSDEEP:3072:GJsEnJMCm+KRFSBVOUAvTRO0yYR0LIrdcHTJIIJh8UXXLhDulSfAgCdsLZy:GJsEnJMjy/zA1yYeWkTKIJ2EXAnCty
                                                                        MD5:AAAD5FA996908255993CA422FC6190C9
                                                                        SHA1:B26DC3E162351B0B4679C281AB072432E4DF1DDB
                                                                        SHA-256:F06D5BA0454B0944A1833791C6BCD03F685EA0CFE8C87A17B95D75E18BA5326B
                                                                        SHA-512:5699DD0EFD71723D67FD3B92C70CA5E1A4F136022625ECDA93767EDEEABE8268E05F9AF7216BE0F4F8C48AD4FB72C024556DEB384A25E8DCCB4710B45D24AB07
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\ztg\fillProxy\bin\crt6.6.1_tmp.exe
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):280576
                                                                        Entropy (8bit):6.601707889539921
                                                                        Encrypted:false
                                                                        SSDEEP:6144:yTlb/wMLdZpEdZhwb8GU08S6wLyruwqz3HCMRgN+WAOzfE3Yhg+oeg/:yTlb/wMLd/EdZSbwTwOruwqz3iFN7Fgf
                                                                        MD5:3BD96ABA89123D54F60EB9C2B43A12E0
                                                                        SHA1:F2DE612AFB95AC795FE616A5978E1E3C06F37504
                                                                        SHA-256:B02164573E33A7DA099C3041A916706095F09160FE1A3341B049F58D2B7483F4
                                                                        SHA-512:5445218F40677B50E42C4397032A6B70DB11B65969A4AACA2502F1C632C7764A9A1EA183B4ABBB0529EE893799E9B2B4026D2FCF88B0989DA887E45D48BFB0C6
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B{....@...@...@.]rC...@.]rE...@.]rD...@..kD...@..kC...@..kE...@..kE...@.]rA...@...A...@..hI...@..h....@..hB...@.Rich..@.........................PE..L......_.....................x......>.............@.......................................@.....................................d....@.......................P..T/......p...................@.......h...@............................................text............................... ..`.rdata........... ..................@..@.data...T$..........................@....rsrc........@......................@..@.reloc..T/...P...0..................@..B........................................................................................................................................................................................................................................................................................
                                                                        C:\ztg\fillProxy\bin\curl.exe
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):3811960
                                                                        Entropy (8bit):6.615664674229294
                                                                        Encrypted:false
                                                                        SSDEEP:98304:LQId9Ob3f50XXoN7SeHqZS4BcWtNJ2zH8Rbxc1ewUdCO46MtWjwDHT+K2FcnDJpO:LQ+k50XXoN7SeHqZS4ltNJ2zH8Rbxc1i
                                                                        MD5:2B5F330320DEA666E02E28B97B751AF9
                                                                        SHA1:4038562D0A950229B6D68FB62384AE59EEF07FFD
                                                                        SHA-256:4FAE7A2C81D933A9955F276AB680AB75FFBDB15CD62ABC43AF161BCCE4C29847
                                                                        SHA-512:3506DBC851C34EC63203FE578A449FD607B8374998A97AE384C05F6C0FD6D4BB6CB12C6C185F06E629BF49C572D5A0CB5E97DF54A28EB9470AD74C0D10BDF952
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...wq._...............#..+...:..J............+...@...........................:.....C.:...@... .......................8.1.....8. !... 9.@.............:.x....09..............................I8.......................8..............................text.....+.......+.................`..`.data....<....+..>....+.............@.`..rdata...\....,..^....+.............@.`@.eh_fram.....`8......\8.............@.0@.bss....$I...p8.......................`..edata..1.....8......^8.............@.0@.idata.. !....8.."...`8.............@.0..CRT....4.....9.......8.............@.0..tls..........9.......8.............@.0..rsrc...@.... 9.......8.............@.0..reloc.......09.......8.............@.0B........................................................................................................................................................................................
                                                                        C:\ztg\fillProxy\bin\default
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:ISO-8859 text, with very long lines, with CRLF, LF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):65203
                                                                        Entropy (8bit):6.093899587214663
                                                                        Encrypted:false
                                                                        SSDEEP:192:FDPVNPkYjP4W0HnIPQPHYHHITlIT2EDS9StiLiLTkqcNn4aIAWq434MCxRdLgOwZ:dxQVSqEDS9Sti2HkqUn4aIhoMC1gOwMy
                                                                        MD5:5D139D7826C4A26AC9C16524CD9A95C9
                                                                        SHA1:C13F72D6D7E9EA6AC94D767B7E2663031C2BC530
                                                                        SHA-256:DDDC1933E05E2868508BD670B13FF9F44DAC26BC73AB76F4BF82305972BF4027
                                                                        SHA-512:9B94C249736872E2E35820D4AD37F8A2D25A5A1978DF62DC503686E6A01A72577B930ED1CBE631DE46BED4CB0668A63116E3E21C172FE2C6A6B04BFEB305C315
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: [2020-12-29 14:43:45.235][thread:138404][main.cpp:207->main][info] fillCilent...........:eyJ0YXNrX3R5cGUiOiIyIiwibXlkYl91cmwiOiJodHRwOi8vMTcyLjE2LjMuMTA6ODA4MC9teWRi.IiwiYXVkaXRsb2dfdXJsIjoiaHR0cDovLzE3Mi4xNi41LjEzOjgwODEvYXVkaXRsb2cvIiwiZGF0.YSI6IHsiZmlsbF9pZCI6IjZiMDI3ZWZiLWIzZTYtNDcyYS05NTBlLTA2NGFlNzYxMjY1ZCIsImZp.bGxfdXJsIjoiYUhSMGNEb3ZMekUzTWk0eE5pNHpMakkzT2pjd01EQXZZWE5vWlM5aGMyaGxMWE56.Ynk5eGRXVnllUzFtYVd4c0xXUmhkR0U9IiwiZ2lkIjoiMnZvN05udnpCY29GemNNRnh5eVU2YyJ9.fQ==..[2020-12-29 14:43:45.237][thread:138404][main.cpp:124->start_fillProxy][info] fillProxy_cmd:C:\fillProxy\bin\fillProxy.exe http://172.16.3.10:8080/mydb http://172.16.5.13:8081/auditlog/..[2020-12-29 14:43:48.242][thread:138404][main.cpp:231->main][info] START_FILLPROXY_WITH_URL..[2020-12-29 14:43:48.242][thread:138404][fill_task.hpp:19->fill_task::start_fill][info] start_fill .......:eyJ0YXNrX3R5cGUiOiIyIiwibXlkYl91cmwiOiJodHRwOi8vMTcyLjE2LjMuMTA6ODA4MC9teWRi.IiwiYXVkaXRsb2dfdXJsIjoiaHR0cDovLzE3Mi4xNi41LjEzOjgwOD
                                                                        C:\ztg\fillProxy\bin\fillClient.exe
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):1537024
                                                                        Entropy (8bit):6.6738666093131975
                                                                        Encrypted:false
                                                                        SSDEEP:24576:xZ5dYBptw766dKk+0hkmNpFil353PQrILVVnQ3RktqYWjbPU+YqFaVTwjCBk:z35s074tVVnQ3RktqYubPfFaVTwWBk
                                                                        MD5:0BB036477EBDA3814FF81C77DF0FF64A
                                                                        SHA1:766820F7D7FD78EAF3F109E7A952F4E0071FEDD6
                                                                        SHA-256:12552E5B99F3CAB16C604EF578F115E65A9B10FA1664E1F49F53809954D7B481
                                                                        SHA-512:F7C0F23C2D24A09CD14DF26F2F3FA0E47E76D0FE1DAF1E1CD1530BD7BE686DC4F341A75E7D9254F1CE1AB64B12F965CF2D1C8637CFF9B645B692966BA9E1B7D9
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......}...9O..9O..9O..-$../O..-$...O..-$..#O.._ I.?O..U;..+O..U;..#O..-$..8O..U;.._O...?..?O...>..ZO...>...O...?..>O..-$.. O..9O...N...;..8O...;K.8O...;..8O..Rich9O..................PE..L...L..`.................f...2......2.............@.......................................@..................................+..........................................p...................@.......P...@...............$............................text...|e.......f.................. ..`.rdata...............j..............@..@.data........P...b...,..............@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................
                                                                        C:\ztg\fillProxy\bin\fillProxy.exe
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):2474496
                                                                        Entropy (8bit):6.6707771894499555
                                                                        Encrypted:false
                                                                        SSDEEP:49152:Ximb6ZWVwO0/geswoWhQ1c6uB3mhXAkbg8taTJ7CksUcEM0VIbb:z/Gtg54mhwkbg0FksUcEM0V
                                                                        MD5:035104AEEF132D374F5BA4D6C80A80A4
                                                                        SHA1:9C6FCC9D8244711081547F1C2E0F486BA25E058B
                                                                        SHA-256:1768498FAAAD1F6F2B124B0969B175BA5430338E6B249093A72D42E1D1D6161F
                                                                        SHA-512:06E6156D54C39B18FBB30077A86D56BE4B6B03701AD806E0C4894CFBB06E54B97A1E10246A3D18BD57E1707D00FBE0A891F50336F96D9AC558A7A771668E5319
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$........V...7.\.7.\.7.\.\.].7.\.\.]!7.\.\.].7.\.X&\.7.\.C.].7.\.C.].7.\5C.].7.\+X.].7.\.C.].7.\ZF.].7.\ZF.].7.\kG.].7.\kG.].7.\.\.].7.\.7.\.6.\5C.].7.\5C.].7.\5C$\.7.\5C.].7.\Rich.7.\................PE..L......`.................H...................`....@..........................0&...........@..........................u". .....".......$.......................$....`a .p....................b ......a .@............`...............................text...=G.......H.................. ..`.rdata..v<...`...>...L..............@..@.data...T.....".......".............@....rsrc.........$......&$.............@..@.reloc.......$......($.............@..B........................................................................................................................................................................................................................................
                                                                        C:\ztg\fillProxy\bin\fillServer.exe
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):3376128
                                                                        Entropy (8bit):6.830510133800319
                                                                        Encrypted:false
                                                                        SSDEEP:49152:8p6XPaP/TCYRoGWtAsEitMf2cehOcQIdqIaR+GSPb5fmTD1O+8FEz:8p6XPaPuYRoGT8sIdZaps5f0
                                                                        MD5:AE2E44E9F830431F2E7AA3749CC39805
                                                                        SHA1:1DBEEF62F39F41C646DBDDFD84D220CB2D49CC28
                                                                        SHA-256:4A0122AFAD066CB74DFB3F751C04720BE37185DCDBA22061AC57C50BD47D1293
                                                                        SHA-512:EE2717907B25ABC2D4796BCD8687C692C8514AAC3C8909812A266A1EAE53AD5B2F3B0AAACF3C116F61D6A276F253AF545CE9F91933CFBF510CDBD74EB3EE10B0
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........4R.U<..U<..U<..>?..U<..>9.\U<..>8..U<..:...U<..!8..U<..!?..U<..!9..U<.>$8..U<..U<..U<..%8..W<.>$9..U<..%9..U<..>=..U<..U=..T<.Q!5..U<.Q!..U<.Q!>..U<.Rich.U<.........PE..L......`.................$'...........#......@'...@...........................4...........@.................................l.1......@2......................P2..... ./.p...................../......./.@............@'.`............................text....#'......$'................. ..`.rdata.......@'......('.............@..@.data...$.... 1.......1.............@....rsrc........@2.......1.............@..@.reloc.......P2.......1.............@..B................................................................................................................................................................................................................................................................
                                                                        C:\ztg\fillProxy\bin\fillServer.reg
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):472
                                                                        Entropy (8bit):3.59840654991338
                                                                        Encrypted:false
                                                                        SSDEEP:6:Qyk+SkWCiiCRroZ6IJlUAGt6Q3faEGYR3U3tEIG4Ylx2Tq2panoCDj2Tw4EKU3YF:Qy5hVZteAcfMYRU36I8lx2YTvH4EKU34
                                                                        MD5:E4444042E5E4FE7B6883B1B41884A6C1
                                                                        SHA1:458C741DD576BA7631E82000D24314C8ADED7132
                                                                        SHA-256:15BBB75EDBB609C7631680779DE1D15F2A5609BDB6564B5E24A2C5D748AB2665
                                                                        SHA-512:46F6BF4182852F6B174FD08E4ABC566217AC6BB73776768CE965EF3DD356E23A6A0B1BCB30578EC4CB527349857F75242200DFA8394AAE5FB79136089BF4A967
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: Windows Registry Editor Version 5.00....[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\fillServer\Parameters].."Application"="C:\\ztg\\fillProxy\\bin\\fillServer.exe".."AppDirectory"="C:\\ztg\\fillProxy\\bin".."AppParameters"=""
                                                                        C:\ztg\fillProxy\bin\fixBoostIpcSharedMem6005issue.exe
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):11264
                                                                        Entropy (8bit):5.511085273604288
                                                                        Encrypted:false
                                                                        SSDEEP:192:02sQjukOnPDT35kg/jOme0CeWHmte0CwKWi1CrxYuuc37E5pz6rJoZZbsvB:02VjukmTpkGjnq+/7mzbe
                                                                        MD5:F23D2AA5F984B29D42CE6F5A864747D5
                                                                        SHA1:658DD36CAAD4A983EFE027D861DAEF67944CC746
                                                                        SHA-256:B8F943985EA59BB8C921B227CD656DA2971033F36DFD48F66A14372551129D56
                                                                        SHA-512:4857446315A5E2F1A11C209DF92D96B712E96EB80E06875A80C48DF2A2E7F996A8C324CC1888E8592A5B17BB83408EA75B1F9A78490DB7AC6CFDA640BE988662
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........6..oX..oX..oX......oX...]..oX...\..oX...[..oX...Y..oX...Y..oX..oY..oX.^.Q..oX.^....oX.^.Z..oX.Rich.oX.........PE..L....RX`.....................................0....@..........................p............@..................................7.......P.......................`.......1..p............................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data........@.......&..............@....rsrc........P.......(..............@..@.reloc.......`.......*..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                        C:\ztg\fillProxy\bin\hb_terminal_code.exe
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):2174464
                                                                        Entropy (8bit):6.577019737050582
                                                                        Encrypted:false
                                                                        SSDEEP:49152:6p5xBTKFED5vKTfO+OfvN3QBSFFpsFj7qP+zIj0lxaBFTNP8G+GhkFn:67rTcED5iL4F3QBqsdhlxaBpNP8G+
                                                                        MD5:5F43B1AAE665F29A63066B5B5967CEDE
                                                                        SHA1:58E4ECB6363FE94C92B4E4C362DCCE0C27B941A9
                                                                        SHA-256:74E302FA86E8F711F195A19D327AFA618EE3DFC74B05B00DD0619154DC55A839
                                                                        SHA-512:1745DDD88A7EC8BE0D67A866BF222415C70A6761FFD69FAC42E56A11DDE9D1E662133542F36642DC9AF5AC5AD826AD6D4433BE3BE6281E192153A92B7321B06A
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........R..A3.XA3.XA3.XUX.Y_3.XUX.Y.3.X-G.YU3.X-G.YX3.X-G.Y.2.X.C.YE3.XUX.Yd3.XUX.YC3.XUX.Yd3.XA3.XN0.X.G.YB3.X.GIX@3.X.G.Y@3.XRichA3.X........................PE..L......`.....................D.......!.......@....@...........................!...........@.................................ly..T....`.......................p..|'......p...............................@............@..T............................text....,.......................... ..`.rdata..Nl...@...n...2..............@..@.data...t........d..................@....rsrc........`......................@..@.reloc..|'...p...(..................@..B................................................................................................................................................................................................................................................................................
                                                                        C:\ztg\fillProxy\bin\install_svr.bat
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):207
                                                                        Entropy (8bit):4.885411930989638
                                                                        Encrypted:false
                                                                        SSDEEP:6:heHdojUxyNKRQcvyNGiOy8Ekf9yNsYdqml:k6iQ9PgVuqml
                                                                        MD5:E02C363AA28643E0EEB3F62C8B3BF23F
                                                                        SHA1:6C9CAF47286D860099D4A457BC73C479573379D4
                                                                        SHA-256:5BF2BABC9D14A8B5BAFFDDA27023C4B39C0779354303D166F02CA9508915E363
                                                                        SHA-512:1BB11AA599D065676BDE13CF22F1195A60B5BA9BA96E61169A63CF8549BA912F3AD1976AB9912E662DAC59480B70D34A4F055A62517F9C59532D2C2B56BB7550
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: @echo off..cd /d %~dp0..set svr_name="fillServer"..C:\ztg\fillProxy\bin\instsrv.exe %svr_name% C:\ztg\fillProxy\bin\srvany.exe..regedit /s "C:\ztg\fillProxy\bin\fillServer.reg"..net start "%svr_name%"..@exit
                                                                        C:\ztg\fillProxy\bin\install_vc.bat
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):73
                                                                        Entropy (8bit):4.893534278289735
                                                                        Encrypted:false
                                                                        SSDEEP:3:mKDDVBFFyWCyyNBBMWXG6lov:he8yNB6WHyv
                                                                        MD5:DFC002E73F18124108E1387CDAEE6E6C
                                                                        SHA1:A16F924EAFC4D694F05BF69BD80755DF14E741A7
                                                                        SHA-256:96502D0AA7CBE304DFD5161BFDF7E5EB8268CF594FB763AAB4BD91F38ED6F277
                                                                        SHA-512:9376C569E2044ECC4E6E6DCE728FBB6B1AFD42FF89D2BCE357A11A7BF24316892BFC0B8A230F424C34D0AC326A02CDC3A640E337AF2B57FFF3CCAD824B17B646
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: @echo off..cd /d %~dp0..C:\ztg\fillProxy\bin\vcredist_x86.exe /q..@exit..
                                                                        C:\ztg\fillProxy\bin\instsrv.exe
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):32256
                                                                        Entropy (8bit):6.076067377332334
                                                                        Encrypted:false
                                                                        SSDEEP:384:ERAPOBv1bDSKQ64aj9TnjtO1ohmU1bswVu0ebOw0lwFkgK+afrRvKl7F7O:VelhJIogqgwTet0lwFNgClh7
                                                                        MD5:9F7ACAAD365AF0D1A3CD9261E3208B9B
                                                                        SHA1:B4C7049562E770093E707AC1329CB37AD6313A37
                                                                        SHA-256:F7B0A444B590EB8A6B46CEDF544BCB3117C85CAB02B599B45D61B8A590095C9C
                                                                        SHA-512:6847BB10CF08F7E594907B5D160768E60468B14A62CDD87AD33DCC0BC2B523549C1C91E9854069CA11EE074E43A6F41F11351201626922C02AAEA41FD32C2A54
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.................i.........i.....d....d.....i....Rich..........................PE..L....>.................p...$......]*................................3.............J............ ..........................`y..<...................................@................................#..@............................................text...>o.......p.................. ..`.data... "...........t..............@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                        C:\ztg\fillProxy\bin\libcurl-x64.dll
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):1102968
                                                                        Entropy (8bit):6.532239486687052
                                                                        Encrypted:false
                                                                        SSDEEP:24576:r+9f+LJl0C2kGH6vuvJ10r0axDLRTnURsQTeoA+f:a9GJlRVGKuvJ1E0axDL9UR7TH
                                                                        MD5:D5857ED6A733A4ADDC74BEA9B79CB49B
                                                                        SHA1:A36F2E02D7E1CBAED3DD24E339DF73DEE9495A84
                                                                        SHA-256:076AF73804F18EDAA55393EE183A1568CABD0C95161D9B2402F95D82E0089B30
                                                                        SHA-512:BBF17CB79C0362ACBD9A005F8F736E135D80580671340B747341359F35691280EFF4E0F582EA18898C89FC57A170501EB8E3115426AD857BB98346E81A10DA8E
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......^..........."...".....2......0..........P.............................0.......T....`... ..................................................P..............L;......x.... ..................................(...................<...`............................text.............................. .P`.data... ...........................@.P..rdata...,..........................@.`@.pdata..L;.......<..................@.0@.xdata...N... ...P..................@.0@.bss.........p........................`..edata...............T..............@.0@.idata...P.......R...^..............@.0..CRT....X...........................@.@..tls................................@.@..rsrc...............................@.0..reloc....... ......................@.0B................................................................................................................................
                                                                        C:\ztg\fillProxy\bin\libcurl.dll
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):1152120
                                                                        Entropy (8bit):6.718131954608567
                                                                        Encrypted:false
                                                                        SSDEEP:24576:tTZKRJUbe2HjVjy9ZYSpFRrhifOgCtH30nPpbFTBT44A900TE:tKUbibtYTmE
                                                                        MD5:5E4D6CE410E2C156C293162CEF078FCA
                                                                        SHA1:19E8F2046683A71CDAF907120CE4C95F5339FAF3
                                                                        SHA-256:6E158F098213773EE2AB91C1F02AB39FBE2896947C9DFCF762AEE10662A8BCD8
                                                                        SHA-512:076824CC390A7EDE124F6ACBBF407ED7CAED0CF15E5B827F0B622FC93B851EAAA3F8A1D6F2F701CCB2078B7B8A28D2383DE7B71DE6F560B628049394DFC29EA9
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\ztg\fillProxy\bin\loadyyChannelCrt.exe
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):1392640
                                                                        Entropy (8bit):6.692896147535185
                                                                        Encrypted:false
                                                                        SSDEEP:24576:EDVYIAhFgWVI77yx2RSZcPkE2Gwh/Mq/37y9DwupI1VWTApMu0wKtJ5Q:DbhFgWSiU47/Mq/37yxwup0WTAyu0wKe
                                                                        MD5:DB9D43D44FDC20315F38EB9F97B99871
                                                                        SHA1:CDE6651DF30601E58DB53FFE84D3E07764B4CE4E
                                                                        SHA-256:FE4A9DFEA477249053DF6B26C4F436AFB90A22D8B71D82FF712A43AB4240B97F
                                                                        SHA-512:99603C476F984225CE4C263AC90E7B20B7830439A9D83A513B9CBAFB6E26FED5C9A94B17AEFD75387D285DDF60DBE0AEA07C24632F314F6426451DA6273C4368
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\ztg\fillProxy\bin\registerNavicat.exe
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):313344
                                                                        Entropy (8bit):6.581535708576736
                                                                        Encrypted:false
                                                                        SSDEEP:6144:eqr+R666mDFoOceY9Jki5KRcPCrmcRfYMjzG9b751BWXhAONIv71:eqrAT6Oc/BQyPWmcu4hyp
                                                                        MD5:24FB2CEC5BA70D42CC46EA3F64E243DC
                                                                        SHA1:B56EF4DAF7E8EA34F00E5D466A65A0BD29AF173B
                                                                        SHA-256:1EB8A2F3C1A42F832EF5C881EED0E5B70870A67C6AB792D37554BC8813EA2586
                                                                        SHA-512:04A0654A62968BB6494F9997EE844B8F7B7F8E3E17696EBBC7FDBE974E82521CEDAABBCEA14B4ACD15E4D35910F76EBA74A9C8F93F40FFAFCC348B8E87885FDB
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\ztg\fillProxy\bin\run_startfill.bat
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):80
                                                                        Entropy (8bit):4.813137789834391
                                                                        Encrypted:false
                                                                        SSDEEP:3:mKDDVBFFy8CHkfkyyN6FXIzRov:he8Ekf9yNoHv
                                                                        MD5:0ECB9B052D033655D99A68A1C1A668DD
                                                                        SHA1:57F3E4DE2CC4B96E01AD0768C23FFAAE0C3F7BC8
                                                                        SHA-256:C76388A662C8FF10C594619F2026F4C52AAF6BF065A49F15A298F74743620D71
                                                                        SHA-512:533D88139F662ED183B3E73733F2DA456C891B9A55898B4397ED670AC3FA9CF1C081A64FFF2A4025DE3ED5CCD83D39C345022C1BD24B1258CA5BC232B40EA5C5
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: @echo off..cd /d %~dp0..regedit /s "C:\ztg\fillProxy\bin\startFill.reg"..@exit..
                                                                        C:\ztg\fillProxy\bin\sigc-vc142-3_0.dll
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):31232
                                                                        Entropy (8bit):5.927676761171113
                                                                        Encrypted:false
                                                                        SSDEEP:768:Y+mTo8IlRuh7GPcFttnDRzCef8rMM3sIUCz/a/iwD9Feo10tDfG6cRSC9oTt04Bi:Y+qoVruhQaD6cAT81
                                                                        MD5:1EDBD10831D50A65CB1BA3B369F64A89
                                                                        SHA1:08642FB04AFB325BFADA88C9610D4CA60C42CFB5
                                                                        SHA-256:381087DCD5A793070175F1356BBA0FC01370F4601244194EDF63371F394C5726
                                                                        SHA-512:8A24E3BBD9C265F5967053EA8E9621C5078A68FECF87E3CD44597778BFDBD5E686ADD0CC8392BB8A9E2412BFC11895FEF3CA4E725A20F97406F3EFE660E96C9B
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\ztg\fillProxy\bin\sigc-vc142-d-3_0.dll
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):98816
                                                                        Entropy (8bit):4.747285270900101
                                                                        Encrypted:false
                                                                        SSDEEP:768:JT945PyPL0/f4NSjYnQJ9ng3WxVR+nUSkEjhY4GPcFttnDRzCef8rMM3sIUCz/az:h945Phg8DZg3WxV8RW/aD6tEsxW817
                                                                        MD5:3CDE4A53C29012B256511ABC8C2951C7
                                                                        SHA1:9D5ED0BDD36BA77615EDECCB84796BE69AE455A0
                                                                        SHA-256:2138D294BACB3CC112D8EE1B18B4F024B03A9578D50A4B9D8763855CFCC01215
                                                                        SHA-512:9CF341F294940E1AEFB48265DB00A582A67FED0114F8E28BB6B70C251C5F80F8E8403C102548ABC6EDA3663715714CB400CFA56EE9E42E0C0A1DB5A6091FEA95
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\ztg\fillProxy\bin\sqlnet.log
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:ISO-8859 text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):13104
                                                                        Entropy (8bit):5.448705416493811
                                                                        Encrypted:false
                                                                        SSDEEP:192:PtwWjtLtwWj0LgKWjALgKWjULgKWjBLgKWjaLgKWj/Aj5ykWj3sLykWjKLykWj6h:BszTKdwApZxMTSSUSSAI
                                                                        MD5:5D1659937C28D30D2EF5A0254358F536
                                                                        SHA1:2F5E5F377B3B00117BAD140A01EA9D8BA06181A2
                                                                        SHA-256:2A2DC159F6C019618BDEB3B667FC3AEF144C7FD2B392A9E93CD686F209526A4A
                                                                        SHA-512:4A2BDE434B5533F85FD11BE6059D5120E6A4E640EC535EAD53D8903FDEA42DCFAD4F8AE41AB462EDB91DFA46A8CC1734D91C0ACFF01DE8FC3DD1D6113085432C
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: ....***********************************************************************..Fatal NI connect error 12547, connecting to:.. (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.3.73)(PORT=1521))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=testdb)(CID=(PROGRAM=C:\tool\PLSQL804\plsqldev.exe)(HOST=USER-96A8M3CJV3)(USER=admin)))).... VERSION INFORMATION:...TNS for 32-bit Windows: Version 10.2.0.1.0 - Production...Windows NT TCP/IP NT Protocol Adapter for 32-bit Windows: Version 10.2.0.1.0 - Production.. Time: 07-12..-2020 18:19:01.. Tracing not turned on... Tns error struct:.. ns main err code: 12547.. TNS-12547: TNS: ......... ns secondary err code: 12560.. nt main err code: 517.. TNS-00517: ......... nt secondary err code: 54.. nt OS err code: 0......***********************************************************************..Fatal NI connect error 12547, connecting to:.. (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.3.73)(PORT=1521))(CONNECT_DATA=(SERVER=DEDICATED
                                                                        C:\ztg\fillProxy\bin\srvany.exe
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):8192
                                                                        Entropy (8bit):5.259110186515502
                                                                        Encrypted:false
                                                                        SSDEEP:96:8ldfxd/yKaP64DMI1XT3kaiyMlH38ZldnXFADkYLyAFdfcdTbGu00C:mSP64DMI1DkHMZ36kYLxFdfcdnGu00C
                                                                        MD5:4635935FC972C582632BF45C26BFCB0E
                                                                        SHA1:7C5329229042535FE56E74F1F246C6DA8CEA3BE8
                                                                        SHA-256:ABD4AFD71B3C2BD3F741BBE3CEC52C4FA63AC78D353101D2E7DC4DE2725D1CA1
                                                                        SHA-512:167503133B5A0EBD9F8B2971BCA120E902497EB21542D6A1F94E52AE8E5B6BDE1E4CAE1A2C905870A00D772E0DF35F808701E2CFBD26DCBB130A5573FA590060
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\ztg\fillProxy\bin\startFill.reg
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:Windows Registry text (Win2K or above)
                                                                        Category:dropped
                                                                        Size (bytes):522
                                                                        Entropy (8bit):5.309357301712075
                                                                        Encrypted:false
                                                                        SSDEEP:12:jBJ0SK0pt9jX0QLb4fSJs4f8TfOffxwIdUw9CmLh8FwSnzRu:jBJtzpJ/CsOOCmYwh
                                                                        MD5:C78DBEB5E9FB0B59CFA878E35AA1DAF5
                                                                        SHA1:E372061A374D9A4620FDA13EFD67965F84546DD2
                                                                        SHA-256:9D779FC02F6E8A8BDE4E8CDA1C0A2597BC4206D3BBE622DEDA0738449B32F952
                                                                        SHA-512:B99AD1E72E0C90B6F6237C1CC51C1688598C1D4A5B3623FF5EE99F8215186D3E53ADB13DC41275680B08BA2B64FC7ADAED47A29C40F8A8E67ABE04787E2D81A8
                                                                        Malicious:true
                                                                        Reputation:unknown
                                                                        Preview: Windows Registry Editor Version 5.00....[HKEY_CLASSES_ROOT\fillClient]..@="URL:fillClient Protocol".."URL Protocol"=""....[HKEY_CLASSES_ROOT\fillClient\DefaultIcon]..@="\"C:\ztg\fillProxy\bin\fillClient.exe\""....[HKEY_CLASSES_ROOT\fillClient\shell]....[HKEY_CLASSES_ROOT\fillClient\shell\open]....[HKEY_CLASSES_ROOT\fillClient\shell\open\command]..@="\"C:\\ztg\\fillProxy\\bin\\fillClient.exe\" \"%1\""....[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome].."ExternalProtocolDialogShowAlwaysOpenCheckbox"=dword:00000001
                                                                        C:\ztg\fillProxy\bin\uninstall_svr.bat
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):129
                                                                        Entropy (8bit):4.845690215236772
                                                                        Encrypted:false
                                                                        SSDEEP:3:mKDDVBFFyHqTwEsQWADAXjwO6Wb6LEbWCyyNKWRWXAdsUEmIMyadQn:heHdojUjw7OF8yNKRQkz
                                                                        MD5:19ACEF0C4F1BDCB92EB3A09DFEA74B3D
                                                                        SHA1:26B87B4DAFEF649345C9154FC4CC59AF9EC0FC8A
                                                                        SHA-256:8A63AC42FCB8C432C3C9E5D8CCF031378066017873779B8ADDE950479E2F9772
                                                                        SHA-512:EA0EA71EE2AC33117493C772C32277A23642B8A8D89EF7483D2CAB4BB0374C6068372315316D49556BE52984B60FC8C6E8E82D81F47DD077CE6C8B5B47B8FA14
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: @echo off..cd /d %~dp0..set svr_name="fillServer"..net stop %svr_name%..C:\ztg\fillProxy\bin\instsrv.exe %svr_name% remove..@exit
                                                                        C:\ztg\fillProxy\bin\vcredist_x86.exe
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):14412304
                                                                        Entropy (8bit):7.995531820003883
                                                                        Encrypted:true
                                                                        SSDEEP:393216:/d/FlptVYmfr7yBG/4JU4TRjtjUMy4i6kgsY7i:/1PpttD7yBG/QHTJtYMyke9
                                                                        MD5:DE34B1C517E0463602624BBC8294C08D
                                                                        SHA1:5CE7923FFEA712468C05E7AC376DD9C29EA9F6BE
                                                                        SHA-256:AC96016F1511AE3EB5EC9DE04551146FE351B7F97858DCD67163912E2302F5D6
                                                                        SHA-512:114BCA1ECD17E419AD617A1A4341E607250BCB02626CDC0670EB60BE734BBAD1F3C84E38F077AF9A32A6B1607B8CE6E4B3641C0FAEFAA779C0FEC0D3AC022DAC
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\ztg\fillProxy\data\FlashFXP.ini
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):3946
                                                                        Entropy (8bit):5.4635327636206945
                                                                        Encrypted:false
                                                                        SSDEEP:48:IsNCn05qTrn59IKoO9WQxTKhoVgv9IKoOCxqyhoCArn59IKoO2xTKhocO:pIEKoP9QZKo1jUEKo6NO
                                                                        MD5:0C8DB94055D7C3C8A08D4BA03A3F1E2B
                                                                        SHA1:46A6E54A8EB50FDB07ED3ECB6B9B98EED8993EB9
                                                                        SHA-256:2642CAB446335C667ADA30C166A93854FA4BE79304491AA0B8B30A58EE02F44D
                                                                        SHA-512:EC57815899B74437868718207C2F5AC2E778A2670583B23AE64AD45A0913BB7B306F92075F07B9C20F9AFC914B5A6E608C518E1BBA6EA1E9D35E752DE2E59185
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: [main]..v4opt=eJwtk0lyQCEIBfepyl1kErj/xeJ/nVUX00MF8+yp3598uKDBgBXsAAMOAiRAxVAxVAwVQ8VRqS/FrEa4X7m5upt7C3mACatYnBC8hMIaB1ir8jzSzFAs++tu5bIqJVat7jVYe8BX7rkFvpiXrvmgWAXOGKENuCCVh6+73wN0XL86y0OAFXRNv4WzyNTz+L0DyBwDaA7OJWVlNR065ewygLP/oUbNAUcP4rNy7lEB83Mm5kzsgVgUaEBKEkuJ7QW8y/ZXEEcqcZTycIWLdQP8OxuM0ClotmHaunhLASTN9oQN1qjcNaNge966HCArjqzgEEEj9iVSjxwFrjYy7pX0bVmtLYge1Y2eILhtrMaRdlzQ2qTpRg/EGuccYICUxalxpGscDwkGrKDf+ECKvszDS/kDXwOZcQ==..build=1689..Lang=Chinese Simplified.dlf..Options=0001000010000010011010011111111000000101111101110000000010001100000100110010011041100000000210010111111113001111010100111001000000000000000010400001131110100..setup=40905..FileExists=000000000..optdata=eJwzMbA0MOXlAgAFMwEa..LSS=F755C4CE371D0A0B7BC947112325283F1E66C592F510296CCF6DE165A0AFA4..PIDX=0....[LiveUpdate]..Interval=15..X=1937....[H]..H=E14E06F3-4DA3-4783-8061-939326220705....[Graph]..V=1..H=65....[window]..Left=374..Top=60..Width=913..Height=542..State=0..TS=0.488888889551163..BS=0.493750005960464..CS=0.71
                                                                        C:\ztg\fillProxy\data\P50_modifyCrtTitle.vbs
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):165
                                                                        Entropy (8bit):5.123641097345697
                                                                        Encrypted:false
                                                                        SSDEEP:3:WUgYjk+v/GoY+yXF4fIrdBY2R4BP9jRxE4xEGKQcB+KB1IQMLKJnHytL:W7YPHGIqecdBiBtRx9xkgKB1ucnStL
                                                                        MD5:669629FA945A22B77F8C478B60BAEABC
                                                                        SHA1:7FCD9D184546256FFCC3040BA8C1328B38390429
                                                                        SHA-256:F0174AAA48638F3AA8BFFD77F061784F77209AE4C29F52BB5532C0B8B141E56E
                                                                        SHA-512:78BA4578A46352FC99D8826DC53245714868AA441B0F437B6B24B32938CD1073CC3502E1E6372FB6459287342E38A9A0A7443788F4D8EBF78B579F4EA8D8C758
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: #$language = "VBScript"..#$interface = "1.0"..SUB MAIN..Dim tab_window..Set tab_window = crt.GetTab(crt.GetTabCount())..tab_window.Caption = "192.168.1.1"..End SUB..
                                                                        C:\ztg\fillProxy\data\aaaa_login.vbs
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):344
                                                                        Entropy (8bit):5.073346804234943
                                                                        Encrypted:false
                                                                        SSDEEP:6:W7YPHGIqeXSMcpaq5uN1K5lE5LTMwFyk/LT/12eWDKfLTMwFjHJsdn/LT/1QPCBO:QYPHeePcpaq5OKA5Xt5/H12VKfXt4n/c
                                                                        MD5:2990CA02ABF73F4EEC43C0C402949855
                                                                        SHA1:A6714ACE5D54496D9F6D3014B7AD0F8FAC3F308B
                                                                        SHA-256:2591DB23433CBA355D958F522202B18DE2AEEFC9B307B38C5EAA830E83997C30
                                                                        SHA-512:839F690B277A429DED9B0E80A997060E52444C9CB9C32976ADFA8A2DAEC612E8BC5EF55A15E13A7D8FE00B410A5BE186A1642D329DDEECE7829552A035727A8F
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: #$language = "VBScript"..#$interface = "1.0"..SUB MAIN..Dim conf,tabwin..Set tabwin = crt.session.ConnectInTab("/telnet 172.16.5.29 23")..tabwin.screen.WaitForString "ogin:", 8000..tabwin.Screen.Send "administrator" & VbCr..tabwin.screen.WaitForString "assword:", 3000..tabwin.Screen.Send "Ab123456" & VbCr..tabwin.Caption = "aaaaaa"..End SUB..
                                                                        C:\ztg\fillProxy\data\admin_crtTelnet.vbs
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):267
                                                                        Entropy (8bit):5.199723470137838
                                                                        Encrypted:false
                                                                        SSDEEP:6:W7YPHGIqeXSMcpaq5uN1K59TRGwLTMwFudB/LT/1BMBKfLNZMlgPC:QYPHeePcpaq5OKPjXtUB/H1BMBKfO
                                                                        MD5:9C9F146ABF1041CD9F2711D817709FEB
                                                                        SHA1:C8C1527448CCE791562CD369D89F8795C7318372
                                                                        SHA-256:E39A7CD3E18893959CBDC70B8AED1AA745F29CA1E73DFDFF787C9D301E904A91
                                                                        SHA-512:F1A0319765C8D801367FD7516DAB926192A61379D02E008BE946546AF9D9C6E7B71B38FF2F7072AC325ED191430B1A239A40DCDFE81D5767A55D0648A9FB97F3
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: #$language = "VBScript"..#$interface = "1.0"..SUB MAIN..Dim conf,tabwin..Set tabwin = crt.session.ConnectInTab("/telnet 10.149.85.217 23")..tabwin.screen.WaitForString "ogin:", 30000..tabwin.Screen.Send "audit" & VbCr..tabwin.Caption = "unix[10.149.85.217]" End SUB..
                                                                        C:\ztg\fillProxy\data\admin_modifyCrtTitle.vbs
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):177
                                                                        Entropy (8bit):5.214171244069935
                                                                        Encrypted:false
                                                                        SSDEEP:3:WUgYjk+v/GoY+yXF4fIrdBY2R4BP9jRxE4xEGKQcB+KB1IQk9m9UVo6L:W7YPHGIqecdBiBtRx9xkgKB1g9UUa6L
                                                                        MD5:7656296425262F4147F39D2271EA2650
                                                                        SHA1:B60C94FA23D2AB2AC3DFF04577B43AAC66FD7D0A
                                                                        SHA-256:41DB6646D6C895A2ECD3E1169AEF84579B230C66A40B86A17589ED8A3608E8E1
                                                                        SHA-512:7ED49D116E7483604408719B6CE5E22C7739E288C5785DAA2E108C3A6E8AF09A819F0DCEF2186D45D644F0CB22A23034FF181334622EB9E4BBDF196EC79CB761
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: #$language = "VBScript"..#$interface = "1.0"..SUB MAIN..Dim tab_window..Set tab_window = crt.GetTab(crt.GetTabCount())..tab_window.Caption = "test2021[10.149.98.202]"..End SUB..
                                                                        C:\ztg\fillProxy\data\administrator_crtTelnet.vbs
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):375
                                                                        Entropy (8bit):5.072691837410313
                                                                        Encrypted:false
                                                                        SSDEEP:6:W7YPHGIqecKq5uN1K5lXe1wAf1VvMwFudBfV512eWDK/1VvMwFjHJuXfV51C7BK1:QYPHeecKq5OKvAf1VvtUBfV512VK/1VC
                                                                        MD5:8DD55051605199B48903DB05C4A52E2C
                                                                        SHA1:FA758BBC58DC140E0B5C9C9FF81E9EAAFA18463A
                                                                        SHA-256:3535C396F39A19A36CAE7D67C2F18E3A1E524FB9749CC474AFA95A319F4E9C73
                                                                        SHA-512:5418575490D1E87346DC366CA618E2BAA1EB7868E7FFC371B70245E4A5F2EDB4246FCCF8D3E53FC69F850EC6E0710151BE1E1DFA2016688801DE9CD98D27540A
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: #$language = "VBScript"..#$interface = "1.0"..SUB MAIN..Dim tabWindow..Set tabWindow = crt.session.ConnectInTab("/telnet 172.16.5.5 23")..crt.sleep 1000..tabWindow.screen.WaitForString "ogin:", 30000..tabWindow.Screen.Send "administrator" & VbCr..tabWindow.screen.WaitForString "assword:", 10000..tabWindow.Screen.Send "Aa123456" & VbCr..tabWindow.Caption = "aaaa"..End SUB..
                                                                        C:\ztg\fillProxy\data\administrator_modifyCrtTitle.vbs
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):165
                                                                        Entropy (8bit):5.153063842632202
                                                                        Encrypted:false
                                                                        SSDEEP:3:WUgYjk+v/GoY+yXF4fIrdBY2R4BP9jRxE4xEGKQcB+KB1IQ+gs9ML:W7YPHGIqecdBiBtRx9xkgKB1e2L
                                                                        MD5:F4E99189EB2AC10AE22E22EA2C02E98C
                                                                        SHA1:B2F0EC4EC96799231B1508377A5B9C221FB2A540
                                                                        SHA-256:14A42A5E6DE69EF46EDFF575595A614C92AA977E853A92F76FF1FEAC5406758C
                                                                        SHA-512:7D309A00604740D509F018D4AE1641E47F12C094D51D4F358D4747D91A2F84E8C215E3E46836440782A89F96215F9F7393CA7A0D2C9B4815B372F111BE774093
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: #$language = "VBScript"..#$interface = "1.0"..SUB MAIN..Dim tab_window..Set tab_window = crt.GetTab(crt.GetTabCount())..tab_window.Caption = "172.16.3.40"..End SUB..
                                                                        C:\ztg\fillProxy\data\crt87Telnet.vbs
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):386
                                                                        Entropy (8bit):5.353996135771334
                                                                        Encrypted:false
                                                                        SSDEEP:12:QYPHeecKq5OKh1Vvts0V51FM21VvtiV51B3O62u2:QYvvcl5OimuFMm2s6T2
                                                                        MD5:474947F424003B9CA9908FBC0C425E7D
                                                                        SHA1:9C7B1F6A34AD5F3D63DE297C5521D634F2EAC724
                                                                        SHA-256:3A3EE962B62458E6B530EB10BBCDA32AFAB476472A8D1F54AFF7A615006356D4
                                                                        SHA-512:4951CE6C162C63B01F39AA951C547931E8B55D7F77250EDF217EC32D88EC1DAB3B4F10BB737EB2AF1F4867BDC8147430672F07F92D7BA3CC8416827F2AC4EDCB
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: #$language = "VBScript"..#$interface = "1.0"..SUB MAIN..Dim tabWindow..Set tabWindow = crt.session.ConnectInTab("/telnet [HOST] [PORT]")..tabWindow.screen.WaitForString "[LOGIN_FLAG]", [WAIT_LOGIN]..tabWindow.Screen.Send "[USERNAME]" & chr(13)..tabWindow.screen.WaitForString "assword:", [WAIT_PWD]..tabWindow.Screen.Send "[PASSWORD]" & chr(13)..tabWindow.Caption = "[TITLE]"..End SUB..
                                                                        C:\ztg\fillProxy\data\crtTelnet.vbs
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):271
                                                                        Entropy (8bit):5.304229409825305
                                                                        Encrypted:false
                                                                        SSDEEP:6:W7YPHGIqeXSMcpaq5uN1K5sfMBLTMwFCUsIFLT/1FRKfLjC:QYPHeePcpaq5OKBXtsUH1FRKfi
                                                                        MD5:C4CCD80375CDC93FDA009CF7750C317F
                                                                        SHA1:630B11A2BBA1241EC36BCE77784EAA9874F5359F
                                                                        SHA-256:3FE6D7FA8FC880B99F04D71D2436FF157F39052824AEA0ADC41EC9484936DC7B
                                                                        SHA-512:3DE513CE3BDDF1B1B567C71B80D5D1AC83B7CCBFB10C9BB755E4CDCFC9427F0C7C9821704A0B50B6E33E94A85E8D46DD6969F8CBD4FA9F03AF3DA4974D7899E6
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: #$language = "VBScript"..#$interface = "1.0"..SUB MAIN..Dim conf,tabwin..Set tabwin = crt.session.ConnectInTab("/telnet [HOST] [PORT]")..tabwin.screen.WaitForString "[LOGIN_FLAG]", [WAIT_LOGIN]..tabwin.Screen.Send "[USERNAME]" & VbCr..tabwin.Caption = "[TITLE]" End SUB..
                                                                        C:\ztg\fillProxy\data\modifyCrtTitle.vbs
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):163
                                                                        Entropy (8bit):5.150623648930425
                                                                        Encrypted:false
                                                                        SSDEEP:3:WUgYjk+v/GoY+yXF4fIrdBY2R4BP9jRxE4xEGKQcB+KB1IQL5qQ4IvOaL:W7YPHGIqecdBiBtRx9xkgKB1cMOaL
                                                                        MD5:CB2159FA8DFFD55C0BF7390E27541B0F
                                                                        SHA1:D09E5D7642FE76FB777137ED98EC4BC95F475CD6
                                                                        SHA-256:E448FC32434DEEDA833E5D78604F7F1C0D4FC5BE64B3308D807E8C3E20EBCBD2
                                                                        SHA-512:4E51BE7CCF39B0D06FFC061C390EAEB3BBFB311B7F130C5DD99E16660EE3818E56738651CF1AF15A9CF54F04C283E8AD2FDC3024865A44D76DAC9EFB3B45771C
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: #$language = "VBScript"..#$interface = "1.0"..SUB MAIN..Dim tab_window..Set tab_window = crt.GetTab(crt.GetTabCount())..tab_window.Caption = "[CAPTION]"..End SUB..
                                                                        C:\ztg\fillProxy\data\tnsnames.ora
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):183
                                                                        Entropy (8bit):4.1040802361906366
                                                                        Encrypted:false
                                                                        SSDEEP:3:sLuFYyFhRrFYolFQ1uvuNmjygCPZKpioHFFhzfblmtLJzfdAYE2Hd/vM:sLuFVFhXFlFQ1UuwjygyciCFFhzT8FJW
                                                                        MD5:EAB2FBA5BC46241271A1F9FFB162C710
                                                                        SHA1:4124CB7F6A9474681BD12D1FC0F08511E76367DA
                                                                        SHA-256:7EB0306172B9C44328834FF519D735DF1C8843171E764FA3CD05CBF3B84EFBE8
                                                                        SHA-512:7CB59D6F842625F9144A03D589B2E2CECCE406F4B29B7E274D532C01182FCACF269EE314410DC0FA61F2BA6CBC4A1B5DD2716B8F850334D39F452407C8EC7054
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: [IP]_[SID] =.. (DESCRIPTION =.. (ADDRESS = (PROTOCOL = TCP)(HOST = [IP])(PORT = [PORT])).. (CONNECT_DATA =.. (SERVER = DEDICATED).. (SERVICE_NAME = [SID]).. ).. )
                                                                        C:\ztg\fillProxy\etc\CloudDesktopAuth.xml
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):399
                                                                        Entropy (8bit):5.301480720580332
                                                                        Encrypted:false
                                                                        SSDEEP:12:TMHdwLZZEaK2vZZEp9Yx6Rd6y/iKuXtmvW/c9WVb:2dwbNKGHqOnmO/px
                                                                        MD5:94D8A4DFC5C4620163D24339637F0791
                                                                        SHA1:E57F14DA2C00D52696079D94FB6B05F6C2AA31ED
                                                                        SHA-256:5293115291C5E162A2F48813E521A5DB2144A4460EC499C9B10F6E0D4B4870E9
                                                                        SHA-512:8B4805E1BB9ECF952180DDEED8B4D862E7FB9F64D2AC8CE13096D123CA2DB2BEFC72E24188EC23B17FB7BCD220480A5062B891C16DF0FBE9F1B84BB79CD2E4BC
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: <?xml version="1.0" encoding="UTF-8"?>..<config>...<auth username_auth_url="http://172.16.4.157:7000/ashe/ashe-hlj-login/checkUser" smscode_auth_url="http://172.16.4.157:7000/ashe/ashe-hlj-login/smsAuthen" ie_path="C:\\Program Files\\Internet Explorer\\iexplore.exe" chrome_path="C:\\ztg\\fillProxy\\tool\\Chrome\\Application\\chrome.exe"/>.. <white_list>....<u>P50</u>...</white_list>..</config>
                                                                        C:\ztg\fillProxy\etc\CloudDesktopAuthTmp.ini
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):41
                                                                        Entropy (8bit):4.353618847088081
                                                                        Encrypted:false
                                                                        SSDEEP:3:7QiOEN4y5r6B66ff1:77dG71
                                                                        MD5:5A3ABBE5F21C78B5848AC03C192CF1A8
                                                                        SHA1:10D4444693955A9D41E05C48A06F530AB736A008
                                                                        SHA-256:3284637CE5FB828A1EF94E1C1278E32C23BCC199B3DF93DF5A6745BED32380E2
                                                                        SHA-512:C94669B398E848D4BC774EA734F8410C2790AC7C3FA26D34B0942B00308A0A3D497B8427EC43F6F8DE53B03442C79DD9E0D263D004188C5874C73FE2F2F60B10
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: [CloudDesktopAuth]..auth_cmd_line=xxxxxxx
                                                                        C:\ztg\fillProxy\etc\address.ini
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):117
                                                                        Entropy (8bit):4.723855136482454
                                                                        Encrypted:false
                                                                        SSDEEP:3:dJH15BMRExJpA1vWWLwvKCWie6fZJgBYdVkvy:d51kuPp8vW/vKWuudVkvy
                                                                        MD5:1D56D1CE58AD11A1C033D6DA9BCB01DB
                                                                        SHA1:C8641A0D0A4CD64700AACB058F4F0CEE1BCC97EE
                                                                        SHA-256:0C5BCE82900011755CDF94612380FFC22EB594DB07C734E24D34CC4C1C3AA5DE
                                                                        SHA-512:48A6CEBDA2A873CAFB87507599E4EE9D9740943B3E27B77C6DE8395A5015B112DC330F3B0226A67CB1B2CC78F7E65673FF1612A6B1376217E20B22CC1F74781D
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: [fillProxy]..audit_cfg_url=..[fillServer]..session_cfg_upload_url=xxxxxx..local_ip=127.0.0.1..restful_port=8038......
                                                                        C:\ztg\fillProxy\etc\fillProxy.xml
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):588
                                                                        Entropy (8bit):5.148997956865145
                                                                        Encrypted:false
                                                                        SSDEEP:12:TMHdwWw49Ln3Kpms/2U0zkq941IlxjDJFl11voosn0koo4VEYogKTZb:2dwN46pmE2UMK1OxjdF/I0N2OKTl
                                                                        MD5:C2136B9C76280C3CEA8509F9756A32D5
                                                                        SHA1:5181453D43A7F4E9DA32C13C4029262432318A92
                                                                        SHA-256:5A3D943C8A8EE80C5D1D66852FD9B9207C56C3D84DF0537611B1BB5ABF4BA428
                                                                        SHA-512:0B29C8B383EFC617CE5A9FDE5E1D73EF0C2F1CA44D33446B31D511484C93C427A2AAD6C11CD6066AA4C6B606F24286D577FE292D8783A408D30D6E0E2463A556
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: <?xml version="1.0" encoding="UTF-8"?>..<config>...<log pattern="[%Y-%m-%d %H:%M:%S.%e][thread:%t][%s:%#->%!][%l] %v" level="trace" filepath="default" file_type="console" max_file_size="1024000" max_file_num="3"/>...<agent local_ip="1.1.1.1" mode="local" ipc_mode="pipe"/>...<audit url="xxxxxx" enable="false" block="false"/>...<session upload_url="xxxxxx" enable_logoff="false"/>...<curl cnn_timeout="30" opt_timeout="30"/>.. <process_black_list>....<process>cmd.exe</process>....<process>powershell.exe</process>....<process>explorer.exe</process>...</process_black_list>..</config>
                                                                        C:\ztg\fillProxy\etc\fillProxy.xml.bak
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):602
                                                                        Entropy (8bit):5.14771576715101
                                                                        Encrypted:false
                                                                        SSDEEP:12:TMHdwWw49Ln3Kpms/2U0ohlq941IlxjDJFl11voosn0koo4VEYogKTZb:2dwN46pmE2UNOK1OxjdF/I0N2OKTl
                                                                        MD5:A40D196FF81ECD9695869FEC4DC23386
                                                                        SHA1:CEFFC8FEF563B8A5EF56A0A1E8B8A586B94120AC
                                                                        SHA-256:DA79E4DD6349CBA32285C034E97221B250FD0590FAA1FE0BBB8A918CDA43AADA
                                                                        SHA-512:4012ABD8C679599AD6433A6EBFD5F57CF00101CDF464911A1FD1AC0EDF6ABFCB1A3AFB5984331D88747B13E34B4E39950F6E47BD38366E8CE7B170219EB8409D
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: <?xml version="1.0" encoding="UTF-8"?>..<config>...<log pattern="[%Y-%m-%d %H:%M:%S.%e][thread:%t][%s:%#->%!][%l] %v" level="trace" filepath="default" file_type="console" max_file_size="1024000" max_file_num="3"/>...<agent local_ip="www.atg.server.com.cn" mode="local" ipc_mode="pipe"/>...<audit url="xxxxxx" enable="false" block="false"/>...<session upload_url="xxxxxx" enable_logoff="false"/>...<curl cnn_timeout="30" opt_timeout="30"/>.. <process_black_list>....<process>cmd.exe</process>....<process>powershell.exe</process>....<process>explorer.exe</process>...</process_black_list>..</config>
                                                                        C:\ztg\fillProxy\log\a.txt
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:very short file (no magic)
                                                                        Category:dropped
                                                                        Size (bytes):1
                                                                        Entropy (8bit):0.0
                                                                        Encrypted:false
                                                                        SSDEEP:3:E:E
                                                                        MD5:0CC175B9C0F1B6A831C399E269772661
                                                                        SHA1:86F7E437FAA5A7FCE15D1DDCB9EAEAEA377667B8
                                                                        SHA-256:CA978112CA1BBDCAFAC231B39A23DC4DA786EFF8147C4E72B9807785AFEE48BB
                                                                        SHA-512:1F40FC92DA241694750979EE6CF582F2D5D7D28E18335DE05ABC54D0560E0F5302860C652BF08D560252AA5E74210546F369FBBBCE8C12CFC7957B2652FE9A75
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: a
                                                                        C:\ztg\fillProxy\script\ .txt
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:UTF-8 Unicode text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):62
                                                                        Entropy (8bit):4.794933359081599
                                                                        Encrypted:false
                                                                        SSDEEP:3:mKN5ALTA4Pn4w+F:wHAs4vF
                                                                        MD5:DD1F573470F6FE4ACB6BDD08EDBE0A4C
                                                                        SHA1:119CDA19328B8131639E8FFB3BCAA642C6CAA3A3
                                                                        SHA-256:22C929A962F21B82A9FFA08C0FD724234983C241C860A1DFE136D69BF430A093
                                                                        SHA-512:1B42EF70B60A35AF9B88CBCAF14E78C6B00BEA7A191E502CCC109AFB6796BB6BEAB0A78D56DC7E5ACC59D6692F7AF42263BAF83EC1764EF19B2F557BA3BC45F8
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: ...........ie.........
                                                                        C:\ztg\fillProxy\script\IE.xml
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):1192
                                                                        Entropy (8bit):5.041173060503044
                                                                        Encrypted:false
                                                                        SSDEEP:24:2dduhk/TgHZqFcduA67JUsh0boiyqHAOc8IGIkB3l8T4/O1:cl/TVcuA67JnyMiFHcWIpTb
                                                                        MD5:28953B648AED823690925857D30114E1
                                                                        SHA1:036A40AE59453927B936EBC7CC155455A3F3F138
                                                                        SHA-256:FFD675DA113CC103AD7402A8F60ED6D3F003C331F94C631BA560D5490C328D50
                                                                        SHA-512:67942A6FD1791AC5ADDC9FF86DEDF92C97ADA9AF7758D83495754A3775C20ABE258B54E18F967F862C4121BCE631DAF737329254CB8D40C8F90E5F3505F9F150
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: <?xml version="1.0" encoding="GBK"?>..<ie>.. <fill>. .. <cmd_string.format var="ie_path" fmt="[WHOLEPATH]" params="..." WHOLEPATH="C:\Program Files\Internet Explorer\iexplore.exe" need_quote="true"/>.. <cmd_string.format var="cmd" fmt="[IEPATH] [SSO]" params="..." IEPATH="*ie_path" SSO="#ssohref"/> .. <cmd_app.start var="pid" cmd_line="*cmd" mode="aaa"/>.. <cmd_wnd.run_process_and_get_wnd var="ie_wnd" cmd_line="*cmd" class_name="IEFrame" win_text="NULL" time_wait="3000"/>.. <cmd_wnd.focus_window hwnd="*ie_wnd"/>-->... .. <cmd_app.get_local_ip var="apptoolsgateip"/>.. <cmd_app.get_self_pid var="fillProxyPid"/>.. <cmd_app.get_win_session_id var="win_session_id"/>.. <cmd_audit.send_audit_info kv_field="..." apptoolsgateip="*apptoolsgateip" fillprocessid="*fillProxyPid" filledprocessid="*pid" hid="*win_session_id" gid="#gid" ssohref="#ssohref" schemaData="#schemaData" userName="#userName" prot="http" filedprocessname="iexplore
                                                                        C:\ztg\fillProxy\script\chrome.xml
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):1009
                                                                        Entropy (8bit):5.041929860738074
                                                                        Encrypted:false
                                                                        SSDEEP:24:2d9uhk/TUaZqFcdu6/qHAOc8IGIkBaQl8T4DBDV:cF/TUJcu6iHcWIvZTmBJ
                                                                        MD5:0BE8E8BACCA0E7F0699E6F854EEA8290
                                                                        SHA1:81B2D907919B5F493CDF8F8CB340CA932FF95266
                                                                        SHA-256:E99D060223BF6F7BA3A93EC4A5AEA0505674ADF213710C1D0C8F41750DE9B71F
                                                                        SHA-512:045FA727F4DF4AB02DABBE3B1C491D34D3EF6D1DAD7121664A398DDEE5667B788BD1A0BCDF5737362B9A50DFEBEBE807F71461BCEB9EDE722A674811607D7EAF
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: <?xml version="1.0" encoding="GBK"?>..<chrome>.. <fill>. .. <cmd_string.format var="ie_path" fmt="[WHOLEPATH]" params="..." WHOLEPATH="C:\ztg\fillProxy\tool\Chrome\Application\chrome.exe" need_quote="true"/>.. <cmd_string.format var="cmd" fmt="[IEPATH] [SSO]" params="..." IEPATH="*ie_path" SSO="#ssohref"/> .. <cmd_app.start var="pid" cmd_line="*cmd" mode="aaa"/>.. <cmd_app.get_local_ip var="apptoolsgateip"/>.. <cmd_app.get_self_pid var="fillProxyPid"/>.. <cmd_app.get_win_session_id var="win_session_id"/>.. <cmd_audit.send_audit_info kv_field="..." apptoolsgateip="*apptoolsgateip" fillprocessid="*fillProxyPid" filledprocessid="*pid" hid="*win_session_id" gid="#gid" ssohref="#ssohref" schemaData="#schemaData" userName="#userName" prot="http" filedprocessname="chrome.exe" sessionId="#sessionId"/> .. <cmd_audit.start_session_monitor pid="0" gid="#gid" sessionId="#sessionId" processName="chrome.exe" need_record="false"/>-->.. </fill>..
                                                                        C:\ztg\fillProxy\session_record\a.txt
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:very short file (no magic)
                                                                        Category:dropped
                                                                        Size (bytes):1
                                                                        Entropy (8bit):0.0
                                                                        Encrypted:false
                                                                        SSDEEP:3:E:E
                                                                        MD5:0CC175B9C0F1B6A831C399E269772661
                                                                        SHA1:86F7E437FAA5A7FCE15D1DDCB9EAEAEA377667B8
                                                                        SHA-256:CA978112CA1BBDCAFAC231B39A23DC4DA786EFF8147C4E72B9807785AFEE48BB
                                                                        SHA-512:1F40FC92DA241694750979EE6CF582F2D5D7D28E18335DE05ABC54D0560E0F5302860C652BF08D560252AA5E74210546F369FBBBCE8C12CFC7957B2652FE9A75
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: a
                                                                        C:\ztg\fillProxy\spy++\spyxx.exe
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):496824
                                                                        Entropy (8bit):5.656320161333186
                                                                        Encrypted:false
                                                                        SSDEEP:6144:ohX9SnE7wwsuHix7yziQYy5x4j/s7pSUD7o5JwtOQnQ3dvyf3k1MMN:kkRwsuCx7Aj5x4j/ipZ7otvyf3RMN
                                                                        MD5:E81E6028623071835DEB307E7B9E86E5
                                                                        SHA1:51956F194082616CB74068FAA926CA46F121A883
                                                                        SHA-256:58E30254A936D5B22C7FFF8B66EFD9EB823DD91A4B5C0165581463E95F742C88
                                                                        SHA-512:BC876D353C4A26F2FA4B0C3D60DBE6724BD45CE7B1BC3B40B718984CA0A90411DF252271B0BF3A8A6C48CFD102432D07E876079F5B4287042D8EF7F051882C1A
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        C:\ztg\fillProxy\spy++\spyxxhk.dll
                                                                        Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):73728
                                                                        Entropy (8bit):3.1519636837492246
                                                                        Encrypted:false
                                                                        SSDEEP:768:hcueEe71u1LMX9JUSZROeW7XyOzA/z0nep:iuze7SAX9NR9ROk/Fp
                                                                        MD5:8B351FA820CEFBFFF7733C47A1CD0A91
                                                                        SHA1:FD7FBD9D5DAB45C238E0B32AC76384230A97FC21
                                                                        SHA-256:8D9AE4417D3DD3E35C2400591CF7AEC07010D4BF9FFAAA0CE234BA92B27E5E99
                                                                        SHA-512:62AFE5AA328A661250035939A358AA0ED935008DB883E38FA9E7139A603EFD3D9575273155105D04388407EE03CB5789878B1D1EB32DCDEF0765B509B92C8738
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        \Device\ConDrv
                                                                        Process:C:\Windows\SysWOW64\cacls.exe
                                                                        File Type:ASCII text, with CRLF, CR line terminators
                                                                        Category:dropped
                                                                        Size (bytes):62
                                                                        Entropy (8bit):4.221564407119748
                                                                        Encrypted:false
                                                                        SSDEEP:3:DEVT8KvCi6A3QVgScA3:DEV4KD6AAVgSB
                                                                        MD5:53F5122CBD1A96F1EEAC4CD2A5C949F3
                                                                        SHA1:ED231A2874ABDB6040CC0DA9D9145F3D712E31D1
                                                                        SHA-256:E8E11D19A10A061437CF5EB7786292AA85C18EBD5FE37F3281BA2A729FC63FE2
                                                                        SHA-512:9A23BA096C3B7D4604F646CC430BC1FCD143C21F316C4958272BDE97F5FE68A6F263EEB17637F73334CE8848C622E6D6AB5882522C461573ED8E1CCDDEDB3AD0
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview: No mapping between account names and security IDs was done....

                                                                        Static File Info

                                                                        General

                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Entropy (8bit):7.998867226699473
                                                                        TrID:
                                                                        • Win32 Executable (generic) a (10002005/4) 99.40%
                                                                        • InstallShield setup (43055/19) 0.43%
                                                                        • Windows Screen Saver (13104/52) 0.13%
                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                        File name:fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        File size:23653052
                                                                        MD5:e744a9216199c95f313b5a9caff52306
                                                                        SHA1:e6895f247ec71e97db4eb75070408f171203919e
                                                                        SHA256:13d345e09772591b82023fb12d68e41158c865bfec60c017d50aff16486e07e1
                                                                        SHA512:e8d23ae31d7a427c00ccf480f5c3d6b3f4d9daeee6bb84dc9fb67081b6c6066e21c4410c5bc56e34a3aae36352b3502e2f207c2940a50b961d044dd184d38e6c
                                                                        SSDEEP:393216:iREgL13gKDvc4T+HYqelF3oJbg7VM5b3lpT7CajBLUzQBKakg/lTbbEeyU6qkyOO:Dg9MTelFYlYm1pT9dLUzQBJ5/5bweymF

                                                                        File Icon

                                                                        Icon Hash:c8d49ccde690ae46

                                                                        Static PE Info

                                                                        General

                                                                        Entrypoint:0x4253ca
                                                                        Entrypoint Section:.text
                                                                        Digitally signed:false
                                                                        Imagebase:0x400000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                        DLL Characteristics:
                                                                        Time Stamp:0x40813A96 [Sat Apr 17 14:09:26 2004 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:
                                                                        OS Version Major:4
                                                                        OS Version Minor:0
                                                                        File Version Major:4
                                                                        File Version Minor:0
                                                                        Subsystem Version Major:4
                                                                        Subsystem Version Minor:0
                                                                        Import Hash:76d5c02c1b61ff55cf8d344cde5d8b26

                                                                        Entrypoint Preview

                                                                        Instruction
                                                                        push ebp
                                                                        mov ebp, esp
                                                                        push FFFFFFFFh
                                                                        push 00428828h
                                                                        push 00424EE0h
                                                                        mov eax, dword ptr fs:[00000000h]
                                                                        push eax
                                                                        mov dword ptr fs:[00000000h], esp
                                                                        sub esp, 58h
                                                                        push ebx
                                                                        push esi
                                                                        push edi
                                                                        mov dword ptr [ebp-18h], esp
                                                                        call dword ptr [0042812Ch]
                                                                        xor edx, edx
                                                                        mov dl, ah
                                                                        mov dword ptr [0047F344h], edx
                                                                        mov ecx, eax
                                                                        and ecx, 000000FFh
                                                                        mov dword ptr [0047F340h], ecx
                                                                        shl ecx, 08h
                                                                        add ecx, edx
                                                                        mov dword ptr [0047F33Ch], ecx
                                                                        shr eax, 10h
                                                                        mov dword ptr [0047F338h], eax
                                                                        xor esi, esi
                                                                        push esi
                                                                        call 00007F5B44D31FA5h
                                                                        pop ecx
                                                                        test eax, eax
                                                                        jne 00007F5B44D31ECAh
                                                                        push 0000001Ch
                                                                        call 00007F5B44D31F75h
                                                                        pop ecx
                                                                        mov dword ptr [ebp-04h], esi
                                                                        call 00007F5B44D332F8h
                                                                        call dword ptr [00428108h]
                                                                        mov dword ptr [0047F840h], eax
                                                                        call 00007F5B44D331B6h
                                                                        mov dword ptr [0047F378h], eax
                                                                        call 00007F5B44D32F5Fh
                                                                        call 00007F5B44D32EA1h
                                                                        call 00007F5B44D31673h
                                                                        mov dword ptr [ebp-30h], esi
                                                                        lea eax, dword ptr [ebp-5Ch]
                                                                        push eax
                                                                        call dword ptr [0042818Ch]
                                                                        call 00007F5B44D32E32h
                                                                        mov dword ptr [ebp-64h], eax
                                                                        test byte ptr [ebp-30h], 00000001h
                                                                        je 00007F5B44D31EC8h
                                                                        movzx eax, word ptr [ebp-2Ch]
                                                                        jmp 00007F5B44D31EC5h
                                                                        push 0000000Ah
                                                                        pop eax
                                                                        push eax
                                                                        push dword ptr [ebp-64h]
                                                                        push esi
                                                                        push esi
                                                                        call dword ptr [0042822Ch]

                                                                        Rich Headers

                                                                        Programming Language:
                                                                        • [ C ] VS98 (6.0) build 8168
                                                                        • [EXP] VC++ 6.0 SP5 build 8804
                                                                        • [C++] VS98 (6.0) build 8168

                                                                        Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x28b88          0xf0          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x80000          0xfb0         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x28000          0x418         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                        Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type             Entropy        Characteristics
.text   0x1000           0x26ae0       0x26c00   False     0.58205015121    data                  6.59632180574  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x28000          0x2208        0x2400    False     0.415907118056   zlib compressed data  5.57765758968  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x2b000          0x54858       0x3200    False     0.465703125      data                  5.50529776871  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc   0x80000          0xfb0         0x1000    False     0.37744140625    data                  4.30991765431  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                        Resources

Name             RVA      Size   Type                                                      Language  Country
RT_CURSOR        0x80e60  0x134  data                                                      Finnish   Finland
RT_BITMAP        0x80c88  0x1d4  data                                                      Finnish   Finland
RT_ICON          0x806d0  0x2e8  data                                                      Finnish   Finland
RT_DIALOG        0x802a0  0xf0   data                                                      Finnish   Finland
RT_DIALOG        0x80438  0x1e0  data                                                      Finnish   Finland
RT_DIALOG        0x80390  0xa6   data                                                      Finnish   Finland
RT_DIALOG        0x80618  0xb6   data                                                      Finnish   Finland
RT_GROUP_CURSOR  0x80f98  0x14   Lotus unknown worksheet or configuration, revision 0x1    Finnish   Finland
RT_GROUP_ICON    0x809b8  0x14   data                                                      Finnish   Finland
RT_MANIFEST      0x809d0  0x2b8  XML 1.0 document, ASCII text, with CRLF line terminators  Finnish   Finland

                                                                        Imports

DLL           Import
KERNEL32.dll  WaitForSingleObject, GetModuleFileNameA, GetDateFormatA, GetSystemDirectoryA, GetWindowsDirectoryA, GetCommandLineA, GetVersionExA, CreateMutexA, GetPrivateProfileIntA, GetPrivateProfileStringA, lstrcmpA, GetSystemTime, LocalFree, LocalAlloc, GetVersion, GetSystemInfo, GetComputerNameA, SetEndOfFile, LCMapStringA, GetStringTypeW, GetStringTypeA, GetOEMCP, lstrcpynA, GetCPInfo, GetFileType, GetStdHandle, SetHandleCount, GetEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsW, FreeEnvironmentStringsA, UnhandledExceptionFilter, HeapSize, HeapReAlloc, VirtualAlloc, VirtualFree, HeapCreate, HeapDestroy, GetStartupInfoA, RtlUnwind, TerminateProcess, HeapAlloc, HeapFree, GetExitCodeProcess, SetFileTime, GlobalMemoryStatus, GetShortPathNameA, SetErrorMode, WritePrivateProfileStringA, WritePrivateProfileSectionA, MoveFileExA, GetCurrentProcess, ExitProcess, WideCharToMultiByte, CreateProcessA, RemoveDirectoryA, GetFileTime, VerLanguageNameA, CompareFileTime, CopyFileA, GetFileSize, GetLogicalDriveStringsA, FreeLibrary, GetCurrentDirectoryA, SetCurrentDirectoryA, MultiByteToWideChar, SetFileAttributesA, LCMapStringW, GetTempPathA, GetFileAttributesA, CreateDirectoryA, GetLocaleInfoA, FindFirstFileA, lstrcmpiA, FindNextFileA, FindClose, GetDriveTypeA, lstrcatA, GetModuleHandleA, LoadLibraryA, GetProcAddress, GetTickCount, Sleep, GetCurrentThread, QueryPerformanceFrequency, QueryPerformanceCounter, GetThreadPriority, SetThreadPriority, GlobalReAlloc, GlobalUnlock, GlobalFree, GlobalAlloc, GlobalLock, MulDiv, lstrlenA, GetLastError, FormatMessageA, WriteFile, ReadFile, lstrcpyA, SetFilePointer, CreateFileA, CloseHandle, GetACP, DeleteFileA
USER32.dll    FindWindowA, IsIconic, PostMessageA, RegisterClassA, SetRectEmpty, ExitWindowsEx, MsgWaitForMultipleObjects, GetMessageA, TranslateMessage, DispatchMessageA, FillRect, PostQuitMessage, EnableWindow, SetWindowPos, SetTimer, GetDlgItemTextA, CreateDialogParamA, GetWindowLongA, IsWindowEnabled, GetSystemMetrics, RegisterClassExA, GetClientRect, IsWindowVisible, PtInRect, SetCursor, EndDialog, GetActiveWindow, WaitMessage, IsDialogMessageA, MessageBoxA, CopyRect, KillTimer, DrawEdge, GetDlgItem, SendDlgItemMessageA, SetDlgItemTextA, PeekMessageA, SetWindowTextA, ReleaseDC, EnumDisplaySettingsA, LoadBitmapA, GetDC, DestroyWindow, DefWindowProcA, GetWindowRect, InvalidateRect, LoadIconA, LoadImageA, GetSysColor, GetDesktopWindow, SystemParametersInfoA, SetForegroundWindow, DialogBoxParamA, GetWindowTextLengthA, GetWindowTextA, CreateWindowExA, SetWindowLongA, SetFocus, GetSystemMenu, DeleteMenu, AppendMenuA, ShowWindow, LoadCursorA, GetCursorPos, ScreenToClient, SendMessageA
GDI32.dll     SaveDC, SetMapMode, SetViewportOrgEx, RestoreDC, StartDocA, StartPage, EndPage, TextOutA, SetBkMode, SelectObject, CreateFontA, GetDeviceCaps, BitBlt, DeleteDC, DeleteObject, CreateSolidBrush, GetStockObject, SetBkColor, SetTextColor, CreateCompatibleBitmap, CreateCompatibleDC, StretchDIBits, GetTextExtentPoint32A, CreateBitmap, CreateDIBitmap, CreatePalette, AddFontResourceA, CreateScalableFontResourceA, EndDoc, RemoveFontResourceA
comdlg32.dll  GetOpenFileNameA, PrintDlgA
ADVAPI32.dll  RegCloseKey, RegOpenKeyExA, AdjustTokenPrivileges, LookupPrivilegeValueA, RegDeleteValueA, RegQueryInfoKeyA, RegEnumKeyExA, OpenThreadToken, DuplicateToken, AllocateAndInitializeSid, InitializeSecurityDescriptor, GetLengthSid, InitializeAcl, AddAccessAllowedAce, SetSecurityDescriptorDacl, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, IsValidSecurityDescriptor, AccessCheck, FreeSid, GetUserNameA, RegSetValueExA, RegCreateKeyExA, OpenProcessToken, RegQueryValueExA
SHELL32.dll   SHFileOperationA, SHBrowseForFolderA, SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHGetMalloc, ShellExecuteA, SHChangeNotify
ole32.dll     CoUninitialize, CoInitialize, OleInitialize, CoCreateInstance, OleUninitialize
OLEAUT32.dll  RegisterTypeLib, LoadTypeLib
WINMM.dll     waveOutGetNumDevs, midiOutGetNumDevs, joyGetPos
COMCTL32.dll  ImageList_Create, ImageList_Add
VERSION.dll   GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

                                                                        Possible Origin

                                                                        Language of compilation system:Finnish
                                                                        Country where language is spoken:Finland

                                                                        Network Behavior

                                                                        No network behavior found

                                                                        System Behavior

                                                                        General

                                                                        Start time:06:07:25
                                                                        Start date:17/12/2021
                                                                        Path:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe"
                                                                        Imagebase:0x400000
                                                                        File size:23653052 bytes
                                                                        MD5 hash:E744A9216199C95F313B5A9CAFF52306
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:low

                                                                        General

                                                                        Start time:06:07:28
                                                                        Start date:17/12/2021
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                        Imagebase:0x7ff70d6e0000
                                                                        File size:51288 bytes
                                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:06:07:30
                                                                        Start date:17/12/2021
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                                        Imagebase:0x7ff70d6e0000
                                                                        File size:51288 bytes
                                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:06:07:30
                                                                        Start date:17/12/2021
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                                                                        Imagebase:0x7ff70d6e0000
                                                                        File size:51288 bytes
                                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:06:07:31
                                                                        Start date:17/12/2021
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                                                                        Imagebase:0x7ff70d6e0000
                                                                        File size:51288 bytes
                                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:06:07:31
                                                                        Start date:17/12/2021
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:c:\windows\system32\svchost.exe -k unistacksvcgroup
                                                                        Imagebase:0x7ff70d6e0000
                                                                        File size:51288 bytes
                                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:06:07:32
                                                                        Start date:17/12/2021
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                                        Imagebase:0x7ff70d6e0000
                                                                        File size:51288 bytes
                                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:06:07:32
                                                                        Start date:17/12/2021
                                                                        Path:C:\Windows\System32\SgrmBroker.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\SgrmBroker.exe
                                                                        Imagebase:0x7ff6bdd40000
                                                                        File size:163336 bytes
                                                                        MD5 hash:D3170A3F3A9626597EEE1888686E3EA6
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:06:07:33
                                                                        Start date:17/12/2021
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                                                                        Imagebase:0x7ff70d6e0000
                                                                        File size:51288 bytes
                                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:06:07:40
                                                                        Start date:17/12/2021
                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Windows\system32\cmd.exe /c ""C:\ztg\fillProxy\bin\run_startfill.bat""
                                                                        Imagebase:0xd80000
                                                                        File size:232960 bytes
                                                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:06:07:40
                                                                        Start date:17/12/2021
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff7f20f0000
                                                                        File size:625664 bytes
                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:06:07:41
                                                                        Start date:17/12/2021
                                                                        Path:C:\Windows\SysWOW64\regedit.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:regedit /s "C:\ztg\fillProxy\bin\startFill.reg"
                                                                        Imagebase:0xe80000
                                                                        File size:316416 bytes
                                                                        MD5 hash:617538C965AC4DDC72F9CF647C4343D5
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language

                                                                        General

                                                                        Start time:06:07:43
                                                                        Start date:17/12/2021
                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Windows\system32\cmd.exe /c ""C:\ztg\fillProxy\bin\changePv.bat""
                                                                        Imagebase:0xd80000
                                                                        File size:232960 bytes
                                                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language

                                                                        General

                                                                        Start time:06:07:43
                                                                        Start date:17/12/2021
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff7f20f0000
                                                                        File size:625664 bytes
                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language

                                                                        General

                                                                        Start time:06:07:44
                                                                        Start date:17/12/2021
                                                                        Path:C:\Windows\SysWOW64\cacls.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:Cacls C:\ztg /t /e /c /g users:f
                                                                        Imagebase:0x1300000
                                                                        File size:27648 bytes
                                                                        MD5 hash:4CBB1C027DF71C53A8EE4C855FD35B25
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language

                                                                        General

                                                                        Start time:06:07:45
                                                                        Start date:17/12/2021
                                                                        Path:C:\Windows\SysWOW64\cacls.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:Cacls C:\ztg /t /e /c /g "Domain users":f
                                                                        Imagebase:0x1300000
                                                                        File size:27648 bytes
                                                                        MD5 hash:4CBB1C027DF71C53A8EE4C855FD35B25
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language

                                                                        General

                                                                        Start time:06:07:46
                                                                        Start date:17/12/2021
                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Windows\system32\cmd.exe /c ""C:\ztg\fillProxy\bin\install_vc.bat""
                                                                        Imagebase:0xd80000
                                                                        File size:232960 bytes
                                                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language

                                                                        General

                                                                        Start time:06:07:46
                                                                        Start date:17/12/2021
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff7f20f0000
                                                                        File size:625664 bytes
                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language

                                                                        General

                                                                        Start time:06:07:47
                                                                        Start date:17/12/2021
                                                                        Path:C:\ztg\fillProxy\bin\vcredist_x86.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\ztg\fillProxy\bin\vcredist_x86.exe /q
                                                                        Imagebase:0x90000
                                                                        File size:14412304 bytes
                                                                        MD5 hash:DE34B1C517E0463602624BBC8294C08D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language

                                                                        General

                                                                        Start time:06:07:48
                                                                        Start date:17/12/2021
                                                                        Path:C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Windows\Temp\{F9528604-2883-4C3D-A8EE-283281AA48FE}\.cr\vcredist_x86.exe" -burn.clean.room="C:\ztg\fillProxy\bin\vcredist_x86.exe" -burn.filehandle.attached=744 -burn.filehandle.self=816 /q
                                                                        Imagebase:0x10000
                                                                        File size:647912 bytes
                                                                        MD5 hash:2F9D2B6CE54F9095695B53D1AA217C7B
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language

                                                                        General

                                                                        Start time:06:07:49
                                                                        Start date:17/12/2021
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                        Imagebase:0x7ff70d6e0000
                                                                        File size:51288 bytes
                                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language

                                                                        General

                                                                        Start time:06:08:01
                                                                        Start date:17/12/2021
                                                                        Path:C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Windows\Temp\{989EFE3A-7CD0-4673-B290-541117C1EBEE}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{645B3868-9A7A-49FB-A8C1-BAE7792CA0E7} {A6CC766D-FCE7-4ED5-846F-2A3F82C8859D} 6936
                                                                        Imagebase:0xf90000
                                                                        File size:647912 bytes
                                                                        MD5 hash:2F9D2B6CE54F9095695B53D1AA217C7B
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language

                                                                        General

                                                                        Start time:06:08:06
                                                                        Start date:17/12/2021
                                                                        Path:C:\Windows\System32\msiexec.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\msiexec.exe /V
                                                                        Imagebase:0x7ff705df0000
                                                                        File size:66048 bytes
                                                                        MD5 hash:4767B71A318E201188A0D0A420C8B608
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language

                                                                        General

                                                                        Start time:06:08:06
                                                                        Start date:17/12/2021
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                        Imagebase:0x7ff70d6e0000
                                                                        File size:51288 bytes
                                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language

                                                                        General

                                                                        Start time:06:08:13
                                                                        Start date:17/12/2021
                                                                        Path:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" /burn.runonce
                                                                        Imagebase:0x1290000
                                                                        File size:647912 bytes
                                                                        MD5 hash:2F9D2B6CE54F9095695B53D1AA217C7B
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language

                                                                        General

                                                                        Start time:06:08:14
                                                                        Start date:17/12/2021
                                                                        Path:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" /quiet /burn.log.append "C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20211217060759.log
                                                                        Imagebase:0x1290000
                                                                        File size:647912 bytes
                                                                        MD5 hash:2F9D2B6CE54F9095695B53D1AA217C7B
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language

                                                                        General

                                                                        Start time:06:08:15
                                                                        Start date:17/12/2021
                                                                        Path:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -burn.filehandle.attached=564 -burn.filehandle.self=584 /quiet /burn.log.append "C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20211217060759.log
                                                                        Imagebase:0x1290000
                                                                        File size:647912 bytes
                                                                        MD5 hash:2F9D2B6CE54F9095695B53D1AA217C7B
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language

                                                                        General

                                                                        Start time:06:08:20
                                                                        Start date:17/12/2021
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                        Imagebase:0x7ff70d6e0000
                                                                        File size:51288 bytes
                                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language

                                                                        General

                                                                        Start time:06:08:33
                                                                        Start date:17/12/2021
                                                                        Path:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                                                                        Imagebase:0x7ff7f26b0000
                                                                        File size:455656 bytes
                                                                        MD5 hash:A267555174BFA53844371226F482B86B
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language

                                                                        General

                                                                        Start time:06:08:34
                                                                        Start date:17/12/2021
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff7f20f0000
                                                                        File size:625664 bytes
                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language

                                                                        General

                                                                        Start time:06:08:43
                                                                        Start date:17/12/2021
                                                                        Path:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{36DB509C-8644-440C-B46D-D0502611EA71} {DAD621ED-08F2-4F98-B829-756C75226406} 5704
                                                                        Imagebase:0x1290000
                                                                        File size:647912 bytes
                                                                        MD5 hash:2F9D2B6CE54F9095695B53D1AA217C7B
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language

                                                                        General

                                                                        Start time:06:08:53
                                                                        Start date:17/12/2021
                                                                        Path:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={65e650ff-30be-469d-b63a-418d71ea1765} -burn.filehandle.self=1176 -burn.embedded BurnPipe.{3DFA5E1E-FA14-4FA6-B845-2FEC294BCE10} {BF0E961E-0781-45C2-9B76-B54C300A2310} 4476
                                                                        Imagebase:0xcd0000
                                                                        File size:654616 bytes
                                                                        MD5 hash:77F9143FEEBC7782FE91336F104EC997
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language

                                                                        General

                                                                        Start time:06:08:53
                                                                        Start date:17/12/2021
                                                                        Path:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -burn.filehandle.attached=168 -burn.filehandle.self=776 -uninstall -quiet -burn.related.upgrade -burn.ancestors={65e650ff-30be-469d-b63a-418d71ea1765} -burn.filehandle.self=1176 -burn.embedded BurnPipe.{3DFA5E1E-FA14-4FA6-B845-2FEC294BCE10} {BF0E961E-0781-45C2-9B76-B54C300A2310} 4476
                                                                        Imagebase:0xcd0000
                                                                        File size:654616 bytes
                                                                        MD5 hash:77F9143FEEBC7782FE91336F104EC997
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language

                                                                        General

                                                                        Start time:06:09:05
                                                                        Start date:17/12/2021
                                                                        Path:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={65e650ff-30be-469d-b63a-418d71ea1765} -burn.filehandle.self=1100 -burn.embedded BurnPipe.{66F04CCF-DF99-4716-9126-725C0AF2D3CA} {6E53EA31-B961-426F-8981-955415C328A5} 4404
                                                                        Imagebase:0xcd0000
                                                                        File size:654616 bytes
                                                                        MD5 hash:77F9143FEEBC7782FE91336F104EC997
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language

                                                                        Disassembly

                                                                        Code Analysis


                                                                          Execution Graph

                                                                          Execution Coverage:12%
                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                          Signature Coverage:14.8%
                                                                          Total number of Nodes:2000
                                                                          Total number of Limit Nodes:44

                                                                          Graph

419ddb ShowWindow 20663->20665 20664->20658 20665->20664 20672 41bb03 20666->20672 20680 415121 20666->20680 20669 41bf12 233 API calls 20669->20672 20670 41cd1e 233 API calls 20670->20672 20671 41e87a 233 API calls 20671->20672 20672->20669 20672->20670 20672->20671 20674 41bb9e 20672->20674 20672->20680 21394 41e814 GlobalAlloc GlobalLock 20672->21394 21395 41bdc5 GlobalAlloc GlobalLock 20672->21395 21396 415a59 20672->21396 21433 41befb GlobalUnlock GlobalFree 20672->21433 21434 41e841 GlobalUnlock GlobalFree 20672->21434 21435 41befb GlobalUnlock GlobalFree 20674->21435 20677 41bba3 21436 41e841 GlobalUnlock GlobalFree 20677->21436 20680->20201 20680->20203 20681 4158e2 20680->20681 20682 4158fa 20681->20682 20683 41591b 20682->20683 20684 41590f 20682->20684 20688 415916 20682->20688 20685 41cd1e 233 API calls 20683->20685 21460 41b61b 242 API calls 20684->21460 20687 41592f RegOpenKeyExA 20685->20687 20689 415940 20687->20689 20690 4159a7 20687->20690 20688->20203 21443 4229a8 20689->21443 20692 4159c6 20690->20692 20693 4159af RegCloseKey 20690->20693 20696 41cd1e 233 API calls 20692->20696 20694 4159b8 20693->20694 21461 4155d2 233 API calls 20694->21461 20699 4159d4 RegQueryValueExA RegCloseKey 20696->20699 20698 40df52 GetFileAttributesA 20700 41595d 20698->20700 20699->20694 20701 4159ed 20699->20701 20700->20688 20702 415966 20700->20702 20703 4229a8 233 API calls 20701->20703 20704 41bf12 233 API calls 20702->20704 20705 4159fe 20703->20705 20706 415979 20704->20706 20707 40df52 GetFileAttributesA 20705->20707 20708 41c047 233 API calls 20706->20708 20709 415a0a 20707->20709 20710 415986 20708->20710 20709->20688 20711 415a0f 20709->20711 20712 41cd1e 233 API calls 20710->20712 20713 41bf12 233 API calls 20711->20713 20714 41598e CopyFileA 20712->20714 20715 415a22 20713->20715 20716 415a4b DeleteFileA 20714->20716 20717 41c047 233 API calls 20715->20717 20716->20688 20718 415a2f 20717->20718 20719 41cd1e 233 API calls 20718->20719 20720 415a37 
CopyFileA 20719->20720 20720->20716 20722 41bf12 233 API calls 20721->20722 20723 4180cd 20722->20723 20724 4180d7 LoadLibraryA 20723->20724 20725 41812b 20723->20725 20724->20725 20726 4180e9 GetProcAddress 20724->20726 20727 41dae7 233 API calls 20725->20727 20728 418122 FreeLibrary 20726->20728 20733 4180f9 20726->20733 20729 418157 20727->20729 20728->20725 20730 418173 20729->20730 20732 41bf12 233 API calls 20729->20732 21462 41a2c6 20730->21462 20734 41816b 20732->20734 20733->20728 20735 41bf12 233 API calls 20733->20735 20736 424dce 4 API calls 20734->20736 20735->20728 20736->20730 20737 41817c 20778 415177 20737->20778 21487 40de4d LoadLibraryA 20737->21487 20740 418221 21496 4184a4 20740->21496 20743 4181cf CreateDialogParamA 21721 41d46f 20743->21721 20745 418276 21733 42371f 339 API calls 20745->21733 20746 4181f1 20748 4181fb GetDlgItem SetWindowTextA 20746->20748 20749 41820d 20746->20749 20748->20749 20751 41d46f 233 API calls 20749->20751 20750 418246 20750->20745 20754 41824e 20750->20754 20752 418217 20751->20752 20752->20740 20755 41821b SetWindowTextA 20752->20755 21731 40fd20 317 API calls 20754->21731 20755->20740 20756 418352 20759 418377 20756->20759 20760 41c047 233 API calls 20756->20760 20756->20778 20758 418255 20758->20745 20762 41cd1e 233 API calls 20758->20762 21734 41c2e0 233 API calls 20759->21734 20760->20759 20764 418265 20762->20764 20763 41837e 20765 41dcd0 233 API calls 20763->20765 21732 41b2cc 233 API calls 20764->21732 20767 418388 20765->20767 21735 41c2e0 233 API calls 20767->21735 20769 418390 20770 4183a7 20769->20770 20771 4183d3 20769->20771 21736 40efe7 244 API calls 20769->21736 20770->20771 20773 4183b8 ShowWindow DestroyWindow 20770->20773 20775 424dd9 6 API calls 20771->20775 20781 4183e2 20771->20781 20773->20771 20775->20781 20776 418438 20777 418484 20776->20777 20776->20778 21737 41b2cc 233 API calls 20776->21737 20777->20778 20780 424dce 4 API calls 20777->20780 20778->20209 20778->20210 20780->20778 
20781->20776 20784 41cd1e 233 API calls 20781->20784 20782 41847d 20783 424dd9 6 API calls 20782->20783 20783->20777 20784->20776 20786 4124c7 20785->20786 20787 412486 20785->20787 20788 41250f 20786->20788 20790 41cd1e 233 API calls 20786->20790 20801 41257b 20786->20801 21957 4237b5 20787->21957 20788->20801 22225 41a69c 20788->22225 20793 412509 20790->20793 22177 40dc10 20793->22177 20801->20201 20801->20232 20801->20233 20808 412554 20808->20801 20811 412561 20808->20811 20812 412582 20808->20812 20814 414c1b 272 API calls 20811->20814 20815 4125b5 20812->20815 20819 41cd1e 233 API calls 20812->20819 20818 412570 20814->20818 20816 414c1b 272 API calls 20815->20816 20820 4125c1 20816->20820 22574 4102f6 247 API calls 20818->22574 20823 4125aa GetDlgItem SetWindowTextA 20819->20823 20824 414c1b 272 API calls 20820->20824 20823->20815 20827 4125ca 20824->20827 20826 412577 20826->20801 20826->20812 22322 41bdc5 GlobalAlloc GlobalLock 20827->22322 20833 41be99 233 API calls 20835 4125e2 20833->20835 20835->20833 20840 41262b 20835->20840 22323 413399 20835->22323 20842 412631 20840->20842 20843 41264f 20840->20843 20845 41cd1e 233 API calls 20842->20845 20844 412676 20843->20844 20846 41cd1e 233 API calls 20843->20846 20847 414c1b 272 API calls 20844->20847 20848 41263c 20845->20848 20850 41266b GetDlgItem SetWindowTextA 20846->20850 20851 41267f 20847->20851 22575 41b2a8 233 API calls 20848->22575 20850->20844 22361 413211 20851->22361 20853 412686 20855 4126a3 20853->20855 20857 41cd1e 233 API calls 20853->20857 20856 4126ca 20855->20856 20858 41cd1e 233 API calls 20855->20858 20859 414c1b 272 API calls 20856->20859 20860 412695 20857->20860 20861 4126bf GetDlgItem SetWindowTextA 20858->20861 20862 4126d3 20859->20862 22576 41b2a8 233 API calls 20860->22576 20861->20856 22382 412e58 20862->22382 20866 412701 20868 414c1b 272 API calls 20866->20868 20867 41cd1e 233 API calls 20869 4126f6 GetDlgItem SetWindowTextA 20867->20869 20870 41270a 20868->20870 
20869->20866 22423 410891 20870->22423 20900 41264a 22619 41befb GlobalUnlock GlobalFree 20900->22619 20904->20201 20905->20204 20906->20218 20908 41c047 230 API calls 20907->20908 20909 41c480 lstrlenA 20908->20909 20910 415194 20909->20910 20912 41c494 20909->20912 20915 41cd1e GlobalUnlock GlobalReAlloc 20910->20915 20911 41c645 lstrlenA 20911->20910 20911->20912 20912->20911 20913 41cbf9 230 API calls 20912->20913 20914 41c63f lstrlenA 20912->20914 20913->20912 20914->20911 20916 41cd51 GlobalLock 20915->20916 20917 41cd40 20915->20917 20916->20231 20918 41cd1e 230 API calls 20917->20918 20919 41cd4a 20918->20919 23438 41d881 233 API calls 20919->23438 20921 41cd50 20921->20916 20922->20243 20923->20201 20925 41e453 GetCurrentThread OpenThreadToken 20924->20925 20926 4151d2 20924->20926 20927 41e49b DuplicateToken 20925->20927 20928 41e46f GetLastError 20925->20928 20926->20212 20926->20224 20930 41e4b2 AllocateAndInitializeSid 20927->20930 20941 41e5be 20927->20941 20929 41e480 GetCurrentProcess OpenProcessToken 20928->20929 20928->20941 20929->20927 20929->20941 20932 41e4d7 LocalAlloc 20930->20932 20930->20941 20934 41e4ed InitializeSecurityDescriptor 20932->20934 20932->20941 20933 41e5ca 20933->20926 20935 41e4fe GetLengthSid LocalAlloc 20934->20935 20934->20941 20936 41e51f InitializeAcl 20935->20936 20935->20941 20937 41e531 AddAccessAllowedAce 20936->20937 20936->20941 20938 41e54a SetSecurityDescriptorDacl 20937->20938 20937->20941 20939 41e55f SetSecurityDescriptorGroup SetSecurityDescriptorOwner IsValidSecurityDescriptor 20938->20939 20938->20941 20940 41e586 AccessCheck 20939->20940 20939->20941 20940->20941 23439 41e5e3 LocalFree LocalFree FreeSid CloseHandle CloseHandle 20941->23439 20942->20247 20944->20245 20946->20201 20947->20225 20948->20235 20949->20241 20950->20245 20952 424bae 6 API calls 20951->20952 20953 41925a 20952->20953 20953->20308 20953->20309 20955 41bf27 20954->20955 20956 41bf2b lstrlenA 20954->20956 20957 41bf34 GlobalReAlloc 
20955->20957 20956->20957 20958 41bf59 GlobalLock 20957->20958 20959 41bf48 20957->20959 20961 41929a 20958->20961 20960 41cd1e 229 API calls 20959->20960 20962 41bf52 20960->20962 20965 424dce 20961->20965 20992 41d881 233 API calls 20962->20992 20964 41bf58 20964->20958 20966 424ab4 4 API calls 20965->20966 20967 4192a2 GetCommandLineA 20966->20967 20968 41be35 lstrlenA GlobalAlloc 20967->20968 20969 41be61 20968->20969 20970 41be72 GlobalLock 20968->20970 20972 41cd1e 230 API calls 20969->20972 20971 41be84 20970->20971 20971->20318 20971->20971 20973 41be6b 20972->20973 20993 41d881 233 API calls 20973->20993 20975 41be71 20975->20970 20977 41c6f7 20976->20977 20988 4192ca 20976->20988 20977->20988 20994 41bdc5 GlobalAlloc GlobalLock 20977->20994 20979 41c70f 20995 41bdc5 GlobalAlloc GlobalLock 20979->20995 20981 41c717 20996 41bf80 GlobalUnlock GlobalReAlloc 20981->20996 20983 41c720 20984 41bf12 232 API calls 20983->20984 20989 41c72b 20984->20989 20986 41c7c0 21005 41befb GlobalUnlock GlobalFree 20986->21005 20988->20321 21004 41befb GlobalUnlock GlobalFree 20989->21004 20990->20326 20991->20308 20992->20964 20993->20975 20994->20979 20995->20981 20997 41bfb9 GlobalLock 20996->20997 20998 41bfa8 20996->20998 21000 41bfcb 20997->21000 20999 41cd1e 230 API calls 20998->20999 21001 41bfb2 20999->21001 21000->20983 21000->21000 21006 41d881 233 API calls 21001->21006 21003 41bfb8 21003->20997 21004->20986 21005->20988 21006->21003 21049 40df78 21007->21049 21010 416031 235 API calls 21011 4160c0 21010->21011 21011->20330 21013 4161b6 21012->21013 21014 41dafe RegOpenKeyExA 21012->21014 21013->20357 21013->20358 21014->21013 21015 41db1b RegQueryValueExA 21014->21015 21015->21013 21016 41db37 21015->21016 21017 424dd9 6 API calls 21016->21017 21018 41db41 21017->21018 21019 41cd1e 229 API calls 21018->21019 21020 41db58 21018->21020 21021 41db52 21019->21021 21022 41db65 RegQueryValueExA 21020->21022 21062 41d881 233 API calls 21021->21062 21024 41db7b 
RegCloseKey 21022->21024 21025 41db8d 21022->21025 21024->21013 21026 424dce 4 API calls 21025->21026 21026->21013 21028 416049 21027->21028 21029 41bf12 233 API calls 21028->21029 21030 416060 21029->21030 21031 4160a0 21030->21031 21032 416066 GetShortPathNameA 21030->21032 21031->20364 21033 41bf12 233 API calls 21032->21033 21033->21031 21035 41df62 21034->21035 21035->20409 21037 41e893 GlobalUnlock GlobalReAlloc GlobalLock 21036->21037 21038 41e888 21036->21038 21039 41e8c5 21037->21039 21041 41e8d5 21037->21041 21038->21037 21038->21041 21040 41cd1e 230 API calls 21039->21040 21042 41e8cf 21040->21042 21041->20413 21063 41d881 233 API calls 21042->21063 21044->20379 21045->20401 21046->20402 21047->20416 21048->20418 21050 40e040 RegOpenKeyExA 21049->21050 21054 40df8e 21049->21054 21051 40e0c9 SHGetSpecialFolderLocation 21050->21051 21058 40e061 RegQueryValueExA 21050->21058 21052 40e0fc 21051->21052 21053 40e0dc SHGetPathFromIDListA SHGetMalloc 21051->21053 21052->21010 21053->21052 21054->21050 21057 40dfbb 21054->21057 21056 40e0bf RegCloseKey 21056->21051 21056->21052 21057->21051 21059 40dfd3 RegOpenKeyExA 21057->21059 21058->21056 21059->21051 21061 40dff8 RegQueryValueExA 21059->21061 21061->21056 21062->21020 21063->21041 21065 41cd1e 233 API calls 21064->21065 21066 41a3b8 CreateFileA 21065->21066 21067 41a3cf GetFileSize SetFilePointer ReadFile ReadFile 21066->21067 21078 41a653 21066->21078 21068 41a438 SetFilePointer ReadFile ReadFile 21067->21068 21069 41a42b 21067->21069 21071 41a682 21068->21071 21072 41a475 21068->21072 21069->21068 21070 41a524 SetFilePointer ReadFile 21069->21070 21076 41a54e 21070->21076 21104 41a5c2 SetFilePointer ReadFile 21070->21104 21192 41b2a8 233 API calls 21071->21192 21072->21071 21075 41a487 SetFilePointer 21072->21075 21074 41a694 21074->21078 21079 41a498 SetFilePointer ReadFile 21075->21079 21081 41cd1e 233 API calls 21076->21081 21096 41a64f 21076->21096 21078->20433 21085 41a4ba SetFilePointer 21079->21085 
21086 41a4cd SetFilePointer ReadFile ReadFile 21079->21086 21087 41a570 21081->21087 21082 41a607 21084 41a61f CloseHandle 21082->21084 21082->21096 21083 41a5f7 CloseHandle 21083->21078 21088 41cd1e 233 API calls 21084->21088 21085->21079 21085->21086 21086->21071 21089 41a517 21086->21089 21090 41cac5 244 API calls 21087->21090 21091 41a642 21088->21091 21089->21070 21089->21071 21092 41a57b 21090->21092 21094 41cac5 244 API calls 21091->21094 21177 41be99 GlobalAlloc 21092->21177 21094->21096 21095 41a588 21185 41c2e0 233 API calls 21095->21185 21096->21078 21191 41b2a8 233 API calls 21096->21191 21098 41a590 21099 41a594 21098->21099 21186 41dcd0 21098->21186 21190 41befb GlobalUnlock GlobalFree 21099->21190 21101 41a5a6 21189 41c2e0 233 API calls 21101->21189 21104->21082 21104->21083 21105->20435 21107 416965 21106->21107 21108 41cafb SetFilePointer SetFilePointer 21106->21108 21107->20440 21119 41c2e0 233 API calls 21107->21119 21109 41cb29 GlobalUnlock GlobalFree GlobalAlloc GlobalLock 21108->21109 21111 41cb78 21109->21111 21112 41cb6b CloseHandle 21109->21112 21113 41cb83 CloseHandle 21111->21113 21114 41cb99 ReadFile FindCloseChangeNotification 21111->21114 21112->21107 21115 41cd1e 233 API calls 21113->21115 21114->21107 21116 41cb92 21115->21116 21194 41d881 233 API calls 21116->21194 21118 41cb98 21118->21114 21119->20442 21120->20445 21122 41d119 21121->21122 21124 41d11f 21121->21124 21195 42504e 6 API calls 21122->21195 21127 41d183 21124->21127 21133 41d162 21124->21133 21196 41c1fa 233 API calls 21124->21196 21126 41bf12 233 API calls 21128 4169a9 21126->21128 21129 41bf12 233 API calls 21127->21129 21128->20448 21131 41d18c 21129->21131 21130 41d173 21130->21126 21197 42504e 6 API calls 21131->21197 21133->21130 21134 41d272 21133->21134 21135 424dd9 6 API calls 21134->21135 21136 41d401 21135->21136 21137 41d40d 21136->21137 21198 407add GlobalAlloc GlobalLock 21136->21198 21139 41d427 21137->21139 21140 41cd1e 233 API calls 21137->21140 21141 
41bf12 233 API calls 21139->21141 21142 41d421 21140->21142 21143 41d43d 21141->21143 21199 41d881 233 API calls 21142->21199 21145 41bf12 233 API calls 21143->21145 21146 41d446 21145->21146 21147 41bf12 233 API calls 21146->21147 21148 41d44e 21147->21148 21200 42504e 6 API calls 21148->21200 21150 41d454 21151 41e87a 233 API calls 21150->21151 21151->21128 21152->20453 21153->20455 21154->20478 21155->20478 21156->20478 21157->20473 21158->20473 21159->20473 21160->20489 21161->20489 21162->20489 21163->20504 21164->20504 21165->20506 21166->20506 21167->20506 21168->20506 21169->20505 21170->20505 21171->20505 21172->20510 21173->20510 21174->20510 21175->20440 21176->20432 21178 41bed1 GlobalLock 21177->21178 21179 41bec0 21177->21179 21180 41bee3 21178->21180 21181 41cd1e 231 API calls 21179->21181 21180->21095 21180->21180 21182 41beca 21181->21182 21193 41d881 233 API calls 21182->21193 21184 41bed0 21184->21178 21185->21098 21187 41cd1e 233 API calls 21186->21187 21188 41dcde 21187->21188 21188->21101 21188->21188 21189->21099 21190->21104 21191->21078 21192->21074 21193->21184 21194->21118 21195->21124 21196->21124 21197->21128 21198->21137 21199->21139 21200->21150 21201->20575 21203 41b131 21202->21203 21204 41c805 21202->21204 21216 41cc95 21203->21216 21204->21203 21236 41bdc5 GlobalAlloc GlobalLock 21204->21236 21206 41c825 21237 41bdc5 GlobalAlloc GlobalLock 21206->21237 21208 41c82d 21209 41bf80 233 API calls 21208->21209 21210 41c836 21209->21210 21211 41bf12 233 API calls 21210->21211 21215 41c841 21211->21215 21213 41c8c6 21239 41befb GlobalUnlock GlobalFree 21213->21239 21238 41befb GlobalUnlock GlobalFree 21215->21238 21217 41ccab 21216->21217 21224 41ccc3 21216->21224 21240 41bdc5 GlobalAlloc GlobalLock 21217->21240 21219 41bf80 233 API calls 21221 41cccc 21219->21221 21220 41ccb9 21241 4251dd 13 API calls 21220->21241 21223 41b13a 21221->21223 21225 41bf12 233 API calls 21221->21225 21223->20581 21224->21219 21226 41cce5 21225->21226 
21226->21223 21242 41bff8 GlobalUnlock GlobalReAlloc 21226->21242 21228->20596 21229->20604 21230->20598 21232 40df5b 21231->21232 21233 40df60 21232->21233 21234 40df63 GetFileAttributesA 21232->21234 21233->20598 21234->20598 21235->20582 21236->21206 21237->21208 21238->21213 21239->21203 21240->21220 21241->21224 21243 41c02b GlobalLock 21242->21243 21244 41c01a 21242->21244 21243->21226 21245 41cd1e 230 API calls 21244->21245 21246 41c024 21245->21246 21249 41d881 233 API calls 21246->21249 21248 41c02a 21248->21243 21249->21248 21251 41cd1e 233 API calls 21250->21251 21252 4164c4 21251->21252 21253 4164db 21252->21253 21254 41cd1e 233 API calls 21252->21254 21253->20611 21255 4164ee 21254->21255 21371 41cbf9 lstrlenA lstrlenA 21255->21371 21258 41cd1e 233 API calls 21259 416506 21258->21259 21260 41cbf9 233 API calls 21259->21260 21261 416513 21260->21261 21262 41cd1e 233 API calls 21261->21262 21263 41651e 21262->21263 21264 41cbf9 233 API calls 21263->21264 21265 41652b 21264->21265 21266 41cd1e 233 API calls 21265->21266 21267 416536 21266->21267 21268 41cbf9 233 API calls 21267->21268 21269 416543 21268->21269 21270 41cd1e 233 API calls 21269->21270 21271 41654e 21270->21271 21272 41cbf9 233 API calls 21271->21272 21273 41655b 21272->21273 21274 41cd1e 233 API calls 21273->21274 21275 416569 21274->21275 21276 41cbf9 233 API calls 21275->21276 21277 416576 21276->21277 21278 41cd1e 233 API calls 21277->21278 21279 416584 21278->21279 21280 41cbf9 233 API calls 21279->21280 21281 416591 21280->21281 21282 41cd1e 233 API calls 21281->21282 21283 41659c 21282->21283 21284 41cbf9 233 API calls 21283->21284 21285 4165a9 21284->21285 21286 41cd1e 233 API calls 21285->21286 21287 4165b4 21286->21287 21288 41cbf9 233 API calls 21287->21288 21289 4165c1 21288->21289 21290 41cd1e 233 API calls 21289->21290 21291 4165cc 21290->21291 21292 41cbf9 233 API calls 21291->21292 21293 4165d9 21292->21293 21294 41cd1e 233 API calls 21293->21294 21295 4165e4 21294->21295 
21296 41cbf9 233 API calls 21295->21296 21297 4165f1 21296->21297 21298 41cd1e 233 API calls 21297->21298 21299 4165ff 21298->21299 21300 41cbf9 233 API calls 21299->21300 21301 41660c 21300->21301 21302 41cd1e 233 API calls 21301->21302 21303 41661a 21302->21303 21304 41cbf9 233 API calls 21303->21304 21305 416627 21304->21305 21306 41cd1e 233 API calls 21305->21306 21307 416632 21306->21307 21308 41cbf9 233 API calls 21307->21308 21309 41663f 21308->21309 21310 41cd1e 233 API calls 21309->21310 21311 41664a 21310->21311 21312 41cbf9 233 API calls 21311->21312 21313 416657 21312->21313 21314 41cd1e 233 API calls 21313->21314 21315 416665 21314->21315 21316 41cbf9 233 API calls 21315->21316 21317 416672 21316->21317 21318 41cd1e 233 API calls 21317->21318 21319 416680 21318->21319 21320 41cbf9 233 API calls 21319->21320 21321 41668d 21320->21321 21322 41cd1e 233 API calls 21321->21322 21323 41669b 21322->21323 21324 41cbf9 233 API calls 21323->21324 21325 4166a8 21324->21325 21326 41cd1e 233 API calls 21325->21326 21327 4166b6 21326->21327 21328 41cbf9 233 API calls 21327->21328 21329 4166c3 21328->21329 21330 4166e6 21329->21330 21332 41cd1e 233 API calls 21329->21332 21331 41cd1e 233 API calls 21330->21331 21333 4166f4 21331->21333 21334 4166d9 21332->21334 21335 41cbf9 233 API calls 21333->21335 21336 41cbf9 233 API calls 21334->21336 21336->21330 21362 41b3d1 21361->21362 21363 41a082 21361->21363 21364 41cd1e 233 API calls 21362->21364 21363->20617 21369 41b3dd 21364->21369 21365 41cd1e 233 API calls 21365->21369 21366 41c6d0 233 API calls 21366->21369 21367 41b421 21379 41aacd 233 API calls 21367->21379 21369->21363 21369->21365 21369->21366 21369->21367 21370 41cbf9 233 API calls 21369->21370 21370->21369 21376 41cc1d 21371->21376 21372 41c6d0 231 API calls 21372->21376 21373 4164fb 21373->21258 21376->21372 21376->21373 21377 41c3a9 233 API calls 21376->21377 21378 41ca20 233 API calls 21376->21378 21377->21376 21378->21376 21379->21369 21380->20641 
21381->20649 21383 41c062 GlobalUnlock GlobalReAlloc 21382->21383 21384 41c05e 21382->21384 21385 41c081 21383->21385 21386 41c092 GlobalLock 21383->21386 21384->21383 21387 41cd1e 229 API calls 21385->21387 21388 419d95 21386->21388 21389 41c08b 21387->21389 21388->20655 21393 41d881 233 API calls 21389->21393 21391 41c091 21391->21386 21392->20662 21393->21391 21394->20672 21395->20672 21397 41cd1e 233 API calls 21396->21397 21398 415a72 RegOpenKeyExA 21397->21398 21399 415aa1 21398->21399 21400 415a95 21398->21400 21402 415b7c 21399->21402 21403 415b68 21399->21403 21405 415ac6 21399->21405 21401 41e87a 233 API calls 21400->21401 21401->21399 21404 415b82 RegOpenKeyExA 21402->21404 21408 415b9c 21402->21408 21403->21405 21409 415b78 21403->21409 21404->21408 21410 415b61 21404->21410 21437 41bdc5 GlobalAlloc GlobalLock 21405->21437 21406 415bd6 RegCloseKey 21406->21409 21408->21406 21413 415a59 236 API calls 21408->21413 21416 415c01 RegCloseKey 21408->21416 21409->21410 21442 41e9ea 236 API calls 21409->21442 21410->20672 21411 415ace 21438 41bdc5 GlobalAlloc GlobalLock 21411->21438 21413->21408 21414 415b19 21417 41cd1e 233 API calls 21414->21417 21416->21410 21418 415b21 21417->21418 21420 41cd1e 233 API calls 21418->21420 21419 41c047 233 API calls 21422 415ad6 21419->21422 21421 415b2c 21420->21421 21423 41c467 233 API calls 21421->21423 21422->21414 21422->21419 21424 41bff8 233 API calls 21422->21424 21425 415b36 21423->21425 21424->21422 21426 41cd1e 233 API calls 21425->21426 21427 415b45 21426->21427 21439 41b2cc 233 API calls 21427->21439 21429 415b51 21440 41befb GlobalUnlock GlobalFree 21429->21440 21431 415b59 21441 41befb GlobalUnlock GlobalFree 21431->21441 21433->20672 21434->20672 21435->20677 21436->20680 21437->21411 21438->21422 21439->21429 21440->21431 21441->21410 21442->21410 21444 4229c2 21443->21444 21445 422a35 21443->21445 21446 41cd1e 224 API calls 21444->21446 21447 422a40 GetWindowsDirectoryA lstrlenA 21445->21447 21448 4229d6 
RegOpenKeyExA 21446->21448 21449 422a62 21447->21449 21450 422a5b lstrlenA 21447->21450 21448->21445 21451 4229e7 RegQueryValueExA 21448->21451 21452 41cd1e 224 API calls 21449->21452 21450->21449 21453 422a09 21451->21453 21454 422a2c RegCloseKey 21451->21454 21455 422a6c lstrcatA lstrcatA 21452->21455 21456 40df52 GetFileAttributesA 21453->21456 21454->21445 21457 415951 21455->21457 21458 422a15 21456->21458 21457->20698 21458->21454 21459 422a1a lstrcpyA 21458->21459 21459->21457 21460->20688 21461->20688 21463 41a2db 21462->21463 21486 41a35d 21462->21486 21464 41b3b9 233 API calls 21463->21464 21465 41a2eb 21464->21465 21466 41b3b9 233 API calls 21465->21466 21467 41a2f8 21466->21467 21468 41cd1e 233 API calls 21467->21468 21469 41a306 21468->21469 21470 41cd1e 233 API calls 21469->21470 21471 41a311 21470->21471 21472 41dae7 233 API calls 21471->21472 21473 41a31d 21472->21473 21474 41a365 21473->21474 21475 41a324 21473->21475 21478 41d46f 233 API calls 21474->21478 21474->21486 21476 41bf12 233 API calls 21475->21476 21477 41a333 21476->21477 21479 41a355 21477->21479 21480 41a33b lstrlenA 21477->21480 21481 41a379 21478->21481 21483 424dce 4 API calls 21479->21483 21480->21479 21482 41a34c 21480->21482 21738 41b2a8 233 API calls 21481->21738 21485 41bff8 233 API calls 21482->21485 21483->21486 21485->21479 21486->20737 21488 40deab 21487->21488 21489 40de6a GetProcAddress GetProcAddress 21487->21489 21488->20740 21488->20743 21490 40dec6 21489->21490 21491 40de88 GetDiskFreeSpaceExA 21489->21491 21492 40df10 21490->21492 21494 40df11 FreeLibrary 21490->21494 21495 40dee4 FreeLibrary 21490->21495 21491->21492 21493 40de9d FreeLibrary 21491->21493 21492->21494 21493->21488 21494->21488 21495->21488 21502 4184c5 21496->21502 21693 418534 21496->21693 21497 418934 21498 424dd9 6 API calls 21497->21498 21503 4189a3 21497->21503 21499 418950 21498->21499 21500 418957 21499->21500 21501 418967 21499->21501 21506 41cd1e 233 API calls 21500->21506 21779 411ce5 311 
API calls 21501->21779 21510 41cd1e 233 API calls 21502->21510 21502->21693 21505 424dd9 6 API calls 21503->21505 21513 418a16 21503->21513 21508 4189ba 21505->21508 21509 418961 21506->21509 21507 418972 21518 41bf12 233 API calls 21507->21518 21532 418976 21507->21532 21511 4189c1 21508->21511 21512 4189d1 21508->21512 21778 41d881 233 API calls 21509->21778 21515 4184f1 21510->21515 21517 41cd1e 233 API calls 21511->21517 21782 411ce5 311 API calls 21512->21782 21521 418c69 21513->21521 21522 418a15 21513->21522 21547 418bd5 21513->21547 21523 41cac5 244 API calls 21515->21523 21524 4189cb 21517->21524 21529 418989 21518->21529 21519 424dd9 6 API calls 21519->21693 21526 424dd9 6 API calls 21521->21526 21536 418e53 21521->21536 21522->21513 21784 40fca0 237 API calls 21522->21784 21527 4184fe 21523->21527 21781 41d881 233 API calls 21524->21781 21525 4189dc 21525->21532 21540 41bf12 233 API calls 21525->21540 21533 418c85 21526->21533 21534 418229 21527->21534 21768 41c2e0 233 API calls 21527->21768 21528 424dce 4 API calls 21528->21534 21780 41e6a9 251 API calls 21529->21780 21530 4188fa 21530->21497 21560 418910 21530->21560 21532->21528 21538 418c9c 21533->21538 21539 418c8c 21533->21539 21534->20745 21534->20778 21730 415c0f 343 API calls 21534->21730 21545 418f5f 21536->21545 21553 424dd9 6 API calls 21536->21553 21561 418fd2 21536->21561 21537 41bdc5 GlobalAlloc GlobalLock 21537->21693 21817 411ce5 311 API calls 21538->21817 21548 41cd1e 233 API calls 21539->21548 21549 4189ef 21540->21549 21542 418994 21542->21532 21559 424dce 4 API calls 21542->21559 21544 418a4f 21552 418a58 21544->21552 21585 418b18 21544->21585 21545->21561 21822 4153f8 245 API calls 21545->21822 21547->21521 21554 424dd9 6 API calls 21547->21554 21555 418c96 21548->21555 21783 41bd55 238 API calls 21549->21783 21551 418510 21558 418514 21551->21558 21551->21693 21562 424dd9 6 API calls 21552->21562 21595 418e86 21553->21595 21564 418bf9 21554->21564 21816 41d881 233 API calls 
21555->21816 21557 418ca7 21567 418cb9 21557->21567 21568 418cac 21557->21568 21569 41cd1e 233 API calls 21558->21569 21570 4189a2 21559->21570 21776 419be3 324 API calls 21560->21776 21561->21534 21583 424dd9 6 API calls 21561->21583 21572 418a62 21562->21572 21563 41cd1e 233 API calls 21627 4186c1 21563->21627 21575 418c10 21564->21575 21588 41cd1e 233 API calls 21564->21588 21566 4189fa 21566->21532 21577 418a0f 21566->21577 21579 41bf12 233 API calls 21567->21579 21578 424dce 4 API calls 21568->21578 21580 418520 21569->21580 21570->21503 21584 418a79 21572->21584 21594 41cd1e 233 API calls 21572->21594 21573 418eb4 21605 41cd1e 233 API calls 21573->21605 21684 418ed2 21573->21684 21589 41dbff 241 API calls 21575->21589 21590 424dce 4 API calls 21577->21590 21710 41891d 21578->21710 21591 418cc3 21579->21591 21769 41b2a8 233 API calls 21580->21769 21581 418919 21581->21497 21581->21710 21582 424dd9 6 API calls 21669 418760 21582->21669 21593 419001 21583->21593 21596 41dbff 241 API calls 21584->21596 21585->21547 21597 41dbff 241 API calls 21585->21597 21586 41cac5 244 API calls 21586->21627 21587 418f84 21587->21534 21607 41bf12 233 API calls 21587->21607 21598 418c0a 21588->21598 21621 418c1c 21589->21621 21590->21522 21600 41bf12 233 API calls 21591->21600 21602 419018 21593->21602 21609 41cd1e 233 API calls 21593->21609 21603 418a73 21594->21603 21595->21573 21818 41bdc5 GlobalAlloc GlobalLock 21595->21818 21625 418a85 21596->21625 21626 418b3c 21597->21626 21815 41d881 233 API calls 21598->21815 21599 41cac5 244 API calls 21599->21693 21608 418cce LoadLibraryA 21600->21608 21601 41bdc5 GlobalAlloc GlobalLock 21601->21669 21739 41dbff 21602->21739 21785 41d881 233 API calls 21603->21785 21612 418ecc 21605->21612 21613 418fa0 21607->21613 21614 424dce 4 API calls 21608->21614 21615 419012 21609->21615 21819 41d881 233 API calls 21612->21819 21619 418fbb 21613->21619 21620 418fae 21613->21620 21622 418ce0 21614->21622 21823 41d881 233 API calls 21615->21823 

                                                                          Executed Functions

                                                                          C-Code - Quality: 89%
                                                                          			E004184A4(signed int __ecx) {
                                                                          				char _v260;
                                                                          				intOrPtr _v268;
                                                                          				signed int _v272;
                                                                          				signed int _v276;
                                                                          				char _v288;
                                                                          				signed int _v292;
                                                                          				char _v296;
                                                                          				signed int _v300;
                                                                          				char _v304;
                                                                          				char _v308;
                                                                          				char _v312;
                                                                          				char _v316;
                                                                          				char _v320;
                                                                          				intOrPtr _v324;
                                                                          				char _v332;
                                                                          				char _v336;
                                                                          				char _v348;
                                                                          				char _v352;
                                                                          				signed int _v360;
                                                                          				char _v364;
                                                                          				char _v368;
                                                                          				char _v380;
                                                                          				char _v404;
                                                                          				char _v408;
                                                                          				signed char _t107;
                                                                          				signed int _t108;
                                                                          				signed int _t109;
                                                                          				signed int _t110;
                                                                          				signed int _t111;
                                                                          				signed int _t112;
                                                                          				void* _t113;
                                                                          				intOrPtr _t117;
                                                                          				signed int _t118;
                                                                          				signed int _t119;
                                                                          				void* _t121;
                                                                          				signed int _t122;
                                                                          				void* _t123;
                                                                          				void* _t124;
                                                                          				signed int _t126;
                                                                          				signed int _t136;
                                                                          				signed int _t144;
                                                                          				void* _t145;
                                                                          				signed int _t153;
                                                                          				signed int _t158;
                                                                          				signed int _t159;
                                                                          				signed int _t162;
                                                                          				struct HINSTANCE__* _t167;
                                                                          				signed int _t186;
                                                                          				signed int _t190;
                                                                          				signed int _t191;
                                                                          				void* _t194;
                                                                          				signed int _t196;
                                                                          				void* _t204;
                                                                          				void* _t205;
                                                                          				void* _t209;
                                                                          				intOrPtr _t210;
                                                                          				signed int _t211;
                                                                          				signed int _t212;
                                                                          				signed int _t215;
                                                                          				void* _t223;
                                                                          				signed int _t225;
                                                                          				signed int _t238;
                                                                          				signed int _t239;
                                                                          				signed int _t241;
                                                                          				signed int _t247;
                                                                          				signed int _t248;
                                                                          				signed int _t250;
                                                                          				signed int _t254;
                                                                          				signed int _t255;
                                                                          				signed int _t256;
                                                                          				signed int _t258;
                                                                          				signed int _t260;
                                                                          				signed int _t273;
                                                                          				intOrPtr _t274;
                                                                          				signed int _t275;
                                                                          				signed int _t276;
                                                                          				void* _t278;
                                                                          				signed int _t280;
                                                                          				signed int _t292;
                                                                          				signed int _t301;
                                                                          				void* _t306;
                                                                          				intOrPtr _t313;
                                                                          				signed int _t316;
                                                                          				intOrPtr _t320;
                                                                          				void* _t324;
                                                                          				void* _t334;
                                                                          				void* _t335;
                                                                          				signed int _t338;
                                                                          				void* _t341;
                                                                          				signed int _t343;
                                                                          				void* _t344;
                                                                          				void* _t345;
                                                                          				void* _t346;
                                                                          				CHAR* _t347;
                                                                          				signed int _t348;
                                                                          				void* _t349;
                                                                          				signed int _t350;
                                                                          				signed int _t351;
                                                                          				void* _t352;
                                                                          				signed int _t353;
                                                                          				signed int _t354;
                                                                          				void* _t361;
                                                                          				void* _t383;
                                                                          				void* _t408;
                                                                          				void* _t433;
                                                                          				void* _t439;
                                                                          				void* _t478;
                                                                          				void* _t552;
                                                                          				signed int _t553;
                                                                          				signed int _t554;
                                                                          				void* _t556;
                                                                          				CHAR* _t557;
                                                                          				signed int _t559;
                                                                          				void* _t561;
                                                                          				signed int _t562;
                                                                          				void* _t564;
                                                                          				void* _t565;
                                                                          				void* _t566;
                                                                          				void* _t567;
                                                                          				void* _t568;
                                                                          				void* _t569;
                                                                          				void* _t570;
                                                                          				void* _t571;
                                                                          				void* _t572;
                                                                          				signed int* _t575;
                                                                          
                                                                          				_t575 =  &_v292;
                                                                          				_t107 =  *0x47e194; // 0x0
                                                                          				_v276 = __ecx;
                                                                          				if((_t107 & 0x00000010) == 0 || (_t107 & 0x00000020) == 0 || E0041C8FD(0x47e2f0, 0x4c) == 0) {
                                                                          					L7:
                                                                          					__eflags =  *0x47f27c;
                                                                          					if( *0x47f27c != 0) {
                                                                          						L41:
                                                                          						_t108 = E0041C8FD(0x47e2f0, 0x5c);
                                                                          						__eflags = _t108;
                                                                          						_t341 = 0x47e880;
                                                                          						if(_t108 == 0) {
                                                                          							L49:
                                                                          							_t109 = E0041C8FD(0x47e2f0, 0x50);
                                                                          							__eflags = _t109;
                                                                          							if(_t109 == 0) {
                                                                          								L59:
                                                                          								__eflags =  *0x47f27c;
                                                                          								if( *0x47f27c != 0) {
                                                                          									L85:
                                                                          									_t110 = E0041C8FD(0x47e2f0, 0x68);
                                                                          									__eflags = _t110;
                                                                          									if(_t110 == 0) {
                                                                          										L94:
                                                                          										_t111 = E0041C8FD(0x47e2f0, 0x90);
                                                                          										__eflags =  *0x47f27c;
                                                                          										_t553 = _t111;
                                                                          										if( *0x47f27c != 0) {
                                                                          											L114:
                                                                          											_t112 = E0041C8FD(0x47e2f0, 0xa8);
                                                                          											__eflags = _t112;
                                                                          											if(_t112 == 0) {
                                                                          												L125:
                                                                          												_push(1);
                                                                          												goto L126;
                                                                          											}
                                                                          											__eflags =  *0x47e192 & 0x00000002;
                                                                          											if(( *0x47e192 & 0x00000002) != 0) {
                                                                          												goto L125;
                                                                          											}
                                                                          											_t554 = E00424DD9(0x104);
                                                                          											_pop(_t361);
                                                                          											__eflags = _t554;
                                                                          											if(_t554 == 0) {
                                                                          												E0041D881(E0041CD1E(0x47e924));
                                                                          												_pop(_t361);
                                                                          											}
                                                                          											E0041DBFF(_t361, _t554, ".EXE"); // executed
                                                                          											E0041BF12(0x47e788, _t554);
                                                                          											_t117 = 1;
                                                                          											 *0x47f21c = _t117;
                                                                          											 *0x47e290 = _t117;
                                                                          											_t118 =  *0x47f28c; // 0x2070010
                                                                          											__eflags = _t118;
                                                                          											if(_t118 != 0) {
                                                                          												E00424DCE(_t118);
                                                                          											}
                                                                          											_t119 = E00424DD9(4);
                                                                          											__eflags = _t119;
                                                                          											 *0x47f28c = _t119;
                                                                          											if(_t119 == 0) {
                                                                          												E0041D881(E0041CD1E(0x47e924));
                                                                          											}
                                                                          											_v268 = E0041C8FD(0x47e2f0, 0xac);
                                                                          											_t121 = E0041C8FD(0x47e2f0, 0xa8);
                                                                          											_t122 =  *0x47f28c; // 0x2070010
                                                                          											 *_t122 = _v272 + _t121;
                                                                          											_t123 = E0041C8FD(0x47e2f0, 0xa8);
                                                                          											_t124 = E0041C8FD(0x47e2f0, 0xac);
                                                                          											_t126 = E00401AC0(E0041CD1E(0x47e6c8), _t554, _t124, _t123); // executed
                                                                          											__eflags = _t126;
                                                                          											_push(_t554);
                                                                          											if(_t126 == 0) {
                                                                          												E00424DCE();
                                                                          												goto L125;
                                                                          											} else {
                                                                          												DeleteFileA();
                                                                          												E00424DCE(_t554);
                                                                          												_push(0xfffffff1);
                                                                          												goto L126;
                                                                          											}
                                                                          										}
                                                                          										__eflags = _t553;
                                                                          										if(_t553 <= 0) {
                                                                          											L108:
                                                                          											 *0x47e60c = E0041C8FD(0x47e2f0, 0xa0);
                                                                          											_t136 = E004153F8(0x47dfb8, __eflags, _t135);
                                                                          											__eflags = _t136;
                                                                          											if(_t136 != 0) {
                                                                          												E0041BF12(0x47e700, 0x42e0c8);
                                                                          												__eflags =  *0x47e18c & 0x00000040;
                                                                          												if(( *0x47e18c & 0x00000040) == 0) {
                                                                          													_push(E0041CD1E(0x47e350));
                                                                          													_t383 = 0x47e900;
                                                                          												} else {
                                                                          													_push(E0041CD1E(0x47e350));
                                                                          													_t383 = 0x47e90c;
                                                                          												}
                                                                          												E0041C467(0x47e700, E0041CD1E(_t383));
                                                                          												_t575 =  &(_t575[3]);
                                                                          												goto L114;
                                                                          											}
                                                                          											_push(0xfffffff0);
                                                                          											goto L126;
                                                                          										}
                                                                          										_t144 = E00424DD9(4 + (_t553 + _t553 * 2) * 4);
                                                                          										__eflags = _t144;
                                                                          										if(_t144 == 0) {
                                                                          											_t343 = 0;
                                                                          											__eflags = 0;
                                                                          											L102:
                                                                          											__eflags = _t343;
                                                                          											 *0x47e780 = _t343;
                                                                          											if(_t343 == 0) {
                                                                          												E0041D881(E0041CD1E(0x47e924));
                                                                          											}
                                                                          											 *0x47e784 = _t553;
                                                                          											_t145 = E0041C8FD(0x47e2f0, 0x94);
                                                                          											__eflags = _t553;
                                                                          											_t344 = _t145;
                                                                          											if(_t553 <= 0) {
                                                                          												L107:
                                                                          												__eflags =  *0x47f27c;
                                                                          												if( *0x47f27c != 0) {
                                                                          													goto L114;
                                                                          												}
                                                                          												goto L108;
                                                                          											} else {
                                                                          												_t87 =  &_v292;
                                                                          												 *_t87 = _v292 & 0x00000000;
                                                                          												__eflags =  *_t87;
                                                                          												_v276 = _t553;
                                                                          												do {
                                                                          													E0041BDC5( &_v288);
                                                                          													E0041CAC5( &_v288, E0041CD1E(0x47e6c8), _t344, 4);
                                                                          													_t556 = E0041C8FD( &_v300, 0);
                                                                          													_t345 = _t344 + 4;
                                                                          													E0041CAC5( &_v304, E0041CD1E(0x47e6c8), _t345, _t556);
                                                                          													_t153 =  *0x47e780; // 0x0
                                                                          													_t344 = _t345 + _t556;
                                                                          													E0041BF80(_v320 + _t153,  &_v316);
                                                                          													E0041BEFB( &_v320);
                                                                          													_v324 = _v324 + 0xc;
                                                                          													_t99 =  &_v308;
                                                                          													 *_t99 = _v308 - 1;
                                                                          													__eflags =  *_t99;
                                                                          												} while ( *_t99 != 0);
                                                                          												goto L107;
                                                                          											}
                                                                          										}
                                                                          										 *_t144 = _t553;
                                                                          										_t78 = _t144 + 4; // 0x4
                                                                          										_t343 = _t78;
                                                                          										_t79 = _t553 - 1; // -1
                                                                          										_t158 = _t79;
                                                                          										_v292 = _t343;
                                                                          										__eflags = _t158;
                                                                          										if(_t158 < 0) {
                                                                          											goto L102;
                                                                          										}
                                                                          										_t159 = _t158 + 1;
                                                                          										__eflags = _t159;
                                                                          										_v276 = _t159;
                                                                          										do {
                                                                          											E0041BDC5(_v292);
                                                                          											_v292 = _v292 + 0xc;
                                                                          											_t85 =  &_v276;
                                                                          											 *_t85 = _v276 - 1;
                                                                          											__eflags =  *_t85;
                                                                          										} while ( *_t85 != 0);
                                                                          										goto L102;
                                                                          									}
                                                                          									_t557 = E00424DD9(0x104);
                                                                          									__eflags = _t557;
                                                                          									if(__eflags == 0) {
                                                                          										E0041D881(E0041CD1E(0x47e924));
                                                                          									}
                                                                          									_t162 = E00411CE5(_t341, __eflags, _t557, 0x6c);
                                                                          									__eflags = _t162;
                                                                          									_push(_t557);
                                                                          									if(_t162 != 0) {
                                                                          										E0041BF12(0x47df90);
                                                                          										E0041BF12(0x47f270, _t557);
                                                                          										 *0x47f26c = LoadLibraryA(_t557);
                                                                          										E00424DCE(_t557);
                                                                          										_t167 =  *0x47f26c; // 0x0
                                                                          										__eflags = _t167;
                                                                          										if(_t167 != 0) {
                                                                          											 *0x47f220 = GetProcAddress(_t167, "AdvancedEntry");
                                                                          											 *0x47f224 = GetProcAddress( *0x47f26c, "EntryPoint0");
                                                                          											 *0x47f22c = GetProcAddress( *0x47f26c, "EntryPoint1");
                                                                          											 *0x47f228 = GetProcAddress( *0x47f26c, "EntryPoint1_5");
                                                                          											 *0x47f230 = GetProcAddress( *0x47f26c, "EntryPoint2");
                                                                          											 *0x47f234 = GetProcAddress( *0x47f26c, "EntryPoint3");
                                                                          											 *0x47f238 = GetProcAddress( *0x47f26c, "EntryPoint4");
                                                                          											 *0x47f23c = GetProcAddress( *0x47f26c, "EntryPoint5");
                                                                          											 *0x47f240 = GetProcAddress( *0x47f26c, "EntryPoint6");
                                                                          											 *0x47f244 = GetProcAddress( *0x47f26c, "EntryPoint7");
                                                                          											 *0x47f248 = GetProcAddress( *0x47f26c, "EntryPoint8");
                                                                          											 *0x47f24c = GetProcAddress( *0x47f26c, "EntryPoint9");
                                                                          											 *0x47f250 = GetProcAddress( *0x47f26c, "EntryPoint10");
                                                                          											 *0x47f254 = GetProcAddress( *0x47f26c, "EntryPoint11");
                                                                          											 *0x47f258 = GetProcAddress( *0x47f26c, "EntryPoint12");
                                                                          											 *0x47f25c = GetProcAddress( *0x47f26c, "EntryPoint13");
                                                                          											 *0x47f260 = GetProcAddress( *0x47f26c, "EntryPointCustom");
                                                                          											 *0x47f264 = GetProcAddress( *0x47f26c, "SystemInformation");
                                                                          											_t186 = GetProcAddress( *0x47f26c, "OnMessage");
                                                                          											__eflags = _t186;
                                                                          											 *0x47f268 = _t186;
                                                                          											if(_t186 != 0) {
                                                                          												 *0x47e18f =  *0x47e18f | 0x00000080;
                                                                          												__eflags =  *0x47e18f;
                                                                          											}
                                                                          											goto L94;
                                                                          										}
                                                                          										_push(0xfffffff8);
                                                                          									} else {
                                                                          										E00424DCE();
                                                                          										_push(0xfffffff9);
                                                                          									}
                                                                          									goto L126;
                                                                          								}
                                                                          								_t190 = E0041C8FD(0x47e2f0, 0x80);
                                                                          								__eflags = _t190;
                                                                          								if(_t190 == 0) {
                                                                          									L78:
                                                                          									__eflags =  *0x47f27c;
                                                                          									if( *0x47f27c != 0) {
                                                                          										goto L85;
                                                                          									}
                                                                          									_t191 = E0041C8FD(0x47e2f0, 0x74);
                                                                          									__eflags = _t191;
                                                                          									if(_t191 == 0) {
                                                                          										goto L85;
                                                                          									}
                                                                          									_t559 = E00424DD9(0x104);
                                                                          									_pop(_t408);
                                                                          									__eflags = _t559;
                                                                          									if(_t559 == 0) {
                                                                          										E0041D881(E0041CD1E(0x47e924));
                                                                          										_pop(_t408);
                                                                          									}
                                                                          									E0041DBFF(_t408, _t559, ".mp3");
                                                                          									_t194 = E0041C8FD(0x47e2f0, 0x7c);
                                                                          									_t196 = E00410722(_t544, _t559, E0041C8FD(0x47e2f0, 0x78), _t194, 0);
                                                                          									__eflags = _t196;
                                                                          									_push(_t559);
                                                                          									if(_t196 != 0) {
                                                                          										E0041BF12(0x47e758);
                                                                          										E0041BF12(0x47dfa8, _t559);
                                                                          										E00424DCE(_t559);
                                                                          										goto L85;
                                                                          									} else {
                                                                          										E00424DCE();
                                                                          										_push(0xfffffffa);
                                                                          										goto L126;
                                                                          									}
                                                                          								}
                                                                          								_t204 = E0040FCA0(__eflags, E0041C8FD(0x47e2f0, 0x88));
                                                                          								__eflags = _t204 - 2;
                                                                          								if(_t204 != 2) {
                                                                          									_t205 = E0041C8FD(0x47e2f0, 0x84);
                                                                          									__eflags = _t205 - 1;
                                                                          									if(_t205 != 1) {
                                                                          										goto L78;
                                                                          									}
                                                                          									E0041DBFF(0x47e2f0,  &_v260, ".bmp");
                                                                          									_t561 = E0041C8FD(0x47e2f0, 0x88);
                                                                          									_t209 = E0041C8FD(0x47e2f0, 0x8c);
                                                                          									_t346 = _t209;
                                                                          									_t210 = 1;
                                                                          									 *0x47f21c = _t210;
                                                                          									 *0x47e290 = _t210;
                                                                          									_t211 =  *0x47f28c; // 0x2070010
                                                                          									__eflags = _t211;
                                                                          									if(_t211 != 0) {
                                                                          										E00424DCE(_t211);
                                                                          									}
                                                                          									_t212 = E00424DD9(4);
                                                                          									__eflags = _t212;
                                                                          									 *0x47f28c = _t212;
                                                                          									if(_t212 == 0) {
                                                                          										E0041D881(E0041CD1E(0x47e924));
                                                                          										_t212 =  *0x47f28c; // 0x2070010
                                                                          									}
                                                                          									 *_t212 = _t346 + _t561;
                                                                          									_t215 = E00401AC0(E0041CD1E(0x47e6c8),  &_v260, _t561, _t346);
                                                                          									_t575 =  &(_t575[4]);
                                                                          									__eflags = _t215;
                                                                          									if(_t215 == 0) {
                                                                          										E0041BF12(0x47df9c,  &_v260);
                                                                          										L77:
                                                                          										_t341 = 0x47e880;
                                                                          										goto L78;
                                                                          									} else {
                                                                          										_push(0xffffffd1);
                                                                          										goto L126;
                                                                          									}
                                                                          								}
                                                                          								_t347 = E00424DD9(0x104);
                                                                          								_pop(_t433);
                                                                          								__eflags = _t347;
                                                                          								if(_t347 == 0) {
                                                                          									E0041D881(E0041CD1E(0x47e924));
                                                                          									_pop(_t433);
                                                                          								}
                                                                          								E0041DBFF(_t433, _t347, ".jpg");
                                                                          								_t223 = E0041C8FD(0x47e2f0, 0x8c);
                                                                          								_t225 = E00410722(_t544, _t347, E0041C8FD(0x47e2f0, 0x88), _t223, 0);
                                                                          								__eflags = _t225;
                                                                          								if(_t225 != 0) {
                                                                          									_t562 = E00424DD9(0x104);
                                                                          									_pop(_t439);
                                                                          									__eflags = _t562;
                                                                          									if(_t562 == 0) {
                                                                          										E0041D881(E0041CD1E(0x47e924));
                                                                          										_pop(_t439);
                                                                          									}
                                                                          									E0041DBFF(_t439, _t562, ".bmp");
                                                                          									 *0x47e2d8(_t347, _t562);
                                                                          									DeleteFileA(_t347);
                                                                          									E0041BF12(0x47df9c, _t562);
                                                                          									E00424DCE(_t347);
                                                                          									E00424DCE(_t562);
                                                                          									goto L77;
                                                                          								} else {
                                                                          									E00424DCE(_t347);
                                                                          									_push(0xfffffffb);
                                                                          									goto L126;
                                                                          								}
                                                                          							}
                                                                          							_t238 = E00424DD9(0x104);
                                                                          							_t563 = _t238;
                                                                          							__eflags = _t238;
                                                                          							if(__eflags == 0) {
                                                                          								E0041D881(E0041CD1E(0x47e924));
                                                                          							}
                                                                          							_t239 = E00411CE5(_t341, __eflags, _t563, 0x54);
                                                                          							__eflags = _t239;
                                                                          							if(_t239 != 0) {
                                                                          								E0041BF12(0x47df78, _t563);
                                                                          								_t241 = E0041BD55(0x47e2d0, _t563);
                                                                          								__eflags = _t241;
                                                                          								if(_t241 != 0) {
                                                                          									E00424DCE(_t563);
                                                                          									goto L59;
                                                                          								}
                                                                          								_push(0xfffffffc);
                                                                          								goto L56;
                                                                          							} else {
                                                                          								_push(0xfffffffd);
                                                                          								L56:
                                                                          								_pop(_t552);
                                                                          								L57:
                                                                          								E00424DCE(_t563);
                                                                          								return _t552;
                                                                          							}
                                                                          						}
                                                                          						_t247 = E00424DD9(0x104);
                                                                          						_t563 = _t247;
                                                                          						__eflags = _t247;
                                                                          						if(__eflags == 0) {
                                                                          							E0041D881(E0041CD1E(0x47e924));
                                                                          						}
                                                                          						_t248 = E00411CE5(_t341, __eflags, _t563, 0x60);
                                                                          						__eflags = _t248;
                                                                          						if(_t248 != 0) {
                                                                          							E0041BF12(0x47df84, _t563);
                                                                          							_t250 = E0041E6A9(0x47e710, _t563);
                                                                          							__eflags = _t250;
                                                                          							if(_t250 != 0) {
                                                                          								E00424DCE(_t563);
                                                                          								goto L49;
                                                                          							}
                                                                          							_push(0xfffffffe);
                                                                          							goto L56;
                                                                          						} else {
                                                                          							_t552 = 0xffffffffffffffff;
                                                                          							goto L57;
                                                                          						}
                                                                          					}
                                                                          					_t254 = E0041C8FD(0x47e2f0, 0x10);
                                                                          					__eflags = _t254;
                                                                          					if(_t254 == 0) {
                                                                          						L17:
                                                                          						__eflags =  *0x47f27c;
                                                                          						if( *0x47f27c != 0) {
                                                                          							goto L41;
                                                                          						}
                                                                          						_t255 = E0041C8FD(0x47e2f0, 0x18);
                                                                          						__eflags = _t255;
                                                                          						if(_t255 == 0) {
                                                                          							L22:
                                                                          							__eflags =  *0x47f27c;
                                                                          							if( *0x47f27c != 0) {
                                                                          								goto L41;
                                                                          							}
                                                                          							_t256 = E0041C8FD(0x47e2f0, 0x20);
                                                                          							__eflags = _t256;
                                                                          							if(_t256 == 0) {
                                                                          								L36:
                                                                          								__eflags =  *0x47f27c;
                                                                          								if( *0x47f27c != 0) {
                                                                          									goto L41;
                                                                          								}
                                                                          								__eflags = E0041C8FD(0x47e2f0, 0x28);
                                                                          								if(__eflags == 0) {
                                                                          									goto L41;
                                                                          								}
                                                                          								_t258 = E00419BE3(__eflags);
                                                                          								__eflags = _t258;
                                                                          								if(_t258 != 0) {
                                                                          									goto L41;
                                                                          								}
                                                                          								_push(0xffffffd3);
                                                                          								goto L126;
                                                                          							}
                                                                          							_t564 = E0041C8FD(0x47e2f0, 0x24);
                                                                          							_t260 = E0041C8FD(0x47e2f0, 0x20);
                                                                          							_v300 = _v300 & 0x00000000;
                                                                          							_v272 = _t260;
                                                                          							__eflags = _t260;
                                                                          							if(_t260 <= 0) {
                                                                          								goto L36;
                                                                          							} else {
                                                                          								goto L25;
                                                                          							}
                                                                          							while(1) {
                                                                          								L25:
                                                                          								_t348 = E00424DD9(0x10);
                                                                          								__eflags = _t348;
                                                                          								if(_t348 == 0) {
                                                                          									_t48 =  &_v272;
                                                                          									 *_t48 = _v272 & 0x00000000;
                                                                          									__eflags =  *_t48;
                                                                          								} else {
                                                                          									_t46 = _t348 + 4; // 0x4
                                                                          									E0041BDC5(_t46);
                                                                          									_v272 = _t348;
                                                                          								}
                                                                          								E0041BDC5( &_v288);
                                                                          								_t349 = 4;
                                                                          								E0041CAC5( &_v288, E0041CD1E(0x47e6c8), _t564, _t349);
                                                                          								_t565 = _t564 + _t349;
                                                                          								 *_v288 = E0041C8FD( &_v300, 0);
                                                                          								E0041CAC5( &_v304, E0041CD1E(0x47e6c8), _t565, _t349);
                                                                          								_t566 = _t565 + _t349;
                                                                          								_t350 = E00424DD9(0x104);
                                                                          								_pop(_t478);
                                                                          								__eflags = _t350;
                                                                          								if(_t350 == 0) {
                                                                          									E0041D881(E0041CD1E(0x47e924));
                                                                          									_pop(_t478);
                                                                          								}
                                                                          								E0041DBFF(_t478, _t350, ".bmp");
                                                                          								_t56 = _v272 + 4; // 0x4
                                                                          								E0041BF12(_t56, _t350);
                                                                          								E00424DCE(_t350);
                                                                          								_t273 = E0041C8FD( &_v292, 0);
                                                                          								_t351 = _t273;
                                                                          								_t274 = 1;
                                                                          								_v276 = _t351;
                                                                          								 *0x47f21c = _t274;
                                                                          								 *0x47e290 = _t274;
                                                                          								_t275 =  *0x47f28c; // 0x2070010
                                                                          								__eflags = _t275;
                                                                          								if(_t275 != 0) {
                                                                          									E00424DCE(_t275);
                                                                          								}
                                                                          								_t276 = E00424DD9(4);
                                                                          								__eflags = _t276;
                                                                          								 *0x47f28c = _t276;
                                                                          								if(_t276 == 0) {
                                                                          									E0041D881(E0041CD1E(0x47e924));
                                                                          									_t276 =  *0x47f28c; // 0x2070010
                                                                          								}
                                                                          								_t352 = _t351 + _t566;
                                                                          								 *_t276 = _t352;
                                                                          								_t61 = _v272 + 4; // 0x8
                                                                          								_t278 = E0041CD1E(_t61);
                                                                          								_t280 = E00401AC0(E0041CD1E(0x47e6c8), _t278, _t566, _v268);
                                                                          								_t575 =  &(_t575[4]);
                                                                          								__eflags = _t280;
                                                                          								if(_t280 != 0) {
                                                                          									break;
                                                                          								}
                                                                          								_t564 = _t352;
                                                                          								E0041E87A(0x47e520, _v272, 0xffffffff);
                                                                          								E0041BEFB( &_v296);
                                                                          								_v300 = _v300 + 1;
                                                                          								__eflags = _v300 - _v272;
                                                                          								if(_v300 < _v272) {
                                                                          									continue;
                                                                          								}
                                                                          								goto L36;
                                                                          							}
                                                                          							E0041BEFB( &_v288);
                                                                          							_push(0xffffffd6);
                                                                          							goto L126;
                                                                          						}
                                                                          						_t567 = E0041C8FD(0x47e2f0, 0x1c);
                                                                          						_t292 = E0041C8FD(0x47e2f0, 0x18);
                                                                          						__eflags = _t292;
                                                                          						if(_t292 <= 0) {
                                                                          							goto L22;
                                                                          						}
                                                                          						_t353 = _t292;
                                                                          						do {
                                                                          							E0041BDC5( &_v288);
                                                                          							E0041CAC5( &_v288, E0041CD1E(0x47e6c8), _t567, 4);
                                                                          							_t567 = _t567 + 4;
                                                                          							_t544 = (E0041C8FD( &_v300, 0) << 0x00000010 | _t296 & 0x0000ff00) << 8;
                                                                          							E0041E87A(0x47e534, (_t296 & 0x00ff0000 | _t296 >> 0x00000010) >> 0x00000008 | (E0041C8FD( &_v300, 0) << 0x00000010 | _t296 & 0x0000ff00) << 0x00000008, 0xffffffff);
                                                                          							E0041BEFB( &_v312);
                                                                          							_t353 = _t353 - 1;
                                                                          							__eflags = _t353;
                                                                          						} while (_t353 != 0);
                                                                          						goto L22;
                                                                          					}
                                                                          					_t568 = E0041C8FD(0x47e2f0, 0x14);
                                                                          					_t301 = E0041C8FD(0x47e2f0, 0x10);
                                                                          					__eflags = _t301;
                                                                          					if(_t301 <= 0) {
                                                                          						goto L17;
                                                                          					}
                                                                          					_v292 = _t301;
                                                                          					do {
                                                                          						_t354 = E00424DD9(0x18);
                                                                          						__eflags = _t354;
                                                                          						if(_t354 == 0) {
                                                                          							_t354 = 0;
                                                                          							__eflags = 0;
                                                                          						} else {
                                                                          							E0041BDC5(_t354);
                                                                          						}
                                                                          						__eflags = _t354;
                                                                          						if(_t354 == 0) {
                                                                          							E0041D881(E0041CD1E(0x47e924));
                                                                          						}
                                                                          						 *(_t354 + 0x11) =  *(_t354 + 0x11) & 0x00000000;
                                                                          						E0041BDC5( &_v288);
                                                                          						E0041CAC5( &_v288, E0041CD1E(0x47e6c8), _t568, 4);
                                                                          						_t306 = E0041C8FD( &_v300, 0);
                                                                          						_t12 = _t568 + 4; // 0x4
                                                                          						E0041CAC5(_t354, E0041CD1E(0x47e6c8), _t12, _t306);
                                                                          						_t569 = _t568 + E0041C8FD( &_v316, 0) + 4;
                                                                          						E0041CAC5( &_v320, E0041CD1E(0x47e6c8), _t569, 4);
                                                                          						_t313 = E0041C8FD( &_v332, 0);
                                                                          						_t570 = _t569 + 4;
                                                                          						 *((intOrPtr*)(_t354 + 0xc)) = _t313;
                                                                          						E0041CAC5( &_v336, E0041CD1E(0x47e6c8), _t570, 4);
                                                                          						_t316 = E0041C8FD( &_v348, 0);
                                                                          						__eflags = _t316;
                                                                          						_t571 = _t570 + 4;
                                                                          						 *((char*)(_t354 + 0x10)) = _t316 & 0xffffff00 | _t316 != 0x00000000;
                                                                          						E0041CAC5( &_v352, E0041CD1E(0x47e6c8), _t571, 4);
                                                                          						_t320 = E0041C8FD( &_v364, 0);
                                                                          						_t572 = _t571 + 4;
                                                                          						_v352 = _t320;
                                                                          						E0041CAC5( &_v368, E0041CD1E(0x47e6c8), _t572, _t320);
                                                                          						_t568 = _t572 + _v364;
                                                                          						_v360 = _v360 & 0x00000000;
                                                                          						_t324 = E0041CD1E( &_v380);
                                                                          						_t34 = _t354 + 0x14; // 0x14
                                                                          						E004167AA(__eflags, _t34,  &_v380, _t324,  &_v360);
                                                                          						E0041E87A(0x47e50c, _t354, 0xffffffff);
                                                                          						E0041BEFB( &_v404);
                                                                          						_t37 =  &_v408;
                                                                          						 *_t37 = _v408 - 1;
                                                                          						__eflags =  *_t37;
                                                                          					} while ( *_t37 != 0);
                                                                          					goto L17;
                                                                          				} else {
                                                                          					_t334 = E0041C8FD(0x47e2f0, 0x4c);
                                                                          					_t335 = E0041C8FD(0x47e2f0, 0x48);
                                                                          					if(E0041CAC5(0x47e57c, E0041CD1E(0x47e6c8), _t335, _t334) >= 0) {
                                                                          						_t338 = E0041C2E0(0x47e57c);
                                                                          						__eflags = _t338;
                                                                          						if(_t338 != 0) {
                                                                          							goto L7;
                                                                          						}
                                                                          						E0041B2A8(0, E0041CD1E(0x47ebac), 0);
                                                                          						_push(0xfffffff5);
                                                                          						L126:
                                                                          						_pop(_t113);
                                                                          						return _t113;
                                                                          					}
                                                                          					_push(0xfffffff6);
                                                                          					goto L126;
                                                                          				}
                                                                          			}

                                                                          0x004189dc
                                                                          0x004189de
                                                                          0x004189ea
                                                                          0x004189f5
                                                                          0x004189fa
                                                                          0x004189fc
                                                                          0x00418a10
                                                                          0x00000000
                                                                          0x00418a15
                                                                          0x004189fe
                                                                          0x00000000
                                                                          0x004189e0
                                                                          0x004189e0
                                                                          0x00418a00
                                                                          0x00418a00
                                                                          0x00418a01
                                                                          0x00418a02
                                                                          0x00000000
                                                                          0x00418a08
                                                                          0x004189de
                                                                          0x0041894b
                                                                          0x00418950
                                                                          0x00418953
                                                                          0x00418955
                                                                          0x00418962
                                                                          0x00418967
                                                                          0x0041896d
                                                                          0x00418972
                                                                          0x00418974
                                                                          0x00418984
                                                                          0x0041898f
                                                                          0x00418994
                                                                          0x00418996
                                                                          0x0041899d
                                                                          0x00000000
                                                                          0x004189a2
                                                                          0x00418998
                                                                          0x00000000
                                                                          0x00418976
                                                                          0x00418976
                                                                          0x00000000
                                                                          0x00418976
                                                                          0x00418974
                                                                          0x00418545
                                                                          0x0041854a
                                                                          0x0041854c
                                                                          0x004186c1
                                                                          0x004186c1
                                                                          0x004186c8
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004186d2
                                                                          0x004186d7
                                                                          0x004186d9
                                                                          0x00418760
                                                                          0x00418760
                                                                          0x00418767
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00418771
                                                                          0x00418776
                                                                          0x00418778
                                                                          0x004188fa
                                                                          0x004188fa
                                                                          0x00418901
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0041890c
                                                                          0x0041890e
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00418914
                                                                          0x00418919
                                                                          0x0041891b
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0041891d
                                                                          0x00000000
                                                                          0x0041891d
                                                                          0x0041878b
                                                                          0x0041878d
                                                                          0x00418792
                                                                          0x00418797
                                                                          0x0041879b
                                                                          0x0041879d
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004187a3
                                                                          0x004187a3
                                                                          0x004187aa
                                                                          0x004187ad
                                                                          0x004187af
                                                                          0x004187bf
                                                                          0x004187bf
                                                                          0x004187bf
                                                                          0x004187b1
                                                                          0x004187b1
                                                                          0x004187b4
                                                                          0x004187b9
                                                                          0x004187b9
                                                                          0x004187c8
                                                                          0x004187d1
                                                                          0x004187de
                                                                          0x004187e9
                                                                          0x004187f6
                                                                          0x00418804
                                                                          0x0041880e
                                                                          0x00418815
                                                                          0x00418817
                                                                          0x00418818
                                                                          0x0041881a
                                                                          0x00418827
                                                                          0x0041882c
                                                                          0x0041882c
                                                                          0x00418833
                                                                          0x0041883e
                                                                          0x00418842
                                                                          0x00418848
                                                                          0x00418854
                                                                          0x0041885b
                                                                          0x0041885d
                                                                          0x0041885e
                                                                          0x00418862
                                                                          0x00418867
                                                                          0x0041886c
                                                                          0x00418871
                                                                          0x00418873
                                                                          0x00418876
                                                                          0x0041887b
                                                                          0x0041887e
                                                                          0x00418883
                                                                          0x00418886
                                                                          0x0041888b
                                                                          0x00418898
                                                                          0x0041889d
                                                                          0x004188a2
                                                                          0x004188a7
                                                                          0x004188a9
                                                                          0x004188b0
                                                                          0x004188b3
                                                                          0x004188c1
                                                                          0x004188c6
                                                                          0x004188c9
                                                                          0x004188cb
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004188d8
                                                                          0x004188da
                                                                          0x004188e3
                                                                          0x004188e8
                                                                          0x004188f0
                                                                          0x004188f4
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004188f4
                                                                          0x00418928
                                                                          0x0041892d
                                                                          0x00000000
                                                                          0x0041892d
                                                                          0x004186ec
                                                                          0x004186ee
                                                                          0x004186f3
                                                                          0x004186f5
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004186f7
                                                                          0x004186f9
                                                                          0x004186fd
                                                                          0x00418711
                                                                          0x0041871c
                                                                          0x00418744
                                                                          0x0041874f
                                                                          0x00418758
                                                                          0x0041875d
                                                                          0x0041875d
                                                                          0x0041875d
                                                                          0x00000000
                                                                          0x004186f9
                                                                          0x0041855f
                                                                          0x00418561
                                                                          0x00418566
                                                                          0x00418568
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0041856e
                                                                          0x00418572
                                                                          0x00418579
                                                                          0x0041857c
                                                                          0x0041857e
                                                                          0x00418589
                                                                          0x00418589
                                                                          0x00418580
                                                                          0x00418582
                                                                          0x00418582
                                                                          0x0041858b
                                                                          0x0041858d
                                                                          0x0041859a
                                                                          0x0041859f
                                                                          0x004185a0
                                                                          0x004185a8
                                                                          0x004185bc
                                                                          0x004185c7
                                                                          0x004185cd
                                                                          0x004185db
                                                                          0x004185eb
                                                                          0x004185fe
                                                                          0x00418609
                                                                          0x0041860e
                                                                          0x00418616
                                                                          0x00418623
                                                                          0x0041862e
                                                                          0x00418633
                                                                          0x00418638
                                                                          0x00418640
                                                                          0x0041864d
                                                                          0x00418658
                                                                          0x0041865d
                                                                          0x00418664
                                                                          0x00418672
                                                                          0x00418677
                                                                          0x0041867b
                                                                          0x00418689
                                                                          0x00418694
                                                                          0x0041869c
                                                                          0x004186a9
                                                                          0x004186b2
                                                                          0x004186b7
                                                                          0x004186b7
                                                                          0x004186b7
                                                                          0x004186b7
                                                                          0x00000000
                                                                          0x004184d6
                                                                          0x004184da
                                                                          0x004184e4
                                                                          0x00418500
                                                                          0x0041850b
                                                                          0x00418510
                                                                          0x00418512
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00418528
                                                                          0x0041852d
                                                                          0x004190e0
                                                                          0x004190e0
                                                                          0x00000000
                                                                          0x004190e0
                                                                          0x00418502
                                                                          0x00000000
                                                                          0x00418502

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocCreateFileLockUnlock
                                                                          • String ID: G$$G$$G$$G$$G$$G$$G$$G$$G$$G$$G$$G$$G$$G$.EXE$.bmp$.jpg$.mp3$4G$AdvancedEntry$EntryPoint0$EntryPoint1$EntryPoint10$EntryPoint11$EntryPoint12$EntryPoint13$EntryPoint1_5$EntryPoint2$EntryPoint3$EntryPoint4$EntryPoint5$EntryPoint6$EntryPoint7$EntryPoint8$EntryPoint9$EntryPointCustom$OnMessage$PG$SystemInformation$XG$|G
                                                                          • API String ID: 386137224-3186843747
                                                                          • Opcode ID: b9e612b76b28ed45f11c040e0f1b7bf33c36f68f2f0afff178c721e07a82593c
                                                                          • Instruction ID: 069748b118062842f7cf095dcfe8d5fa59bc9307c264f3c7159fc0c8cc25633c
                                                                          • Opcode Fuzzy Hash: b9e612b76b28ed45f11c040e0f1b7bf33c36f68f2f0afff178c721e07a82593c
                                                                          • Instruction Fuzzy Hash: 785226B17443116AD704BB72AC92BFE26899F84358F10057FF606A62E3DF6C8C85875E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 78%
                                                                          			E00418092(intOrPtr* __ecx, intOrPtr __edx) {
                                                                          				struct HINSTANCE__* _v8;
                                                                          				void* _v12;
                                                                          				char _v13;
                                                                          				char _v14;
                                                                          				char _v15;
                                                                          				char _v16;
                                                                          				struct HWND__* _v20;
                                                                          				char _v24;
                                                                          				char _v27;
                                                                          				char _v28;
                                                                          				char _v29;
                                                                          				char _v30;
                                                                          				char _v31;
                                                                          				char _v32;
                                                                          				char _v33;
                                                                          				char _v34;
                                                                          				char _v35;
                                                                          				char _v36;
                                                                          				char _v37;
                                                                          				char _v38;
                                                                          				char _v39;
                                                                          				char _v40;
                                                                          				char _v41;
                                                                          				char _v42;
                                                                          				char _v43;
                                                                          				char _v44;
                                                                          				char _v45;
                                                                          				char _v46;
                                                                          				char _v47;
                                                                          				char _v48;
                                                                          				char _v49;
                                                                          				char _v50;
                                                                          				char _v51;
                                                                          				char _v52;
                                                                          				char _v53;
                                                                          				char _v54;
                                                                          				char _v55;
                                                                          				char _v56;
                                                                          				char _v57;
                                                                          				char _v58;
                                                                          				char _v59;
                                                                          				char _v60;
                                                                          				char _v61;
                                                                          				char _v62;
                                                                          				char _v63;
                                                                          				char _v64;
                                                                          				char _v65;
                                                                          				char _v66;
                                                                          				char _v67;
                                                                          				char _v68;
                                                                          				char _v69;
                                                                          				char _v70;
                                                                          				char _v71;
                                                                          				char _v72;
                                                                          				char _v73;
                                                                          				char _v74;
                                                                          				char _v75;
                                                                          				char _v76;
                                                                          				char _v80;
                                                                          				char _v340;
                                                                          				CHAR* _t91;
                                                                          				void* _t92;
                                                                          				void* _t93;
                                                                          				intOrPtr _t96;
                                                                          				intOrPtr _t97;
                                                                          				signed int _t103;
                                                                          				void* _t104;
                                                                          				struct HINSTANCE__* _t107;
                                                                          				signed int _t108;
                                                                          				signed int _t110;
                                                                          				signed int _t112;
                                                                          				void* _t123;
                                                                          				CHAR* _t126;
                                                                          				CHAR* _t127;
                                                                          				struct HINSTANCE__* _t133;
                                                                          				_Unknown_base(*)()* _t134;
                                                                          				intOrPtr _t168;
                                                                          				struct HINSTANCE__* _t172;
                                                                          				struct HINSTANCE__* _t174;
                                                                          				intOrPtr _t180;
                                                                          				intOrPtr _t185;
                                                                          				signed int _t188;
                                                                          				signed int _t189;
                                                                          				intOrPtr _t190;
                                                                          				signed int _t194;
                                                                          				signed int _t195;
                                                                          
                                                                          				_t168 = __edx;
                                                                          				_t1 =  &_v24; // 0x415177
                                                                          				_v12 = __ecx;
                                                                          				_v24 = 0x104;
                                                                          				GetUserNameA( &_v340, _t1); // executed
                                                                          				E0041BF12(0x47e1b8,  &_v340);
                                                                          				_t180 =  *0x47e19c; // 0x1
                                                                          				if(_t180 != 0) {
                                                                          					_t133 = LoadLibraryA("Secur32.dll"); // executed
                                                                          					_v8 = _t133;
                                                                          					if(_t133 != 0) {
                                                                          						_t134 = GetProcAddress(_t133, "GetUserNameExA");
                                                                          						if(_t134 != 0) {
                                                                          							_t7 =  &_v24; // 0x415177
                                                                          							_v24 = 0x104;
                                                                          							_push( &_v340);
                                                                          							_push(3);
                                                                          							if( *_t134() != 0 && _v24 > 0) {
                                                                          								E0041BF12(0x47e1b8,  &_v340);
                                                                          							}
                                                                          						}
                                                                          						FreeLibrary(_v8);
                                                                          					}
                                                                          				}
                                                                          				_t185 =  *0x47e19c; // 0x1
                                                                          				_t172 = 1;
                                                                          				_t91 = "Software\\Microsoft\\Windows NT\\CurrentVersion";
                                                                          				_v8 = _t172;
                                                                          				if(_t185 == 0) {
                                                                          					_t91 = "Software\\Microsoft\\Windows\\CurrentVersion";
                                                                          				}
                                                                          				_t92 = E0041DAE7(0x80000002, _t91, "RegisteredOrganization",  &_v80); // executed
                                                                          				if(_t92 > 0) {
                                                                          					E0041BF12(0x47e1c4, _v80);
                                                                          					E00424DCE(_v80);
                                                                          				}
                                                                          				_t93 = E0041A2C6(_v12);
                                                                          				if(_t93 < 0) {
                                                                          					L51:
                                                                          					return _t93;
                                                                          				}
                                                                          				_v16 = E0041BFE3(0x47e338, 0);
                                                                          				_v15 = 0x3a;
                                                                          				_v14 = 0x5c;
                                                                          				_v13 = 0;
                                                                          				_t96 = E0040DE4D( &_v16, _t172);
                                                                          				_t188 =  *0x47f27c; // 0x1
                                                                          				 *0x47e648 = _t96;
                                                                          				 *0x47e64c = _t168;
                                                                          				_v20 = 0;
                                                                          				if(_t188 != 0) {
                                                                          					L19:
                                                                          					_t147 = _v12;
                                                                          					_t93 = E004184A4(_v12);
                                                                          					if(_t93 < 0) {
                                                                          						goto L51;
                                                                          					}
                                                                          					_t194 =  *0x47f27c; // 0x1
                                                                          					if(_t194 == 0) {
                                                                          						_t147 = _v12;
                                                                          						E00415C0F(_v12);
                                                                          						_t195 =  *0x47f27c; // 0x1
                                                                          						if(_t195 == 0) {
                                                                          							_t147 = 0x47f208;
                                                                          							if(E0040FD20(0x47f208, _t195) < 0) {
                                                                          								_t123 = E0041CD1E(0x47e850);
                                                                          								_t147 = 0x47dfb8;
                                                                          								E0041B2CC(0x47dfb8, 0, "Graphics initialization failed. Dialog image will not be shown", _t123, 0x30);
                                                                          							}
                                                                          						}
                                                                          					}
                                                                          					_t97 =  *0x47e180; // 0x0
                                                                          					_v76 = 0x55;
                                                                          					 *0x47e31c = _t97;
                                                                          					_v75 = 0xd7;
                                                                          					_v74 = 0x50;
                                                                          					_v73 = 0x85;
                                                                          					_v72 = 0x6b;
                                                                          					_v71 = 0x19;
                                                                          					_v70 = 0x32;
                                                                          					_v69 = 0xcc;
                                                                          					_v68 = 0x45;
                                                                          					_v67 = 0xf;
                                                                          					_v66 = 8;
                                                                          					_v65 = 0x1e;
                                                                          					_v64 = 0xb6;
                                                                          					_v63 = 0xa5;
                                                                          					_v62 = 0x6a;
                                                                          					_v61 = 0xe4;
                                                                          					_v60 = 0xa1;
                                                                          					_v59 = 0xc7;
                                                                          					_v58 = 0xc4;
                                                                          					_v57 = 0x76;
                                                                          					_v56 = 0x33;
                                                                          					_v55 = 0x59;
                                                                          					_v54 = 0x71;
                                                                          					_v53 = 0x34;
                                                                          					_v52 = 0x59;
                                                                          					_v51 = 0x23;
                                                                          					_v50 = 0x8d;
                                                                          					_v49 = 0x82;
                                                                          					_v48 = 0x8b;
                                                                          					_v47 = 0xa5;
                                                                          					_v46 = 0x59;
                                                                          					_v45 = 0xb6;
                                                                          					_v44 = 0xc5;
                                                                          					_v43 = 0x50;
                                                                          					_v42 = 0xe8;
                                                                          					_v41 = 0x9a;
                                                                          					_v40 = 0xf4;
                                                                          					_v39 = 0xf4;
                                                                          					_v38 = 0xd;
                                                                          					_v37 = 0xfd;
                                                                          					_v36 = 0x21;
                                                                          					_v35 = 0x12;
                                                                          					_v34 = 0x7a;
                                                                          					_v33 = 0x32;
                                                                          					_v32 = 0x91;
                                                                          					_v31 = 0x35;
                                                                          					_v30 = 0xd3;
                                                                          					_v29 = 0xb0;
                                                                          					_v28 = 0x73;
                                                                          					_v27 = 0x97;
                                                                          					E004236CA(_t147);
                                                                          					if(E0042371F() <= 0) {
                                                                          						__eflags =  *0x47e114; // 0x0
                                                                          						if(__eflags != 0) {
                                                                          							E0041C047(0x47df68,  &_v76, 0x32);
                                                                          						}
                                                                          						E0041C2E0(0x47df68);
                                                                          						E0041DCD0(__eflags, 0x47df68);
                                                                          						E0041C2E0(0x47df68);
                                                                          						__eflags =  *0x47e114; // 0x0
                                                                          						if(__eflags == 0) {
                                                                          							L31:
                                                                          							__eflags =  *0x47f27c; // 0x1
                                                                          							if(__eflags == 0) {
                                                                          								__eflags =  *0x47e84c & 0x00000002;
                                                                          								if(( *0x47e84c & 0x00000002) != 0) {
                                                                          									_push(3);
                                                                          								} else {
                                                                          									_push(1);
                                                                          								}
                                                                          								ShowWindow( *0x47e178, ??);
                                                                          								DestroyWindow(_v20);
                                                                          							}
                                                                          							goto L36;
                                                                          						} else {
                                                                          							__eflags =  *0x47f27c; // 0x1
                                                                          							if(__eflags != 0) {
                                                                          								L36:
                                                                          								__eflags =  *0x47e114; // 0x0
                                                                          								if(__eflags != 0) {
                                                                          									_t174 = _v8;
                                                                          								} else {
                                                                          									_t174 = E00424DD9(4);
                                                                          								}
                                                                          								_t103 = E0041C8FD(0x47e2f0, 0x74);
                                                                          								__eflags = _t103;
                                                                          								if(_t103 != 0) {
                                                                          									__eflags =  *0x47f27c; // 0x1
                                                                          									if(__eflags == 0) {
                                                                          										_t108 =  *0x47e72c(0);
                                                                          										__eflags = _t108;
                                                                          										if(_t108 != 0) {
                                                                          											 *0x47f289 = 1;
                                                                          											 *0x47e744(0, 1);
                                                                          											_t110 =  *0x47e73c(0, 0, 0);
                                                                          											__eflags = _t110;
                                                                          											if(_t110 != 0) {
                                                                          												_t112 =  *0x47e730(0, E0041CD1E(0x47e758));
                                                                          												__eflags = _t112;
                                                                          												if(_t112 != 0) {
                                                                          													 *0x47e738(0, 0, 0, 0x47e754);
                                                                          												}
                                                                          											}
                                                                          										}
                                                                          									}
                                                                          								}
                                                                          								__eflags =  *0x47e114; // 0x0
                                                                          								if(__eflags == 0) {
                                                                          									L48:
                                                                          									__eflags =  *0x47e610; // 0x0
                                                                          									if(__eflags == 0) {
                                                                          										_t174->i = _t174->i + 0xc;
                                                                          										__eflags = _t174->i;
                                                                          										E00424DCE(_t174);
                                                                          									}
                                                                          									goto L50;
                                                                          								} else {
                                                                          									__eflags =  *0x47e610; // 0x0
                                                                          									if(__eflags != 0) {
                                                                          										L50:
                                                                          										_t104 = 1;
                                                                          										return _t104;
                                                                          									}
                                                                          									E0041B2CC(_v12,  *_v12, "This setup program was created using unregistered shareware version of Astrum InstallWizard and distribution of this program is strictly forbidden.\r\n(This message will not be shown in the registered version of Astrum InstallWizard.)", "Astrum Installer", 0x30);
                                                                          									_t107 = E00424DD9(4);
                                                                          									_v8 = _t107;
                                                                          									_t174 = _t107;
                                                                          									goto L48;
                                                                          								}
                                                                          							}
                                                                          							E0040EFE7();
                                                                          							goto L31;
                                                                          						}
                                                                          					} else {
                                                                          						return 0;
                                                                          					}
                                                                          				}
                                                                          				_t189 =  *0x47e610; // 0x0
                                                                          				if(_t189 != 0) {
                                                                          					goto L19;
                                                                          				}
                                                                          				_t190 =  *0x47e614; // 0x0
                                                                          				if(_t190 != 0) {
                                                                          					goto L19;
                                                                          				}
                                                                          				_v20 = CreateDialogParamA( *0x47e17c, 0x12, 0, E00405811, 0);
                                                                          				_t126 = E0041D46F("<__Internal_Initializing__>");
                                                                          				if(_t126 != 0) {
                                                                          					SetWindowTextA(GetDlgItem(_v20, 0x422), _t126);
                                                                          				}
                                                                          				_t127 = E0041D46F("<__Internal_InitializingTitle__>");
                                                                          				if(_t127 != 0) {
                                                                          					SetWindowTextA(_v20, _t127);
                                                                          				}
                                                                          				goto L19;
                                                                          			}
                                                                          0x004182d0
                                                                          0x004182d4
                                                                          0x004182d8
                                                                          0x004182dc
                                                                          0x004182e0
                                                                          0x004182e4
                                                                          0x004182e8
                                                                          0x004182ec
                                                                          0x004182f0
                                                                          0x004182f4
                                                                          0x004182f8
                                                                          0x004182fc
                                                                          0x00418300
                                                                          0x00418304
                                                                          0x00418308
                                                                          0x0041830c
                                                                          0x00418310
                                                                          0x00418314
                                                                          0x00418318
                                                                          0x0041831c
                                                                          0x00418320
                                                                          0x00418324
                                                                          0x00418328
                                                                          0x0041832c
                                                                          0x00418330
                                                                          0x00418334
                                                                          0x00418338
                                                                          0x0041833c
                                                                          0x00418340
                                                                          0x00418344
                                                                          0x00418348
                                                                          0x00418354
                                                                          0x0041835d
                                                                          0x00418368
                                                                          0x00418372
                                                                          0x00418372
                                                                          0x00418379
                                                                          0x00418383
                                                                          0x0041838b
                                                                          0x00418390
                                                                          0x00418396
                                                                          0x004183a7
                                                                          0x004183a7
                                                                          0x004183ad
                                                                          0x004183af
                                                                          0x004183b6
                                                                          0x004183bc
                                                                          0x004183b8
                                                                          0x004183b8
                                                                          0x004183b8
                                                                          0x004183c4
                                                                          0x004183cd
                                                                          0x004183cd
                                                                          0x00000000
                                                                          0x00418398
                                                                          0x00418398
                                                                          0x0041839e
                                                                          0x004183d3
                                                                          0x004183d3
                                                                          0x004183d9
                                                                          0x004183e7
                                                                          0x004183db
                                                                          0x004183e3
                                                                          0x004183e3
                                                                          0x004183f1
                                                                          0x004183f6
                                                                          0x004183f8
                                                                          0x004183fa
                                                                          0x00418400
                                                                          0x00418403
                                                                          0x00418409
                                                                          0x0041840c
                                                                          0x00418411
                                                                          0x00418418
                                                                          0x00418421
                                                                          0x0041842a
                                                                          0x0041842c
                                                                          0x0041843a
                                                                          0x00418441
                                                                          0x00418444
                                                                          0x0041844e
                                                                          0x00418454
                                                                          0x00418444
                                                                          0x0041842c
                                                                          0x0041840c
                                                                          0x00418400
                                                                          0x00418457
                                                                          0x0041845d
                                                                          0x0041848a
                                                                          0x0041848a
                                                                          0x00418490
                                                                          0x00418492
                                                                          0x00418492
                                                                          0x00418496
                                                                          0x0041849b
                                                                          0x00000000
                                                                          0x0041845f
                                                                          0x0041845f
                                                                          0x00418465
                                                                          0x0041849c
                                                                          0x0041849e
                                                                          0x00000000
                                                                          0x0041849e
                                                                          0x00418478
                                                                          0x0041847f
                                                                          0x00418485
                                                                          0x00418488
                                                                          0x00000000
                                                                          0x00418488
                                                                          0x0041845d
                                                                          0x004183a2
                                                                          0x00000000
                                                                          0x004183a2
                                                                          0x00418356
                                                                          0x00000000
                                                                          0x00418356
                                                                          0x00418354
                                                                          0x004181bf
                                                                          0x004181c5
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004181c7
                                                                          0x004181cd
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004181e9
                                                                          0x004181ec
                                                                          0x004181f9
                                                                          0x0041820b
                                                                          0x0041820b
                                                                          0x00418212
                                                                          0x00418219
                                                                          0x0041821f
                                                                          0x0041821f
                                                                          0x00000000

                                                                          APIs
                                                                          • GetUserNameA.ADVAPI32(?,wQA), ref: 004180B4
                                                                            • Part of subcall function 0041BF12: GlobalUnlock.KERNEL32(0217020C,00000104,00000000,0041929A,00000000), ref: 0041BF19
                                                                            • Part of subcall function 0041BF12: GlobalReAlloc.KERNEL32 ref: 0041BF3B
                                                                            • Part of subcall function 0041BF12: GlobalLock.KERNEL32 ref: 0041BF5C
                                                                          • LoadLibraryA.KERNEL32(Secur32.dll,?,?,0047DFB8,00000000), ref: 004180DC
                                                                          • GetProcAddress.KERNEL32(00000000,GetUserNameExA), ref: 004180EF
                                                                          • FreeLibrary.KERNEL32(?,?,0047DFB8,00000000), ref: 00418125
                                                                          • CreateDialogParamA.USER32(00000012,00000000,00405811,00000000,00000000), ref: 004181DE
                                                                          • GetDlgItem.USER32 ref: 00418204
                                                                          • SetWindowTextA.USER32(00000000), ref: 0041820B
                                                                          • SetWindowTextA.USER32(?,00000000), ref: 0041821F
                                                                          • ShowWindow.USER32(00000003,00000000,?,?,0047DFB8,00000000), ref: 004183C4
                                                                          • DestroyWindow.USER32(?,?,0047DFB8,00000000), ref: 004183CD
                                                                            • Part of subcall function 0041BF12: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0047DFB8), ref: 0041BF2C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Global$LibraryText$AddressAllocCreateDestroyDialogFreeItemLoadLockNameParamProcShowUnlockUserlstrlen
                                                                          • String ID: !$#$2$2$3$4$5$8G$:$<__Internal_InitializingTitle__>$<__Internal_Initializing__>$Astrum Installer$E$GetUserNameExA$Graphics initialization failed. Dialog image will not be shown$P$P$PG$RegisteredOrganization$Secur32.dll$Software\Microsoft\Windows NT\CurrentVersion$Software\Microsoft\Windows\CurrentVersion$This setup program was created using unregistered shareware version of Astrum InstallWizard and distribution of this program is strictly forbidden.(This message will not be shown in the registered version of Astrum InstallWizard.)$U$XG$Y$Y$Y$\$j$k$q$s$v$wQA$z
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 89%
                                                                          			E0041938D(intOrPtr __ecx) {
                                                                          				signed int _v5;
                                                                          				intOrPtr _v12;
                                                                          				int _v16;
                                                                          				char _v28;
                                                                          				int _v32;
                                                                          				unsigned int _v36;
                                                                          				void* _v40;
                                                                          				char _v52;
                                                                          				char _v64;
                                                                          				unsigned int _v68;
                                                                          				char _v80;
                                                                          				char _v92;
                                                                          				char _v104;
                                                                          				signed short _v108;
                                                                          				signed int _v112;
                                                                          				char _v124;
                                                                          				char _v136;
                                                                          				char _v148;
                                                                          				char _v160;
                                                                          				char _v172;
                                                                          				char _v184;
                                                                          				void _v235;
                                                                          				char _v236;
                                                                          				void* _t140;
                                                                          				intOrPtr _t143;
                                                                          				intOrPtr _t145;
                                                                          				unsigned int _t147;
                                                                          				int _t152;
                                                                          				intOrPtr _t176;
                                                                          				intOrPtr _t177;
                                                                          				signed char _t180;
                                                                          				signed char _t182;
                                                                          				int _t200;
                                                                          				void* _t213;
                                                                          				void* _t231;
                                                                          				int _t237;
                                                                          				int _t240;
                                                                          				void* _t244;
                                                                          				int _t246;
                                                                          				int _t273;
                                                                          				unsigned int _t275;
                                                                          				void* _t284;
                                                                          				int _t286;
                                                                          				void* _t287;
                                                                          				intOrPtr* _t289;
                                                                          				unsigned int _t290;
                                                                          				char* _t314;
                                                                          				char* _t319;
                                                                          				char* _t340;
                                                                          				char* _t366;
                                                                          				signed int _t371;
                                                                          				unsigned int _t391;
                                                                          				int _t402;
                                                                          				unsigned int _t406;
                                                                          				void* _t407;
                                                                          				void* _t413;
                                                                          				void* _t415;
                                                                          				void* _t423;
                                                                          				void* _t426;
                                                                          
                                                                          				_t402 = 0;
                                                                          				_t415 =  *0x47e568 - _t402; // 0x1
                                                                          				_v12 = __ecx;
                                                                          				_v32 = 0;
                                                                          				if(_t415 <= 0) {
                                                                          					return _t140;
                                                                          				} else {
                                                                          					goto L1;
                                                                          				}
                                                                          				do {
                                                                          					L1:
                                                                          					_t289 = E0041E860(0x47e55c, _v32);
                                                                          					_v16 = _t289;
                                                                          					if(E00412BA7( *((intOrPtr*)(_t289 + 0x2c))) == 0) {
                                                                          						goto L111;
                                                                          					}
                                                                          					E0041BDC5( &_v28);
                                                                          					_t145 =  *_t289;
                                                                          					_v5 = 1;
                                                                          					_t417 = _t145 - 1;
                                                                          					if(_t145 != 1) {
                                                                          						__eflags = _t145 - 2;
                                                                          						if(_t145 != 2) {
                                                                          							__eflags = _t145 - 3;
                                                                          							if(_t145 != 3) {
                                                                          								__eflags = _t145 - 4;
                                                                          								if(_t145 != 4) {
                                                                          									__eflags = _t145 - 5;
                                                                          									if(_t145 != 5) {
                                                                          										goto L110;
                                                                          									}
                                                                          									_t147 =  *0x47e6f4; // 0x9
                                                                          									__eflags = _t147 - 0xffffffff;
                                                                          									if(__eflags == 0) {
                                                                          										_t147 = E0041FEF9(); // executed
                                                                          										 *0x47e6f4 = _t147;
                                                                          									}
                                                                          									_v108 = _t147;
                                                                          									_t64 = _t289 + 8; // 0x8
                                                                          									_t408 = _t64;
                                                                          									_v112 = _t147 >> 0x10;
                                                                          									_v16 = 0;
                                                                          									__eflags = E0041C1FA(_t64, __eflags, "7.0", 1);
                                                                          									if(__eflags == 0) {
                                                                          										__eflags = E0041C1FA(_t408, __eflags, "8.0", 1);
                                                                          										if(__eflags == 0) {
                                                                          											__eflags = E0041C1FA(_t408, __eflags, "8.1", 1);
                                                                          											if(__eflags == 0) {
                                                                          												_t152 = E0041C1FA(_t408, __eflags, "9.0", 1);
                                                                          												__eflags = _t152;
                                                                          												if(_t152 == 0) {
                                                                          													goto L75;
                                                                          												}
                                                                          												_push(9);
                                                                          												goto L74;
                                                                          											}
                                                                          											_push(8);
                                                                          											_v16 = 1;
                                                                          											_pop(0);
                                                                          											goto L75;
                                                                          										}
                                                                          										_push(8);
                                                                          										goto L74;
                                                                          									} else {
                                                                          										_push(7);
                                                                          										L74:
                                                                          										_pop(0);
                                                                          										L75:
                                                                          										__eflags = _v108 & 0x0000ffff;
                                                                          										if(__eflags < 0) {
                                                                          											L78:
                                                                          											_t71 =  &_v5;
                                                                          											 *_t71 = _v5 & 0x00000000;
                                                                          											__eflags =  *_t71;
                                                                          											L79:
                                                                          											_push("DirectX");
                                                                          											goto L80;
                                                                          										}
                                                                          										if(__eflags != 0) {
                                                                          											goto L79;
                                                                          										}
                                                                          										__eflags = (_v112 & 0x0000ffff) - _v16;
                                                                          										if((_v112 & 0x0000ffff) >= _v16) {
                                                                          											goto L79;
                                                                          										}
                                                                          										goto L78;
                                                                          									}
                                                                          								}
                                                                          								E0041BE35( &_v92, 0x42e0c8);
                                                                          								_t39 = _t289 + 8; // 0x8
                                                                          								_t409 = _t39;
                                                                          								__eflags = E0041C1FA(_t39, __eflags, "2.5", 1);
                                                                          								if(__eflags == 0) {
                                                                          									__eflags = E0041C1FA(_t409, __eflags, "2.6", 1);
                                                                          									if(__eflags == 0) {
                                                                          										__eflags = E0041C1FA(_t409, __eflags, "2.7", 1);
                                                                          										if(__eflags == 0) {
                                                                          											_t237 = E0041C1FA(_t409, __eflags, "2.8", 1);
                                                                          											__eflags = _t237;
                                                                          											if(_t237 == 0) {
                                                                          												L57:
                                                                          												E0041BDC5( &_v124);
                                                                          												_v40 = _t402;
                                                                          												_t240 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\DataAccess", _t402, 0x20019,  &_v40);
                                                                          												__eflags = _t240;
                                                                          												if(_t240 == 0) {
                                                                          													_v236 = _v236 & _t240;
                                                                          													_t371 = 0xc;
                                                                          													memset( &_v235, _t240, _t371 << 2);
                                                                          													_t413 = _t413 + 0xc;
                                                                          													asm("stosb");
                                                                          													_v16 = 0x32;
                                                                          													RegQueryValueExA(_v40, "FullInstallVer", 0, 0,  &_v236,  &_v16);
                                                                          													E0041BF12( &_v124,  &_v236);
                                                                          													RegCloseKey(_v40);
                                                                          													_t402 = 0;
                                                                          													__eflags = 0;
                                                                          												}
                                                                          												__eflags = _v124 - _t402;
                                                                          												if(_v124 == _t402) {
                                                                          													L61:
                                                                          													_t58 =  &_v5;
                                                                          													 *_t58 = _v5 & 0x00000000;
                                                                          													__eflags =  *_t58;
                                                                          													goto L62;
                                                                          												} else {
                                                                          													_t244 = E0041CD1E( &_v124);
                                                                          													_t246 = E00424A30(E0041CD1E( &_v92), _t244);
                                                                          													__eflags = _t246;
                                                                          													if(_t246 <= 0) {
                                                                          														L62:
                                                                          														E0041BF12( &_v28, "Microsoft Data Access Components");
                                                                          														E0041BEFB( &_v124);
                                                                          														_t366 =  &_v92;
                                                                          														L13:
                                                                          														E0041BEFB(_t366);
                                                                          														goto L82;
                                                                          													}
                                                                          													goto L61;
                                                                          												}
                                                                          											}
                                                                          											_push("2.80.1022.3");
                                                                          											L56:
                                                                          											E0041BF12( &_v92);
                                                                          											goto L57;
                                                                          										}
                                                                          										_push("2.70.9001.0");
                                                                          										goto L56;
                                                                          									}
                                                                          									_push("2.60.6526.3");
                                                                          									goto L56;
                                                                          								}
                                                                          								_push("2.50.4403.12");
                                                                          								goto L56;
                                                                          							} else {
                                                                          								E0041BE99( &_v172, 0x47e0a0);
                                                                          								_t406 = 0;
                                                                          								E0041C047( &_v172, "\\hhctrl.ocx", 0);
                                                                          								_v36 = 0;
                                                                          								_v68 = 0;
                                                                          								E0040D883(E0041CD1E( &_v172),  &_v36,  &_v68);
                                                                          								_t413 = _t413 + 0xc;
                                                                          								_t290 = 0;
                                                                          								_t410 = _v16 + 8;
                                                                          								__eflags = E0041C1FA(_v16 + 8, __eflags, "1.0", 1);
                                                                          								if(__eflags == 0) {
                                                                          									__eflags = E0041C1FA(_t410, __eflags, "1.1", 1);
                                                                          									if(__eflags == 0) {
                                                                          										__eflags = E0041C1FA(_t410, __eflags, "1.1a", 1);
                                                                          										if(__eflags == 0) {
                                                                          											__eflags = E0041C1FA(_t410, __eflags, "1.1b", 1);
                                                                          											if(__eflags == 0) {
                                                                          												__eflags = E0041C1FA(_t410, __eflags, "1.2", 1);
                                                                          												if(__eflags == 0) {
                                                                          													__eflags = E0041C1FA(_t410, __eflags, "1.21", 1);
                                                                          													if(__eflags == 0) {
                                                                          														__eflags = E0041C1FA(_t410, __eflags, "1.21a", 1);
                                                                          														if(__eflags == 0) {
                                                                          															__eflags = E0041C1FA(_t410, __eflags, "1.22", 1);
                                                                          															if(__eflags == 0) {
                                                                          																__eflags = E0041C1FA(_t410, __eflags, "1.3", 1);
                                                                          																if(__eflags == 0) {
                                                                          																	__eflags = E0041C1FA(_t410, __eflags, "1.31", 1);
                                                                          																	if(__eflags == 0) {
                                                                          																		__eflags = E0041C1FA(_t410, __eflags, "1.32", 1);
                                                                          																		if(__eflags == 0) {
                                                                          																			_t273 = E0041C1FA(_t410, __eflags, "1.33", 1);
                                                                          																			__eflags = _t273;
                                                                          																			if(_t273 != 0) {
                                                                          																				_t406 = 0x4004a;
                                                                          																				_t290 = 0x24390000;
                                                                          																			}
                                                                          																		} else {
                                                                          																			_t406 = 0x4004a;
                                                                          																			_t290 = 0x22ab0000;
                                                                          																		}
                                                                          																	} else {
                                                                          																		_t406 = 0x4004a;
                                                                          																		_t290 = 0x22590000;
                                                                          																	}
                                                                          																} else {
                                                                          																	_t406 = 0x4004a;
                                                                          																	_t290 = 0x21fe0000;
                                                                          																}
                                                                          															} else {
                                                                          																_t406 = 0x40049;
                                                                          																_t290 = 0x21710000;
                                                                          															}
                                                                          														} else {
                                                                          															_t406 = 0x40049;
                                                                          															_t290 = 0x211a0000;
                                                                          														}
                                                                          													} else {
                                                                          														_t406 = 0x40049;
                                                                          														_t290 = 0x20dc0000;
                                                                          													}
                                                                          												} else {
                                                                          													_t406 = 0x40049;
                                                                          													_t290 = 0x203c0000;
                                                                          												}
                                                                          											} else {
                                                                          												_t406 = 0x40048;
                                                                          												_t290 = 0x1fe40000;
                                                                          											}
                                                                          										} else {
                                                                          											_t406 = 0x40048;
                                                                          											_t290 = 0x1c9d0000;
                                                                          										}
                                                                          									} else {
                                                                          										_t406 = 0x40048;
                                                                          										_t290 = 0x1c9b0000;
                                                                          									}
                                                                          								} else {
                                                                          									_t406 = 0x40048;
                                                                          									_t290 = 0x1c7a0000;
                                                                          								}
                                                                          								_t275 = _t406 >> 0x10;
                                                                          								_t391 = _v36 >> 0x10;
                                                                          								__eflags = _t391 - _t275;
                                                                          								if(__eflags < 0) {
                                                                          									L45:
                                                                          									_t33 =  &_v5;
                                                                          									 *_t33 = _v5 & 0x00000000;
                                                                          									__eflags =  *_t33;
                                                                          									L46:
                                                                          									E0041BF12( &_v28, "HTML Help Viewer ");
                                                                          									E0041BEFB( &_v172);
                                                                          									_t289 = _v16;
                                                                          									goto L81;
                                                                          								}
                                                                          								if(__eflags != 0) {
                                                                          									L42:
                                                                          									__eflags = _t391 - _t275;
                                                                          									if(_t391 != _t275) {
                                                                          										goto L46;
                                                                          									}
                                                                          									__eflags = _v36 - _t406;
                                                                          									if(_v36 != _t406) {
                                                                          										goto L46;
                                                                          									}
                                                                          									__eflags = _v68 >> 0x10 - _t290 >> 0x10;
                                                                          									if(_v68 >> 0x10 >= _t290 >> 0x10) {
                                                                          										goto L46;
                                                                          									}
                                                                          									goto L45;
                                                                          								}
                                                                          								__eflags = _v36 - _t406;
                                                                          								if(_v36 < _t406) {
                                                                          									goto L45;
                                                                          								}
                                                                          								goto L42;
                                                                          							}
                                                                          						}
                                                                          						E0041BDC5( &_v160);
                                                                          						E00420AA9( &_v160);
                                                                          						__eflags = _v160 - _t402;
                                                                          						if(_v160 == _t402) {
                                                                          							L11:
                                                                          							_t16 =  &_v5;
                                                                          							 *_t16 = _v5 & 0x00000000;
                                                                          							__eflags =  *_t16;
                                                                          							L12:
                                                                          							E0041BF12( &_v28, "Java ");
                                                                          							_t366 =  &_v160;
                                                                          							goto L13;
                                                                          						}
                                                                          						_t284 = E0041CD1E( &_v160);
                                                                          						_t15 = _t289 + 8; // 0x8
                                                                          						_t286 = E00424A30(E0041CD1E(_t15), _t284);
                                                                          						__eflags = _t286;
                                                                          						if(_t286 <= 0) {
                                                                          							goto L12;
                                                                          						}
                                                                          						goto L11;
                                                                          					} else {
                                                                          						_t287 = E0041FB81();
                                                                          						_t8 = _t289 + 8; // 0x8
                                                                          						_t407 = _t287;
                                                                          						if(E0041C1FA(_t8, _t417, "1.1", 1) != 0) {
                                                                          							_push(1);
                                                                          							_pop(0);
                                                                          						}
                                                                          						if(_t407 < 0) {
                                                                          							_v5 = _v5 & 0x00000000;
                                                                          						}
                                                                          						_push(".NET Framework ");
                                                                          						L80:
                                                                          						E0041BF12( &_v28);
                                                                          						L81:
                                                                          						_t402 = 0;
                                                                          						L82:
                                                                          						_t422 = _v5;
                                                                          						if(_v5 != 0) {
                                                                          							L110:
                                                                          							E0041BEFB( &_v28);
                                                                          							goto L111;
                                                                          						}
                                                                          						E0041BE99( &_v80,  &_v28);
                                                                          						_t77 = _t289 + 0x14; // 0x14
                                                                          						E0041C0C5( &_v80, _t422, _t77);
                                                                          						_t79 = _t289 + 8; // 0x8
                                                                          						E0041C0C5( &_v28, _t422, _t79);
                                                                          						_t423 =  *0x47e19c - _t402; // 0x1
                                                                          						if(_t423 == 0 || E0041E3EF() != 0) {
                                                                          							E0041BDC5( &_v136);
                                                                          							_push(E0041CD1E( &_v28));
                                                                          							E0041C467( &_v136, E0041CD1E(0x47f0f8));
                                                                          							_t413 = _t413 + 0xc;
                                                                          							__eflags = E0041B2CC(_v12, _t402, E0041CD1E( &_v136), _t402, 4) - 7;
                                                                          							if(__eflags == 0) {
                                                                          								E0041A1B5(1);
                                                                          								E0041BEFB( &_v136);
                                                                          								E0041BEFB( &_v80);
                                                                          								return E0041BEFB( &_v28);
                                                                          							}
                                                                          							_t314 =  &_v136;
                                                                          							goto L92;
                                                                          						} else {
                                                                          							E0041BDC5( &_v148);
                                                                          							_push(E0041CD1E( &_v28));
                                                                          							E0041C467( &_v148, E0041CD1E(0x47f104));
                                                                          							_t413 = _t413 + 0xc;
                                                                          							_t231 = E0041B2CC(_v12, _t402, E0041CD1E( &_v148), _t402, 3);
                                                                          							if(_t231 != 7) {
                                                                          								__eflags = _t231 - 2;
                                                                          								if(__eflags == 0) {
                                                                          									E0041A1B5(1);
                                                                          								}
                                                                          								_t314 =  &_v148;
                                                                          								L92:
                                                                          								E0041BEFB(_t314);
                                                                          								_t95 = _t289 + 0x20; // 0x20
                                                                          								_t411 = _t95;
                                                                          								E004164B1(_v12, __eflags, _t95);
                                                                          								E0041A81A(__eflags, _t95);
                                                                          								E0041B3B9(_v12, _t411, 0x7fffffff);
                                                                          								E0041BDC5( &_v104);
                                                                          								_t176 =  *_t289;
                                                                          								__eflags = _t176 - 3;
                                                                          								if(_t176 != 3) {
                                                                          									__eflags = _t176 - 4;
                                                                          									if(_t176 != 4) {
                                                                          										L97:
                                                                          										_t177 =  *((intOrPtr*)(_t289 + 4));
                                                                          										__eflags = _t177 - _t402;
                                                                          										if(_t177 != _t402) {
                                                                          											__eflags = _t177 - 1;
                                                                          											if(_t177 != 1) {
                                                                          												L106:
                                                                          												__eflags =  *_t289 - 4;
                                                                          												if( *_t289 == 4) {
                                                                          													_t180 =  *0x47e190; // 0x2080c08
                                                                          													_t182 = _t180 & 0x000000f3 | 0x00000002;
                                                                          													__eflags = _t182;
                                                                          													 *0x47e190 = _t182;
                                                                          												}
                                                                          												L108:
                                                                          												_t319 =  &_v104;
                                                                          												L109:
                                                                          												E0041BEFB(_t319);
                                                                          												E0041BEFB( &_v80);
                                                                          												goto L110;
                                                                          											}
                                                                          											E0041BDC5( &_v64);
                                                                          											E0041BDC5( &_v52);
                                                                          											_push(E0041CD1E( &_v28));
                                                                          											E0041C467( &_v52, "<ResourceDir>\\3rd-party\\%s.exe");
                                                                          											E0041A81A(__eflags,  &_v52);
                                                                          											_push(E0041CD1E( &_v80));
                                                                          											_push(E0041CD1E(_t411));
                                                                          											_push(E0041CD1E( &_v52));
                                                                          											E0041C467( &_v64, "\"<ResourceDir>\\3rd-party\\Downloader.exe\" /download /local \"%s\" /url \"%s\" /program \"%s\"");
                                                                          											_t413 = _t413 + 0x20;
                                                                          											E0041A81A(__eflags,  &_v64);
                                                                          											E004114E1(E0041CD1E( &_v64), _t402);
                                                                          											_t200 = E0040DF52(E0041CD1E( &_v52));
                                                                          											__eflags = _t200;
                                                                          											if(_t200 != 0) {
                                                                          												L104:
                                                                          												E0041BF12( &_v64, 0x42e0c8);
                                                                          												_push(E0041CD1E( &_v104));
                                                                          												_push(E0041CD1E( &_v52));
                                                                          												E0041C467( &_v64, "\"%s\"%s");
                                                                          												_t413 = _t413 + 0x10;
                                                                          												E004114E1(E0041CD1E( &_v64), _t402);
                                                                          												DeleteFileA(E0041CD1E( &_v52));
                                                                          												E0041BEFB( &_v52);
                                                                          												_t340 =  &_v64;
                                                                          												L105:
                                                                          												E0041BEFB(_t340);
                                                                          												goto L106;
                                                                          											}
                                                                          											_t213 = E0041B2CC(_v12, _t402, E0041CD1E(0x47f110), _t402, 4);
                                                                          											__eflags = _t213 - 6;
                                                                          											if(_t213 != 6) {
                                                                          												E0041A1B5(1);
                                                                          												goto L104;
                                                                          											}
                                                                          											E0041BEFB( &_v52);
                                                                          											E0041BEFB( &_v64);
                                                                          											goto L108;
                                                                          										}
                                                                          										E0041BDC5( &_v184);
                                                                          										_push(E0041CD1E( &_v104));
                                                                          										_push(E0041CD1E(_t411));
                                                                          										E0041C467( &_v184, "\"%s\"%s");
                                                                          										_t413 = _t413 + 0x10;
                                                                          										E004114E1(E0041CD1E( &_v184), _t402);
                                                                          										_t340 =  &_v184;
                                                                          										goto L105;
                                                                          									}
                                                                          									_push(" /q:a /c:\"dasetup.exe /q /n\"");
                                                                          									L96:
                                                                          									E0041BF12( &_v104);
                                                                          									goto L97;
                                                                          								}
                                                                          								_push(" /r:n /q:a");
                                                                          								goto L96;
                                                                          							}
                                                                          							_t319 =  &_v148;
                                                                          							goto L109;
                                                                          						}
                                                                          					}
                                                                          					L111:
                                                                          					_v32 = _v32 + 1;
                                                                          					_t143 = _v32;
                                                                          					_t426 = _t143 -  *0x47e568; // 0x1
                                                                          				} while (_t426 < 0);
                                                                          				return _t143;
                                                                          			}
                                                                          0x00419891
                                                                          0x00419895
                                                                          0x00419b9d
                                                                          0x00419ba0
                                                                          0x00000000
                                                                          0x00419ba0
                                                                          0x004198a2
                                                                          0x004198a7
                                                                          0x004198ae
                                                                          0x004198b3
                                                                          0x004198ba
                                                                          0x004198bf
                                                                          0x004198c5
                                                                          0x00419945
                                                                          0x00419952
                                                                          0x00419965
                                                                          0x0041996a
                                                                          0x00419985
                                                                          0x00419988
                                                                          0x00419bbe
                                                                          0x00419bc9
                                                                          0x00419bd1
                                                                          0x00000000
                                                                          0x00419bd9
                                                                          0x0041998e
                                                                          0x00000000
                                                                          0x004198d0
                                                                          0x004198d6
                                                                          0x004198e3
                                                                          0x004198f6
                                                                          0x004198fb
                                                                          0x00419911
                                                                          0x00419919
                                                                          0x00419926
                                                                          0x00419929
                                                                          0x00419932
                                                                          0x00419932
                                                                          0x00419937
                                                                          0x00419994
                                                                          0x00419994
                                                                          0x0041999c
                                                                          0x0041999c
                                                                          0x004199a0
                                                                          0x004199a9
                                                                          0x004199b7
                                                                          0x004199bf
                                                                          0x004199c4
                                                                          0x004199c6
                                                                          0x004199c9
                                                                          0x004199d2
                                                                          0x004199d5
                                                                          0x004199e4
                                                                          0x004199e4
                                                                          0x004199e7
                                                                          0x004199e9
                                                                          0x00419a3d
                                                                          0x00419a40
                                                                          0x00419b7a
                                                                          0x00419b7a
                                                                          0x00419b7d
                                                                          0x00419b7f
                                                                          0x00419b86
                                                                          0x00419b86
                                                                          0x00419b88
                                                                          0x00419b88
                                                                          0x00419b8d
                                                                          0x00419b8d
                                                                          0x00419b90
                                                                          0x00419b90
                                                                          0x00419b98
                                                                          0x00000000
                                                                          0x00419b98
                                                                          0x00419a49
                                                                          0x00419a51
                                                                          0x00419a5e
                                                                          0x00419a68
                                                                          0x00419a77
                                                                          0x00419a84
                                                                          0x00419a8c
                                                                          0x00419a95
                                                                          0x00419a9f
                                                                          0x00419aa7
                                                                          0x00419aae
                                                                          0x00419ac2
                                                                          0x00419ad0
                                                                          0x00419ad5
                                                                          0x00419ad8
                                                                          0x00419b17
                                                                          0x00419b1f
                                                                          0x00419b2c
                                                                          0x00419b35
                                                                          0x00419b3f
                                                                          0x00419b44
                                                                          0x00419b56
                                                                          0x00419b64
                                                                          0x00419b6d
                                                                          0x00419b72
                                                                          0x00419b75
                                                                          0x00419b75
                                                                          0x00000000
                                                                          0x00419b75
                                                                          0x00419aec
                                                                          0x00419af1
                                                                          0x00419af4
                                                                          0x00419b12
                                                                          0x00000000
                                                                          0x00419b12
                                                                          0x00419af9
                                                                          0x00419b01
                                                                          0x00000000
                                                                          0x00419b01
                                                                          0x004199f1
                                                                          0x004199fe
                                                                          0x00419a06
                                                                          0x00419a13
                                                                          0x00419a18
                                                                          0x00419a2d
                                                                          0x00419a32
                                                                          0x00000000
                                                                          0x00419a32
                                                                          0x004199d7
                                                                          0x004199dc
                                                                          0x004199df
                                                                          0x00000000
                                                                          0x004199df
                                                                          0x004199cb
                                                                          0x00000000
                                                                          0x004199cb
                                                                          0x0041991b
                                                                          0x00000000
                                                                          0x0041991b
                                                                          0x004198c5
                                                                          0x00419ba5
                                                                          0x00419ba5
                                                                          0x00419ba8
                                                                          0x00419bab
                                                                          0x00419bab
                                                                          0x00000000

                                                                          APIs
                                                                            • Part of subcall function 0041BDC5: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0041C189,00000000,0047E4D0,00000000), ref: 0041BDD5
                                                                            • Part of subcall function 0041BDC5: GlobalLock.KERNEL32 ref: 0041BDDF
                                                                            • Part of subcall function 0041FB81: FindFirstFileA.KERNEL32(00000000,?,00000001,00420E9E,0047DFBC), ref: 0041FC08
                                                                            • Part of subcall function 0041FB81: GetFileAttributesA.KERNEL32(00000000,\system.dll,00000000,0000002E,00000000,00420E9F), ref: 0041FC66
                                                                            • Part of subcall function 0041FB81: lstrlenA.KERNEL32(0000002E), ref: 0041FC78
                                                                          • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\DataAccess,00000000,00020019,0047DFB8,2.8,00000001,2.7,00000001,2.6,00000001,2.5,00000001,0042E0C8,00000000,?), ref: 00419741
                                                                          • RegQueryValueExA.ADVAPI32(0047DFB8,FullInstallVer,00000000,00000000,?,?), ref: 0041977B
                                                                          • RegCloseKey.ADVAPI32(0047DFB8,?), ref: 00419793
                                                                            • Part of subcall function 0041BE99: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0042C1D8,00421A71,00000000,00000000,00000000,0042C1D8,00000000,00000001,00000000,00000001,0000005C,00000000,00000000), ref: 0041BEB3
                                                                            • Part of subcall function 0041BE99: GlobalLock.KERNEL32 ref: 0041BED4
                                                                            • Part of subcall function 0041C047: lstrlenA.KERNEL32(00000000,00422D86,0047E788,004221EF,103,00000000,00000000,00000000,00000000,0047E788,00000000), ref: 0041C04F
                                                                            • Part of subcall function 0041C047: GlobalUnlock.KERNEL32(8415FF57), ref: 0041C067
                                                                            • Part of subcall function 0041C047: GlobalReAlloc.KERNEL32 ref: 0041C074
                                                                            • Part of subcall function 0041C047: GlobalLock.KERNEL32 ref: 0041C095
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                            • Part of subcall function 0040D883: GetFileVersionInfoSizeA.VERSION(00000000,00000000,00000000,?,00000000,00000000), ref: 0040D891
                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,0042E0C8,00000000,00000000,0000000E,?,?,?,?,FFFFFFFF,00000000,00000000,00000004,?), ref: 00419B64
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocFileLock$Unlocklstrlen$AttributesCloseDeleteFindFirstInfoOpenQuerySizeValueVersion
                                                                          • String ID: /q:a /c:"dasetup.exe /q /n"$ /r:n /q:a$"%s"%s$"<ResourceDir>\3rd-party\Downloader.exe" /download /local "%s" /url "%s" /program "%s"$.NET Framework $1.0$1.1$1.1a$1.1b$1.2$1.21$1.21a$1.22$1.3$1.31$1.32$1.33$2$2.5$2.50.4403.12$2.6$2.60.6526.3$2.7$2.70.9001.0$2.8$2.80.1022.3$7.0$8.0$8.1$9.0$<ResourceDir>\3rd-party\%s.exe$DirectX$FullInstallVer$HTML Help Viewer $Java $Microsoft Data Access Components$Software\Microsoft\DataAccess$\hhctrl.ocx$\G
                                                                          • API String ID: 1102018280-2153218299
                                                                          • Opcode ID: 030333e0018df0888f60f3913a941313b334ee0bf5367e1edcfc2d5dfe4a9605
                                                                          • Instruction ID: 6fa8a9ce8b94bae494bd30facd369e5acc3ed9cdb665eb8de86f93847e4eb968
                                                                          • Opcode Fuzzy Hash: 030333e0018df0888f60f3913a941313b334ee0bf5367e1edcfc2d5dfe4a9605
                                                                          • Instruction Fuzzy Hash: 12227E31A40218A6CF14EBA1DDA2BED7725AF14708F50406FF506B72C2DB6C5ECACA5D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 34%
                                                                          			E0041FEF9() {
                                                                          				void* _v8;
                                                                          				struct HINSTANCE__* _v12;
                                                                          				void* _v16;
                                                                          				void* _v20;
                                                                          				char _v24;
                                                                          				struct HINSTANCE__* _v28;
                                                                          				void* _v32;
                                                                          				void* _v36;
                                                                          				signed short _v40;
                                                                          				void* _v44;
                                                                          				void* _v48;
                                                                          				struct HINSTANCE__* _t61;
                                                                          				_Unknown_base(*)()* _t62;
                                                                          				void* _t65;
                                                                          				long _t67;
                                                                          				intOrPtr* _t68;
                                                                          				struct HINSTANCE__* _t70;
                                                                          				_Unknown_base(*)()* _t71;
                                                                          				intOrPtr* _t73;
                                                                          				void* _t75;
                                                                          				intOrPtr* _t76;
                                                                          				intOrPtr* _t78;
                                                                          				intOrPtr* _t80;
                                                                          				struct HINSTANCE__* _t83;
                                                                          				intOrPtr* _t84;
                                                                          				intOrPtr* _t86;
                                                                          				struct HINSTANCE__* _t88;
                                                                          				intOrPtr* _t90;
                                                                          				intOrPtr* _t92;
                                                                          				intOrPtr* _t94;
                                                                          				void* _t97;
                                                                          				intOrPtr* _t98;
                                                                          				char* _t104;
                                                                          				intOrPtr* _t105;
                                                                          				intOrPtr* _t107;
                                                                          				_Unknown_base(*)()* _t111;
                                                                          				void* _t113;
                                                                          				intOrPtr* _t114;
                                                                          				void* _t117;
                                                                          				void* _t120;
                                                                          				intOrPtr* _t121;
                                                                          				struct HINSTANCE__* _t151;
                                                                          				void* _t152;
                                                                          
                                                                          				_v8 = 0;
                                                                          				_v20 = 0;
                                                                          				_v36 = 0;
                                                                          				_v44 = 0;
                                                                          				_v16 = 0;
                                                                          				_v24 = 0;
                                                                          				_v32 = 0;
                                                                          				_v40 = 0;
                                                                          				_t61 = LoadLibraryA("DDRAW.DLL"); // executed
                                                                          				_v12 = _t61;
                                                                          				if(_t61 != 0) {
                                                                          					_t62 = GetProcAddress(_t61, "DirectDrawCreate");
                                                                          					if(_t62 == 0) {
                                                                          						L16:
                                                                          						FreeLibrary(_v12);
                                                                          						return 0;
                                                                          					}
                                                                          					_t65 =  *_t62(0,  &_v8, 0); // executed
                                                                          					if(_t65 < 0) {
                                                                          						goto L16;
                                                                          					}
                                                                          					_push( &_v20);
                                                                          					_push(0x428818);
                                                                          					_t67 = NtProtectVirtualMemory(_v8); // executed
                                                                          					if(_t67 >= 0) {
                                                                          						_t68 = _v20;
                                                                          						 *((intOrPtr*)( *_t68 + 8))(_t68);
                                                                          						_t70 = LoadLibraryA("DINPUT.DLL"); // executed
                                                                          						_v28 = _t70;
                                                                          						if(_t70 != 0) {
                                                                          							_t71 = GetProcAddress(_t70, "DirectInputCreateA");
                                                                          							if(_t71 == 0) {
                                                                          								L11:
                                                                          								_push(2);
                                                                          								L14:
                                                                          								_pop(0);
                                                                          								FreeLibrary(_v28);
                                                                          								L15:
                                                                          								_t73 = _v8;
                                                                          								 *((intOrPtr*)( *_t73 + 8))(_t73);
                                                                          								goto L16;
                                                                          							}
                                                                          							_t75 =  *_t71( *0x47e17c, 0x500,  &_v16, 0); // executed
                                                                          							if(_t75 == 0) {
                                                                          								_t76 = _v16;
                                                                          								_push( &_v24);
                                                                          								_push(0x4287e8);
                                                                          								_push(_t76);
                                                                          								if( *((intOrPtr*)( *_t76))() >= 0) {
                                                                          									_t78 = _v24;
                                                                          									 *((intOrPtr*)( *_t78 + 8))(_t78);
                                                                          									_t80 = _v16;
                                                                          									 *((intOrPtr*)( *_t80 + 8))(_t80);
                                                                          									FreeLibrary(_v28); // executed
                                                                          									_t83 = LoadLibraryA("DINPUT8.DLL"); // executed
                                                                          									_v28 = _t83;
                                                                          									if(_t83 == 0) {
                                                                          										L22:
                                                                          										_t84 = _v8;
                                                                          										_push( &_v36);
                                                                          										_push(0x428808);
                                                                          										_push(_t84);
                                                                          										if( *((intOrPtr*)( *_t84))() >= 0) {
                                                                          											_t86 = _v36;
                                                                          											 *((intOrPtr*)( *_t86 + 8))(_t86);
                                                                          											_t88 = LoadLibraryA("DMUSIC.DLL");
                                                                          											_t151 = _t88;
                                                                          											if(_t151 != 0) {
                                                                          												__imp__CoInitialize(0);
                                                                          												if(_t88 >= 0) {
                                                                          													_t104 =  &_v48;
                                                                          													__imp__CoCreateInstance(0x4287c8, 0, 3, 0x4287b8, _t104);
                                                                          													if(_t104 >= 0) {
                                                                          														_t105 = _v48;
                                                                          														 *((intOrPtr*)( *_t105 + 8))(_t105);
                                                                          														_v40 = 1;
                                                                          													}
                                                                          												}
                                                                          												__imp__CoUninitialize();
                                                                          												FreeLibrary(_t151);
                                                                          												_t90 = _v8;
                                                                          												_push( &_v44);
                                                                          												_push(0x4287f8);
                                                                          												_push(_t90);
                                                                          												if( *((intOrPtr*)( *_t90))() >= 0) {
                                                                          													_t92 = _v44;
                                                                          													 *((intOrPtr*)( *_t92 + 8))(_t92);
                                                                          													_t94 = _v8;
                                                                          													 *((intOrPtr*)( *_t94 + 8))(_t94);
                                                                          													FreeLibrary(_v12);
                                                                          													_t97 = 7;
                                                                          													return _t97;
                                                                          												} else {
                                                                          													_t98 = _v8;
                                                                          													 *((intOrPtr*)( *_t98 + 8))(_t98);
                                                                          													FreeLibrary(_v12);
                                                                          													return (_v40 & 0x0000ffff) << 0x00000010 | 0x00000006;
                                                                          												}
                                                                          											}
                                                                          											_push(6);
                                                                          											L26:
                                                                          											_t107 = _v8;
                                                                          											_pop(_t152);
                                                                          											 *((intOrPtr*)( *_t107 + 8))(_t107);
                                                                          											FreeLibrary(_v12);
                                                                          											return _t152;
                                                                          										}
                                                                          										_push(5);
                                                                          										goto L26;
                                                                          									}
                                                                          									_t111 = GetProcAddress(_t83, "DirectInput8Create");
                                                                          									if(_t111 == 0) {
                                                                          										L21:
                                                                          										FreeLibrary(_v28);
                                                                          										goto L22;
                                                                          									}
                                                                          									_t113 =  *_t111( *0x47e17c, 0x800, 0x4287d8,  &_v32, 0); // executed
                                                                          									if(_t113 < 0) {
                                                                          										goto L21;
                                                                          									}
                                                                          									_t114 = _v32;
                                                                          									 *((intOrPtr*)( *_t114 + 8))(_t114);
                                                                          									FreeLibrary(_v28); // executed
                                                                          									_t117 = _v8;
                                                                          									 *((intOrPtr*)( *_t117 + 8))(_t117);
                                                                          									FreeLibrary(_v12); // executed
                                                                          									_t120 = E0041FD0E( &_v24, 8); // executed
                                                                          									return _t120;
                                                                          								}
                                                                          								_t121 = _v16;
                                                                          								 *((intOrPtr*)( *_t121 + 8))(_t121);
                                                                          								_push(3);
                                                                          								goto L14;
                                                                          							}
                                                                          							goto L11;
                                                                          						}
                                                                          						_push(2);
                                                                          						L6:
                                                                          						_pop(0);
                                                                          						goto L15;
                                                                          					}
                                                                          					_push(1);
                                                                          					goto L6;
                                                                          				}
                                                                          				return 0;
                                                                          			}















































                                                                          APIs
                                                                          • LoadLibraryA.KERNEL32(DDRAW.DLL,00000001,00000000,00000000,00000001,<CPUFlags>,00000001,<CPUType>,00000001,<CPUSpeed>,00000001,00000000,00000000,?,?), ref: 0041FF27
                                                                          • GetProcAddress.KERNEL32(00000000,DirectDrawCreate), ref: 0041FF43
                                                                          • NtProtectVirtualMemory.NTDLL(?,00428818,?,?,?,?,00412B18,00000001,00000000,00000000,00000000,00000000,00000000,0047DFB8,?,?), ref: 0041FF6C
                                                                          • FreeLibrary.KERNEL32(?,?,?,?,00412B18,00000001,00000000,00000000,00000000,00000000,00000000,0047DFB8,?,?,00000000), ref: 0041FFEE
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Library$AddressFreeLoadMemoryProcProtectVirtual
                                                                          • String ID: DDRAW.DLL$DINPUT.DLL$DINPUT8.DLL$DMUSIC.DLL$DirectDrawCreate$DirectInput8Create$DirectInputCreateA
                                                                          • API String ID: 2455427899-3038032637
                                                                          • Opcode ID: 13716e16cda4e295f7d045c615a71956f364686ee3ef6c40b621549153a8947e
                                                                          • Instruction ID: 0ac77204e77cf816d812a61ffea9b3b6a34bdbd4df8a9caef812cf474fc0b842
                                                                          • Opcode Fuzzy Hash: 13716e16cda4e295f7d045c615a71956f364686ee3ef6c40b621549153a8947e
                                                                          • Instruction Fuzzy Hash: FB814071B00119EFDB00DBA4DC45EAEBBB8EF49704F60406AF105EB1A1DB759D42CB69
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 94%
                                                                          			E00411811() {
                                                                          				_Unknown_base(*)()* _v8;
                                                                          				void _v526;
                                                                          				short _v528;
                                                                          				int _t29;
                                                                          				long _t37;
                                                                          				long _t40;
                                                                          				CHAR* _t78;
                                                                          				long _t87;
                                                                          
                                                                          				if(( *0x47f290 & 0x00000001) == 0) {
                                                                          					 *0x47f290 =  *0x47f290 | 0x00000001;
                                                                          					E0041BDC5(0x47f298);
                                                                          					E004251DD( *0x47f290, E00411992);
                                                                          				}
                                                                          				_t78 = E00424DD9(0x104);
                                                                          				if(_t78 == 0) {
                                                                          					E0041D881(E0041CD1E(0x47e924));
                                                                          				}
                                                                          				E00424500(_t78, 0, 0x104);
                                                                          				if(( *0x47e192 & 0x00000080) == 0) {
                                                                          					L7:
                                                                          					_v8 = GetProcAddress(LoadLibraryA("KERNEL32.DLL"), "GetShortPathNameW");
                                                                          					_v528 = 0;
                                                                          					memset( &_v526, 0, 0x81 << 2);
                                                                          					asm("stosw");
                                                                          					__eflags =  *0x47e19c; // 0x1
                                                                          					if(__eflags == 0) {
                                                                          						L12:
                                                                          						E0040DF78(0, 2, _t78);
                                                                          						goto L13;
                                                                          					}
                                                                          					__eflags = _v8;
                                                                          					if(_v8 == 0) {
                                                                          						goto L12;
                                                                          					}
                                                                          					_t37 = E0040E110(0, 2,  &_v528); // executed
                                                                          					__eflags = _t37;
                                                                          					_pop(0);
                                                                          					if(_t37 == 0) {
                                                                          						goto L12;
                                                                          					}
                                                                          					_t40 = GetShortPathNameW( &_v528,  &_v528, 0x104);
                                                                          					__eflags = _t40;
                                                                          					if(_t40 != 0) {
                                                                          						WideCharToMultiByte(0, 0,  &_v528, 0xffffffff, _t78, 0x104, 0, 0);
                                                                          					}
                                                                          					goto L13;
                                                                          				} else {
                                                                          					_t87 =  *0x47e19c; // 0x1
                                                                          					if(_t87 == 0) {
                                                                          						goto L7;
                                                                          					}
                                                                          					lstrcpyA(_t78, E0041CD1E(0x47e064));
                                                                          					L13:
                                                                          					if( *((char*)(lstrlenA(_t78) + _t78 - 1)) != 0x5c) {
                                                                          						lstrcatA(_t78, "\\");
                                                                          					}
                                                                          					lstrcatA(_t78, E0041CD1E(0x47e344));
                                                                          					_t29 = lstrlenA(_t78);
                                                                          					_t89 =  *((char*)(_t29 + _t78 - 1)) - 0x5c;
                                                                          					if( *((char*)(_t29 + _t78 - 1)) != 0x5c) {
                                                                          						lstrcatA(_t78, "\\");
                                                                          					}
                                                                          					if(E0041C1FA(0x47f298, _t89, _t78, 1) == 0) {
                                                                          						E0041BF12(0x47f298, _t78);
                                                                          					}
                                                                          					E00424DCE(_t78);
                                                                          					return E0041CD1E(0x47f298);
                                                                          				}
                                                                          			}












                                                                          APIs
                                                                          • lstrcpyA.KERNEL32(00000000,00000000,00000104,0047F2C8,00000000), ref: 0041188F
                                                                          • LoadLibraryA.KERNEL32(KERNEL32.DLL,00000104,0047F2C8,00000000), ref: 0041189F
                                                                          • GetProcAddress.KERNEL32(00000000,GetShortPathNameW), ref: 004118AB
                                                                            • Part of subcall function 0040E110: SHGetSpecialFolderLocation.SHELL32(00000000,00000081,?,00000081,?,004118E9,00000002,?), ref: 0040E11D
                                                                            • Part of subcall function 0040E110: LoadLibraryA.KERNEL32(SHELL32.DLL,?,004118E9,00000002,?), ref: 0040E12C
                                                                            • Part of subcall function 0040E110: GetProcAddress.KERNEL32(00000000,SHGetPathFromIDListW), ref: 0040E138
                                                                            • Part of subcall function 0040E110: SHGetPathFromIDListW.SHELL32(?,?,00000104,?,004118E9,00000002,?), ref: 0040E149
                                                                            • Part of subcall function 0040E110: SHGetMalloc.SHELL32(?), ref: 0040E158
                                                                          • GetShortPathNameW.KERNEL32(?,?,00000104), ref: 004118FE
                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000104,00000000,00000000), ref: 00411914
                                                                          • lstrlenA.KERNEL32(00000000), ref: 0041192D
                                                                          • lstrcatA.KERNEL32(00000000,0042BC5C), ref: 00411942
                                                                          • lstrcatA.KERNEL32(00000000,00000000), ref: 00411950
                                                                          • lstrlenA.KERNEL32(00000000), ref: 00411953
                                                                          • lstrcatA.KERNEL32(00000000,0042BC5C), ref: 00411962
                                                                            • Part of subcall function 0041BDC5: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0041C189,00000000,0047E4D0,00000000), ref: 0041BDD5
                                                                            • Part of subcall function 0041BDC5: GlobalLock.KERNEL32 ref: 0041BDDF
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: lstrcat$AddressGlobalLibraryLoadPathProclstrlen$AllocByteCharFolderFromListLocationLockMallocMultiNameShortSpecialWidelstrcpy
                                                                          • String ID: $G$DG$GetShortPathNameW$KERNEL32.DLL$dG
                                                                          • API String ID: 34222962-200428141
                                                                          • Opcode ID: 66568acae63ccb5684c66ec1d5b77abda51610691b82027195e93ecbe508e087
                                                                          • Instruction ID: 524a24811f81cc76c8cd29adb63b79f761c01f1d81faf01de5f134878f06db49
                                                                          • Opcode Fuzzy Hash: 66568acae63ccb5684c66ec1d5b77abda51610691b82027195e93ecbe508e087
                                                                          • Instruction Fuzzy Hash: EA3116B16012246AD7206362AC5AFFF275CDF85354F5041AFF614A2193CF7C09C2CA6E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 55%
                                                                          			E0040DE4D(signed int _a4, intOrPtr _a8) {
                                                                          				signed int _v8;
                                                                          				union _ULARGE_INTEGER _v12;
                                                                          				signed int _v16;
                                                                          				union _ULARGE_INTEGER _v20;
                                                                          				signed int _v24;
                                                                          				union _ULARGE_INTEGER _v28;
                                                                          				signed int _t26;
                                                                          				void* _t34;
                                                                          				int _t40;
                                                                          				intOrPtr _t44;
                                                                          				intOrPtr* _t49;
                                                                          				struct HINSTANCE__* _t57;
                                                                          
                                                                          				_t57 = LoadLibraryA("KERNEL32.DLL");
                                                                          				if(_t57 == 0) {
                                                                          					L16:
                                                                          					_t26 = 0;
                                                                          					L17:
                                                                          					return _t26;
                                                                          				}
                                                                          				_t49 = GetProcAddress(_t57, "GetDiskFreeSpaceA");
                                                                          				if(GetProcAddress(_t57, "GetDiskFreeSpaceExA") == 0) {
                                                                          					if(_t49 == 0) {
                                                                          						L14:
                                                                          						_push(_t57);
                                                                          						L15:
                                                                          						FreeLibrary();
                                                                          						goto L16;
                                                                          					}
                                                                          					_t34 =  *_t49(_a4,  &_a4,  &_v8,  &_v24,  &_v16);
                                                                          					_push(_t57);
                                                                          					if(_t34 == 0) {
                                                                          						goto L15;
                                                                          					}
                                                                          					FreeLibrary();
                                                                          					if(_a8 == 1 || _a8 == 3) {
                                                                          						_t26 = _a4 * _v8 * _v24;
                                                                          					} else {
                                                                          						_t26 = _a4 * _v8 * _v16;
                                                                          					}
                                                                          					goto L17;
                                                                          				}
                                                                          				_t40 = GetDiskFreeSpaceExA(_a4,  &_v28,  &_v12,  &_v20); // executed
                                                                          				if(_t40 == 0) {
                                                                          					goto L14;
                                                                          				}
                                                                          				FreeLibrary(_t57);
                                                                          				_t44 = _a8;
                                                                          				if(_t44 == 0) {
                                                                          					return _v12.LowPart;
                                                                          				}
                                                                          				if(_t44 == 1) {
                                                                          					return _v20.LowPart;
                                                                          				}
                                                                          				return _v28.LowPart;
                                                                          			}
















                                                                          APIs
                                                                          • LoadLibraryA.KERNEL32(KERNEL32.DLL,0047E1B8,00000000,?,?,004181A7,?,00000001,00000000,?,?,0047DFB8,00000000), ref: 0040DE5A
                                                                          • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceA), ref: 0040DE77
                                                                          • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0040DE81
                                                                          • GetDiskFreeSpaceExA.KERNEL32(00000001,004181A7,00000001,004181A7,?,004181A7,?,00000001,00000000,?,?,0047DFB8,00000000), ref: 0040DE97
                                                                          • FreeLibrary.KERNEL32(00000000,?,004181A7,?,00000001,00000000,?,?,0047DFB8,00000000), ref: 0040DE9E
                                                                          • FreeLibrary.KERNEL32(00000000,?,004181A7,?,00000001,00000000,?,?,0047DFB8,00000000), ref: 0040DEE4
                                                                          • FreeLibrary.KERNEL32(00000000,?,004181A7,?,00000001,00000000,?,?,0047DFB8,00000000), ref: 0040DF11
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: FreeLibrary$AddressProc$DiskLoadSpace
                                                                          • String ID: GetDiskFreeSpaceA$GetDiskFreeSpaceExA$KERNEL32.DLL
                                                                          • API String ID: 3016050134-1388769091
                                                                          • Opcode ID: cac51339aa37a37c0b38b0e3ec0533b737a0eadd2afa2f44f55be0f5c1c07269
                                                                          • Instruction ID: 99b3d4768c8e1177031908bbf476e072c7793a15ef522b5f6e34da5629c1a8af
                                                                          • Opcode Fuzzy Hash: cac51339aa37a37c0b38b0e3ec0533b737a0eadd2afa2f44f55be0f5c1c07269
                                                                          • Instruction Fuzzy Hash: F0212335A0050AEBCB15DBD4CD84CEFB7B8EB95300B508166E502B7290DB34EE0ACBA5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00419D70(void* __eflags) {
                                                                          				char _v16;
                                                                          				int _t17;
                                                                          				struct HWND__* _t23;
                                                                          
                                                                          				E0041BE99( &_v16, 0x47e350);
                                                                          				_t17 = 0;
                                                                          				E0041C047( &_v16, "mutex", 0);
                                                                          				CreateMutexA(0, 1, E0041CD1E( &_v16)); // executed
                                                                          				if(GetLastError() == 0xb7) {
                                                                          					_t23 = FindWindowA("AstrumInstaller", E0041CD1E(0x47e850));
                                                                          					if(_t23 != 0) {
                                                                          						if(IsIconic(_t23) != 0) {
                                                                          							ShowWindow(_t23, 3);
                                                                          						}
                                                                          						SetForegroundWindow(_t23);
                                                                          						_t17 = 1;
                                                                          					}
                                                                          				}
                                                                          				E0041BEFB( &_v16);
                                                                          				return _t17;
                                                                          			}







                                                                          APIs
                                                                            • Part of subcall function 0041BE99: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0042C1D8,00421A71,00000000,00000000,00000000,0042C1D8,00000000,00000001,00000000,00000001,0000005C,00000000,00000000), ref: 0041BEB3
                                                                            • Part of subcall function 0041BE99: GlobalLock.KERNEL32 ref: 0041BED4
                                                                            • Part of subcall function 0041C047: lstrlenA.KERNEL32(00000000,00422D86,0047E788,004221EF,103,00000000,00000000,00000000,00000000,0047E788,00000000), ref: 0041C04F
                                                                            • Part of subcall function 0041C047: GlobalUnlock.KERNEL32(8415FF57), ref: 0041C067
                                                                            • Part of subcall function 0041C047: GlobalReAlloc.KERNEL32 ref: 0041C074
                                                                            • Part of subcall function 0041C047: GlobalLock.KERNEL32 ref: 0041C095
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          • CreateMutexA.KERNEL32(00000000,00000001,00000000,mutex,00000000,0047E350,0047DFB8,00000000,?,00000000), ref: 00419DA1
                                                                          • GetLastError.KERNEL32(?,00000000), ref: 00419DA7
                                                                          • FindWindowA.USER32 ref: 00419DC4
                                                                          • IsIconic.USER32(00000000), ref: 00419DD1
                                                                          • ShowWindow.USER32(00000000,00000003,?,00000000), ref: 00419DDE
                                                                          • SetForegroundWindow.USER32(00000000,?,00000000), ref: 00419DE5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocLockWindow$Unlock$CreateErrorFindForegroundIconicLastMutexShowlstrlen
                                                                          • String ID: AstrumInstaller$PG$mutex
                                                                          • API String ID: 4030978771-2862990435
                                                                          • Opcode ID: 152182e870bd79bf26f4c8501a28129793e7364b919e6823be7903c24ba0705c
                                                                          • Instruction ID: deed96b6678bf80ed0df7a8068bee0f5e1f9b93537221b2de1741e3818a98fb5
                                                                          • Opcode Fuzzy Hash: 152182e870bd79bf26f4c8501a28129793e7364b919e6823be7903c24ba0705c
                                                                          • Instruction Fuzzy Hash: 7301D131741215ABD720BBB6FC9AAEE3728DF10704B50417EF502A21D1DF280E46C6AD
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 50%
                                                                          			_entry_(void* __ebx, void* __edi, void* __esi) {
                                                                          				CHAR* _v8;
                                                                          				intOrPtr* _v24;
                                                                          				intOrPtr _v28;
                                                                          				struct _STARTUPINFOA _v96;
                                                                          				intOrPtr _v100;
                                                                          				intOrPtr _v104;
                                                                          				intOrPtr _v108;
                                                                          				unsigned int _t15;
                                                                          				void* _t17;
                                                                          				signed int _t26;
                                                                          				intOrPtr _t28;
                                                                          				signed int _t34;
                                                                          				void* _t37;
                                                                          				unsigned int _t43;
                                                                          				intOrPtr _t49;
                                                                          
                                                                          				_push(0xffffffff);
                                                                          				_push(0x428828);
                                                                          				_push(E00424EE0);
                                                                          				_push( *[fs:0x0]);
                                                                          				 *[fs:0x0] = _t49;
                                                                          				_push(__esi);
                                                                          				_v28 = _t49 - 0x58;
                                                                          				_t15 = GetVersion();
                                                                          				_t43 = _t15;
                                                                          				 *0x47f344 = 0;
                                                                          				_t34 = _t15 & 0x000000ff;
                                                                          				 *0x47f340 = _t34;
                                                                          				 *0x47f33c = _t34 << 8;
                                                                          				 *0x47f338 = _t15 >> 0x10;
                                                                          				_t17 = E00425509(0);
                                                                          				_pop(_t37);
                                                                          				if(_t17 == 0) {
                                                                          					E004254E5(0x1c);
                                                                          					_pop(_t37);
                                                                          				}
                                                                          				_v8 = 0;
                                                                          				E00426871();
                                                                          				 *0x47f840 = GetCommandLineA();
                                                                          				 *0x47f378 = E0042673F();
                                                                          				E004264F2();
                                                                          				E00426439();
                                                                          				E00424C10();
                                                                          				_v96.dwFlags = 0;
                                                                          				GetStartupInfoA( &_v96);
                                                                          				_v104 = E004263E1();
                                                                          				_t52 = _v96.dwFlags & 0x00000001;
                                                                          				if((_v96.dwFlags & 0x00000001) == 0) {
                                                                          					_t26 = 0xa;
                                                                          				} else {
                                                                          					_t26 = _v96.wShowWindow & 0x0000ffff;
                                                                          				}
                                                                          				_push(_t26);
                                                                          				_push(_v104);
                                                                          				_push(0);
                                                                          				_push(GetModuleHandleA(0)); // executed
                                                                          				_t28 = E00415089(_t37, _t43, _t52); // executed
                                                                          				_v100 = _t28;
                                                                          				E00424C3D(_t28);
                                                                          				_t30 = _v24;
                                                                          				_t39 =  *((intOrPtr*)( *_v24));
                                                                          				_v108 =  *((intOrPtr*)( *_v24));
                                                                          				return E0042625D(0, _t52, _t39, _t30);
                                                                          			}



















                                                                          APIs
                                                                          • GetVersion.KERNEL32 ref: 004253F0
                                                                            • Part of subcall function 00425509: HeapCreate.KERNEL32(00000000,00001000,00000000,00425429,00000000), ref: 0042551A
                                                                            • Part of subcall function 00425509: HeapDestroy.KERNEL32 ref: 00425538
                                                                          • GetCommandLineA.KERNEL32 ref: 0042543E
                                                                          • GetStartupInfoA.KERNEL32(?), ref: 00425469
                                                                          • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0042548C
                                                                            • Part of subcall function 004254E5: ExitProcess.KERNEL32 ref: 00425502
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                                                          • String ID:
                                                                          • API String ID: 2057626494-0
                                                                          • Opcode ID: 87327f868d3716a83783dc37d80a842ebd0ba583f1b6c7b4a5a2c1a7df7ab565
                                                                          • Instruction ID: b8b399e28620826e2cfe63395139c0ad9996e83d5300fc954ab68d58050df6ad
                                                                          • Opcode Fuzzy Hash: 87327f868d3716a83783dc37d80a842ebd0ba583f1b6c7b4a5a2c1a7df7ab565
                                                                          • Instruction Fuzzy Hash: CE2183B1A017249FD714BFA6FC45A6EBBB9EF44714F90413EF80597290DB384481CA98
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 83%
                                                                          			E0041D0FD(void* __ecx) {
                                                                          				int _t14;
                                                                          				signed int _t16;
                                                                          				signed int _t17;
                                                                          				signed int _t18;
                                                                          				signed int _t19;
                                                                          				signed int _t20;
                                                                          				signed int _t21;
                                                                          				signed int _t22;
                                                                          				signed int _t23;
                                                                          				signed int _t24;
                                                                          				signed int _t25;
                                                                          				signed int _t26;
                                                                          				signed int _t27;
                                                                          				signed int _t28;
                                                                          				signed int _t29;
                                                                          				signed int _t30;
                                                                          				signed int _t31;
                                                                          				signed int _t32;
                                                                          				signed int _t33;
                                                                          				signed int _t34;
                                                                          				signed int _t35;
                                                                          				signed int _t36;
                                                                          				signed int _t37;
                                                                          				signed int _t38;
                                                                          				void* _t44;
                                                                          				intOrPtr _t53;
                                                                          				void* _t55;
                                                                          				void* _t111;
                                                                          				intOrPtr _t117;
                                                                          				signed int _t118;
                                                                          				void* _t119;
                                                                          				signed int _t120;
                                                                          				void* _t121;
                                                                          				void* _t126;
                                                                          				void* _t128;
                                                                          
                                                                          				_t55 = __ecx;
                                                                          				_t54 =  *(_t121 + 8);
                                                                          				_t14 = lstrcmpA( *(_t121 + 8), "<IT_Type>"); // executed
                                                                          				_t117 =  *((intOrPtr*)(_t121 + 0x18));
                                                                          				if(_t14 == 0) {
                                                                          					_t53 = E0042504E(_t55, _t117);
                                                                          					if(_t53 == 1 || _t53 == 2 || _t53 == 4) {
                                                                          						 *0x47e65c = _t53;
                                                                          					}
                                                                          				}
                                                                          				_t120 = 0;
                                                                          				_t126 =  *0x47e4dc - _t120; // 0x8
                                                                          				if(_t126 <= 0) {
                                                                          					L8:
                                                                          					if(E00424A30(_t54, "<CommonFiles>") != 0) {
                                                                          						_t16 = E00424A30(_t54, "<Date>");
                                                                          						__eflags = _t16;
                                                                          						if(_t16 != 0) {
                                                                          							_t17 = E00424A30(_t54, "<Desktop>");
                                                                          							__eflags = _t17;
                                                                          							if(_t17 != 0) {
                                                                          								_t18 = E00424A30(_t54, "<DesktopNt>");
                                                                          								__eflags = _t18;
                                                                          								if(_t18 != 0) {
                                                                          									_t19 = E00424A30(_t54, "<FontDir>");
                                                                          									__eflags = _t19;
                                                                          									if(_t19 != 0) {
                                                                          										_t20 = E00424A30(_t54, "<InstallDir>");
                                                                          										__eflags = _t20;
                                                                          										if(_t20 != 0) {
                                                                          											_t21 = E00424A30(_t54, "<ProgramFiles>");
                                                                          											__eflags = _t21;
                                                                          											if(_t21 != 0) {
                                                                          												_t22 = E00424A30(_t54, "<Programs>");
                                                                          												__eflags = _t22;
                                                                          												if(_t22 != 0) {
                                                                          													_t23 = E00424A30(_t54, "<ProgramsNt>");
                                                                          													__eflags = _t23;
                                                                          													if(_t23 != 0) {
                                                                          														_t24 = E00424A30(_t54, "<SetupDir>");
                                                                          														__eflags = _t24;
                                                                          														if(_t24 != 0) {
                                                                          															_t25 = E00424A30(_t54, "<ShortcutDir>");
                                                                          															__eflags = _t25;
                                                                          															if(_t25 != 0) {
                                                                          																_t26 = E00424A30(_t54, "<StartMenu>");
                                                                          																__eflags = _t26;
                                                                          																if(_t26 != 0) {
                                                                          																	_t27 = E00424A30(_t54, "<StartMenuNt>");
                                                                          																	__eflags = _t27;
                                                                          																	if(_t27 != 0) {
                                                                          																		_t28 = E00424A30(_t54, "<StartUp>");
                                                                          																		__eflags = _t28;
                                                                          																		if(_t28 != 0) {
                                                                          																			_t29 = E00424A30(_t54, "<StartUpNt>");
                                                                          																			__eflags = _t29;
                                                                          																			if(_t29 != 0) {
                                                                          																				_t30 = E00424A30(_t54, "<SystemDir>");
                                                                          																				__eflags = _t30;
                                                                          																				if(_t30 != 0) {
                                                                          																					_t31 = E00424A30(_t54, "<SystemDrive>");
                                                                          																					__eflags = _t31;
                                                                          																					if(_t31 != 0) {
                                                                          																						_t32 = E00424A30(_t54, "<TempDir>");
                                                                          																						__eflags = _t32;
                                                                          																						if(_t32 != 0) {
                                                                          																							_t33 = E00424A30(_t54, "<WindowsDir>");
                                                                          																							__eflags = _t33;
                                                                          																							if(_t33 != 0) {
                                                                          																								_t34 = E00424A30(_t54, "<UserName>");
                                                                          																								__eflags = _t34;
                                                                          																								if(_t34 != 0) {
                                                                          																									_t35 = E00424A30(_t54, "<UserCompany>");
                                                                          																									__eflags = _t35;
                                                                          																									if(_t35 != 0) {
                                                                          																										_t36 = E00424A30(_t54, "<UserSerial>");
                                                                          																										__eflags = _t36;
                                                                          																										if(_t36 != 0) {
                                                                          																											_t37 = E00424A30(_t54, "<UninstallerName>");
                                                                          																											__eflags = _t37;
                                                                          																											if(_t37 != 0) {
                                                                          																												_t38 = E00424DD9(0x58);
                                                                          																												__eflags = _t38;
                                                                          																												if(_t38 == 0) {
                                                                          																													_t118 = 0;
                                                                          																													__eflags = 0;
                                                                          																												} else {
                                                                          																													_t118 = E00407ADD(_t38);
                                                                          																												}
                                                                          																												__eflags = _t118;
                                                                          																												if(_t118 == 0) {
                                                                          																													E0041D881(E0041CD1E(0x47e924));
                                                                          																												}
                                                                          																												 *(_t118 + 0x10) =  *(_t118 + 0x10) | 0xffffffff;
                                                                          																												 *(_t118 + 0xc) =  *(_t118 + 0xc) & 0x00000000;
                                                                          																												_t9 = _t118 + 0x44;
                                                                          																												 *_t9 =  *(_t118 + 0x44) & 0x00000000;
                                                                          																												__eflags =  *_t9;
                                                                          																												_t11 = _t118 + 0x14; // 0x14
                                                                          																												E0041BF12(_t11, _t117);
                                                                          																												_t12 = _t118 + 0x48; // 0x48
                                                                          																												E0041BF12(_t12, _t117);
                                                                          																												E0041BF12(_t118, _t54);
                                                                          																												 *((intOrPtr*)(_t118 + 0x54)) = E0042504E(_t118, _t117);
                                                                          																												E0041E87A(0x47e4d0, _t118, 0xffffffff);
                                                                          																												goto L62;
                                                                          																											}
                                                                          																											_push(_t117);
                                                                          																											_t111 = 0x47e5ec;
                                                                          																											L10:
                                                                          																											E0041BF12(_t111);
                                                                          																											goto L62;
                                                                          																										}
                                                                          																										_push(_t117);
                                                                          																										_t111 = 0x47e1d0;
                                                                          																										goto L10;
                                                                          																									}
                                                                          																									_push(_t117);
                                                                          																									_t111 = 0x47e1c4;
                                                                          																									goto L10;
                                                                          																								}
                                                                          																								_push(_t117);
                                                                          																								_t111 = 0x47e1b8;
                                                                          																								goto L10;
                                                                          																							}
                                                                          																							_push(_t117);
                                                                          																							_t111 = 0x47dfbc;
                                                                          																							goto L10;
                                                                          																						}
                                                                          																						_push(_t117);
                                                                          																						_t111 = 0x47e0b8;
                                                                          																						goto L10;
                                                                          																					}
                                                                          																					_push(_t117);
                                                                          																					_t111 = 0x47e0e8;
                                                                          																					goto L10;
                                                                          																				}
                                                                          																				_push(_t117);
                                                                          																				_t111 = 0x47e0a0;
                                                                          																				goto L10;
                                                                          																			}
                                                                          																			_push(_t117);
                                                                          																			_t111 = 0x47e070;
                                                                          																			goto L10;
                                                                          																		}
                                                                          																		_push(_t117);
                                                                          																		_t111 = 0x47e01c;
                                                                          																		goto L10;
                                                                          																	}
                                                                          																	_push(_t117);
                                                                          																	_t111 = 0x47e058;
                                                                          																	goto L10;
                                                                          																}
                                                                          																_push(_t117);
                                                                          																_t111 = 0x47dfec;
                                                                          																goto L10;
                                                                          															}
                                                                          															_push(_t117);
                                                                          															_t111 = 0x47e344;
                                                                          															goto L10;
                                                                          														}
                                                                          														_push(_t117);
                                                                          														_t111 = 0x47e0dc;
                                                                          														goto L10;
                                                                          													}
                                                                          													_push(_t117);
                                                                          													_t111 = 0x47e064;
                                                                          													goto L10;
                                                                          												}
                                                                          												_push(_t117);
                                                                          												_t111 = 0x47e004;
                                                                          												goto L10;
                                                                          											}
                                                                          											_push(_t117);
                                                                          											_t111 = 0x47dfd4;
                                                                          											goto L10;
                                                                          										}
                                                                          										_push(_t117);
                                                                          										_t111 = 0x47e338;
                                                                          										goto L10;
                                                                          									}
                                                                          									_push(_t117);
                                                                          									_t111 = 0x47e04c;
                                                                          									goto L10;
                                                                          								}
                                                                          								_push(_t117);
                                                                          								_t111 = 0x47e07c;
                                                                          								goto L10;
                                                                          							}
                                                                          							_push(_t117);
                                                                          							_t111 = 0x47e034;
                                                                          							goto L10;
                                                                          						}
                                                                          						_push(_t117);
                                                                          						_t111 = 0x47e0f4;
                                                                          						goto L10;
                                                                          					}
                                                                          					_push(_t117);
                                                                          					_t111 = 0x47e088;
                                                                          					goto L10;
                                                                          				} else {
                                                                          					while(1) {
                                                                          						_t119 = E0041E860(0x47e4d0, _t120);
                                                                          						if(E0041C1FA(_t119, _t126, _t54, 1) != 0) {
                                                                          							break;
                                                                          						}
                                                                          						_t120 = _t120 + 1;
                                                                          						_t128 = _t120 -  *0x47e4dc; // 0x8
                                                                          						if(_t128 < 0) {
                                                                          							continue;
                                                                          						}
                                                                          						goto L8;
                                                                          					}
                                                                          					_t3 = _t119 + 0x48; // 0x48
                                                                          					E0041BF12(_t3, _t117);
                                                                          					 *((intOrPtr*)(_t119 + 0x54)) = E0042504E(_t3, _t117);
                                                                          					L62:
                                                                          					_t44 = 1;
                                                                          					return _t44;
                                                                          				}
                                                                          			}

                                                                          APIs
                                                                          • lstrcmpA.KERNEL32(0047DFB8,<IT_Type>,00000004,00000000,?,00000000,004169A9,<IT_Typical>,0042B9BC,00000000,00000000,00000000,00000004,00000000,?,0047DFB8), ref: 0041D10B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: lstrcmp
                                                                          • String ID: $G$4G$8G$<CommonFiles>$<Date>$<Desktop>$<DesktopNt>$<FontDir>$<IT_Type>$<InstallDir>$<ProgramFiles>$<Programs>$<ProgramsNt>$<SetupDir>$<ShortcutDir>$<StartMenu>$<StartMenuNt>$<StartUp>$<StartUpNt>$<SystemDir>$<SystemDrive>$<TempDir>$<UninstallerName>$<UserCompany>$<UserName>$<UserSerial>$<WindowsDir>$DG$LG$XG$dG$pG$|G$G$G
                                                                          • API String ID: 1534048567-2252700996
                                                                          • Opcode ID: 965772f510daaa82eba5f647ce9a628796fcdb8a04c4c29537554b68901b6f2c
                                                                          • Instruction ID: 4f8bdf6965de488ddb8f2261428f405e9a199b5eb2e7349d158717d0bbde119d
                                                                          • Opcode Fuzzy Hash: 965772f510daaa82eba5f647ce9a628796fcdb8a04c4c29537554b68901b6f2c
                                                                          • Instruction Fuzzy Hash: C281C7F5F48322765628A1377C52AB7839DCEA6729770952FF503E11D2EEACC8C1046E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 97%
                                                                          			E0041199C(void* __edi, void* _a4, intOrPtr _a8, struct _FILETIME* _a12, intOrPtr* _a16) {
                                                                          				long _v8;
                                                                          				void _v12;
                                                                          				long _v16;
                                                                          				long _v20;
                                                                          				void _v24;
                                                                          				long _v28;
                                                                          				intOrPtr _v32;
                                                                          				long _v36;
                                                                          				signed int _t117;
                                                                          				void* _t120;
                                                                          				long _t125;
                                                                          				long _t126;
                                                                          				long _t128;
                                                                          				void* _t139;
                                                                          				void* _t142;
                                                                          				intOrPtr _t147;
                                                                          				void* _t150;
                                                                          				intOrPtr _t156;
                                                                          				signed int _t163;
                                                                          				intOrPtr* _t166;
                                                                          				intOrPtr _t167;
                                                                          				long _t186;
                                                                          				void* _t187;
                                                                          				long _t192;
                                                                          				void* _t193;
                                                                          				intOrPtr _t198;
                                                                          				void* _t199;
                                                                          				long _t232;
                                                                          				intOrPtr _t238;
                                                                          				void* _t242;
                                                                          				void* _t244;
                                                                          
                                                                          				_t244 = _a4;
                                                                          				if(_t244 == 0 || _a12 == 0) {
                                                                          					return _t117 | 0xffffffff;
                                                                          				} else {
                                                                          					_t120 = CreateFileA(E0041CD1E(0x47e6c8), 0x80000000, 1, 0, 4, 0x80, 0); // executed
                                                                          					_a4 = _t120;
                                                                          					if(_t120 != 0xffffffff) {
                                                                          						_v8 = 0;
                                                                          						SetFilePointer(_t120,  *0x47f200,  &_v8, 0); // executed
                                                                          						ReadFile(_a4, _t244, 0x40,  &_v16, 0); // executed
                                                                          						_v8 = 0;
                                                                          						_t125 = SetFilePointer(_a4, 0,  &_v8, 1); // executed
                                                                          						_v36 = _t125;
                                                                          						_t12 = _t244 + 0x3c; // 0x217039c
                                                                          						_t126 =  *_t12;
                                                                          						_v28 = _t126;
                                                                          						 *((intOrPtr*)(_t244 + 0x3c)) = 0;
                                                                          						if(_t126 == 0) {
                                                                          							L23:
                                                                          							_v8 = 0;
                                                                          							_t128 = SetFilePointer(_a4, 0,  &_v8, 1); // executed
                                                                          							 *_a16 = _t128 - _v36;
                                                                          							_t102 = _t244 + 0x2c; // 0x0
                                                                          							_t242 = E00424DD9( *_t102 + 1);
                                                                          							if(_t242 == 0) {
                                                                          								E0041D881(E0041CD1E(0x47e924));
                                                                          							}
                                                                          							_t104 = _t244 + 0x2c; // 0x0
                                                                          							ReadFile(_a4, _t242,  *_t104,  &_v16, 0);
                                                                          							_t106 = _t244 + 0x2c; // 0x0
                                                                          							 *((char*)(_t242 +  *_t106)) = 0;
                                                                          							E0041BF12(_a8, _t242);
                                                                          							E00424DCE(_t242);
                                                                          							GetFileTime(_a4, 0, 0, _a12);
                                                                          							_t139 =  *0x47f28c; // 0x2070010
                                                                          							if(_t139 != 0) {
                                                                          								E00424DCE(_t139);
                                                                          							}
                                                                          							_t111 = _t244 + 0x30; // 0x2170394
                                                                          							_t142 = E00424DD9( *_t111 << 2);
                                                                          							 *0x47f28c = _t142;
                                                                          							if(_t142 == 0) {
                                                                          								E0041D881(E0041CD1E(0x47e924));
                                                                          							}
                                                                          							_t113 = _t244 + 0x30; // 0x2170394
                                                                          							ReadFile(_a4,  *0x47f28c,  *_t113 << 2,  &_v16, 0);
                                                                          							_t147 =  *0x42bf9c; // 0x1
                                                                          							 *0x47f21c = _t147;
                                                                          							_t116 = _t244 + 0x30; // 0x2170394
                                                                          							 *0x47e290 =  *_t116; // executed
                                                                          							FindCloseChangeNotification(_a4); // executed
                                                                          							_push(1);
                                                                          							L30:
                                                                          							_pop(_t150);
                                                                          							return _t150;
                                                                          						}
                                                                          						_t156 = E00424DD9(0xc);
                                                                          						 *((intOrPtr*)(_t244 + 0x3c)) = _t156;
                                                                          						if(_t156 == 0) {
                                                                          							E0041D881(E0041CD1E(0x47e924));
                                                                          						}
                                                                          						_t16 = _t244 + 0x3c; // 0x217039c
                                                                          						 *((intOrPtr*)( *_t16)) = _v28;
                                                                          						_t18 = _t244 + 0x3c; // 0x217039c
                                                                          						 *((intOrPtr*)( *_t18 + 8)) = 0;
                                                                          						ReadFile(_a4,  &_v24, 4,  &_v16, 0);
                                                                          						_t23 = _t244 + 0x3c; // 0x217039c
                                                                          						 *((intOrPtr*)( *_t23 + 4)) = _v24;
                                                                          						_t163 = _v24;
                                                                          						if(_t163 <= 0) {
                                                                          							goto L23;
                                                                          						} else {
                                                                          							_v28 = _t163;
                                                                          							_t166 = E00424DD9(4 + _t163 * 0x1c);
                                                                          							if(_t166 == 0) {
                                                                          								_t167 = 0;
                                                                          								L14:
                                                                          								_t43 = _t244 + 0x3c; // 0x217039c
                                                                          								 *((intOrPtr*)( *_t43 + 8)) = _t167;
                                                                          								_t45 = _t244 + 0x3c; // 0x217039c
                                                                          								if( *((intOrPtr*)( *_t45 + 8)) == 0) {
                                                                          									E0041D881(E0041CD1E(0x47e924));
                                                                          								}
                                                                          								_v28 = 0;
                                                                          								if(_v24 > 0) {
                                                                          									_v20 = 0;
                                                                          									do {
                                                                          										ReadFile(_a4,  &_v12, 4,  &_v16, 0);
                                                                          										_v8 = 0;
                                                                          										if(_v12 > 0) {
                                                                          											_t192 = SetFilePointer(_a4, 0,  &_v8, 1);
                                                                          											_t193 = E0041CD1E(0x47e6c8);
                                                                          											_t58 = _t244 + 0x3c; // 0x217039c
                                                                          											E0041CAC5( *((intOrPtr*)( *_t58 + 8)) + _v20, _t193, _t192, _v12);
                                                                          										}
                                                                          										_v8 = 0;
                                                                          										SetFilePointer(_a4, _v12,  &_v8, 1);
                                                                          										ReadFile(_a4,  &_v12, 4,  &_v16, 0);
                                                                          										_t68 = _t244 + 0x3c; // 0x217039c
                                                                          										 *((intOrPtr*)( *((intOrPtr*)( *_t68 + 8)) + _v20 + 0xc)) = _v12;
                                                                          										ReadFile(_a4,  &_v12, 4,  &_v16, 0);
                                                                          										_v8 = 0;
                                                                          										if(_v12 > 0) {
                                                                          											_t186 = SetFilePointer(_a4, 0,  &_v8, 1);
                                                                          											_t187 = E0041CD1E(0x47e6c8);
                                                                          											_t83 = _t244 + 0x3c; // 0x217039c
                                                                          											E0041CAC5( *((intOrPtr*)( *_t83 + 8)) + _v20 + 0x10, _t187, _t186, _v12);
                                                                          										}
                                                                          										_v8 = 0;
                                                                          										SetFilePointer(_a4, _v12,  &_v8, 1);
                                                                          										_v28 = _v28 + 1;
                                                                          										_v20 = _v20 + 0x1c;
                                                                          									} while (_v28 < _v24);
                                                                          								}
                                                                          								goto L23;
                                                                          							}
                                                                          							_t232 = _v28;
                                                                          							 *_t166 = _t232;
                                                                          							_t198 = _t166 + 4;
                                                                          							_v32 = _t198;
                                                                          							_t238 = _t198;
                                                                          							_t199 = _t232 - 1;
                                                                          							_v20 = _t238;
                                                                          							if(_t199 < 0) {
                                                                          								L12:
                                                                          								_t167 = _v32;
                                                                          								goto L14;
                                                                          							}
                                                                          							_v12 = _t238 + 0x10;
                                                                          							_v28 = _t199 + 1;
                                                                          							do {
                                                                          								E0041BDC5(_v20);
                                                                          								E0041BDC5(_v12);
                                                                          								_v20 = _v20 + 0x1c;
                                                                          								_v12 = _v12 + 0x1c;
                                                                          								_t40 =  &_v28;
                                                                          								 *_t40 = _v28 - 1;
                                                                          							} while ( *_t40 != 0);
                                                                          							goto L12;
                                                                          						}
                                                                          					}
                                                                          					_push(0xfffffffe);
                                                                          					goto L30;
                                                                          				}
                                                                          			}
                                                                          0x00411ac4
                                                                          0x00411acc
                                                                          0x00411ad1
                                                                          0x00411ad5
                                                                          0x00411ad9
                                                                          0x00411ad9
                                                                          0x00411ad9
                                                                          0x00000000
                                                                          0x00411ac1
                                                                          0x00411a86
                                                                          0x004119e3
                                                                          0x00000000
                                                                          0x004119e3

                                                                          APIs
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000004,00000080,00000000,00000000,00000000,0047E880,?,?,000000C0,000000BC,00000003,0047E880), ref: 004119D5
                                                                          • SetFilePointer.KERNEL32(00000000,00000003,00000000,00000003), ref: 00411A00
                                                                          • ReadFile.KERNEL32(?,0047E880,00000040,?,00000000), ref: 00411A0D
                                                                          • SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 00411A20
                                                                          • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 00411A72
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: File$Global$PointerRead$AllocCreateLockUnlock
                                                                          • String ID: $G$$G$$G$$G
                                                                          • API String ID: 2060509727-2871775856
                                                                          • Opcode ID: 8cd4d2b2247adbff645a87426702630cb84ac2af7220db2543cf6aa1f784a6c8
                                                                          • Instruction ID: e23cb7d3721408e8b3984eaefd08ecb3d1a621e16b0613ce2ece1385832bfd3b
                                                                          • Opcode Fuzzy Hash: 8cd4d2b2247adbff645a87426702630cb84ac2af7220db2543cf6aa1f784a6c8
                                                                          • Instruction Fuzzy Hash: 44B13AB5900209EFDB10DFA5DC81DEEBBB9FB08344F50856AF605A7261D734AA81CB64
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 90%
                                                                          			E0041246C(void* __ecx, void* __edx, intOrPtr* _a4) {
                                                                          				intOrPtr _v0;
                                                                          				char _v12;
                                                                          				intOrPtr _v16;
                                                                          				char _v20;
                                                                          				char _v24;
                                                                          				char _v28;
                                                                          				intOrPtr _v32;
                                                                          				void* _v36;
                                                                          				void* _v40;
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				void* __ebp;
                                                                          				void* _t39;
                                                                          				signed char _t41;
                                                                          				signed int _t53;
                                                                          				signed int _t57;
                                                                          				signed int _t60;
                                                                          				signed int _t71;
                                                                          				CHAR* _t74;
                                                                          				void* _t77;
                                                                          				CHAR* _t79;
                                                                          				CHAR* _t82;
                                                                          				void* _t85;
                                                                          				CHAR* _t87;
                                                                          				void* _t90;
                                                                          				CHAR* _t92;
                                                                          				void* _t99;
                                                                          				intOrPtr _t112;
                                                                          				intOrPtr _t113;
                                                                          				void* _t114;
                                                                          				void* _t155;
                                                                          				int _t156;
                                                                          				void* _t157;
                                                                          				void* _t158;
                                                                          				struct HDC__* _t159;
                                                                          				void* _t160;
                                                                          				void* _t161;
                                                                          				void* _t162;
                                                                          				void* _t163;
                                                                          				void* _t164;
                                                                          				void* _t165;
                                                                          				void* _t166;
                                                                          				void* _t167;
                                                                          
                                                                          				_t155 = __edx;
                                                                          				_t162 =  &_v24;
                                                                          				_t158 = __ecx;
                                                                          				_t114 = 0;
                                                                          				 *((intOrPtr*)(__ecx + 8)) = _a4;
                                                                          				_t163 =  *0x47f27c - _t114; // 0x1
                                                                          				if(_t163 == 0) {
                                                                          					L5:
                                                                          					_t156 = 3;
                                                                          					_t167 =  *0x47e338 - _t156; // 0x10
                                                                          					if(_t167 <= 0) {
                                                                          						L7:
                                                                          						E0041A69C();
                                                                          						 *0x47e658 = 1;
                                                                          						E00414C1B(_t155, _t156, _t160, _t114, _t114);
                                                                          						_t39 = E00411DF7(_t158, _t168); // executed
                                                                          						if(_t39 == 0) {
                                                                          							L12:
                                                                          							return 0;
                                                                          						}
                                                                          						_t41 = 2;
                                                                          						if(( *0x47e18c & _t41) == 0) {
                                                                          							L10:
                                                                          							if(( *0x47e18c & 0x00000004) == 0) {
                                                                          								L13:
                                                                          								__eflags =  *0x47f27c - _t114; // 0x1
                                                                          								_t157 = SetWindowTextA;
                                                                          								_t161 = GetDlgItem;
                                                                          								 *0x47e658 = 4;
                                                                          								if(__eflags == 0) {
                                                                          									_t92 = E0041CD1E(0x47eed0);
                                                                          									_t7 = _t158 + 8; // 0x0
                                                                          									SetWindowTextA(GetDlgItem( *_t7, 0x14), _t92);
                                                                          								}
                                                                          								E00414C1B(_t155, _t157, _t161, _t114, _t114);
                                                                          								E00414C1B(_t155, _t157, _t161, _t114, _t114);
                                                                          								 *0x47e819 = 1;
                                                                          								_v40 = _t114;
                                                                          								_v36 = _t114;
                                                                          								E0041BDC5( &_v28);
                                                                          								_v12 = 0x47e380;
                                                                          								do {
                                                                          									_t162 = _t162 - 0xc;
                                                                          									_v16 =  *_a4;
                                                                          									E0041BE99(_t162,  &_v12);
                                                                          									_push( &_v24);
                                                                          									_push( &_v28);
                                                                          									_push(_v0);
                                                                          									_push(_v20);
                                                                          									E00413399(_t158); // executed
                                                                          									_v28 = _v28 + 0x44;
                                                                          									__eflags = _v28 - 0x47e490;
                                                                          								} while (_v28 < 0x47e490);
                                                                          								__eflags = _v32 - _t114;
                                                                          								if(_v32 <= _t114) {
                                                                          									__eflags =  *0x47f27c - _t114; // 0x1
                                                                          									 *0x47e658 = 5;
                                                                          									if(__eflags == 0) {
                                                                          										_t87 = E0041CD1E(0x47eee8);
                                                                          										_t24 = _t158 + 8; // 0x0
                                                                          										SetWindowTextA(GetDlgItem( *_t24, 0x14), _t87);
                                                                          									}
                                                                          									E00414C1B(_t155, _t157, _t161, _t114, _t114);
                                                                          									_t53 = E00413211();
                                                                          									__eflags = _t53;
                                                                          									if(_t53 == 0) {
                                                                          										_t85 = E0041CD1E(0x47eef4);
                                                                          										_t25 = _t158 + 8; // 0x0
                                                                          										E0041B2A8( *_t25, _t85, _t114);
                                                                          									}
                                                                          									__eflags =  *0x47f27c - _t114; // 0x1
                                                                          									 *0x47e658 = 6;
                                                                          									if(__eflags == 0) {
                                                                          										_t82 = E0041CD1E(0x47ef00);
                                                                          										_t26 = _t158 + 8; // 0x0
                                                                          										SetWindowTextA(GetDlgItem( *_t26, 0x14), _t82);
                                                                          									}
                                                                          									E00414C1B(_t155, _t157, _t161, _t114, _t114);
                                                                          									E00412E58();
                                                                          									__eflags =  *0x47f27c - _t114; // 0x1
                                                                          									 *0x47e658 = 7;
                                                                          									if(__eflags == 0) {
                                                                          										_t79 = E0041CD1E(0x47ef0c);
                                                                          										_t27 = _t158 + 8; // 0x0
                                                                          										SetWindowTextA(GetDlgItem( *_t27, 0x14), _t79);
                                                                          									}
                                                                          									E00414C1B(_t155, _t157, _t161, _t114, _t114);
                                                                          									_t57 = E00410891(_t114, _t158, _t155, _t157, __eflags); // executed
                                                                          									__eflags = _t57;
                                                                          									if(_t57 == 0) {
                                                                          										_t77 = E0041CD1E(0x47ef18);
                                                                          										_t28 = _t158 + 8; // 0x0
                                                                          										E0041B2A8( *_t28, _t77, _t114);
                                                                          									}
                                                                          									__eflags =  *0x47f27c - _t114; // 0x1
                                                                          									 *0x47e658 = 8;
                                                                          									if(__eflags == 0) {
                                                                          										_t74 = E0041CD1E(0x47ef24);
                                                                          										_t29 = _t158 + 8; // 0x0
                                                                          										SetWindowTextA(GetDlgItem( *_t29, 0x14), _t74);
                                                                          									}
                                                                          									E00414C1B(_t155, _t157, _t161, _t114, _t114);
                                                                          									E00413CFF(_t157, __eflags, 0x47e548);
                                                                          									_t30 = _t158 + 8; // 0x0
                                                                          									_t60 = E00422E9C(0x47e788,  *_t30); // executed
                                                                          									__eflags = _t60;
                                                                          									if(_t60 == 0) {
                                                                          										L44:
                                                                          										E0041BEFB( &_v20);
                                                                          										return _t114;
                                                                          									} else {
                                                                          										E00414C1B(_t155, _t157, _t161, 0x64, _t114);
                                                                          										__eflags =  *0x47e610 - _t114; // 0x0
                                                                          										if(__eflags != 0) {
                                                                          											L38:
                                                                          											__eflags =  *0x47f27c - _t114; // 0x1
                                                                          											if(__eflags != 0) {
                                                                          												L40:
                                                                          												E00423F22(__eflags); // executed
                                                                          												E00423F52(); // executed
                                                                          												E00424003();
                                                                          												L41:
                                                                          												__eflags =  *0x47e610 - _t114; // 0x0
                                                                          												if(__eflags == 0) {
                                                                          													SHChangeNotify(0x8000000, _t114, _t114, _t114); // executed
                                                                          												}
                                                                          												_t114 = 1;
                                                                          												goto L44;
                                                                          											}
                                                                          											L39:
                                                                          											E0040FC45(0x47f208);
                                                                          											_t159 = GetDC( *0x47e178);
                                                                          											BitBlt(_t159, _t114, _t114,  *0x47e170,  *0x47e174,  *0x47e184, _t114, _t114, 0xcc0020);
                                                                          											ReleaseDC( *0x47e178, _t159);
                                                                          											goto L41;
                                                                          										}
                                                                          										__eflags =  *0x47e4a0 - _t114; // 0x1
                                                                          										_t71 =  *0x47e190; // 0x2080c08
                                                                          										if(__eflags > 0) {
                                                                          											L35:
                                                                          											__eflags =  *0x47f27c - _t114; // 0x1
                                                                          											if(__eflags != 0) {
                                                                          												goto L40;
                                                                          											}
                                                                          											__eflags = _t71 & 0x00010000;
                                                                          											if((_t71 & 0x00010000) == 0) {
                                                                          												goto L39;
                                                                          											}
                                                                          											ShellExecuteA(_t114, "open", E00411811(), _t114, 0x42e0c8, 1);
                                                                          											goto L38;
                                                                          										}
                                                                          										__eflags = _t71 & 0x00020000;
                                                                          										if((_t71 & 0x00020000) != 0) {
                                                                          											goto L38;
                                                                          										}
                                                                          										goto L35;
                                                                          									}
                                                                          								}
                                                                          								_t90 = E0041CD1E(0x47eedc);
                                                                          								_t23 = _t158 + 8; // 0x0
                                                                          								E0041B2A8( *_t23, _t90, _t114);
                                                                          								goto L44;
                                                                          							}
                                                                          							 *0x47e658 = _t156;
                                                                          							E00414C1B(_t155, _t156, _t160, _t114, _t114);
                                                                          							if(E004102F6(_t158) != 0) {
                                                                          								goto L13;
                                                                          							}
                                                                          							goto L12;
                                                                          						}
                                                                          						 *0x47e658 = _t41;
                                                                          						if(E004105CA(_t158) == 0) {
                                                                          							goto L12;
                                                                          						}
                                                                          						goto L10;
                                                                          					}
                                                                          					_t99 = E0040DC10(E0041CD1E(0x47e338), _t114); // executed
                                                                          					_t168 = _t99;
                                                                          					if(_t99 == 0) {
                                                                          						goto L12;
                                                                          					}
                                                                          					goto L7;
                                                                          				}
                                                                          				E004237B5();
                                                                          				E00423832();
                                                                          				E004238F0(_t163);
                                                                          				E00423920(_t163);
                                                                          				E00423950(_t163);
                                                                          				E00423980();
                                                                          				E00423A3D();
                                                                          				E00423C00();
                                                                          				E00423D1A();
                                                                          				E00423E34();
                                                                          				E00423EF2(_t163);
                                                                          				E0041938D(0x47dfb8);
                                                                          				_t164 =  *0x47f27c - _t114; // 0x1
                                                                          				if(_t164 == 0) {
                                                                          					goto L5;
                                                                          				}
                                                                          				_t112 =  *0x47e654; // 0x0
                                                                          				_t165 = _t112 -  *0x47e64c; // 0x13
                                                                          				if(_t165 < 0) {
                                                                          					goto L5;
                                                                          				}
                                                                          				if(_t165 > 0) {
                                                                          					goto L12;
                                                                          				}
                                                                          				_t113 =  *0x47e650; // 0x207a58a
                                                                          				_t166 = _t113 -  *0x47e648; // 0xfff01000
                                                                          				if(_t166 > 0) {
                                                                          					goto L12;
                                                                          				}
                                                                          				goto L5;
                                                                          			}

                                                                          APIs
                                                                            • Part of subcall function 00423A3D: lstrcatA.KERNEL32(00000000,00000000,?,?,?,?,?,?,0047E50C,00000000,00000000,FFFFFFFF,0000000E,00000000,0047DFB8), ref: 00423B13
                                                                            • Part of subcall function 00423A3D: lstrcatA.KERNEL32(FFFFFFFF,00000000,?,?,?,?,?,?,0047E50C,00000000,00000000,FFFFFFFF,0000000E,00000000,0047DFB8), ref: 00423B23
                                                                            • Part of subcall function 00423A3D: lstrcatA.KERNEL32(00000000,00000000,?,?,?,?,?,?,0047E50C,00000000,00000000,FFFFFFFF,0000000E,00000000,0047DFB8), ref: 00423B31
                                                                            • Part of subcall function 00423C00: lstrcatA.KERNEL32(00000000,00000000,0047E50C,00000000,00000000,00415294,00000000,?,?,00000000), ref: 00423C7C
                                                                            • Part of subcall function 00423D1A: lstrcatA.KERNEL32(00000000,00000000,0047E50C,00000000,00000000,00415294,00000000,?,?,00000000), ref: 00423D96
                                                                          • GetDlgItem.USER32 ref: 004125B0
                                                                          • SetWindowTextA.USER32(00000000), ref: 004125B3
                                                                          • GetDlgItem.USER32 ref: 00412671
                                                                          • SetWindowTextA.USER32(00000000), ref: 00412674
                                                                          • GetDlgItem.USER32 ref: 004126C5
                                                                          • SetWindowTextA.USER32(00000000), ref: 004126C8
                                                                          • GetDlgItem.USER32 ref: 004126FC
                                                                          • SetWindowTextA.USER32(00000000), ref: 004126FF
                                                                          • GetDlgItem.USER32 ref: 00412750
                                                                          • SetWindowTextA.USER32(00000000), ref: 00412753
                                                                          • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,0042E0C8,00000001), ref: 004127CA
                                                                          • GetDC.USER32(00000064), ref: 004127E8
                                                                          • BitBlt.GDI32(00000000,00000000,00000000,00000000,00000000,00CC0020), ref: 0041280C
                                                                          • ReleaseDC.USER32 ref: 00412819
                                                                          • SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 00412840
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: ItemTextWindowlstrcat$ChangeExecuteNotifyReleaseShell
                                                                          • String ID: $G$8G$D$open$G
                                                                          • API String ID: 3128010893-949649186
                                                                          • Opcode ID: fac09a023166b0941ac6e7ca7f52c8df8d85831ec59260659e9c2906b036ed5e
                                                                          • Instruction ID: 5d0c258a8902059559151b4f9015483af753c4e75ea8ed3ef354697f97ce35a3
                                                                          • Opcode Fuzzy Hash: fac09a023166b0941ac6e7ca7f52c8df8d85831ec59260659e9c2906b036ed5e
                                                                          • Instruction Fuzzy Hash: D99107702002406BDB10BB77AD95AEE3A5EEB9870CF40457FF509922A2CB7D4CC58B6D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 63%
                                                                          			E0040DF78(void* __ecx, void* _a4, void* _a8) {
                                                                          				struct _ITEMIDLIST* _v8;
                                                                          				int _v12;
                                                                          				long _t26;
                                                                          				void* _t29;
                                                                          				char* _t31;
                                                                          				char* _t33;
                                                                          				long _t34;
                                                                          				long _t37;
                                                                          				char* _t38;
                                                                          				long _t39;
                                                                          				long _t49;
                                                                          				int _t51;
                                                                          
                                                                          				_t51 = _a4;
                                                                          				if(_t51 == 2 || _t51 == 7 || _t51 == 0x10 || _t51 == 0x14 || _t51 == 0xb || _t51 == 5) {
                                                                          					_a4 = 0;
                                                                          					_t26 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", 0, 0x20019,  &_a4); // executed
                                                                          					if(_t26 != 0) {
                                                                          						goto L31;
                                                                          					}
                                                                          					_v12 = 0x104;
                                                                          					_t33 = "Programs";
                                                                          					if(_t51 != 7) {
                                                                          						if(_t51 != 0x10) {
                                                                          							if(_t51 != 0x14) {
                                                                          								if(_t51 != 0xb) {
                                                                          									if(_t51 == 5) {
                                                                          										_t33 = "Personal";
                                                                          									}
                                                                          								} else {
                                                                          									_t33 = "Start Menu";
                                                                          								}
                                                                          							} else {
                                                                          								_t33 = "Fonts";
                                                                          							}
                                                                          						} else {
                                                                          							_t33 = "Desktop";
                                                                          						}
                                                                          					} else {
                                                                          						_t33 = "Startup";
                                                                          					}
                                                                          					_t34 = RegQueryValueExA(_a4, _t33, 0, 0, _a8,  &_v12); // executed
                                                                          					_push(_a4);
                                                                          					_t49 = _t34; // executed
                                                                          					goto L30;
                                                                          				} else {
                                                                          					if(_t51 == 0x17 || _t51 == 0x18 || _t51 == 0x19 || _t51 == 0x16) {
                                                                          						_a4 = 0;
                                                                          						_t37 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", 0, 0x20019,  &_a4); // executed
                                                                          						if(_t37 == 0) {
                                                                          							_v12 = 0x104;
                                                                          							_t38 = "Common Programs";
                                                                          							if(_t51 != 0x18) {
                                                                          								if(_t51 != 0x19) {
                                                                          									if(_t51 == 0x16) {
                                                                          										_t38 = "Common Start Menu";
                                                                          									}
                                                                          								} else {
                                                                          									_t38 = "Common Desktop";
                                                                          								}
                                                                          							} else {
                                                                          								_t38 = "Common Startup";
                                                                          							}
                                                                          							_t39 = RegQueryValueExA(_a4, _t38, 0, 0, _a8,  &_v12); // executed
                                                                          							_push(_a4);
                                                                          							_t49 = _t39;
                                                                          							L30:
                                                                          							RegCloseKey(); // executed
                                                                          							if(_t49 == 0) {
                                                                          								goto L34;
                                                                          							}
                                                                          						}
                                                                          						goto L31;
                                                                          					} else {
                                                                          						L31:
                                                                          						_v8 = 0;
                                                                          						if(SHGetSpecialFolderLocation(0, _t51,  &_v8) != 0) {
                                                                          							_t29 = 0;
                                                                          							L36:
                                                                          							return _t29;
                                                                          						}
                                                                          						__imp__SHGetPathFromIDListA(_v8, _a8);
                                                                          						_a8 = 0;
                                                                          						__imp__SHGetMalloc( &_a8);
                                                                          						_t31 = _a8;
                                                                          						if(_t31 != 0) {
                                                                          							 *((intOrPtr*)( *_t31 + 0x14))(_t31, _v8);
                                                                          						}
                                                                          						L34:
                                                                          						_t29 = 1;
                                                                          						goto L36;
                                                                          					}
                                                                          				}
                                                                          			}
















                                                                          APIs
                                                                          • RegOpenKeyExA.KERNEL32(80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,00020019,00000081,00000000,00000000,00000104,00000081,00000081,?,00411924,00000002,00000000), ref: 0040DFEA
                                                                          • RegQueryValueExA.KERNEL32(00000104,Common Programs,00000000,00000000,?,00000104), ref: 0040E033
                                                                          • RegOpenKeyExA.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,00020019,00000081,00000000,00000000,00000104,00000081,00000081,?,00411924,00000002,00000000), ref: 0040E057
                                                                          • RegQueryValueExA.KERNEL32(00000104,Programs,00000000,00000000,?,00000104), ref: 0040E0B4
                                                                          • RegCloseKey.KERNEL32(00000104), ref: 0040E0BF
                                                                          • SHGetSpecialFolderLocation.SHELL32(00000000,00000081,?,?,00411924,00000002,00000000), ref: 0040E0D2
                                                                          • SHGetPathFromIDListA.SHELL32(?,?,?,00411924,00000002,00000000), ref: 0040E0E2
                                                                          • SHGetMalloc.SHELL32(?), ref: 0040E0EF
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: OpenQueryValue$CloseFolderFromListLocationMallocPathSpecial
                                                                          • String ID: Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Fonts$Personal$Programs$Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders$Start Menu$Startup
                                                                          • API String ID: 175098910-3641352306
                                                                          • Opcode ID: 6591bdff9099b8907568320f9021f16a7d5070ed30756caa1d5b83c3fd258b09
                                                                          • Instruction ID: 22bfc95c8168e83bac89af4885a95f852bd8d2d22320a31b80b39fd04e5471fe
                                                                          • Opcode Fuzzy Hash: 6591bdff9099b8907568320f9021f16a7d5070ed30756caa1d5b83c3fd258b09
                                                                          • Instruction Fuzzy Hash: AD41E671A00138BBDF204F59DC889FE7769DB00354B86883BFA15B7291C3B98D91979A
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 85%
                                                                          			E004160A6(void* __ecx, void* __eflags) {
                                                                          				char _v6;
                                                                          				char _v7;
                                                                          				char _v8;
                                                                          				CHAR* _v12;
                                                                          				char _v16;
                                                                          				char _v32;
                                                                          				char _v52;
                                                                          				void* _t107;
                                                                          				void* _t111;
                                                                          				CHAR* _t114;
                                                                          				int _t133;
                                                                          				signed int _t140;
                                                                          				signed int _t203;
                                                                          				signed int _t204;
                                                                          				void* _t236;
                                                                          				void* _t237;
                                                                          				void* _t238;
                                                                          				intOrPtr _t248;
                                                                          
                                                                          				_t236 = __ecx;
                                                                          				_t1 = _t236 + 0x58; // 0x47e010
                                                                          				_t2 = _t236 + 0x4c; // 0x47e004
                                                                          				E00416462(__ecx, 2, _t2, _t1);
                                                                          				_t3 = _t236 + 0x70; // 0x47e028
                                                                          				_t4 = _t236 + 0x64; // 0x47e01c
                                                                          				E00416462(_t236, 7, _t4, _t3);
                                                                          				_t5 = _t236 + 0x88; // 0x47e040
                                                                          				_t6 = _t236 + 0x7c; // 0x47e034
                                                                          				E00416462(_t236, 0x10, _t6, _t5); // executed
                                                                          				_t7 = _t236 + 0x94; // 0x47e04c
                                                                          				E00416462(_t236, 0x14, _t7, 0);
                                                                          				_t8 = _t236 + 0x40; // 0x47dff8
                                                                          				_t9 = _t236 + 0x34; // 0x47dfec
                                                                          				E00416462(_t236, 0xb, _t9, _t8);
                                                                          				_t248 =  *0x47e19c; // 0x1
                                                                          				_t10 = _t236 + 0xac; // 0x47e064
                                                                          				_push(0);
                                                                          				if(_t248 == 0) {
                                                                          					_push(2);
                                                                          					E00416462(_t236);
                                                                          					_t14 = _t236 + 0xb8; // 0x47e070
                                                                          					E00416462(_t236, 7, _t14, 0);
                                                                          					_t15 = _t236 + 0xc4; // 0x47e07c
                                                                          					E00416462(_t236, 0x10, _t15, 0);
                                                                          					_t16 = _t236 + 0xa0; // 0x47e058
                                                                          					_push(0);
                                                                          					_push(0xb);
                                                                          				} else {
                                                                          					_push(0x17);
                                                                          					E00416462(_t236);
                                                                          					_t11 = _t236 + 0xb8; // 0x47e070
                                                                          					E00416462(_t236, 0x18, _t11, 0);
                                                                          					_t12 = _t236 + 0xc4; // 0x47e07c
                                                                          					E00416462(_t236, 0x19, _t12, 0);
                                                                          					_t13 = _t236 + 0xa0; // 0x47e058
                                                                          					_push(0);
                                                                          					_push(0x16);
                                                                          				}
                                                                          				E00416462(_t236);
                                                                          				_t17 = _t236 + 0x118; // 0x47e0d0
                                                                          				E00416462(_t236, 5, _t17, 0); // executed
                                                                          				_t107 = E0041DAE7(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", "ProgramFilesDir",  &_v16); // executed
                                                                          				if(_t107 <= 0) {
                                                                          					_t23 = _t236 + 0x1c; // 0x47dfd4
                                                                          					E0041BF12(_t23, "C:\\Program Files");
                                                                          					_t24 = _t236 + 0x28; // 0x47dfe0
                                                                          					E0041BF12(_t24, "C:\\Progra~1");
                                                                          				} else {
                                                                          					_t19 = _t236 + 0x28; // 0x47dfe0
                                                                          					_t20 = _t236 + 0x1c; // 0x47dfd4
                                                                          					E00416031(_v16, _t20, _t19); // executed
                                                                          					E00424DCE(_v16);
                                                                          				}
                                                                          				_t111 = E0041DAE7(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", "CommonFilesDir",  &_v16); // executed
                                                                          				if(_t111 <= 0) {
                                                                          					_t30 = _t236 + 0xd0; // 0x47e088
                                                                          					E0041BF12(_t30, "C:\\Program Files\\Common Files");
                                                                          					_t31 = _t236 + 0x28; // 0x47dfe0
                                                                          					E0041BF12(_t31, "C:\\Progra~1\\Common~1");
                                                                          				} else {
                                                                          					_t26 = _t236 + 0xdc; // 0x47e094
                                                                          					_t27 = _t236 + 0xd0; // 0x47e088
                                                                          					E00416031(_v16, _t27, _t26); // executed
                                                                          					E00424DCE(_v16);
                                                                          				}
                                                                          				_t114 = E00424DD9(0x104);
                                                                          				_v12 = _t114;
                                                                          				if(_t114 == 0) {
                                                                          					E0041D881(E0041CD1E(0x47e924));
                                                                          				}
                                                                          				E00424500(_v12, 0, 0x104);
                                                                          				GetWindowsDirectoryA(_v12, 0x104);
                                                                          				_t35 = _t236 + 0x10; // 0x47dfc8
                                                                          				_t36 = _t236 + 4; // 0x47dfbc
                                                                          				E00416031(_v12, _t36, _t35); // executed
                                                                          				E00424500(_v12, 0, 0x104);
                                                                          				GetSystemDirectoryA(_v12, 0x104);
                                                                          				_t40 = _t236 + 0xf4; // 0x47e0ac
                                                                          				_t41 = _t236 + 0xe8; // 0x47e0a0
                                                                          				E00416031(_v12, _t41, _t40); // executed
                                                                          				E00424500(_v12, 0, 0x104);
                                                                          				GetTempPathA(0x104, _v12);
                                                                          				_t45 = _t236 + 0x10c; // 0x47e0c4
                                                                          				_t46 = _t236 + 0x100; // 0x47e0b8
                                                                          				E00416031(_v12, _t46, _t45); // executed
                                                                          				E00424DCE(_v12);
                                                                          				_t49 = _t236 + 0xe8; // 0x47e0a0
                                                                          				_v8 = E0041BFE3(_t49, 0);
                                                                          				_t52 = _t236 + 0x130; // 0x47e0e8
                                                                          				_v7 = 0x3a;
                                                                          				_v6 = 0;
                                                                          				E0041BF12(_t52,  &_v8);
                                                                          				_t133 = GetDateFormatA(0x800, 0, 0, 0, 0, 0); // executed
                                                                          				GetDateFormatA(0x800, 0, 0, 0,  &_v52, _t133);
                                                                          				_t57 = _t236 + 0x13c; // 0x47e0f4
                                                                          				E0041BF12(_t57,  &_v52);
                                                                          				if(E00424DD9(0x58) == 0) {
                                                                          					_t237 = 0;
                                                                          				} else {
                                                                          					_t237 = E00407ADD(_t138);
                                                                          				}
                                                                          				if(_t237 == 0) {
                                                                          					E0041D881(E0041CD1E(0x47e924));
                                                                          				}
                                                                          				E0041BF12(_t237, "<DS2000>");
                                                                          				 *(_t237 + 0x10) =  *(_t237 + 0x10) | 0xffffffff;
                                                                          				 *((intOrPtr*)(_t237 + 0x44)) = 0;
                                                                          				 *((intOrPtr*)(_t237 + 0xc)) = 1;
                                                                          				_t140 = E0041DF41(0x7d0);
                                                                          				_t203 = 0x3c;
                                                                          				_t204 = 0x18;
                                                                          				 *(_t237 + 0x54) = _t140 / _t203 / _t204;
                                                                          				E004278E9(_t140 / _t203 / _t204,  &_v32, 0xa);
                                                                          				_t73 = _t237 + 0x48; // 0x48
                                                                          				E0041BF12(_t73,  &_v32);
                                                                          				E0041E87A(0x47e4d0, _t237, 0xffffffff);
                                                                          				if(E00424DD9(0x58) == 0) {
                                                                          					_t238 = 0;
                                                                          				} else {
                                                                          					_t238 = E00407ADD(_t147);
                                                                          				}
                                                                          				if(_t238 == 0) {
                                                                          					E0041D881(E0041CD1E(0x47e924));
                                                                          				}
                                                                          				E0041BF12(_t238, "<IsAdmin>");
                                                                          				 *(_t238 + 0x10) =  *(_t238 + 0x10) | 0xffffffff;
                                                                          				 *((intOrPtr*)(_t238 + 0x44)) = 0;
                                                                          				 *((intOrPtr*)(_t238 + 0xc)) = 1;
                                                                          				 *(_t238 + 0x54) = E0041E3EF() & 0x000000ff;
                                                                          				E004278E9(E0041E3EF() & 0x000000ff,  &_v32, 0xa);
                                                                          				_t81 = _t238 + 0x48; // 0x48
                                                                          				E0041BF12(_t81,  &_v32);
                                                                          				return E0041E87A(0x47e4d0, _t238, 0xffffffff);
                                                                          			}






















                                                                          APIs
                                                                          • GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,C:\Progra~1\Common~1,C:\Program Files\Common Files,?,?,C:\Progra~1,C:\Program Files,0047E010,?,0047DFB8), ref: 00416284
                                                                            • Part of subcall function 0041BF12: GlobalUnlock.KERNEL32(0217020C,00000104,00000000,0041929A,00000000), ref: 0041BF19
                                                                            • Part of subcall function 0041BF12: GlobalReAlloc.KERNEL32 ref: 0041BF3B
                                                                            • Part of subcall function 0041BF12: GlobalLock.KERNEL32 ref: 0041BF5C
                                                                            • Part of subcall function 0041BF12: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0047DFB8), ref: 0041BF2C
                                                                          • GetSystemDirectoryA.KERNEL32 ref: 004162AD
                                                                            • Part of subcall function 00416031: lstrlenA.KERNEL32(?,0047DFB8), ref: 0041603F
                                                                            • Part of subcall function 00416031: GetShortPathNameA.KERNEL32 ref: 0041608B
                                                                          • GetTempPathA.KERNEL32(00000104,00000000,?,?,?,00000000,0047E0A0,0047E0AC,?,C:\Progra~1\Common~1,C:\Program Files\Common Files,?,?,C:\Progra~1,C:\Program Files,0047E010), ref: 004162DC
                                                                          • GetDateFormatA.KERNEL32(00000800,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,0047E0B8,0047E0C4,?,?,?,00000000,0047E0A0), ref: 00416338
                                                                          • GetDateFormatA.KERNEL32(00000800,00000000,00000000,00000000,?,00000000,?,?,?,00000000,0047E0A0,0047E0AC,?,C:\Progra~1\Common~1,C:\Program Files\Common Files), ref: 00416347
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$DateDirectoryFormatPathlstrlen$AllocLockNameShortSystemTempUnlockWindows
                                                                          • String ID: $G$$G$$G$:$<DS2000>$<IsAdmin>$C:\Program Files$C:\Program Files\Common Files$C:\Progra~1$C:\Progra~1\Common~1$CommonFilesDir$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                                                                          • API String ID: 880143930-1700843775
                                                                          • Opcode ID: 1284512ab85f13844a776da148625e7314c0ea8e3898f022a80803ed96c005fa
                                                                          • Instruction ID: 24f78961b44f3abf352852fb93801fee76432e43d9f7ad736ed7ab52a5e3c0d5
                                                                          • Opcode Fuzzy Hash: 1284512ab85f13844a776da148625e7314c0ea8e3898f022a80803ed96c005fa
                                                                          • Instruction Fuzzy Hash: 10A109B1A006187EDB24F7A1DC82EFF77ACEF44708F00452FF55692181DF68A9858B68
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 82%
                                                                          			E0041A393(void* __eflags) {
                                                                          				void _v5;
                                                                          				void* _v12;
                                                                          				long _v16;
                                                                          				void _v20;
                                                                          				struct _OVERLAPPED* _v24;
                                                                          				void _v28;
                                                                          				void _v32;
                                                                          				void _v36;
                                                                          				void _v40;
                                                                          				void _v44;
                                                                          				long _v48;
                                                                          				long _v52;
                                                                          				long _v56;
                                                                          				char _v68;
                                                                          				signed int _t92;
                                                                          				signed int _t93;
                                                                          				long _t110;
                                                                          				void* _t112;
                                                                          				struct _OVERLAPPED* _t118;
                                                                          				signed int _t120;
                                                                          				void* _t129;
                                                                          				void _t135;
                                                                          				void* _t136;
                                                                          				char _t151;
                                                                          				void* _t152;
                                                                          				signed char _t160;
                                                                          				char _t162;
                                                                          				void* _t185;
                                                                          				intOrPtr _t187;
                                                                          
                                                                          				_t92 = CreateFileA(E0041CD1E(0x47e6c8), 0x80000000, 1, 0, 3, 0x80, 0); // executed
                                                                          				_t185 = _t92;
                                                                          				_t93 = _t92 | 0xffffffff;
                                                                          				_v12 = _t185;
                                                                          				if(_t185 != _t93) {
                                                                          					_v16 = 0;
                                                                          					_v52 = 0;
                                                                          					_v48 = GetFileSize(_t185,  &_v52);
                                                                          					_v24 = 8;
                                                                          					_v40 = 0;
                                                                          					_v44 = 0;
                                                                          					SetFilePointer(_t185, 0xfffffff8, 0, 2); // executed
                                                                          					ReadFile(_t185,  &_v40, 4,  &_v16, 0); // executed
                                                                          					ReadFile(_v12,  &_v44, 4,  &_v16, 0); // executed
                                                                          					if(_v40 != 0xb1c2d3e || _v44 != 0x12345678) {
                                                                          						SetFilePointer(_v12, 0x198, 0, 0);
                                                                          						_v36 = 0;
                                                                          						_v28 = 0;
                                                                          						ReadFile(_v12,  &_v36, 4,  &_v16, 0);
                                                                          						ReadFile(_v12,  &_v28, 4,  &_v16, 0);
                                                                          						_t110 = _v36;
                                                                          						if(_t110 == 0 || _t110 > _v48 || _v28 == 0) {
                                                                          							L26:
                                                                          							E0041B2A8(0,  *0x42c488, 0);
                                                                          							_push(0xfffffffb);
                                                                          							goto L27;
                                                                          						} else {
                                                                          							_v56 = 0;
                                                                          							SetFilePointer(_v12, _t110,  &_v56, 0);
                                                                          							_v24 = 0;
                                                                          							while(1) {
                                                                          								SetFilePointer(_v12, 0xffffffff, 0, 1);
                                                                          								_v5 = 0;
                                                                          								ReadFile(_v12,  &_v5, 1,  &_v16, 0);
                                                                          								if(_v5 != 0) {
                                                                          									break;
                                                                          								}
                                                                          								SetFilePointer(_v12, 0xffffffff, 0, 1);
                                                                          								_v24 =  &(_v24->Internal);
                                                                          								if(_v24 < 8) {
                                                                          									continue;
                                                                          								}
                                                                          								break;
                                                                          							}
                                                                          							_t118 = _v24;
                                                                          							_v36 = _v36 - _t118;
                                                                          							_v28 = _v28 + _t118;
                                                                          							_t120 = _v28 + 8;
                                                                          							_v24 = _t120;
                                                                          							SetFilePointer(_v12,  ~_t120, 0, 2);
                                                                          							ReadFile(_v12,  &_v40, 4,  &_v16, 0);
                                                                          							ReadFile(_v12,  &_v44, 4,  &_v16, 0);
                                                                          							if(_v40 != 0xb1c2d3e || _v44 != 0x12345678) {
                                                                          								goto L26;
                                                                          							} else {
                                                                          								goto L11;
                                                                          							}
                                                                          						}
                                                                          					} else {
                                                                          						L11:
                                                                          						_push(2);
                                                                          						_push(0);
                                                                          						_v20 = 0;
                                                                          						_t129 = 0xfffffffc;
                                                                          						SetFilePointer(_v12, _t129 - _v24, ??, ??); // executed
                                                                          						ReadFile(_v12,  &_v20, 4,  &_v16, 0);
                                                                          						_t135 = _v20;
                                                                          						if(_t135 == 0xffffffff) {
                                                                          							_v20 = 0;
                                                                          							 *0x47e114 = 1;
                                                                          							L18:
                                                                          							_push(2);
                                                                          							_push(0);
                                                                          							_t136 = 0xfffffff8;
                                                                          							SetFilePointer(_v12, _t136 - _v20 - _v24, ??, ??); // executed
                                                                          							_v32 = 0;
                                                                          							if(ReadFile(_v12,  &_v32, 4,  &_v16, 0) != 0) {
                                                                          								_t187 = _v48;
                                                                          								__eflags = _t187 - _v32 - _v20 - _v24 - 8 - 0x3e8;
                                                                          								if(_t187 - _v32 - _v20 - _v24 - 8 > 0x3e8) {
                                                                          									L24:
                                                                          									E0041B2A8(0,  *0x42c48c, 0);
                                                                          									_push(0xfffffffc);
                                                                          									L27:
                                                                          									_pop(_t112);
                                                                          									return _t112;
                                                                          								}
                                                                          								CloseHandle(_v12);
                                                                          								_t151 = E0041CAC5(0x47e2f0, E0041CD1E(0x47e6c8), _v32, _t187 - _v32 - _v20 - _v24 - 8); // executed
                                                                          								__eflags = _t151;
                                                                          								if(_t151 >= 0) {
                                                                          									_t152 = E0041C8FD(0x47e2f0, 0xe8);
                                                                          									__eflags = _t152 - _v32;
                                                                          									if(_t152 == _v32) {
                                                                          										_push(1);
                                                                          										goto L27;
                                                                          									}
                                                                          									goto L24;
                                                                          								}
                                                                          								_push(0xfffffffd);
                                                                          								goto L27;
                                                                          							}
                                                                          							CloseHandle(_v12);
                                                                          							_push(0xfffffffe);
                                                                          							goto L27;
                                                                          						}
                                                                          						if(_t135 > 0x3e8) {
                                                                          							goto L24;
                                                                          						}
                                                                          						E0041CAC5(0x47df68, E0041CD1E(0x47e6c8), _v48 - _t135 - _v24 - 4, _t135); // executed
                                                                          						E0041BE99( &_v68, 0x47df68);
                                                                          						if(E0041C2E0( &_v68) != 0) {
                                                                          							E0041DCD0(__eflags,  &_v68);
                                                                          							_t160 = E0041C2E0( &_v68);
                                                                          							asm("sbb al, al");
                                                                          							_t162 =  ~_t160 + 1;
                                                                          							__eflags = _t162;
                                                                          							 *0x47e114 = _t162;
                                                                          						} else {
                                                                          							 *0x47e114 = 1;
                                                                          						}
                                                                          						E0041BEFB( &_v68);
                                                                          						goto L18;
                                                                          					}
                                                                          				}
                                                                          				return _t93;
                                                                          			}

































                                                                          APIs
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,0047DFB8), ref: 0041A3B9
                                                                          • GetFileSize.KERNEL32(00000000,?,?,0047DFB8), ref: 0041A3DA
                                                                          • SetFilePointer.KERNEL32(00000000,000000F8,00000000,00000002,?,0047DFB8), ref: 0041A3FC
                                                                          • ReadFile.KERNEL32(00000000,?,00000004,?,00000000,?,0047DFB8), ref: 0041A410
                                                                          • ReadFile.KERNEL32(0047DFB8,?,00000004,?,00000000,?,0047DFB8), ref: 0041A420
                                                                          • SetFilePointer.KERNEL32(0047DFB8,00000198,00000000,00000000,?,0047DFB8), ref: 0041A442
                                                                          • ReadFile.KERNEL32(0047DFB8,?,00000004,?,00000000,?,0047DFB8), ref: 0041A458
                                                                          • ReadFile.KERNEL32(0047DFB8,?,00000004,?,00000000,?,0047DFB8), ref: 0041A468
                                                                          • SetFilePointer.KERNEL32(0047DFB8,?,?,00000000,?,0047DFB8), ref: 0041A493
                                                                          • SetFilePointer.KERNEL32(0047DFB8,000000FF,00000000,00000001,?,0047DFB8), ref: 0041A4A0
                                                                          • ReadFile.KERNEL32(0047DFB8,?,00000001,?,00000000,?,0047DFB8), ref: 0041A4B3
                                                                          • SetFilePointer.KERNEL32(0047DFB8,000000FF,00000000,00000001,?,0047DFB8), ref: 0041A4C2
                                                                          • SetFilePointer.KERNEL32(0047DFB8,?,00000000,00000002,?,0047DFB8), ref: 0041A4E8
                                                                          • ReadFile.KERNEL32(0047DFB8,0B1C2D3E,00000004,?,00000000,?,0047DFB8), ref: 0041A4F8
                                                                          • ReadFile.KERNEL32(0047DFB8,?,00000004,?,00000000,?,0047DFB8), ref: 0041A508
                                                                          • SetFilePointer.KERNEL32(0047DFB8,00000008,00000000,00000002,?,0047DFB8), ref: 0041A534
                                                                          • ReadFile.KERNEL32(0047DFB8,0041690F,00000004,?,00000000,?,0047DFB8), ref: 0041A544
                                                                          • SetFilePointer.KERNEL32(0047DFB8,00000008,00000000,00000002,?,0047DFB8), ref: 0041A5DE
                                                                          • ReadFile.KERNEL32(0047DFB8,?,00000004,?,00000000,?,0047DFB8), ref: 0041A5F1
                                                                          • CloseHandle.KERNEL32(0047DFB8,?,0047DFB8), ref: 0041A5FA
                                                                          • CloseHandle.KERNEL32(0047DFB8,?,0047DFB8), ref: 0041A622
                                                                            • Part of subcall function 0041CAC5: CreateFileA.KERNEL32(0047DFB8,80000000,00000001,00000000,00000003,00000080,00000000,74E5FBD0,0047E2F0,00000000,?,0047DFB8), ref: 0041CAE5
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: File$Read$Pointer$Global$CloseCreateHandle$AllocLockSizeUnlock
                                                                          • String ID:
                                                                          • API String ID: 903399669-0
                                                                          • Opcode ID: 10fab780dbe6762485953172a9353f9cca6116cf811c5eddf77569a964fb74da
                                                                          • Instruction ID: 8fa286661f634b855119dcbb4edcbf0a63debd4ddf1a163e064186f337e81dee
                                                                          • Opcode Fuzzy Hash: 10fab780dbe6762485953172a9353f9cca6116cf811c5eddf77569a964fb74da
                                                                          • Instruction Fuzzy Hash: 7BA14CB1D4121DBEDF11DBA8CC85EEEBBBCEB04314F10426AF611B2190CB345E858B69
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 86%
                                                                          			E0041A81A(void* __eflags, intOrPtr* _a4) {
                                                                          				CHAR* _v8;
                                                                          				CHAR* _v12;
                                                                          				char _v24;
                                                                          				void _v283;
                                                                          				char _v284;
                                                                          				void* _t29;
                                                                          				void* _t34;
                                                                          				signed int _t36;
                                                                          				long _t42;
                                                                          				void* _t45;
                                                                          				void* _t57;
                                                                          				void* _t71;
                                                                          				signed int _t73;
                                                                          				void* _t75;
                                                                          				signed int _t76;
                                                                          				int _t90;
                                                                          				signed int _t117;
                                                                          				intOrPtr _t140;
                                                                          				CHAR* _t141;
                                                                          
                                                                          				_t140 =  *_a4;
                                                                          				_t29 = E0041CD1E(_a4);
                                                                          				_t90 = 0;
                                                                          				if(_t140 <= 0) {
                                                                          					return _t29;
                                                                          				}
                                                                          				while( *((char*)(_t90 + _t29)) != 0x3c) {
                                                                          					_t90 = _t90 + 1;
                                                                          					if(_t90 < _t140) {
                                                                          						continue;
                                                                          					}
                                                                          					return _t29;
                                                                          				}
                                                                          				E0041BE35( &_v24, E0041CD1E(0x47e338));
                                                                          				_t34 = E0041BFE3( &_v24, _v24 - 1);
                                                                          				__eflags = _t34 - 0x5c;
                                                                          				if(_t34 == 0x5c) {
                                                                          					__eflags = _v24 - 1;
                                                                          					E0041C3A9( &_v24, _v24 - 1, 1);
                                                                          				}
                                                                          				_t141 = E00424DD9(0x104);
                                                                          				__eflags = _t141;
                                                                          				_v12 = _t141;
                                                                          				if(_t141 == 0) {
                                                                          					E0041D881(E0041CD1E(0x47e924));
                                                                          				}
                                                                          				_t36 = E00424DD9(0x104);
                                                                          				__eflags = _t36;
                                                                          				_v8 = _t36;
                                                                          				if(_t36 == 0) {
                                                                          					E0041D881(E0041CD1E(0x47e924));
                                                                          				}
                                                                          				E00424500(_t141, 0, 0x104);
                                                                          				E00424500(_v8, 0, 0x104);
                                                                          				GetShortPathNameA(E0041CD1E( &_v24), _t141, 0x104); // executed
                                                                          				__eflags =  *0x47f2c4 & 0x00000001;
                                                                          				if(( *0x47f2c4 & 0x00000001) == 0) {
                                                                          					 *0x47f2c4 =  *0x47f2c4 | 0x00000001;
                                                                          					__eflags =  *0x47f2c4;
                                                                          					E0041BDC5(0x47f2c8);
                                                                          					E004251DD(__eflags, E0041AAC3);
                                                                          				}
                                                                          				__eflags =  *0x47f2c8; // 0x4b
                                                                          				if(__eflags == 0) {
                                                                          					_t71 = E00411811(); // executed
                                                                          					E0041BF12(0x47f2c8, _t71);
                                                                          					_t73 =  *0x47f2c8; // 0x4b
                                                                          					_t75 = E0041BFE3(0x47f2c8, _t73 - 1);
                                                                          					__eflags = _t75 - 0x5c;
                                                                          					if(_t75 == 0x5c) {
                                                                          						_t76 =  *0x47f2c8; // 0x4b
                                                                          						__eflags = _t76 - 1;
                                                                          						E0041C3A9(0x47f2c8, _t76 - 1, 1);
                                                                          					}
                                                                          				}
                                                                          				_t42 = GetFileAttributesA(E0041CD1E(0x47f2c8)); // executed
                                                                          				__eflags = _t42 - 0xffffffff;
                                                                          				if(_t42 == 0xffffffff) {
                                                                          					lstrcpyA(_v8, E0041CD1E(0x47f2c8));
                                                                          				} else {
                                                                          					GetShortPathNameA(E0041CD1E(0x47f2c8), _v8, 0x104); // executed
                                                                          				}
                                                                          				_t45 = E0041CD1E(0x47e1b8);
                                                                          				_t136 = _a4;
                                                                          				E0041CBF9(_a4, __eflags, "<UserName>", _t45, 0, 0, 1);
                                                                          				E0041CBF9(_a4, __eflags, "<UserCompany>", E0041CD1E(0x47e1c4), 0, 0, 1);
                                                                          				E0041CBF9(_a4, __eflags, "<UserSerial>", E0041CD1E(0x47e1d0), 0, 0, 1);
                                                                          				E0041CBF9(_t136, __eflags, "<ShortInstallDir>", _v12, 0, 0, 1);
                                                                          				E0041CBF9(_t136, __eflags, "<ShortShortcutDir>", _v8, 0, 0, 1);
                                                                          				E0041CBF9(_t136, __eflags, "<InstallDir>", E0041CD1E( &_v24), 0, 0, 1);
                                                                          				E0041CBF9(_t136, __eflags, "<ShortcutDir>", E0041CD1E(0x47f2c8), 0, 0, 1);
                                                                          				_push(1);
                                                                          				_push(0);
                                                                          				_push("<UninstallerName>");
                                                                          				_t57 = E0041C6D0(_t136);
                                                                          				__eflags = _t57 - 0xffffffff;
                                                                          				if(_t57 != 0xffffffff) {
                                                                          					__eflags = 0;
                                                                          					_t117 = 0x40;
                                                                          					_v284 = 0;
                                                                          					memset( &_v283, 0, _t117 << 2);
                                                                          					asm("stosw");
                                                                          					asm("stosb");
                                                                          					_push( &_v284);
                                                                          					E00422A86();
                                                                          					E0041CBF9(_a4, __eflags, "<UninstallerName>", E0041CD1E(0x47e5ec), 0, 0, 1);
                                                                          					_t136 = _a4;
                                                                          				}
                                                                          				E0041CBF9(_t136, __eflags, "<ResourceDir>", E0041CD1E(0x47e628), 0, 0, 1);
                                                                          				E00424DCE(_v12);
                                                                          				E00424DCE(_v8);
                                                                          				return E0041BEFB( &_v24);
                                                                          			}

                                                                          APIs
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          • GetShortPathNameA.KERNEL32 ref: 0041A8E4
                                                                          • GetFileAttributesA.KERNEL32(00000000,?,0047E5F8,-00000001,00000000,00000000), ref: 0041A955
                                                                          • GetShortPathNameA.KERNEL32 ref: 0041A96C
                                                                          • lstrcpyA.KERNEL32(00000000,00000000,0047E5F8,-00000001,00000000,00000000), ref: 0041A97F
                                                                            • Part of subcall function 0041CBF9: lstrlenA.KERNEL32(00000000,00000001,0042DB90,74E06980,0042DB90,?,0041C63B,0042D4D0,00000000,00000000,00000001,00000001), ref: 0041CC0B
                                                                            • Part of subcall function 0041CBF9: lstrlenA.KERNEL32(00000001,?,0041C63B,0042D4D0,00000000,00000000,00000001,00000001), ref: 0041CC12
                                                                            • Part of subcall function 0041C6D0: lstrlenA.KERNEL32(0047E788,00000000,0042C1D8,00000001,00000000,0000005C,00000000,00000000,0047E490,0047E788,00000000), ref: 0041C6DE
                                                                            • Part of subcall function 00422A86: lstrcpyA.KERNEL32(00000000,00000000,0047E5EC,7FFFFFFF,0047E5EC,0047E5EC,?,<UninstallerName>,0041AA6C,?,<UninstallerName>,00000000,00000001,<ShortcutDir>,00000000,00000000), ref: 00422ABE
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Globallstrlen$NamePathShortlstrcpy$AllocAttributesFileLockUnlock
                                                                          • String ID: $G$$G$(G$8G$<InstallDir>$<ResourceDir>$<ShortInstallDir>$<ShortShortcutDir>$<ShortcutDir>$<UninstallerName>$<UserCompany>$<UserName>$<UserSerial>$G
                                                                          • API String ID: 1113622837-4177031203
                                                                          • Opcode ID: 3d1607b8f73a2c2afd69416ffdef5a6a823f980733f46d813cb227c95a6c8cda
                                                                          • Instruction ID: 874ebafecc23487caac4c4c48189ade3aae39415cb4fe47aee413111b46b1fdd
                                                                          • Opcode Fuzzy Hash: 3d1607b8f73a2c2afd69416ffdef5a6a823f980733f46d813cb227c95a6c8cda
                                                                          • Instruction Fuzzy Hash: 7561E3B0B401187ADB1477A6ACC6EFE261EDB84748F60006FF105A62D2CF6D4DC6866E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 88%
                                                                          			E0040DC10(char _a4, char _a5, char _a6, signed int _a7, char _a8) {
                                                                          				CHAR* _v8;
                                                                          				int _v12;
                                                                          				signed int _v16;
                                                                          				CHAR* _v20;
                                                                          				signed int _v24;
                                                                          				char _v36;
                                                                          				CHAR* _t60;
                                                                          				CHAR* _t61;
                                                                          				char _t63;
                                                                          				struct _SECURITY_ATTRIBUTES* _t68;
                                                                          				int _t75;
                                                                          				struct _SECURITY_ATTRIBUTES* _t77;
                                                                          				signed int _t78;
                                                                          				int _t79;
                                                                          				long _t80;
                                                                          				signed int _t102;
                                                                          				struct _SECURITY_ATTRIBUTES* _t125;
                                                                          				signed int _t127;
                                                                          				CHAR* _t129;
                                                                          				CHAR* _t130;
                                                                          				CHAR* _t131;
                                                                          				void* _t132;
                                                                          
                                                                          				_t129 = _a4;
                                                                          				if(_t129 == 0 ||  *_t129 == 0) {
                                                                          					__eflags = 0;
                                                                          					return 0;
                                                                          				} else {
                                                                          					_t60 = E00424DD9(0x104);
                                                                          					_v8 = _t60;
                                                                          					if(_t60 == 0) {
                                                                          						E0041D881(E0041CD1E(0x47e924));
                                                                          					}
                                                                          					_t61 = E00424DD9(0x104);
                                                                          					_v20 = _t61;
                                                                          					if(_t61 == 0) {
                                                                          						E0041D881(E0041CD1E(0x47e924));
                                                                          					}
                                                                          					GetCurrentDirectoryA(0x104, _v20);
                                                                          					_t5 =  &(_t129[1]); // 0x0
                                                                          					_t63 =  *_t5;
                                                                          					if(_t63 != 0x3a || _t129[2] != 0x5c) {
                                                                          						__eflags =  *_t129 - 0x5c;
                                                                          						if( *_t129 != 0x5c) {
                                                                          							goto L35;
                                                                          						}
                                                                          						__eflags = _t63 - 0x5c;
                                                                          						if(_t63 != 0x5c) {
                                                                          							goto L35;
                                                                          						}
                                                                          						_t13 =  &(_t129[2]); // 0x47e882
                                                                          						_t68 = E004248B0(_t13, 0x5c);
                                                                          						__eflags = _t68;
                                                                          						if(_t68 == 0) {
                                                                          							goto L35;
                                                                          						}
                                                                          						_t125 = E004248B0( &(_t68->nLength), 0x5c);
                                                                          						__eflags = _t125;
                                                                          						if(_t125 == 0) {
                                                                          							goto L37;
                                                                          						}
                                                                          						__eflags = _t125->nLength;
                                                                          						_t15 =  &(_t125->nLength); // 0x1
                                                                          						_a4 = _t15;
                                                                          						if(_t125->nLength == 0) {
                                                                          							goto L37;
                                                                          						}
                                                                          						_t125->nLength = _t125->nLength & 0x00000000;
                                                                          						__eflags = _t125->nLength;
                                                                          						SetCurrentDirectoryA(_t129);
                                                                          						_t130 = _a4;
                                                                          						 *_t125 = 0x5c;
                                                                          						goto L15;
                                                                          					} else {
                                                                          						_a7 = _a7 & 0x00000000;
                                                                          						_a4 =  *_t129;
                                                                          						_a5 = 0x3a;
                                                                          						_a6 = 0x5c;
                                                                          						SetCurrentDirectoryA( &_a4); // executed
                                                                          						_t130 =  &(_t129[3]);
                                                                          						L15:
                                                                          						GetCurrentDirectoryA(0x104, _v8);
                                                                          						_a7 = _a7 & 0x00000000;
                                                                          						if( *(lstrlenA(_t130) + _t130 - 1) == 0x5c) {
                                                                          							 *(lstrlenA(_t130) + _t130 - 1) =  *(_t92 + _t130 - 1) & 0x00000000;
                                                                          							_a7 = 1;
                                                                          						}
                                                                          						_v24 = _v24 & 0x00000000;
                                                                          						_t75 = lstrlenA(_t130);
                                                                          						_v16 = _v16 & 0x00000000;
                                                                          						_v12 = _t75;
                                                                          						while(1) {
                                                                          							_t127 = _v24;
                                                                          							while(_t127 < _v12) {
                                                                          								if( *(_t127 + _t130) == 0x5c) {
                                                                          									__eflags = _t127 - _v12;
                                                                          									break;
                                                                          								}
                                                                          								_t127 = _t127 + 1;
                                                                          							}
                                                                          							if(__eflags > 0) {
                                                                          								SetCurrentDirectoryA(_v20); // executed
                                                                          								L37:
                                                                          								_t102 = 1;
                                                                          								L38:
                                                                          								E00424DCE(_v8);
                                                                          								E00424DCE(_v20);
                                                                          								return _t102;
                                                                          							}
                                                                          							 *(_t127 + _t130) =  *(_t127 + _t130) & 0x00000000;
                                                                          							_t131 =  &(_t130[_v16]);
                                                                          							_t77 = SetCurrentDirectoryA(_t131); // executed
                                                                          							__eflags = _t77;
                                                                          							if(_t77 != 0) {
                                                                          								L27:
                                                                          								_t130 = _t131 - _v16;
                                                                          								__eflags = _t127 - _v12;
                                                                          								_t78 = _t127 + 1;
                                                                          								_v16 = _t78;
                                                                          								if(__eflags != 0) {
                                                                          									L29:
                                                                          									 *(_t127 + _t130) = 0x5c;
                                                                          									L30:
                                                                          									_v24 = _t78;
                                                                          									continue;
                                                                          								}
                                                                          								__eflags = _a7;
                                                                          								if(__eflags == 0) {
                                                                          									goto L30;
                                                                          								}
                                                                          								goto L29;
                                                                          							}
                                                                          							_t79 = CreateDirectoryA(_t131, _t77); // executed
                                                                          							__eflags = _t79;
                                                                          							if(_t79 == 0) {
                                                                          								__eflags = _a8;
                                                                          								if(_a8 == 0) {
                                                                          									_t80 = GetLastError();
                                                                          									E0041BDC5( &_v36);
                                                                          									_push(_t131);
                                                                          									E0041C467( &_v36, "Couldn\'t create directory \'%s\'.");
                                                                          									__eflags = _t80 - 5;
                                                                          									if(_t80 == 5) {
                                                                          										E0041C047( &_v36, " Error: Access denied; You may not have required privileges for installing this software. Please have your system administrator (or other user with higher privileges) install this software.", 0);
                                                                          									}
                                                                          									E0041B2A8( *0x47e178, E0041CD1E( &_v36), 0);
                                                                          									E0041BEFB( &_v36);
                                                                          								}
                                                                          								L35:
                                                                          								_t102 = 0;
                                                                          								goto L38;
                                                                          							}
                                                                          							SetCurrentDirectoryA(_t131); // executed
                                                                          							E00424500(_v8, 0, 0x104);
                                                                          							_t132 = _t132 + 0xc;
                                                                          							GetCurrentDirectoryA(0x104, _v8);
                                                                          							_push(0x47e7ac);
                                                                          							_push(_v8);
                                                                          							E00421CE6(__eflags);
                                                                          							goto L27;
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          			}
                                                                          0x0040dcfe
                                                                          0x00000000
                                                                          0x0040dc86
                                                                          0x0040dc88
                                                                          0x0040dc8c
                                                                          0x0040dc93
                                                                          0x0040dc97
                                                                          0x0040dc9b
                                                                          0x0040dca1
                                                                          0x0040dd01
                                                                          0x0040dd05
                                                                          0x0040dd11
                                                                          0x0040dd1d
                                                                          0x0040dd22
                                                                          0x0040dd27
                                                                          0x0040dd27
                                                                          0x0040dd2b
                                                                          0x0040dd30
                                                                          0x0040dd32
                                                                          0x0040dd36
                                                                          0x0040dd39
                                                                          0x0040dd39
                                                                          0x0040dd3c
                                                                          0x0040dd45
                                                                          0x0040dd4a
                                                                          0x00000000
                                                                          0x0040dd4a
                                                                          0x0040dd47
                                                                          0x0040dd47
                                                                          0x0040dd4d
                                                                          0x0040de28
                                                                          0x0040de2e
                                                                          0x0040de2e
                                                                          0x0040de30
                                                                          0x0040de33
                                                                          0x0040de3b
                                                                          0x00000000
                                                                          0x0040de45
                                                                          0x0040dd53
                                                                          0x0040dd57
                                                                          0x0040dd5b
                                                                          0x0040dd61
                                                                          0x0040dd63
                                                                          0x0040dda2
                                                                          0x0040dda2
                                                                          0x0040dda5
                                                                          0x0040dda8
                                                                          0x0040ddab
                                                                          0x0040ddae
                                                                          0x0040ddb6
                                                                          0x0040ddb6
                                                                          0x0040ddba
                                                                          0x0040ddba
                                                                          0x00000000
                                                                          0x0040ddba
                                                                          0x0040ddb0
                                                                          0x0040ddb4
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040ddb4
                                                                          0x0040dd67
                                                                          0x0040dd6d
                                                                          0x0040dd6f
                                                                          0x0040ddc2
                                                                          0x0040ddc6
                                                                          0x0040ddc8
                                                                          0x0040ddd3
                                                                          0x0040ddd8
                                                                          0x0040dde2
                                                                          0x0040ddea
                                                                          0x0040dded
                                                                          0x0040ddf9
                                                                          0x0040ddf9
                                                                          0x0040de14
                                                                          0x0040de1c
                                                                          0x0040de1c
                                                                          0x0040de21
                                                                          0x0040de21
                                                                          0x00000000
                                                                          0x0040de21
                                                                          0x0040dd72
                                                                          0x0040dd7e
                                                                          0x0040dd83
                                                                          0x0040dd8a
                                                                          0x0040dd90
                                                                          0x0040dd9a
                                                                          0x0040dd9d
                                                                          0x00000000
                                                                          0x0040dd9d
                                                                          0x0040dd39
                                                                          0x0040dc7e

                                                                          APIs
                                                                          • GetCurrentDirectoryA.KERNEL32(00000104,00000001,00000000,00000004,0047DFB8,00000010,00000004,00000010,00000004,00000001,0047F208,0047E880,00000000), ref: 0040DC73
                                                                          • SetCurrentDirectoryA.KERNEL32(?), ref: 0040DC9B
                                                                          • SetCurrentDirectoryA.KERNEL32(0047E880,?,?,?,?,?,?,?,?,004237A4,00000000,00000000,0047F208,00000001), ref: 0040DCF5
                                                                            • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,00000000,?,0042DB90,0047E788), ref: 0041C489
                                                                            • Part of subcall function 0041C467: lstrlenA.KERNEL32(00000000,0042D4D0,00000000,00000000,00000001,00000001), ref: 0041C63F
                                                                            • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407DB6), ref: 0041C649
                                                                            • Part of subcall function 0041C047: lstrlenA.KERNEL32(00000000,00422D86,0047E788,004221EF,103,00000000,00000000,00000000,00000000,0047E788,00000000), ref: 0041C04F
                                                                            • Part of subcall function 0041C047: GlobalUnlock.KERNEL32(8415FF57), ref: 0041C067
                                                                            • Part of subcall function 0041C047: GlobalReAlloc.KERNEL32 ref: 0041C074
                                                                            • Part of subcall function 0041C047: GlobalLock.KERNEL32 ref: 0041C095
                                                                          • GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,?,?,?,?,?,?,004237A4,00000000,00000000,0047F208,00000001), ref: 0040DD05
                                                                          • lstrlenA.KERNEL32(?), ref: 0040DD16
                                                                          • lstrlenA.KERNEL32(?), ref: 0040DD20
                                                                          • lstrlenA.KERNEL32(?), ref: 0040DD30
                                                                          • SetCurrentDirectoryA.KERNEL32(00000000), ref: 0040DD5B
                                                                          • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0040DD67
                                                                          • SetCurrentDirectoryA.KERNEL32(00000000), ref: 0040DD72
                                                                          • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 0040DD8A
                                                                          • GetLastError.KERNEL32 ref: 0040DDC8
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          • SetCurrentDirectoryA.KERNEL32(?), ref: 0040DE28
                                                                          Strings
                                                                          • Error: Access denied; You may not have required privileges for installing this software. Please have your system administrator (or other user with higher privileges) install this software., xrefs: 0040DDF1
                                                                          • :, xrefs: 0040DC93
                                                                          • $G, xrefs: 0040DC3E
                                                                          • Couldn't create directory '%s'., xrefs: 0040DDDC
                                                                          • \, xrefs: 0040DC97
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Directory$Current$lstrlen$Global$AllocLockUnlock$CreateErrorLast
                                                                          • String ID: Error: Access denied; You may not have required privileges for installing this software. Please have your system administrator (or other user with higher privileges) install this software.$$G$:$Couldn't create directory '%s'.$\
                                                                          • API String ID: 2319152935-3132934772
                                                                          • Opcode ID: 10b8187df1e9e5800246315329471cc5e23cdffff360e27cd40447e0cf0cdf6d
                                                                          • Instruction ID: 94c75964f666fcdce0230e0e48fa668c59af869d0efc3a1ff44bd737de7ccc2d
                                                                          • Opcode Fuzzy Hash: 10b8187df1e9e5800246315329471cc5e23cdffff360e27cd40447e0cf0cdf6d
                                                                          • Instruction Fuzzy Hash: 91614571D04615AEEF11ABA0DC05BEE3BA9AF54308F14406FE400762C2DB7C9A46CB9D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E004114E1(CHAR* _a4, void* _a8) {
                                                                          				struct HWND__* _v8;
                                                                          				struct HWND__* _v12;
                                                                          				char _v24;
                                                                          				struct _PROCESS_INFORMATION _v40;
                                                                          				struct tagMSG _v68;
                                                                          				struct _STARTUPINFOA _v136;
                                                                          				intOrPtr _t37;
                                                                          				intOrPtr _t38;
                                                                          				struct HWND__* _t39;
                                                                          				struct HWND__* _t40;
                                                                          				void* _t42;
                                                                          				int _t56;
                                                                          				long _t62;
                                                                          				int _t66;
                                                                          				struct HWND__* _t74;
                                                                          				struct HWND__* _t75;
                                                                          				long _t76;
                                                                          				int _t85;
                                                                          
                                                                          				_t37 =  *0x47e110; // 0x0
                                                                          				if(_t37 == 0) {
                                                                          					L2:
                                                                          					_t38 =  *0x47df60;
                                                                          					if(_t38 == 0) {
                                                                          						L4:
                                                                          						_t39 =  *0x47e178; // 0x0
                                                                          						_v8 = _t39;
                                                                          					} else {
                                                                          						_t74 =  *((intOrPtr*)(_t38 + 4));
                                                                          						_v8 = _t74;
                                                                          						if(_t74 == 0) {
                                                                          							goto L4;
                                                                          						}
                                                                          					}
                                                                          				} else {
                                                                          					_t75 =  *((intOrPtr*)(_t37 + 4));
                                                                          					_v8 = _t75;
                                                                          					if(_t75 == 0) {
                                                                          						goto L2;
                                                                          					}
                                                                          				}
                                                                          				_t40 = CreateDialogParamA( *0x47e17c, 0x12, _v8, E00405811, 0); // executed
                                                                          				_v12 = _t40;
                                                                          				E0041BDC5( &_v24);
                                                                          				_t42 = E0041D46F("<__Internal_WaitExternal__>");
                                                                          				_t94 = _t42;
                                                                          				if(_t42 == 0) {
                                                                          					E0041BF80( &_v24, 0x47f044);
                                                                          				} else {
                                                                          					E0041BF12( &_v24, _t42);
                                                                          				}
                                                                          				_t85 = 1;
                                                                          				E0041CBF9( &_v24, _t94, "<\\n>", "\n", 0, 0, _t85);
                                                                          				SetDlgItemTextA(_v12, 0x422, E0041CD1E( &_v24)); // executed
                                                                          				SetWindowTextA(_v12, E0041CD1E(0x47e850)); // executed
                                                                          				EnableWindow(_v8, 0);
                                                                          				E00424500( &_v40, 0, 0x10);
                                                                          				_t76 = 0x44;
                                                                          				E00424500( &_v136, 0, _t76);
                                                                          				_v136.cb = _t76;
                                                                          				_v136.dwFlags = _t85;
                                                                          				_v136.wShowWindow = _t85;
                                                                          				_t56 = CreateProcessA(0, _a4, 0, 0, 0, 0x4000000, 0, _a8,  &_v136,  &_v40); // executed
                                                                          				if(_t56 != 0) {
                                                                          					_a8 = _v40.hProcess;
                                                                          					while(1) {
                                                                          						L10:
                                                                          						_t62 = MsgWaitForMultipleObjects(_t85,  &_a8, 0, 0xffffffff, 0xff);
                                                                          						if(_t62 == 0 || _t62 != _t85) {
                                                                          							break;
                                                                          						} else {
                                                                          							goto L12;
                                                                          						}
                                                                          						while(1) {
                                                                          							L12:
                                                                          							_t66 = PeekMessageA( &_v68, 0, 0, 0, 0); // executed
                                                                          							if(_t66 == 0 || GetMessageA( &_v68, 0, 0, 0) == 0) {
                                                                          								goto L10;
                                                                          							}
                                                                          							TranslateMessage( &_v68);
                                                                          							DispatchMessageA( &_v68); // executed
                                                                          						}
                                                                          					}
                                                                          					CloseHandle(_v40);
                                                                          					CloseHandle(_v40.hThread);
                                                                          				}
                                                                          				EnableWindow(_v8, _t85);
                                                                          				DestroyWindow(_v12); // executed
                                                                          				return E0041BEFB( &_v24);
                                                                          			}


                                                                          APIs
                                                                          • CreateDialogParamA.USER32(00000012,?,00405811,00000000,00000000), ref: 0041152E
                                                                          • SetDlgItemTextA.USER32 ref: 0041158E
                                                                          • SetWindowTextA.USER32(0047F208,00000000), ref: 004115A2
                                                                          • EnableWindow.USER32(?,00000000), ref: 004115AC
                                                                          • CreateProcessA.KERNEL32(00000000,0047F208,00000000,00000000,00000000,04000000,00000000,00000000,?,?), ref: 004115FA
                                                                          • MsgWaitForMultipleObjects.USER32 ref: 0041161D
                                                                          • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00411633
                                                                          • GetMessageA.USER32 ref: 00411640
                                                                          • TranslateMessage.USER32(?), ref: 0041164E
                                                                          • DispatchMessageA.USER32 ref: 00411658
                                                                          • CloseHandle.KERNEL32(?), ref: 00411669
                                                                          • CloseHandle.KERNEL32(?), ref: 0041166E
                                                                          • EnableWindow.USER32(?,00000001), ref: 00411674
                                                                          • KiUserCallbackDispatcher.NTDLL(0047F208), ref: 0041167D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Message$Window$CloseCreateEnableHandleText$CallbackDialogDispatchDispatcherItemMultipleObjectsParamPeekProcessTranslateUserWait
                                                                          • String ID: <\n>$<__Internal_WaitExternal__>$PG
                                                                          • API String ID: 3347997246-3350838819
                                                                          • Opcode ID: bfa884291023257a9f65d2972e37a492a43a226f22e9939f5beada10b3afc87a
                                                                          • Instruction ID: 5e3da6e3fdd6bb9da70dcbe3b675b77a8ea80bc7bd688896f831291038cbc6ec
                                                                          • Opcode Fuzzy Hash: bfa884291023257a9f65d2972e37a492a43a226f22e9939f5beada10b3afc87a
                                                                          • Instruction Fuzzy Hash: D2517E71A01119BBCB20DB91DC49DEF7F78EF08754F50406AF605E2161DB399E81CBA8
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 92%
                                                                          			E00411DF7(intOrPtr __ecx, void* __eflags) {
                                                                          				signed int _v5;
                                                                          				char _v20;
                                                                          				intOrPtr _v24;
                                                                          				char _v28;
                                                                          				char _v40;
                                                                          				char _v44;
                                                                          				struct _SECURITY_ATTRIBUTES* _v48;
                                                                          				char _v60;
                                                                          				signed int _v64;
                                                                          				intOrPtr _v68;
                                                                          				char _v80;
                                                                          				char _v92;
                                                                          				char _v96;
                                                                          				intOrPtr _v100;
                                                                          				intOrPtr _v104;
                                                                          				intOrPtr _v108;
                                                                          				signed int _v112;
                                                                          				intOrPtr _v116;
                                                                          				signed int _v148;
                                                                          				signed char _v151;
                                                                          				signed int _v152;
                                                                          				signed int _v156;
                                                                          				signed int _v160;
                                                                          				char _v172;
                                                                          				char _v180;
                                                                          				void* __edi;
                                                                          				void* __ebp;
                                                                          				intOrPtr _t178;
                                                                          				void* _t185;
                                                                          				intOrPtr _t188;
                                                                          				intOrPtr _t189;
                                                                          				intOrPtr _t190;
                                                                          				char _t199;
                                                                          				void* _t211;
                                                                          				signed int _t215;
                                                                          				void* _t226;
                                                                          				signed int _t227;
                                                                          				signed int _t230;
                                                                          				signed int _t232;
                                                                          				void* _t243;
                                                                          				signed int _t247;
                                                                          				void* _t248;
                                                                          				signed int _t250;
                                                                          				intOrPtr _t251;
                                                                          				signed int _t264;
                                                                          				void* _t270;
                                                                          				signed char _t273;
                                                                          				signed int _t280;
                                                                          				signed int _t284;
                                                                          				CHAR* _t297;
                                                                          				void* _t301;
                                                                          				signed int _t302;
                                                                          				signed int _t305;
                                                                          				void* _t311;
                                                                          				intOrPtr _t313;
                                                                          				signed int _t314;
                                                                          				void* _t317;
                                                                          				intOrPtr _t318;
                                                                          				signed int _t319;
                                                                          				void* _t320;
                                                                          				signed int _t328;
                                                                          				intOrPtr _t407;
                                                                          				signed int _t409;
                                                                          				long _t410;
                                                                          				char _t412;
                                                                          				struct _SECURITY_ATTRIBUTES* _t414;
                                                                          				long _t415;
                                                                          				void* _t416;
                                                                          				void* _t417;
                                                                          				void* _t429;
                                                                          				void* _t430;
                                                                          
                                                                          				_v24 = __ecx;
                                                                          				 *0x47f28a = 1;
                                                                          				_v68 = E0041C8FD(0x47e2f0, 0xbc);
                                                                          				_t178 = E0041C8FD(0x47e2f0, 0xc0);
                                                                          				_v5 = _v5 & 0x00000000;
                                                                          				_t412 = 0;
                                                                          				 *0x47f200 = _t178;
                                                                          				_v28 = 0;
                                                                          				if(_v68 <= 0) {
                                                                          					L82:
                                                                          					 *0x47f28a =  *0x47f28a & 0x00000000;
                                                                          					__eflags =  *0x47f28a;
                                                                          					return 1;
                                                                          				}
                                                                          				L1:
                                                                          				while(1) {
                                                                          					if(_v5 == 0 && _v28 > _t412) {
                                                                          						_t188 =  *0x42bf9c; // 0x1
                                                                          						_t409 =  *0x47e290; // 0x1
                                                                          						_t189 = _t188 + _t409 - 1;
                                                                          						 *0x42bf9c = _t189;
                                                                          						if(_t189 > _t188) {
                                                                          							_v64 = _v64 | 0xffffffff;
                                                                          							 *0x42bf9c = _t189 - 1;
                                                                          							E00413A88(_v24,  &_v64);
                                                                          							CloseHandle(_v64);
                                                                          						}
                                                                          						_t190 =  *0x47f28c; // 0x2070010
                                                                          						_t328 =  *0x47e290; // 0x1
                                                                          						 *0x47f200 =  *((intOrPtr*)(_t190 + _t328 * 4 - 4));
                                                                          					}
                                                                          					_v5 = _v5 & 0x00000000;
                                                                          					 *0x47e6f8 = _t412;
                                                                          					 *0x47f204 = _t412;
                                                                          					E0041BDC5( &_v20);
                                                                          					_t185 = E0041199C(_t410,  &_v160,  &_v20,  &_v180,  &_v96); // executed
                                                                          					_t424 = _t185;
                                                                          					if(_t185 < 0) {
                                                                          						L77:
                                                                          						E0041BEFB( &_v20);
                                                                          						_v28 = _v28 + 1;
                                                                          						if(_v28 >= _v68) {
                                                                          							goto L82;
                                                                          						}
                                                                          						_t412 = 0;
                                                                          						continue;
                                                                          					}
                                                                          					 *0x47f200 =  *0x47f200 + _v116 + 0x40 + _v112 * 4 + _v96;
                                                                          					_t199 =  *0x47f200; // 0x168e995
                                                                          					_v44 = _t199;
                                                                          					E0041DCD0(_t424,  &_v20);
                                                                          					if( *0x47f27c != 0) {
                                                                          						_t317 = 0x47dfb8;
                                                                          						L19:
                                                                          						E0041BDC5( &_v40);
                                                                          						__eflags = _v152 & 0x00000002;
                                                                          						if(__eflags == 0) {
                                                                          							L22:
                                                                          							__eflags = E00412BA7(_v100);
                                                                          							if(__eflags != 0) {
                                                                          								E004164B1(_t317, __eflags,  &_v20);
                                                                          								E0041A81A(__eflags,  &_v20); // executed
                                                                          								E0041B3B9(_t317,  &_v20, 0x7fffffff);
                                                                          								_t410 = 1;
                                                                          								E0041CBF9( &_v20, __eflags, "\\\\", "\\", 2, _t412, _t410);
                                                                          								_t211 = E0041C7DB( &_v20, "\\", 0, _t410);
                                                                          								_t414 = 0;
                                                                          								E0041BE99( &_v60, E0041CC95( &_v20, 0, _t211));
                                                                          								__eflags = _v60 - 3;
                                                                          								if(_v60 <= 3) {
                                                                          									L26:
                                                                          									_t215 = E0040DF52(E0041CD1E( &_v60));
                                                                          									__eflags = _t215;
                                                                          									if(_t215 == 0) {
                                                                          										L81:
                                                                          										E0041BE35( &_v80, "Failure while trying to install file ");
                                                                          										E0041C0C5( &_v80, __eflags,  &_v20);
                                                                          										E0041B2A8(_t414, E0041CD1E( &_v80), _t414);
                                                                          										E0041BEFB( &_v80);
                                                                          										L79:
                                                                          										E0041BEFB( &_v60);
                                                                          										L80:
                                                                          										E0041BEFB( &_v40);
                                                                          										E0041BEFB( &_v20);
                                                                          										return 0;
                                                                          									}
                                                                          									_t226 = E0041CD1E( &_v60);
                                                                          									_t318 = _v24;
                                                                          									_t227 = E00414E57(_t226); // executed
                                                                          									__eflags = _t227;
                                                                          									if(_t227 == 0) {
                                                                          										goto L79;
                                                                          									}
                                                                          									__eflags =  *0x47e610 - _t414; // 0x0
                                                                          									if(__eflags != 0) {
                                                                          										_t301 = E00424DD9(0xc);
                                                                          										__eflags = _t301 - _t414;
                                                                          										if(_t301 == _t414) {
                                                                          											_t302 = 0;
                                                                          											__eflags = 0;
                                                                          										} else {
                                                                          											_t302 = E0041BE99(_t301,  &_v20);
                                                                          										}
                                                                          										E0041E87A(0x47e634, _t302, 0xffffffff);
                                                                          									}
                                                                          									__eflags =  *0x47f27c;
                                                                          									if( *0x47f27c == 0) {
                                                                          										E0041BE99( &_v80, 0x47ede0);
                                                                          										E0041BFF8( &_v80, 0x20);
                                                                          										E0041C0C5( &_v80, __eflags,  &_v20);
                                                                          										_t297 = E0041CD1E( &_v80);
                                                                          										SetWindowTextA(GetDlgItem( *(_t318 + 8), 0x14), _t297);
                                                                          										E0041BEFB( &_v80);
                                                                          									}
                                                                          									__eflags = _v148 & 0x00000002;
                                                                          									if((_v148 & 0x00000002) != 0) {
                                                                          										__eflags = _v152 >> 0x00000005 & 0x00000001;
                                                                          										E00414081(E0041CD1E( &_v20), _v152 >> 0x00000005 & 0x00000001);
                                                                          									}
                                                                          									_t319 = 0;
                                                                          									_v48 = _t414;
                                                                          									E0041BDC5( &_v92);
                                                                          									_t230 = E0040DF52(E0041CD1E( &_v20));
                                                                          									__eflags = _t230;
                                                                          									if(_t230 == 0) {
                                                                          										L45:
                                                                          										__eflags = _v152 & 0x00000080;
                                                                          										if((_v152 & 0x00000080) != 0) {
                                                                          											L47:
                                                                          											__eflags = _v148 & 0x00000002;
                                                                          											if((_v148 & 0x00000002) == 0) {
                                                                          												__eflags = _v152 & 0x00000040;
                                                                          												if((_v152 & 0x00000040) == 0) {
                                                                          													_t270 = E0041CD1E( &_v20);
                                                                          													_push(0x47e794);
                                                                          													_push(_t270);
                                                                          													E00421CE6(__eflags);
                                                                          												}
                                                                          											}
                                                                          											L50:
                                                                          											__eflags =  *0x47e18c & 0x00000006;
                                                                          											if(( *0x47e18c & 0x00000006) == 0) {
                                                                          												L60:
                                                                          												__eflags = _v108 - _t414;
                                                                          												_v5 = 1;
                                                                          												if(_v108 != _t414) {
                                                                          													_t232 = _v152 & _t410;
                                                                          													__eflags = _t232;
                                                                          													if(_t232 != 0) {
                                                                          														L66:
                                                                          														__eflags = _t232 - _t414;
                                                                          														if(_t232 == _t414) {
                                                                          															__eflags = _v152 & 0x00000002;
                                                                          															if((_v152 & 0x00000002) != 0) {
                                                                          																_t243 = E0041CD1E( &_v20);
                                                                          																E00413C46(_v24, _t409, __eflags, E0041CD1E( &_v40), _t243);
                                                                          															}
                                                                          															L71:
                                                                          															E0041455E(E0041CD1E( &_v20),  &_v160);
                                                                          															__eflags = _v48 - 2;
                                                                          															if(_v48 == 2) {
                                                                          																MoveFileExA(E0041CD1E( &_v92), _t414, 4);
                                                                          															}
                                                                          															__eflags = _v152 & 0x00000020;
                                                                          															if((_v152 & 0x00000020) != 0) {
                                                                          																E004101AA( &_v20, _v104);
                                                                          															}
                                                                          															goto L75;
                                                                          														}
                                                                          														_t247 = E00410722(_t409, E0041CD1E( &_v20), _v44, _v108, _t410); // executed
                                                                          														__eflags = _t247;
                                                                          														if(_t247 != 0) {
                                                                          															goto L71;
                                                                          														}
                                                                          														L68:
                                                                          														_v5 = _v5 & 0x00000000;
                                                                          														goto L75;
                                                                          													}
                                                                          													__eflags = _v152 & 0x00000002;
                                                                          													if((_v152 & 0x00000002) != 0) {
                                                                          														goto L66;
                                                                          													}
                                                                          													_t248 = E0041CD1E( &_v20);
                                                                          													_t250 = E00401AC0(E0041CD1E(0x47e6c8), _t248, _v44, _v108); // executed
                                                                          													_t417 = _t417 + 0x10;
                                                                          													__eflags = _t250;
                                                                          													if(_t250 != 0) {
                                                                          														goto L68;
                                                                          													}
                                                                          													_t251 =  *0x47e6f8; // 0x12000
                                                                          													E00414F7F(_t409, _t416, _t251 -  *0x47f204);
                                                                          													goto L71;
                                                                          												}
                                                                          												CloseHandle(CreateFileA(E0041CD1E( &_v20), 0xc0000000, _t410, _t414, 2, 0x80, _t414));
                                                                          												goto L71;
                                                                          											}
                                                                          											E0041BDC5( &_v172);
                                                                          											E0041BF80( &_v172, E0041CC95( &_v20, _v20 + 0xfffffffd, 3));
                                                                          											E0041CD68( &_v172);
                                                                          											__eflags = E0041C1FA( &_v172, __eflags, "JPG", _t410);
                                                                          											if(__eflags == 0) {
                                                                          												L55:
                                                                          												_t264 = E0041C1FA( &_v172, __eflags, "MP3", _t410);
                                                                          												__eflags = _t264;
                                                                          												if(_t264 == 0) {
                                                                          													L59:
                                                                          													E0041BEFB( &_v172);
                                                                          													goto L60;
                                                                          												}
                                                                          												__eflags =  *0x47e18c & 0x00000002;
                                                                          												if(__eflags == 0) {
                                                                          													goto L59;
                                                                          												}
                                                                          												_t320 = 0x47e5b0;
                                                                          												_push( &_v20);
                                                                          												L58:
                                                                          												E0041C0C5(_t320, __eflags);
                                                                          												E0041C047(_t320, "\r\n", _t414);
                                                                          												goto L59;
                                                                          											}
                                                                          											__eflags =  *0x47e18c & 0x00000004;
                                                                          											if(__eflags == 0) {
                                                                          												goto L55;
                                                                          											}
                                                                          											__eflags = _v151 & 0x00000001;
                                                                          											if(__eflags != 0) {
                                                                          												goto L59;
                                                                          											}
                                                                          											_t320 = 0x47e5bc;
                                                                          											_push( &_v20);
                                                                          											goto L58;
                                                                          										}
                                                                          										__eflags = _t319;
                                                                          										if(_t319 != 0) {
                                                                          											goto L50;
                                                                          										}
                                                                          										goto L47;
                                                                          									} else {
                                                                          										_t273 = GetFileAttributesA(E0041CD1E( &_v20));
                                                                          										_t415 = _t273;
                                                                          										SetFileAttributesA(E0041CD1E( &_v20), _t273 & 0x000000fe);
                                                                          										_t319 = 1;
                                                                          										_t280 = E00410AA5(_v24,  &_v160, E0041CD1E( &_v20),  &_v180);
                                                                          										__eflags = _t280;
                                                                          										if(_t280 != 0) {
                                                                          											_t284 = E00414A3D(_v24,  &_v20,  &_v48,  &_v92);
                                                                          											__eflags = _t284;
                                                                          											if(_t284 != 0) {
                                                                          												__eflags = _v48 - _t410;
                                                                          												if(_v48 == _t410) {
                                                                          													_v148 = _v148 & 0xfffffffd;
                                                                          													_t319 = 0;
                                                                          													_t97 =  &_v152;
                                                                          													 *_t97 = _v152 & 0xffffff9f;
                                                                          													__eflags =  *_t97;
                                                                          												}
                                                                          												_t414 = 0;
                                                                          												__eflags = 0;
                                                                          												goto L45;
                                                                          											}
                                                                          											L41:
                                                                          											E00414F7F(_t409, _t416, _v108);
                                                                          											L75:
                                                                          											E0041BEFB( &_v92);
                                                                          											E0041BEFB( &_v60);
                                                                          											L76:
                                                                          											E0041BEFB( &_v40);
                                                                          											goto L77;
                                                                          										}
                                                                          										SetFileAttributesA(E0041CD1E( &_v20), _t415);
                                                                          										goto L41;
                                                                          									}
                                                                          								}
                                                                          								_t305 = E0040DC10(E0041CD1E( &_v60), 0); // executed
                                                                          								__eflags = _t305;
                                                                          								if(_t305 == 0) {
                                                                          									goto L81;
                                                                          								}
                                                                          								goto L26;
                                                                          							}
                                                                          							E00414F7F(_t409, _t416, _v108);
                                                                          							goto L76;
                                                                          						}
                                                                          						_t311 = E00411692(_v24, __eflags,  &_v160,  &_v40,  &_v44,  &_v5);
                                                                          						__eflags = _t311 - _t412;
                                                                          						if(_t311 == _t412) {
                                                                          							goto L76;
                                                                          						}
                                                                          						__eflags = _t311 - 0xffffffff;
                                                                          						if(_t311 == 0xffffffff) {
                                                                          							goto L80;
                                                                          						}
                                                                          						goto L22;
                                                                          					}
                                                                          					_t317 = 0x47dfb8;
                                                                          					_push(9);
                                                                          					if(E00419E38() != 0) {
                                                                          						L10:
                                                                          						_t313 =  *0x47e65c; // 0x2
                                                                          						if(_t313 != 4) {
                                                                          							__eflags = _t313 - 2;
                                                                          							if(_t313 != 2) {
                                                                          								__eflags = _v156 & 0x00000001;
                                                                          							} else {
                                                                          								__eflags = _v156 & 0x00000003;
                                                                          							}
                                                                          							L16:
                                                                          							if(_t430 != 0) {
                                                                          								goto L19;
                                                                          							}
                                                                          							goto L77;
                                                                          						}
                                                                          						_t314 = _v160;
                                                                          						_t429 = _t314 -  *0x47e608; // 0x0
                                                                          						if(_t429 >= 0) {
                                                                          							goto L77;
                                                                          						} else {
                                                                          							_t407 =  *0x47e604; // 0x0
                                                                          							_t430 =  *((intOrPtr*)((_t314 << 4) + _t407)) - _t412;
                                                                          							goto L16;
                                                                          						}
                                                                          					}
                                                                          					_push(0xa);
                                                                          					if(E00419E38() == 0) {
                                                                          						goto L19;
                                                                          					}
                                                                          					goto L10;
                                                                          				}
                                                                          			}










































































                                                                          0x004122ba
                                                                          0x00412267
                                                                          0x0041226e
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00412270
                                                                          0x00412277
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0041227c
                                                                          0x00412281
                                                                          0x00000000
                                                                          0x00412281
                                                                          0x004121e4
                                                                          0x004121e6
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00412144
                                                                          0x0041214d
                                                                          0x00412153
                                                                          0x00412161
                                                                          0x00412171
                                                                          0x00412183
                                                                          0x00412188
                                                                          0x0041218a
                                                                          0x004121ad
                                                                          0x004121b2
                                                                          0x004121b4
                                                                          0x004121c4
                                                                          0x004121c7
                                                                          0x004121c9
                                                                          0x004121d0
                                                                          0x004121d2
                                                                          0x004121d2
                                                                          0x004121d2
                                                                          0x004121d2
                                                                          0x004121d9
                                                                          0x004121d9
                                                                          0x00000000
                                                                          0x004121d9
                                                                          0x004121b6
                                                                          0x004121b9
                                                                          0x004123db
                                                                          0x004123de
                                                                          0x004123e6
                                                                          0x004123eb
                                                                          0x004123ee
                                                                          0x00000000
                                                                          0x004123ee
                                                                          0x00412196
                                                                          0x00000000
                                                                          0x00412196
                                                                          0x0041213e
                                                                          0x0041203b
                                                                          0x00412041
                                                                          0x00412044
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00412044
                                                                          0x00411fbf
                                                                          0x00000000
                                                                          0x00411fc4
                                                                          0x00411f99
                                                                          0x00411f9e
                                                                          0x00411fa0
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00411fa6
                                                                          0x00411fa9
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00411fa9
                                                                          0x00411f08
                                                                          0x00411f0d
                                                                          0x00411f18
                                                                          0x00411f27
                                                                          0x00411f27
                                                                          0x00411f2f
                                                                          0x00411f51
                                                                          0x00411f54
                                                                          0x00411f5f
                                                                          0x00411f56
                                                                          0x00411f56
                                                                          0x00411f56
                                                                          0x00411f66
                                                                          0x00411f66
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00411f68
                                                                          0x00411f31
                                                                          0x00411f37
                                                                          0x00411f3d
                                                                          0x00000000
                                                                          0x00411f43
                                                                          0x00411f43
                                                                          0x00411f4c
                                                                          0x00000000
                                                                          0x00411f4c
                                                                          0x00411f3d
                                                                          0x00411f1a
                                                                          0x00411f25
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00411f25

                                                                          APIs
                                                                          • CloseHandle.KERNEL32(000000FF,000000FF,?,0047E880,?,?,000000C0,000000BC,00000003,0047E880,00000000), ref: 00411E82
                                                                          • GetDlgItem.USER32 ref: 004120E6
                                                                          • SetWindowTextA.USER32(00000000), ref: 004120ED
                                                                            • Part of subcall function 00414F7F: __aulldiv.LIBCMT ref: 00414FC3
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp Download File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: CloseHandleItemTextWindow__aulldiv
                                                                          • String ID: $4G$Failure while trying to install file $JPG$MP3
                                                                          • API String ID: 1785463942-3341779268
                                                                          • Opcode ID: 3b4ae853b393d679cbaaa81c17081ebe1d8d2a2acb8db90a06e8683954f712a6
                                                                          • Instruction ID: 52c0b1d7d2d423da66c69b76bec9c1fcdb7d517e52c1b212b45019fb69bb26cf
                                                                          • Opcode Fuzzy Hash: 3b4ae853b393d679cbaaa81c17081ebe1d8d2a2acb8db90a06e8683954f712a6
                                                                          • Instruction Fuzzy Hash: 9D02D1319002199ACF14EBA1DD96FEE7778AF14308F1005AFE916E3192DB7C59CACB58
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 93%
                                                                          			E00410722(void* __edx, void* _a4, void* _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                          				void* _v8;
                                                                          				struct _OVERLAPPED* _v12;
                                                                          				long _v16;
                                                                          				long _v20;
                                                                          				long _v24;
                                                                          				void* __ebp;
                                                                          				void* _t47;
                                                                          				long _t48;
                                                                          				void* _t49;
                                                                          				void* _t50;
                                                                          				long _t51;
                                                                          				int _t57;
                                                                          				intOrPtr _t79;
                                                                          				void* _t89;
                                                                          				void* _t90;
                                                                          
                                                                          				_t84 = __edx;
                                                                          				if(_a12 == 0 || _a8 == 0) {
                                                                          					L5:
                                                                          					return 0;
                                                                          				} else {
                                                                          					_t47 = CreateFileA(E0041CD1E(0x47e6c8), 0x80000000, 1, 0, 3, 0x80, 0); // executed
                                                                          					_v8 = _t47;
                                                                          					if(_t47 == 0xffffffff) {
                                                                          						goto L5;
                                                                          					}
                                                                          					_v24 = 0;
                                                                          					_t48 = SetFilePointer(_t47, _a8,  &_v24, 0); // executed
                                                                          					if(_t48 != 0xffffffff) {
                                                                          						_t49 = CreateFileA(_a4, 0xc0000000, 1, 0, 2, 0x80, 0); // executed
                                                                          						_a4 = _t49;
                                                                          						if(_t49 == 0xffffffff) {
                                                                          							goto L5;
                                                                          						}
                                                                          						_t50 = E00424DD9(0x8000);
                                                                          						_pop(_t78);
                                                                          						_a8 = _t50;
                                                                          						if(_t50 == 0) {
                                                                          							CloseHandle(_v8);
                                                                          							CloseHandle(_a4);
                                                                          							E0041D881(E0041CD1E(0x47e924));
                                                                          							_pop(_t78);
                                                                          						}
                                                                          						_v12 = 0;
                                                                          						L11:
                                                                          						while(1) {
                                                                          							if(_a16 == 0) {
                                                                          								_t79 = _v12;
                                                                          								_t51 = 0x8000;
                                                                          								_t84 = _t79 + 0x8000;
                                                                          								if(_t79 + 0x8000 > _a12) {
                                                                          									_t51 = _a12 - _t79;
                                                                          								}
                                                                          								_t78 =  &_v20;
                                                                          								if(ReadFile(_v8, _a8, _t51,  &_v20, 0) == 0) {
                                                                          									L21:
                                                                          									E00424DCE(_a8);
                                                                          									CloseHandle(_v8);
                                                                          									CloseHandle(_a4);
                                                                          									goto L5;
                                                                          								} else {
                                                                          									L16:
                                                                          									_t57 = WriteFile(_a4, _a8, _v20,  &_v16, 0); // executed
                                                                          									if(_t57 == 0) {
                                                                          										goto L21;
                                                                          									}
                                                                          									_t58 = _v16;
                                                                          									_v12 = _v12 + _v16;
                                                                          									if(_a16 != 0) {
                                                                          										E00414F7F(_t84, _t89, _t58);
                                                                          										_pop(_t78);
                                                                          									}
                                                                          									if(_v12 >= _a12) {
                                                                          										E00424DCE(_a8);
                                                                          										FindCloseChangeNotification(_v8); // executed
                                                                          										CloseHandle(_a4);
                                                                          										return 0 | _v16 == _v20;
                                                                          									}
                                                                          									continue;
                                                                          								}
                                                                          							}
                                                                          							E004111C2(_t78,  &_v8, _a8, 0x8000,  &_v20); // executed
                                                                          							_t90 = _t90 + 0x10;
                                                                          							goto L16;
                                                                          						}
                                                                          					}
                                                                          					CloseHandle(_v8);
                                                                          					goto L5;
                                                                          				}
                                                                          			}



















                                                                          APIs
                                                                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,0047E2F0,00000000,0047E880,0000005C,0047E1B8,00000001,?,00000000), ref: 00410759
                                                                          • SetFilePointer.KERNEL32(00000000,00000000,?,00000000,?,00000000), ref: 0041076F
                                                                          • CloseHandle.KERNEL32(00000000,?,00000000), ref: 0041077D
                                                                          • CreateFileA.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000,?,00000000), ref: 0041079B
                                                                          • CloseHandle.KERNEL32(00000000,?,00000000), ref: 004107C1
                                                                          • CloseHandle.KERNEL32(?,?,00000000), ref: 004107C6
                                                                          • ReadFile.KERNEL32(00000000,00000000,00008000,?,00000000,?,00000000), ref: 00410818
                                                                          • WriteFile.KERNEL32(?,00000000,?,?,00000000,?,00000000), ref: 00410830
                                                                          • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00410862
                                                                          • CloseHandle.KERNEL32(?,?,00000000), ref: 00410867
                                                                          • FindCloseChangeNotification.KERNEL32(00000000,?,00000000), ref: 0041087A
                                                                          • CloseHandle.KERNEL32(?,?,00000000), ref: 0041087F
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Close$Handle$File$Global$Create$AllocChangeFindLockNotificationPointerReadUnlockWrite
                                                                          • String ID: $G
                                                                          • API String ID: 1992528912-195990108
                                                                          • Opcode ID: b061d70fe9dfc114de7976bbab08d14934786dbddc87a350937ab6b52a7a071e
                                                                          • Instruction ID: dfb52f28007ce37c350004ecbd65c2d7c86bc8646004f923ca0ac160def92735
                                                                          • Opcode Fuzzy Hash: b061d70fe9dfc114de7976bbab08d14934786dbddc87a350937ab6b52a7a071e
                                                                          • Instruction Fuzzy Hash: 20419D7190010CBFDF20AFA5DC84AEE7B79EF04354F20816AF424A61A1CB759E91DB68
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0041CAC5(long* __ecx, void* _a4, long _a8, long _a12) {
                                                                          				long _v8;
                                                                          				long _v12;
                                                                          				long _v16;
                                                                          				void* _t30;
                                                                          				long _t31;
                                                                          				long _t34;
                                                                          				void* _t37;
                                                                          				void* _t52;
                                                                          				long _t56;
                                                                          				long _t57;
                                                                          				long* _t63;
                                                                          
                                                                          				_t63 = __ecx; // executed
                                                                          				_t30 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                                                                          				_a4 = _t30;
                                                                          				if(_t30 != 0xffffffff) {
                                                                          					_v8 = 0;
                                                                          					_t31 = SetFilePointer(_t30, 0,  &_v8, 2); // executed
                                                                          					_v16 = _t31;
                                                                          					_v8 = 0;
                                                                          					SetFilePointer(_a4, _a8,  &_v8, 0); // executed
                                                                          					_t56 = _v16;
                                                                          					if(_a8 > _t56) {
                                                                          						_a8 = _t56;
                                                                          					}
                                                                          					_t57 = _t56 - _a8;
                                                                          					_t34 = _a12;
                                                                          					 *_t63 = _t34;
                                                                          					if(_t57 < _t34 || _t34 <= 0) {
                                                                          						 *_t63 = _t57;
                                                                          					}
                                                                          					_t15 =  &(_t63[1]); // 0x2170214
                                                                          					GlobalUnlock( *_t15);
                                                                          					_t16 =  &(_t63[1]); // 0x2170214
                                                                          					GlobalFree( *_t16);
                                                                          					_t37 = GlobalAlloc(0x42,  *_t63);
                                                                          					_t63[1] = _t37;
                                                                          					_t63[2] = GlobalLock(_t37);
                                                                          					if( *_t63 != 0) {
                                                                          						if(_t63[1] == 0) {
                                                                          							CloseHandle(_a4);
                                                                          							E0041D881(E0041CD1E(0x47e924));
                                                                          						}
                                                                          						_v12 = 0;
                                                                          						_t24 =  &(_t63[2]); // 0x63f7e8
                                                                          						ReadFile(_a4,  *_t24,  *_t63,  &_v12, 0); // executed
                                                                          						FindCloseChangeNotification(_a4); // executed
                                                                          						return ((0 | _v12 ==  *_t63) - 0x00000001 & 0x000000fe) + 1;
                                                                          					} else {
                                                                          						CloseHandle(_a4);
                                                                          						return 0;
                                                                          					}
                                                                          				}
                                                                          				_t52 = 0xfffffffd;
                                                                          				return _t52;
                                                                          			}















                                                                          APIs
                                                                          • CreateFileA.KERNEL32(0047DFB8,80000000,00000001,00000000,00000003,00000080,00000000,74E5FBD0,0047E2F0,00000000,?,0047DFB8), ref: 0041CAE5
                                                                          • SetFilePointer.KERNEL32(00000000,00000000,?,00000002,?,0047DFB8), ref: 0041CB0C
                                                                          • SetFilePointer.KERNEL32(0047DFB8,?,?,00000000,?,0047DFB8), ref: 0041CB1F
                                                                          • GlobalUnlock.KERNEL32(02170214,?,0047DFB8), ref: 0041CB41
                                                                          • GlobalFree.KERNEL32 ref: 0041CB4A
                                                                          • GlobalAlloc.KERNEL32(00000042,0047E2F0,?,0047DFB8), ref: 0041CB54
                                                                          • GlobalLock.KERNEL32 ref: 0041CB5E
                                                                          • CloseHandle.KERNEL32(0047DFB8,?,0047DFB8), ref: 0041CB6E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$File$Pointer$AllocCloseCreateFreeHandleLockUnlock
                                                                          • String ID: $G
                                                                          • API String ID: 45956072-195990108
                                                                          • Opcode ID: 3656ab980352cb8f8a756b1a1b3a56ded7d35eb993e2abca08c7b1c0df809143
                                                                          • Instruction ID: bab992acd45dbe21d36b9c17f1ecb0a5c71e46b83cab52e5c457c18eb4518899
                                                                          • Opcode Fuzzy Hash: 3656ab980352cb8f8a756b1a1b3a56ded7d35eb993e2abca08c7b1c0df809143
                                                                          • Instruction Fuzzy Hash: 63318DB1501209FFDF20AFA0DC8599EBBB9EF04350B20896EF555D6160CB34A981DF24
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E004229A8(CHAR* _a4) {
                                                                          				void* _v8;
                                                                          				int _v12;
                                                                          				char _v272;
                                                                          				long _t24;
                                                                          				CHAR* _t40;
                                                                          				intOrPtr _t43;
                                                                          
                                                                          				_t43 =  *0x47e58c; // 0x1b
                                                                          				if(_t43 <= 0) {
                                                                          					L6:
                                                                          					_t40 = _a4;
                                                                          					E00424500(_t40, 0, 0x104);
                                                                          					GetWindowsDirectoryA(_t40, 0x104);
                                                                          					if( *((char*)(lstrlenA(_t40) + _t40 - 1)) != 0x5c) {
                                                                          						_t40[lstrlenA(_t40)] = 0x5c;
                                                                          					}
                                                                          					lstrcatA(_t40, E0041CD1E(0x47e35c));
                                                                          					lstrcatA(_t40, " Uninstaller.exe");
                                                                          				} else {
                                                                          					_t24 = RegOpenKeyExA( *0x47e588, E0041CD1E(0x47e58c), 0, 0x20019,  &_v8); // executed
                                                                          					if(_t24 != 0) {
                                                                          						goto L6;
                                                                          					} else {
                                                                          						_v12 = 0x104;
                                                                          						if(RegQueryValueExA(_v8, "Uninstaller", 0, 0,  &_v272,  &_v12) != 0 || E0040DF52( &_v272) == 0) {
                                                                          							RegCloseKey(_v8);
                                                                          							goto L6;
                                                                          						} else {
                                                                          							lstrcpyA(_a4,  &_v272);
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          				return 1;
                                                                          			}










                                                                          APIs
                                                                          • RegOpenKeyExA.KERNEL32(00000000,00020019,00000000,0047DFB8,0047E788), ref: 004229DD
                                                                          • RegQueryValueExA.ADVAPI32(00000000,Uninstaller,00000000,00000000,?,0047E788), ref: 004229FF
                                                                          • lstrcpyA.KERNEL32(0047E788,?), ref: 00422A24
                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 00422A2F
                                                                          • GetWindowsDirectoryA.KERNEL32(0047E788,00000104,?,0047DFB8,0047E788), ref: 00422A45
                                                                          • lstrlenA.KERNEL32(0047E788,?,0047DFB8,0047E788), ref: 00422A52
                                                                          • lstrlenA.KERNEL32(0047E788,?,0047DFB8,0047E788), ref: 00422A5C
                                                                          • lstrcatA.KERNEL32(0047E788,00000000,?,0047DFB8,0047E788), ref: 00422A74
                                                                          • lstrcatA.KERNEL32(0047E788, Uninstaller.exe,?,0047DFB8,0047E788), ref: 00422A7C
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$lstrcatlstrlen$AllocCloseDirectoryLockOpenQueryUnlockValueWindowslstrcpy
                                                                          • String ID: Uninstaller.exe$Uninstaller$\G
                                                                          • API String ID: 3305667709-651829472
                                                                          • Opcode ID: c1f1c48b22dd7b66c719fa597b738276a2fc1b2b4f1d39e557a6f66aa562f100
                                                                          • Instruction ID: 1bc53d22d2b43fdaff41b8ce2ad180c68364dd8d2d8a418ed7790eca1a8cb3a6
                                                                          • Opcode Fuzzy Hash: c1f1c48b22dd7b66c719fa597b738276a2fc1b2b4f1d39e557a6f66aa562f100
                                                                          • Instruction Fuzzy Hash: 5C21A435601528BBDB21AB61ED04EDF7F6CEF55304B8141BAF504A2121DBB85A428FAC
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00421D4B(int _a4, int _a8) {
                                                                          				void* _v8;
                                                                          				int _v12;
                                                                          				char* _v16;
                                                                          				char _v20;
                                                                          				int _v24;
                                                                          				int _v36;
                                                                          				int _v48;
                                                                          				char _v60;
                                                                          				char _v72;
                                                                          				char _v84;
                                                                          				void* __ebx;
                                                                          				long _t70;
                                                                          				long _t73;
                                                                          				char* _t75;
                                                                          				int _t90;
                                                                          				int _t91;
                                                                          				int _t104;
                                                                          				int _t114;
                                                                          				char* _t124;
                                                                          				signed int _t154;
                                                                          
                                                                          				if(_a4 == 0) {
                                                                          					L30:
                                                                          					return _t70;
                                                                          				}
                                                                          				_t70 = RegOpenKeyExA(0x80000002, "SYSTEM\\CurrentControlSet\\Control\\Session Manager", 0, 0x2001f,  &_v8); // executed
                                                                          				if(_t70 != 0) {
                                                                          					goto L30;
                                                                          				}
                                                                          				_t124 = "PendingFileRenameOperations";
                                                                          				_t73 = RegQueryValueExA(_v8, _t124, 0, 0, 0,  &_v12); // executed
                                                                          				if(_t73 != 0 || _v12 == 0) {
                                                                          					L8:
                                                                          					return RegCloseKey(_v8);
                                                                          				} else {
                                                                          					_t75 = E00424DD9(_v12);
                                                                          					_v16 = _t75;
                                                                          					if(_t75 == 0) {
                                                                          						E0041D881(E0041CD1E(0x47e924));
                                                                          					}
                                                                          					if(RegQueryValueExA(_v8, _t124, 0, 0, _v16,  &_v12) != 0 || E0041DD95(_t124, _v16, _v12,  &_v20,  &_v24) == 0) {
                                                                          						goto L8;
                                                                          					} else {
                                                                          						E0041BDC5( &_v36);
                                                                          						E0041BE35( &_v72, "\\??\\");
                                                                          						E0041BE35( &_v60, "\\??\\");
                                                                          						E0041C047( &_v72, _a4, 0);
                                                                          						__eflags = _a8;
                                                                          						if(_a8 != 0) {
                                                                          							E0041C047( &_v60, _a8, 0);
                                                                          						}
                                                                          						_t154 = 0;
                                                                          						__eflags = _v24;
                                                                          						_a4 = 0;
                                                                          						if(_v24 <= 0) {
                                                                          							L18:
                                                                          							E00424DCE(_v20);
                                                                          							__eflags = _a4;
                                                                          							if(_a4 != 0) {
                                                                          								_t90 = _v36;
                                                                          								__eflags = _t90;
                                                                          								if(_t90 != 0) {
                                                                          									_t91 = _t90 + 1;
                                                                          									__eflags = _t91;
                                                                          									RegSetValueExA(_v8, _t124, 0, 7, E0041CD1E( &_v36), _t91);
                                                                          								} else {
                                                                          									RegDeleteValueA(_v8, _t124);
                                                                          								}
                                                                          							}
                                                                          							RegCloseKey(_v8);
                                                                          							E0041BEFB( &_v60);
                                                                          							E0041BEFB( &_v72);
                                                                          							return E0041BEFB( &_v36);
                                                                          						} else {
                                                                          							do {
                                                                          								E0041BE35( &_v84,  *((intOrPtr*)(_v20 + _t154 * 4)) + _v16);
                                                                          								_t34 = _t154 * 4; // 0x4be5600
                                                                          								E0041BE35( &_v48,  *((intOrPtr*)(_v20 + _t34 + 4)) + _v16);
                                                                          								_t104 = E0041C176( &_v84, __eflags,  &_v72, 0);
                                                                          								__eflags = _t104;
                                                                          								if(_t104 != 0) {
                                                                          									L14:
                                                                          									__eflags = _v48;
                                                                          									if(__eflags != 0) {
                                                                          										if(__eflags <= 0) {
                                                                          											L25:
                                                                          											E0041C0C5( &_v36, __eflags,  &_v84);
                                                                          											E0041BFF8( &_v36, 0);
                                                                          											__eflags = _v48;
                                                                          											if(__eflags > 0) {
                                                                          												E0041C0C5( &_v36, __eflags,  &_v48);
                                                                          											}
                                                                          											E0041BFF8( &_v36, 0);
                                                                          											goto L17;
                                                                          										}
                                                                          										__eflags = _a8;
                                                                          										if(__eflags == 0) {
                                                                          											goto L25;
                                                                          										}
                                                                          										_t114 = E0041C176( &_v48, __eflags,  &_v60, 0);
                                                                          										__eflags = _t114;
                                                                          										if(_t114 != 0) {
                                                                          											L16:
                                                                          											_t43 =  &_a4;
                                                                          											 *_t43 = _a4 + 1;
                                                                          											__eflags =  *_t43;
                                                                          											goto L17;
                                                                          										}
                                                                          										__eflags = E0041C1FA( &_v48, __eflags, E0041CD1E( &_v60) + 4, 0);
                                                                          										if(__eflags != 0) {
                                                                          											goto L16;
                                                                          										}
                                                                          										goto L25;
                                                                          									}
                                                                          									__eflags = _a8;
                                                                          									if(__eflags != 0) {
                                                                          										goto L25;
                                                                          									}
                                                                          									goto L16;
                                                                          								}
                                                                          								__eflags = E0041C1FA( &_v84, __eflags, E0041CD1E( &_v72) + 4, 0);
                                                                          								if(__eflags == 0) {
                                                                          									goto L25;
                                                                          								}
                                                                          								goto L14;
                                                                          								L17:
                                                                          								E0041BEFB( &_v48);
                                                                          								E0041BEFB( &_v84);
                                                                          								_t154 = _t154 + 2;
                                                                          								__eflags = _t154 - _v24;
                                                                          							} while (_t154 < _v24);
                                                                          							goto L18;
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          			}

                                                                          APIs
                                                                          • RegOpenKeyExA.KERNEL32(80000002,SYSTEM\CurrentControlSet\Control\Session Manager,00000000,0002001F,00000000,00000000,74E5FC30,00000000), ref: 00421D73
                                                                          • RegQueryValueExA.KERNEL32(00000000,PendingFileRenameOperations,00000000,00000000,00000000,00000000), ref: 00421D97
                                                                          • RegQueryValueExA.ADVAPI32(00000000,PendingFileRenameOperations,00000000,00000000,00422FC8,00000000), ref: 00421DD0
                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 00421DF3
                                                                          • RegDeleteValueA.ADVAPI32(00000000,PendingFileRenameOperations,00000000,00000000,\??\,\??\), ref: 00421ED4
                                                                          • RegSetValueExA.ADVAPI32(00000000,PendingFileRenameOperations,00000000,00000007,00000000,?,00000000,00000000,\??\,\??\), ref: 00421F53
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          • RegCloseKey.ADVAPI32(00000000,00000000,00000000,\??\,\??\), ref: 00421F5C
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Value$Global$CloseQuery$AllocDeleteLockOpenUnlock
                                                                          • String ID: $G$PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager$\??\
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 97%
                                                                          			E00422E9C(intOrPtr __ecx, intOrPtr _a4) {
                                                                          				intOrPtr _v8;
                                                                          				long _v12;
                                                                          				void _v16;
                                                                          				long _v28;
                                                                          				char _v288;
                                                                          				signed int _t30;
                                                                          				void* _t40;
                                                                          				long _t41;
                                                                          				long _t64;
                                                                          				void* _t81;
                                                                          				intOrPtr _t83;
                                                                          
                                                                          				_t83 = __ecx;
                                                                          				_v8 = __ecx;
                                                                          				if(( *0x47e192 & 0x00000002) == 0 || ( *0x47e18c & 0x00000040) != 0) {
                                                                          					_push( &_v288);
                                                                          					E00422A86();
                                                                          					_t30 = E0040DF52( &_v288);
                                                                          					__eflags = _t30;
                                                                          					if(_t30 == 0) {
                                                                          						__eflags =  *0x47e18c & 0x00000040;
                                                                          						if(__eflags == 0) {
                                                                          							E0041BDC5( &_v28);
                                                                          							E004221B8(_t83, __eflags,  &_v28); // executed
                                                                          							_t64 = 0;
                                                                          							CopyFileA(E0041CD1E(_t83),  &_v288, 0); // executed
                                                                          							DeleteFileA(E0041CD1E(_t83)); // executed
                                                                          							_t40 = CreateFileA( &_v288, 0xc0000000, 1, 0, 3, 0x80, 0); // executed
                                                                          							_t81 = _t40;
                                                                          							_t41 = GetFileSize(_t81, 0);
                                                                          							__eflags = _t81 - 0xffffffff;
                                                                          							_v16 = _t41;
                                                                          							if(_t81 == 0xffffffff) {
                                                                          								L10:
                                                                          								CloseHandle(_t81);
                                                                          								DeleteFileA( &_v288);
                                                                          								E0041B2A8(_a4, E0041CD1E(0x47ef30), _t64);
                                                                          								L11:
                                                                          								E0041BEFB( &_v28);
                                                                          								return _t64;
                                                                          							}
                                                                          							__eflags = _t41;
                                                                          							if(_t41 == 0) {
                                                                          								goto L10;
                                                                          							}
                                                                          							SetFilePointer(_t81, 0, 0, 2); // executed
                                                                          							WriteFile(_t81, E0041CD1E( &_v28), _v28,  &_v12, 0); // executed
                                                                          							WriteFile(_t81,  &_v16, 4,  &_v12, 0); // executed
                                                                          							CloseHandle(_t81);
                                                                          							_t77 = _v8;
                                                                          							 *((char*)(_v8 + 0x90)) = 1;
                                                                          							E00421F81(_t77,  &_v288); // executed
                                                                          							_t64 = 1;
                                                                          							goto L11;
                                                                          						}
                                                                          						L6:
                                                                          						return E00423006(_t83, __eflags);
                                                                          					}
                                                                          					E00421F81(_t83,  &_v288);
                                                                          					goto L6;
                                                                          				} else {
                                                                          					return 1;
                                                                          				}
                                                                          			}















                                                                          APIs
                                                                          • CopyFileA.KERNEL32(00000000,?,00000000), ref: 00422F2F
                                                                          • DeleteFileA.KERNEL32(00000000), ref: 00422F43
                                                                          • CreateFileA.KERNEL32(?,C0000000,00000001,00000000,00000003,00000080,00000000), ref: 00422F5C
                                                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 00422F66
                                                                          • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002), ref: 00422F7D
                                                                          • WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00422F9B
                                                                          • WriteFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 00422FA9
                                                                          • CloseHandle.KERNEL32(00000000), ref: 00422FAC
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: File$Write$CloseCopyCreateDeleteHandlePointerSize
                                                                          • String ID: 0G
                                                                          • API String ID: 2532723989-2664342302
                                                                          • Opcode ID: ca4144e62418bdba7195bb517f03a4dcb76d34b809e772969f8e9d80428c3b2b
                                                                          • Instruction ID: b98738f73ffab4765dc9a84c4427e3d4cbec2d01dd80aca18e9737d41bc0417b
                                                                          • Opcode Fuzzy Hash: ca4144e62418bdba7195bb517f03a4dcb76d34b809e772969f8e9d80428c3b2b
                                                                          • Instruction Fuzzy Hash: 1041A771A0011C7ADB24A7A1AD86FEE7B7CDF05348F80416BF60593181CB784E46DBB9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 88%
                                                                          			E0041FD0E(void* __edx, intOrPtr _a4) {
                                                                          				unsigned int _v8;
                                                                          				char _v12;
                                                                          				void _v523;
                                                                          				char _v524;
                                                                          				void _v1035;
                                                                          				char _v1036;
                                                                          				void* _t56;
                                                                          				void* _t64;
                                                                          				void* _t72;
                                                                          				unsigned int _t74;
                                                                          				void* _t79;
                                                                          				unsigned int _t80;
                                                                          				void* _t83;
                                                                          				void* _t85;
                                                                          				void* _t87;
                                                                          				signed int _t90;
                                                                          				void* _t102;
                                                                          				void* _t107;
                                                                          				intOrPtr _t108;
                                                                          				void* _t111;
                                                                          				void* _t113;
                                                                          
                                                                          				_t102 = __edx;
                                                                          				_v1036 = _v1036 & 0x00000000;
                                                                          				_t90 = 0x7f;
                                                                          				_v524 = _v524 & 0x00000000;
                                                                          				memset( &_v1035, 0, _t90 << 2);
                                                                          				asm("stosw");
                                                                          				asm("stosb");
                                                                          				_push(0x7f);
                                                                          				memset( &_v523, 0, 0 << 2);
                                                                          				_t113 = _t111 + 0x18;
                                                                          				_t108 = _a4;
                                                                          				asm("stosw");
                                                                          				asm("stosb");
                                                                          				_a4 = _t108;
                                                                          				if(GetSystemDirectoryA( &_v1036, 0x104) != 0) {
                                                                          					lstrcpyA( &_v524,  &_v1036);
                                                                          					lstrcatA( &_v524, "\\d3d8.dll");
                                                                          					_t56 = E0041F9CC(0,  &_v524,  &_v12); // executed
                                                                          					_t95 = _t87;
                                                                          					_t107 = 4;
                                                                          					if(_t56 < 0) {
                                                                          						L9:
                                                                          						lstrcpyA( &_v524,  &_v1036);
                                                                          						lstrcatA( &_v524, "\\dpnet.dll");
                                                                          						_t64 = E0041F9CC(_t95,  &_v524,  &_v12); // executed
                                                                          						_pop(_t97);
                                                                          						if(_t64 < 0) {
                                                                          							L16:
                                                                          							lstrcpyA( &_v524,  &_v1036);
                                                                          							lstrcatA( &_v524, "\\d3d9.dll");
                                                                          							_t72 = E0041F9CC(_t97,  &_v524,  &_v12); // executed
                                                                          							if(_t72 >= 0) {
                                                                          								_a4 = 9;
                                                                          							}
                                                                          							return _a4;
                                                                          						}
                                                                          						_t74 = _v8;
                                                                          						_t97 = _t74 >> 0x10;
                                                                          						if(_t74 >> 0x10 != _t107) {
                                                                          							L13:
                                                                          							if(_t74 >> 0x10 == 5 && E0041FA8A(_v12, _v8, E0041FA6B(5, 2, 0xe5d, 0x86), _t102) >= 0) {
                                                                          								L15:
                                                                          								_a4 = 0x20008;
                                                                          							}
                                                                          							goto L16;
                                                                          						}
                                                                          						_t79 = E0041FA8A(_v12, _v8, E0041FA6B(_t107, 9, 0, 0x86), _t102);
                                                                          						_t113 = _t113 + 0x20;
                                                                          						if(_t79 >= 0) {
                                                                          							goto L15;
                                                                          						}
                                                                          						_t74 = _v8;
                                                                          						goto L13;
                                                                          					}
                                                                          					_t80 = _v8;
                                                                          					_t95 = _t80 >> 0x10;
                                                                          					if(_t80 >> 0x10 != _t107) {
                                                                          						L6:
                                                                          						if(_t80 >> 0x10 != 5) {
                                                                          							goto L9;
                                                                          						}
                                                                          						_t83 = E0041FA8A(_v12, _v8, E0041FA6B(5, 1, 0xa28, 0x371), _t102);
                                                                          						_t113 = _t113 + 0x20;
                                                                          						if(_t83 < 0) {
                                                                          							goto L9;
                                                                          						}
                                                                          						L8:
                                                                          						_a4 = 0x10008;
                                                                          						goto L9;
                                                                          					}
                                                                          					_t85 = E0041FA8A(_v12, _v8, E0041FA6B(_t107, 8, 1, 0x371), _t102);
                                                                          					_t113 = _t113 + 0x20;
                                                                          					if(_t85 >= 0) {
                                                                          						goto L8;
                                                                          					}
                                                                          					_t80 = _v8;
                                                                          					goto L6;
                                                                          				}
                                                                          				return _t108;
                                                                          			}

























                                                                          APIs
                                                                          • GetSystemDirectoryA.KERNEL32 ref: 0041FD59
                                                                          • lstrcpyA.KERNEL32(00000000,00000000,6E815550), ref: 0041FD7F
                                                                          • lstrcatA.KERNEL32(00000000,\d3d8.dll), ref: 0041FD8D
                                                                          • lstrcpyA.KERNEL32(00000000,00000000), ref: 0041FE21
                                                                          • lstrcatA.KERNEL32(00000000,\dpnet.dll), ref: 0041FE2F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: lstrcatlstrcpy$DirectorySystem
                                                                          • String ID: \d3d8.dll$\d3d9.dll$\dpnet.dll
                                                                          • API String ID: 3373222834-1488632820
                                                                          • Opcode ID: 1b981c1a0dbe33aa39520a2f075f097f621f4da949a6d66ba52bc3160ce5be0a
                                                                          • Instruction ID: 732007284f3f90403335b0d5d4dcae0cc413df0729f14511fe8dea38f26fffe4
                                                                          • Opcode Fuzzy Hash: 1b981c1a0dbe33aa39520a2f075f097f621f4da949a6d66ba52bc3160ce5be0a
                                                                          • Instruction Fuzzy Hash: 6751C972900318BAEF21DA95CC45FDF777CEF04354F5004BAF644E61A1EA789ACA8B58
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 79%
                                                                          			E00401AC0(CHAR* _a4, CHAR* _a8, long _a12, intOrPtr _a16) {
                                                                          				void* _v8;
                                                                          				long _v12;
                                                                          				void* __ecx;
                                                                          				void* _t12;
                                                                          				void* _t13;
                                                                          				intOrPtr _t18;
                                                                          				void* _t19;
                                                                          				void* _t22;
                                                                          				void* _t28;
                                                                          				void* _t34;
                                                                          				void* _t39;
                                                                          
                                                                          				_push(_t28);
                                                                          				_push(_t28);
                                                                          				_t12 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                                                                          				_v8 = _t12;
                                                                          				if(_t12 != 0xffffffff) {
                                                                          					_t13 = CreateFileA(_a8, 0xc0000000, 1, 0, 2, 0x80, 0); // executed
                                                                          					_t34 = _t13;
                                                                          					if(_t34 != 0xffffffff) {
                                                                          						lstrcpyA("C:\Users\hardz\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe", _a4);
                                                                          						lstrcpyA("C:\\ztg\\fillProxy\\spy++\\spyxxhk.dll", _a8);
                                                                          						_t39 = _v8;
                                                                          						_v12 = 0;
                                                                          						SetFilePointer(_t39, _a12,  &_v12, 0); // executed
                                                                          						_t18 = _a16;
                                                                          						 *0x43aa58 = _t18;
                                                                          						if(_t18 == 0) {
                                                                          							 *0x43aa58 = 0x7fffffff;
                                                                          						}
                                                                          						_push(_t39);
                                                                          						 *0x46ab78 = 0;
                                                                          						 *0x42e1fc = _t39;
                                                                          						 *0x436240 = _t34; // executed
                                                                          						_t19 = E00401BA9(_t28); // executed
                                                                          						if(_t19 >= 0) {
                                                                          							 *0x43aa5c = 0; // executed
                                                                          							_t19 = E00404CF3(_t39, _t34); // executed
                                                                          						}
                                                                          						FindCloseChangeNotification(_t39); // executed
                                                                          						CloseHandle(_t34);
                                                                          						_t22 = _t19;
                                                                          					} else {
                                                                          						CloseHandle(_v8);
                                                                          						_t22 = 0xffff8002;
                                                                          					}
                                                                          				} else {
                                                                          					_t22 = 0xffff8001;
                                                                          				}
                                                                          				return _t22;
                                                                          			}















                                                                          APIs
                                                                          • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,0047E2F0,00000000,000000A8,?,?,0047E6C8,004190BF,00000000,00000000), ref: 00401AE4
                                                                          • CreateFileA.KERNEL32(00000001,C0000000,00000001,00000000,00000002,00000080,00000000,?,?,0047E6C8,004190BF,00000000,00000000,00000000,000000AC,00000000), ref: 00401B07
                                                                          • CloseHandle.KERNEL32(00000000,?,?,0047E6C8,004190BF,00000000,00000000,00000000,000000AC,00000000,000000A8,000000A8,000000AC,00000000,000000A8,00000090), ref: 00401B13
                                                                          Strings
                                                                          • C:\ztg\fillProxy\spy++\spyxxhk.dll, xrefs: 00401B36
                                                                          • C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe, xrefs: 00401B2C
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFile$CloseHandle
                                                                          • String ID: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe$C:\ztg\fillProxy\spy++\spyxxhk.dll
                                                                          • API String ID: 1443461169-2924726884
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 98%
                                                                          			E004145F6(intOrPtr __ecx, intOrPtr _a4) {
                                                                          				intOrPtr _v8;
                                                                          				struct HWND__* _v12;
                                                                          				void* _v16;
                                                                          				char _v28;
                                                                          				char _v40;
                                                                          				char _v52;
                                                                          				char _v64;
                                                                          				char _v76;
                                                                          				char _v104;
                                                                          				char _v116;
                                                                          				char _v128;
                                                                          				void* _v132;
                                                                          				void* _t94;
                                                                          				intOrPtr _t107;
                                                                          				intOrPtr _t110;
                                                                          				intOrPtr _t113;
                                                                          				intOrPtr _t114;
                                                                          				void* _t121;
                                                                          				void* _t123;
                                                                          				intOrPtr _t126;
                                                                          				void* _t131;
                                                                          				char* _t135;
                                                                          				char* _t136;
                                                                          				char* _t137;
                                                                          				void* _t144;
                                                                          				int _t156;
                                                                          				void* _t158;
                                                                          				void* _t169;
                                                                          				void* _t175;
                                                                          				char* _t226;
                                                                          				intOrPtr* _t258;
                                                                          				void* _t260;
                                                                          				intOrPtr _t261;
                                                                          				void* _t281;
                                                                          
                                                                          				_t261 =  *0x47e4f0; // 0x4
                                                                          				_v8 = __ecx;
                                                                          				_v12 = 0;
                                                                          				if(_t261 <= 0) {
                                                                          					L56:
                                                                          					_t94 = 1;
                                                                          					return _t94;
                                                                          				} else {
                                                                          					do {
                                                                          						_t258 = E0041E860(0x47e4e4, _v12);
                                                                          						if( *((intOrPtr*)(_t258 + 0x28)) == _a4 && E00412BA7( *((intOrPtr*)(_t258 + 0x34))) != 0 &&  *((intOrPtr*)(_t258 + 0x2c)) != 0) {
                                                                          							_t8 = _t258 + 4; // 0x4
                                                                          							E0041BE99( &_v28, _t8);
                                                                          							_t10 = _t258 + 0x10; // 0x10
                                                                          							E0041BE99( &_v40, _t10);
                                                                          							_t12 = _t258 + 0x1c; // 0x1c
                                                                          							E0041BE99( &_v52, _t12);
                                                                          							_t265 =  *_t258 - 9;
                                                                          							if( *_t258 != 9) {
                                                                          								E004164B1(0x47dfb8, _t265,  &_v28);
                                                                          							}
                                                                          							E004164B1(0x47dfb8, _t265,  &_v40);
                                                                          							_t107 =  *_t258;
                                                                          							if(_t107 != 7) {
                                                                          								_t267 = _t107 - 8;
                                                                          								if(_t107 != 8) {
                                                                          									E004164B1(0x47dfb8, _t267,  &_v52);
                                                                          								}
                                                                          							}
                                                                          							_t268 =  *_t258 - 9;
                                                                          							if( *_t258 != 9) {
                                                                          								E0041A81A(_t268,  &_v28); // executed
                                                                          							}
                                                                          							E0041A81A(_t268,  &_v40);
                                                                          							_t110 =  *_t258;
                                                                          							if(_t110 != 7) {
                                                                          								_t270 = _t110 - 8;
                                                                          								if(_t110 != 8) {
                                                                          									E0041A81A(_t270,  &_v52);
                                                                          								}
                                                                          							}
                                                                          							if( *_t258 != 9) {
                                                                          								E0041B3B9(0x47dfb8,  &_v28, 0x7fffffff);
                                                                          							}
                                                                          							E0041B3B9(0x47dfb8,  &_v40, 0x7fffffff);
                                                                          							_t113 =  *_t258;
                                                                          							if(_t113 != 7 && _t113 != 8) {
                                                                          								E0041B3B9(0x47dfb8,  &_v52, 0x7fffffff);
                                                                          							}
                                                                          							_t114 =  *_t258;
                                                                          							if(_t114 == 4 || _t114 == 7) {
                                                                          								E0041CBF9( &_v28, __eflags, "<\\t>", "\t", 0, 0, 1);
                                                                          								E0041CBF9( &_v28, __eflags, "<\\r>", "\r", 0, 0, 1);
                                                                          								E0041CBF9( &_v28, __eflags, "<\\n>", "\n", 0, 0, 1);
                                                                          								E0041CBF9( &_v40, __eflags, "<\\t>", "\t", 0, 0, 1);
                                                                          								E0041CBF9( &_v40, __eflags, "<\\r>", "\r", 0, 0, 1);
                                                                          								E0041CBF9( &_v40, __eflags, "<\\n>", "\n", 0, 0, 1);
                                                                          								__eflags =  *_t258 - 4;
                                                                          								if( *_t258 != 4) {
                                                                          									_t121 = E0041CD1E( &_v40);
                                                                          									_t123 = E0041B2CC(0x47dfb8, 0, E0041CD1E( &_v28), _t121, 4);
                                                                          									_t123 - 6 = (_t123 != 6) + 1;
                                                                          									E0041D728(E0041CD1E( &_v52), (_t123 != 6) + 1);
                                                                          								} else {
                                                                          									_t131 = E0041CD1E( &_v40);
                                                                          									E0041B2CC(0x47dfb8, 0, E0041CD1E( &_v28), _t131, 0);
                                                                          								}
                                                                          							} else {
                                                                          								if(_t114 != 5) {
                                                                          									__eflags = _t114 - 6;
                                                                          									if(_t114 != 6) {
                                                                          										__eflags = _t114 - 8;
                                                                          										if(_t114 != 8) {
                                                                          											__eflags = _t114 - 9;
                                                                          											if(_t114 != 9) {
                                                                          												__eflags = _t114;
                                                                          												if(_t114 != 0) {
                                                                          													 *(_v8 + 8) = 0;
                                                                          												}
                                                                          												E0041BE35( &_v76, "open");
                                                                          												__eflags =  *_t258 - 3;
                                                                          												if( *_t258 == 3) {
                                                                          													E0041BF12( &_v76, "explore");
                                                                          												}
                                                                          												_t135 = E0041CD1E( &_v52);
                                                                          												_t136 = E0041CD1E( &_v40);
                                                                          												_t137 = E0041CD1E( &_v28);
                                                                          												ShellExecuteA( *(_v8 + 8), E0041CD1E( &_v76), _t137, _t136, _t135, 1);
                                                                          												_t226 =  &_v76;
                                                                          												L36:
                                                                          												E0041BEFB(_t226);
                                                                          												L51:
                                                                          												_t126 =  *((intOrPtr*)(_t258 + 0x2c));
                                                                          												if(_t126 != 0xffffffff) {
                                                                          													 *((intOrPtr*)(_t258 + 0x2c)) = _t126 - 1;
                                                                          												}
                                                                          												E0041BEFB( &_v52);
                                                                          												E0041BEFB( &_v40);
                                                                          												E0041BEFB( &_v28);
                                                                          												goto L54;
                                                                          											}
                                                                          											_t144 = E0041CD1E( &_v40);
                                                                          											E0041D0FD( &_v28, E0041CD1E( &_v28), _t144);
                                                                          											goto L51;
                                                                          										}
                                                                          										E00417B15( &_v132);
                                                                          										E0041BF80( &_v116,  &_v40);
                                                                          										E0041BF80( &_v128,  &_v28);
                                                                          										E0041BF80( &_v104,  &_v52);
                                                                          										_t156 = DialogBoxParamA( *0x47e17c, 0x9a,  *(_v8 + 8), E0040585D,  &_v132);
                                                                          										__eflags = _t156 - 1;
                                                                          										if(_t156 == 1) {
                                                                          											_t158 = E0041CD1E( &_v104);
                                                                          											E0041D0FD( &_v52, E0041CD1E( &_v52), _t158);
                                                                          										}
                                                                          										E00414A20( &_v132);
                                                                          										goto L51;
                                                                          									}
                                                                          									__eflags = _v52;
                                                                          									_v16 = 0;
                                                                          									if(_v52 != 0) {
                                                                          										L31:
                                                                          										_v16 = E0041CD1E( &_v52);
                                                                          										L32:
                                                                          										E0041BDC5( &_v64);
                                                                          										_push(E0041CD1E( &_v40));
                                                                          										_push(E0041CD1E( &_v28));
                                                                          										E0041C467( &_v64, "\"%s\" %s");
                                                                          										_t260 = _t260 + 0x10;
                                                                          										while(1) {
                                                                          											_t169 = E0041BFE3( &_v64, _v64 - 1);
                                                                          											__eflags = _t169 - 0x20;
                                                                          											if(_t169 != 0x20) {
                                                                          												break;
                                                                          											}
                                                                          											E0041C3A9( &_v64, _v64 - 1, 1);
                                                                          										}
                                                                          										E004114E1(E0041CD1E( &_v64), _v16); // executed
                                                                          										_t226 =  &_v64;
                                                                          										goto L36;
                                                                          									}
                                                                          									_t175 = E0041C7DB( &_v28, "\\", 0, 1);
                                                                          									__eflags = _t175 - 0xffffffff;
                                                                          									if(_t175 == 0xffffffff) {
                                                                          										goto L32;
                                                                          									}
                                                                          									E0041BF80( &_v52, E0041CC95( &_v28, 0, _t175));
                                                                          									goto L31;
                                                                          								}
                                                                          								if(( *(_t258 + 0x30) & 0x00000001) != 0 && _a4 != 0xd) {
                                                                          									 *((intOrPtr*)(_t258 + 0x2c)) = 0;
                                                                          									E004145F6(_v8, 0xd);
                                                                          								}
                                                                          								E0041A1B5(1);
                                                                          							}
                                                                          							goto L51;
                                                                          						}
                                                                          						L54:
                                                                          						_v12 = _v12 + 1;
                                                                          						_t281 = _v12 -  *0x47e4f0; // 0x4
                                                                          					} while (_t281 < 0);
                                                                          					goto L56;
                                                                          				}
                                                                          			}






































                                                                          APIs
                                                                            • Part of subcall function 0041BE99: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0042C1D8,00421A71,00000000,00000000,00000000,0042C1D8,00000000,00000001,00000000,00000001,0000005C,00000000,00000000), ref: 0041BEB3
                                                                            • Part of subcall function 0041BE99: GlobalLock.KERNEL32 ref: 0041BED4
                                                                          • DialogBoxParamA.USER32 ref: 00414856
                                                                            • Part of subcall function 0041C7DB: lstrlenA.KERNEL32(0047DFB8,00000000,0047DE94,0042BC5C,0042BC5C,00000000,00000001,0047E6C8,?,0047DFB8), ref: 0041C7E9
                                                                            • Part of subcall function 0041BF80: GlobalUnlock.KERNEL32(?,00000000,00000000,004079C1,00000000), ref: 0041BF87
                                                                            • Part of subcall function 0041BF80: GlobalReAlloc.KERNEL32 ref: 0041BF9B
                                                                            • Part of subcall function 0041BF80: GlobalLock.KERNEL32 ref: 0041BFBC
                                                                          • ShellExecuteA.SHELL32(?,00000000,00000000,00000000,00000000,00000001), ref: 004148FB
                                                                            • Part of subcall function 0041CBF9: lstrlenA.KERNEL32(00000000,00000001,0042DB90,74E06980,0042DB90,?,0041C63B,0042D4D0,00000000,00000000,00000001,00000001), ref: 0041CC0B
                                                                            • Part of subcall function 0041CBF9: lstrlenA.KERNEL32(00000001,?,0041C63B,0042D4D0,00000000,00000000,00000001,00000001), ref: 0041CC12
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                            • Part of subcall function 0041B2CC: MessageBoxA.USER32 ref: 0041B36B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocLocklstrlen$Unlock$DialogExecuteMessageParamShell
                                                                          • String ID: "%s" %s$<\n>$<\r>$<\t>$explore$open$G
                                                                          • API String ID: 1452395284-1601309190
                                                                          • Opcode ID: b32ea6b8dc2e2386d5696beb7c0628860914b136f3fc6d3117ff7bfb37aeea9b
                                                                          • Instruction ID: 1105ea7d2091e7ab335364e9980375d120ac9637aeae49fae9bfff40a707f2e4
                                                                          • Opcode Fuzzy Hash: b32ea6b8dc2e2386d5696beb7c0628860914b136f3fc6d3117ff7bfb37aeea9b
                                                                          • Instruction Fuzzy Hash: 46C15270A40209AACB24EBA1DCD6DEEB7B8EF55748F60052FF112A2191DB385DC5CB58
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 90%
                                                                          			E00421F81(void* __ecx, CHAR* _a4) {
                                                                          				char _v8;
                                                                          				char _v20;
                                                                          				char _v32;
                                                                          				char _v44;
                                                                          				int _t28;
                                                                          				CHAR* _t31;
                                                                          				CHAR* _t41;
                                                                          				CHAR* _t48;
                                                                          				void* _t58;
                                                                          				CHAR* _t61;
                                                                          				CHAR* _t62;
                                                                          				CHAR* _t86;
                                                                          				intOrPtr _t95;
                                                                          
                                                                          				_t95 =  *0x47e19c; // 0x1
                                                                          				if(_t95 == 0) {
                                                                          					_t86 = E00424DD9(0x104);
                                                                          					__eflags = _t86;
                                                                          					if(_t86 == 0) {
                                                                          						E0041D881(E0041CD1E(0x47e924));
                                                                          					}
                                                                          					E00424500(_t86, 0, 0x104);
                                                                          					GetWindowsDirectoryA(_t86, 0x104);
                                                                          					_t28 = lstrlenA(_t86);
                                                                          					__eflags =  *((char*)(_t28 + _t86 - 1)) - 0x5c;
                                                                          					if( *((char*)(_t28 + _t86 - 1)) != 0x5c) {
                                                                          						_t86[lstrlenA(_t86)] = 0x5c;
                                                                          					}
                                                                          					lstrcatA(_t86, "wininit.ini");
                                                                          					E0041BDC5( &_v20);
                                                                          					_t31 = E0041CAC5( &_v20, _t86, 0, 0);
                                                                          					__eflags = _t31;
                                                                          					if(_t31 <= 0) {
                                                                          						L15:
                                                                          						E00424DCE(_t86);
                                                                          						return E0041BEFB( &_v20);
                                                                          					} else {
                                                                          						E0041BE35( &_v32, "NUL=");
                                                                          						_t61 = E00424DD9(0x104);
                                                                          						__eflags = _t61;
                                                                          						if(_t61 == 0) {
                                                                          							E0041D881(E0041CD1E(0x47e924));
                                                                          						}
                                                                          						E00424500(_t61, 0, 0x104);
                                                                          						GetShortPathNameA(_a4, _t61, 0x104);
                                                                          						E0041C047( &_v32, _t61, 0);
                                                                          						E00424DCE(_t61);
                                                                          						_v8 = 0;
                                                                          						_t62 = 0;
                                                                          						__eflags = 0;
                                                                          						E0041BDC5( &_v44);
                                                                          						_push(_v8);
                                                                          						while(1) {
                                                                          							_t41 = E0041C9D2( &_v20);
                                                                          							__eflags = _t41;
                                                                          							if(_t41 == 0) {
                                                                          								break;
                                                                          							}
                                                                          							_t48 = E0041C176(E0041C92F( &_v20,  &_v8,  &_v44), __eflags,  &_v32, 0);
                                                                          							__eflags = _t48;
                                                                          							if(_t48 != 0) {
                                                                          								__eflags = _v8 - _t62;
                                                                          								E0041C3A9( &_v20, _t62, _v8 - _t62);
                                                                          								E0041CE0E( &_v20, _t86);
                                                                          								break;
                                                                          							}
                                                                          							_t62 = _v8;
                                                                          							_push(_t62);
                                                                          						}
                                                                          						E0041BEFB( &_v44);
                                                                          						E0041BEFB( &_v32);
                                                                          						goto L15;
                                                                          					}
                                                                          				}
                                                                          				_t58 = E00421D4B(_a4, 0); // executed
                                                                          				return _t58;
                                                                          			}
















                                                                          0x00000000
                                                                          0x004220d2
                                                                          0x00422012
                                                                          0x00421f96
                                                                          0x00000000

                                                                          APIs
                                                                          • GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,74E5FC30,00000000,?,?,?,?,?,?,?,?,00422FC8,?), ref: 00421FD2
                                                                          • lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,00422FC8,?), ref: 00421FDF
                                                                          • lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,00422FC8,?), ref: 00421FE9
                                                                          • lstrcatA.KERNEL32(00000000,wininit.ini,?,?,?,?,?,?,?,?,00422FC8,?), ref: 00421FF5
                                                                          • GetShortPathNameA.KERNEL32 ref: 00422054
                                                                            • Part of subcall function 00421D4B: RegOpenKeyExA.KERNEL32(80000002,SYSTEM\CurrentControlSet\Control\Session Manager,00000000,0002001F,00000000,00000000,74E5FC30,00000000), ref: 00421D73
                                                                            • Part of subcall function 00421D4B: RegQueryValueExA.KERNEL32(00000000,PendingFileRenameOperations,00000000,00000000,00000000,00000000), ref: 00421D97
                                                                            • Part of subcall function 00421D4B: RegQueryValueExA.ADVAPI32(00000000,PendingFileRenameOperations,00000000,00000000,00422FC8,00000000), ref: 00421DD0
                                                                            • Part of subcall function 00421D4B: RegCloseKey.ADVAPI32(00000000), ref: 00421DF3
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: QueryValuelstrlen$CloseDirectoryNameOpenPathShortWindowslstrcat
                                                                          • String ID: $G$$G$NUL=$wininit.ini
                                                                          • API String ID: 1977061548-1344308195
                                                                          • Opcode ID: c19b345b2d664a0fb17d6cee8ed464d375989861d1c9d259e1e147767dbda658
                                                                          • Instruction ID: 77597a4c33dad6ede26680724295a841512df21fae1a842a703a7e267151be97
                                                                          • Opcode Fuzzy Hash: c19b345b2d664a0fb17d6cee8ed464d375989861d1c9d259e1e147767dbda658
                                                                          • Instruction Fuzzy Hash: 174192B2A00229AACB14BBB2EDC6DFF7B6CDF55358F50002FB20162092DE3C5945C668
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E004158E2(intOrPtr __ecx) {
                                                                          				void* _v8;
                                                                          				char _v268;
                                                                          				void* __esi;
                                                                          				long _t19;
                                                                          				long _t21;
                                                                          				long _t27;
                                                                          				CHAR* _t35;
                                                                          				long _t41;
                                                                          				intOrPtr _t49;
                                                                          				void* _t66;
                                                                          				intOrPtr _t70;
                                                                          				long _t71;
                                                                          
                                                                          				_t70 =  *0x47e58c; // 0x1b
                                                                          				_t49 = __ecx;
                                                                          				if(_t70 != 0) {
                                                                          					L2:
                                                                          					_t72 =  *0x47e18c & 0x00000040;
                                                                          					if(( *0x47e18c & 0x00000040) == 0) {
                                                                          						_t19 = RegOpenKeyExA( *0x47e588, E0041CD1E(0x47e58c), 0, 0x20019,  &_v8); // executed
                                                                          						__eflags = _t19;
                                                                          						if(_t19 == 0) {
                                                                          							__eflags =  *0x47e598; // 0x0
                                                                          							if(__eflags != 0) {
                                                                          								_t21 = RegQueryValueExA(_v8, E0041CD1E(0x47e598), 0, 0, 0, 0);
                                                                          								RegCloseKey(_v8);
                                                                          								__eflags = _t21;
                                                                          								if(_t21 == 0) {
                                                                          									L9:
                                                                          									return E004155D2(_t49, 0, 0);
                                                                          								}
                                                                          								E004229A8( &_v268);
                                                                          								_t27 = E0040DF52( &_v268);
                                                                          								__eflags = _t27;
                                                                          								if(_t27 == 0) {
                                                                          									L15:
                                                                          									return 1;
                                                                          								}
                                                                          								E0041BF12(0x47e688,  &_v268);
                                                                          								E0041C047(0x47e688, ".bak", 0);
                                                                          								CopyFileA( &_v268, E0041CD1E(0x47e688), 0);
                                                                          								_t35 =  &_v268;
                                                                          								L14:
                                                                          								DeleteFileA(_t35);
                                                                          								goto L15;
                                                                          							}
                                                                          							RegCloseKey(_v8);
                                                                          							goto L9;
                                                                          						}
                                                                          						E004229A8( &_v268); // executed
                                                                          						_t41 = E0040DF52( &_v268);
                                                                          						__eflags = _t41;
                                                                          						if(_t41 == 0) {
                                                                          							goto L15;
                                                                          						}
                                                                          						E0041BF12(0x47e688,  &_v268);
                                                                          						E0041C047(0x47e688, ".bak", 0);
                                                                          						CopyFileA( &_v268, E0041CD1E(0x47e688), 0);
                                                                          						_t35 =  &_v268;
                                                                          						goto L14;
                                                                          					}
                                                                          					return E0041B61B(_t49, _t66, _t72);
                                                                          				}
                                                                          				_t71 =  *0x47e598; // 0x0
                                                                          				if(_t71 == 0) {
                                                                          					goto L15;
                                                                          				}
                                                                          				goto L2;
                                                                          			}
















                                                                          APIs
                                                                          • RegOpenKeyExA.KERNEL32(00000000,00000000,00020019,?,?,0047DFB8,00000000), ref: 00415936
                                                                          • CopyFileA.KERNEL32(?,00000000,00000000), ref: 00415996
                                                                          • RegCloseKey.ADVAPI32(?,?,0047DFB8,00000000), ref: 004159B2
                                                                            • Part of subcall function 004229A8: RegOpenKeyExA.KERNEL32(00000000,00020019,00000000,0047DFB8,0047E788), ref: 004229DD
                                                                            • Part of subcall function 004229A8: RegQueryValueExA.ADVAPI32(00000000,Uninstaller,00000000,00000000,?,0047E788), ref: 004229FF
                                                                            • Part of subcall function 004229A8: lstrcpyA.KERNEL32(0047E788,?), ref: 00422A24
                                                                            • Part of subcall function 0041BF12: GlobalUnlock.KERNEL32(0217020C,00000104,00000000,0041929A,00000000), ref: 0041BF19
                                                                            • Part of subcall function 0041BF12: GlobalReAlloc.KERNEL32 ref: 0041BF3B
                                                                            • Part of subcall function 0041BF12: GlobalLock.KERNEL32 ref: 0041BF5C
                                                                            • Part of subcall function 0041C047: lstrlenA.KERNEL32(00000000,00422D86,0047E788,004221EF,103,00000000,00000000,00000000,00000000,0047E788,00000000), ref: 0041C04F
                                                                            • Part of subcall function 0041C047: GlobalUnlock.KERNEL32(8415FF57), ref: 0041C067
                                                                            • Part of subcall function 0041C047: GlobalReAlloc.KERNEL32 ref: 0041C074
                                                                            • Part of subcall function 0041C047: GlobalLock.KERNEL32 ref: 0041C095
                                                                          • RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,?,0047DFB8,00000000), ref: 004159D8
                                                                          • RegCloseKey.ADVAPI32(?,?,0047DFB8,00000000), ref: 004159E3
                                                                          • CopyFileA.KERNEL32(?,00000000,00000000), ref: 00415A3F
                                                                          • DeleteFileA.KERNEL32(?,?,0047DFB8,00000000), ref: 00415A4C
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocFileLockUnlock$CloseCopyOpenQueryValue$Deletelstrcpylstrlen
                                                                          • String ID: .bak
                                                                          • API String ID: 1416132717-2357000809
                                                                          • Opcode ID: 08ca60a45c3ec22fe705449950ea663ad066e449a9e26c8904edd6dda386771a
                                                                          • Instruction ID: 1342aa0dab926122372a12ed8d5b88198d96f9849dab4552937482bddcd53820
                                                                          • Opcode Fuzzy Hash: 08ca60a45c3ec22fe705449950ea663ad066e449a9e26c8904edd6dda386771a
                                                                          • Instruction Fuzzy Hash: C431E270600218EBCB20A7A69C85DEF767D9FD4704F4001BFB44AA2141DF3C4EC29A6D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 87%
                                                                          			E00414E57(intOrPtr _a4) {
                                                                          				char _v16;
                                                                          				char _v28;
                                                                          				char _v40;
                                                                          				void* _t35;
                                                                          				long _t71;
                                                                          				void* _t73;
                                                                          
                                                                          				_t71 = GetTickCount();
                                                                          				E0041BE35( &_v28, _a4);
                                                                          				if(E0041BFE3( &_v28, _v28 - 1) != 0x5c) {
                                                                          					E0041BFF8( &_v28, 0x5c);
                                                                          				}
                                                                          				E0041BDC5( &_v16);
                                                                          				do {
                                                                          					E0041BF12( &_v16, 0x42e0c8);
                                                                          					_push(_t71);
                                                                          					_push(E0041CD1E( &_v28));
                                                                          					E0041C467( &_v16, "%s%d.tmp");
                                                                          					_t73 = _t73 + 0x10;
                                                                          					_t71 = _t71 + 1;
                                                                          				} while (E0040DF52(E0041CD1E( &_v16)) != 0);
                                                                          				_t35 = CreateFileA(E0041CD1E( &_v16), 0x40000000, 0, 0, 2, 0x80, 0); // executed
                                                                          				if(_t35 != 0xffffffff) {
                                                                          					FindCloseChangeNotification(_t35); // executed
                                                                          					DeleteFileA(E0041CD1E( &_v16)); // executed
                                                                          					L8:
                                                                          					E0041BEFB( &_v16);
                                                                          					E0041BEFB( &_v28);
                                                                          					return 1;
                                                                          				}
                                                                          				if(GetLastError() != 5) {
                                                                          					goto L8;
                                                                          				}
                                                                          				E0041BDC5( &_v40);
                                                                          				_push(_a4);
                                                                          				E0041C467( &_v40, "You don\'t have write privilege to directory \'%s\'. Please have your system administrator (or other user with higher privileges) install this software.");
                                                                          				E0041B2A8( *0x47e178, E0041CD1E( &_v40), 0);
                                                                          				E0041BEFB( &_v40);
                                                                          				E0041BEFB( &_v16);
                                                                          				E0041BEFB( &_v28);
                                                                          				return 0;
                                                                          			}










                                                                          APIs
                                                                          • GetTickCount.KERNEL32 ref: 00414E5E
                                                                            • Part of subcall function 0041BE35: lstrlenA.KERNEL32(00000000,0047DFB8,0047F2B8,0041B2F4,Astrum Installer,00000000,0047DFB8,?,0041B2C8,0041CD50,00000000,0041D88F,00000010,?,0041A03B,00000000), ref: 0041BE49
                                                                            • Part of subcall function 0041BE35: GlobalAlloc.KERNEL32(00000042,00000000,?,0041B2C8,0041CD50,00000000,0041D88F,00000010,?,0041A03B,00000000,00000000,00000000,?,0047E924,0041D88F), ref: 0041BE54
                                                                            • Part of subcall function 0041BE35: GlobalLock.KERNEL32 ref: 0041BE75
                                                                          • CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00414EEA
                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,0042E0C8,?,?), ref: 00414EF5
                                                                            • Part of subcall function 0041BFF8: GlobalUnlock.KERNEL32(8415FF57,0047E788,004221E2,00000000,00000000,00000000,0047E788,00000000), ref: 0041C000
                                                                            • Part of subcall function 0041BFF8: GlobalReAlloc.KERNEL32 ref: 0041C00D
                                                                            • Part of subcall function 0041BFF8: GlobalLock.KERNEL32 ref: 0041C02E
                                                                          • FindCloseChangeNotification.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0042E0C8,?,?), ref: 00414F53
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          • DeleteFileA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0042E0C8,?,?), ref: 00414F62
                                                                            • Part of subcall function 0041BEFB: GlobalUnlock.KERNEL32(?,00000000,0041C1E9,00000000,00000010,00000000,0047E4D0,00000000), ref: 0041BF01
                                                                            • Part of subcall function 0041BEFB: GlobalFree.KERNEL32 ref: 0041BF0A
                                                                          Strings
                                                                          • %s%d.tmp, xrefs: 00414EAE
                                                                          • You don't have write privilege to directory '%s'. Please have your system administrator (or other user with higher privileges) install this software., xrefs: 00414F0E
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocLockUnlock$File$ChangeCloseCountCreateDeleteErrorFindFreeLastNotificationTicklstrlen
                                                                          • String ID: %s%d.tmp$You don't have write privilege to directory '%s'. Please have your system administrator (or other user with higher privileges) install this software.
                                                                          • API String ID: 409215279-4254885240
                                                                          • Opcode ID: 4dd871ea1558a27bb0bc6f9293b9cb6e81303aa579d2dada56ab6fabc6f365c3
                                                                          • Instruction ID: c2928e067eda20b2372ff203eb25b86f2129ffeaec6873f0e91b4a6b5d8251e1
                                                                          • Opcode Fuzzy Hash: 4dd871ea1558a27bb0bc6f9293b9cb6e81303aa579d2dada56ab6fabc6f365c3
                                                                          • Instruction Fuzzy Hash: 11314371940119A6CF14F7B2EC96DEE7738DF14308F90416EF502A2191DF385A86CAAC
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 58%
                                                                          			E0040E110(void* __ecx, signed int _a4, intOrPtr _a8) {
                                                                          				struct _ITEMIDLIST* _v8;
                                                                          				long _t14;
                                                                          				_Unknown_base(*)()* _t17;
                                                                          				void* _t18;
                                                                          				int _t20;
                                                                          				signed int _t23;
                                                                          				signed int _t24;
                                                                          
                                                                          				_t14 = SHGetSpecialFolderLocation(0, _a4,  &_v8); // executed
                                                                          				if(_t14 != 0) {
                                                                          					L5:
                                                                          					return 0;
                                                                          				} else {
                                                                          					_t17 = GetProcAddress(LoadLibraryA("SHELL32.DLL"), "SHGetPathFromIDListW");
                                                                          					if(_t17 == 0) {
                                                                          						goto L5;
                                                                          					} else {
                                                                          						_t18 =  *_t17(_v8, _a8, _t23); // executed
                                                                          						_t24 = _t23 & 0xffffff00 | _t18 != 0x00000000;
                                                                          						_a4 = _a4 & 0x00000000;
                                                                          						__imp__SHGetMalloc( &_a4);
                                                                          						_t20 = _a4;
                                                                          						if(_t20 != 0) {
                                                                          							 *((intOrPtr*)( *_t20 + 0x14))(_t20, _v8);
                                                                          						}
                                                                          						return _t24;
                                                                          					}
                                                                          				}
                                                                          			}











                                                                          APIs
                                                                          • SHGetSpecialFolderLocation.SHELL32(00000000,00000081,?,00000081,?,004118E9,00000002,?), ref: 0040E11D
                                                                          • LoadLibraryA.KERNEL32(SHELL32.DLL,?,004118E9,00000002,?), ref: 0040E12C
                                                                          • GetProcAddress.KERNEL32(00000000,SHGetPathFromIDListW), ref: 0040E138
                                                                          • SHGetPathFromIDListW.SHELL32(?,?,00000104,?,004118E9,00000002,?), ref: 0040E149
                                                                          • SHGetMalloc.SHELL32(?), ref: 0040E158
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: AddressFolderFromLibraryListLoadLocationMallocPathProcSpecial
                                                                          • String ID: SHELL32.DLL$SHGetPathFromIDListW
                                                                          • API String ID: 2352187698-3662343678
                                                                          • Opcode ID: 8fc71861e52f366a85564bc4e681427beed619db2cbf639fb9f84344a72cc2fc
                                                                          • Instruction ID: dfdffaa8b940ae14909e32c2bb16bffc942fafb9d917f1c150c9c4fd006f454b
                                                                          • Opcode Fuzzy Hash: 8fc71861e52f366a85564bc4e681427beed619db2cbf639fb9f84344a72cc2fc
                                                                          • Instruction Fuzzy Hash: 4CF04F35301209FBDF119FA1ED49F9F3BACAF04785F5044AAF805E6190DB35CA11AA68
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 92%
                                                                          			E00413399(intOrPtr __ecx, void* _a4, intOrPtr _a8, intOrPtr* _a12, signed int* _a16, char _a20) {
                                                                          				signed char _v8;
                                                                          				signed int _v12;
                                                                          				void* _v16;
                                                                          				intOrPtr _v20;
                                                                          				int _v24;
                                                                          				char _v28;
                                                                          				int _v32;
                                                                          				int _v44;
                                                                          				void* __edi;
                                                                          				void* __ebp;
                                                                          				intOrPtr* _t105;
                                                                          				void* _t108;
                                                                          				long _t117;
                                                                          				signed int _t118;
                                                                          				signed int _t119;
                                                                          				void* _t143;
                                                                          				int _t152;
                                                                          				char* _t153;
                                                                          				long _t155;
                                                                          				signed int* _t156;
                                                                          				signed int _t157;
                                                                          				int _t168;
                                                                          				void* _t173;
                                                                          				signed char _t176;
                                                                          				signed char _t180;
                                                                          				intOrPtr _t187;
                                                                          				signed int* _t189;
                                                                          				int* _t190;
                                                                          				int _t192;
                                                                          				signed int _t202;
                                                                          				signed int _t209;
                                                                          				signed int _t222;
                                                                          				signed int _t230;
                                                                          				signed int _t246;
                                                                          				signed int _t247;
                                                                          				void* _t248;
                                                                          				void* _t249;
                                                                          				void* _t251;
                                                                          				void* _t252;
                                                                          
                                                                          				_t187 = _a8;
                                                                          				_t105 = _t187 + 4;
                                                                          				_t247 = 0;
                                                                          				_v20 = __ecx;
                                                                          				_t253 =  *_t105;
                                                                          				if( *_t105 > 0) {
                                                                          					E0041C0C5( &_a20, _t253, _t105);
                                                                          					E0041BFF8( &_a20, 0x5c);
                                                                          				}
                                                                          				_v16 = _t247;
                                                                          				if( *((intOrPtr*)(_t187 + 0x1c)) <= _t247) {
                                                                          					L39:
                                                                          					_v12 = _t247;
                                                                          					if( *((intOrPtr*)(_t187 + 0x30)) <= _t247) {
                                                                          						L54:
                                                                          						return E0041BEFB( &_a20);
                                                                          					} else {
                                                                          						goto L40;
                                                                          					}
                                                                          					do {
                                                                          						L40:
                                                                          						_t248 = E0041E860(_t187 + 0x24, _v12);
                                                                          						_t108 = E00412BA7( *((intOrPtr*)(_t187 + 0x40)));
                                                                          						_t265 = _t108;
                                                                          						if(_t108 != 0) {
                                                                          							_t65 = _t248 + 4; // 0x4
                                                                          							_t188 = _t65;
                                                                          							E004164B1(0x47dfb8, _t265, _t65);
                                                                          							E0041A81A(_t265, _t65);
                                                                          							E0041B3B9(0x47dfb8, _t65, 0x7fffffff);
                                                                          							_t117 = RegCreateKeyExA(_a4, E0041CD1E(_t188), 0, 0, 0, 0x2001f, 0,  &_v16,  &_v24); // executed
                                                                          							if(_t117 == 0 || RegCreateKeyExA(_a4, E0041CD1E(_t188), 0, 0, 0, 0x20006, 0,  &_v16,  &_v24) == 0 || RegCreateKeyExA(_a4, E0041CD1E(_t188), 0, 0, 0, 0x20019, 0,  &_v16,  &_v24) == 0) {
                                                                          								_t189 = _a16;
                                                                          								 *_t189 =  *_t189 + 1;
                                                                          								_t202 =  *0x47e490; // 0xc
                                                                          								_t118 =  *_t189;
                                                                          								__eflags = _t202;
                                                                          								if(_t202 > 0) {
                                                                          									__eflags = _t118 * 0x64 % _t202;
                                                                          									E00414C1B(_t118 * 0x64 % _t202, _t248, _t251, _t118 * 0x64 / _t202, 0);
                                                                          								}
                                                                          								_t119 = 1;
                                                                          								__eflags = _v24 - _t119;
                                                                          								if(_v24 != _t119) {
                                                                          									_t90 = _t248 + 0x38;
                                                                          									 *_t90 =  *(_t248 + 0x38) & 0x00000000;
                                                                          									__eflags =  *_t90;
                                                                          								} else {
                                                                          									 *(_t248 + 0x38) = _t119;
                                                                          								}
                                                                          								_t92 = _t248 + 0x38;
                                                                          								 *_t92 =  *(_t248 + 0x38) | 0x00000002;
                                                                          								__eflags =  *_t92;
                                                                          								_t252 = _t252 - 0xc;
                                                                          								E0041BE99(_t252,  &_a20);
                                                                          								_push(_t189);
                                                                          								_push(_a12);
                                                                          								_push(_t248);
                                                                          								_push(_v16);
                                                                          								E00413399(_v20); // executed
                                                                          								RegCloseKey(_v16);
                                                                          							} else {
                                                                          								 *_a16 =  *_a16 + 1;
                                                                          								 *_a12 =  *_a12 + 1;
                                                                          								_t209 =  *0x47e490; // 0xc
                                                                          								if(_t209 > 0) {
                                                                          									E00414C1B( *_t137 * 0x64 % _t209, _t248, _t251,  *_t137 * 0x64 / _t209, 0);
                                                                          								}
                                                                          							}
                                                                          							_t187 = _a8;
                                                                          						}
                                                                          						_v12 = _v12 + 1;
                                                                          					} while (_v12 <  *((intOrPtr*)(_t187 + 0x30)));
                                                                          					goto L54;
                                                                          				} else {
                                                                          					goto L3;
                                                                          				}
                                                                          				do {
                                                                          					L3:
                                                                          					_t249 = E0041E860(_t187 + 0x10, _v16);
                                                                          					_t143 = E00412BA7( *((intOrPtr*)(_t249 + 0x24)));
                                                                          					_t255 = _t143;
                                                                          					if(_t143 == 0) {
                                                                          						goto L37;
                                                                          					}
                                                                          					E004164B1(0x47dfb8, _t255, _t249);
                                                                          					_t11 = _t249 + 0xc; // 0xc
                                                                          					_t190 = _t11;
                                                                          					E004164B1(0x47dfb8, _t255, _t190);
                                                                          					E0041A81A(_t255, _t249);
                                                                          					E0041A81A(_t255, _t190); // executed
                                                                          					E0041B3B9(0x47dfb8, _t249, 0x7fffffff);
                                                                          					E0041B3B9(0x47dfb8, _t190, 0x7fffffff);
                                                                          					E0041BDC5( &_v44);
                                                                          					_t152 =  *(_t249 + 0x18);
                                                                          					if(_t152 == 1 || _t152 == 2) {
                                                                          						L30:
                                                                          						_t153 = E0041CD1E(_t190);
                                                                          						_t192 =  *_t190 + 1;
                                                                          						__eflags = _t192;
                                                                          						goto L31;
                                                                          					} else {
                                                                          						if(_t152 != 4) {
                                                                          							__eflags = _t152 - 3;
                                                                          							if(__eflags != 0) {
                                                                          								E0041CBF9(_t190, __eflags, "<\\0>", 0x42c1f0, 0, 0, 1);
                                                                          								E0041CBC9(_t190, __eflags, 1, 0, 0, 0);
                                                                          								_t168 = E0041BFE3(_t190,  *_t190 - 1);
                                                                          								__eflags = _t168;
                                                                          								if(_t168 != 0) {
                                                                          									E0041BFF8(_t190, 0);
                                                                          								}
                                                                          								goto L30;
                                                                          							}
                                                                          							_v12 = _v12 & 0x00000000;
                                                                          							__eflags =  *_t190;
                                                                          							if( *_t190 <= 0) {
                                                                          								L27:
                                                                          								_t153 = E0041CD1E( &_v44);
                                                                          								_t192 = _v44;
                                                                          								goto L31;
                                                                          							} else {
                                                                          								goto L10;
                                                                          							}
                                                                          							do {
                                                                          								L10:
                                                                          								_t230 = 3;
                                                                          								_t246 = _v12 % _t230;
                                                                          								__eflags = _t246 - 2;
                                                                          								_v32 = _t246;
                                                                          								if(_t246 == 2) {
                                                                          									goto L26;
                                                                          								}
                                                                          								_t173 = E0041BFE3(_t190, _v12);
                                                                          								__eflags = _t173 - 0x30;
                                                                          								if(_t173 < 0x30) {
                                                                          									L14:
                                                                          									__eflags = _t173 - 0x41;
                                                                          									if(_t173 < 0x41) {
                                                                          										L17:
                                                                          										__eflags = _t173 - 0x61;
                                                                          										if(_t173 < 0x61) {
                                                                          											L21:
                                                                          											E0041BF12( &_v44, 0x42e0c8);
                                                                          											E0041CD1E( &_v44);
                                                                          											L22:
                                                                          											_t176 = _v8;
                                                                          											L23:
                                                                          											__eflags = _v32;
                                                                          											if(_v32 != 0) {
                                                                          												_t32 =  &_v24;
                                                                          												 *_t32 = _v24 + _t176;
                                                                          												__eflags =  *_t32;
                                                                          												E0041BFF8( &_v44, _v24);
                                                                          											} else {
                                                                          												_v24 = _t176 << 4;
                                                                          											}
                                                                          											goto L26;
                                                                          										}
                                                                          										__eflags = _t173 - 0x66;
                                                                          										if(_t173 > 0x66) {
                                                                          											goto L21;
                                                                          										}
                                                                          										_t180 = _t173 - 0x57;
                                                                          										__eflags = _t180;
                                                                          										L20:
                                                                          										_v8 = _t180;
                                                                          										goto L22;
                                                                          									}
                                                                          									__eflags = _t173 - 0x46;
                                                                          									if(_t173 > 0x46) {
                                                                          										goto L17;
                                                                          									}
                                                                          									_t180 = _t173 - 0x37;
                                                                          									goto L20;
                                                                          								}
                                                                          								__eflags = _t173 - 0x39;
                                                                          								if(_t173 > 0x39) {
                                                                          									goto L14;
                                                                          								}
                                                                          								_t176 = _t173 - 0x30;
                                                                          								_v8 = _t176;
                                                                          								goto L23;
                                                                          								L26:
                                                                          								_v12 = _v12 + 1;
                                                                          								__eflags = _v12 -  *_t190;
                                                                          							} while (_v12 <  *_t190);
                                                                          							goto L27;
                                                                          						} else {
                                                                          							_v28 = E00424FC3(_t190, E0041CD1E(_t190));
                                                                          							_t153 =  &_v28;
                                                                          							_t192 = 4;
                                                                          							L31:
                                                                          							_t155 = RegSetValueExA(_a4, E0041CD1E(_t249), 0,  *(_t249 + 0x18), _t153, _t192); // executed
                                                                          							if(_t155 == 0) {
                                                                          								 *(_t249 + 0x1c) = 1;
                                                                          							} else {
                                                                          								 *_a12 =  *_a12 + 1;
                                                                          								 *(_t249 + 0x1c) = 0;
                                                                          							}
                                                                          							_t156 = _a16;
                                                                          							 *(_t249 + 0x1c) =  *(_t249 + 0x1c) | 0x00000002;
                                                                          							 *_t156 =  *_t156 + 1;
                                                                          							_t222 =  *0x47e490; // 0xc
                                                                          							_t157 =  *_t156;
                                                                          							if(_t222 > 0) {
                                                                          								E00414C1B(_t157 * 0x64 % _t222, _t249, _t251, _t157 * 0x64 / _t222, 0);
                                                                          							}
                                                                          							E0041BEFB( &_v44);
                                                                          							_t187 = _a8;
                                                                          							goto L37;
                                                                          						}
                                                                          					}
                                                                          					L37:
                                                                          					_v16 = _v16 + 1;
                                                                          				} while (_v16 <  *((intOrPtr*)(_t187 + 0x1c)));
                                                                          				_t247 = 0;
                                                                          				goto L39;
                                                                          			}

                                                                          APIs
                                                                          • RegSetValueExA.KERNEL32(?,00000000,00000000,?,00000000,?,0000000C,7FFFFFFF,00000000,7FFFFFFF,0000000C,00000000,0000000C,00000000,?,76908BA0), ref: 0041357F
                                                                            • Part of subcall function 0041C0C5: GlobalUnlock.KERNEL32(?,00000000,0047E380,?,00421CA7,00000004,?,00000000,00000000,00000000,0047E490,0047E788,0047E380,0047E788,?,00422453), ref: 0041C0DE
                                                                            • Part of subcall function 0041C0C5: GlobalReAlloc.KERNEL32 ref: 0041C0EB
                                                                            • Part of subcall function 0041C0C5: GlobalLock.KERNEL32 ref: 0041C10C
                                                                            • Part of subcall function 0041BFF8: GlobalUnlock.KERNEL32(8415FF57,0047E788,004221E2,00000000,00000000,00000000,0047E788,00000000), ref: 0041C000
                                                                            • Part of subcall function 0041BFF8: GlobalReAlloc.KERNEL32 ref: 0041C00D
                                                                            • Part of subcall function 0041BFF8: GlobalLock.KERNEL32 ref: 0041C02E
                                                                          • RegCreateKeyExA.KERNEL32(?,00000000,00000000,00000000,00000000,0002001F,00000000,?,?,00000004,7FFFFFFF,00000004,00000004,?,76908BA0,0047E880), ref: 00413644
                                                                          • RegCreateKeyExA.ADVAPI32(?,00000000,00000000,00000000,00000000,00020006,00000000,?,?,?,?,?,769048C0,0041261C,?,?), ref: 0041366C
                                                                          • RegCreateKeyExA.ADVAPI32(?,00000000,00000000,00000000,00000000,00020019,00000000,?,?,?,?,?,769048C0,0041261C,?,?), ref: 00413694
                                                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,769048C0,0041261C,?,?,?,?,?,0047DFB8,?,00000000,0041520C), ref: 00413721
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$Create$AllocLockUnlock$CloseValue
                                                                          • String ID: <\0>
                                                                          • API String ID: 1559821772-3761792137
                                                                          • Opcode ID: 1e44c12d3141eaf93ce3f9a38760ec2083d20e5ef8763f70ce3a285e504954af
                                                                          • Instruction ID: 2f0f564a490fdef3454958fd33de17c8413e31ca42576e57c851ba0932c96666
                                                                          • Opcode Fuzzy Hash: 1e44c12d3141eaf93ce3f9a38760ec2083d20e5ef8763f70ce3a285e504954af
                                                                          • Instruction Fuzzy Hash: CDB17070A00109BBDF14EF66CC85AFE7779EB44745F10446FE802E6292CB389A86CA58
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 89%
                                                                          			E00419EB2(void* __edi, void* __eflags) {
                                                                          				void* _v8;
                                                                          				char _v20;
                                                                          				int _v24;
                                                                          				struct _PROCESS_INFORMATION _v40;
                                                                          				struct _STARTUPINFOA _v108;
                                                                          				void _v419;
                                                                          				char _v420;
                                                                          				int _t26;
                                                                          				long _t31;
                                                                          				CHAR* _t49;
                                                                          				signed int _t51;
                                                                          				long _t64;
                                                                          
                                                                          				_t49 = 0;
                                                                          				_v8 = 0;
                                                                          				_t26 = RegOpenKeyExA( *0x47e588, E0041CD1E(0x47e58c), 0, 0x20019,  &_v8); // executed
                                                                          				if(_t26 != 0) {
                                                                          					L2:
                                                                          					return 0;
                                                                          				}
                                                                          				_t51 = 0x4d;
                                                                          				_v420 = 0;
                                                                          				_v24 = 0x136;
                                                                          				memset( &_v419, _t26, _t51 << 2);
                                                                          				asm("stosb");
                                                                          				_t31 = RegQueryValueExA(_v8, "AutorunCommand", 0, 0,  &_v420,  &_v24);
                                                                          				RegCloseKey(_v8);
                                                                          				if(_t31 == 0) {
                                                                          					E0041BE35( &_v20,  &_v420);
                                                                          					if(E0041BFE3( &_v20, 0) != 0x22) {
                                                                          						E0041CA01(0x22, 0);
                                                                          						E0041BFF8( &_v20, 0x22);
                                                                          					}
                                                                          					_t64 = 0x44;
                                                                          					E00424500( &_v108, _t49, _t64);
                                                                          					_v108.cb = _t64;
                                                                          					E00424500( &_v40, _t49, 0x10);
                                                                          					if(CreateProcessA(_t49, E0041CD1E( &_v20), _t49, _t49, _t49, 0x4000000, _t49, _t49,  &_v108,  &_v40) != 0) {
                                                                          						CloseHandle(_v40);
                                                                          						_t49 = 1;
                                                                          					}
                                                                          					E0041BEFB( &_v20);
                                                                          					return _t49;
                                                                          				}
                                                                          				goto L2;
                                                                          			}

                                                                          APIs
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          • RegOpenKeyExA.KERNEL32(00000000,00000000,00020019,?,0047DFB8), ref: 00419EDD
                                                                          • RegQueryValueExA.ADVAPI32(?,AutorunCommand,00000000,00000000,?,00000136), ref: 00419F16
                                                                          • RegCloseKey.ADVAPI32(?), ref: 00419F21
                                                                          • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000000,00000000,00000000,?,?,?,?,?,00000000,?), ref: 00419FA0
                                                                          • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00419FAD
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$Close$AllocCreateHandleLockOpenProcessQueryUnlockValue
                                                                          • String ID: AutorunCommand
                                                                          • API String ID: 1534462961-524555554
                                                                          • Opcode ID: 356a647b93b262bc02b6de906de0307610b2515476185d37be7defd4c496741e
                                                                          • Instruction ID: 45c70dd0ee7c2c5c157e3503934c4b3842aff91b93e299f74d0a38b54150a939
                                                                          • Opcode Fuzzy Hash: 356a647b93b262bc02b6de906de0307610b2515476185d37be7defd4c496741e
                                                                          • Instruction Fuzzy Hash: E7317071A4121CBEEB11EBA1DC85EEFB77CEB04348F40046AF105A2191EB355E46CA69
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 73%
                                                                          			E0041DAE7(void* _a4, int _a8, char* _a12, signed int _a16) {
                                                                          				signed int _t16;
                                                                          				long _t18;
                                                                          				void* _t19;
                                                                          				long _t21;
                                                                          				long _t29;
                                                                          				char* _t36;
                                                                          
                                                                          				_t16 = _a16;
                                                                          				if(_t16 == 0) {
                                                                          					return _t16 | 0xffffffff;
                                                                          				}
                                                                          				 *_t16 = 0;
                                                                          				_t18 = RegOpenKeyExA(_a4, _a8, 0, 1,  &_a4); // executed
                                                                          				if(_t18 != 0) {
                                                                          					_push(0xfffffffc);
                                                                          				} else {
                                                                          					_a8 = 0;
                                                                          					_t21 = RegQueryValueExA(_a4, _a12, 0, 0, 0,  &_a8); // executed
                                                                          					if(_t21 != 0) {
                                                                          						_push(0xfffffffd);
                                                                          					} else {
                                                                          						_t36 = E00424DD9(_a8 + 1);
                                                                          						if(_t36 == 0) {
                                                                          							E0041D881(E0041CD1E(0x47e924));
                                                                          						}
                                                                          						E00424500(_t36, 0,  &(_a8[1]));
                                                                          						_t29 = RegQueryValueExA(_a4, _a12, 0, 0, _t36,  &_a8); // executed
                                                                          						if(_t29 != 0) {
                                                                          							E00424DCE(_t36);
                                                                          							_push(0xfffffffe);
                                                                          						} else {
                                                                          							 *_a16 = _t36; // executed
                                                                          							RegCloseKey(_a4); // executed
                                                                          							_push(1);
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          				_pop(_t19);
                                                                          				return _t19;
                                                                          			}

                                                                          APIs
                                                                          • RegOpenKeyExA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000020,00000000,00000000,?,0041AE3A,00000000,00000000,7FFFFFFF,7FFFFFFF,7FFFFFFF,0000000D), ref: 0041DB0D
                                                                          • RegQueryValueExA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,0041AE3A,00000000,00000000,7FFFFFFF,7FFFFFFF,7FFFFFFF,0000000D,00000000,00000000), ref: 0041DB31
                                                                          • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0041DB75
                                                                          • RegCloseKey.KERNEL32(?), ref: 0041DB83
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: QueryValue$CloseOpen
                                                                          • String ID: $G
                                                                          • API String ID: 1586453840-195990108
                                                                          • Opcode ID: 8547bf2eccfc9803a6ea741f39ad0e586afbdc04502b290910525e8f85405c75
                                                                          • Instruction ID: 6feac726a0c399204c17f1fea59bfd65b2e621c23acb991bed09306465f74e76
                                                                          • Opcode Fuzzy Hash: 8547bf2eccfc9803a6ea741f39ad0e586afbdc04502b290910525e8f85405c75
                                                                          • Instruction Fuzzy Hash: 8521D1F2608228BFDF109F55EC44EEB3F1CEF053B4B114226F92AC6191D634D9818BA4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E004111C2(void* __ecx, long _a4, void* _a8, long _a12, intOrPtr* _a16) {
                                                                          				long _v8;
                                                                          				long _t26;
                                                                          				int _t28;
                                                                          				long _t30;
                                                                          				void* _t31;
                                                                          				intOrPtr _t32;
                                                                          				long _t36;
                                                                          				intOrPtr* _t42;
                                                                          				intOrPtr _t45;
                                                                          				intOrPtr _t47;
                                                                          				long _t48;
                                                                          				intOrPtr _t49;
                                                                          				intOrPtr _t52;
                                                                          				long _t54;
                                                                          				intOrPtr _t58;
                                                                          				intOrPtr _t60;
                                                                          				long _t62;
                                                                          				long _t64;
                                                                          				void** _t66;
                                                                          
                                                                          				_t66 = _a4;
                                                                          				_v8 = 0;
                                                                          				_t26 = SetFilePointer( *_t66, 0,  &_v8, 1);
                                                                          				_t45 =  *0x42bf9c; // 0x1
                                                                          				_t58 =  *0x47f28c; // 0x2070010
                                                                          				_t62 = _a12;
                                                                          				_a4 = 0;
                                                                          				_a12 = _t62;
                                                                          				_t47 =  *((intOrPtr*)(_t58 + (_t45 -  *0x47f21c) * 4));
                                                                          				if(_t47 < _t26 + _t62) {
                                                                          					_a12 = _t47 - _t26;
                                                                          				}
                                                                          				_t28 = ReadFile( *_t66, _a8, _a12,  &_a4, 0); // executed
                                                                          				_t42 = _a16;
                                                                          				_t48 = _a4;
                                                                          				 *_t42 = _t48;
                                                                          				if(_t28 != 0 && _t48 < _t62) {
                                                                          					_t32 =  *0x42bf9c; // 0x1
                                                                          					_t49 =  *0x47e290; // 0x1
                                                                          					if(_t32 -  *0x47f21c < _t49 - 1) {
                                                                          						CloseHandle( *_t66);
                                                                          						E00413A88(0x47e880, _t66);
                                                                          						_t52 =  *0x42bf9c; // 0x1
                                                                          						_t60 =  *0x47f28c; // 0x2070010
                                                                          						_t36 = _a4;
                                                                          						_t64 = _t62 - _t36;
                                                                          						_t54 =  *(_t60 + (_t52 -  *0x47f21c) * 4);
                                                                          						if(_t54 < _t64) {
                                                                          							_t64 = _t54;
                                                                          						}
                                                                          						ReadFile( *_t66, _t36 + _a8, _t64,  &_a4, 0);
                                                                          						 *_t42 =  *_t42 + _a4;
                                                                          					}
                                                                          				}
                                                                          				_v8 = _v8 & 0x00000000;
                                                                          				_t30 = SetFilePointer( *_t66, 0,  &_v8, 1); // executed
                                                                          				 *0x47f200 = _t30;
                                                                          				_t31 = 1;
                                                                          				return _t31;
                                                                          			}

                                                                          APIs
                                                                          • SetFilePointer.KERNEL32(?,00000000,00000000,00000001,00000000,00000000,00000000,?,?,00405157,0042E1FC,0042E200,00008000,00000000), ref: 004111DA
                                                                          • ReadFile.KERNEL32(?,00000001,0047E1B8,?,00000000,?,?,00405157,0042E1FC,0042E200,00008000,00000000,?,?,00401C31,00000000), ref: 00411217
                                                                          • CloseHandle.KERNEL32(?,?,?,00405157,0042E1FC,0042E200,00008000,00000000,?,?,00401C31,00000000,00000000,00000000,00000000), ref: 00411245
                                                                          • ReadFile.KERNEL32(?,?,0047E1B8,?,00000000,?,?,?,00405157,0042E1FC,0042E200,00008000,00000000,?,?,00401C31), ref: 00411285
                                                                          • SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,?,00405157,0042E1FC,0042E200,00008000,00000000,?,?,00401C31,00000000,00000000), ref: 0041129E
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: File$PointerRead$CloseHandle
                                                                          • String ID:
                                                                          • API String ID: 3662329253-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 88%
                                                                          			E0041455E(CHAR* _a4, intOrPtr _a8) {
                                                                          				void* _t20;
                                                                          				long _t21;
                                                                          				int _t22;
                                                                          				signed char _t29;
                                                                          				signed char _t30;
                                                                          				void* _t37;
                                                                          				intOrPtr _t38;
                                                                          
                                                                          				_t20 = CreateFileA(_a4, 0xc0000000, 1, 0, 3, 0x80, 0); // executed
                                                                          				_t38 = _a8;
                                                                          				_t37 = _t20;
                                                                          				if(_t37 != 0xffffffff) {
                                                                          					_t23 =  *(_t38 + 8);
                                                                          					asm("sbb ecx, ecx");
                                                                          					asm("sbb eax, eax");
                                                                          					SetFileTime(_t37,  ~( *(_t38 + 8) & 0x00000008) & _t38 + 0x00000018, 0,  ~(_t23 & 0x00000010) & _t38 + 0x00000010); // executed
                                                                          					CloseHandle(_t37);
                                                                          				}
                                                                          				_t21 = GetFileAttributesA(_a4); // executed
                                                                          				_t29 =  *(_t38 + 8);
                                                                          				if((_t29 & 0x00000002) == 0 || (_t29 & 0x00000004) == 0) {
                                                                          					_t30 =  *(_t38 + 0xc);
                                                                          					_t21 = _t21 & 0x000000dc;
                                                                          					if((_t30 & 0x00000004) != 0) {
                                                                          						_t21 = _t21 | 0x00000002;
                                                                          					}
                                                                          					if((_t30 & 0x00000008) != 0) {
                                                                          						_t21 = _t21 | 0x00000020;
                                                                          					}
                                                                          					if((_t30 & 0x00000010) != 0) {
                                                                          						_t21 = _t21 | 0x00000001;
                                                                          					}
                                                                          				}
                                                                          				_t22 = SetFileAttributesA(_a4, _t21); // executed
                                                                          				return _t22;
                                                                          			}

                                                                          APIs
                                                                          • CreateFileA.KERNEL32(?,C0000000,00000001,00000000,00000003,00000080,00000000,00000001,00000000,004123AB,00000000,?,00000000,00000000,00000000,00000000), ref: 00414576
                                                                          • SetFileTime.KERNEL32(00000000,?,00000000,?), ref: 004145A8
                                                                          • CloseHandle.KERNEL32(00000000), ref: 004145AF
                                                                          • GetFileAttributesA.KERNEL32(?), ref: 004145B9
                                                                          • SetFileAttributesA.KERNEL32(?,00000000), ref: 004145EB
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: File$Attributes$CloseCreateHandleTime
                                                                          • String ID:
                                                                          • API String ID: 2679023027-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 95%
                                                                          			E00415A59(intOrPtr __ecx, void* __eflags, void* _a4, intOrPtr _a8, char _a11, char* _a12, int _a16) {
                                                                          				void* _v8;
                                                                          				long _v12;
                                                                          				char* _v16;
                                                                          				intOrPtr _v20;
                                                                          				char _v32;
                                                                          				char _v44;
                                                                          				char* _t52;
                                                                          				long _t53;
                                                                          				int _t54;
                                                                          				int _t62;
                                                                          				int* _t86;
                                                                          				signed int _t88;
                                                                          				intOrPtr _t109;
                                                                          				void* _t110;
                                                                          				char* _t111;
                                                                          
                                                                          				_t109 = _a8;
                                                                          				_v20 = __ecx;
                                                                          				_t86 = _t109 + 4;
                                                                          				_t52 = E0041CD1E(_t86);
                                                                          				_v16 = _t52;
                                                                          				_t53 = RegOpenKeyExA(_a4, _t52, 0, 0x20006,  &_v8); // executed
                                                                          				_t111 = _a12;
                                                                          				_v12 = _t53;
                                                                          				if( *_t86 > 0) {
                                                                          					E0041E87A(_t111, _v16, 0xffffffff);
                                                                          				}
                                                                          				_a11 = _v12 == 5;
                                                                          				_t54 = 0;
                                                                          				if(_v12 == 0) {
                                                                          					L14:
                                                                          					__eflags = _a11;
                                                                          					if(_a11 == 0) {
                                                                          						L16:
                                                                          						__eflags =  *((intOrPtr*)(_t109 + 0x30)) - _t54;
                                                                          						_a16 = _t54;
                                                                          						if( *((intOrPtr*)(_t109 + 0x30)) <= _t54) {
                                                                          							L20:
                                                                          							RegCloseKey(_v8); // executed
                                                                          							__eflags =  *_t86;
                                                                          							goto L21;
                                                                          						}
                                                                          						__eflags = _a11;
                                                                          						_t39 =  &_a4;
                                                                          						 *_t39 = _a11 == 0;
                                                                          						__eflags =  *_t39;
                                                                          						while(1) {
                                                                          							_t62 = E00415A59(_v20, __eflags, _v8, E0041E860(_t109 + 0x24, _a16), _t111, _a4); // executed
                                                                          							__eflags = _t62;
                                                                          							if(_t62 == 0) {
                                                                          								break;
                                                                          							}
                                                                          							_a16 = _a16 + 1;
                                                                          							__eflags = _a16 -  *((intOrPtr*)(_t109 + 0x30));
                                                                          							if(_a16 <  *((intOrPtr*)(_t109 + 0x30))) {
                                                                          								continue;
                                                                          							}
                                                                          							goto L20;
                                                                          						}
                                                                          						RegCloseKey(_v8);
                                                                          						goto L10;
                                                                          					}
                                                                          					_t54 = RegOpenKeyExA(_a4, _v16, _t54, 0x20019,  &_v8);
                                                                          					__eflags = _t54;
                                                                          					if(_t54 != 0) {
                                                                          						goto L10;
                                                                          					}
                                                                          					goto L16;
                                                                          				} else {
                                                                          					if(_a11 == 0) {
                                                                          						__eflags = _v12 - 2;
                                                                          						if(_v12 != 2) {
                                                                          							L13:
                                                                          							__eflags =  *_t86 - _t54;
                                                                          							L21:
                                                                          							if(__eflags > 0) {
                                                                          								__eflags =  *((intOrPtr*)(_t111 + 0xc)) - 1;
                                                                          								E0041E9EA(_t111, E0041E860(_t111,  *((intOrPtr*)(_t111 + 0xc)) - 1));
                                                                          							}
                                                                          							return 1;
                                                                          						}
                                                                          						__eflags = _a16;
                                                                          						if(_a16 == 0) {
                                                                          							L5:
                                                                          							E0041BDC5( &_v44);
                                                                          							E0041BDC5( &_v32);
                                                                          							_t110 = 0;
                                                                          							_t88 = 0 | _a11 == 0x00000000;
                                                                          							if( *((intOrPtr*)(_t111 + 0xc)) - _t88 <= 0) {
                                                                          								L9:
                                                                          								_push(E0041CD1E( &_v32));
                                                                          								E0041C467( &_v44, E0041CD1E(0x47e890));
                                                                          								E0041B2CC(0x47dfb8, 0, E0041CD1E( &_v44), 0, 0);
                                                                          								E0041BEFB( &_v32);
                                                                          								E0041BEFB( &_v44);
                                                                          								L10:
                                                                          								return 0;
                                                                          							} else {
                                                                          								goto L6;
                                                                          							}
                                                                          							do {
                                                                          								L6:
                                                                          								E0041C047( &_v32, E0041E860(_t111, _t110), 0);
                                                                          								_t110 = _t110 + 1;
                                                                          								if(_t110 !=  *((intOrPtr*)(_t111 + 0xc)) - _t88) {
                                                                          									E0041BFF8( &_v32, 0x5c);
                                                                          								}
                                                                          							} while (_t110 <  *((intOrPtr*)(_t111 + 0xc)) - _t88);
                                                                          							goto L9;
                                                                          						}
                                                                          						goto L13;
                                                                          					}
                                                                          					if( *((intOrPtr*)(_t109 + 0x1c)) == 0) {
                                                                          						goto L14;
                                                                          					}
                                                                          					goto L5;
                                                                          				}
                                                                          			}



















                                                                          APIs
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          • RegOpenKeyExA.KERNEL32(?,00000000,00000000,00020006,0047DFB8,0047DFB8,0047E380,00000000,0041BB74,0047E380,0047E380,?,00000000,00000000,000000FF,HKEY_USERS), ref: 00415A84
                                                                            • Part of subcall function 0041E87A: GlobalUnlock.KERNEL32(00000000,00000000,0047E4D0,00407A66,00000000,000000FF), ref: 0041E899
                                                                            • Part of subcall function 0041E87A: GlobalReAlloc.KERNEL32 ref: 0041E8AE
                                                                            • Part of subcall function 0041E87A: GlobalLock.KERNEL32 ref: 0041E8B8
                                                                          • RegOpenKeyExA.ADVAPI32(00000005,?,00000000,00020019,0047DFB8), ref: 00415B92
                                                                          • RegCloseKey.KERNEL32(0047DFB8), ref: 00415BD9
                                                                          • RegCloseKey.ADVAPI32(0047DFB8,00000005,00000005), ref: 00415C04
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocCloseLockOpenUnlock
                                                                          • String ID:
                                                                          • API String ID: 881642839-0
                                                                          • Opcode ID: f3c6f8124622fcd55c1765f062e7bfd10f6d675911e2c533d8208ea5bb27512d
                                                                          • Instruction ID: 546902de1e45ab1e86f28b1f82b87d02cc3b91e633f15d591abc38803a8bd178
                                                                          • Opcode Fuzzy Hash: f3c6f8124622fcd55c1765f062e7bfd10f6d675911e2c533d8208ea5bb27512d
                                                                          • Instruction Fuzzy Hash: 8651A431A00609EFCF21EFA5DC85AEEBB75EF44344F10406EF405A6191DB38AE85CB58
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 35%
                                                                          			E0040DB2C(void* __eax, intOrPtr _a4, char* _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr _a24, intOrPtr* _a28) {
                                                                          				void* _v8;
                                                                          				void* _v12;
                                                                          				short _v532;
                                                                          				char* _t26;
                                                                          				intOrPtr* _t28;
                                                                          				intOrPtr* _t30;
                                                                          				intOrPtr* _t32;
                                                                          				intOrPtr* _t35;
                                                                          				intOrPtr* _t37;
                                                                          				intOrPtr* _t39;
                                                                          				intOrPtr* _t41;
                                                                          				int _t45;
                                                                          				intOrPtr* _t48;
                                                                          				intOrPtr* _t49;
                                                                          				intOrPtr* _t50;
                                                                          				intOrPtr* _t52;
                                                                          
                                                                          				_t45 = 0;
                                                                          				__imp__CoInitialize(0); // executed
                                                                          				if(__eax < 0) {
                                                                          					return 0;
                                                                          				}
                                                                          				_t26 =  &_v8;
                                                                          				__imp__CoCreateInstance(0x428788, 0, 1, 0x428798, _t26); // executed
                                                                          				if(_t26 == 0) {
                                                                          					_t28 = _v8;
                                                                          					_push( &_v12);
                                                                          					_push(0x4287a8);
                                                                          					_push(_t28);
                                                                          					if( *((intOrPtr*)( *_t28))() == 0) {
                                                                          						_t30 = _v8;
                                                                          						 *((intOrPtr*)( *_t30 + 0x50))(_t30, _a4);
                                                                          						_t32 = _a16;
                                                                          						if( *_t32 != 0) {
                                                                          							_t52 = _v8;
                                                                          							 *((intOrPtr*)( *_t52 + 0x24))(_t52, _t32);
                                                                          						}
                                                                          						_t48 = _a20;
                                                                          						if( *_t48 != _t45) {
                                                                          							_t41 = _v8;
                                                                          							 *((intOrPtr*)( *_t41 + 0x44))(_t41, _t48, _a24);
                                                                          						}
                                                                          						_t49 = _a12;
                                                                          						if( *_t49 != _t45) {
                                                                          							_t39 = _v8;
                                                                          							 *((intOrPtr*)( *_t39 + 0x1c))(_t39, _t49);
                                                                          						}
                                                                          						_t50 = _a28;
                                                                          						if( *_t50 != _t45) {
                                                                          							_t37 = _v8;
                                                                          							 *((intOrPtr*)( *_t37 + 0x2c))(_t37, _t50);
                                                                          						}
                                                                          						MultiByteToWideChar(_t45, _t45, _a8, 0xffffffff,  &_v532, 0x104);
                                                                          						_t35 = _v12;
                                                                          						_push(_t45);
                                                                          						_push( &_v532);
                                                                          						_push(_t35); // executed
                                                                          						if( *((intOrPtr*)( *_t35 + 0x18))() == 0) {
                                                                          							_t45 = 1; // executed
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          				__imp__CoUninitialize(); // executed
                                                                          				return _t45;
                                                                          			}




















                                                                          APIs
                                                                          • CoInitialize.OLE32(00000000), ref: 0040DB39
                                                                          • CoCreateInstance.OLE32(00428788,00000000,00000001,00428798,0047E880), ref: 0040DB5B
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 0040DBE8
                                                                          • CoUninitialize.OLE32 ref: 0040DC05
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: ByteCharCreateInitializeInstanceMultiUninitializeWide
                                                                          • String ID:
                                                                          • API String ID: 2968213145-0
                                                                          • Opcode ID: 5b9b4fa9f3a0fcc0dea00caa49044db537f486f935e54cf1d83e50821e8d2bff
                                                                          • Instruction ID: d362e5221cfb36fa889861a4efd92f0fc1305b6baf1cca1b60ba2698d4b61a28
                                                                          • Opcode Fuzzy Hash: 5b9b4fa9f3a0fcc0dea00caa49044db537f486f935e54cf1d83e50821e8d2bff
                                                                          • Instruction Fuzzy Hash: A8316FB4A00209BFEB00CFA0CC88DAA7BBDBF45304B200199F401DB291DB75AD45DB54
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00425BE2() {
                                                                          				signed int _t15;
                                                                          				void* _t17;
                                                                          				void* _t19;
                                                                          				void* _t25;
                                                                          				signed int _t26;
                                                                          				void* _t27;
                                                                          				intOrPtr* _t29;
                                                                          
                                                                          				_t15 =  *0x47f834; // 0x1
                                                                          				_t26 =  *0x47f824; // 0x10
                                                                          				if(_t15 != _t26) {
                                                                          					L3:
                                                                          					_t27 =  *0x47f838; // 0x2240488
                                                                          					_t29 = _t27 + (_t15 + _t15 * 4) * 4;
                                                                          					_t17 = RtlAllocateHeap( *0x47f83c, 8, 0x41c4); // executed
                                                                          					 *(_t29 + 0x10) = _t17;
                                                                          					if(_t17 == 0) {
                                                                          						L6:
                                                                          						return 0;
                                                                          					}
                                                                          					_t19 = VirtualAlloc(0, 0x100000, 0x2000, 4); // executed
                                                                          					 *(_t29 + 0xc) = _t19;
                                                                          					if(_t19 != 0) {
                                                                          						 *(_t29 + 8) =  *(_t29 + 8) | 0xffffffff;
                                                                          						 *_t29 = 0;
                                                                          						 *((intOrPtr*)(_t29 + 4)) = 0;
                                                                          						 *0x47f834 =  *0x47f834 + 1;
                                                                          						 *( *(_t29 + 0x10)) =  *( *(_t29 + 0x10)) | 0xffffffff;
                                                                          						return _t29;
                                                                          					}
                                                                          					HeapFree( *0x47f83c, 0,  *(_t29 + 0x10));
                                                                          					goto L6;
                                                                          				}
                                                                          				_t2 = _t26 * 4; // 0x60
                                                                          				_t25 = HeapReAlloc( *0x47f83c, 0,  *0x47f838, _t26 + _t2 + 0x50 << 2);
                                                                          				if(_t25 == 0) {
                                                                          					goto L6;
                                                                          				}
                                                                          				 *0x47f824 =  *0x47f824 + 0x10;
                                                                          				 *0x47f838 = _t25;
                                                                          				_t15 =  *0x47f834; // 0x1
                                                                          				goto L3;
                                                                          			}











                                                                          APIs
                                                                          • HeapReAlloc.KERNEL32(00000000,00000060,?,00000000,004259AA,?,?,?,00000100,?,00000000), ref: 00425C0A
                                                                          • RtlAllocateHeap.NTDLL(00000008,000041C4,?,00000000,004259AA,?,?,?,00000100,?,00000000), ref: 00425C3E
                                                                          • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,004259AA,?,?,?,00000100,?,00000000), ref: 00425C58
                                                                          • HeapFree.KERNEL32(00000000,?,?,00000000,004259AA,?,?,?,00000100,?,00000000), ref: 00425C6F
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Alloc$AllocateFreeVirtual
                                                                          • String ID:
                                                                          • API String ID: 1005975451-0
                                                                          • Opcode ID: 7bfc0fe135117dfce8c54155b27920ee4db732f6a73948ea5b42ad1791b0d3f7
                                                                          • Instruction ID: e85dd14357cfd133c46ce20e6f70fc831c02b401b74bc27b0f8f5883340438cb
                                                                          • Opcode Fuzzy Hash: 7bfc0fe135117dfce8c54155b27920ee4db732f6a73948ea5b42ad1791b0d3f7
                                                                          • Instruction Fuzzy Hash: 8C118F30201700AFD730AF29EC4492A7BF5FF46310795453EE15AC65B4D731A89BCB19
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00422A86() {
                                                                          				CHAR* _v12;
                                                                          				void* _t14;
                                                                          
                                                                          				E0041A81A(_t14, 0x47e5ec); // executed
                                                                          				E004164B1(0x47dfb8, _t14, 0x47e5ec);
                                                                          				E0041B3B9(0x47dfb8, 0x47e5ec, 0x7fffffff);
                                                                          				lstrcpyA(_v12, E0041CD1E(0x47e5ec));
                                                                          				return 1;
                                                                          			}






                                                                          APIs
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          • lstrcpyA.KERNEL32(00000000,00000000,0047E5EC,7FFFFFFF,0047E5EC,0047E5EC,?,<UninstallerName>,0041AA6C,?,<UninstallerName>,00000000,00000001,<ShortcutDir>,00000000,00000000), ref: 00422ABE
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocLockUnlocklstrcpy
                                                                          • String ID: <UninstallerName>$G$G
                                                                          • API String ID: 4161858792-2357334803
                                                                          • Opcode ID: 6ba68a0f358dbcf42ca9cf462f0cd6bf89d2e458b5780ff8d98569d2b6766966
                                                                          • Instruction ID: 9b5c910863a563f3ea1e258623e4cebb4c69ed5078cec323f7359b7f97f4b65a
                                                                          • Opcode Fuzzy Hash: 6ba68a0f358dbcf42ca9cf462f0cd6bf89d2e458b5780ff8d98569d2b6766966
                                                                          • Instruction Fuzzy Hash: DAE0C231300424634A00362B5C048DEE5AE9FF1B24300823FF426972E2CF5C4C4345BD
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 84%
                                                                          			E00415089(void* __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4, signed int _a7) {
                                                                          				char _v16;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				void* _t33;
                                                                          				signed int _t36;
                                                                          				void* _t37;
                                                                          				signed int _t39;
                                                                          				signed int _t42;
                                                                          				signed char _t44;
                                                                          				signed int _t47;
                                                                          				signed char _t48;
                                                                          				signed int _t54;
                                                                          				signed int _t56;
                                                                          				signed int _t68;
                                                                          				signed int _t69;
                                                                          				signed int _t70;
                                                                          				signed int _t71;
                                                                          				signed int _t73;
                                                                          				intOrPtr _t103;
                                                                          				void* _t105;
                                                                          				void* _t106;
                                                                          				signed int _t107;
                                                                          				void* _t113;
                                                                          				void* _t115;
                                                                          
                                                                          				_t113 = __eflags;
                                                                          				_t103 = __edx;
                                                                          				__imp__#17(); // executed
                                                                          				E0040D808(); // executed
                                                                          				E00419146(0x47dfb8, _a4);
                                                                          				E004160A6(0x47dfb8, _t113); // executed
                                                                          				_t33 = E004168FE(0x47dfb8); // executed
                                                                          				if(_t33 >= 0) {
                                                                          					E0041B09C(0x47dfb8); // executed
                                                                          					E0041A04C(0x47dfb8, __eflags);
                                                                          					_t36 = E00419EB2(_t105, __eflags); // executed
                                                                          					__eflags = _t36;
                                                                          					if(_t36 == 0) {
                                                                          						_t73 = 0;
                                                                          						__eflags =  *0x47e610 - _t73; // 0x0
                                                                          						if(__eflags != 0) {
                                                                          							L10:
                                                                          							__eflags =  *0x47e18c & 0x00000040;
                                                                          							if(( *0x47e18c & 0x00000040) != 0) {
                                                                          								__eflags =  *0x47e193 & 0x00000008;
                                                                          								if(( *0x47e193 & 0x00000008) != 0) {
                                                                          									 *0x47e193 =  *0x47e193 & 0x000000f7;
                                                                          									__eflags =  *0x47e193;
                                                                          								}
                                                                          							}
                                                                          							__eflags =  *0x47e610 - _t73; // 0x0
                                                                          							if(__eflags != 0) {
                                                                          								L15:
                                                                          								_t37 = E00418092(0x47dfb8, _t103); // executed
                                                                          								_t106 = _t37;
                                                                          								__eflags = _t106 - _t73;
                                                                          								if(_t106 >= _t73) {
                                                                          									__eflags =  *0x47e160 - _t73; // 0x1
                                                                          									if(__eflags != 0) {
                                                                          										_t56 = E0041E3EF();
                                                                          										__eflags = _t56;
                                                                          										if(_t56 == 0) {
                                                                          											E0041B2A8(_t73, E0041CD1E(0x47f0ec), _t73);
                                                                          											E0041A1B5(1);
                                                                          										}
                                                                          									}
                                                                          									__eflags =  *0x47f27c - _t73; // 0x1
                                                                          									_push(_t73);
                                                                          									if(__eflags == 0) {
                                                                          										E00417EA6(0x47dfb8);
                                                                          										_t39 = E0041A256(0x47dfb8);
                                                                          										__eflags =  *0x47e610 - _t73; // 0x0
                                                                          										_t107 = _t39;
                                                                          										if(__eflags != 0) {
                                                                          											_t44 = E00415DC6(0x47dfb8, __eflags);
                                                                          											asm("sbb eax, eax");
                                                                          											_t107 =  ~( ~_t44);
                                                                          										}
                                                                          										E0041B45D(0x47dfb8, 1);
                                                                          										__eflags =  *0x47f2d5 - _t73; // 0x0
                                                                          										if(__eflags == 0) {
                                                                          											return _t107;
                                                                          										} else {
                                                                          											_t42 = 0;
                                                                          											__eflags = _t107 - _t73;
                                                                          											goto L44;
                                                                          										}
                                                                          									} else {
                                                                          										_t47 = E0041246C(0x47e880, _t103);
                                                                          										__eflags = _t47 - _t73;
                                                                          										_a7 = _t47;
                                                                          										if(_t47 != _t73) {
                                                                          											__eflags =  *0x47e610 - _t73; // 0x0
                                                                          											if(__eflags == 0) {
                                                                          												_t48 =  *0x47e190; // 0x2080c08
                                                                          												__eflags = _t48 & 0x00000002;
                                                                          												if((_t48 & 0x00000002) == 0) {
                                                                          													__eflags = _t48 & 0x00000004;
                                                                          													if((_t48 & 0x00000004) == 0) {
                                                                          														L31:
                                                                          														__eflags = 0;
                                                                          														L32:
                                                                          														__eflags = _t48 & 0x00000008;
                                                                          														if((_t48 & 0x00000008) == 0) {
                                                                          															L35:
                                                                          															__eflags = 0;
                                                                          															L36:
                                                                          															_t50 = _t48 >> 0x0000001b & 0x00000001;
                                                                          															__eflags = _t48 >> 0x0000001b & 0x00000001;
                                                                          															E00412C58(0, 0, _t50);
                                                                          															L37:
                                                                          															__eflags =  *0x47f2d5 - _t73; // 0x0
                                                                          															if(__eflags == 0) {
                                                                          																return _a7 & 0x000000ff;
                                                                          															}
                                                                          															_t42 = 0;
                                                                          															__eflags = _a7 - _t73;
                                                                          															L44:
                                                                          															return _t42 & 0xffffff00 | __eflags == 0x00000000;
                                                                          														}
                                                                          														__eflags = _t48 & 0x00000040;
                                                                          														if((_t48 & 0x00000040) == 0) {
                                                                          															goto L35;
                                                                          														}
                                                                          														_push(1);
                                                                          														_pop(0);
                                                                          														goto L36;
                                                                          													}
                                                                          													__eflags = _t48 & 0x00000080;
                                                                          													if((_t48 & 0x00000080) == 0) {
                                                                          														goto L31;
                                                                          													}
                                                                          													_push(1);
                                                                          													_pop(0);
                                                                          													goto L32;
                                                                          												}
                                                                          												E00411D82();
                                                                          												goto L37;
                                                                          											}
                                                                          											_a7 = E00415DC6(0x47dfb8, __eflags);
                                                                          											goto L37;
                                                                          										}
                                                                          										goto L22;
                                                                          									}
                                                                          								}
                                                                          								E0041BDC5( &_v16);
                                                                          								_push(_t106);
                                                                          								E0041C467( &_v16, "Initialization failed. Aborting. Error code: %d");
                                                                          								E0041B2A8(_t73, E0041CD1E( &_v16), _t73);
                                                                          								__eflags =  *0x47f2d5 - _t73; // 0x0
                                                                          								E0041BEFB( &_v16);
                                                                          								return 0 | __eflags != 0x00000000;
                                                                          							} else {
                                                                          								_t68 = E0041BBAF(0x47dfb8, 0x47dfb8);
                                                                          								__eflags = _t68;
                                                                          								if(_t68 == 0) {
                                                                          									goto L22;
                                                                          								}
                                                                          								goto L15;
                                                                          							}
                                                                          						}
                                                                          						_t69 = E00419D70(__eflags); // executed
                                                                          						__eflags = _t69;
                                                                          						if(_t69 != 0) {
                                                                          							goto L22;
                                                                          						}
                                                                          						__eflags =  *0x47e610 - _t73; // 0x0
                                                                          						if(__eflags != 0) {
                                                                          							goto L10;
                                                                          						}
                                                                          						_t70 = E0041BAEC(0x47dfb8); // executed
                                                                          						__eflags = _t70;
                                                                          						if(_t70 == 0) {
                                                                          							goto L22;
                                                                          						}
                                                                          						__eflags =  *0x47e610 - _t73; // 0x0
                                                                          						if(__eflags != 0) {
                                                                          							goto L10;
                                                                          						}
                                                                          						_t71 = E004158E2(0x47dfb8); // executed
                                                                          						__eflags = _t71;
                                                                          						if(_t71 == 0) {
                                                                          							goto L22;
                                                                          						}
                                                                          						goto L10;
                                                                          					}
                                                                          					_t54 = 0;
                                                                          					__eflags =  *0x47f2d5 - _t54; // 0x0
                                                                          					goto L23;
                                                                          				} else {
                                                                          					_t73 = 0;
                                                                          					E0041B2A8(0, "Couldn\'t read TOC. Aborting.", 0);
                                                                          					L22:
                                                                          					_t54 = 0;
                                                                          					_t115 =  *0x47f2d5 - _t73; // 0x0
                                                                          					L23:
                                                                          					return _t54 & 0xffffff00 | _t115 != 0x00000000;
                                                                          				}
                                                                          			}




























                                                                          APIs
                                                                          • #17.COMCTL32(?,00000000), ref: 00415092
                                                                            • Part of subcall function 0040D808: GetTempPathA.KERNEL32(00000104,00000000), ref: 0040D835
                                                                            • Part of subcall function 0040D808: GetFileAttributesA.KERNEL32(00000000), ref: 0040D842
                                                                            • Part of subcall function 0040D808: CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0040D857
                                                                            • Part of subcall function 00419146: GetVersionExA.KERNEL32(0047E1DC,?,0047DFB8), ref: 004191A1
                                                                            • Part of subcall function 00419146: GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 00419287
                                                                            • Part of subcall function 00419146: GetCommandLineA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0047DFB8), ref: 004192A3
                                                                            • Part of subcall function 00415DC6: DestroyWindow.USER32(00000000,0047DFB8,00000000), ref: 00415DDA
                                                                            • Part of subcall function 00415DC6: GetModuleFileNameA.KERNEL32(00000000,?,00000104,0047E61C), ref: 00415E11
                                                                            • Part of subcall function 00415DC6: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000000,00000000,00000000,?,?,?,?,?,?,?,0042BC5C), ref: 00415EE9
                                                                          Strings
                                                                          • Couldn't read TOC. Aborting., xrefs: 004150C3
                                                                          • Initialization failed. Aborting. Error code: %d, xrefs: 00415189
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: File$CreateModuleName$AttributesCommandDestroyDirectoryLinePathProcessTempVersionWindow
                                                                          • String ID: Couldn't read TOC. Aborting.$Initialization failed. Aborting. Error code: %d
                                                                          • API String ID: 454116223-1093334040
                                                                          • Opcode ID: 3de539716ba0038346de810c3990d51d0818943ae38c30ddeb02794bc9af9942
                                                                          • Instruction ID: b07b9ce401f6ec812fb25504cbe02601ec4789527652b2dd7e5e6d407422e868
                                                                          • Opcode Fuzzy Hash: 3de539716ba0038346de810c3990d51d0818943ae38c30ddeb02794bc9af9942
                                                                          • Instruction Fuzzy Hash: 10515632B00A50E6CF167B7268526FF16564BD5348B4805BFE906472C2DF7D4EC68B8E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0041F9CC(void* __ecx, void* _a4, int _a8) {
                                                                          				int _v8;
                                                                          				void* _t16;
                                                                          				int _t18;
                                                                          				int _t20;
                                                                          				char* _t25;
                                                                          				char* _t35;
                                                                          				void* _t38;
                                                                          
                                                                          				if(_a4 == 0) {
                                                                          					L11:
                                                                          					_t16 = 0x80070057;
                                                                          				} else {
                                                                          					_t35 = _a8;
                                                                          					if(_t35 == 0) {
                                                                          						goto L11;
                                                                          					} else {
                                                                          						_t18 = GetFileVersionInfoSizeA(_a4,  &_v8); // executed
                                                                          						_a8 = _t18;
                                                                          						if(_t18 <= 0) {
                                                                          							L10:
                                                                          							_t16 = 0x80004005;
                                                                          						} else {
                                                                          							_t38 = E00424DD9(_t18);
                                                                          							if(_t38 != 0) {
                                                                          								_t20 = GetFileVersionInfoA(_a4, 0, _a8, _t38); // executed
                                                                          								if(_t20 == 0) {
                                                                          									L9:
                                                                          									E00424DCE(_t38);
                                                                          									goto L10;
                                                                          								} else {
                                                                          									_a4 = _a4 & 0x00000000;
                                                                          									if(VerQueryValueA(_t38, "\\",  &_a4,  &_a8) == 0) {
                                                                          										goto L9;
                                                                          									} else {
                                                                          										_t25 = _a4;
                                                                          										if(_t25 == 0) {
                                                                          											goto L9;
                                                                          										} else {
                                                                          											_t35[4] = _t25[8];
                                                                          											 *_t35 = _t25[0xc];
                                                                          											E00424DCE(_t38);
                                                                          											_t16 = 0;
                                                                          										}
                                                                          									}
                                                                          								}
                                                                          							} else {
                                                                          								_t16 = 0x8007000e;
                                                                          							}
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          				return _t16;
                                                                          			}











                                                                          APIs
                                                                          • GetFileVersionInfoSizeA.VERSION(00000000,?,?,?,?,?,0041FDA3), ref: 0041F9EA
                                                                          • GetFileVersionInfoA.VERSION(00000000,00000000,0041FDA3,00000000,00000000,?,?,?,?,?,0041FDA3), ref: 0041FA13
                                                                          • VerQueryValueA.VERSION(00000000,0042BC5C,00000000,0041FDA3,00000000,00000000,0041FDA3,00000000,00000000,?,?,?,?,?,0041FDA3), ref: 0041FA2E
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: FileInfoVersion$QuerySizeValue
                                                                          • String ID:
                                                                          • API String ID: 2179348866-0
                                                                          • Opcode ID: 1f44381f4f1867ad494ef8ec683769e12b5e869821d9e96c7b395d348cdb3dd9
                                                                          • Instruction ID: 1f93746f0757c1243a97e16a57e9a2b1c48c6ef5f1f15e271ecef6eb9eb84ff0
                                                                          • Opcode Fuzzy Hash: 1f44381f4f1867ad494ef8ec683769e12b5e869821d9e96c7b395d348cdb3dd9
                                                                          • Instruction Fuzzy Hash: FE114276210115BACB109E25D800BDB3B98DF447E4F10812BBD0CDB251EB3CDA86C798
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 74%
                                                                          			E00424C5F(void* __esi, int _a4, intOrPtr _a8, char _a12) {
                                                                          				void* _t6;
                                                                          				intOrPtr _t7;
                                                                          				intOrPtr* _t9;
                                                                          				char _t14;
                                                                          				intOrPtr _t20;
                                                                          				intOrPtr _t21;
                                                                          				void* _t22;
                                                                          				intOrPtr* _t23;
                                                                          				void* _t25;
                                                                          				void* _t30;
                                                                          
                                                                          				_t22 = __esi;
                                                                          				_t21 = 1;
                                                                          				_t25 =  *0x47f374 - _t21; // 0x1
                                                                          				if(_t25 == 0) {
                                                                          					TerminateProcess(GetCurrentProcess(), _a4);
                                                                          				}
                                                                          				_t14 = _a12;
                                                                          				 *0x47f370 = _t21;
                                                                          				 *0x47f36c = _t14;
                                                                          				if(_a8 == 0) {
                                                                          					_t7 =  *0x47f850; // 0x20704d0
                                                                          					if(_t7 != 0) {
                                                                          						_t20 =  *0x47f84c; // 0x2070518
                                                                          						_push(_t22);
                                                                          						_t4 = _t20 - 4; // 0x2070514
                                                                          						_t23 = _t4;
                                                                          						if(_t23 >= _t7) {
                                                                          							do {
                                                                          								_t9 =  *_t23;
                                                                          								if(_t9 != 0) {
                                                                          									 *_t9();
                                                                          								}
                                                                          								_t23 = _t23 - 4;
                                                                          								_t30 = _t23 -  *0x47f850; // 0x20704d0
                                                                          							} while (_t30 >= 0);
                                                                          						}
                                                                          					}
                                                                          					E00424CF8(0x42b058, 0x42b05c);
                                                                          				}
                                                                          				_t6 = E00424CF8(0x42b060, 0x42b064);
                                                                          				if(_t14 == 0) {
                                                                          					 *0x47f374 = _t21; // executed
                                                                          					ExitProcess(_a4); // executed
                                                                          				}
                                                                          				return _t6;
                                                                          			}














                                                                          APIs
                                                                          • GetCurrentProcess.KERNEL32(?,?,00424C4A,?,00000000,00000000,004254A1,00000000,00000000), ref: 00424C6F
                                                                          • TerminateProcess.KERNEL32(00000000,?,00424C4A,?,00000000,00000000,004254A1,00000000,00000000), ref: 00424C76
                                                                          • ExitProcess.KERNEL32 ref: 00424CF0
                                                                          Similarity
                                                                          • API ID: Process$CurrentExitTerminate
                                                                          • String ID:
                                                                          • API String ID: 1703294689-0
                                                                          • Opcode ID: 848db95d42081fa6aa036db98d338fbce556dcde82f886b44b0161e5a847643e
                                                                          • Instruction ID: 5c5bd13296f69dd5dfa009dbf4a1da1fba5c39e9250329cb05521c5ff099b87d
                                                                          • Opcode Fuzzy Hash: 848db95d42081fa6aa036db98d338fbce556dcde82f886b44b0161e5a847643e
                                                                          • Instruction Fuzzy Hash: A10104317053219AD621AB2EFD4461B7BE8EBC0750B92403FE914921A0DB686886CB6D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 75%
                                                                          			E0040D808() {
                                                                          				void _v263;
                                                                          				char _v264;
                                                                          				long _t13;
                                                                          				signed int _t16;
                                                                          
                                                                          				_v264 = _v264 & 0x00000000;
                                                                          				_t16 = 0x40;
                                                                          				memset( &_v263, 0, _t16 << 2);
                                                                          				asm("stosw");
                                                                          				asm("stosb");
                                                                          				GetTempPathA(0x104,  &_v264);
                                                                          				_t13 = GetFileAttributesA( &_v264); // executed
                                                                          				if(_t13 == 0xffffffff) {
                                                                          					return CreateDirectoryA( &_v264, 0);
                                                                          				}
                                                                          				return _t13;
                                                                          			}








                                                                          APIs
                                                                          • GetTempPathA.KERNEL32(00000104,00000000), ref: 0040D835
                                                                          • GetFileAttributesA.KERNEL32(00000000), ref: 0040D842
                                                                          • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0040D857
                                                                          Similarity
                                                                          • API ID: AttributesCreateDirectoryFilePathTemp
                                                                          • String ID:
                                                                          • API String ID: 3518157937-0
                                                                          • Opcode ID: 22dbea3a5e86ba2f5d732e63e82f8cecc9fec2e0ebb150cf55f691dcafc1b103
                                                                          • Instruction ID: 26542657461be143d5f360e3921356412d4476b8e76cacc8970c96e366d55aee
                                                                          • Opcode Fuzzy Hash: 22dbea3a5e86ba2f5d732e63e82f8cecc9fec2e0ebb150cf55f691dcafc1b103
                                                                          • Instruction Fuzzy Hash: 4CF065B2A00519ABEB2097B4DD89BCA777CA764314F5005F5E3A4E10D0DAF49AC98A15
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 75%
                                                                          			E004220ED(void* __ecx, void* __eflags) {
                                                                          				void _v263;
                                                                          				char _v264;
                                                                          				void* _t14;
                                                                          				signed int _t18;
                                                                          				void* _t24;
                                                                          
                                                                          				_v264 = _v264 & 0x00000000;
                                                                          				_t24 = __ecx;
                                                                          				_t18 = 0x40;
                                                                          				memset( &_v263, 0, _t18 << 2);
                                                                          				asm("stosw");
                                                                          				asm("stosb");
                                                                          				_push( &_v264);
                                                                          				E00422A86();
                                                                          				_t14 = E0040DF52( &_v264);
                                                                          				if(_t14 == 0) {
                                                                          					_t14 = CreateFileA( &_v264, 0x40000000, 1, 0, 1, 0x80, 0); // executed
                                                                          					if(_t14 != 0xffffffff) {
                                                                          						 *((char*)(_t24 + 0x93)) = 1;
                                                                          						return CloseHandle(_t14);
                                                                          					}
                                                                          				}
                                                                          				return _t14;
                                                                          			}









                                                                          APIs
                                                                            • Part of subcall function 00422A86: lstrcpyA.KERNEL32(00000000,00000000,0047E5EC,7FFFFFFF,0047E5EC,0047E5EC,?,<UninstallerName>,0041AA6C,?,<UninstallerName>,00000000,00000001,<ShortcutDir>,00000000,00000000), ref: 00422ABE
                                                                          • CreateFileA.KERNEL32(00000000,40000000,00000001,00000000,00000001,00000080,00000000,00000000,76908BA0,00000000), ref: 00422149
                                                                          • CloseHandle.KERNEL32(00000000), ref: 0042215C
                                                                          Similarity
                                                                          • API ID: CloseCreateFileHandlelstrcpy
                                                                          • String ID:
                                                                          • API String ID: 3205445448-0
                                                                          • Opcode ID: c5f7fb4a45ef95dec3c97b459b31658b4b7dc29c3574f163453a57723c1105db
                                                                          • Instruction ID: 9fbf33d1153e8f23a7b95228387ab3429903e99e354b960db3d1885316b66d90
                                                                          • Opcode Fuzzy Hash: c5f7fb4a45ef95dec3c97b459b31658b4b7dc29c3574f163453a57723c1105db
                                                                          • Instruction Fuzzy Hash: 32F0FC717002247BEF309274DD4AFDA775C9B50714F5005E6F349F20C1DAF46E888568
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 84%
                                                                          			E00416031(CHAR* _a4, long* _a8, long* _a12) {
                                                                          				void _v263;
                                                                          				char _v264;
                                                                          				int _t15;
                                                                          				void* _t16;
                                                                          				signed char* _t23;
                                                                          				signed int _t25;
                                                                          				CHAR* _t32;
                                                                          
                                                                          				_t32 = _a4;
                                                                          				_t15 = lstrlenA(_t32);
                                                                          				if(_t15 > 0) {
                                                                          					_t23 = _t15 + _t32 - 1;
                                                                          					if( *(_t15 + _t32 - 1) == 0x5c) {
                                                                          						 *_t23 =  *_t23 & 0x00000000;
                                                                          					}
                                                                          				}
                                                                          				_t16 = E0041BF12(_a8, _t32);
                                                                          				if(_a12 == 0) {
                                                                          					return _t16;
                                                                          				} else {
                                                                          					_v264 = _v264 & 0x00000000;
                                                                          					_t25 = 0x40;
                                                                          					memset( &_v263, 0, _t25 << 2);
                                                                          					asm("stosw");
                                                                          					asm("stosb");
                                                                          					GetShortPathNameA(_t32,  &_v264, 0x104); // executed
                                                                          					return E0041BF12(_a12,  &_v264);
                                                                          				}
                                                                          			}











                                                                          APIs
                                                                          • lstrlenA.KERNEL32(?,0047DFB8), ref: 0041603F
                                                                          • GetShortPathNameA.KERNEL32 ref: 0041608B
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: NamePathShortlstrlen
                                                                          • String ID:
                                                                          • API String ID: 283637753-0
                                                                          • Opcode ID: 77996722eeb767453b962ff37f99368d2d9649ef3d1da6c7eaff12de2ab75ab0
                                                                          • Instruction ID: 55d437d64f90e084321ce4f602505d722649a2d51fb0552c0b71639499450712
                                                                          • Opcode Fuzzy Hash: 77996722eeb767453b962ff37f99368d2d9649ef3d1da6c7eaff12de2ab75ab0
                                                                          • Instruction Fuzzy Hash: 6E0186B65042586FEF21DB64CC44FDE3B68AF56304F0044AAE64097180DBF8DAC5CB95
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00425509(intOrPtr _a4) {
                                                                          				void* _t6;
                                                                          				void* _t9;
                                                                          
                                                                          				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
                                                                          				 *0x47f83c = _t6;
                                                                          				if(_t6 == 0) {
                                                                          					L3:
                                                                          					return 0;
                                                                          				} else {
                                                                          					if(E00425545() != 0) {
                                                                          						_t9 = 1;
                                                                          						return _t9;
                                                                          					} else {
                                                                          						HeapDestroy( *0x47f83c);
                                                                          						goto L3;
                                                                          					}
                                                                          				}
                                                                          			}






                                                                          APIs
                                                                          • HeapCreate.KERNEL32(00000000,00001000,00000000,00425429,00000000), ref: 0042551A
                                                                            • Part of subcall function 00425545: HeapAlloc.KERNEL32(00000000,00000140,0042552E), ref: 00425552
                                                                          • HeapDestroy.KERNEL32 ref: 00425538
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$AllocCreateDestroy
                                                                          • String ID:
                                                                          • API String ID: 2236781399-0
                                                                          • Opcode ID: 685862c25b9e257a1a33d9820af5b4d56f55cfe13c318de4e02fdf89a4f5bd88
                                                                          • Instruction ID: 56260dfde5bbf666cb3f8c2d4c1c05bfe55a9b91487234851ec9a7a54d7ee8be
                                                                          • Opcode Fuzzy Hash: 685862c25b9e257a1a33d9820af5b4d56f55cfe13c318de4e02fdf89a4f5bd88
                                                                          • Instruction Fuzzy Hash: 35E012703113107AEB601B31BC4677A36D99F44792F94843AB409C41F8EB7485D2DA09
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0041BDC5(intOrPtr* __ecx) {
                                                                          				void* _t6;
                                                                          				long* _t10;
                                                                          
                                                                          				_t10 = __ecx;
                                                                          				 *((intOrPtr*)(__ecx)) = 0;
                                                                          				 *((intOrPtr*)(__ecx + 4)) = 0;
                                                                          				 *((intOrPtr*)(__ecx + 8)) = 0;
                                                                          				_t6 = GlobalAlloc(0x42, 0); // executed
                                                                          				 *(_t10 + 4) = _t6;
                                                                          				 *((intOrPtr*)(_t10 + 8)) = GlobalLock(_t6);
                                                                          				return _t10;
                                                                          			}






                                                                          APIs
                                                                          • GlobalAlloc.KERNEL32(00000042,00000000,00000000,0041C189,00000000,0047E4D0,00000000), ref: 0041BDD5
                                                                          • GlobalLock.KERNEL32 ref: 0041BDDF
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocLock
                                                                          • String ID:
                                                                          • API String ID: 15508794-0
                                                                          • Opcode ID: 5b657dc407b8ba465fa7e35246d598dfe78b5aa2e00fb7615759032df6ccab74
                                                                          • Instruction ID: 4cb256bf1a12df4fe306abb846aa9358ba0d094adca8592e463de78986b3397d
                                                                          • Opcode Fuzzy Hash: 5b657dc407b8ba465fa7e35246d598dfe78b5aa2e00fb7615759032df6ccab74
                                                                          • Instruction Fuzzy Hash: 56D09EB1A05B21DFD7A0DF78ED08656BAE4FB08701750C87EA5DEC3610E67498418B54
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00405213(void* __ecx, void* __edi, void* __esi, void* _a4, void* _a8, long _a12) {
                                                                          				void* __ebp;
                                                                          				int _t8;
                                                                          				intOrPtr _t9;
                                                                          				intOrPtr _t10;
                                                                          				intOrPtr _t13;
                                                                          				intOrPtr _t16;
                                                                          				void* _t21;
                                                                          
                                                                          				_t8 = WriteFile(_a4, _a8, _a12,  &_a12, 0); // executed
                                                                          				_t22 = _t8;
                                                                          				if(_t8 == 0) {
                                                                          					E00405408(__edi, __esi, _t22);
                                                                          				}
                                                                          				_t9 =  *0x47e6f8; // 0x12000
                                                                          				_t16 =  *0x47f204; // 0x10000
                                                                          				_t10 = _t9 + _a12;
                                                                          				 *0x47e6f8 = _t10;
                                                                          				_t6 = _t10 - 0x8400; // 0x3fca9e
                                                                          				_t18 = _t6;
                                                                          				if(_t6 > _t16 &&  *0x47f28a != 0) {
                                                                          					E00414F7F(_t18, _t21, _t10 - _t16);
                                                                          					_t13 =  *0x47e6f8; // 0x12000
                                                                          					 *0x47f204 = _t13;
                                                                          					return _t13;
                                                                          				}
                                                                          				return _t10;
                                                                          			}











                                                                          APIs
                                                                          • WriteFile.KERNEL32(00000000,00000000,00404E9E,00404E9E,00000000,?,004051FC,0045AA60,00000000,00404E9E,00000000,00000000,00000000,0047E1B8,00000001), ref: 00405225
                                                                            • Part of subcall function 00405408: GetLastError.KERNEL32(0045AA60), ref: 00405412
                                                                            • Part of subcall function 00405408: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000200,00000000,00000000), ref: 00405487
                                                                            • Part of subcall function 00405408: GetActiveWindow.USER32 ref: 004054D3
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: ActiveErrorFileFormatLastMessageWindowWrite
                                                                          • String ID:
                                                                          • API String ID: 3502244913-0
                                                                          • Opcode ID: 0688dff4318755a594bd27b086e0045b8f4095a176ae734f45c46700945b5c92
                                                                          • Instruction ID: c053740d9be796ded0a1399382876f6564ef076206494c8869437cd6c88d37de
                                                                          • Opcode Fuzzy Hash: 0688dff4318755a594bd27b086e0045b8f4095a176ae734f45c46700945b5c92
                                                                          • Instruction Fuzzy Hash: 6CF0B4312042069FDB01DF65EC44BAA3765FB08300F4445FAF818DA261DB3498908F1C
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 73%
                                                                          			E00422166(void* __ecx) {
                                                                          				void _v263;
                                                                          				char _v264;
                                                                          				char* _t8;
                                                                          				int _t14;
                                                                          				signed int _t17;
                                                                          
                                                                          				_t2 = __ecx + 0x93; // 0x47e81b
                                                                          				_t8 = _t2;
                                                                          				if( *((intOrPtr*)(__ecx + 0x93)) != 0) {
                                                                          					 *_t8 = 0;
                                                                          					_v264 = 0;
                                                                          					_t17 = 0x40;
                                                                          					memset( &_v263, 0, _t17 << 2);
                                                                          					asm("stosw");
                                                                          					asm("stosb");
                                                                          					_push( &_v264);
                                                                          					E00422A86();
                                                                          					_t14 = DeleteFileA( &_v264); // executed
                                                                          					return _t14;
                                                                          				}
                                                                          				return _t8;
                                                                          			}









                                                                          APIs
                                                                            • Part of subcall function 00422A86: lstrcpyA.KERNEL32(00000000,00000000,0047E5EC,7FFFFFFF,0047E5EC,0047E5EC,?,<UninstallerName>,0041AA6C,?,<UninstallerName>,00000000,00000001,<ShortcutDir>,00000000,00000000), ref: 00422ABE
                                                                          • DeleteFileA.KERNEL32(?,?,76908BA0), ref: 004221AF
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: DeleteFilelstrcpy
                                                                          • String ID:
                                                                          • API String ID: 273707478-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 40%
                                                                          			E00424BDA(intOrPtr _a4) {
                                                                          				void* _t2;
                                                                          				void* _t3;
                                                                          				intOrPtr _t5;
                                                                          				void* _t8;
                                                                          
                                                                          				_t5 = _a4;
                                                                          				_t8 = _t5 -  *0x42dc3c; // 0x3f8
                                                                          				if(_t8 > 0) {
                                                                          					L2:
                                                                          					if(_t5 == 0) {
                                                                          						_t5 = 1;
                                                                          					}
                                                                          					_t2 = RtlAllocateHeap( *0x47f83c, 0, _t5 + 0x0000000f & 0xfffffff0); // executed
                                                                          					return _t2;
                                                                          				}
                                                                          				_push(_t5); // executed
                                                                          				_t3 = E004258D9(); // executed
                                                                          				if(_t3 == 0) {
                                                                          					goto L2;
                                                                          				}
                                                                          				return _t3;
                                                                          			}








                                                                          APIs
                                                                          • RtlAllocateHeap.NTDLL(00000000,?,00000000,00424BBE,000000E0,00424BAB,?,00426882,00000100,?,00000000), ref: 00424C08
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: AllocateHeap
                                                                          • String ID:
                                                                          • API String ID: 1279760036-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0040DF52(CHAR* _a4) {
                                                                          				long _t6;
                                                                          
                                                                          				if(E0040DB19(_a4) == 0) {
                                                                          					_t6 = GetFileAttributesA(_a4); // executed
                                                                          					return 0 | _t6 != 0xffffffff;
                                                                          				} else {
                                                                          					return 0;
                                                                          				}
                                                                          			}





                                                                          APIs
                                                                          • GetFileAttributesA.KERNEL32(?,00415702,?), ref: 0040DF67
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: AttributesFile
                                                                          • String ID:
                                                                          • API String ID: 3188754299-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00425C93(void* __ecx, intOrPtr _a4) {
                                                                          				intOrPtr _v8;
                                                                          				signed int _t45;
                                                                          				intOrPtr _t48;
                                                                          				signed int _t49;
                                                                          				intOrPtr _t51;
                                                                          				intOrPtr _t52;
                                                                          				intOrPtr _t53;
                                                                          				signed int _t54;
                                                                          				intOrPtr* _t55;
                                                                          				signed int _t57;
                                                                          				intOrPtr _t60;
                                                                          				intOrPtr _t61;
                                                                          				intOrPtr _t62;
                                                                          				void* _t69;
                                                                          				void* _t70;
                                                                          				void* _t77;
                                                                          				signed int _t78;
                                                                          				intOrPtr _t81;
                                                                          
                                                                          				_t60 = _a4;
                                                                          				_t81 =  *((intOrPtr*)(_t60 + 0x10));
                                                                          				_t45 =  *(_t60 + 8);
                                                                          				_t57 = 0;
                                                                          				while(_t45 >= 0) {
                                                                          					_t45 = _t45 << 1;
                                                                          					_t57 = _t57 + 1;
                                                                          				}
                                                                          				_t69 = 0x3f;
                                                                          				_t48 = _t57 * 0x204 + _t81 + 0x144;
                                                                          				_v8 = _t48;
                                                                          				do {
                                                                          					 *((intOrPtr*)(_t48 + 8)) = _t48;
                                                                          					 *((intOrPtr*)(_t48 + 4)) = _t48;
                                                                          					_t48 = _t48 + 8;
                                                                          					_t69 = _t69 - 1;
                                                                          				} while (_t69 != 0);
                                                                          				_t77 = (_t57 << 0xf) +  *((intOrPtr*)(_t60 + 0xc));
                                                                          				_t49 = VirtualAlloc(_t77, 0x8000, 0x1000, 4); // executed
                                                                          				if(_t49 != 0) {
                                                                          					_t70 = _t77 + 0x7000;
                                                                          					if(_t77 <= _t70) {
                                                                          						_t55 = _t77 + 0x10;
                                                                          						do {
                                                                          							 *(_t55 - 8) =  *(_t55 - 8) | 0xffffffff;
                                                                          							 *(_t55 + 0xfec) =  *(_t55 + 0xfec) | 0xffffffff;
                                                                          							 *((intOrPtr*)(_t55 - 4)) = 0xff0;
                                                                          							 *_t55 = _t55 + 0xffc;
                                                                          							 *((intOrPtr*)(_t55 + 4)) = _t55 - 0x1004;
                                                                          							 *((intOrPtr*)(_t55 + 0xfe8)) = 0xff0;
                                                                          							_t55 = _t55 + 0x1000;
                                                                          						} while (_t55 - 0x10 <= _t70);
                                                                          					}
                                                                          					_t61 = _t77 + 0xc;
                                                                          					_t51 = _v8 + 0x1f8;
                                                                          					_t78 = 1;
                                                                          					 *((intOrPtr*)(_t51 + 4)) = _t61;
                                                                          					 *((intOrPtr*)(_t61 + 8)) = _t51;
                                                                          					_t62 = _t70 + 0xc;
                                                                          					 *((intOrPtr*)(_t51 + 8)) = _t62;
                                                                          					 *((intOrPtr*)(_t62 + 4)) = _t51;
                                                                          					 *(_t81 + 0x44 + _t57 * 4) =  *(_t81 + 0x44 + _t57 * 4) & 0x00000000;
                                                                          					 *(_t81 + 0xc4 + _t57 * 4) = _t78;
                                                                          					_t52 =  *((intOrPtr*)(_t81 + 0x43));
                                                                          					_t53 = _a4;
                                                                          					 *((char*)(_t81 + 0x43)) = _t52 + 1;
                                                                          					if(_t52 == 0) {
                                                                          						 *(_t53 + 4) =  *(_t53 + 4) | _t78;
                                                                          					}
                                                                          					 *(_t53 + 8) =  *(_t53 + 8) &  !(0x80000000 >> _t57);
                                                                          					_t54 = _t57;
                                                                          				} else {
                                                                          					_t54 = _t49 | 0xffffffff;
                                                                          				}
                                                                          				return _t54;
                                                                          			}






















                                                                          APIs
                                                                          • VirtualAlloc.KERNEL32(?,00008000,00001000,00000004,?,00000000,000000E0,?,?,004259B9,000000E0,?,?,?,00000100), ref: 00425CE4
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID:
                                                                          • API String ID: 4275171209-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Non-executed Functions

                                                                          C-Code - Quality: 92%
                                                                          			E0040E2EE(CHAR* _a4, CHAR* _a8, intOrPtr _a12, CHAR** _a16) {
                                                                          				void* _v8;
                                                                          				intOrPtr _v12;
                                                                          				struct _WIN32_FIND_DATAA _v332;
                                                                          				signed int _t38;
                                                                          				void* _t56;
                                                                          				int _t65;
                                                                          				CHAR* _t99;
                                                                          				CHAR* _t101;
                                                                          				CHAR* _t103;
                                                                          				void* _t105;
                                                                          
                                                                          				if(_a4 == 0 || _a8 == 0 || _a16 == 0) {
                                                                          					return _t38 | 0xffffffff;
                                                                          				} else {
                                                                          					_t99 = E00424DD9(lstrlenA(_a4) + 4);
                                                                          					if(_t99 == 0) {
                                                                          						E0041D881(E0041CD1E(0x47e924));
                                                                          					}
                                                                          					lstrcpyA(_t99, _a4);
                                                                          					lstrcatA(_t99, "*.*");
                                                                          					_v8 = FindFirstFileA(_t99,  &_v332);
                                                                          					E00424DCE(_t99);
                                                                          					if(_v8 != 0xffffffff) {
                                                                          						L8:
                                                                          						while(1) {
                                                                          							if((_v332.dwFileAttributes & 0x00000010) == 0) {
                                                                          								if(lstrcmpiA( &(_v332.cFileName), _a8) == 0) {
                                                                          									FindClose(_v8);
                                                                          									_t103 = E00424DD9(lstrlenA(_a4) + 1);
                                                                          									if(_t103 == 0) {
                                                                          										E0041D881(E0041CD1E(0x47e924));
                                                                          									}
                                                                          									lstrcpyA(_t103, _a4);
                                                                          									_push(1);
                                                                          									 *_a16 = _t103;
                                                                          									goto L23;
                                                                          								}
                                                                          								L17:
                                                                          								if(FindNextFileA(_v8,  &_v332) == 0) {
                                                                          									FindClose(_v8);
                                                                          									do {
                                                                          									} while (E0041A207() == 1);
                                                                          									return 0;
                                                                          								}
                                                                          								continue;
                                                                          							}
                                                                          							if(_v332.cFileName == 0x2e) {
                                                                          								goto L17;
                                                                          							}
                                                                          							_t65 = lstrlenA( &(_v332.cFileName));
                                                                          							_t16 = E00424970(_a4) + 2; // 0x2
                                                                          							_t101 = E00424DD9(_t65 + _t16);
                                                                          							if(_t101 == 0) {
                                                                          								FindClose(_v8);
                                                                          								E0041D881(E0041CD1E(0x47e924));
                                                                          							}
                                                                          							lstrcpyA(_t101, _a4);
                                                                          							lstrcatA(_t101,  &(_v332.cFileName));
                                                                          							if( *((char*)(lstrlenA(_t101) + _t101 - 1)) != 0x5c) {
                                                                          								E00425090(_t101, "\\");
                                                                          							}
                                                                          							_v12 = E0040E2EE(_t101, _a8, _a12, _a16);
                                                                          							E00424DCE(_t101);
                                                                          							_t105 = _t105 + 0x14;
                                                                          							if(_v12 > 0) {
                                                                          								FindClose(_v8);
                                                                          								return _v12;
                                                                          							} else {
                                                                          								goto L17;
                                                                          							}
                                                                          						}
                                                                          					} else {
                                                                          						_push(0xfffffffd);
                                                                          						L23:
                                                                          						_pop(_t56);
                                                                          						return _t56;
                                                                          					}
                                                                          				}
                                                                          			}














                                                                          APIs
                                                                          • lstrlenA.KERNEL32(00000000,00000000,?,00000000), ref: 0040E320
                                                                          • lstrcpyA.KERNEL32(00000000,00000000), ref: 0040E347
                                                                          • lstrcatA.KERNEL32(00000000,*.*), ref: 0040E353
                                                                          • lstrlenA.KERNEL32(0000002E), ref: 0040E3A5
                                                                          • FindClose.KERNEL32(000000FF), ref: 0040E3C6
                                                                          • lstrcpyA.KERNEL32(00000000,00000000), ref: 0040E3DD
                                                                          • lstrcatA.KERNEL32(00000000,0000002E), ref: 0040E3EB
                                                                          • lstrlenA.KERNEL32(00000000), ref: 0040E3F2
                                                                          • lstrcmpiA.KERNEL32(?,00000000), ref: 0040E435
                                                                          • FindNextFileA.KERNEL32(000000FF,00000010), ref: 0040E449
                                                                          • FindClose.KERNEL32(000000FF), ref: 0040E45B
                                                                          • FindClose.KERNEL32(000000FF), ref: 0040E465
                                                                          • lstrlenA.KERNEL32(00000000), ref: 0040E46A
                                                                          • FindFirstFileA.KERNEL32(00000000,?), ref: 0040E361
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          • lstrcpyA.KERNEL32(00000000,00000000), ref: 0040E48F
                                                                          • FindClose.KERNEL32(000000FF), ref: 0040E4A2
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Find$Closelstrlen$Globallstrcpy$Filelstrcat$AllocFirstLockNextUnlocklstrcmpi
                                                                          • String ID: $G$$G$$G$*.*$.
                                                                          • API String ID: 2468804411-3051321286
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 68%
                                                                          			E0040C96B(intOrPtr __ecx, intOrPtr* _a4, char _a7) {
                                                                          				signed int _v8;
                                                                          				intOrPtr _v12;
                                                                          				int _v16;
                                                                          				intOrPtr _v20;
                                                                          				intOrPtr _v24;
                                                                          				void* _v35;
                                                                          				char _v36;
                                                                          				void* _t76;
                                                                          				intOrPtr _t90;
                                                                          				void* _t91;
                                                                          				intOrPtr _t98;
                                                                          				intOrPtr _t101;
                                                                          				signed int _t103;
                                                                          				int _t105;
                                                                          				int _t110;
                                                                          				intOrPtr _t114;
                                                                          				void* _t117;
                                                                          				intOrPtr _t119;
                                                                          				intOrPtr _t121;
                                                                          				CHAR* _t122;
                                                                          				intOrPtr _t126;
                                                                          				intOrPtr _t128;
                                                                          				void* _t129;
                                                                          				signed int _t131;
                                                                          				void* _t132;
                                                                          				signed int _t134;
                                                                          				signed int _t136;
                                                                          				signed int _t137;
                                                                          				signed int _t138;
                                                                          				signed int _t139;
                                                                          				intOrPtr _t145;
                                                                          				intOrPtr _t146;
                                                                          				intOrPtr _t147;
                                                                          				intOrPtr _t157;
                                                                          				intOrPtr* _t158;
                                                                          				void* _t169;
                                                                          
                                                                          				_t158 = _a4;
                                                                          				_t121 = __ecx;
                                                                          				 *_t158 = 0;
                                                                          				 *((intOrPtr*)(_t158 + 4)) = 0;
                                                                          				 *0x47e698 = 0;
                                                                          				 *0x47e69c = 0;
                                                                          				 *0x47e6a0 = 0;
                                                                          				 *0x47e6a4 = 0;
                                                                          				 *0x47e6a8 = 0;
                                                                          				 *0x47e6ac = 0;
                                                                          				_t124 =  *((intOrPtr*)(__ecx + 0xb0));
                                                                          				_v24 = __ecx;
                                                                          				_a4 = 0;
                                                                          				if( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0xb0)) + 4)) > 0) {
                                                                          					do {
                                                                          						_t117 = E00406060(_t124, _a4);
                                                                          						if(_t117 != 0 &&  *((intOrPtr*)(_t117 + 8)) != 0) {
                                                                          							_t119 =  *((intOrPtr*)(_t117 + 4));
                                                                          							 *_t158 =  *_t158 +  *((intOrPtr*)(_t119 + 0xc));
                                                                          							asm("adc [esi+0x4], edi");
                                                                          							 *0x47e698 =  *0x47e698 +  *((intOrPtr*)(_t119 + 0x14));
                                                                          							asm("adc [0x47e69c], edi");
                                                                          							 *0x47e6a0 =  *0x47e6a0 +  *((intOrPtr*)(_t119 + 0x10));
                                                                          							asm("adc [0x47e6a4], edi");
                                                                          							 *0x47e6a8 =  *0x47e6a8 +  *((intOrPtr*)(_t119 + 0x18));
                                                                          							asm("adc [0x47e6ac], edi");
                                                                          						}
                                                                          						_a4 = _a4 + 1;
                                                                          						_t124 =  *((intOrPtr*)(_t121 + 0xb0));
                                                                          					} while (_a4 <  *((intOrPtr*)( *((intOrPtr*)(_t121 + 0xb0)) + 4)));
                                                                          				}
                                                                          				_t122 = E00424DD9(0x32);
                                                                          				if(_t122 == 0) {
                                                                          					E0041D881(E0041CD1E(0x47e924));
                                                                          				}
                                                                          				E00424500(_t122, 0, 0x32);
                                                                          				_t145 =  *_t158;
                                                                          				_t126 =  *0x47e648; // 0xfff01000
                                                                          				_v12 = _t145;
                                                                          				_v20 = _t126 - _t145;
                                                                          				_t128 =  *0x47e64c; // 0x13
                                                                          				_t146 = _t128;
                                                                          				asm("sbb edx, eax");
                                                                          				_t169 =  *((intOrPtr*)(_t158 + 4)) - _t128;
                                                                          				if(_t169 >= 0) {
                                                                          					if(_t169 > 0) {
                                                                          						L10:
                                                                          						_v20 = 0;
                                                                          						_t146 = 0;
                                                                          					} else {
                                                                          						_t114 =  *0x47e648; // 0xfff01000
                                                                          						if(_v12 > _t114) {
                                                                          							goto L10;
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          				_push(_t122);
                                                                          				_t129 = 0xa;
                                                                          				_t76 = E00425060(_v20, _t129, _t146);
                                                                          				_push(_t146);
                                                                          				_push(_t76);
                                                                          				E0041DE38();
                                                                          				_v36 = _v36 & 0x00000000;
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				asm("stosb");
                                                                          				if(GetLocaleInfoA(0x400, 0x17,  &_v36, 0xa) == 0) {
                                                                          					lstrcpyA( &_v36, " ");
                                                                          				}
                                                                          				_a7 = _v36;
                                                                          				if(lstrlenA( &_v36) > 1) {
                                                                          					_a7 = 0x20;
                                                                          				}
                                                                          				_v16 = lstrlenA(_t122);
                                                                          				_t131 = lstrlenA(_t122) - 1;
                                                                          				_v8 = _t131;
                                                                          				if(_t131 != 0) {
                                                                          					while(1) {
                                                                          						_t138 = 3;
                                                                          						if((_v16 - _t131) % _t138 != 0) {
                                                                          							goto L23;
                                                                          						}
                                                                          						_t110 = lstrlenA(_t122);
                                                                          						_t139 = _v8;
                                                                          						while(_t110 >= _t139) {
                                                                          							_t122[_t110] =  *((intOrPtr*)(_t110 + _t122 - 1));
                                                                          							_t110 = _t110 - 1;
                                                                          						}
                                                                          						 *((char*)(_t139 + _t122)) = _a7;
                                                                          						L23:
                                                                          						_t48 =  &_v8;
                                                                          						 *_t48 = _v8 - 1;
                                                                          						__eflags =  *_t48;
                                                                          						if( *_t48 != 0) {
                                                                          							_t131 = _v8;
                                                                          							continue;
                                                                          						}
                                                                          						goto L24;
                                                                          					}
                                                                          				}
                                                                          				L24:
                                                                          				lstrcatA(_t122, " K");
                                                                          				SetDlgItemTextA( *(_v24 + 4), 0x1a, _t122);
                                                                          				E00424500(_t122, 0, 0x32);
                                                                          				_t90 =  *0x47e648; // 0xfff01000
                                                                          				_t147 =  *0x47e64c; // 0x13
                                                                          				_push(_t122);
                                                                          				_t132 = 0xa;
                                                                          				_t91 = E00425060(_t90, _t132, _t147);
                                                                          				_push(_t147);
                                                                          				_push(_t91);
                                                                          				E0041DE38();
                                                                          				_v16 = lstrlenA(_t122);
                                                                          				_t134 = lstrlenA(_t122) - 1;
                                                                          				__eflags = _t134;
                                                                          				_v8 = _t134;
                                                                          				if(_t134 != 0) {
                                                                          					while(1) {
                                                                          						_t103 = _v16 - _t134;
                                                                          						_t136 = 3;
                                                                          						__eflags = _t103 % _t136;
                                                                          						if(_t103 % _t136 != 0) {
                                                                          							goto L32;
                                                                          						}
                                                                          						_t105 = lstrlenA(_t122);
                                                                          						_t137 = _v8;
                                                                          						while(1) {
                                                                          							__eflags = _t105 - _t137;
                                                                          							if(_t105 < _t137) {
                                                                          								break;
                                                                          							}
                                                                          							_t122[_t105] =  *((intOrPtr*)(_t105 + _t122 - 1));
                                                                          							_t105 = _t105 - 1;
                                                                          						}
                                                                          						 *((char*)(_t137 + _t122)) = _a7;
                                                                          						L32:
                                                                          						_t66 =  &_v8;
                                                                          						 *_t66 = _v8 - 1;
                                                                          						__eflags =  *_t66;
                                                                          						if( *_t66 != 0) {
                                                                          							_t134 = _v8;
                                                                          							continue;
                                                                          						}
                                                                          						goto L33;
                                                                          					}
                                                                          				}
                                                                          				L33:
                                                                          				lstrcatA(_t122, " K");
                                                                          				_t157 = _v24;
                                                                          				SetDlgItemTextA( *(_t157 + 4), 0x19, _t122);
                                                                          				E00424DCE(_t122);
                                                                          				_t98 =  *0x47e64c; // 0x13
                                                                          				__eflags = _t98 -  *((intOrPtr*)(_t158 + 4));
                                                                          				if(__eflags > 0) {
                                                                          					L37:
                                                                          					_push(1);
                                                                          				} else {
                                                                          					if(__eflags < 0) {
                                                                          						L36:
                                                                          						_push(0);
                                                                          					} else {
                                                                          						_t101 =  *0x47e648; // 0xfff01000
                                                                          						__eflags = _t101 -  *_t158;
                                                                          						if(_t101 >=  *_t158) {
                                                                          							goto L37;
                                                                          						} else {
                                                                          							goto L36;
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          				return EnableWindow(GetDlgItem( *(_t157 + 4), 1), ??);
                                                                          			}

                                                                          APIs
                                                                          • GetLocaleInfoA.KERNEL32(00000400,00000017,00000000,0000000A,?,?,?,76903BB0,?,00000000), ref: 0040CA9B
                                                                          • lstrcpyA.KERNEL32(00000000,0042BCFC,?,?,?,76903BB0,?,00000000), ref: 0040CAAE
                                                                          • lstrlenA.KERNEL32(00000000,?,?,?,76903BB0,?,00000000), ref: 0040CAC4
                                                                          • lstrlenA.KERNEL32(00000000,?,?,?,76903BB0,?,00000000), ref: 0040CAD0
                                                                          • lstrlenA.KERNEL32(00000000,?,?,?,76903BB0,?,00000000), ref: 0040CAD6
                                                                          • lstrlenA.KERNEL32(00000000,?,?,?,76903BB0,?,00000000), ref: 0040CAF6
                                                                          • lstrcatA.KERNEL32(00000000,0042BCF8,?,?,?,76903BB0,?,00000000), ref: 0040CB1A
                                                                          • SetDlgItemTextA.USER32 ref: 0040CB29
                                                                          • lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,76903BB0,?,00000000), ref: 0040CB5B
                                                                          • lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,76903BB0,?,00000000), ref: 0040CB61
                                                                          • lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,76903BB0,?,00000000), ref: 0040CB81
                                                                          • lstrcatA.KERNEL32(00000000,0042BCF8,?,?,?,?,?,?,?,?,?,76903BB0,?,00000000), ref: 0040CBA5
                                                                          • SetDlgItemTextA.USER32 ref: 0040CBB4
                                                                          • GetDlgItem.USER32 ref: 0040CBE1
                                                                          • EnableWindow.USER32(00000000), ref: 0040CBE8
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: lstrlen$Item$Textlstrcat$EnableInfoLocaleWindowlstrcpy
                                                                          • String ID: $$G
                                                                          • API String ID: 2738947291-56673411
                                                                          • Opcode ID: d41b59d147c222b39ebc6405e50d06d0baf1d898eb1c3b3290b133c6bb598b4b
                                                                          • Instruction ID: 5daeb72c31c3a18955e431724f6f6e82507b4141b754b0cf24e52faea933d9ee
                                                                          • Opcode Fuzzy Hash: d41b59d147c222b39ebc6405e50d06d0baf1d898eb1c3b3290b133c6bb598b4b
                                                                          • Instruction Fuzzy Hash: ED81C770A00204EFDB14DF66EDC1A5EB7B9EF58710F54456FE405AB292CA789940CF18
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 82%
                                                                          			E0041E3EF() {
                                                                          				int _v8;
                                                                          				intOrPtr _v20;
                                                                          				int _v32;
                                                                          				char _v39;
                                                                          				char _v40;
                                                                          				char _v41;
                                                                          				char _v42;
                                                                          				char _v43;
                                                                          				struct _SID_IDENTIFIER_AUTHORITY _v44;
                                                                          				long _v48;
                                                                          				struct _GENERIC_MAPPING _v64;
                                                                          				long _v68;
                                                                          				void* _v72;
                                                                          				long _v76;
                                                                          				int _v80;
                                                                          				struct _PRIVILEGE_SET _v100;
                                                                          				void* _v104;
                                                                          				int _v112;
                                                                          				long _v116;
                                                                          				void* _v120;
                                                                          				long _v124;
                                                                          				void* __ebx;
                                                                          				void* __ebp;
                                                                          				signed int _t63;
                                                                          				struct _SECURITY_DESCRIPTOR* _t67;
                                                                          				struct _ACL* _t70;
                                                                          				intOrPtr _t94;
                                                                          				long _t96;
                                                                          				long _t99;
                                                                          				long _t100;
                                                                          				intOrPtr _t101;
                                                                          
                                                                          				_push(0xffffffff);
                                                                          				_push(0x4285e8);
                                                                          				_push(E00424EE0);
                                                                          				_push( *[fs:0x0]);
                                                                          				 *[fs:0x0] = _t101;
                                                                          				_v80 = 0;
                                                                          				_t96 = 0x14;
                                                                          				_v48 = _t96;
                                                                          				_v32 = 0;
                                                                          				_v104 = 0;
                                                                          				_v120 = 0;
                                                                          				_v72 = 0;
                                                                          				_v112 = 0;
                                                                          				_v44.Value = 0;
                                                                          				_v43 = 0;
                                                                          				_v42 = 0;
                                                                          				_v41 = 0;
                                                                          				_v40 = 0;
                                                                          				_v39 = 5;
                                                                          				if(GetVersion() < 0x80000000) {
                                                                          					_v8 = 0;
                                                                          					if(OpenThreadToken(GetCurrentThread(), 0xa, 1,  &_v120) != 0 || GetLastError() == 0x3f0 && OpenProcessToken(GetCurrentProcess(), 0xa,  &_v120) != 0) {
                                                                          						if(DuplicateToken(_v120, 2,  &_v72) != 0 && AllocateAndInitializeSid( &_v44, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v104) != 0) {
                                                                          							_t67 = LocalAlloc(0x40, _t96);
                                                                          							_v112 = _t67;
                                                                          							if(_t67 != 0 && InitializeSecurityDescriptor(_t67, 1) != 0) {
                                                                          								_t99 = GetLengthSid(_v104) + 0x10;
                                                                          								_v68 = _t99;
                                                                          								_t70 = LocalAlloc(0x40, _t99);
                                                                          								_v32 = _t70;
                                                                          								if(_t70 != 0 && InitializeAcl(_t70, _t99, 2) != 0) {
                                                                          									_t94 = 3;
                                                                          									_v124 = LocalAlloc;
                                                                          									if(AddAccessAllowedAce(_v32, 2, LocalAlloc, _v104) != 0) {
                                                                          										_push(0);
                                                                          										_push(_v32);
                                                                          										_t100 = 1;
                                                                          										if(SetSecurityDescriptorDacl(_v112, _t100, ??, ??) != 0) {
                                                                          											SetSecurityDescriptorGroup(_v112, _v104, 0);
                                                                          											SetSecurityDescriptorOwner(_v112, _v104, 0);
                                                                          											if(IsValidSecurityDescriptor(_v112) != 0) {
                                                                          												_v116 = _t100;
                                                                          												_v64.GenericRead = _t100;
                                                                          												_v64.GenericWrite = 2;
                                                                          												_v64.GenericExecute = 0;
                                                                          												_v64.GenericAll = _t94;
                                                                          												if(AccessCheck(_v112, _v72, _t100,  &_v64,  &_v100,  &_v48,  &_v76,  &_v80) == 0) {
                                                                          													_v80 = 0;
                                                                          												}
                                                                          											}
                                                                          										}
                                                                          									}
                                                                          								}
                                                                          							}
                                                                          						}
                                                                          					}
                                                                          					_v8 = _v8 | 0xffffffff;
                                                                          					E0041E5E3(0);
                                                                          					_t63 = 0 | _v80 != 0x00000000;
                                                                          					goto L17;
                                                                          				} else {
                                                                          					_t63 = 1;
                                                                          					L17:
                                                                          					 *[fs:0x0] = _v20;
                                                                          					return _t63;
                                                                          				}
                                                                          			}



































                                                                          APIs
                                                                          • GetVersion.KERNEL32(0047E4D0,00000000,00000000), ref: 0041E43F
                                                                          • GetCurrentThread.KERNEL32 ref: 0041E45E
                                                                          • OpenThreadToken.ADVAPI32(00000000), ref: 0041E465
                                                                          • GetLastError.KERNEL32 ref: 0041E46F
                                                                          • GetCurrentProcess.KERNEL32(0000000A,?), ref: 0041E486
                                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 0041E48D
                                                                          • DuplicateToken.ADVAPI32(?,00000002,?), ref: 0041E4A4
                                                                          • AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0041E4C9
                                                                          • LocalAlloc.KERNEL32(00000040,00000014), ref: 0041E4E0
                                                                          • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 0041E4F0
                                                                          • GetLengthSid.ADVAPI32(?), ref: 0041E501
                                                                          • LocalAlloc.KERNEL32(00000040,-00000010), ref: 0041E512
                                                                          • InitializeAcl.ADVAPI32(00000000,-00000010,00000002), ref: 0041E523
                                                                          • AddAccessAllowedAce.ADVAPI32(000000FF,00000002,00000003,?), ref: 0041E540
                                                                          • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,000000FF,00000000), ref: 0041E555
                                                                          • SetSecurityDescriptorGroup.ADVAPI32(00000000,?,00000000), ref: 0041E566
                                                                          • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 0041E573
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: DescriptorSecurity$InitializeToken$AllocCurrentLocalOpenProcessThread$AccessAllocateAllowedDaclDuplicateErrorGroupLastLengthOwnerVersion
                                                                          • String ID:
                                                                          • API String ID: 391627019-0
                                                                          • Opcode ID: 7b02ce2a8fc91034838d54e4a35e2769ec14eedf515d51013f3af73f8ad06c83
                                                                          • Instruction ID: ee05deb8910de79d19cf895011cf8c6bae4496e441d7c3eb43d7ad16ae5a6ca7
                                                                          • Opcode Fuzzy Hash: 7b02ce2a8fc91034838d54e4a35e2769ec14eedf515d51013f3af73f8ad06c83
                                                                          • Instruction Fuzzy Hash: AE512671E41208ABDF209FE6DD89BDEBBBDFB08750F50402AE605E7190DA748945CB68
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 83%
                                                                          			E0040EE9C() {
                                                                          				void* _v36;
                                                                          				void* _v80;
                                                                          				void* __ecx;
                                                                          				int _t10;
                                                                          				void* _t14;
                                                                          				signed int _t15;
                                                                          				int _t27;
                                                                          				void* _t34;
                                                                          				void* _t35;
                                                                          				signed int _t36;
                                                                          				void* _t44;
                                                                          				struct HDC__* _t46;
                                                                          				signed int _t47;
                                                                          				struct HDC__* _t48;
                                                                          				void* _t49;
                                                                          
                                                                          				_t49 = _t35;
                                                                          				_t46 = GetDC( *0x47e178);
                                                                          				if(_t46 == 0) {
                                                                          					L6:
                                                                          					return 0;
                                                                          				}
                                                                          				 *0x47e184 = CreateCompatibleDC(_t46);
                                                                          				_t10 = GetDeviceCaps(_t46, 0xa);
                                                                          				_t44 = CreateCompatibleBitmap(_t46, GetDeviceCaps(_t46, 8), _t10);
                                                                          				_v36 = _t44;
                                                                          				ReleaseDC( *0x47e178, _t46);
                                                                          				if(_t44 != 0) {
                                                                          					_t14 = SelectObject( *0x47e184, _t44);
                                                                          					__eflags = _t14;
                                                                          					if(_t14 != 0) {
                                                                          						_t47 =  *0x47e174; // 0x0
                                                                          						_t15 =  *0x47e82c; // 0x32
                                                                          						_t36 = 0x64;
                                                                          						_t45 = _t15 * _t47 / _t36;
                                                                          						E0040F1B2( *0x47e820,  *0x47e824, _t15 * _t47 / _t36, _t15 * _t47 / _t36, 0);
                                                                          						E0040F1B2( *0x47e824,  *0x47e828, _t47, _t47 - _t45 - 1, _t45);
                                                                          						E0040F999(_t49, __eflags);
                                                                          						E0040F47A();
                                                                          						_t48 = GetDC( *0x47e178);
                                                                          						_t27 = BitBlt(_t48, 0, 0,  *0x47e170,  *0x47e174,  *0x47e184, 0, 0, 0xcc0020);
                                                                          						__eflags = _t27;
                                                                          						if(_t27 != 0) {
                                                                          							ReleaseDC( *0x47e178, _t48);
                                                                          							_t34 = 1;
                                                                          							L8:
                                                                          							DeleteObject(_v80);
                                                                          							return _t34;
                                                                          						}
                                                                          						goto L6;
                                                                          					}
                                                                          					DeleteDC( *0x47e184);
                                                                          					 *0x47e184 =  *0x47e184 & 0x00000000;
                                                                          					_t34 = 0;
                                                                          					goto L8;
                                                                          				}
                                                                          				DeleteDC( *0x47e184);
                                                                          				 *0x47e184 =  *0x47e184 & _t44;
                                                                          				goto L6;
                                                                          			}



















                                                                          APIs
                                                                          • GetDC.USER32(7697B290), ref: 0040EEAF
                                                                          • CreateCompatibleDC.GDI32(00000000), ref: 0040EEBC
                                                                          • GetDeviceCaps.GDI32(00000000,0000000A), ref: 0040EED0
                                                                          • GetDeviceCaps.GDI32(00000000,00000008), ref: 0040EED6
                                                                          • CreateCompatibleBitmap.GDI32(00000000,00000000), ref: 0040EEDA
                                                                          • ReleaseDC.USER32 ref: 0040EEED
                                                                          • DeleteDC.GDI32 ref: 0040EEFD
                                                                          • SelectObject.GDI32(00000000), ref: 0040EF15
                                                                          • DeleteDC.GDI32 ref: 0040EF25
                                                                          • ReleaseDC.USER32 ref: 0040EFCD
                                                                          • DeleteObject.GDI32(?), ref: 0040EFD9
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Delete$CapsCompatibleCreateDeviceObjectRelease$BitmapSelect
                                                                          • String ID:
                                                                          • API String ID: 3914743975-0
                                                                          • Opcode ID: f046746491cd2f5c9336f52545cfd5d6fa3729b5f8fa359b5acca7dd697ca9de
                                                                          • Instruction ID: c40cb558d7516ac9f94f8ff682cf68fd21e8b6fec1b385c180aef17db7d780d4
                                                                          • Opcode Fuzzy Hash: f046746491cd2f5c9336f52545cfd5d6fa3729b5f8fa359b5acca7dd697ca9de
                                                                          • Instruction Fuzzy Hash: C7316631202110FFEB215F23ED0AE2B3BAEFB897117850179F50996170CE365C569B6D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 75%
                                                                          			E0041EEE8(void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16) {
                                                                          				char _v8;
                                                                          				char _v12;
                                                                          				char _v24;
                                                                          				void* _v35;
                                                                          				char _v36;
                                                                          				struct HINSTANCE__* _v40;
                                                                          				unsigned int _v360;
                                                                          				char _v420;
                                                                          				char _v1484;
                                                                          				_Unknown_base(*)()* _t62;
                                                                          				int _t63;
                                                                          				intOrPtr* _t65;
                                                                          				int _t66;
                                                                          				int _t67;
                                                                          				intOrPtr* _t70;
                                                                          				int _t77;
                                                                          				int _t93;
                                                                          				int _t102;
                                                                          				int _t106;
                                                                          				int _t107;
                                                                          				int _t108;
                                                                          				signed int _t125;
                                                                          				void* _t142;
                                                                          				signed int _t144;
                                                                          				struct HINSTANCE__* _t147;
                                                                          
                                                                          				_t142 = __edi;
                                                                          				 *0x47e2b0 =  *0x47e2b0 + 1;
                                                                          				E0041BE99( &_v24, 0x47eaec);
                                                                          				_push( *0x47e2b0);
                                                                          				E0041C467( &_v24, " %d:\t");
                                                                          				_v12 = 0;
                                                                          				_v8 = 0;
                                                                          				_t147 = LoadLibraryA("DDRAW.DLL");
                                                                          				_v40 = _t147;
                                                                          				if(_t147 == 0) {
                                                                          					L22:
                                                                          					E0041BEFB( &_v24);
                                                                          					return 0;
                                                                          				}
                                                                          				_t62 = GetProcAddress(_t147, "DirectDrawCreate");
                                                                          				if(_t62 != 0) {
                                                                          					_t63 =  *_t62(_a4,  &_v12, 0);
                                                                          					__eflags = _t63;
                                                                          					if(_t63 < 0) {
                                                                          						goto L2;
                                                                          					}
                                                                          					_t65 = _v12;
                                                                          					_t66 =  *((intOrPtr*)( *_t65))(_t65, 0x428808,  &_v8);
                                                                          					__eflags = _t66;
                                                                          					if(_t66 < 0) {
                                                                          						_v8 = 0;
                                                                          					}
                                                                          					_t67 = _v8;
                                                                          					__eflags = _t67;
                                                                          					if(_t67 == 0) {
                                                                          						L12:
                                                                          						E00424500( &_v420, 0, 0x17c);
                                                                          						_t70 = _v12;
                                                                          						_v420 = 0x17c;
                                                                          						 *((intOrPtr*)( *_t70 + 0x2c))(_t70,  &_v420, 0, _t142);
                                                                          						E0041C047( &_v24, _a8, 0);
                                                                          						E0041EEC5(_a16,  &_v24);
                                                                          						_v36 = 0;
                                                                          						asm("stosd");
                                                                          						asm("stosd");
                                                                          						asm("stosb");
                                                                          						_t77 = GetLocaleInfoA(0x400, 0xe,  &_v36, 0xa);
                                                                          						__eflags = _t77;
                                                                          						if(_t77 == 0) {
                                                                          							lstrcpyA( &_v36, ",");
                                                                          						}
                                                                          						E0041BF12( &_v24, 0x42e0c8);
                                                                          						_t125 = 0x64;
                                                                          						_t144 = (_v360 - (_v360 >> 0x14 << 0x14) >> 0xa) / _t125;
                                                                          						__eflags = _t144 - 9;
                                                                          						if(_t144 > 9) {
                                                                          							_t144 = 9;
                                                                          						}
                                                                          						E0041BFF8( &_v24, 9);
                                                                          						E0041C0C5( &_v24, __eflags, 0x47eaf8);
                                                                          						_push(_t144);
                                                                          						_push( &_v36);
                                                                          						_push(_v360 >> 0x14);
                                                                          						E0041C467( &_v24, ": %d%s%d MB");
                                                                          						E0041EEC5(_a16,  &_v24);
                                                                          						E0041BF12( &_v24, 0x42e0c8);
                                                                          						__eflags = _v8;
                                                                          						if(_v8 != 0) {
                                                                          							_push( &_v1484);
                                                                          							_push(E0041CD1E(0x47eb04));
                                                                          							E0041C467( &_v24, "\t%s: %s");
                                                                          							_t102 = _v8;
                                                                          							__eflags = _t102;
                                                                          							if(_t102 != 0) {
                                                                          								 *((intOrPtr*)( *_t102 + 8))(_t102);
                                                                          							}
                                                                          						}
                                                                          						_t93 = _v12;
                                                                          						__eflags = _t93;
                                                                          						if(_t93 != 0) {
                                                                          							 *((intOrPtr*)( *_t93 + 8))(_t93);
                                                                          						}
                                                                          						FreeLibrary(_v40);
                                                                          						E0041EEC5(_a16,  &_v24);
                                                                          						_push(1);
                                                                          						_pop(0);
                                                                          						goto L22;
                                                                          					}
                                                                          					_t106 =  *((intOrPtr*)( *_t67 + 0x6c))(_t67,  &_v1484, 0);
                                                                          					__eflags = _t106;
                                                                          					if(_t106 >= 0) {
                                                                          						goto L12;
                                                                          					}
                                                                          					_t107 = _v8;
                                                                          					__eflags = _t107;
                                                                          					if(_t107 != 0) {
                                                                          						 *((intOrPtr*)( *_t107 + 8))(_t107);
                                                                          					}
                                                                          					_t108 = _v12;
                                                                          					__eflags = _t108;
                                                                          					if(_t108 != 0) {
                                                                          						 *((intOrPtr*)( *_t108 + 8))(_t108);
                                                                          					}
                                                                          				}
                                                                          				L2:
                                                                          				FreeLibrary(_t147);
                                                                          				goto L22;
                                                                          			}





























                                                                          APIs
                                                                            • Part of subcall function 0041BE99: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0042C1D8,00421A71,00000000,00000000,00000000,0042C1D8,00000000,00000001,00000000,00000001,0000005C,00000000,00000000), ref: 0041BEB3
                                                                            • Part of subcall function 0041BE99: GlobalLock.KERNEL32 ref: 0041BED4
                                                                            • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,00000000,?,0042DB90,0047E788), ref: 0041C489
                                                                            • Part of subcall function 0041C467: lstrlenA.KERNEL32(00000000,0042D4D0,00000000,00000000,00000001,00000001), ref: 0041C63F
                                                                            • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407DB6), ref: 0041C649
                                                                          • LoadLibraryA.KERNEL32(DDRAW.DLL), ref: 0041EF2A
                                                                          • GetProcAddress.KERNEL32(00000000,DirectDrawCreate), ref: 0041EF43
                                                                          • FreeLibrary.KERNEL32(00000000), ref: 0041EF4E
                                                                            • Part of subcall function 0041C047: lstrlenA.KERNEL32(00000000,00422D86,0047E788,004221EF,103,00000000,00000000,00000000,00000000,0047E788,00000000), ref: 0041C04F
                                                                            • Part of subcall function 0041C047: GlobalUnlock.KERNEL32(8415FF57), ref: 0041C067
                                                                            • Part of subcall function 0041C047: GlobalReAlloc.KERNEL32 ref: 0041C074
                                                                            • Part of subcall function 0041C047: GlobalLock.KERNEL32 ref: 0041C095
                                                                          • GetLocaleInfoA.KERNEL32(00000400,0000000E,?,0000000A,?,?,00000000), ref: 0041F012
                                                                          • lstrcpyA.KERNEL32(?,0042C0C8), ref: 0041F025
                                                                          • FreeLibrary.KERNEL32(?,?,?,?,0047EAF8,00000009,0042E0C8), ref: 0041F0EF
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$lstrlen$Library$AllocFreeLock$AddressInfoLoadLocaleProcUnlocklstrcpy
                                                                          • String ID: %s: %s$ %d:$: %d%s%d MB$DDRAW.DLL$DirectDrawCreate
                                                                          • API String ID: 3724619349-2030211027
                                                                          • Opcode ID: 846f708f0c6553d162b05b4e78bb1a539fc0c38a84fe2610caf7778b5554cf9b
                                                                          • Instruction ID: 3012dda7d57b04b111c5f8892c497247f7c2b1382b76468a7d00b522a6367528
                                                                          • Opcode Fuzzy Hash: 846f708f0c6553d162b05b4e78bb1a539fc0c38a84fe2610caf7778b5554cf9b
                                                                          • Instruction Fuzzy Hash: 9D617071A00219AFDB00DBE5DC85DEE7779EF48304F50046AF505E7281DB399E86CB69
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 65%
                                                                          			E0041D95E(signed int _a4, int _a8, intOrPtr _a12) {
                                                                          				void* _v15;
                                                                          				char _v16;
                                                                          				signed int _t20;
                                                                          				signed int _t22;
                                                                          				int _t25;
                                                                          				signed int _t27;
                                                                          				signed int _t29;
                                                                          				signed int _t30;
                                                                          				void* _t32;
                                                                          				void* _t35;
                                                                          				void* _t41;
                                                                          				void* _t46;
                                                                          				signed int _t53;
                                                                          				int _t54;
                                                                          				void* _t55;
                                                                          				void* _t59;
                                                                          				void* _t61;
                                                                          				void* _t62;
                                                                          				void* _t63;
                                                                          				void* _t65;
                                                                          				void* _t67;
                                                                          				void* _t69;
                                                                          				int _t70;
                                                                          				int _t71;
                                                                          				int _t76;
                                                                          				signed int _t77;
                                                                          				void* _t83;
                                                                          				void* _t84;
                                                                          				int _t88;
                                                                          
                                                                          				E0041BF12(_a12, 0x42e0c8);
                                                                          				_t70 = _a8;
                                                                          				_t20 = _a4 & 0xfffffc00;
                                                                          				_t88 = _t70;
                                                                          				if(_t88 > 0 || _t88 >= 0 && _t20 >= 0x100000) {
                                                                          					_t59 = 0xa;
                                                                          					_t22 = E00425060(_a4, _t59, _t70);
                                                                          					_v16 = _v16 & 0x00000000;
                                                                          					_t53 = _t22;
                                                                          					asm("stosd");
                                                                          					asm("stosd");
                                                                          					asm("stosb");
                                                                          					_a8 = _t70;
                                                                          					_t25 = GetLocaleInfoA(0x400, 0xe,  &_v16, 0xa);
                                                                          					__eflags = _t25;
                                                                          					if(_t25 == 0) {
                                                                          						lstrcpyA( &_v16, ",");
                                                                          					}
                                                                          					_t76 = _a8;
                                                                          					_t27 = _t53 & 0xfffffc00;
                                                                          					__eflags = _t76;
                                                                          					if(__eflags > 0) {
                                                                          						L12:
                                                                          						_t61 = 0xa;
                                                                          						_t71 = _t76;
                                                                          						_t29 = E00425060(_t53, _t61, _t71);
                                                                          						_t77 = _t29;
                                                                          						_t54 = _t71;
                                                                          						_t30 = _t29 & 0xfffffc00;
                                                                          						__eflags = _t54;
                                                                          						if(__eflags > 0) {
                                                                          							L18:
                                                                          							_t62 = 0xa;
                                                                          							_t72 = _t54;
                                                                          							_t32 = E00425060(_t77, _t62, _t54);
                                                                          							_t63 = 0xa;
                                                                          							_t55 = E00425060(_t32, _t63, _t72);
                                                                          							asm("sbb edi, ecx");
                                                                          							_t35 = E00425250(_t32 - (_t33 << 0xa), _t72, 0x64, 0);
                                                                          							__eflags = _t35 - 0xa;
                                                                          							if(_t35 >= 0xa) {
                                                                          								_t35 = 9;
                                                                          							}
                                                                          							_push(_t35);
                                                                          							_push( &_v16);
                                                                          							_push(_t55);
                                                                          							_push("%d%s%d TB");
                                                                          							goto L21;
                                                                          						}
                                                                          						if(__eflags < 0) {
                                                                          							L15:
                                                                          							_t65 = 0xa;
                                                                          							_t83 = E00425060(_t77, _t65, _t54);
                                                                          							asm("sbb ebx, ecx");
                                                                          							_t41 = E00425250(_t77 - (_t39 << 0xa), _t54, 0x64, 0);
                                                                          							__eflags = _t41 - 0xa;
                                                                          							if(_t41 >= 0xa) {
                                                                          								_t41 = 9;
                                                                          							}
                                                                          							_push(_t41);
                                                                          							_push( &_v16);
                                                                          							_push(_t83);
                                                                          							_push("%d%s%d GB");
                                                                          							goto L21;
                                                                          						}
                                                                          						__eflags = _t30 - 0x100000;
                                                                          						if(_t30 >= 0x100000) {
                                                                          							goto L18;
                                                                          						}
                                                                          						goto L15;
                                                                          					} else {
                                                                          						if(__eflags < 0) {
                                                                          							L9:
                                                                          							_t67 = 0xa;
                                                                          							_t84 = E00425060(_t53, _t67, _t76);
                                                                          							asm("sbb edi, ecx");
                                                                          							_t46 = E00425250(_t53 - (_t44 << 0xa), _t76, 0x64, 0);
                                                                          							__eflags = _t46 - 0xa;
                                                                          							if(_t46 >= 0xa) {
                                                                          								_t46 = 9;
                                                                          							}
                                                                          							_push(_t46);
                                                                          							_push( &_v16);
                                                                          							_push(_t84);
                                                                          							_push("%d%s%d MB");
                                                                          							L21:
                                                                          							_push(_a12);
                                                                          							return E0041C467();
                                                                          						}
                                                                          						__eflags = _t27 - 0x100000;
                                                                          						if(_t27 >= 0x100000) {
                                                                          							goto L12;
                                                                          						}
                                                                          						goto L9;
                                                                          					}
                                                                          				} else {
                                                                          					_t69 = 0xa;
                                                                          					_push(E00425060(_a4, _t69, _t70));
                                                                          					return E0041C467(_a12, "%d KB");
                                                                          				}
                                                                          			}

































                                                                          APIs
                                                                            • Part of subcall function 0041BF12: GlobalUnlock.KERNEL32(0217020C,00000104,00000000,0041929A,00000000), ref: 0041BF19
                                                                            • Part of subcall function 0041BF12: GlobalReAlloc.KERNEL32 ref: 0041BF3B
                                                                            • Part of subcall function 0041BF12: GlobalLock.KERNEL32 ref: 0041BF5C
                                                                          • GetLocaleInfoA.KERNEL32(00000400,0000000E,00000000,0000000A,0042E0C8,00000000,00000000,00000000), ref: 0041D9DA
                                                                          • lstrcpyA.KERNEL32(00000000,0042C0C8), ref: 0041D9ED
                                                                          • __aulldiv.LIBCMT ref: 0041DA25
                                                                          • __aulldiv.LIBCMT ref: 0041DA7D
                                                                          • __aulldiv.LIBCMT ref: 0041DABF
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global__aulldiv$AllocInfoLocaleLockUnlocklstrcpy
                                                                          • String ID: %d KB$%d%s%d GB$%d%s%d MB$%d%s%d TB
                                                                          • API String ID: 2912751820-1851159777
                                                                          • Opcode ID: 61237b5f1ee841af03de9891e0d30280989a1bdbeb4c3c3c60aed83f3c037d64
                                                                          • Instruction ID: bfa3e1734765f5e35e2b0a15e4957904babfb08cd35756a16585f01112cbd073
                                                                          • Opcode Fuzzy Hash: 61237b5f1ee841af03de9891e0d30280989a1bdbeb4c3c3c60aed83f3c037d64
                                                                          • Instruction Fuzzy Hash: 384125B2B403147AEB18D564AC92FBF2759DB81B94F54453BFA01EB2C0D9BCC98142AC
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 93%
                                                                          			E0041FB81() {
                                                                          				int _v8;
                                                                          				char _v20;
                                                                          				char _v32;
                                                                          				char _v44;
                                                                          				char _v317;
                                                                          				struct _WIN32_FIND_DATAA _v364;
                                                                          				void _v623;
                                                                          				char _v624;
                                                                          				signed int _t92;
                                                                          				void* _t103;
                                                                          				void* _t105;
                                                                          				void* _t106;
                                                                          				int _t108;
                                                                          
                                                                          				E0041BE99( &_v20, 0x47dfbc);
                                                                          				if(E0041BFE3( &_v20, _v20 - 1) != 0x5c) {
                                                                          					E0041BFF8( &_v20, 0x5c);
                                                                          				}
                                                                          				E0041C047( &_v20, "Microsoft.NET\\Framework\\", 0);
                                                                          				_v8 = _v8 | 0xffffffff;
                                                                          				E0041BE99( &_v44,  &_v20);
                                                                          				E0041C047( &_v44, "*.*", 0);
                                                                          				E00424500( &_v364, 0, 0x140);
                                                                          				_t106 = _t105 + 0xc;
                                                                          				_t103 = FindFirstFileA(E0041CD1E( &_v44),  &_v364);
                                                                          				_t108 = _t103 - 0xffffffff;
                                                                          				while(_t108 != 0) {
                                                                          					if((_v364.dwFileAttributes & 0x00000010) == 0 || _v364.cFileName == 0x2e) {
                                                                          						L12:
                                                                          						_t108 = FindNextFileA(_t103,  &_v364);
                                                                          						continue;
                                                                          					} else {
                                                                          						E0041BE99( &_v32,  &_v20);
                                                                          						E0041C047( &_v32,  &(_v364.cFileName), 0);
                                                                          						E0041C047( &_v32, "\\system.dll", 0);
                                                                          						if(GetFileAttributesA(E0041CD1E( &_v32)) == 0xffffffff || lstrlenA( &(_v364.cFileName)) < 4) {
                                                                          							L11:
                                                                          							E0041BEFB( &_v32);
                                                                          							goto L12;
                                                                          						} else {
                                                                          							_t92 = 0x40;
                                                                          							_v624 = 0;
                                                                          							memset( &_v623, 0, _t92 << 2);
                                                                          							_t106 = _t106 + 0xc;
                                                                          							asm("stosw");
                                                                          							asm("stosb");
                                                                          							E00425080( &_v624,  &_v317);
                                                                          							if(_v624 == 0x31) {
                                                                          								_v8 = 1;
                                                                          								E0041BEFB( &_v32);
                                                                          								break;
                                                                          							}
                                                                          							if(_v624 == 0x30) {
                                                                          								_v8 = 0;
                                                                          							}
                                                                          							goto L11;
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          				FindClose(_t103);
                                                                          				E0041BEFB( &_v44);
                                                                          				E0041BEFB( &_v20);
                                                                          				return _v8;
                                                                          			}

















                                                                          APIs
                                                                            • Part of subcall function 0041BE99: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0042C1D8,00421A71,00000000,00000000,00000000,0042C1D8,00000000,00000001,00000000,00000001,0000005C,00000000,00000000), ref: 0041BEB3
                                                                            • Part of subcall function 0041BE99: GlobalLock.KERNEL32 ref: 0041BED4
                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000001,00420E9E,0047DFBC), ref: 0041FC08
                                                                          • GetFileAttributesA.KERNEL32(00000000,\system.dll,00000000,0000002E,00000000,00420E9F), ref: 0041FC66
                                                                          • lstrlenA.KERNEL32(0000002E), ref: 0041FC78
                                                                          • FindNextFileA.KERNEL32(00000000,00000010), ref: 0041FCD3
                                                                          • FindClose.KERNEL32(00000000), ref: 0041FCF0
                                                                            • Part of subcall function 0041BFF8: GlobalUnlock.KERNEL32(8415FF57,0047E788,004221E2,00000000,00000000,00000000,0047E788,00000000), ref: 0041C000
                                                                            • Part of subcall function 0041BFF8: GlobalReAlloc.KERNEL32 ref: 0041C00D
                                                                            • Part of subcall function 0041BFF8: GlobalLock.KERNEL32 ref: 0041C02E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$FileFind$AllocLock$AttributesCloseFirstNextUnlocklstrlen
                                                                          • String ID: *.*$Microsoft.NET\Framework\$\system.dll
                                                                          • API String ID: 1301902778-4236999259
                                                                          • Opcode ID: 23e69a58573cbe043e2e4b7cc6a2ed4d1c5bdbe2034a486dc8d181821954c2ac
                                                                          • Instruction ID: 0c49fdb927465f1edeeb5f710294b29b2c00870386440977898a730bf9e491ee
                                                                          • Opcode Fuzzy Hash: 23e69a58573cbe043e2e4b7cc6a2ed4d1c5bdbe2034a486dc8d181821954c2ac
                                                                          • Instruction Fuzzy Hash: 04419771D0061D9ADF14EBA5DC85EEF7778EF04308F50046BE511A21D1EB385E8ACB98
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0040B6B3(void* __eflags, struct HWND__* _a4, void* _a8) {
                                                                          				long _v8;
                                                                          				struct _WIN32_FIND_DATAA _v328;
                                                                          				char _v588;
                                                                          				void* _t24;
                                                                          				long _t28;
                                                                          				int _t42;
                                                                          
                                                                          				_t24 = FindFirstFileA(E0041CD1E(_a8),  &_v328);
                                                                          				_a8 = _t24;
                                                                          				if(_t24 != 0xffffffff) {
                                                                          					do {
                                                                          						if((_v328.dwFileAttributes & 0x00000010) != 0 && _v328.cFileName != 0x2e && _v328.cFileName != 0) {
                                                                          							_t28 = SendDlgItemMessageA(_a4, 0xb, 0x18b, 0, 0);
                                                                          							_t42 = 0;
                                                                          							_v8 = _t28;
                                                                          							if(_t28 <= 0) {
                                                                          								L8:
                                                                          								SendDlgItemMessageA(_a4, 0xb, 0x180, 0,  &(_v328.cFileName));
                                                                          							} else {
                                                                          								while(1) {
                                                                          									_v588 = 0;
                                                                          									SendDlgItemMessageA(_a4, 0xb, 0x189, _t42,  &_v588);
                                                                          									if(lstrcmpiA( &_v588,  &(_v328.cFileName)) == 0) {
                                                                          										goto L9;
                                                                          									}
                                                                          									_t42 = _t42 + 1;
                                                                          									if(_t42 < _v8) {
                                                                          										continue;
                                                                          									} else {
                                                                          										goto L8;
                                                                          									}
                                                                          									goto L9;
                                                                          								}
                                                                          							}
                                                                          						}
                                                                          						L9:
                                                                          					} while (FindNextFileA(_a8,  &_v328) != 0);
                                                                          				}
                                                                          				return FindClose(_a8);
                                                                          			}










                                                                          APIs
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          • FindFirstFileA.KERNEL32(00000000,?), ref: 0040B6CC
                                                                          • SendDlgItemMessageA.USER32(?,0000000B,0000018B,00000000,00000000), ref: 0040B70F
                                                                          • SendDlgItemMessageA.USER32(?,0000000B,00000189,00000000,?), ref: 0040B732
                                                                          • lstrcmpiA.KERNEL32(?,0000002E), ref: 0040B742
                                                                          • SendDlgItemMessageA.USER32(?,0000000B,00000180,00000000,0000002E), ref: 0040B764
                                                                          • FindNextFileA.KERNEL32(?,00000010), ref: 0040B770
                                                                          • FindClose.KERNEL32(?), ref: 0040B784
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: FindGlobalItemMessageSend$File$AllocCloseFirstLockNextUnlocklstrcmpi
                                                                          • String ID: .
                                                                          • API String ID: 1519698938-248832578
                                                                          • Opcode ID: 73f62b74efa56c8f7f30f9d3253f8eaf9d6e2ae22a43afcaa83a08a3e9caaa7d
                                                                          • Instruction ID: f0f2f29fac367435beece934399d940b04a20419ed95f58ff49edb3295910553
                                                                          • Opcode Fuzzy Hash: 73f62b74efa56c8f7f30f9d3253f8eaf9d6e2ae22a43afcaa83a08a3e9caaa7d
                                                                          • Instruction Fuzzy Hash: 6921627194021CBADB219F64DC85BEE7B6CEB40344F5045B6B508E71E0CB749F868BA8
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00411D82() {
                                                                          				void* _v8;
                                                                          				int _v12;
                                                                          				struct _TOKEN_PRIVILEGES _v24;
                                                                          				intOrPtr _t23;
                                                                          
                                                                          				OpenProcessToken(GetCurrentProcess(), 0x28,  &_v8);
                                                                          				LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v24.Privileges));
                                                                          				_v24.PrivilegeCount = 1;
                                                                          				_v12 = 2;
                                                                          				AdjustTokenPrivileges(_v8, 0,  &_v24, 0, 0, 0);
                                                                          				E0041B45D(0x47dfb8, 1);
                                                                          				ExitWindowsEx(2, 0);
                                                                          				_t23 =  *0x47f2d5; // 0x0
                                                                          				ExitProcess(0 | _t23 == 0x00000000);
                                                                          			}








                                                                          APIs
                                                                          • GetCurrentProcess.KERNEL32(00000028,?,00000000,00000000,?,?,00000000), ref: 00411D8F
                                                                          • OpenProcessToken.ADVAPI32(00000000,?,00000000), ref: 00411D96
                                                                          • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00411DA8
                                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,00000000), ref: 00411DC7
                                                                            • Part of subcall function 0041B45D: DeleteDC.GDI32(00000000), ref: 0041B482
                                                                            • Part of subcall function 0041B45D: FreeLibrary.KERNEL32(00000000), ref: 0041B4D7
                                                                            • Part of subcall function 0041B45D: DeleteFileA.KERNEL32(00000000), ref: 0041B509
                                                                            • Part of subcall function 0041B45D: DeleteFileA.KERNEL32(00000000), ref: 0041B541
                                                                          • ExitWindowsEx.USER32(00000002,00000000), ref: 00411DDC
                                                                          • ExitProcess.KERNEL32 ref: 00411DEE
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: DeleteProcess$ExitFileToken$AdjustCurrentFreeLibraryLookupOpenPrivilegePrivilegesValueWindows
                                                                          • String ID: SeShutdownPrivilege
                                                                          • API String ID: 734271878-3733053543
                                                                          • Opcode ID: 3fdd3162940341f4b6ce602b71c2e9c46b16e3be0a0e270c8c1905840b76af95
                                                                          • Instruction ID: 27af0f3acf54203deb88264b71c3d0253eb2b99b993e4cc3fa31c3676b6438a9
                                                                          • Opcode Fuzzy Hash: 3fdd3162940341f4b6ce602b71c2e9c46b16e3be0a0e270c8c1905840b76af95
                                                                          • Instruction Fuzzy Hash: D5F012B5601208BFE710ABF09D8EEBF7B7CEF04348F504469B50195191DA755E498B39
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 89%
                                                                          			E004068F2(void* __ecx, intOrPtr _a4) {
                                                                          				signed int _v8;
                                                                          				void* _v12;
                                                                          				signed int _v16;
                                                                          				signed int _v20;
                                                                          				signed int _v24;
                                                                          				int _v28;
                                                                          				signed int _v32;
                                                                          				int _v36;
                                                                          				int _v40;
                                                                          				intOrPtr _v44;
                                                                          				union _LARGE_INTEGER _v48;
                                                                          				intOrPtr _v52;
                                                                          				union _LARGE_INTEGER _v56;
                                                                          				union _LARGE_INTEGER _v64;
                                                                          				signed int _v68;
                                                                          				signed int _v72;
                                                                          				signed int _v76;
                                                                          				signed int _v80;
                                                                          				int _t115;
                                                                          				void* _t120;
                                                                          				signed int _t126;
                                                                          				signed int _t141;
                                                                          				int _t157;
                                                                          				int _t160;
                                                                          				signed int _t162;
                                                                          				unsigned int _t168;
                                                                          				signed int _t171;
                                                                          				signed int _t197;
                                                                          				unsigned int _t199;
                                                                          				signed int _t201;
                                                                          				signed int _t203;
                                                                          				signed int _t206;
                                                                          				void* _t208;
                                                                          				signed int _t209;
                                                                          
                                                                          				_t203 = 0;
                                                                          				_t162 = 0;
                                                                          				_v8 = 0;
                                                                          				_v20 = 0;
                                                                          				_v24 = 0;
                                                                          				_v12 = GetCurrentThread();
                                                                          				E00424500( &_v80, 0, 0x10);
                                                                          				if(QueryPerformanceFrequency( &_v64) != 0) {
                                                                          					while(1) {
                                                                          						_v8 = _v8 + 1;
                                                                          						_v32 = _t203;
                                                                          						_v16 = _t162;
                                                                          						QueryPerformanceCounter( &_v56);
                                                                          						_v48.LowPart = _v56.LowPart;
                                                                          						_v44 = _v52;
                                                                          						_t115 = GetThreadPriority(_v12);
                                                                          						_v28 = _t115;
                                                                          						if(_t115 != 0x7fffffff) {
                                                                          							SetThreadPriority(_v12, 0xf);
                                                                          						}
                                                                          						while(_v48.LowPart - _v56.LowPart < 0x32) {
                                                                          							_t160 = QueryPerformanceCounter( &_v48);
                                                                          							asm("rdtsc");
                                                                          							_v40 = _t160;
                                                                          						}
                                                                          						_v56.LowPart = _v48.LowPart;
                                                                          						_v52 = _v44;
                                                                          						_t120 = 0;
                                                                          						while(_t120 < 0x3e8) {
                                                                          							_t157 = QueryPerformanceCounter( &_v48);
                                                                          							asm("rdtsc");
                                                                          							_v36 = _t157;
                                                                          							_t120 = _v48.LowPart - _v56.LowPart;
                                                                          						}
                                                                          						if(_v28 != 0x7fffffff) {
                                                                          							SetThreadPriority(_v12, _v28);
                                                                          						}
                                                                          						_v28 = _v48.LowPart * 0x186a0 - _v56.LowPart * 0x186a0;
                                                                          						_t168 = _v64.LowPart;
                                                                          						_t197 = 0xa;
                                                                          						_t206 = _v36 - _v40;
                                                                          						_v20 = _v20 + _t206;
                                                                          						_t126 = _v28 / _t168 / _t197;
                                                                          						_t199 = _t126;
                                                                          						_v24 = _v24 + _t199;
                                                                          						if(_t126 % _t168 > _t168 >> 1) {
                                                                          							_t199 = _t199 + 1;
                                                                          						}
                                                                          						_t162 = _t206 / _t199;
                                                                          						if(_t206 % _t199 > _t199 >> 1) {
                                                                          							_t162 = _t162 + 1;
                                                                          						}
                                                                          						_t208 = _v32 + _v16 + _t162;
                                                                          						if(_v8 < 3 || _v8 < 0x14 && (E00424FB8(_t162 + _t162 * 2 - _t208) > 3 || E00424FB8(_v16 + _v16 * 2 - _t208) > 3 || E00424FB8(_v32 + _v32 * 2 - _t208) > 3)) {
                                                                          							_t203 = _v16;
                                                                          							continue;
                                                                          						} else {
                                                                          							_t209 = _v20;
                                                                          							_t201 = _v24;
                                                                          							_t171 = (_t209 + _t209 * 4 << 1) / _t201;
                                                                          							if(_t209 * 0x64 / _t201 - (_t171 + _t171 * 4 << 1) >= 6) {
                                                                          								_t171 = _t171 + 1;
                                                                          							}
                                                                          							_t141 = _t209 / _t201;
                                                                          							_v72 = _t141;
                                                                          							_v68 = _t141;
                                                                          							if(_t171 - (_t141 + _t141 * 4 << 1) >= 6) {
                                                                          								_v68 = _t141 + 1;
                                                                          							}
                                                                          							_v76 = _t201;
                                                                          							_v80 = _t209;
                                                                          							L26:
                                                                          							asm("movsd");
                                                                          							asm("movsd");
                                                                          							asm("movsd");
                                                                          							asm("movsd");
                                                                          							return _a4;
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          				goto L26;
                                                                          			}






































                                                                          APIs
                                                                          • GetCurrentThread.KERNEL32 ref: 00406908
                                                                          • QueryPerformanceFrequency.KERNEL32(?), ref: 00406924
                                                                          • QueryPerformanceCounter.KERNEL32(?), ref: 00406949
                                                                          • GetThreadPriority.KERNEL32(00000000), ref: 0040695A
                                                                          • SetThreadPriority.KERNEL32(00000000,0000000F), ref: 00406971
                                                                          • QueryPerformanceCounter.KERNEL32(?), ref: 00406986
                                                                          • QueryPerformanceCounter.KERNEL32(?), ref: 004069AA
                                                                          • SetThreadPriority.KERNEL32(00000000,?), ref: 004069C4
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: PerformanceQueryThread$CounterPriority$CurrentFrequency
                                                                          • String ID:
                                                                          • API String ID: 2690025377-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 96%
                                                                          			E0040E4C1(void* __ecx, CHAR* _a4, intOrPtr _a8, signed int _a12) {
                                                                          				CHAR* _v8;
                                                                          				signed int _t12;
                                                                          				signed int _t13;
                                                                          				CHAR* _t15;
                                                                          				long _t33;
                                                                          				signed int _t34;
                                                                          				CHAR* _t38;
                                                                          				void* _t39;
                                                                          
                                                                          				_push(__ecx);
                                                                          				if(_a4 == 0) {
                                                                          					L14:
                                                                          					_t13 = _t12 | 0xffffffff;
                                                                          				} else {
                                                                          					_t12 = _a12;
                                                                          					if(_t12 == 0) {
                                                                          						goto L14;
                                                                          					} else {
                                                                          						 *_t12 = 0;
                                                                          						_t33 = GetLogicalDriveStringsA(0, 0);
                                                                          						if(_t33 != 0) {
                                                                          							_t15 = E00424DD9(_t33);
                                                                          							_v8 = _t15;
                                                                          							if(_t15 == 0) {
                                                                          								E0041D881(E0041CD1E(0x47e924));
                                                                          							}
                                                                          							if(GetLogicalDriveStringsA(_t33, _v8) != 0) {
                                                                          								_t38 = _v8;
                                                                          								_t34 = 0;
                                                                          								while( *_t38 != 0) {
                                                                          									if(GetDriveTypeA(_t38) != 3) {
                                                                          										L13:
                                                                          										_t38 =  &(_t38[lstrlenA(_t38) + 1]);
                                                                          										continue;
                                                                          									} else {
                                                                          										_t34 = E0040E2EE(_t38, _a4, _a8, _a12);
                                                                          										_t39 = _t39 + 0x10;
                                                                          										if(_t34 > 0) {
                                                                          											goto L8;
                                                                          										} else {
                                                                          											goto L13;
                                                                          										}
                                                                          									}
                                                                          									L16:
                                                                          								}
                                                                          							} else {
                                                                          								_t34 = 0xfffffffc;
                                                                          							}
                                                                          							L8:
                                                                          							E00424DCE(_v8);
                                                                          							_t13 = _t34;
                                                                          						} else {
                                                                          							_t13 = 0xfffffffe;
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          				return _t13;
                                                                          				goto L16;
                                                                          			}












                                                                          APIs
                                                                          • GetLogicalDriveStringsA.KERNEL32 ref: 0040E4E8
                                                                          • GetLogicalDriveStringsA.KERNEL32 ref: 0040E518
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: DriveLogicalStrings
                                                                          • String ID: $G
                                                                          • API String ID: 2022863570-195990108
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 75%
                                                                          			E00405408(void* __edi, void* __esi, void* __eflags) {
                                                                          				char _v16;
                                                                          				char _v28;
                                                                          				void _v539;
                                                                          				char _v540;
                                                                          				void* _t26;
                                                                          				void* _t27;
                                                                          				signed int _t50;
                                                                          				long _t59;
                                                                          				void* _t61;
                                                                          				void* _t62;
                                                                          
                                                                          				_t59 = GetLastError();
                                                                          				E00401A5C();
                                                                          				E0041BDC5( &_v16);
                                                                          				_push(E0041CD1E(0x47f038));
                                                                          				E0041C467( &_v16, E0041CD1E(0x47efd8));
                                                                          				_t62 = _t61 + 0xc;
                                                                          				E0041BDC5( &_v28);
                                                                          				if(_t59 == 0) {
                                                                          					E0041BF80( &_v28,  &_v16);
                                                                          				} else {
                                                                          					_t50 = 0x7f;
                                                                          					_v540 = 0;
                                                                          					memset( &_v539, 0, _t50 << 2);
                                                                          					asm("stosw");
                                                                          					asm("stosb");
                                                                          					FormatMessageA(0x1000, 0, _t59, 0x400,  &_v540, 0x200, 0);
                                                                          					_push( &_v540);
                                                                          					_push(E0041CD1E( &_v16));
                                                                          					E0041C467( &_v28, "%s (%s)");
                                                                          					_t62 = _t62 + 0x1c;
                                                                          				}
                                                                          				_t26 = E0041CD1E(0x47e700);
                                                                          				_t27 = E0041CD1E( &_v28);
                                                                          				if(E0041D0E2(GetActiveWindow(), _t27, _t26, 4) == 7) {
                                                                          					E0041D0D5(_t29);
                                                                          				}
                                                                          				E0041BEFB( &_v28);
                                                                          				return E0041BEFB( &_v16);
                                                                          			}

                                                                          APIs
                                                                          • GetLastError.KERNEL32(0045AA60), ref: 00405412
                                                                            • Part of subcall function 00401A5C: CloseHandle.KERNEL32(00000000,00405328), ref: 00401A72
                                                                            • Part of subcall function 00401A5C: CloseHandle.KERNEL32 ref: 00401A7A
                                                                            • Part of subcall function 00401A5C: DeleteFileA.KERNEL32(C:\ztg\fillProxy\spy++\spyxxhk.dll), ref: 00401A81
                                                                            • Part of subcall function 0041BDC5: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0041C189,00000000,0047E4D0,00000000), ref: 0041BDD5
                                                                            • Part of subcall function 0041BDC5: GlobalLock.KERNEL32 ref: 0041BDDF
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                            • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,00000000,?,0042DB90,0047E788), ref: 0041C489
                                                                            • Part of subcall function 0041C467: lstrlenA.KERNEL32(00000000,0042D4D0,00000000,00000000,00000001,00000001), ref: 0041C63F
                                                                            • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407DB6), ref: 0041C649
                                                                          • FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000200,00000000,00000000), ref: 00405487
                                                                          • GetActiveWindow.USER32 ref: 004054D3
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$lstrlen$AllocCloseHandleLock$ActiveDeleteErrorFileFormatLastMessageUnlockWindow
                                                                          • String ID: %s (%s)
                                                                          • API String ID: 2124624523-1363028141
                                                                          • Opcode ID: 9926dca7a21f68fba4a6149231b11a340a5456c6529c6873e1fe70bef8a37943
                                                                          • Instruction ID: a826c34f9ea8de3a7754797514cf1cef73ed9f77526bf85fb78512e69db77130
                                                                          • Opcode Fuzzy Hash: 9926dca7a21f68fba4a6149231b11a340a5456c6529c6873e1fe70bef8a37943
                                                                          • Instruction Fuzzy Hash: DB21B3B1D4010966CB14F7B2DC8AEEE772C9F54308F5041BFF205A21C2EF3856868AA9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 84%
                                                                          			E0042037B(void* __ecx) {
                                                                          				char _v16;
                                                                          				struct _SYSTEM_INFO _v52;
                                                                          				void* _t21;
                                                                          
                                                                          				_t21 = __ecx;
                                                                          				E00424500( &_v52, 0, 0x24);
                                                                          				GetSystemInfo( &_v52);
                                                                          				E0041BE99( &_v16, 0x47eae0);
                                                                          				_push(_v52.dwNumberOfProcessors);
                                                                          				E0041C467( &_v16, "\t%d");
                                                                          				E0041EEC5(_t21,  &_v16);
                                                                          				return E0041BEFB( &_v16);
                                                                          			}

                                                                          APIs
                                                                          • GetSystemInfo.KERNEL32(?,?,?,00000000,?,?,?,?,?,0041F2E6,0047EAA4,00000000,0042E0C8,00000000,00000001,00000001), ref: 00420398
                                                                            • Part of subcall function 0041BE99: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0042C1D8,00421A71,00000000,00000000,00000000,0042C1D8,00000000,00000001,00000000,00000001,0000005C,00000000,00000000), ref: 0041BEB3
                                                                            • Part of subcall function 0041BE99: GlobalLock.KERNEL32 ref: 0041BED4
                                                                            • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,00000000,?,0042DB90,0047E788), ref: 0041C489
                                                                            • Part of subcall function 0041C467: lstrlenA.KERNEL32(00000000,0042D4D0,00000000,00000000,00000001,00000001), ref: 0041C63F
                                                                            • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407DB6), ref: 0041C649
                                                                            • Part of subcall function 0041BEFB: GlobalUnlock.KERNEL32(?,00000000,0041C1E9,00000000,00000010,00000000,0047E4D0,00000000), ref: 0041BF01
                                                                            • Part of subcall function 0041BEFB: GlobalFree.KERNEL32 ref: 0041BF0A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$lstrlen$AllocFreeInfoLockSystemUnlock
                                                                          • String ID: %d
                                                                          • API String ID: 1419721734-1388091195
                                                                          • Opcode ID: def3bb214524da11732d8fb86412fc1ad98892293c4584f52fc3f0f417dcfd7a
                                                                          • Instruction ID: 9e698bb6c94f990cdf2613955bba22d743c49f97e2d58bdffb568d269f19e01b
                                                                          • Opcode Fuzzy Hash: def3bb214524da11732d8fb86412fc1ad98892293c4584f52fc3f0f417dcfd7a
                                                                          • Instruction Fuzzy Hash: 73F0FEB5D0021977CF00F6E2EC4AEEEB76CAB04748F44446ABA15A2181FB78964986D4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 84%
                                                                          			E0041DF41(signed int _a4) {
                                                                          				struct _SYSTEMTIME _v20;
                                                                          				void* _t55;
                                                                          				void* _t69;
                                                                          				void* _t77;
                                                                          				signed short _t79;
                                                                          				void* _t80;
                                                                          				signed int _t83;
                                                                          				signed int _t85;
                                                                          				signed int _t86;
                                                                          				signed short _t95;
                                                                          				signed int _t96;
                                                                          				signed int _t97;
                                                                          				signed int _t98;
                                                                          
                                                                          				GetSystemTime( &_v20);
                                                                          				_t79 = _a4;
                                                                          				_a4 = _a4 & 0x00000000;
                                                                          				_t95 = _t79;
                                                                          				if(_t79 < _v20.wYear) {
                                                                          					_t98 = _t79 & 0x0000ffff;
                                                                          					_t69 = (_v20.wYear & 0x0000ffff) - _t98;
                                                                          					_t77 = _t69;
                                                                          					_t95 = _t69 + _t79;
                                                                          					do {
                                                                          						asm("cdq");
                                                                          						_t85 = 4;
                                                                          						if(_t98 % _t85 != 0) {
                                                                          							L6:
                                                                          							_a4 = _a4 + 0x16d;
                                                                          						} else {
                                                                          							asm("cdq");
                                                                          							_t86 = 0x64;
                                                                          							if(_t98 % _t86 != 0) {
                                                                          								L5:
                                                                          								_a4 = _a4 + 0x16e;
                                                                          							} else {
                                                                          								asm("cdq");
                                                                          								if(_t98 % 0x190 != 0) {
                                                                          									goto L6;
                                                                          								} else {
                                                                          									goto L5;
                                                                          								}
                                                                          							}
                                                                          						}
                                                                          						_t98 = _t98 + 1;
                                                                          						_t77 = _t77 - 1;
                                                                          					} while (_t77 != 0);
                                                                          				}
                                                                          				_t80 = 0;
                                                                          				_t55 = (_v20.wMonth & 0x0000ffff) - 1;
                                                                          				if(_t55 > 0) {
                                                                          					do {
                                                                          						_t25 = _t80 + 0x42d538; // 0x1e1f1c1f
                                                                          						_a4 = _a4 + ( *_t25 & 0x000000ff);
                                                                          						_t80 = _t80 + 1;
                                                                          					} while (_t80 < _t55);
                                                                          				}
                                                                          				if(_v20.wMonth > 2) {
                                                                          					_t83 = _t95 & 0x0000ffff;
                                                                          					asm("cdq");
                                                                          					_t96 = 4;
                                                                          					if(_t83 % _t96 == 0) {
                                                                          						asm("cdq");
                                                                          						_t97 = 0x64;
                                                                          						if(_t83 % _t97 != 0) {
                                                                          							L15:
                                                                          							_a4 = _a4 + 1;
                                                                          						} else {
                                                                          							asm("cdq");
                                                                          							if(_t83 % 0x190 == 0) {
                                                                          								goto L15;
                                                                          							}
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          				return ((_v20.wHour & 0x0000ffff) + ((_v20.wDay & 0x0000ffff) + _a4 + ((_v20.wDay & 0x0000ffff) + _a4) * 2) * 8) * 0x3c + (_v20.wMinute & 0x0000ffff) - 0x5a0;
                                                                          			}

                                                                          APIs
                                                                          • GetSystemTime.KERNEL32(004163AA,74E07410,00000000,004163AA,000007D0,<DS2000>,?,?,?,?,00000000,0047E0A0,0047E0AC,?,C:\Progra~1\Common~1,C:\Program Files\Common Files), ref: 0041DF4D
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp Download File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: SystemTime
                                                                          • String ID:
                                                                          • API String ID: 2656138-0
                                                                          • Opcode ID: 04075d0329c4232b47023c1f67a198e412aec773a428f5dab92961e47bb612c5
                                                                          • Instruction ID: 393f1518c483c4a74f0349017b4f4b7990fdcbe3f63e43843c9d5bb9b10d14ad
                                                                          • Opcode Fuzzy Hash: 04075d0329c4232b47023c1f67a198e412aec773a428f5dab92961e47bb612c5
                                                                          • Instruction Fuzzy Hash: 84213AB6F0032A57DB185B0AD8456FF77B6EB90718F10401FF906CA184E675CAC2C298
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 98%
                                                                          			E004054FF(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
                                                                          				char _v8;
                                                                          				char _v12;
                                                                          				void* __ebx;
                                                                          				void* __esi;
                                                                          				void* __ebp;
                                                                          				char _t25;
                                                                          				unsigned int _t26;
                                                                          				unsigned int _t27;
                                                                          				intOrPtr _t34;
                                                                          				intOrPtr _t35;
                                                                          				intOrPtr _t36;
                                                                          				intOrPtr _t37;
                                                                          				intOrPtr _t38;
                                                                          				intOrPtr _t40;
                                                                          				intOrPtr _t41;
                                                                          				intOrPtr _t42;
                                                                          				intOrPtr _t43;
                                                                          				intOrPtr _t44;
                                                                          				intOrPtr _t45;
                                                                          				intOrPtr _t46;
                                                                          				intOrPtr _t47;
                                                                          				intOrPtr _t48;
                                                                          				void* _t53;
                                                                          				void* _t59;
                                                                          				intOrPtr _t63;
                                                                          				intOrPtr _t64;
                                                                          				intOrPtr _t65;
                                                                          				intOrPtr* _t72;
                                                                          				char _t76;
                                                                          				char _t77;
                                                                          				unsigned int _t83;
                                                                          				unsigned int _t85;
                                                                          				unsigned int _t87;
                                                                          				unsigned int _t88;
                                                                          				intOrPtr _t115;
                                                                          				void* _t118;
                                                                          				intOrPtr _t121;
                                                                          				intOrPtr _t125;
                                                                          
                                                                          				_push(__ecx);
                                                                          				_push(__ecx);
                                                                          				 *0x42e1fc = _a4;
                                                                          				 *0x436240 = _a8;
                                                                          				_t76 =  *0x42b160; // 0x1f
                                                                          				 *0x436258 = _t76;
                                                                          				_t77 =  *0x42b161; // -117
                                                                          				_t25 = 0;
                                                                          				_t121 =  *0x42e0f0; // 0x0
                                                                          				_t115 = 8;
                                                                          				_v12 = 0;
                                                                          				_v8 = 0;
                                                                          				 *0x42b0f4 = _t115;
                                                                          				 *0x436259 = _t77;
                                                                          				 *0x43625a = 8;
                                                                          				if(_t121 != 0) {
                                                                          					_t25 = 8;
                                                                          				}
                                                                          				 *0x43625b = _t25;
                                                                          				_t26 =  *0x42e0ec; // 0x0
                                                                          				 *0x43625c = _t26;
                                                                          				 *0x43625d = _t26;
                                                                          				_t27 = _t26 >> 0x10;
                                                                          				 *0x43625e = _t27;
                                                                          				 *0x43625f = _t27;
                                                                          				 *0x436254 = _t115;
                                                                          				 *0x47df40 = E004050EA(_t27, 0, 0);
                                                                          				E00401000(_t28);
                                                                          				E00403050( &_v12, 0x42b0f4);
                                                                          				E004012BC(_t27,  *0x42b0f8,  &_v8);
                                                                          				_t34 =  *0x436254; // 0x0
                                                                          				_t82 = _v8;
                                                                          				 *((char*)(_t34 + 0x436258)) = _v8;
                                                                          				_t35 = _t34 + 1;
                                                                          				 *0x436254 = _t35;
                                                                          				if(_t35 == 0x4000) {
                                                                          					E00405199();
                                                                          				}
                                                                          				_t36 =  *0x436254; // 0x0
                                                                          				 *((char*)(_t36 + 0x436258)) = 0xb;
                                                                          				_t37 = _t36 + 1;
                                                                          				 *0x436254 = _t37;
                                                                          				if(_t37 == 0x4000) {
                                                                          					E00405199();
                                                                          				}
                                                                          				_t125 =  *0x42e0f0; // 0x0
                                                                          				if(_t125 == 0) {
                                                                          					L11:
                                                                          					_t38 =  *0x436254; // 0x0
                                                                          					 *0x47df44 = _t38;
                                                                          					E004015E9(0, 0x4000, _t118);
                                                                          					_t40 =  *0x436254; // 0x0
                                                                          					_t83 =  *0x47df40;
                                                                          					 *(_t40 + 0x436258) = _t83;
                                                                          					_t41 = _t40 + 1;
                                                                          					if(_t41 >= 0) {
                                                                          						 *0x436254 = _t41;
                                                                          						if(_t41 == 0x4000) {
                                                                          							E00405199();
                                                                          							_t41 =  *0x436254; // 0x0
                                                                          							_t83 =  *0x47df40;
                                                                          						}
                                                                          						_t42 = _t41 + 1;
                                                                          						 *(_t42 + 0x436257) = _t83;
                                                                          						 *0x436254 = _t42;
                                                                          						if(_t42 == 0x4000) {
                                                                          							E00405199();
                                                                          							_t42 =  *0x436254; // 0x0
                                                                          							_t83 =  *0x47df40;
                                                                          						}
                                                                          					} else {
                                                                          						_t42 = _t41 + 1;
                                                                          						 *(_t42 + 0x436257) = _t83;
                                                                          					}
                                                                          					if(_t42 >= 0x3ffe) {
                                                                          						 *(_t42 + 0x436258) = _t83 >> 0x10;
                                                                          						_t43 = _t42 + 1;
                                                                          						 *0x436254 = _t43;
                                                                          						if(_t43 == 0x4000) {
                                                                          							E00405199();
                                                                          							_t43 =  *0x436254; // 0x0
                                                                          							_t83 =  *0x47df40;
                                                                          						}
                                                                          						_t44 = _t43 + 1;
                                                                          						 *((char*)(_t44 + 0x436257)) = _t83 >> 0x10;
                                                                          						 *0x436254 = _t44;
                                                                          						if(_t44 == 0x4000) {
                                                                          							E00405199();
                                                                          							_t44 =  *0x436254; // 0x0
                                                                          						}
                                                                          					} else {
                                                                          						_t88 = _t83 >> 0x10;
                                                                          						 *(_t42 + 0x436258) = _t88;
                                                                          						_t59 = _t42 + 1;
                                                                          						 *(_t59 + 0x436258) = _t88;
                                                                          						_t44 = _t59 + 1;
                                                                          					}
                                                                          					_t85 =  *0x46ab68; // 0x165e367
                                                                          					 *(_t44 + 0x436258) = _t85;
                                                                          					_t45 = _t44 + 1;
                                                                          					if(_t45 >= 0) {
                                                                          						 *0x436254 = _t45;
                                                                          						if(_t45 == 0x4000) {
                                                                          							E00405199();
                                                                          							_t45 =  *0x436254; // 0x0
                                                                          							_t85 =  *0x46ab68; // 0x165e367
                                                                          						}
                                                                          						_t46 = _t45 + 1;
                                                                          						 *(_t46 + 0x436257) = _t85;
                                                                          						 *0x436254 = _t46;
                                                                          						if(_t46 == 0x4000) {
                                                                          							E00405199();
                                                                          							_t46 =  *0x436254; // 0x0
                                                                          							_t85 =  *0x46ab68; // 0x165e367
                                                                          						}
                                                                          					} else {
                                                                          						_t46 = _t45 + 1;
                                                                          						 *(_t46 + 0x436257) = _t85;
                                                                          					}
                                                                          					if(_t46 >= 0x3ffe) {
                                                                          						 *(_t46 + 0x436258) = _t85 >> 0x10;
                                                                          						_t47 = _t46 + 1;
                                                                          						 *0x436254 = _t47;
                                                                          						if(_t47 == 0x4000) {
                                                                          							E00405199();
                                                                          							_t47 =  *0x436254; // 0x0
                                                                          							_t85 =  *0x46ab68; // 0x165e367
                                                                          						}
                                                                          						_t48 = _t47 + 1;
                                                                          						 *((char*)(_t48 + 0x436257)) = _t85 >> 0x10;
                                                                          						 *0x436254 = _t48;
                                                                          						if(_t48 == 0x4000) {
                                                                          							E00405199();
                                                                          						}
                                                                          					} else {
                                                                          						_t87 = _t85 >> 0x10;
                                                                          						 *(_t46 + 0x436258) = _t87;
                                                                          						_t53 = _t46 + 1;
                                                                          						 *(_t53 + 0x436258) = _t87;
                                                                          						 *0x436254 = _t53 + 1;
                                                                          					}
                                                                          					 *0x47df44 =  *0x47df44 + 8;
                                                                          					E00405199();
                                                                          					return 0;
                                                                          				}
                                                                          				_t72 = E0040526F(_t82, "C:\Users\hardz\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe");
                                                                          				do {
                                                                          					_t63 =  *0x436254; // 0x0
                                                                          					 *((char*)(_t63 + 0x436258)) =  *_t72;
                                                                          					_t64 = _t63 + 1;
                                                                          					 *0x436254 = _t64;
                                                                          					if(_t64 == 0x4000) {
                                                                          						E00405199();
                                                                          					}
                                                                          					_t65 =  *_t72;
                                                                          					_t72 = _t72 + 1;
                                                                          				} while (_t65 != 0);
                                                                          				goto L11;
                                                                          			}

                                                                          0x0040578f
                                                                          0x00405791
                                                                          0x00405796
                                                                          0x0040579b
                                                                          0x0040579b
                                                                          0x004057a6
                                                                          0x004057ab
                                                                          0x004057b1
                                                                          0x004057b6
                                                                          0x004057b8
                                                                          0x004057b8
                                                                          0x00405760
                                                                          0x00405760
                                                                          0x00405763
                                                                          0x0040576b
                                                                          0x0040576e
                                                                          0x00405775
                                                                          0x00405775
                                                                          0x004057bd
                                                                          0x004057c4
                                                                          0x004057cf
                                                                          0x004057cf
                                                                          0x00405607
                                                                          0x00405609
                                                                          0x00405609
                                                                          0x00405610
                                                                          0x00405616
                                                                          0x00405619
                                                                          0x0040561e
                                                                          0x00405620
                                                                          0x00405620
                                                                          0x00405625
                                                                          0x00405627
                                                                          0x00405628
                                                                          0x00000000

                                                                          Strings
                                                                          • C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe, xrefs: 004055FC
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                                                                          • API String ID: 0-4204489282
                                                                          • Opcode ID: 89c60029d23e2c111f0756f3e622102273aa2a2f9fffd08b3253f037f41585e2
                                                                          • Instruction ID: 31e7195787edc1ead20c002d7c0b1effab7620ffafd4d63cf561ab72b5c9ba81
                                                                          • Opcode Fuzzy Hash: 89c60029d23e2c111f0756f3e622102273aa2a2f9fffd08b3253f037f41585e2
                                                                          • Instruction Fuzzy Hash: CE81D130A045C3AFD320EB6AA88552BBBE6E7A9304317A4FFD149D7362D5780409CF6D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00425D8E(signed int* _a4, intOrPtr* _a8, char _a11, signed int _a12, char _a15) {
                                                                          				signed int _v8;
                                                                          				signed char _v12;
                                                                          				intOrPtr _v16;
                                                                          				intOrPtr _t186;
                                                                          				void* _t187;
                                                                          				signed int _t188;
                                                                          				signed int* _t189;
                                                                          				intOrPtr _t191;
                                                                          				signed int* _t192;
                                                                          				signed int* _t193;
                                                                          				signed char _t194;
                                                                          				intOrPtr _t195;
                                                                          				intOrPtr* _t196;
                                                                          				signed int _t199;
                                                                          				signed int _t202;
                                                                          				signed int _t207;
                                                                          				signed int _t209;
                                                                          				signed int _t218;
                                                                          				signed int _t221;
                                                                          				signed int* _t222;
                                                                          				signed int _t227;
                                                                          				intOrPtr _t228;
                                                                          				intOrPtr _t229;
                                                                          				intOrPtr _t230;
                                                                          				char _t233;
                                                                          				signed int _t234;
                                                                          				signed char _t235;
                                                                          				signed int* _t237;
                                                                          				signed int* _t239;
                                                                          				signed int* _t244;
                                                                          				signed int* _t245;
                                                                          				signed char _t250;
                                                                          				intOrPtr _t256;
                                                                          				signed int _t257;
                                                                          				char _t258;
                                                                          				char _t259;
                                                                          				signed char _t260;
                                                                          				signed int* _t262;
                                                                          				signed int* _t267;
                                                                          				signed int* _t268;
                                                                          				char* _t270;
                                                                          				signed int _t274;
                                                                          				unsigned int _t275;
                                                                          				intOrPtr _t277;
                                                                          				unsigned int _t278;
                                                                          				intOrPtr* _t280;
                                                                          				void* _t281;
                                                                          				signed char _t290;
                                                                          				signed int _t292;
                                                                          				signed char _t295;
                                                                          				signed int _t298;
                                                                          				signed int _t302;
                                                                          				signed int* _t304;
                                                                          
                                                                          				_t222 = _a4;
                                                                          				_t280 = _a8;
                                                                          				_t5 = _t222 + 0xc; // 0x80084689
                                                                          				_t6 = _t222 + 0x10; // 0x8b000124
                                                                          				_t186 =  *_t6;
                                                                          				_t292 = _a12 + 0x00000017 & 0xfffffff0;
                                                                          				_t274 = _t280 -  *_t5 >> 0xf;
                                                                          				_v16 = _t274 * 0x204 + _t186 + 0x144;
                                                                          				_t227 =  *((intOrPtr*)(_t280 - 4)) - 1;
                                                                          				_a12 = _t227;
                                                                          				_t194 =  *(_t227 + _t280 - 4);
                                                                          				_t281 = _t227 + _t280 - 4;
                                                                          				_v8 = _t194;
                                                                          				if(_t292 <= _t227) {
                                                                          					if(__eflags < 0) {
                                                                          						_t195 = _a8;
                                                                          						_a12 = _a12 - _t292;
                                                                          						_t228 = _t292 + 1;
                                                                          						 *((intOrPtr*)(_t195 - 4)) = _t228;
                                                                          						_t196 = _t195 + _t292 - 4;
                                                                          						_a8 = _t196;
                                                                          						_t295 = (_a12 >> 4) - 1;
                                                                          						 *((intOrPtr*)(_t196 - 4)) = _t228;
                                                                          						__eflags = _t295 - 0x3f;
                                                                          						if(_t295 > 0x3f) {
                                                                          							_t295 = 0x3f;
                                                                          						}
                                                                          						__eflags = _v8 & 0x00000001;
                                                                          						if((_v8 & 0x00000001) == 0) {
                                                                          							_t298 = (_v8 >> 4) - 1;
                                                                          							__eflags = _t298 - 0x3f;
                                                                          							if(_t298 > 0x3f) {
                                                                          								_t298 = 0x3f;
                                                                          							}
                                                                          							__eflags =  *((intOrPtr*)(_t281 + 4)) -  *((intOrPtr*)(_t281 + 8));
                                                                          							if( *((intOrPtr*)(_t281 + 4)) ==  *((intOrPtr*)(_t281 + 8))) {
                                                                          								__eflags = _t298 - 0x20;
                                                                          								if(_t298 >= 0x20) {
                                                                          									_t128 = _t298 - 0x20; // -32
                                                                          									_t130 = _t186 + 4; // 0x4
                                                                          									_t244 = _t298 + _t130;
                                                                          									_t199 =  !(0x80000000 >> _t128);
                                                                          									 *(_t186 + 0xc4 + _t274 * 4) =  *(_t186 + 0xc4 + _t274 * 4) & 0x80000000;
                                                                          									 *_t244 =  *_t244 - 1;
                                                                          									__eflags =  *_t244;
                                                                          									if( *_t244 == 0) {
                                                                          										_t245 = _a4;
                                                                          										_t138 = _t245 + 4;
                                                                          										 *_t138 =  *(_t245 + 4) & _t199;
                                                                          										__eflags =  *_t138;
                                                                          									}
                                                                          								} else {
                                                                          									_t304 = _t298 + _t186 + 4;
                                                                          									_t202 =  !(0x80000000 >> _t298);
                                                                          									 *(_t186 + 0x44 + _t274 * 4) =  *(_t186 + 0x44 + _t274 * 4) & 0x80000000;
                                                                          									 *_t304 =  *_t304 - 1;
                                                                          									__eflags =  *_t304;
                                                                          									if( *_t304 == 0) {
                                                                          										 *_a4 =  *_a4 & _t202;
                                                                          									}
                                                                          								}
                                                                          								_t196 = _a8;
                                                                          							}
                                                                          							 *((intOrPtr*)( *((intOrPtr*)(_t281 + 8)) + 4)) =  *((intOrPtr*)(_t281 + 4));
                                                                          							 *((intOrPtr*)( *((intOrPtr*)(_t281 + 4)) + 8)) =  *((intOrPtr*)(_t281 + 8));
                                                                          							_t302 = _a12 + _v8;
                                                                          							_a12 = _t302;
                                                                          							_t295 = (_t302 >> 4) - 1;
                                                                          							__eflags = _t295 - 0x3f;
                                                                          							if(_t295 > 0x3f) {
                                                                          								_t295 = 0x3f;
                                                                          							}
                                                                          						}
                                                                          						_t229 = _v16;
                                                                          						_t230 = _t229 + _t295 * 8;
                                                                          						 *((intOrPtr*)(_t196 + 4)) =  *((intOrPtr*)(_t229 + 4 + _t295 * 8));
                                                                          						 *((intOrPtr*)(_t196 + 8)) = _t230;
                                                                          						 *((intOrPtr*)(_t230 + 4)) = _t196;
                                                                          						 *((intOrPtr*)( *((intOrPtr*)(_t196 + 4)) + 8)) = _t196;
                                                                          						__eflags =  *((intOrPtr*)(_t196 + 4)) -  *((intOrPtr*)(_t196 + 8));
                                                                          						if( *((intOrPtr*)(_t196 + 4)) ==  *((intOrPtr*)(_t196 + 8))) {
                                                                          							_t164 = _t186 + 4; // 0x6415ff04
                                                                          							_t233 =  *((intOrPtr*)(_t295 + _t164));
                                                                          							__eflags = _t295 - 0x20;
                                                                          							_a11 = _t233;
                                                                          							_t234 = _t233 + 1;
                                                                          							__eflags = _t234;
                                                                          							 *(_t295 + _t186 + 4) = _t234;
                                                                          							if(_t234 >= 0) {
                                                                          								__eflags = _a11;
                                                                          								if(_a11 == 0) {
                                                                          									_t174 = _t295 - 0x20; // 0x41cd2f
                                                                          									_t237 = _a4;
                                                                          									_t176 = _t237 + 4;
                                                                          									 *_t176 =  *(_t237 + 4) | 0x80000000 >> _t174;
                                                                          									__eflags =  *_t176;
                                                                          								}
                                                                          								_t189 = _t186 + 0xc4 + _t274 * 4;
                                                                          								_t181 = _t295 - 0x20; // 0x41cd2f
                                                                          								_t235 = _t181;
                                                                          								_t275 = 0x80000000;
                                                                          							} else {
                                                                          								__eflags = _a11;
                                                                          								if(_a11 == 0) {
                                                                          									_t239 = _a4;
                                                                          									 *_t239 =  *_t239 | 0x80000000 >> _t295;
                                                                          									__eflags =  *_t239;
                                                                          								}
                                                                          								_t189 = _t186 + 0x44 + _t274 * 4;
                                                                          								_t275 = 0x80000000;
                                                                          								_t235 = _t295;
                                                                          							}
                                                                          							 *_t189 =  *_t189 | _t275 >> _t235;
                                                                          							__eflags =  *_t189;
                                                                          						}
                                                                          						_t188 = _a12;
                                                                          						 *_t196 = _t188;
                                                                          						_t184 = _t196 - 4; // 0x476ff59
                                                                          						 *((intOrPtr*)(_t188 + _t184)) = _t188;
                                                                          					}
                                                                          					L52:
                                                                          					_t187 = 1;
                                                                          					return _t187;
                                                                          				}
                                                                          				if((_t194 & 0x00000001) != 0 || _t292 > _t194 + _t227) {
                                                                          					return 0;
                                                                          				} else {
                                                                          					_t250 = (_v8 >> 4) - 1;
                                                                          					_v12 = _t250;
                                                                          					if(_t250 > 0x3f) {
                                                                          						_t250 = 0x3f;
                                                                          						_v12 = _t250;
                                                                          					}
                                                                          					if( *((intOrPtr*)(_t281 + 4)) ==  *((intOrPtr*)(_t281 + 8))) {
                                                                          						if(_t250 >= 0x20) {
                                                                          							_t36 = _t186 + 4; // 0x826415ff
                                                                          							_t267 = _v12 + _t36;
                                                                          							_t218 =  !(0x80000000 >> _t250 + 0xffffffe0);
                                                                          							 *(_t186 + 0xc4 + _t274 * 4) =  *(_t186 + 0xc4 + _t274 * 4) & 0x80000000;
                                                                          							 *_t267 =  *_t267 - 1;
                                                                          							__eflags =  *_t267;
                                                                          							if( *_t267 == 0) {
                                                                          								_t268 = _a4;
                                                                          								_t44 = _t268 + 4;
                                                                          								 *_t44 =  *(_t268 + 4) & _t218;
                                                                          								__eflags =  *_t44;
                                                                          							}
                                                                          						} else {
                                                                          							_t26 = _t186 + 4; // 0x826415ff
                                                                          							_t270 = _v12 + _t26;
                                                                          							_t221 =  !(0x80000000 >> _t250);
                                                                          							 *(_t186 + 0x44 + _t274 * 4) =  *(_t186 + 0x44 + _t274 * 4) & 0x80000000;
                                                                          							 *_t270 =  *_t270 - 1;
                                                                          							if( *_t270 == 0) {
                                                                          								 *_a4 =  *_a4 & _t221;
                                                                          							}
                                                                          						}
                                                                          					}
                                                                          					 *((intOrPtr*)( *((intOrPtr*)(_t281 + 8)) + 4)) =  *((intOrPtr*)(_t281 + 4));
                                                                          					 *((intOrPtr*)( *((intOrPtr*)(_t281 + 4)) + 8)) =  *((intOrPtr*)(_t281 + 8));
                                                                          					_v8 = _v8 + _a12 - _t292;
                                                                          					if(_v8 <= 0) {
                                                                          						_t277 = _a8;
                                                                          					} else {
                                                                          						_t290 = (_v8 >> 4) - 1;
                                                                          						_t256 = _a8 + _t292 - 4;
                                                                          						if(_t290 > 0x3f) {
                                                                          							_t290 = 0x3f;
                                                                          						}
                                                                          						_t207 = _v16 + _t290 * 8;
                                                                          						_a12 = _t207;
                                                                          						 *((intOrPtr*)(_t256 + 4)) =  *((intOrPtr*)(_t207 + 4));
                                                                          						_t209 = _a12;
                                                                          						 *(_t256 + 8) = _t209;
                                                                          						 *((intOrPtr*)(_t209 + 4)) = _t256;
                                                                          						 *((intOrPtr*)( *((intOrPtr*)(_t256 + 4)) + 8)) = _t256;
                                                                          						if( *((intOrPtr*)(_t256 + 4)) ==  *(_t256 + 8)) {
                                                                          							_t258 =  *((intOrPtr*)(_t290 + _t186 + 4));
                                                                          							_a15 = _t258;
                                                                          							_t259 = _t258 + 1;
                                                                          							 *((char*)(_t290 + _t186 + 4)) = _t259;
                                                                          							if(_t259 >= 0) {
                                                                          								__eflags = _a15;
                                                                          								if(_a15 == 0) {
                                                                          									_t84 = _t290 - 0x20; // -33
                                                                          									_t262 = _a4;
                                                                          									_t86 = _t262 + 4;
                                                                          									 *_t86 =  *(_t262 + 4) | 0x80000000 >> _t84;
                                                                          									__eflags =  *_t86;
                                                                          								}
                                                                          								_t193 = _t186 + 0xc4 + _t274 * 4;
                                                                          								_t91 = _t290 - 0x20; // -33
                                                                          								_t260 = _t91;
                                                                          								_t278 = 0x80000000;
                                                                          							} else {
                                                                          								if(_a15 == 0) {
                                                                          									 *_a4 =  *_a4 | 0x80000000 >> _t290;
                                                                          								}
                                                                          								_t193 = _t186 + 0x44 + _t274 * 4;
                                                                          								_t278 = 0x80000000;
                                                                          								_t260 = _t290;
                                                                          							}
                                                                          							 *_t193 =  *_t193 | _t278 >> _t260;
                                                                          						}
                                                                          						_t277 = _a8;
                                                                          						_t257 = _v8;
                                                                          						_t95 = _t292 - 4; // -4
                                                                          						_t192 = _t277 + _t95;
                                                                          						 *_t192 = _t257;
                                                                          						 *(_t257 + _t192 - 4) = _t257;
                                                                          					}
                                                                          					_t191 = _t292 + 1;
                                                                          					 *((intOrPtr*)(_t277 - 4)) = _t191;
                                                                          					 *((intOrPtr*)(_t277 + _t292 - 8)) = _t191;
                                                                          					goto L52;
                                                                          				}
                                                                          			}

























































                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 43%
                                                                          			E00406575(void* __ecx) {
                                                                          				signed int _v8;
                                                                          				intOrPtr _v20;
                                                                          				intOrPtr _v28;
                                                                          				intOrPtr _t21;
                                                                          
                                                                          				_push(0xffffffff);
                                                                          				_push(0x4285a0);
                                                                          				_push(E00424EE0);
                                                                          				_push( *[fs:0x0]);
                                                                          				 *[fs:0x0] = _t21;
                                                                          				_v28 = _t21;
                                                                          				_v8 = _v8 & 0x00000000;
                                                                          				asm("cpuid");
                                                                          				_v8 = _v8 | 0xffffffff;
                                                                          				 *[fs:0x0] = _v20;
                                                                          				return 0;
                                                                          			}








                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 91%
                                                                          			E0040A8C4(void* __ebx, char __ecx, struct HWND__* _a4) {
                                                                          				char _v12;
                                                                          				char _v24;
                                                                          				char _v28;
                                                                          				char _v36;
                                                                          				char _v40;
                                                                          				char _v44;
                                                                          				char _v48;
                                                                          				char _v56;
                                                                          				char _v60;
                                                                          				char _v76;
                                                                          				char _v80;
                                                                          				char _v100;
                                                                          				intOrPtr _v112;
                                                                          				signed char _t135;
                                                                          				signed char _t141;
                                                                          				intOrPtr _t146;
                                                                          				signed char _t150;
                                                                          				signed char _t191;
                                                                          				int _t194;
                                                                          				int _t195;
                                                                          				int _t199;
                                                                          				int _t204;
                                                                          				int _t214;
                                                                          				void* _t228;
                                                                          				CHAR* _t229;
                                                                          				void* _t235;
                                                                          				int _t260;
                                                                          				int _t267;
                                                                          				intOrPtr _t281;
                                                                          				struct HWND__* _t286;
                                                                          				void* _t304;
                                                                          
                                                                          				_t228 = __ebx;
                                                                          				 *((char*)(__ecx + 0xb0)) = 1;
                                                                          				_t286 = _a4;
                                                                          				_v40 = __ecx;
                                                                          				if( *0x42bf98 <= 0) {
                                                                          					EnableWindow(GetDlgItem(_t286, 3), 0);
                                                                          				}
                                                                          				_t235 = 0x47e850;
                                                                          				if(( *0x47e193 & 0x00000002) == 0) {
                                                                          					_t235 = 0x47eb94;
                                                                          				}
                                                                          				SetWindowTextA(_t286, E0041CD1E(_t235));
                                                                          				SetDlgItemTextA(_t286, 0x2d, E0041CD1E(0x47eba0));
                                                                          				SetDlgItemTextA(_t286, 3, E0041CD1E(0x47e8a0));
                                                                          				SetDlgItemTextA(_t286, 1, E0041CD1E(0x47e8d0));
                                                                          				SetDlgItemTextA(_t286, 2, E0041CD1E(0x47e8b8));
                                                                          				if(E00419E8A() != 0) {
                                                                          					SetDlgItemTextA(_t286, 1, E0041CD1E(0x47e8c4));
                                                                          				}
                                                                          				_push(_t228);
                                                                          				E0041BE99( &_v12, 0x47ebb8);
                                                                          				E0041BE99( &_v28, 0x47ebc4);
                                                                          				E0041BE99( &_v44, 0x47ebd0);
                                                                          				E0041BFF8( &_v24, 0x3a);
                                                                          				E0041BFF8( &_v40, 0x3a);
                                                                          				E0041BFF8( &_v56, 0x3a);
                                                                          				SetDlgItemTextA(_t286, 0xa, E0041CD1E( &_v36));
                                                                          				SetDlgItemTextA(_t286, 0xb, E0041CD1E( &_v48));
                                                                          				SetDlgItemTextA(_t286, 0xc, E0041CD1E( &_v60));
                                                                          				_t229 = "-";
                                                                          				SetDlgItemTextA(_t286, 0x1f, _t229);
                                                                          				SetDlgItemTextA(_t286, 0x20, _t229);
                                                                          				SendDlgItemMessageA(_t286, 0x14, 0xc5, 0x103, 0);
                                                                          				SendDlgItemMessageA(_t286, 0x15, 0xc5, 0x103, 0);
                                                                          				SendDlgItemMessageA(_t286, 0x16, 0xc5, 0x103, 0);
                                                                          				E0041C3A9( &_v36, _v36 - 1, 1);
                                                                          				E0041C3A9( &_v56, _v56 - 1, 1);
                                                                          				E0041C3A9( &_v76, _v76 - 1, 1);
                                                                          				E0041C047( &_v60, " *:", 0);
                                                                          				E0041C047( &_v80, " *:", 0);
                                                                          				E0041C047( &_v100, " *:", 0);
                                                                          				 *((char*)(_v112 + 0xb1)) = 1;
                                                                          				_t135 =  *0x47e194; // 0x0
                                                                          				if((_t135 & 0x00000001) == 0) {
                                                                          					ShowWindow(GetDlgItem(_t286, 0xa), 0);
                                                                          					ShowWindow(GetDlgItem(_t286, 0x14), 0);
                                                                          				} else {
                                                                          					if((_t135 & 0x00000002) != 0) {
                                                                          						SetDlgItemTextA(_t286, 0xa, E0041CD1E( &_v12));
                                                                          					}
                                                                          					SetDlgItemTextA(_t286, 0x14, E0041CD1E(0x47e1b8));
                                                                          					if(( *0x47e194 & 0x00000002) != 0) {
                                                                          						 *((char*)(_v40 + 0xb1)) = GetWindowTextLengthA(GetDlgItem(_t286, 0x14)) & 0xffffff00 | _t220 != 0x00000000;
                                                                          					}
                                                                          				}
                                                                          				 *((char*)(_v40 + 0xb2)) = 1;
                                                                          				_t141 =  *0x47e194; // 0x0
                                                                          				if((_t141 & 0x00000004) == 0) {
                                                                          					ShowWindow(GetDlgItem(_t286, 0xb), 0);
                                                                          					ShowWindow(GetDlgItem(_t286, 0x15), 0);
                                                                          					goto L18;
                                                                          				} else {
                                                                          					if((_t141 & 0x00000008) != 0) {
                                                                          						SetDlgItemTextA(_t286, 0xb, E0041CD1E( &_v24));
                                                                          					}
                                                                          					SetDlgItemTextA(_t286, 0x15, E0041CD1E(0x47e1c4));
                                                                          					if(( *0x47e194 & 0x00000008) == 0) {
                                                                          						L18:
                                                                          						_t146 = _v40;
                                                                          						goto L19;
                                                                          					} else {
                                                                          						_t214 = GetWindowTextLengthA(GetDlgItem(_t286, 0x15));
                                                                          						_t146 = _v40;
                                                                          						 *((char*)(_t146 + 0xb2)) = 0x47e100 | _t214 != 0x00000000;
                                                                          						L19:
                                                                          						 *((char*)(_t146 + 0xb3)) = 1;
                                                                          						 *((char*)(_t146 + 0xb4)) = 1;
                                                                          						 *((char*)(_t146 + 0xb5)) = 1;
                                                                          						 *((char*)(_t146 + 0xb6)) = 1;
                                                                          						SendDlgItemMessageA(_t286, 0x17, 0xc5,  *0x47e664, 0);
                                                                          						SendDlgItemMessageA(_t286, 0x18, 0xc5,  *0x47e668, 0);
                                                                          						SendDlgItemMessageA(_t286, 0x19, 0xc5,  *0x47e66c, 0);
                                                                          						_t150 =  *0x47e194; // 0x0
                                                                          						if((_t150 & 0x00000010) == 0) {
                                                                          							ShowWindow(GetDlgItem(_t286, 0xc), 0);
                                                                          							ShowWindow(GetDlgItem(_t286, 0x16), 0);
                                                                          							ShowWindow(GetDlgItem(_t286, 0x17), 0);
                                                                          							ShowWindow(GetDlgItem(_t286, 0x18), 0);
                                                                          							ShowWindow(GetDlgItem(_t286, 0x19), 0);
                                                                          							ShowWindow(GetDlgItem(_t286, 0x1f), 0);
                                                                          							ShowWindow(GetDlgItem(_t286, 0x20), 0);
                                                                          							L40:
                                                                          							_t281 = _v40;
                                                                          							L41:
                                                                          							if( *((char*)(_t281 + 0xb1)) == 0 ||  *((char*)(_t281 + 0xb2)) == 0 ||  *(_t281 + 0xb3) == 0 ||  *((char*)(_t281 + 0xb4)) == 0 ||  *((char*)(_t281 + 0xb5)) == 0 ||  *((char*)(_t281 + 0xb6)) == 0) {
                                                                          								_push(0);
                                                                          							} else {
                                                                          								_push(1);
                                                                          							}
                                                                          							EnableWindow(GetDlgItem(_t286, 1), ??);
                                                                          							 *(_t281 + 0xb0) =  *(_t281 + 0xb0) & 0x00000000;
                                                                          							E0041BEFB( &_v36);
                                                                          							E0041BEFB( &_v24);
                                                                          							E0041BEFB( &_v12);
                                                                          							return 1;
                                                                          						}
                                                                          						if((_t150 & 0x00000020) != 0) {
                                                                          							SetDlgItemTextA(_t286, 0xc, E0041CD1E( &_v36));
                                                                          						}
                                                                          						if(( *0x47e190 & 0x00000080) == 0) {
                                                                          							if( *0x47e1d0 > 0) {
                                                                          								SetDlgItemTextA(_t286, 0x16, E0041CD1E(0x47e1d0));
                                                                          							}
                                                                          							ShowWindow(GetDlgItem(_t286, 0x17), 0);
                                                                          							ShowWindow(GetDlgItem(_t286, 0x18), 0);
                                                                          							ShowWindow(GetDlgItem(_t286, 0x19), 0);
                                                                          							ShowWindow(GetDlgItem(_t286, 0x1f), 0);
                                                                          							_push(0);
                                                                          							_push(0x20);
                                                                          						} else {
                                                                          							_t194 =  *0x47e66c; // 0x4
                                                                          							_t260 =  *0x47e668; // 0x4
                                                                          							_t195 =  *0x47e664; // 0x4
                                                                          							_t304 =  *0x47e1d0 - _t260 + _t194 + _t195 + 2; // 0x0
                                                                          							if(_t304 == 0) {
                                                                          								SetDlgItemTextA(_t286, 0x17, E0041CD1E(E0041CC95(0x47e1d0, 0, _t195)));
                                                                          								_t199 =  *0x47e664; // 0x4
                                                                          								SetDlgItemTextA(_t286, 0x18, E0041CD1E(E0041CC95(0x47e1d0, _t199 + 1,  *0x47e668)));
                                                                          								_t204 =  *0x47e668; // 0x4
                                                                          								_t267 =  *0x47e664; // 0x4
                                                                          								SetDlgItemTextA(_t286, 0x19, E0041CD1E(E0041CC95(0x47e1d0, _t204 + _t267 + 2,  *0x47e66c)));
                                                                          							}
                                                                          							_push(0);
                                                                          							_push(0x16);
                                                                          						}
                                                                          						ShowWindow(GetDlgItem(), _t286);
                                                                          						if(( *0x47e194 & 0x00000020) == 0) {
                                                                          							goto L40;
                                                                          						} else {
                                                                          							if(( *0x47e190 & 0x00000080) != 0) {
                                                                          								if(GetWindowTextLengthA(GetDlgItem(_t286, 0x17)) !=  *0x47e664) {
                                                                          									 *(_v40 + 0xb4) =  *(_v40 + 0xb4) & 0x00000000;
                                                                          								}
                                                                          								if(GetWindowTextLengthA(GetDlgItem(_t286, 0x18)) !=  *0x47e668) {
                                                                          									 *(_v40 + 0xb5) =  *(_v40 + 0xb5) & 0x00000000;
                                                                          								}
                                                                          								if(GetWindowTextLengthA(GetDlgItem(_t286, 0x19)) !=  *0x47e66c) {
                                                                          									 *(_v40 + 0xb6) =  *(_v40 + 0xb6) & 0x00000000;
                                                                          								}
                                                                          								goto L40;
                                                                          							}
                                                                          							_t191 = GetWindowTextLengthA(GetDlgItem(_t286, 0x16));
                                                                          							if(_t191 != 0) {
                                                                          								goto L40;
                                                                          							}
                                                                          							_t281 = _v40;
                                                                          							 *(_t281 + 0xb3) =  *(_t281 + 0xb3) & _t191;
                                                                          							goto L41;
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          			}


































                                                                          0x0040ad70
                                                                          0x0040ad70
                                                                          0x00000000
                                                                          0x0040ad6a
                                                                          0x0040ad03
                                                                          0x0040ad0b
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040ad11
                                                                          0x0040ad15
                                                                          0x00000000
                                                                          0x0040ad15
                                                                          0x0040acee
                                                                          0x0040ab4d

                                                                          APIs
                                                                          • GetDlgItem.USER32 ref: 0040A8ED
                                                                          • EnableWindow.USER32(00000000), ref: 0040A8F0
                                                                          • SetWindowTextA.USER32(?,00000000), ref: 0040A910
                                                                          • SetDlgItemTextA.USER32 ref: 0040A92A
                                                                          • SetDlgItemTextA.USER32 ref: 0040A93A
                                                                          • SetDlgItemTextA.USER32 ref: 0040A94A
                                                                          • SetDlgItemTextA.USER32 ref: 0040A95A
                                                                          • SetDlgItemTextA.USER32 ref: 0040A978
                                                                          • SetDlgItemTextA.USER32 ref: 0040A9D3
                                                                          • SetDlgItemTextA.USER32 ref: 0040A9E2
                                                                          • SetDlgItemTextA.USER32 ref: 0040A9F1
                                                                          • SetDlgItemTextA.USER32 ref: 0040A9FC
                                                                          • SetDlgItemTextA.USER32 ref: 0040AA02
                                                                          • SendDlgItemMessageA.USER32(?,00000014,000000C5,00000103,00000000), ref: 0040AA14
                                                                          • SendDlgItemMessageA.USER32(?,00000015,000000C5,00000103,00000000), ref: 0040AA25
                                                                          • SendDlgItemMessageA.USER32(?,00000016,000000C5,00000103,00000000), ref: 0040AA36
                                                                            • Part of subcall function 0041C3A9: GlobalUnlock.KERNEL32(?,00000000,00000000,00421A09,00000000,00000001,0000005C,00000000,00000000,00000000,0000005C,00000000,00000000,0047E490,0047E788,00000000), ref: 0041C3D8
                                                                            • Part of subcall function 0041C3A9: GlobalReAlloc.KERNEL32 ref: 0041C3E5
                                                                            • Part of subcall function 0041C3A9: GlobalLock.KERNEL32 ref: 0041C406
                                                                            • Part of subcall function 0041C047: lstrlenA.KERNEL32(00000000,00422D86,0047E788,004221EF,103,00000000,00000000,00000000,00000000,0047E788,00000000), ref: 0041C04F
                                                                            • Part of subcall function 0041C047: GlobalUnlock.KERNEL32(8415FF57), ref: 0041C067
                                                                            • Part of subcall function 0041C047: GlobalReAlloc.KERNEL32 ref: 0041C074
                                                                            • Part of subcall function 0041C047: GlobalLock.KERNEL32 ref: 0041C095
                                                                          • SetDlgItemTextA.USER32 ref: 0040AAC3
                                                                          • SetDlgItemTextA.USER32 ref: 0040AAD3
                                                                          • GetDlgItem.USER32 ref: 0040AAE1
                                                                          • GetWindowTextLengthA.USER32(00000000), ref: 0040AAE4
                                                                          • GetDlgItem.USER32 ref: 0040AB00
                                                                          • ShowWindow.USER32(00000000), ref: 0040AB03
                                                                          • GetDlgItem.USER32 ref: 0040AB0A
                                                                          • ShowWindow.USER32(00000000), ref: 0040AB0D
                                                                          • SetDlgItemTextA.USER32 ref: 0040AB34
                                                                          • SetDlgItemTextA.USER32 ref: 0040AB44
                                                                          • GetDlgItem.USER32 ref: 0040AB52
                                                                          • GetWindowTextLengthA.USER32(00000000), ref: 0040AB55
                                                                          • GetDlgItem.USER32 ref: 0040AB71
                                                                          • ShowWindow.USER32(00000000), ref: 0040AB74
                                                                          • GetDlgItem.USER32 ref: 0040AB7B
                                                                          • ShowWindow.USER32(00000000), ref: 0040AB7E
                                                                          • SendDlgItemMessageA.USER32(?,00000017,000000C5,00000000), ref: 0040ABB0
                                                                          • SendDlgItemMessageA.USER32(?,00000018,000000C5,00000000), ref: 0040ABC6
                                                                          • SendDlgItemMessageA.USER32(?,00000019,000000C5,00000000), ref: 0040ABDC
                                                                          • SetDlgItemTextA.USER32 ref: 0040AC00
                                                                          • SetDlgItemTextA.USER32 ref: 0040AC45
                                                                          • SetDlgItemTextA.USER32 ref: 0040AC69
                                                                          • SetDlgItemTextA.USER32 ref: 0040AC96
                                                                          • SetDlgItemTextA.USER32 ref: 0040ACB5
                                                                          • GetDlgItem.USER32 ref: 0040ACBC
                                                                          • ShowWindow.USER32(00000000), ref: 0040ACBF
                                                                          • GetDlgItem.USER32 ref: 0040ACC7
                                                                          • ShowWindow.USER32(00000000), ref: 0040ACCA
                                                                          • GetDlgItem.USER32 ref: 0040ACD0
                                                                          • ShowWindow.USER32(00000000), ref: 0040ACD3
                                                                          • GetDlgItem.USER32 ref: 0040ACD9
                                                                          • ShowWindow.USER32(00000000), ref: 0040ACDC
                                                                          • GetDlgItem.USER32 ref: 0040ACE2
                                                                          • ShowWindow.USER32(00000000), ref: 0040ACE5
                                                                          • GetDlgItem.USER32 ref: 0040AD00
                                                                          • GetWindowTextLengthA.USER32(00000000), ref: 0040AD03
                                                                          • GetDlgItem.USER32 ref: 0040AD23
                                                                          • GetWindowTextLengthA.USER32(00000000), ref: 0040AD2C
                                                                          • GetDlgItem.USER32 ref: 0040AD44
                                                                          • GetWindowTextLengthA.USER32(00000000), ref: 0040AD47
                                                                          • GetDlgItem.USER32 ref: 0040AD5F
                                                                          • GetWindowTextLengthA.USER32(00000000), ref: 0040AD62
                                                                          • GetDlgItem.USER32 ref: 0040AD7F
                                                                          • ShowWindow.USER32(00000000), ref: 0040AD82
                                                                          • GetDlgItem.USER32 ref: 0040AD88
                                                                          • ShowWindow.USER32(00000000), ref: 0040AD8B
                                                                          • GetDlgItem.USER32 ref: 0040AD91
                                                                          • ShowWindow.USER32(00000000), ref: 0040AD94
                                                                          • GetDlgItem.USER32 ref: 0040AD9A
                                                                          • ShowWindow.USER32(00000000), ref: 0040AD9D
                                                                          • GetDlgItem.USER32 ref: 0040ADA3
                                                                          • ShowWindow.USER32(00000000), ref: 0040ADA6
                                                                          • GetDlgItem.USER32 ref: 0040ADAC
                                                                          • ShowWindow.USER32(00000000), ref: 0040ADAF
                                                                          • GetDlgItem.USER32 ref: 0040ADB5
                                                                          • ShowWindow.USER32(00000000), ref: 0040ADB8
                                                                          • GetDlgItem.USER32 ref: 0040ADFE
                                                                          • EnableWindow.USER32(00000000), ref: 0040AE01
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Item$Text$Window$Show$Global$LengthMessageSend$AllocLockUnlock$Enable$lstrlen
                                                                          • String ID: *:$PG
                                                                          • API String ID: 4025793253-1572763361
                                                                          • Opcode ID: c2233555d261a09f4db66d793c1b20fb3d5c75a06fb9833033005f03d8b724d8
                                                                          • Instruction ID: 4ebb24ae434b6306264965b08b50a1bab40d74009ba8edf4197c7e526d008c02
                                                                          • Opcode Fuzzy Hash: c2233555d261a09f4db66d793c1b20fb3d5c75a06fb9833033005f03d8b724d8
                                                                          • Instruction Fuzzy Hash: 58E1F430244344BAE221E7328C5AFEF3A5DDF49748F00056DF6446A1D2CBBD9986C66F
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 33%
                                                                          			E0040906D(void* __edi, struct HWND__* _a4) {
                                                                          				signed int _v8;
                                                                          				int _v12;
                                                                          				char _v24;
                                                                          				signed int _v28;
                                                                          				intOrPtr _v32;
                                                                          				intOrPtr _v36;
                                                                          				void _v135;
                                                                          				signed char _v136;
                                                                          				_Unknown_base(*)()* _t64;
                                                                          				long _t68;
                                                                          				signed int _t71;
                                                                          				void* _t83;
                                                                          				signed int _t90;
                                                                          				long _t99;
                                                                          				CHAR* _t102;
                                                                          				void* _t110;
                                                                          				signed int _t115;
                                                                          				void* _t133;
                                                                          				intOrPtr _t137;
                                                                          				struct HWND__* _t139;
                                                                          				void* _t143;
                                                                          
                                                                          				_t133 = __edi;
                                                                          				if( *0x42bf98 <= 0) {
                                                                          					EnableWindow(GetDlgItem(_a4, 3), 0);
                                                                          				}
                                                                          				if(E00419E8A() == 0) {
                                                                          					_t139 = _a4;
                                                                          				} else {
                                                                          					_t102 = E0041CD1E(0x47e8c4);
                                                                          					_t139 = _a4;
                                                                          					SetDlgItemTextA(_t139, 1, _t102);
                                                                          				}
                                                                          				_t110 = 0x47e850;
                                                                          				if(( *0x47e193 & 0x00000002) == 0) {
                                                                          					_t110 = 0x47e5d4;
                                                                          				}
                                                                          				SetWindowTextA(_t139, E0041CD1E(_t110));
                                                                          				_push(_t133);
                                                                          				SetDlgItemTextA(_t139, 0x1e, E0041CD1E(0x47e5e0));
                                                                          				SetDlgItemTextA(_t139, 1, "&Next >>");
                                                                          				SetDlgItemTextA(_t139, 3, "<< &Back");
                                                                          				SetDlgItemTextA(_t139, 2, "&Cancel");
                                                                          				_v36 = E0041C8FD(0x47e2f0, 0x9c);
                                                                          				_v12 = E0041C8FD(0x47e2f0, 0xa0);
                                                                          				_v32 = E0041C8FD(0x47e2f0, 0xa4);
                                                                          				_t64 = GetProcAddress(LoadLibraryA("KERNEL32.DLL"), "GetUserDefaultUILanguage");
                                                                          				if(_t64 == 0) {
                                                                          					_v136 = _v136 & 0x00000000;
                                                                          					_t115 = 0x18;
                                                                          					memset( &_v135, 0, _t115 << 2);
                                                                          					asm("stosw");
                                                                          					__eflags =  *0x47e19c; // 0x1
                                                                          					_v28 = 0x64;
                                                                          					asm("stosb");
                                                                          					_v8 = 0;
                                                                          					_push( &_v8);
                                                                          					_push(0x20019);
                                                                          					_push(0);
                                                                          					if(__eflags == 0) {
                                                                          						_t68 = RegOpenKeyExA(0x80000001, "Control Panel\\desktop\\ResourceLocale", ??, ??, ??);
                                                                          						__eflags = _t68;
                                                                          						if(_t68 != 0) {
                                                                          							L15:
                                                                          							RegCloseKey(_v8);
                                                                          							_t71 = E0041D911( &_v136);
                                                                          							goto L16;
                                                                          						}
                                                                          						_push( &_v28);
                                                                          						_push( &_v136);
                                                                          						_push(0);
                                                                          						_push(0);
                                                                          						_push(0x42e0c8);
                                                                          						L14:
                                                                          						RegQueryValueExA(_v8, ??, ??, ??, ??, ??);
                                                                          						goto L15;
                                                                          					}
                                                                          					_t99 = RegOpenKeyExA(0x80000003, ".DEFAULT\\Control Panel\\International", ??, ??, ??);
                                                                          					__eflags = _t99;
                                                                          					if(_t99 != 0) {
                                                                          						goto L15;
                                                                          					}
                                                                          					_push( &_v28);
                                                                          					_push( &_v136);
                                                                          					_push(0);
                                                                          					_push(0);
                                                                          					_push("Locale");
                                                                          					goto L14;
                                                                          				} else {
                                                                          					_t71 =  *_t64();
                                                                          					L16:
                                                                          					_v28 = _t71 & 0x000003ff;
                                                                          					E0041BDC5( &_v24);
                                                                          					_v8 = _v8 & 0x00000000;
                                                                          					if(_v36 <= 0) {
                                                                          						L56:
                                                                          						SendDlgItemMessageA(_a4, 0xa, 0x186, _v12, 0);
                                                                          						if( *0x47e114 != 0) {
                                                                          							SetDlgItemTextA(_a4, 0x41f, E0041CD1E(0x47df68));
                                                                          							E0040EFE7();
                                                                          						}
                                                                          						E0041BEFB( &_v24);
                                                                          						return 1;
                                                                          					} else {
                                                                          						goto L17;
                                                                          					}
                                                                          					do {
                                                                          						L17:
                                                                          						if(E0041CAC5( &_v24, E0041CD1E(0x47e6c8), _v32, 8) < 0) {
                                                                          							E0041D881("Unknown error");
                                                                          						}
                                                                          						_t143 = E0041C8FD( &_v24, 0);
                                                                          						_t83 = E0041C8FD( &_v24, 4);
                                                                          						_t137 = _v32;
                                                                          						if(E0041CAC5( &_v24, E0041CD1E(0x47e6c8), _t137 + 8, _t83) < 0) {
                                                                          							E0041D881("Unknown error");
                                                                          						}
                                                                          						SendDlgItemMessageA(_a4, 0xa, 0x180, 0, E0041CD1E( &_v24));
                                                                          						_v32 = _t137 + _t143 + 4;
                                                                          						_t90 = _v28;
                                                                          						if(_t90 != 0xb) {
                                                                          							__eflags = _t90 - 9;
                                                                          							if(_t90 != 9) {
                                                                          								__eflags = _t90 - 0xa;
                                                                          								if(_t90 != 0xa) {
                                                                          									__eflags = _t90 - 0x13;
                                                                          									if(_t90 != 0x13) {
                                                                          										__eflags = _t90 - 0xc;
                                                                          										if(_t90 != 0xc) {
                                                                          											__eflags = _t90 - 7;
                                                                          											if(_t90 != 7) {
                                                                          												__eflags = _t90 - 8;
                                                                          												if(_t90 != 8) {
                                                                          													__eflags = _t90 - 0xe;
                                                                          													if(_t90 != 0xe) {
                                                                          														__eflags = _t90 - 0x10;
                                                                          														if(_t90 != 0x10) {
                                                                          															__eflags = _t90 - 0x15;
                                                                          															if(_t90 != 0x15) {
                                                                          																__eflags = _t90 - 0x16;
                                                                          																if(_t90 != 0x16) {
                                                                          																	__eflags = _t90 - 0x19;
                                                                          																	if(_t90 != 0x19) {
                                                                          																		__eflags = _t90 - 0x1a;
                                                                          																		if(_t90 != 0x1a) {
                                                                          																			__eflags = _t90 - 0x1d;
                                                                          																			if(_t90 != 0x1d) {
                                                                          																				__eflags = _t90 - 0x1f;
                                                                          																				if(_t90 != 0x1f) {
                                                                          																					__eflags = _t90 - 0x22;
                                                                          																					if(_t90 != 0x22) {
                                                                          																						goto L55;
                                                                          																					}
                                                                          																					_push(0);
                                                                          																					_push(0);
                                                                          																					_push("Ukrainian");
                                                                          																					goto L53;
                                                                          																				}
                                                                          																				_push(0);
                                                                          																				_push(0);
                                                                          																				_push("Turkish");
                                                                          																				goto L53;
                                                                          																			}
                                                                          																			_push(0);
                                                                          																			_push(0);
                                                                          																			_push("Swedish");
                                                                          																			goto L53;
                                                                          																		}
                                                                          																		_push(0);
                                                                          																		_push(0);
                                                                          																		_push("Serbian");
                                                                          																		goto L53;
                                                                          																	}
                                                                          																	_push(0);
                                                                          																	_push(0);
                                                                          																	_push("Russian");
                                                                          																	goto L53;
                                                                          																}
                                                                          																_push(0);
                                                                          																_push(0);
                                                                          																_push("Portuguese");
                                                                          																goto L53;
                                                                          															}
                                                                          															_push(0);
                                                                          															_push(0);
                                                                          															_push("Polish");
                                                                          															goto L53;
                                                                          														}
                                                                          														_push(0);
                                                                          														_push(0);
                                                                          														_push("Italian");
                                                                          														goto L53;
                                                                          													}
                                                                          													_push(0);
                                                                          													_push(0);
                                                                          													_push("Hungarian");
                                                                          													goto L53;
                                                                          												}
                                                                          												_push(0);
                                                                          												_push(0);
                                                                          												_push("Greek");
                                                                          												goto L53;
                                                                          											}
                                                                          											_push(0);
                                                                          											_push(0);
                                                                          											_push("German");
                                                                          											goto L53;
                                                                          										}
                                                                          										_push(0);
                                                                          										_push(0);
                                                                          										_push("French");
                                                                          										goto L53;
                                                                          									}
                                                                          									_push(0);
                                                                          									_push(0);
                                                                          									_push("Dutch");
                                                                          									goto L53;
                                                                          								}
                                                                          								_push(0);
                                                                          								_push(0);
                                                                          								_push("Spanish");
                                                                          								goto L53;
                                                                          							}
                                                                          							_push(0);
                                                                          							_push(0);
                                                                          							_push("English");
                                                                          							goto L53;
                                                                          						} else {
                                                                          							_push(0);
                                                                          							_push(0);
                                                                          							_push("Finnish");
                                                                          							L53:
                                                                          							if(E0041C6D0( &_v24) != 0xffffffff) {
                                                                          								_v12 = _v8;
                                                                          							}
                                                                          						}
                                                                          						L55:
                                                                          						_v8 = _v8 + 1;
                                                                          					} while (_v8 < _v36);
                                                                          					goto L56;
                                                                          				}
                                                                          			}

                                                                          APIs
                                                                          • GetDlgItem.USER32 ref: 00409086
                                                                          • EnableWindow.USER32(00000000), ref: 0040908D
                                                                          • SetDlgItemTextA.USER32 ref: 004090BA
                                                                          • SetWindowTextA.USER32(?,00000000), ref: 004090DB
                                                                          • SetDlgItemTextA.USER32 ref: 004090F0
                                                                          • SetDlgItemTextA.USER32 ref: 004090FA
                                                                          • SetDlgItemTextA.USER32 ref: 00409104
                                                                          • SetDlgItemTextA.USER32 ref: 0040910E
                                                                          • LoadLibraryA.KERNEL32(KERNEL32.DLL,000000A4,000000A0,0000009C), ref: 00409147
                                                                          • GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 00409153
                                                                          • RegOpenKeyExA.ADVAPI32(80000003,.DEFAULT\Control Panel\International,00000000,00020019,?), ref: 004091A3
                                                                          • RegOpenKeyExA.ADVAPI32(80000001,Control Panel\desktop\ResourceLocale,00000000,00020019,?), ref: 004091CB
                                                                          • RegQueryValueExA.ADVAPI32(?,0042E0C8,00000000,00000000,00000000,00000064), ref: 004091EA
                                                                          • RegCloseKey.ADVAPI32(?), ref: 004091F3
                                                                          • SendDlgItemMessageA.USER32(?,0000000A,00000180,00000000,00000000), ref: 004092A0
                                                                          • SendDlgItemMessageA.USER32(?,0000000A,00000186,?,00000000), ref: 00409407
                                                                          • SetDlgItemTextA.USER32 ref: 0040942A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Item$Text$MessageOpenSendWindow$AddressCloseEnableLibraryLoadProcQueryValue
                                                                          • String ID: &Cancel$&Next >>$.DEFAULT\Control Panel\International$<< &Back$Control Panel\desktop\ResourceLocale$Dutch$English$Finnish$French$German$GetUserDefaultUILanguage$Greek$Hungarian$Italian$KERNEL32.DLL$Locale$Polish$Portuguese$PG$Russian$Serbian$Spanish$Swedish$Turkish$Ukrainian$Unknown error$d$G
                                                                          • API String ID: 197437431-3923757053
                                                                          • Opcode ID: 932b0a1320e2d8e500f9c6d51e8da7430af6cd8b5ecf0549b4374da9cdf5794b
                                                                          • Instruction ID: bb1e0e259d96a11ac7e4365f6f5e7a16268a53fcd0579c9adc81d8e9e1168d7a
                                                                          • Opcode Fuzzy Hash: 932b0a1320e2d8e500f9c6d51e8da7430af6cd8b5ecf0549b4374da9cdf5794b
                                                                          • Instruction Fuzzy Hash: ACA18830B81319B6EB20A651DC57FEE7764EB04B04FA0407BBA01B51D2DBBC6D429B5E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 86%
                                                                          			E0040D42A(void* __ebx, char __ecx, void* __ebp, struct HWND__* _a4) {
                                                                          				char _v12;
                                                                          				char _v16;
                                                                          				signed int _t35;
                                                                          				CHAR* _t36;
                                                                          				signed char _t65;
                                                                          				signed char _t66;
                                                                          				signed int _t68;
                                                                          				void* _t74;
                                                                          				void* _t97;
                                                                          				struct HWND__* _t99;
                                                                          				void* _t102;
                                                                          				void* _t105;
                                                                          				struct HWND__* _t126;
                                                                          				void* _t128;
                                                                          
                                                                          				_t128 = __ebp;
                                                                          				_t97 = __ebx;
                                                                          				_t35 =  *0x47e190; // 0x2080c08
                                                                          				_v16 = __ecx;
                                                                          				if( *0x47e6b0 > 0) {
                                                                          					_t35 = _t35 & 0xf7fffff3 | 0x00000002;
                                                                          					 *0x47e190 = _t35;
                                                                          				}
                                                                          				_t102 = 0x47e850;
                                                                          				if((_t35 & 0x02000000) == 0) {
                                                                          					_t102 = 0x47ef60;
                                                                          				}
                                                                          				_t36 = E0041CD1E(_t102);
                                                                          				_t126 = _a4;
                                                                          				SetWindowTextA(_t126, _t36);
                                                                          				E0041BDC5( &_v12);
                                                                          				if(( *0x47e18c & 0x00000040) == 0) {
                                                                          					_push(E0041CD1E(0x47e350));
                                                                          					_t105 = 0x47ef78;
                                                                          				} else {
                                                                          					_push(E0041CD1E(0x47e350));
                                                                          					_t105 = 0x47ef84;
                                                                          				}
                                                                          				E0041C467( &_v12, E0041CD1E(_t105));
                                                                          				SetDlgItemTextA(_t126, 0xa, E0041CD1E( &_v12));
                                                                          				SetDlgItemTextA(_t126, 3, E0041CD1E(0x47e8a0));
                                                                          				SetDlgItemTextA(_t126, 1, E0041CD1E(0x47e8d0));
                                                                          				SetDlgItemTextA(_t126, 2, E0041CD1E(0x47e8b8));
                                                                          				if(E00419E6A() != 0) {
                                                                          					SetDlgItemTextA(_t126, 1, E0041CD1E(0x47ef6c));
                                                                          				}
                                                                          				_push(_t97);
                                                                          				_push(_t128);
                                                                          				SetDlgItemTextA(_t126, 0xb, E0041CD1E(0x47ef90));
                                                                          				SetDlgItemTextA(_t126, 0x14, E0041CD1E(0x47ef9c));
                                                                          				SetDlgItemTextA(_t126, 0x15, E0041CD1E(0x47efa8));
                                                                          				SetDlgItemTextA(_t126, 0x16, E0041CD1E(0x47efb4));
                                                                          				SetDlgItemTextA(_t126, 0x17, E0041CD1E(0x47efc0));
                                                                          				SetDlgItemTextA(_t126, 0xc, E0041CD1E(0x47efcc));
                                                                          				_push(0);
                                                                          				if(( *0x47e190 & 0x00000002) != 0) {
                                                                          					SendDlgItemMessageA(_t126, 0x14, 0xf1, 1, ??);
                                                                          					if(( *0x47e192 & 0x00000010) != 0) {
                                                                          						EnableWindow(GetDlgItem(_t126, 0x15), 0);
                                                                          					}
                                                                          				} else {
                                                                          					ShowWindow(GetDlgItem(_t126, 0xb), ??);
                                                                          					ShowWindow(GetDlgItem(_t126, 0x14), 0);
                                                                          					ShowWindow(GetDlgItem(_t126, 0x15), 0);
                                                                          				}
                                                                          				_t65 =  *0x47e190; // 0x2080c08
                                                                          				if((_t65 & 0x00000008) != 0) {
                                                                          					if((_t65 & 0x00000040) != 0) {
                                                                          						SendDlgItemMessageA(_t126, 0x16, 0xf1, 1, 0);
                                                                          					}
                                                                          				} else {
                                                                          					ShowWindow(GetDlgItem(_t126, 0x16), 0);
                                                                          				}
                                                                          				_t66 =  *0x47e190; // 0x2080c08
                                                                          				if((_t66 & 0x00000004) != 0) {
                                                                          					if((_t66 & 0x00000080) != 0) {
                                                                          						SendDlgItemMessageA(_t126, 0x17, 0xf1, 1, 0);
                                                                          					}
                                                                          				} else {
                                                                          					ShowWindow(GetDlgItem(_t126, 0x17), 0);
                                                                          				}
                                                                          				if(( *0x47e193 & 0x00000008) != 0) {
                                                                          					_t99 = 0;
                                                                          					SendDlgItemMessageA(_t126, 0x46, 0xf1, 1, 0);
                                                                          				} else {
                                                                          					ShowWindow(GetDlgItem(_t126, 0x46), 0);
                                                                          					_t99 = 0;
                                                                          				}
                                                                          				_t68 =  *0x47e190; // 0x2080c08
                                                                          				if((_t68 & 0x00000008) != 0 || (_t68 & 0x08000000) == 0) {
                                                                          					if((_t68 & 0x00000004) != 0 || (_t68 & 0x08000000) == 0) {
                                                                          						goto L32;
                                                                          					} else {
                                                                          						_push(0x17);
                                                                          						goto L30;
                                                                          					}
                                                                          				} else {
                                                                          					_push(0x16);
                                                                          					L30:
                                                                          					_t74 = E0040710F(_v16);
                                                                          					if(_t74 != _t99) {
                                                                          						SetWindowPos(GetDlgItem(_t126, 0x46), _t99,  *(_t74 + 0x14),  *(_t74 + 0x18), _t99, _t99, 0x215);
                                                                          					}
                                                                          					L32:
                                                                          					if( *0x47e114 != 0) {
                                                                          						SetDlgItemTextA(_t126, 0x41f, E0041CD1E(0x47df68));
                                                                          						E0040EFE7();
                                                                          					}
                                                                          					E0041BEFB( &_v12);
                                                                          					return 1;
                                                                          				}
                                                                          			}


















                                                                          APIs
                                                                          • SetWindowTextA.USER32(?,00000000), ref: 0040D469
                                                                          • SetDlgItemTextA.USER32 ref: 0040D4C4
                                                                          • SetDlgItemTextA.USER32 ref: 0040D4D4
                                                                          • SetDlgItemTextA.USER32 ref: 0040D4E4
                                                                          • SetDlgItemTextA.USER32 ref: 0040D4F4
                                                                          • SetDlgItemTextA.USER32 ref: 0040D512
                                                                          • SetDlgItemTextA.USER32 ref: 0040D524
                                                                          • SetDlgItemTextA.USER32 ref: 0040D534
                                                                          • SetDlgItemTextA.USER32 ref: 0040D544
                                                                          • SetDlgItemTextA.USER32 ref: 0040D554
                                                                          • SetDlgItemTextA.USER32 ref: 0040D564
                                                                          • SetDlgItemTextA.USER32 ref: 0040D574
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          • GetDlgItem.USER32 ref: 0040D590
                                                                          • ShowWindow.USER32(00000000), ref: 0040D593
                                                                          • GetDlgItem.USER32 ref: 0040D59A
                                                                          • ShowWindow.USER32(00000000), ref: 0040D59D
                                                                          • GetDlgItem.USER32 ref: 0040D5A4
                                                                          • ShowWindow.USER32(00000000), ref: 0040D5A7
                                                                          • SendDlgItemMessageA.USER32(?,00000014,000000F1,00000001,00000000), ref: 0040D5B5
                                                                          • GetDlgItem.USER32 ref: 0040D5C9
                                                                          • EnableWindow.USER32(00000000), ref: 0040D5CC
                                                                          • GetDlgItem.USER32 ref: 0040D5E0
                                                                          • ShowWindow.USER32(00000000), ref: 0040D5E3
                                                                          • SendDlgItemMessageA.USER32(?,00000016,000000F1,00000001,00000000), ref: 0040D5F8
                                                                          • GetDlgItem.USER32 ref: 0040D60C
                                                                          • ShowWindow.USER32(00000000), ref: 0040D60F
                                                                          • SendDlgItemMessageA.USER32(?,00000017,000000F1,00000001,00000000), ref: 0040D624
                                                                          • GetDlgItem.USER32 ref: 0040D638
                                                                          • ShowWindow.USER32(00000000), ref: 0040D63B
                                                                          • SendDlgItemMessageA.USER32(?,00000046,000000F1,00000001,00000000), ref: 0040D64E
                                                                          • GetDlgItem.USER32 ref: 0040D693
                                                                          • SetWindowPos.USER32(00000000), ref: 0040D696
                                                                          • SetDlgItemTextA.USER32 ref: 0040D6B8
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Item$Text$Window$Show$MessageSend$Global$AllocEnableLockUnlock
                                                                          • String ID: PG$PG$`G$lG$xG
                                                                          • API String ID: 3032138065-1923768288
                                                                          • Opcode ID: 05dfcc1085d6eedecaa10e0d44eb7dceb23ed1d2773465519599df6e1f284045
                                                                          • Instruction ID: 49fdebd98fac3304353a2dd6f13cbc95544f1438b6f99baf14de67e434ed9392
                                                                          • Opcode Fuzzy Hash: 05dfcc1085d6eedecaa10e0d44eb7dceb23ed1d2773465519599df6e1f284045
                                                                          • Instruction Fuzzy Hash: 2C61D2706802087AE63077625C47FFF264D9F45B48F10457AF7097A1D2CFBE4846956E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 87%
                                                                          			E0040F6CB(int _a4, int _a8, int _a12, int _a16, struct HDC__* _a20, struct HDC__* _a24, struct HDC__* _a28) {
                                                                          				struct HDC__* _v8;
                                                                          				struct HBITMAP__* _v12;
                                                                          				struct HBITMAP__* _v16;
                                                                          				void* _v20;
                                                                          				void* _v24;
                                                                          				int _v28;
                                                                          				void* _t96;
                                                                          				void* _t101;
                                                                          				struct HBITMAP__* _t113;
                                                                          				struct HDC__* _t149;
                                                                          				void* _t156;
                                                                          
                                                                          				_t149 = CreateCompatibleDC( *0x47e184);
                                                                          				_v8 = _t149;
                                                                          				_t96 = CreateCompatibleBitmap( *0x47e184, _a12, _a16);
                                                                          				_v24 = _t96;
                                                                          				if(_t149 == 0 || _t96 == 0) {
                                                                          					E00424DCE(_a28->i);
                                                                          					DeleteDC(_t149);
                                                                          					DeleteObject(_v24);
                                                                          					_push(0xfffffff0);
                                                                          					goto L19;
                                                                          				} else {
                                                                          					if(SelectObject(_t149, _t96) != 0) {
                                                                          						_v28 = StretchDIBits(_v8, 0, 0, _a12, _a16, 0, 0,  *(_a20 + 4),  *(_a20 + 8), _a24, _a20, 0, 0xcc0020);
                                                                          						E00424DCE(_a28->i);
                                                                          						_a28->i = 0;
                                                                          						_a20 = CreateCompatibleDC( *0x47e184);
                                                                          						_v12 = CreateBitmap(_a12, _a16, 1, 1, 0);
                                                                          						_a24 = CreateCompatibleDC(_v8);
                                                                          						_v16 = CreateCompatibleBitmap(_v8, _a12, _a16);
                                                                          						_a28 = CreateCompatibleDC( *0x47e184);
                                                                          						_t113 = CreateCompatibleBitmap( *0x47e184, _a12, _a16);
                                                                          						_v20 = _t113;
                                                                          						if(_a20 == 0 || _a24 == 0 || _v12 == 0 || _v16 == 0 || _a28 == 0 || _t113 == 0 || _v28 == 0xffffffff) {
                                                                          							DeleteDC(_v8);
                                                                          							DeleteDC(_a20);
                                                                          							DeleteDC(_a24);
                                                                          							DeleteDC(_a28);
                                                                          							DeleteObject(_v24);
                                                                          							DeleteObject(_v12);
                                                                          							DeleteObject(_v16);
                                                                          							DeleteObject(_v20);
                                                                          							return (0 | _v28 != 0xffffffff) + 0xffffffed;
                                                                          						} else {
                                                                          							if(SelectObject(_a20, _v12) == 0 || SelectObject(_a24, _v16) == 0 || SelectObject(_a28, _v20) == 0) {
                                                                          								_push(0xffffffec);
                                                                          							} else {
                                                                          								SetBkColor(_v8, 0);
                                                                          								BitBlt(_a20, 0, 0, _a12, _a16, _v8, 0, 0, 0xcc0020);
                                                                          								BitBlt(_a24, 0, 0, _a12, _a16, _v8, 0, 0, 0xcc0020);
                                                                          								BitBlt(_a24, 0, 0, _a12, _a16, _a20, 0, 0, 0x220326);
                                                                          								BitBlt(_a28, 0, 0, _a12, _a16,  *0x47e184, _a4, _a8, 0xcc0020);
                                                                          								BitBlt(_a28, 0, 0, _a12, _a16, _a20, 0, 0, 0x8800c6);
                                                                          								BitBlt(_a28, 0, 0, _a12, _a16, _a24, 0, 0, 0xee0086);
                                                                          								BitBlt( *0x47e184, _a4, _a8, _a12, _a16, _a28, 0, 0, 0xcc0020);
                                                                          								_push(1);
                                                                          							}
                                                                          							_pop(_t156);
                                                                          							DeleteDC(_v8);
                                                                          							DeleteDC(_a20);
                                                                          							DeleteDC(_a24);
                                                                          							DeleteDC(_a28);
                                                                          							DeleteObject(_v24);
                                                                          							DeleteObject(_v12);
                                                                          							DeleteObject(_v16);
                                                                          							DeleteObject(_v20);
                                                                          							return _t156;
                                                                          						}
                                                                          					}
                                                                          					E00424DCE( *_a28);
                                                                          					DeleteDC(_t149);
                                                                          					DeleteObject(_v24);
                                                                          					_push(0xffffffef);
                                                                          					L19:
                                                                          					_pop(_t101);
                                                                          					return _t101;
                                                                          				}
                                                                          			}















                                                                          APIs
                                                                          • CreateCompatibleDC.GDI32(00CC0020), ref: 0040F6E0
                                                                          • CreateCompatibleBitmap.GDI32(?,?), ref: 0040F6F3
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 0040F710
                                                                          • DeleteDC.GDI32(00000000), ref: 0040F726
                                                                          • DeleteObject.GDI32(?), ref: 0040F72F
                                                                          • StretchDIBits.GDI32(00CC0020,00000000,00000000,?,?,00000000,00000000,?,?,?,?,00000000,00CC0020), ref: 0040F75D
                                                                          • CreateCompatibleDC.GDI32 ref: 0040F77C
                                                                          • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0040F78C
                                                                          • CreateCompatibleDC.GDI32(?), ref: 0040F798
                                                                          • CreateCompatibleBitmap.GDI32(?,?,?), ref: 0040F7A6
                                                                          • CreateCompatibleDC.GDI32 ref: 0040F7B5
                                                                          • CreateCompatibleBitmap.GDI32(?,?), ref: 0040F7C6
                                                                          • SelectObject.GDI32(000000FF,?), ref: 0040F81A
                                                                          • SelectObject.GDI32(?,?), ref: 0040F82A
                                                                          • SelectObject.GDI32(?,?), ref: 0040F83A
                                                                          • SetBkColor.GDI32(?,00000000), ref: 0040F848
                                                                          • BitBlt.GDI32(000000FF,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0040F865
                                                                          • DeleteDC.GDI32(00000000), ref: 0040F980
                                                                          • DeleteObject.GDI32(?), ref: 0040F989
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Create$Compatible$Object$BitmapDeleteSelect$BitsColorStretch
                                                                          • String ID:
                                                                          • API String ID: 2205707287-0
                                                                          • Opcode ID: c67d60daae90353adcdfeae3e4c12f8c60b2230a5a186e30fd6dfb6ac8044501
                                                                          • Instruction ID: 4482fd01da12e19a8ba615bb7988d16a4b5e2bf5455e3b8baba2561fa1554ba7
                                                                          • Opcode Fuzzy Hash: c67d60daae90353adcdfeae3e4c12f8c60b2230a5a186e30fd6dfb6ac8044501
                                                                          • Instruction Fuzzy Hash: B991E272901129FFCF229FA2DC08D9F7F76FF08360B154125BA1861170CA368961EFA5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 89%
                                                                          			E0040A208(void* __ecx) {
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				unsigned int _t77;
                                                                          				unsigned int _t78;
                                                                          				signed int _t79;
                                                                          				signed int _t83;
                                                                          				int _t89;
                                                                          				signed int _t90;
                                                                          				signed int _t97;
                                                                          				int _t100;
                                                                          				signed int _t101;
                                                                          				signed int _t104;
                                                                          				signed int _t110;
                                                                          				signed int _t113;
                                                                          				signed int _t114;
                                                                          				int _t117;
                                                                          				signed int _t119;
                                                                          				signed int _t122;
                                                                          				signed int _t127;
                                                                          				unsigned int _t132;
                                                                          				void* _t136;
                                                                          				void* _t138;
                                                                          				signed int _t157;
                                                                          				int _t160;
                                                                          				signed int _t163;
                                                                          				void* _t199;
                                                                          				signed int _t201;
                                                                          				signed int _t202;
                                                                          				signed int _t203;
                                                                          				signed int _t204;
                                                                          				signed int _t208;
                                                                          				signed int _t211;
                                                                          				signed int _t212;
                                                                          				void* _t214;
                                                                          
                                                                          				_t199 = __ecx;
                                                                          				if( *((intOrPtr*)(__ecx + 0xb0)) != 0) {
                                                                          					L3:
                                                                          					return 0;
                                                                          				}
                                                                          				_t77 =  *(_t214 + 0x20);
                                                                          				_t201 = _t77 & 0x0000ffff;
                                                                          				_t78 = _t77 >> 0x10;
                                                                          				if(_t78 == 0 || _t78 == 0x300) {
                                                                          					__eflags = _t201 - 2;
                                                                          					if(_t201 != 2) {
                                                                          						L6:
                                                                          						__eflags = _t201 - 0x15;
                                                                          						if(__eflags > 0) {
                                                                          							_t202 = _t201 - 0x16;
                                                                          							__eflags = _t202;
                                                                          							if(_t202 == 0) {
                                                                          								_t79 =  *0x47e194; // 0x0
                                                                          								__eflags = (_t79 & 0x00000030) - 0x30;
                                                                          								if((_t79 & 0x00000030) != 0x30) {
                                                                          									L91:
                                                                          									return 1;
                                                                          								}
                                                                          								 *(_t199 + 0xb3) = 1;
                                                                          								_t83 = GetWindowTextLengthA(GetDlgItem( *(_t199 + 4), 0x16));
                                                                          								__eflags = _t83;
                                                                          								if(_t83 != 0) {
                                                                          									__eflags =  *(_t199 + 0xb2);
                                                                          									if( *(_t199 + 0xb2) == 0) {
                                                                          										goto L91;
                                                                          									}
                                                                          									__eflags =  *(_t199 + 0xb1);
                                                                          									L88:
                                                                          									if(__eflags == 0) {
                                                                          										goto L91;
                                                                          									}
                                                                          									_push(1);
                                                                          									L90:
                                                                          									EnableWindow(GetDlgItem( *(_t199 + 4), 1), ??);
                                                                          									goto L91;
                                                                          								}
                                                                          								EnableWindow(GetDlgItem( *(_t199 + 4), 1), 0);
                                                                          								 *(_t199 + 0xb3) = 0;
                                                                          								goto L91;
                                                                          							}
                                                                          							_t203 = _t202 - 1;
                                                                          							__eflags = _t203;
                                                                          							if(_t203 == 0) {
                                                                          								 *(_t199 + 0xb4) = 0;
                                                                          								_t89 = GetWindowTextLengthA(GetDlgItem( *(_t199 + 4), 0x17));
                                                                          								__eflags = _t89 -  *0x47e664;
                                                                          								_t90 =  *0x47e194; // 0x0
                                                                          								if(_t89 !=  *0x47e664) {
                                                                          									__eflags = (_t90 & 0x00000030) - 0x30;
                                                                          									if((_t90 & 0x00000030) != 0x30) {
                                                                          										goto L91;
                                                                          									}
                                                                          									L82:
                                                                          									_push(0);
                                                                          									goto L90;
                                                                          								}
                                                                          								__eflags = (_t90 & 0x00000030) - 0x30;
                                                                          								if((_t90 & 0x00000030) != 0x30) {
                                                                          									L79:
                                                                          									_push(0x18);
                                                                          									L80:
                                                                          									SetFocus(GetDlgItem( *(_t199 + 4), ??));
                                                                          									goto L91;
                                                                          								}
                                                                          								__eflags =  *(_t199 + 0xb2);
                                                                          								 *(_t199 + 0xb4) = 1;
                                                                          								if( *(_t199 + 0xb2) == 0) {
                                                                          									goto L79;
                                                                          								}
                                                                          								__eflags =  *(_t199 + 0xb1);
                                                                          								if( *(_t199 + 0xb1) == 0) {
                                                                          									goto L79;
                                                                          								}
                                                                          								__eflags =  *(_t199 + 0xb5);
                                                                          								if( *(_t199 + 0xb5) == 0) {
                                                                          									goto L79;
                                                                          								}
                                                                          								__eflags =  *(_t199 + 0xb6);
                                                                          								if( *(_t199 + 0xb6) == 0) {
                                                                          									goto L79;
                                                                          								}
                                                                          								__eflags =  *(_t199 + 0xb3);
                                                                          								if( *(_t199 + 0xb3) == 0) {
                                                                          									goto L79;
                                                                          								}
                                                                          								_push(1);
                                                                          								L78:
                                                                          								EnableWindow(GetDlgItem( *(_t199 + 4), 1), ??);
                                                                          								goto L79;
                                                                          							}
                                                                          							_t204 = _t203 - 1;
                                                                          							__eflags = _t204;
                                                                          							if(_t204 == 0) {
                                                                          								_t97 =  *0x47e194; // 0x0
                                                                          								__eflags = (_t97 & 0x00000030) - 0x30;
                                                                          								if((_t97 & 0x00000030) == 0x30) {
                                                                          									 *(_t199 + 0xb5) = 0;
                                                                          								}
                                                                          								_t100 = GetWindowTextLengthA(GetDlgItem( *(_t199 + 4), 0x18));
                                                                          								__eflags = _t100 -  *0x47e668;
                                                                          								_t101 =  *0x47e194; // 0x0
                                                                          								if(_t100 !=  *0x47e668) {
                                                                          									__eflags = (_t101 & 0x00000030) - 0x30;
                                                                          									if((_t101 & 0x00000030) == 0x30) {
                                                                          										EnableWindow(GetDlgItem( *(_t199 + 4), 1), 0);
                                                                          									}
                                                                          									_t104 = GetWindowTextLengthA(GetDlgItem( *(_t199 + 4), 0x18));
                                                                          									__eflags = _t104;
                                                                          									if(_t104 != 0) {
                                                                          										goto L91;
                                                                          									} else {
                                                                          										_push(0x17);
                                                                          										goto L80;
                                                                          									}
                                                                          								} else {
                                                                          									__eflags = (_t101 & 0x00000030) - 0x30;
                                                                          									if((_t101 & 0x00000030) == 0x30) {
                                                                          										__eflags =  *(_t199 + 0xb2);
                                                                          										 *(_t199 + 0xb5) = 1;
                                                                          										if( *(_t199 + 0xb2) != 0) {
                                                                          											__eflags =  *(_t199 + 0xb1);
                                                                          											if( *(_t199 + 0xb1) != 0) {
                                                                          												__eflags =  *(_t199 + 0xb4);
                                                                          												if( *(_t199 + 0xb4) != 0) {
                                                                          													__eflags =  *(_t199 + 0xb6);
                                                                          													if( *(_t199 + 0xb6) != 0) {
                                                                          														__eflags =  *(_t199 + 0xb3);
                                                                          														if( *(_t199 + 0xb3) != 0) {
                                                                          															EnableWindow(GetDlgItem( *(_t199 + 4), 1), 1);
                                                                          														}
                                                                          													}
                                                                          												}
                                                                          											}
                                                                          										}
                                                                          									}
                                                                          									_push(0x19);
                                                                          									goto L80;
                                                                          								}
                                                                          							}
                                                                          							__eflags = _t204 != 1;
                                                                          							if(_t204 != 1) {
                                                                          								goto L91;
                                                                          							}
                                                                          							_t110 =  *0x47e194; // 0x0
                                                                          							__eflags = (_t110 & 0x00000030) - 0x30;
                                                                          							if((_t110 & 0x00000030) == 0x30) {
                                                                          								 *(_t199 + 0xb6) = 0;
                                                                          							}
                                                                          							_t113 = GetWindowTextLengthA(GetDlgItem( *(_t199 + 4), 0x19));
                                                                          							__eflags = _t113;
                                                                          							_t114 =  *0x47e194; // 0x0
                                                                          							if(_t113 != 0) {
                                                                          								__eflags = (_t114 & 0x00000030) - 0x30;
                                                                          								if((_t114 & 0x00000030) != 0x30) {
                                                                          									goto L91;
                                                                          								}
                                                                          								_t117 = GetWindowTextLengthA(GetDlgItem( *(_t199 + 4), 0x19));
                                                                          								__eflags = _t117 -  *0x47e66c;
                                                                          								if(_t117 !=  *0x47e66c) {
                                                                          									goto L82;
                                                                          								}
                                                                          								__eflags =  *(_t199 + 0xb2);
                                                                          								 *(_t199 + 0xb6) = 1;
                                                                          								if( *(_t199 + 0xb2) == 0) {
                                                                          									goto L91;
                                                                          								}
                                                                          								__eflags =  *(_t199 + 0xb1);
                                                                          								if( *(_t199 + 0xb1) == 0) {
                                                                          									goto L91;
                                                                          								}
                                                                          								__eflags =  *(_t199 + 0xb5);
                                                                          								if( *(_t199 + 0xb5) == 0) {
                                                                          									goto L91;
                                                                          								}
                                                                          								__eflags =  *(_t199 + 0xb4);
                                                                          								if( *(_t199 + 0xb4) == 0) {
                                                                          									goto L91;
                                                                          								}
                                                                          								__eflags =  *(_t199 + 0xb3);
                                                                          								goto L88;
                                                                          							} else {
                                                                          								__eflags = (_t114 & 0x00000030) - 0x30;
                                                                          								if((_t114 & 0x00000030) != 0x30) {
                                                                          									goto L79;
                                                                          								}
                                                                          								_push(0);
                                                                          								goto L78;
                                                                          							}
                                                                          						}
                                                                          						if(__eflags == 0) {
                                                                          							_t119 =  *0x47e194; // 0x0
                                                                          							__eflags = (_t119 & 0x0000000c) - 0xc;
                                                                          							if((_t119 & 0x0000000c) != 0xc) {
                                                                          								goto L91;
                                                                          							}
                                                                          							 *(_t199 + 0xb2) = 1;
                                                                          							_t122 = GetWindowTextLengthA(GetDlgItem( *(_t199 + 4), 0x15));
                                                                          							__eflags = _t122;
                                                                          							if(_t122 != 0) {
                                                                          								__eflags =  *(_t199 + 0xb1);
                                                                          								L34:
                                                                          								if(__eflags == 0) {
                                                                          									goto L91;
                                                                          								}
                                                                          								__eflags =  *(_t199 + 0xb3);
                                                                          								if( *(_t199 + 0xb3) == 0) {
                                                                          									goto L91;
                                                                          								}
                                                                          								__eflags =  *(_t199 + 0xb4);
                                                                          								if( *(_t199 + 0xb4) == 0) {
                                                                          									goto L91;
                                                                          								}
                                                                          								__eflags =  *(_t199 + 0xb5);
                                                                          								if( *(_t199 + 0xb5) == 0) {
                                                                          									goto L91;
                                                                          								}
                                                                          								__eflags =  *(_t199 + 0xb6);
                                                                          								goto L88;
                                                                          							}
                                                                          							EnableWindow(GetDlgItem( *(_t199 + 4), 1), 0);
                                                                          							 *(_t199 + 0xb2) = 0;
                                                                          							goto L91;
                                                                          						}
                                                                          						_t208 = _t201 - 1;
                                                                          						__eflags = _t208;
                                                                          						if(_t208 == 0) {
                                                                          							 *(_t214 + 0x20) = 0;
                                                                          							E0040A736(_t199);
                                                                          							_t127 = E0040AE34(_t199, _t214 + 0x20);
                                                                          							__eflags = _t127;
                                                                          							if(_t127 != 0) {
                                                                          								_t11 = _t214 + 0x14; // 0x47ebe8
                                                                          								E0041BE99(_t11, 0x47ebe8);
                                                                          								E0041C047(_t214 + 0x18, "\r\n", 0);
                                                                          								__eflags =  *0x47e194 & 0x00000001;
                                                                          								_t209 = "\r\n%s: %s";
                                                                          								if(( *0x47e194 & 0x00000001) != 0) {
                                                                          									_push(E0041CD1E(0x47e1b8));
                                                                          									_push(E0041CD1E(0x47ebb8));
                                                                          									E0041C467(_t214 + 0x18, "\r\n%s: %s");
                                                                          									_t214 = _t214 + 0x10;
                                                                          								}
                                                                          								__eflags =  *0x47e194 & 0x00000004;
                                                                          								if(( *0x47e194 & 0x00000004) != 0) {
                                                                          									_push(E0041CD1E(0x47e1c4));
                                                                          									_push(E0041CD1E(0x47ebc4));
                                                                          									E0041C467(_t214 + 0x18, _t209);
                                                                          									_t214 = _t214 + 0x10;
                                                                          								}
                                                                          								__eflags =  *0x47e194 & 0x00000010;
                                                                          								if(( *0x47e194 & 0x00000010) != 0) {
                                                                          									_push(E0041CD1E(0x47e1d0));
                                                                          									_push(E0041CD1E(0x47ebd0));
                                                                          									E0041C467(_t214 + 0x18, _t209);
                                                                          									_t214 = _t214 + 0x10;
                                                                          								}
                                                                          								E0041C047(_t214 + 0x18, "\r\n\r\n", 0);
                                                                          								_t23 = _t214 + 0x14; // 0x47ebe8
                                                                          								E0041C0C5(_t23, __eflags, 0x47ebf4);
                                                                          								__eflags =  *0x47e190 & 0x00000001;
                                                                          								if(( *0x47e190 & 0x00000001) == 0) {
                                                                          									L28:
                                                                          									_t132 =  *(_t214 + 0x20);
                                                                          									_push(0);
                                                                          									 *_t132 =  *_t132 + 0x57;
                                                                          									__eflags =  *_t132;
                                                                          									E00407827(_t199, 0x47dfb8, _t199);
                                                                          									E00417EA6(0x47dfb8, 0);
                                                                          									goto L29;
                                                                          								} else {
                                                                          									_t136 = E0041CD1E(0x47e700);
                                                                          									_t138 = E0041B2CC(0x47dfb8,  *(_t199 + 4), E0041CD1E(_t214 + 0x18), _t136, 4);
                                                                          									__eflags = _t138 - 7;
                                                                          									if(_t138 == 7) {
                                                                          										L29:
                                                                          										E0041BEFB(_t214 + 0x10);
                                                                          										goto L91;
                                                                          									}
                                                                          									goto L28;
                                                                          								}
                                                                          							}
                                                                          							E0041B2CC(0x47dfb8,  *(_t199 + 4), E0041CD1E(0x47ebdc), 0, 0);
                                                                          							goto L91;
                                                                          						}
                                                                          						_t211 = _t208 - 1;
                                                                          						__eflags = _t211;
                                                                          						if(_t211 == 0) {
                                                                          							_push(0);
                                                                          							E00407827(_t199, 0x47dfb8, _t199);
                                                                          							E0041A1B5(1);
                                                                          							goto L91;
                                                                          						}
                                                                          						_t212 = _t211 - 1;
                                                                          						__eflags = _t212;
                                                                          						if(_t212 == 0) {
                                                                          							E0040A736(_t199);
                                                                          							_push(0);
                                                                          							E00407827(_t199, 0x47dfb8, _t199);
                                                                          							E00417D26(0x47dfb8, 0);
                                                                          							goto L91;
                                                                          						}
                                                                          						__eflags = _t212 != 0x11;
                                                                          						if(_t212 != 0x11) {
                                                                          							goto L91;
                                                                          						}
                                                                          						_t157 =  *0x47e194; // 0x0
                                                                          						__eflags = (_t157 & 0x00000003) - 3;
                                                                          						if((_t157 & 0x00000003) != 3) {
                                                                          							goto L91;
                                                                          						}
                                                                          						 *(_t199 + 0xb1) = 1;
                                                                          						_t160 = GetWindowTextLengthA(GetDlgItem( *(_t199 + 4), 0x14));
                                                                          						__eflags = _t160;
                                                                          						if(_t160 != 0) {
                                                                          							__eflags =  *(_t199 + 0xb2);
                                                                          							goto L34;
                                                                          						} else {
                                                                          							EnableWindow(GetDlgItem( *(_t199 + 4), 1), 0);
                                                                          							 *(_t199 + 0xb1) = 0;
                                                                          							goto L91;
                                                                          						}
                                                                          					}
                                                                          					_t163 = E0041BC79(0x47dfb8);
                                                                          					__eflags = _t163;
                                                                          					if(_t163 == 0) {
                                                                          						goto L91;
                                                                          					}
                                                                          					goto L6;
                                                                          				} else {
                                                                          					goto L3;
                                                                          				}
                                                                          			}





































                                                                          0x0040a637
                                                                          0x00000000
                                                                          0x0040a63d
                                                                          0x0040a63d
                                                                          0x00000000
                                                                          0x0040a63d
                                                                          0x0040a5c8
                                                                          0x0040a5cb
                                                                          0x0040a5cd
                                                                          0x0040a5cf
                                                                          0x0040a5d5
                                                                          0x0040a5dc
                                                                          0x0040a5de
                                                                          0x0040a5e4
                                                                          0x0040a5e6
                                                                          0x0040a5ec
                                                                          0x0040a5ee
                                                                          0x0040a5f4
                                                                          0x0040a5f6
                                                                          0x0040a5fc
                                                                          0x0040a608
                                                                          0x0040a608
                                                                          0x0040a5fc
                                                                          0x0040a5f4
                                                                          0x0040a5ec
                                                                          0x0040a5e4
                                                                          0x0040a5dc
                                                                          0x0040a60e
                                                                          0x00000000
                                                                          0x0040a60e
                                                                          0x0040a5c6
                                                                          0x0040a4e7
                                                                          0x0040a4e8
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040a4ee
                                                                          0x0040a4f6
                                                                          0x0040a4f8
                                                                          0x0040a4fa
                                                                          0x0040a4fa
                                                                          0x0040a514
                                                                          0x0040a516
                                                                          0x0040a518
                                                                          0x0040a51d
                                                                          0x0040a533
                                                                          0x0040a535
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040a543
                                                                          0x0040a545
                                                                          0x0040a54b
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040a551
                                                                          0x0040a557
                                                                          0x0040a55e
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040a564
                                                                          0x0040a56a
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040a570
                                                                          0x0040a576
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040a57c
                                                                          0x0040a582
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040a588
                                                                          0x00000000
                                                                          0x0040a51f
                                                                          0x0040a522
                                                                          0x0040a524
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040a52a
                                                                          0x00000000
                                                                          0x0040a52a
                                                                          0x0040a51d
                                                                          0x0040a257
                                                                          0x0040a44c
                                                                          0x0040a454
                                                                          0x0040a456
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040a467
                                                                          0x0040a471
                                                                          0x0040a477
                                                                          0x0040a479
                                                                          0x0040a495
                                                                          0x0040a49b
                                                                          0x0040a49b
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040a4a1
                                                                          0x0040a4a7
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040a4ad
                                                                          0x0040a4b3
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040a4b9
                                                                          0x0040a4bf
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040a4c5
                                                                          0x00000000
                                                                          0x0040a4c5
                                                                          0x0040a484
                                                                          0x0040a48a
                                                                          0x00000000
                                                                          0x0040a48a
                                                                          0x0040a25d
                                                                          0x0040a25d
                                                                          0x0040a25e
                                                                          0x0040a2fb
                                                                          0x0040a2ff
                                                                          0x0040a30b
                                                                          0x0040a310
                                                                          0x0040a312
                                                                          0x0040a336
                                                                          0x0040a33a
                                                                          0x0040a349
                                                                          0x0040a34e
                                                                          0x0040a355
                                                                          0x0040a35a
                                                                          0x0040a366
                                                                          0x0040a371
                                                                          0x0040a378
                                                                          0x0040a37d
                                                                          0x0040a37d
                                                                          0x0040a380
                                                                          0x0040a387
                                                                          0x0040a393
                                                                          0x0040a39e
                                                                          0x0040a3a5
                                                                          0x0040a3aa
                                                                          0x0040a3aa
                                                                          0x0040a3ad
                                                                          0x0040a3b4
                                                                          0x0040a3c0
                                                                          0x0040a3cb
                                                                          0x0040a3d2
                                                                          0x0040a3d7
                                                                          0x0040a3d7
                                                                          0x0040a3e4
                                                                          0x0040a3ee
                                                                          0x0040a3f2
                                                                          0x0040a3f7
                                                                          0x0040a3fe
                                                                          0x0040a427
                                                                          0x0040a427
                                                                          0x0040a42b
                                                                          0x0040a42e
                                                                          0x0040a42e
                                                                          0x0040a431
                                                                          0x0040a439
                                                                          0x00000000
                                                                          0x0040a400
                                                                          0x0040a405
                                                                          0x0040a41d
                                                                          0x0040a422
                                                                          0x0040a425
                                                                          0x0040a43e
                                                                          0x0040a442
                                                                          0x00000000
                                                                          0x0040a442
                                                                          0x00000000
                                                                          0x0040a425
                                                                          0x0040a3fe
                                                                          0x0040a327
                                                                          0x00000000
                                                                          0x0040a327
                                                                          0x0040a264
                                                                          0x0040a264
                                                                          0x0040a265
                                                                          0x0040a2e3
                                                                          0x0040a2e6
                                                                          0x0040a2ef
                                                                          0x00000000
                                                                          0x0040a2ef
                                                                          0x0040a267
                                                                          0x0040a267
                                                                          0x0040a268
                                                                          0x0040a2c9
                                                                          0x0040a2ce
                                                                          0x0040a2d1
                                                                          0x0040a2d9
                                                                          0x00000000
                                                                          0x0040a2d9
                                                                          0x0040a26a
                                                                          0x0040a26d
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040a273
                                                                          0x0040a27b
                                                                          0x0040a27d
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040a28e
                                                                          0x0040a298
                                                                          0x0040a29e
                                                                          0x0040a2a0
                                                                          0x0040a2bc
                                                                          0x00000000
                                                                          0x0040a2a2
                                                                          0x0040a2ab
                                                                          0x0040a2b1
                                                                          0x00000000
                                                                          0x0040a2b1
                                                                          0x0040a2a0
                                                                          0x0040a241
                                                                          0x0040a246
                                                                          0x0040a248
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000

                                                                          APIs
                                                                          • GetDlgItem.USER32 ref: 0040A295
                                                                          • GetWindowTextLengthA.USER32(00000000), ref: 0040A298
                                                                          • GetDlgItem.USER32 ref: 0040A2A8
                                                                          • EnableWindow.USER32(00000000), ref: 0040A2AB
                                                                          • GetDlgItem.USER32 ref: 0040A721
                                                                          • EnableWindow.USER32(00000000), ref: 0040A724
                                                                            • Part of subcall function 0040A736: GetDlgItemTextA.USER32 ref: 0040A7D8
                                                                            • Part of subcall function 0040A736: lstrlenA.KERNEL32(?), ref: 0040A7E7
                                                                            • Part of subcall function 0040A736: GetDlgItemTextA.USER32 ref: 0040A825
                                                                            • Part of subcall function 0040A736: lstrlenA.KERNEL32(?), ref: 0040A82E
                                                                            • Part of subcall function 0040A736: GetDlgItemTextA.USER32 ref: 0040A865
                                                                            • Part of subcall function 0040A736: lstrlenA.KERNEL32(?), ref: 0040A86E
                                                                            • Part of subcall function 00407827: GetWindowTextLengthA.USER32(?), ref: 004078A0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Item$Text$Window$lstrlen$EnableLength
                                                                          • String ID: $%s: %s$G
                                                                          • API String ID: 3337122462-2356399927
                                                                          • Opcode ID: 7ee84b8dd8312172b3a059aeb61dd93444f64e87a211af6e345f0ab10acbdc47
                                                                          • Instruction ID: 221bc5c8d733b3f505849e16dbfb439457003c1b78ab7289a70c632a7fb1e998
                                                                          • Opcode Fuzzy Hash: 7ee84b8dd8312172b3a059aeb61dd93444f64e87a211af6e345f0ab10acbdc47
                                                                          • Instruction Fuzzy Hash: 47D17C31548784AAE730E3318C56BAB7BA69B50344F08487FE186633D2DB3E9895D71F
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0041E6A9(intOrPtr* __ecx, intOrPtr _a4) {
                                                                          				CHAR* _v0;
                                                                          				struct HINSTANCE__* _t54;
                                                                          				_Unknown_base(*)()* _t72;
                                                                          				intOrPtr* _t79;
                                                                          
                                                                          				_t79 = __ecx;
                                                                          				if( *((intOrPtr*)(__ecx + 0x60)) != 0) {
                                                                          					L18:
                                                                          					return 1;
                                                                          				}
                                                                          				_t3 = _t79 + 0x64; // 0x47e774
                                                                          				E0041BF12(_t3, _a4);
                                                                          				_t54 = LoadLibraryA(_v0);
                                                                          				 *(_t79 + 0x60) = _t54;
                                                                          				if(_t54 == 0) {
                                                                          					L19:
                                                                          					return 0;
                                                                          				}
                                                                          				 *_t79 = GetProcAddress(_t54, "MP3Close");
                                                                          				_t6 = _t79 + 0x60; // 0x0
                                                                          				 *((intOrPtr*)(_t79 + 4)) = GetProcAddress( *_t6, "MP3DeInit");
                                                                          				_t8 = _t79 + 0x60; // 0x0
                                                                          				 *((intOrPtr*)(_t79 + 8)) = GetProcAddress( *_t8, "MP3GetCurrentPos");
                                                                          				_t10 = _t79 + 0x60; // 0x0
                                                                          				 *((intOrPtr*)(_t79 + 0xc)) = GetProcAddress( *_t10, "MP3GetLength");
                                                                          				_t12 = _t79 + 0x60; // 0x0
                                                                          				 *((intOrPtr*)(_t79 + 0x10)) = GetProcAddress( *_t12, "MP3GetMPEG_Args");
                                                                          				_t14 = _t79 + 0x60; // 0x0
                                                                          				 *((intOrPtr*)(_t79 + 0x14)) = GetProcAddress( *_t14, "MP3GetPlayer");
                                                                          				_t16 = _t79 + 0x60; // 0x0
                                                                          				 *((intOrPtr*)(_t79 + 0x18)) = GetProcAddress( *_t16, "MP3GetPlayerMode");
                                                                          				_t18 = _t79 + 0x60; // 0x0
                                                                          				 *((intOrPtr*)(_t79 + 0x1c)) = GetProcAddress( *_t18, "MP3Init");
                                                                          				_t20 = _t79 + 0x60; // 0x0
                                                                          				 *((intOrPtr*)(_t79 + 0x20)) = GetProcAddress( *_t20, "MP3Open");
                                                                          				_t22 = _t79 + 0x60; // 0x0
                                                                          				 *((intOrPtr*)(_t79 + 0x24)) = GetProcAddress( *_t22, "MP3Pause");
                                                                          				_t24 = _t79 + 0x60; // 0x0
                                                                          				 *((intOrPtr*)(_t79 + 0x28)) = GetProcAddress( *_t24, "MP3Play");
                                                                          				_t26 = _t79 + 0x60; // 0x0
                                                                          				 *((intOrPtr*)(_t79 + 0x2c)) = GetProcAddress( *_t26, "MP3SetDevice");
                                                                          				_t28 = _t79 + 0x60; // 0x0
                                                                          				 *((intOrPtr*)(_t79 + 0x30)) = GetProcAddress( *_t28, "MP3SetExternalValues");
                                                                          				_t30 = _t79 + 0x60; // 0x0
                                                                          				 *((intOrPtr*)(_t79 + 0x34)) = GetProcAddress( *_t30, "MP3SetPriority");
                                                                          				_t32 = _t79 + 0x60; // 0x0
                                                                          				 *((intOrPtr*)(_t79 + 0x38)) = GetProcAddress( *_t32, "MP3Stop");
                                                                          				_t34 = _t79 + 0x60; // 0x0
                                                                          				 *((intOrPtr*)(_t79 + 0x40)) = GetProcAddress( *_t34, "MP3Resume");
                                                                          				_t36 = _t79 + 0x60; // 0x0
                                                                          				_t72 = GetProcAddress( *_t36, "MP3Suspend");
                                                                          				 *(_t79 + 0x3c) = _t72;
                                                                          				if( *((intOrPtr*)(_t79 + 0x2c)) == 0 ||  *((intOrPtr*)(_t79 + 0x20)) == 0 ||  *((intOrPtr*)(_t79 + 0x34)) == 0 ||  *((intOrPtr*)(_t79 + 0x28)) == 0 ||  *_t79 == 0 ||  *((intOrPtr*)(_t79 + 0x10)) == 0 ||  *((intOrPtr*)(_t79 + 0x14)) == 0 ||  *((intOrPtr*)(_t79 + 8)) == 0 ||  *((intOrPtr*)(_t79 + 0xc)) == 0 ||  *((intOrPtr*)(_t79 + 0x18)) == 0 ||  *((intOrPtr*)(_t79 + 4)) == 0 ||  *((intOrPtr*)(_t79 + 0x1c)) == 0 ||  *((intOrPtr*)(_t79 + 0x30)) == 0 ||  *((intOrPtr*)(_t79 + 0x24)) == 0 || _t72 == 0 ||  *((intOrPtr*)(_t79 + 0x40)) == 0) {
                                                                          					goto L19;
                                                                          				} else {
                                                                          					goto L18;
                                                                          				}
                                                                          			}








                                                                          APIs
                                                                            • Part of subcall function 0041BF12: GlobalUnlock.KERNEL32(0217020C,00000104,00000000,0041929A,00000000), ref: 0041BF19
                                                                            • Part of subcall function 0041BF12: GlobalReAlloc.KERNEL32 ref: 0041BF3B
                                                                            • Part of subcall function 0041BF12: GlobalLock.KERNEL32 ref: 0041BF5C
                                                                          • LoadLibraryA.KERNEL32(00000001,00000001,00000000,0047E880,00418994,00000000,00000000,00000000,00000060,0000005C,0047E1B8,00000001,?,00000000), ref: 0041E6C8
                                                                          • GetProcAddress.KERNEL32(00000000,MP3Close), ref: 0041E6E6
                                                                          • GetProcAddress.KERNEL32(00000000,MP3DeInit), ref: 0041E6F2
                                                                          • GetProcAddress.KERNEL32(00000000,MP3GetCurrentPos), ref: 0041E6FF
                                                                          • GetProcAddress.KERNEL32(00000000,MP3GetLength), ref: 0041E70C
                                                                          • GetProcAddress.KERNEL32(00000000,MP3GetMPEG_Args), ref: 0041E719
                                                                          • GetProcAddress.KERNEL32(00000000,MP3GetPlayer), ref: 0041E726
                                                                          • GetProcAddress.KERNEL32(00000000,MP3GetPlayerMode), ref: 0041E733
                                                                          • GetProcAddress.KERNEL32(00000000,MP3Init), ref: 0041E740
                                                                          • GetProcAddress.KERNEL32(00000000,MP3Open), ref: 0041E74D
                                                                          • GetProcAddress.KERNEL32(00000000,MP3Pause), ref: 0041E75A
                                                                          • GetProcAddress.KERNEL32(00000000,MP3Play), ref: 0041E767
                                                                          • GetProcAddress.KERNEL32(00000000,MP3SetDevice), ref: 0041E774
                                                                          • GetProcAddress.KERNEL32(00000000,MP3SetExternalValues), ref: 0041E781
                                                                          • GetProcAddress.KERNEL32(00000000,MP3SetPriority), ref: 0041E78E
                                                                          • GetProcAddress.KERNEL32(00000000,MP3Stop), ref: 0041E79B
                                                                          • GetProcAddress.KERNEL32(00000000,MP3Resume), ref: 0041E7A8
                                                                          • GetProcAddress.KERNEL32(00000000,MP3Suspend), ref: 0041E7B5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$Global$AllocLibraryLoadLockUnlock
                                                                          • String ID: MP3Close$MP3DeInit$MP3GetCurrentPos$MP3GetLength$MP3GetMPEG_Args$MP3GetPlayer$MP3GetPlayerMode$MP3Init$MP3Open$MP3Pause$MP3Play$MP3Resume$MP3SetDevice$MP3SetExternalValues$MP3SetPriority$MP3Stop$MP3Suspend
                                                                          • API String ID: 965071145-3235912515
                                                                          • Opcode ID: 20784e80a0a34f3acdc7371813bb123dc37661cd575c96a1689c7c4cf3d30629
                                                                          • Instruction ID: 1619fba8f7bcf3451f2e6772190591f9765ac1e1d8174a758dadbc188b95dfea
                                                                          • Opcode Fuzzy Hash: 20784e80a0a34f3acdc7371813bb123dc37661cd575c96a1689c7c4cf3d30629
                                                                          • Instruction Fuzzy Hash: 9941C875900B55AFCB306F62DC448ABFAE2FE80B01751493FE5C642A60D775A880DF59
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0040F47A() {
                                                                          				struct tagSIZE _v80;
                                                                          				struct tagSIZE _v88;
                                                                          				intOrPtr _v92;
                                                                          				intOrPtr _v108;
                                                                          				intOrPtr _v112;
                                                                          				void* _v124;
                                                                          				void* _v140;
                                                                          				int _t11;
                                                                          				CHAR* _t18;
                                                                          				intOrPtr _t19;
                                                                          				intOrPtr _t22;
                                                                          				void* _t27;
                                                                          				void* _t39;
                                                                          				void* _t51;
                                                                          				int _t63;
                                                                          				int _t65;
                                                                          				int _t69;
                                                                          
                                                                          				_t11 = SetBkMode( *0x47e184, 1);
                                                                          				_t63 =  *0x47e85c; // 0xe
                                                                          				if(_t63 > 0) {
                                                                          					_t39 = CreateFontA(0x1c, 0x12, 0, 0, 0x258, 0, 0, 0, 1, 0, 0, 2, 0, "Times New Roman");
                                                                          					_v80.cx = _t39;
                                                                          					SelectObject( *0x47e184, _t39);
                                                                          					GetTextExtentPoint32A( *0x47e184, E0041CD1E(0x47e85c),  *0x47e85c,  &_v80);
                                                                          					SetTextColor( *0x47e184,  *0x47e834);
                                                                          					if( *0x47e834 != 0xffffff) {
                                                                          						TextOutA( *0x47e184, 0xc, 0xb, E0041CD1E(0x47e85c),  *0x47e85c);
                                                                          					}
                                                                          					SetTextColor( *0x47e184,  *0x47e830);
                                                                          					TextOutA( *0x47e184, 0xa, 0xa, E0041CD1E(0x47e85c),  *0x47e85c);
                                                                          					_t11 = DeleteObject(_v140);
                                                                          				}
                                                                          				_t65 =  *0x47e868; // 0xc
                                                                          				if(_t65 > 0) {
                                                                          					_t27 = CreateFontA(0x10, 9, 0, 0, 0x2bc, 0, 0, 0, 1, 0, 0, 2, 0, "Times New Roman");
                                                                          					_v80.cx = _t27;
                                                                          					SelectObject( *0x47e184, _t27);
                                                                          					SetTextColor( *0x47e184,  *0x47e83c);
                                                                          					if( *0x47e83c != 0xffffff) {
                                                                          						TextOutA( *0x47e184, 0xc, _v88.cy + 0x10, E0041CD1E(0x47e868),  *0x47e868);
                                                                          					}
                                                                          					SetTextColor( *0x47e184,  *0x47e838);
                                                                          					TextOutA( *0x47e184, 0xa, _v92 + 0xf, E0041CD1E(0x47e868),  *0x47e868);
                                                                          					_t11 = DeleteObject(_v124);
                                                                          				}
                                                                          				_t69 =  *0x47e874; // 0x16
                                                                          				if(_t69 > 0) {
                                                                          					_t51 = CreateFontA(0xe, 8, 0, 0, 0x2bc, 0, 0, 0, 1, 0, 0, 2, 0, "Times New Roman");
                                                                          					SelectObject( *0x47e184, _t51);
                                                                          					GetTextExtentPoint32A( *0x47e184, E0041CD1E(0x47e874),  *0x47e874,  &_v88);
                                                                          					SetTextColor( *0x47e184,  *0x47e840);
                                                                          					_t18 = E0041CD1E(0x47e874);
                                                                          					_t19 =  *0x47e174; // 0x0
                                                                          					_t22 =  *0x47e170; // 0x0
                                                                          					TextOutA( *0x47e184, _t22 - _v112 - 0xa, _t19 - _v108 - 8, _t18,  *0x47e874);
                                                                          					return DeleteObject(_t51);
                                                                          				}
                                                                          				return _t11;
                                                                          			}





















                                                                          APIs
                                                                          • SetBkMode.GDI32(00000001,00000032), ref: 0040F489
                                                                          • CreateFontA.GDI32(0000001C,00000012,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000000,00000000,00000002,00000000,Times New Roman), ref: 0040F4C9
                                                                          • GetTextExtentPoint32A.GDI32(00000000,?,?,0047E850), ref: 0040F4F4
                                                                          • SetTextColor.GDI32(?,0047E850), ref: 0040F506
                                                                          • TextOutA.GDI32(0000000C,0000000B,00000000,?,0047E850), ref: 0040F52F
                                                                          • SetTextColor.GDI32(?,0047E850), ref: 0040F541
                                                                          • TextOutA.GDI32(0000000A,0000000A,00000000,?,0047E850), ref: 0040F55E
                                                                          • DeleteObject.GDI32(?), ref: 0040F568
                                                                          • SelectObject.GDI32(00000000), ref: 0040F4D6
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          • CreateFontA.GDI32(00000010,00000009,00000000,00000000,000002BC,00000000,00000000,00000000,00000001,00000000,00000000,00000002,00000000,Times New Roman), ref: 0040F594
                                                                          • SelectObject.GDI32(00000000), ref: 0040F5A1
                                                                          • SetTextColor.GDI32(?,0047E850), ref: 0040F5AF
                                                                          • TextOutA.GDI32(0000000C,?,00000000,?,0047E850), ref: 0040F5DE
                                                                          • SetTextColor.GDI32(?,0047E850), ref: 0040F5F0
                                                                          • TextOutA.GDI32(0000000A,?,00000000,?,0047E850), ref: 0040F613
                                                                          • DeleteObject.GDI32(?), ref: 0040F61D
                                                                          • CreateFontA.GDI32(0000000E,00000008,00000000,00000000,000002BC,00000000,00000000,00000000,00000001,00000000,00000000,00000002,00000000,Times New Roman), ref: 0040F649
                                                                          • SelectObject.GDI32(00000000), ref: 0040F654
                                                                          • GetTextExtentPoint32A.GDI32(00000000,?,?,0047E850), ref: 0040F674
                                                                          • SetTextColor.GDI32(?,0047E850), ref: 0040F686
                                                                          • TextOutA.GDI32(?,?,00000000,?,0047E850), ref: 0040F6B6
                                                                          • DeleteObject.GDI32(00000000), ref: 0040F6BD
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Text$Object$Color$CreateDeleteFontGlobalSelect$ExtentPoint32$AllocLockModeUnlock
                                                                          • String ID: Times New Roman$\G$\G$\G$hG$hG$tG
                                                                          • API String ID: 3925784853-825372909
                                                                          • Opcode ID: e40a0036ea07f2b8a7558271e1f6f941f65df4797eaf26ba6e08b467d0ced6cc
                                                                          • Instruction ID: 99419c99bfa201b0603410c1c4a6b0ae38e5c226678128a219e58409f66074ab
                                                                          • Opcode Fuzzy Hash: e40a0036ea07f2b8a7558271e1f6f941f65df4797eaf26ba6e08b467d0ced6cc
                                                                          • Instruction Fuzzy Hash: CE519030241214BFE7216B63ED4AE5B3F69FB49760F410279F60C621B1CB314895DB6E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 95%
                                                                          			E0040C0A9(void* __ecx, struct HWND__* _a4) {
                                                                          				char _v8;
                                                                          				char _v12;
                                                                          				char _v20;
                                                                          				char _v32;
                                                                          				struct HWND__* _t38;
                                                                          				struct HWND__* _t41;
                                                                          				struct HBITMAP__* _t42;
                                                                          				signed char _t63;
                                                                          				long _t64;
                                                                          				void* _t68;
                                                                          				void* _t69;
                                                                          				char _t73;
                                                                          				struct HWND__* _t85;
                                                                          				void* _t100;
                                                                          				void* _t129;
                                                                          
                                                                          				_t38 = _a4;
                                                                          				_t129 = __ecx;
                                                                          				 *(__ecx + 4) = _t38;
                                                                          				if( *0x42bf98 <= 0) {
                                                                          					EnableWindow(GetDlgItem(_t38, 3), 0);
                                                                          				}
                                                                          				if(GetDlgItem( *(_t129 + 4), 0xa) == 0) {
                                                                          					E0041D881("Invalid dialog template or tree-view creation failed.");
                                                                          				}
                                                                          				if(E00424DD9(0x14) == 0) {
                                                                          					_t41 = 0;
                                                                          					__eflags = 0;
                                                                          				} else {
                                                                          					_t41 = E00405EC8(_t40);
                                                                          				}
                                                                          				 *((intOrPtr*)(_t129 + 0xb0)) = _t41;
                                                                          				if(_t41 == 0) {
                                                                          					E0041D881(E0041CD1E(0x47e924));
                                                                          				}
                                                                          				_t42 = LoadBitmapA( *0x47e17c, 0x7f);
                                                                          				E004060B6( *((intOrPtr*)(_t129 + 0xb0)), GetDlgItem( *(_t129 + 4), 0xa), _t42);
                                                                          				_t100 = 0x47e850;
                                                                          				if(( *0x47e193 & 0x00000002) == 0) {
                                                                          					_t100 = 0x47ed2c;
                                                                          				}
                                                                          				SetWindowTextA( *(_t129 + 4), E0041CD1E(_t100));
                                                                          				SetDlgItemTextA( *(_t129 + 4), 3, E0041CD1E(0x47e8a0));
                                                                          				SetDlgItemTextA( *(_t129 + 4), 1, E0041CD1E(0x47e8d0));
                                                                          				SetDlgItemTextA( *(_t129 + 4), 2, E0041CD1E(0x47e8b8));
                                                                          				SetDlgItemTextA( *(_t129 + 4), 0x1e, E0041CD1E(0x47ed38));
                                                                          				SetDlgItemTextA( *(_t129 + 4), 0x21, E0041CD1E(0x47ed44));
                                                                          				SetDlgItemTextA( *(_t129 + 4), 0x1f, E0041CD1E(0x47ed50));
                                                                          				SetDlgItemTextA( *(_t129 + 4), 0x20, E0041CD1E(0x47ed5c));
                                                                          				if(E00419E8A() != 0) {
                                                                          					SetDlgItemTextA( *(_t129 + 4), 1, E0041CD1E(0x47e8c4));
                                                                          				}
                                                                          				_t63 = GetWindowLongA(GetDlgItem( *(_t129 + 4), 0xa), 0xfffffff0);
                                                                          				if(( *0x47e190 & 0x00000020) != 0) {
                                                                          					_t64 = _t63 | 0x00000004;
                                                                          					__eflags = _t64;
                                                                          				} else {
                                                                          					_t64 = _t63 & 0x000000fb;
                                                                          				}
                                                                          				SetWindowLongA(GetDlgItem( *(_t129 + 4), 0xa), 0xfffffff0, _t64);
                                                                          				 *0x47e65c = 4;
                                                                          				E0041BDC5( &_v32);
                                                                          				_t68 = E0041C8FD(0x47e2f0, 0xb8);
                                                                          				_t69 = E0041C8FD(0x47e2f0, 0xb4);
                                                                          				if(E0041CAC5( &_v32, E0041CD1E(0x47e6c8), _t69, _t68) < 0) {
                                                                          					E0041D881("Unknown error");
                                                                          				}
                                                                          				 *0x47e698 = 0;
                                                                          				 *0x47e69c = 0;
                                                                          				 *0x47e6a0 = 0;
                                                                          				 *0x47e6a4 = 0;
                                                                          				 *0x47e6a8 = 0;
                                                                          				 *0x47e6ac = 0;
                                                                          				_a4 = 0;
                                                                          				_t73 = E0041C8FD(0x47e2f0, 0xb0);
                                                                          				_t138 = _t73;
                                                                          				_v12 = 0;
                                                                          				if(_t73 > 0) {
                                                                          					_v8 = _t73;
                                                                          					do {
                                                                          						_t85 = E0040C3A0(_t129, _t138,  &_v32, _a4,  &_v12, 0);
                                                                          						_t30 =  &_v8;
                                                                          						 *_t30 = _v8 - 1;
                                                                          						_a4 = _t85;
                                                                          					} while ( *_t30 != 0);
                                                                          				}
                                                                          				E00406506( *((intOrPtr*)(_t129 + 0xb0)));
                                                                          				E0040629C( *((intOrPtr*)(_t129 + 0xb0)), 0);
                                                                          				_push( &_v20);
                                                                          				E0040C96B(_t129);
                                                                          				if( *0x47e114 != 0) {
                                                                          					SetDlgItemTextA( *(_t129 + 4), 0x41f, E0041CD1E(0x47df68));
                                                                          					E0040EFE7();
                                                                          				}
                                                                          				E0041BEFB( &_v32);
                                                                          				return 1;
                                                                          			}



















                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Item$Text$Window$Long$BitmapEnableLoad
                                                                          • String ID: $G$,G$8G$DG$Invalid dialog template or tree-view creation failed.$PG$PG$Unknown error$\G
                                                                          • API String ID: 3899850823-1744149094
                                                                          • Opcode ID: f1ed27bd11f40985a3ae38480d279baaa47c525fd336369dc1ca43c4ce602c06
                                                                          • Instruction ID: e9724913dde6e49aaf8b8cc420de5cb2d47973a8f667f7f0ac012c5886f2ab73
                                                                          • Opcode Fuzzy Hash: f1ed27bd11f40985a3ae38480d279baaa47c525fd336369dc1ca43c4ce602c06
                                                                          • Instruction Fuzzy Hash: B0610970640305AED720BB76DC86BAA7A99EF44704F00857FF61AA61E2CF7858409A1D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0040EFE7() {
                                                                          				void* _v8;
                                                                          				int _v20;
                                                                          				char _v22;
                                                                          				char _v23;
                                                                          				char _v24;
                                                                          				char _v25;
                                                                          				char _v26;
                                                                          				char _v27;
                                                                          				char _v28;
                                                                          				char _v29;
                                                                          				char _v30;
                                                                          				char _v31;
                                                                          				char _v32;
                                                                          				char _v33;
                                                                          				char _v34;
                                                                          				char _v35;
                                                                          				char _v36;
                                                                          				char _v37;
                                                                          				char _v38;
                                                                          				char _v39;
                                                                          				char _v40;
                                                                          				char _v41;
                                                                          				char _v42;
                                                                          				char _v43;
                                                                          				char _v44;
                                                                          				char _v45;
                                                                          				char _v46;
                                                                          				char _v47;
                                                                          				char _v48;
                                                                          				char _v49;
                                                                          				char _v50;
                                                                          				char _v51;
                                                                          				char _v52;
                                                                          				char _v53;
                                                                          				char _v54;
                                                                          				char _v55;
                                                                          				char _v56;
                                                                          				char _v57;
                                                                          				char _v58;
                                                                          				char _v59;
                                                                          				char _v60;
                                                                          				void* _t53;
                                                                          				intOrPtr _t92;
                                                                          
                                                                          				_t92 =  *0x47e114; // 0x0
                                                                          				if(_t92 != 0) {
                                                                          					_t53 = CreateFontA(0x1e, 0, 0x5a, 0x5a, 0x2bc, 0, 0, 0, 0, 0, 0, 0, 0, "Times New Roman");
                                                                          					_v8 = _t53;
                                                                          					SelectObject( *0x47e184, _t53);
                                                                          					SetTextColor( *0x47e184, 0xa0a0a);
                                                                          					TextOutA( *0x47e184, 0xc, 0x6f, E0041CD1E(0x47df68),  *0x47df68);
                                                                          					SetTextColor( *0x47e184, 0xff);
                                                                          					TextOutA( *0x47e184, 0xa, 0x6e, E0041CD1E(0x47df68),  *0x47df68);
                                                                          					_v60 = 0x61;
                                                                          					_v59 = 0x84;
                                                                          					_v58 = 0x6a;
                                                                          					_v57 = 0xb7;
                                                                          					_v56 = 0x15;
                                                                          					_v55 = 0x42;
                                                                          					_v54 = 0x6c;
                                                                          					_v53 = 0x9b;
                                                                          					_v52 = 0xbf;
                                                                          					_v51 = 0x9e;
                                                                          					_v50 = 0xf3;
                                                                          					_v49 = 0x44;
                                                                          					_v48 = 0x75;
                                                                          					_v47 = 0xa2;
                                                                          					_v46 = 0xbb;
                                                                          					_v45 = 0xf2;
                                                                          					_v44 = 0x1e;
                                                                          					_v43 = 0x43;
                                                                          					_v42 = 0x7c;
                                                                          					_v41 = 0x31;
                                                                          					_v40 = 0x94;
                                                                          					_v39 = 0xa;
                                                                          					_v38 = 5;
                                                                          					_v37 = 0x4d;
                                                                          					_v36 = 0x74;
                                                                          					_v35 = 0x3a;
                                                                          					_v34 = 0x1b;
                                                                          					_v33 = 0x48;
                                                                          					_v32 = 0x98;
                                                                          					_v31 = 0x16;
                                                                          					_v30 = 0x63;
                                                                          					_v29 = 0xb2;
                                                                          					_v28 = 0x9f;
                                                                          					_v27 = 0xf4;
                                                                          					_v26 = 0x74;
                                                                          					_v25 = 0xb6;
                                                                          					_v24 = 4;
                                                                          					_v23 = 0x8f;
                                                                          					_v22 = 0xda;
                                                                          					E0041BDC5( &_v20);
                                                                          					E0041C047( &_v20,  &_v60, 0x27);
                                                                          					E0041C2E0( &_v20);
                                                                          					E0041C2E0( &_v20);
                                                                          					SetTextColor( *0x47e184, 0xa0a0a);
                                                                          					TextOutA( *0x47e184, 0x13, 0x8d, E0041CD1E( &_v20), _v20);
                                                                          					SetTextColor( *0x47e184, 0xff);
                                                                          					TextOutA( *0x47e184, 0x11, 0x8c, E0041CD1E( &_v20), _v20);
                                                                          					DeleteObject(_v8);
                                                                          					return E0041BEFB( &_v20);
                                                                          				}
                                                                          				return 0;
                                                                          			}














































                                                                          0x0040f1b1

                                                                          APIs
                                                                          • CreateFontA.GDI32(0000001E,00000000,0000005A,0000005A,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,Times New Roman), ref: 0040F017
                                                                          • SelectObject.GDI32(00000000), ref: 0040F027
                                                                          • SetTextColor.GDI32(000A0A0A), ref: 0040F03E
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          • TextOutA.GDI32(0000000C,0000006F,00000000), ref: 0040F061
                                                                          • SetTextColor.GDI32(000000FF), ref: 0040F06F
                                                                          • TextOutA.GDI32(0000000A,0000006E,00000000), ref: 0040F08C
                                                                            • Part of subcall function 0041BDC5: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0041C189,00000000,0047E4D0,00000000), ref: 0041BDD5
                                                                            • Part of subcall function 0041BDC5: GlobalLock.KERNEL32 ref: 0041BDDF
                                                                            • Part of subcall function 0041C047: lstrlenA.KERNEL32(00000000,00422D86,0047E788,004221EF,103,00000000,00000000,00000000,00000000,0047E788,00000000), ref: 0041C04F
                                                                            • Part of subcall function 0041C047: GlobalUnlock.KERNEL32(8415FF57), ref: 0041C067
                                                                            • Part of subcall function 0041C047: GlobalReAlloc.KERNEL32 ref: 0041C074
                                                                            • Part of subcall function 0041C047: GlobalLock.KERNEL32 ref: 0041C095
                                                                          • SetTextColor.GDI32(000A0A0A,00000061), ref: 0040F15B
                                                                          • TextOutA.GDI32(00000013,0000008D,00000000,?), ref: 0040F176
                                                                          • SetTextColor.GDI32(000000FF), ref: 0040F17F
                                                                          • TextOutA.GDI32(00000011,0000008C,00000000,?), ref: 0040F19A
                                                                          • DeleteObject.GDI32(00000000), ref: 0040F19F
                                                                            • Part of subcall function 0041BEFB: GlobalUnlock.KERNEL32(?,00000000,0041C1E9,00000000,00000010,00000000,0047E4D0,00000000), ref: 0041BF01
                                                                            • Part of subcall function 0041BEFB: GlobalFree.KERNEL32 ref: 0041BF0A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$Text$Color$AllocLockUnlock$Object$CreateDeleteFontFreeSelectlstrlen
                                                                          • String ID: 1$:$B$C$D$H$M$Times New Roman$a$c$j$l$t$t$u$|
                                                                          • API String ID: 1504305052-3776954210
                                                                          • Opcode ID: 0898f61e26a57f1fa401cbf66ffe2bfefa2e0da7bd6eb85c7d141dea550474d7
                                                                          • Instruction ID: b96e83faf94bd855eac5d28af4e6b08fe524ba3b2a2faf81bbdc3322f893e8cf
                                                                          • Opcode Fuzzy Hash: 0898f61e26a57f1fa401cbf66ffe2bfefa2e0da7bd6eb85c7d141dea550474d7
                                                                          • Instruction Fuzzy Hash: 295173309043CAEDDB2297B9DC49BDEBF719F26324F4402A9F190361E2C7A50545D77A
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 57%
                                                                          			E004203D5(void* __ebx, intOrPtr __ecx) {
                                                                          				char _v16;
                                                                          				signed int _v20;
                                                                          				char _v24;
                                                                          				void* _v28;
                                                                          				int _v32;
                                                                          				intOrPtr _v36;
                                                                          				struct _OSVERSIONINFOA _v184;
                                                                          				int _t77;
                                                                          				signed char _t81;
                                                                          				signed char _t86;
                                                                          				intOrPtr _t92;
                                                                          				intOrPtr _t93;
                                                                          				intOrPtr _t99;
                                                                          				signed int _t105;
                                                                          				signed int _t108;
                                                                          				signed char _t113;
                                                                          				void* _t122;
                                                                          				int _t123;
                                                                          				intOrPtr _t134;
                                                                          				intOrPtr _t135;
                                                                          				intOrPtr _t137;
                                                                          				signed int _t148;
                                                                          				signed int _t149;
                                                                          				signed int _t150;
                                                                          				int* _t151;
                                                                          				char _t153;
                                                                          				void* _t156;
                                                                          				void* _t157;
                                                                          
                                                                          				_t122 = __ebx;
                                                                          				_t151 = 0;
                                                                          				_v36 = __ecx;
                                                                          				E00424500( &_v184, 0, 0x94);
                                                                          				_t157 = _t156 + 0xc;
                                                                          				_v184.dwOSVersionInfoSize = 0x94;
                                                                          				_t77 = GetVersionExA( &_v184);
                                                                          				if(_t77 == 0) {
                                                                          					 *0x47e2c8 =  *0x47e2c8 + 1;
                                                                          					return _t77;
                                                                          				}
                                                                          				_v20 = 0;
                                                                          				E0041BE99( &_v16, 0x47ea14);
                                                                          				E0041BFF8( &_v16, 9);
                                                                          				__eflags = _v184.dwPlatformId;
                                                                          				_t153 = " SP%d";
                                                                          				if(_v184.dwPlatformId != 0) {
                                                                          					__eflags = _v184.dwPlatformId - 1;
                                                                          					if(_v184.dwPlatformId != 1) {
                                                                          						__eflags = _v184.dwPlatformId - 2;
                                                                          						if(_v184.dwPlatformId == 2) {
                                                                          							__eflags = _v184.dwMajorVersion - 5;
                                                                          							if(_v184.dwMajorVersion != 5) {
                                                                          								_push(_v184.dwMinorVersion);
                                                                          								_push(_v184.dwMajorVersion);
                                                                          								E0041C467( &_v16, "Windows NT %d.%d");
                                                                          								_t157 = _t157 + 0x10;
                                                                          							} else {
                                                                          								__eflags = _v184.dwMinorVersion;
                                                                          								if(_v184.dwMinorVersion != 0) {
                                                                          									__eflags = _v184.dwMinorVersion - 1;
                                                                          									_push(0);
                                                                          									if(_v184.dwMinorVersion != 1) {
                                                                          										_push("Windows 2003");
                                                                          									} else {
                                                                          										_push("Windows XP");
                                                                          									}
                                                                          								} else {
                                                                          									_push(0);
                                                                          									_push("Windows 2000");
                                                                          								}
                                                                          								E0041C047( &_v16);
                                                                          							}
                                                                          							_v24 = _t151;
                                                                          							_v32 = 4;
                                                                          							_t105 = RegOpenKeyExA(0x80000002, "System\\CurrentControlSet\\Control\\Windows", _t151, 1,  &_v28);
                                                                          							__eflags = _t105;
                                                                          							if(_t105 == 0) {
                                                                          								_t108 = RegQueryValueExA(_v28, "CSDVersion", _t151, _t151,  &_v24,  &_v32);
                                                                          								__eflags = _t108;
                                                                          								if(_t108 == 0) {
                                                                          									_t113 = _v24;
                                                                          									__eflags = _t113 - 0xff;
                                                                          									_v20 = _t113;
                                                                          									if(_t113 > 0xff) {
                                                                          										__eflags = 0;
                                                                          										_v20 = _t113 & 0x000000ff;
                                                                          									}
                                                                          								}
                                                                          								RegCloseKey(_v28);
                                                                          								__eflags = _v20 - _t151;
                                                                          								if(_v20 > _t151) {
                                                                          									_push(_v20 & 0x0000ffff);
                                                                          									E0041C467( &_v16, _t153);
                                                                          									_t157 = _t157 + 0xc;
                                                                          								}
                                                                          							}
                                                                          						}
                                                                          						goto L27;
                                                                          					}
                                                                          					__eflags = _v184.dwMinorVersion - 0x5a;
                                                                          					if(_v184.dwMinorVersion == 0x5a) {
                                                                          						L10:
                                                                          						_push(_t151);
                                                                          						_push("Windows ME");
                                                                          						L11:
                                                                          						E0041C047( &_v16);
                                                                          						_push(_v184.dwBuildNumber & 0x0000ffff);
                                                                          						_push(_v184.dwMinorVersion);
                                                                          						_push(_v184.dwMajorVersion);
                                                                          						E0041C467( &_v16, " (%d.%d.%d)");
                                                                          						_t157 = _t157 + 0x14;
                                                                          						goto L27;
                                                                          					}
                                                                          					__eflags = _v184.dwMajorVersion - 4;
                                                                          					if(_v184.dwMajorVersion != 4) {
                                                                          						goto L10;
                                                                          					} else {
                                                                          						__eflags = _v184.dwMinorVersion;
                                                                          						_push(0);
                                                                          						if(_v184.dwMinorVersion != 0) {
                                                                          							_push("Windows 98 ");
                                                                          						} else {
                                                                          							_push("Windows 95 ");
                                                                          						}
                                                                          						goto L11;
                                                                          					}
                                                                          				} else {
                                                                          					E0041C047( &_v16, "Windows 32s ", 0);
                                                                          					L27:
                                                                          					__eflags =  *0x47e118 - _t151; // 0x5
                                                                          					_push(_t151);
                                                                          					if(__eflags != 0) {
                                                                          						_push("\tWin ");
                                                                          					} else {
                                                                          						_push("\t-/");
                                                                          					}
                                                                          					E0041C047( &_v16);
                                                                          					_t81 =  *0x47e118; // 0x5
                                                                          					__eflags = _t81 & 0x00000001;
                                                                          					if((_t81 & 0x00000001) == 0) {
                                                                          						__eflags = _t81 & 0x00000002;
                                                                          						if((_t81 & 0x00000002) == 0) {
                                                                          							__eflags = _t81 & 0x00000008;
                                                                          							if((_t81 & 0x00000008) == 0) {
                                                                          								goto L41;
                                                                          							}
                                                                          							_push(_t151);
                                                                          							_push("ME/");
                                                                          							goto L40;
                                                                          						}
                                                                          						__eflags =  *0x47e11c - 0x8ad;
                                                                          						_push(_t151);
                                                                          						if( *0x47e11c <= 0x8ad) {
                                                                          							_push("98/");
                                                                          						} else {
                                                                          							_push("98 SE/");
                                                                          						}
                                                                          						goto L40;
                                                                          					} else {
                                                                          						__eflags =  *0x47e11c - 0x3e8;
                                                                          						_push(_t151);
                                                                          						if( *0x47e11c <= 0x3e8) {
                                                                          							_push("95/");
                                                                          						} else {
                                                                          							_push("95 (OSR2)/");
                                                                          						}
                                                                          						L40:
                                                                          						E0041C047( &_v16);
                                                                          						L41:
                                                                          						__eflags =  *0x47e118 & 0x00000004;
                                                                          						if(( *0x47e118 & 0x00000004) == 0) {
                                                                          							L53:
                                                                          							_push(_t122);
                                                                          							E0041C3A9( &_v16, _v16 - 1, 1);
                                                                          							E0041BFF8( &_v16, 9);
                                                                          							_t86 =  *0x47e118; // 0x5
                                                                          							_t123 = 0;
                                                                          							__eflags = _v184.dwPlatformId - 1;
                                                                          							if(_v184.dwPlatformId != 1) {
                                                                          								L62:
                                                                          								__eflags = _v184.dwPlatformId - 2;
                                                                          								if(_v184.dwPlatformId != 2) {
                                                                          									L71:
                                                                          									__eflags = _t86 - _t151;
                                                                          									if(_t86 == _t151) {
                                                                          										_t123 = 1;
                                                                          									}
                                                                          									__eflags = _t123;
                                                                          									if(__eflags == 0) {
                                                                          										 *0x47e2c0 =  *0x47e2c0 + 1;
                                                                          										__eflags =  *0x47e2c0;
                                                                          										_push(0x47e8dc);
                                                                          									} else {
                                                                          										_push(0x47e8f4);
                                                                          									}
                                                                          									E0041C0C5( &_v16, __eflags);
                                                                          									E0041EEC5(_v36,  &_v16);
                                                                          									return E0041BEFB( &_v16);
                                                                          								}
                                                                          								_t134 =  *0x47e120; // 0x5
                                                                          								_t148 = _t86 & 0x00000004;
                                                                          								__eflags = _t148;
                                                                          								if(_t148 == 0) {
                                                                          									L65:
                                                                          									__eflags = _t148 - _t151;
                                                                          									if(_t148 == _t151) {
                                                                          										goto L71;
                                                                          									}
                                                                          									__eflags = _v184.dwMajorVersion - _t134;
                                                                          									if(_v184.dwMajorVersion != _t134) {
                                                                          										goto L71;
                                                                          									}
                                                                          									_t135 =  *0x47e124; // 0x2
                                                                          									__eflags = _v184.dwMinorVersion - _t135;
                                                                          									if(__eflags > 0) {
                                                                          										L70:
                                                                          										_t123 = 1;
                                                                          										goto L71;
                                                                          									}
                                                                          									if(__eflags != 0) {
                                                                          										goto L71;
                                                                          									}
                                                                          									__eflags = (_v20 & 0x0000ffff) -  *0x47e128; // 0x0
                                                                          									if(__eflags < 0) {
                                                                          										goto L71;
                                                                          									}
                                                                          									goto L70;
                                                                          								}
                                                                          								__eflags = _v184.dwMajorVersion - _t134;
                                                                          								if(_v184.dwMajorVersion > _t134) {
                                                                          									goto L70;
                                                                          								}
                                                                          								goto L65;
                                                                          							}
                                                                          							_t149 = _v184.dwBuildNumber;
                                                                          							_t137 =  *0x47e11c; // 0x0
                                                                          							__eflags = _t86 & 0x00000001;
                                                                          							if((_t86 & 0x00000001) != 0) {
                                                                          								__eflags = (_t149 & 0x0000ffff) - _t137;
                                                                          								if((_t149 & 0x0000ffff) >= _t137) {
                                                                          									_t123 = 1;
                                                                          									_t151 = 0;
                                                                          									__eflags = 0;
                                                                          								}
                                                                          							}
                                                                          							__eflags = _t86 & 0x00000002;
                                                                          							if((_t86 & 0x00000002) == 0) {
                                                                          								goto L71;
                                                                          							} else {
                                                                          								_t150 = _t149 & 0x0000ffff;
                                                                          								__eflags = _t150 - 0x7ce;
                                                                          								if(_t150 < 0x7ce) {
                                                                          									goto L71;
                                                                          								}
                                                                          								__eflags = _t150 - _t137;
                                                                          								if(_t150 < _t137) {
                                                                          									goto L71;
                                                                          								}
                                                                          								__eflags = _v184.dwMinorVersion - 1;
                                                                          								if(_v184.dwMinorVersion < 1) {
                                                                          									goto L71;
                                                                          								}
                                                                          								_t123 = 1;
                                                                          								goto L62;
                                                                          							}
                                                                          						}
                                                                          						__eflags =  *0x47e120 - 5;
                                                                          						if( *0x47e120 != 5) {
                                                                          							E0041C047( &_v16, "NT", _t151);
                                                                          							_t92 =  *0x47e120; // 0x5
                                                                          							__eflags = _t92 - _t151;
                                                                          							if(_t92 != _t151) {
                                                                          								_push( *0x47e124);
                                                                          								_push(_t92);
                                                                          								E0041C467( &_v16, " %d.%d");
                                                                          								_t157 = _t157 + 0x10;
                                                                          							}
                                                                          							L50:
                                                                          							_t93 =  *0x47e128; // 0x0
                                                                          							__eflags = _t93 - _t151;
                                                                          							if(_t93 > _t151) {
                                                                          								_push(_t93);
                                                                          								E0041C467( &_v16, _t153);
                                                                          							}
                                                                          							E0041C047( &_v16, "/", _t151);
                                                                          							goto L53;
                                                                          						}
                                                                          						_t99 =  *0x47e124; // 0x2
                                                                          						__eflags = _t99 - _t151;
                                                                          						if(_t99 != _t151) {
                                                                          							__eflags = _t99 - 1;
                                                                          							if(_t99 != 1) {
                                                                          								goto L50;
                                                                          							}
                                                                          							_push(_t151);
                                                                          							_push("XP");
                                                                          							L45:
                                                                          							E0041C047( &_v16);
                                                                          							goto L50;
                                                                          						}
                                                                          						_push(_t151);
                                                                          						_push("2000");
                                                                          						goto L45;
                                                                          					}
                                                                          				}
                                                                          			}
































                                                                          APIs
                                                                          • GetVersionExA.KERNEL32(?,?,00000000,00000001), ref: 00420408
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Version
                                                                          • String ID: -/$Win $ %d.%d$ (%d.%d.%d)$ SP%d$2000$95 (OSR2)/$95/$98 SE/$98/$CSDVersion$ME/$System\CurrentControlSet\Control\Windows$Windows 2000$Windows 2003$Windows 32s $Windows 95 $Windows 98 $Windows ME$Windows NT %d.%d$Windows XP
                                                                          • API String ID: 1889659487-740960729
                                                                          • Opcode ID: 6a0f525bd7985fdb30faff8a1c78a6b5a2a9e847dc414c89a137130ad6e84491
                                                                          • Instruction ID: 2417f0839384a8edb32b0f15c93a5ee3403d1f3a49fea074af27b245caaf526f
                                                                          • Opcode Fuzzy Hash: 6a0f525bd7985fdb30faff8a1c78a6b5a2a9e847dc414c89a137130ad6e84491
                                                                          • Instruction Fuzzy Hash: 55A1BC70F40224AACB20DB42EC46FEF77B9EB95704FA041ABE44562252D7785AC4CE5E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 79%
                                                                          			E0041E01C(void* __eflags, struct HWND__* _a4, int _a8, signed char _a11, intOrPtr* _a12) {
                                                                          				int _v8;
                                                                          				long _v12;
                                                                          				signed int _v16;
                                                                          				signed int _v20;
                                                                          				signed int _v24;
                                                                          				void* _v40;
                                                                          				void* _v56;
                                                                          				struct HDC__* _v60;
                                                                          				void* _v64;
                                                                          				int _v68;
                                                                          				int _v72;
                                                                          				int _v76;
                                                                          				signed int _v80;
                                                                          				signed int _v84;
                                                                          				struct _DOCINFOA _v104;
                                                                          				struct tagRECT _v120;
                                                                          				signed int _v124;
                                                                          				signed int _v128;
                                                                          				intOrPtr _v132;
                                                                          				intOrPtr _v136;
                                                                          				signed int _v140;
                                                                          				signed int _v144;
                                                                          				long _v152;
                                                                          				char _v164;
                                                                          				char _v180;
                                                                          				char _v196;
                                                                          				int _t137;
                                                                          				int _t138;
                                                                          				struct HDC__* _t143;
                                                                          				signed int _t151;
                                                                          				long _t157;
                                                                          				struct HDC__* _t166;
                                                                          				intOrPtr* _t171;
                                                                          				int _t195;
                                                                          				int _t196;
                                                                          				struct tagPOINT* _t211;
                                                                          				int _t217;
                                                                          				int _t221;
                                                                          				signed int* _t224;
                                                                          				long _t225;
                                                                          				void* _t226;
                                                                          				void* _t227;
                                                                          
                                                                          				_t195 = _a8;
                                                                          				_v8 = GetDeviceCaps( *(_t195 + 0x10), 0x6e);
                                                                          				_v12 = GetDeviceCaps( *(_t195 + 0x10), 0x6f);
                                                                          				_a8 = GetDeviceCaps( *(_t195 + 0x10), 0x58);
                                                                          				_v16 = GetDeviceCaps( *(_t195 + 0x10), 0x5a);
                                                                          				_t137 = MulDiv(_v8, 0x5a0, _a8);
                                                                          				_v80 = _v80 & 0x00000000;
                                                                          				_v84 = _v84 & 0x00000000;
                                                                          				_v8 = _t137;
                                                                          				_v76 = _t137;
                                                                          				_t138 = MulDiv(_v12, 0x5a0, _v16);
                                                                          				_v140 = _v140 & 0x00000000;
                                                                          				_v144 = _v144 & 0x00000000;
                                                                          				_v72 = _t138;
                                                                          				_v136 = _v8 + 0xfffff4c0;
                                                                          				_v132 = _t138 + 0xfffff4c0;
                                                                          				E0041E814( &_v164);
                                                                          				_v128 = _v128 & 0x00000000;
                                                                          				E00424500( &_v64, 0, 0x30);
                                                                          				_t143 =  *(_t195 + 0x10);
                                                                          				_t227 = _t226 + 0xc;
                                                                          				_v20 = _v20 | 0xffffffff;
                                                                          				_v64 = _t143;
                                                                          				_v60 = _t143;
                                                                          				_v24 = _v128;
                                                                          				_v12 = SendMessageA(_a4, 0xe, 0, 0);
                                                                          				SendMessageA(_a4, 0x439, 0, 0);
                                                                          				SaveDC(_v64);
                                                                          				SetMapMode(_v64, 1);
                                                                          				_v8 =  ~(GetDeviceCaps( *(_t195 + 0x10), 0x70));
                                                                          				_t151 = GetDeviceCaps( *(_t195 + 0x10), 0x71);
                                                                          				_v8 = _v8 + MulDiv(0x5a0, _a8, 0x5a0);
                                                                          				_t217 =  ~_t151 + MulDiv(0x5a0, _v16, 0x5a0);
                                                                          				_v68 = _t217;
                                                                          				SetViewportOrgEx(_v64, _v8, _t217, 0);
                                                                          				_v16 = _v16 | 0xffffffff;
                                                                          				_a11 = 1;
                                                                          				L1:
                                                                          				L1:
                                                                          				if(_a11 == 0) {
                                                                          					_v16 = _v24;
                                                                          				}
                                                                          				asm("movsd");
                                                                          				asm("movsd");
                                                                          				asm("movsd");
                                                                          				asm("movsd");
                                                                          				asm("movsd");
                                                                          				asm("movsd");
                                                                          				asm("movsd");
                                                                          				asm("movsd");
                                                                          				_a11 = _a11 & 0x00000000;
                                                                          				_v128 = _v24;
                                                                          				_t157 = SendMessageA(_a4, 0x439, 0,  &_v64);
                                                                          				_t70 = _t157 - 1; // -1
                                                                          				_v24 = _t157;
                                                                          				_v124 = _t70;
                                                                          				asm("movsd");
                                                                          				asm("movsd");
                                                                          				asm("movsd");
                                                                          				asm("movsd");
                                                                          				if(_v16 >= _t157) {
                                                                          					goto L6;
                                                                          				}
                                                                          				_t224 = E00424DD9(0x18);
                                                                          				 *_t224 = _v128;
                                                                          				_t224[1] = _v124;
                                                                          				_t80 =  &(_t224[2]); // 0x8
                                                                          				CopyRect(_t80,  &_v120);
                                                                          				E0041E87A( &_v164, _t224, 0xffffffff);
                                                                          				E00427836(_v24,  &_v196, 0xa);
                                                                          				_t225 = _v12;
                                                                          				E00427836(_t225,  &_v180, 0xa);
                                                                          				_t227 = _t227 + 0x18;
                                                                          				if(_v24 != 0xffffffff && _v24 < _t225) {
                                                                          					goto L1;
                                                                          				}
                                                                          				L6:
                                                                          				_t211 = 0;
                                                                          				_v12 = _v152;
                                                                          				SendMessageA(_a4, 0x439, 0, 0);
                                                                          				RestoreDC(_v64, 0xffffffff);
                                                                          				_t221 = 0x14;
                                                                          				E00424500( &_v104, 0, _t221);
                                                                          				_v104.lpszDocName = _a12;
                                                                          				_v104.cbSize = _t221;
                                                                          				_v104.lpszOutput = 0;
                                                                          				_v104.lpszDatatype = 0;
                                                                          				_v104.fwType = 0;
                                                                          				if(StartDocA( *(_t195 + 0x10),  &_v104) != 0xffffffff) {
                                                                          					_t166 =  *(_t195 + 0x10);
                                                                          					_v64 = _t166;
                                                                          					_v60 = _t166;
                                                                          					SaveDC(_t166);
                                                                          					_a8 = 0;
                                                                          					while(1) {
                                                                          						StartPage( *(_t195 + 0x10));
                                                                          						SetMapMode( *(_t195 + 0x10), 1);
                                                                          						SetViewportOrgEx(_v64, _v8, _v68, _t211);
                                                                          						_t171 = E0041E860( &_v164, _a8);
                                                                          						asm("movsd");
                                                                          						asm("movsd");
                                                                          						asm("movsd");
                                                                          						asm("movsd");
                                                                          						asm("movsd");
                                                                          						asm("movsd");
                                                                          						asm("movsd");
                                                                          						asm("movsd");
                                                                          						_a12 = _t171;
                                                                          						_v24 =  *_t171;
                                                                          						_v20 =  *(_t171 + 4);
                                                                          						_v24 = SendMessageA(_a4, 0x439, 1,  &_v64);
                                                                          						EndPage( *(_t195 + 0x10));
                                                                          						E00424DCE(_a12);
                                                                          						_a8 = _a8 + 1;
                                                                          						if(_a8 >= _v12) {
                                                                          							break;
                                                                          						}
                                                                          						_t211 = 0;
                                                                          					}
                                                                          					RestoreDC(_v64, 0xffffffff);
                                                                          					EndDoc( *(_t195 + 0x10));
                                                                          					SendMessageA(_a4, 0x439, 0, 0);
                                                                          					_t196 = 1;
                                                                          				} else {
                                                                          					_t196 = 0;
                                                                          				}
                                                                          				E0041E841( &_v164);
                                                                          				return _t196;
                                                                          			}


                                                                          APIs
                                                                          • GetDeviceCaps.GDI32(?,0000006E), ref: 0041E036
                                                                          • GetDeviceCaps.GDI32(?,0000006F), ref: 0041E040
                                                                          • GetDeviceCaps.GDI32(?,00000058), ref: 0041E04A
                                                                          • GetDeviceCaps.GDI32(?,0000005A), ref: 0041E054
                                                                          • MulDiv.KERNEL32(?,000005A0,?), ref: 0041E065
                                                                          • MulDiv.KERNEL32(?,000005A0,?), ref: 0041E080
                                                                            • Part of subcall function 0041E814: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0040E8F7,00000000,0042290E,00000000,00000001,00000000,00000000,00000000,0000005C,00000000,00000000,00000000,00000001), ref: 0041E82A
                                                                            • Part of subcall function 0041E814: GlobalLock.KERNEL32 ref: 0041E834
                                                                          • SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 0041E0E9
                                                                          • SendMessageA.USER32(?,00000439,00000000,00000000), ref: 0041E0FE
                                                                          • SaveDC.GDI32(?), ref: 0041E107
                                                                          • SetMapMode.GDI32(?,00000001), ref: 0041E112
                                                                          • GetDeviceCaps.GDI32(000000FF,00000070), ref: 0041E11D
                                                                          • GetDeviceCaps.GDI32(000000FF,00000071), ref: 0041E129
                                                                          • MulDiv.KERNEL32(000005A0,?,000005A0), ref: 0041E134
                                                                          • MulDiv.KERNEL32(000005A0,?,000005A0), ref: 0041E142
                                                                          • SetViewportOrgEx.GDI32(?,?,00000000,00000000), ref: 0041E156
                                                                          • SendMessageA.USER32(?,00000439,00000000,?), ref: 0041E19F
                                                                          • CopyRect.USER32 ref: 0041E1DA
                                                                          • SendMessageA.USER32(?,00000439,00000000,00000000), ref: 0041E238
                                                                          • RestoreDC.GDI32(?,000000FF), ref: 0041E243
                                                                          • StartDocA.GDI32(000000FF,?), ref: 0041E273
                                                                          • SaveDC.GDI32(000000FF), ref: 0041E28F
                                                                          • StartPage.GDI32(000000FF), ref: 0041E29F
                                                                          • SetMapMode.GDI32(000000FF,00000001), ref: 0041E2AA
                                                                          • SetViewportOrgEx.GDI32(?,?,?,00000000), ref: 0041E2BA
                                                                          • SendMessageA.USER32(?,00000439,00000001,?), ref: 0041E2FE
                                                                          • EndPage.GDI32(000000FF), ref: 0041E30A
                                                                          • RestoreDC.GDI32(?,000000FF), ref: 0041E32D
                                                                          • EndDoc.GDI32(000000FF), ref: 0041E336
                                                                          • SendMessageA.USER32(?,00000439,00000000,00000000), ref: 0041E348
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: CapsDeviceMessageSend$GlobalModePageRestoreSaveStartViewport$AllocCopyLockRect
                                                                          • String ID:
                                                                          • API String ID: 54228542-0
                                                                          • Opcode ID: 29e6c191569b3bbdfa7c37b12c6a74977c0f2874edb9c76f228611af02002a36
                                                                          • Instruction ID: 8899b8a3c47762d5e30adf8522a6582b7fb057d6e4100d733f1496dcfd388cca
                                                                          • Opcode Fuzzy Hash: 29e6c191569b3bbdfa7c37b12c6a74977c0f2874edb9c76f228611af02002a36
                                                                          • Instruction Fuzzy Hash: E8B10F71E01218EFDF219FA5DC48B9EBBB5EF05310F10816AF924AA2A0CB719A55CF54
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 85%
                                                                          			E00413CFF(void* __edi, void* __eflags, intOrPtr _a4) {
                                                                          				char _v8;
                                                                          				CHAR* _v12;
                                                                          				CHAR* _v16;
                                                                          				struct HINSTANCE__* _v28;
                                                                          				char _v40;
                                                                          				char _v52;
                                                                          				char _v64;
                                                                          				char _v76;
                                                                          				struct _PROCESS_INFORMATION _v92;
                                                                          				struct _STARTUPINFOA _v160;
                                                                          				void _v678;
                                                                          				short _v680;
                                                                          				char _v940;
                                                                          				void* _t90;
                                                                          				void* _t99;
                                                                          				void* _t113;
                                                                          				struct HINSTANCE__* _t121;
                                                                          				struct HINSTANCE__* _t132;
                                                                          				struct HINSTANCE__* _t133;
                                                                          				void* _t135;
                                                                          				void* _t136;
                                                                          				_Unknown_base(*)()* _t139;
                                                                          				struct HINSTANCE__* _t144;
                                                                          				void* _t212;
                                                                          				struct HINSTANCE__* _t221;
                                                                          				long _t222;
                                                                          				void* _t223;
                                                                          
                                                                          				_v8 = 0;
                                                                          				E0041BDC5( &_v28);
                                                                          				_v16 = 0;
                                                                          				if( *((intOrPtr*)(_a4 + 0xc)) > 0) {
                                                                          					do {
                                                                          						_t99 = E0041E860(_a4, _v16);
                                                                          						_t9 = _t99 + 4; // 0x4
                                                                          						_t218 = _t9;
                                                                          						E0041BE99( &_v52, _t9);
                                                                          						if(_t99 != 0) {
                                                                          							E0041BEFB(_t218);
                                                                          							E00424DCE(_t211);
                                                                          						}
                                                                          						GetCurrentDirectoryA(0x104,  &_v940);
                                                                          						E0041BE99( &_v76,  &_v52);
                                                                          						_t212 = E0041C7DB( &_v76, "\\", 0, 1);
                                                                          						_t227 = _t212 - 0xffffffff;
                                                                          						if(_t212 != 0xffffffff) {
                                                                          							(E0041CD1E( &_v76))[_t212] = 0;
                                                                          						}
                                                                          						SetCurrentDirectoryA(E0041CD1E( &_v76));
                                                                          						E0041BE99( &_v40, E0041CC95( &_v52, _v52 + 0xfffffffc, 4));
                                                                          						E0041CD68( &_v40);
                                                                          						_t113 = E0041C1FA( &_v40, _t227, ".TLB", 1);
                                                                          						_t228 = _t113;
                                                                          						if(_t113 != 0) {
                                                                          							L21:
                                                                          							_v680 = 0;
                                                                          							memset( &_v678, 0, 0x81 << 2);
                                                                          							_t223 = _t223 + 0xc;
                                                                          							asm("stosw");
                                                                          							MultiByteToWideChar(0, 0, E0041CD1E( &_v52), 0xffffffff,  &_v680, 0x104);
                                                                          							SetErrorMode(1);
                                                                          							__imp__CoInitialize(0);
                                                                          							_v12 = 0;
                                                                          							_t121 =  &_v680;
                                                                          							__imp__#161(_t121,  &_v12);
                                                                          							__eflags = _t121;
                                                                          							if(_t121 != 0) {
                                                                          								L24:
                                                                          								_v8 = _v8 + 1;
                                                                          								__eflags = _v28;
                                                                          								if(__eflags > 0) {
                                                                          									E0041BFF8( &_v28, 0xa);
                                                                          								}
                                                                          								E0041C0C5( &_v28, __eflags,  &_v52);
                                                                          							} else {
                                                                          								__eflags = _v12;
                                                                          								if(_v12 != 0) {
                                                                          									_t132 =  &_v680;
                                                                          									__imp__#163(_v12, _t132, 0);
                                                                          									_t133 = _v12;
                                                                          									 *((intOrPtr*)(_t133->i + 8))(_t133);
                                                                          									__eflags = _t132;
                                                                          									if(_t132 != 0) {
                                                                          										goto L24;
                                                                          									}
                                                                          								}
                                                                          							}
                                                                          							__imp__CoUninitialize();
                                                                          							SetErrorMode(0);
                                                                          						} else {
                                                                          							_t135 = E0041C1FA( &_v40, _t228, ".OLB", 1);
                                                                          							_t229 = _t135;
                                                                          							if(_t135 != 0) {
                                                                          								goto L21;
                                                                          							} else {
                                                                          								_t136 = E0041C1FA( &_v40, _t229, ".EXE", 1);
                                                                          								_t230 = _t136;
                                                                          								if(_t136 == 0) {
                                                                          									__imp__OleInitialize(0);
                                                                          									_t221 = LoadLibraryA(E0041CD1E( &_v52));
                                                                          									__eflags = _t221;
                                                                          									if(_t221 != 0) {
                                                                          										_t139 = GetProcAddress(_t221, "DllRegisterServer");
                                                                          										__eflags = _t139;
                                                                          										if(_t139 == 0) {
                                                                          											L16:
                                                                          											__eflags = _v28;
                                                                          											if(__eflags > 0) {
                                                                          												E0041C047( &_v28, "\n", 0);
                                                                          											}
                                                                          											E0041C0C5( &_v28, __eflags,  &_v52);
                                                                          											_t46 =  &_v8;
                                                                          											 *_t46 = _v8 + 1;
                                                                          											__eflags =  *_t46;
                                                                          										} else {
                                                                          											_t144 =  *_t139();
                                                                          											__eflags = _t144;
                                                                          											if(_t144 != 0) {
                                                                          												goto L16;
                                                                          											}
                                                                          										}
                                                                          										FreeLibrary(_t221);
                                                                          									} else {
                                                                          										__eflags = _v28;
                                                                          										if(__eflags > 0) {
                                                                          											E0041C047( &_v28, "\n", 0);
                                                                          										}
                                                                          										E0041C0C5( &_v28, __eflags,  &_v52);
                                                                          										_v8 = _v8 + 1;
                                                                          									}
                                                                          									__imp__OleUninitialize();
                                                                          								} else {
                                                                          									E0041BE35( &_v64, "\"");
                                                                          									E0041C0C5( &_v64, _t230,  &_v52);
                                                                          									E0041C047( &_v64, "\" /RegServer", 0);
                                                                          									_t222 = 0x44;
                                                                          									E00424500( &_v160, 0, _t222);
                                                                          									_v160.cb = _t222;
                                                                          									E00424500( &_v92, 0, 0x10);
                                                                          									_t223 = _t223 + 0x18;
                                                                          									CreateProcessA(0, E0041CD1E( &_v64), 0, 0, 0, 0, 0, 0,  &_v160,  &_v92);
                                                                          									Sleep(0x32);
                                                                          									E0041BEFB( &_v64);
                                                                          								}
                                                                          							}
                                                                          						}
                                                                          						SetCurrentDirectoryA( &_v940);
                                                                          						E0041BEFB( &_v40);
                                                                          						E0041BEFB( &_v76);
                                                                          						E0041BEFB( &_v52);
                                                                          						_v16 = _v16 + 1;
                                                                          					} while (_v16 <  *((intOrPtr*)(_a4 + 0xc)));
                                                                          				}
                                                                          				E0041E921(_a4);
                                                                          				if(_v8 > 0) {
                                                                          					_t90 = E0041D46F("<__Internal_RegistrationFailed__>");
                                                                          					_t233 = _t90;
                                                                          					if(_t90 == 0) {
                                                                          						_t90 = E0041CD1E(0x47f0e0);
                                                                          					}
                                                                          					E0041BE35( &_v40, _t90);
                                                                          					E0041CBF9( &_v40, _t233, "<\\n>", "\n", 0, 0, 1);
                                                                          					E0041C047( &_v40, "\n", 0);
                                                                          					E0041C0C5( &_v40, _t233,  &_v28);
                                                                          					E0041B2A8( *0x47e178, E0041CD1E( &_v40), 0);
                                                                          					E0041BEFB( &_v40);
                                                                          				}
                                                                          				return E0041BEFB( &_v28);
                                                                          			}






























                                                                          0x00413fde
                                                                          0x00413fe3
                                                                          0x00413fec
                                                                          0x00413ff5
                                                                          0x00413ff9
                                                                          0x00414001
                                                                          0x00414008
                                                                          0x0041400d
                                                                          0x0041400f
                                                                          0x00414016
                                                                          0x00414016
                                                                          0x0041401f
                                                                          0x00414036
                                                                          0x00414040
                                                                          0x0041404c
                                                                          0x00414066
                                                                          0x0041406e
                                                                          0x0041406e
                                                                          0x0041407e

                                                                          APIs
                                                                            • Part of subcall function 0041BDC5: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0041C189,00000000,0047E4D0,00000000), ref: 0041BDD5
                                                                            • Part of subcall function 0041BDC5: GlobalLock.KERNEL32 ref: 0041BDDF
                                                                            • Part of subcall function 0041BE99: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0042C1D8,00421A71,00000000,00000000,00000000,0042C1D8,00000000,00000001,00000000,00000001,0000005C,00000000,00000000), ref: 0041BEB3
                                                                            • Part of subcall function 0041BE99: GlobalLock.KERNEL32 ref: 0041BED4
                                                                          • GetCurrentDirectoryA.KERNEL32(00000104,?,00000004,?,76908BA0,0047E880,00000000), ref: 00413D5F
                                                                          • SetCurrentDirectoryA.KERNEL32(00000000,0042BC5C,00000000,00000001,?), ref: 00413D9C
                                                                          • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000001,.TLB,00000001,00000000,?,00000004), ref: 00413E71
                                                                          • LoadLibraryA.KERNEL32(00000000), ref: 00413E9C
                                                                          • GetProcAddress.KERNEL32(00000000,DllRegisterServer), ref: 00413ED2
                                                                          • FreeLibrary.KERNEL32(00000000,?), ref: 00413F05
                                                                          • OleUninitialize.OLE32 ref: 00413F0B
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104,.TLB,00000001,00000000,?,00000004), ref: 00413F43
                                                                          • SetErrorMode.KERNEL32(00000001), ref: 00413F51
                                                                          • CoInitialize.OLE32(00000000), ref: 00413F54
                                                                          • LoadTypeLib.OLEAUT32(?,?), ref: 00413F68
                                                                          • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00413F82
                                                                          • CoUninitialize.OLE32(?), ref: 00413FB5
                                                                          • SetErrorMode.KERNEL32(00000000), ref: 00413FBC
                                                                            • Part of subcall function 0041C047: lstrlenA.KERNEL32(00000000,00422D86,0047E788,004221EF,103,00000000,00000000,00000000,00000000,0047E788,00000000), ref: 0041C04F
                                                                            • Part of subcall function 0041C047: GlobalUnlock.KERNEL32(8415FF57), ref: 0041C067
                                                                            • Part of subcall function 0041C047: GlobalReAlloc.KERNEL32 ref: 0041C074
                                                                            • Part of subcall function 0041C047: GlobalLock.KERNEL32 ref: 0041C095
                                                                          • SetCurrentDirectoryA.KERNEL32(?), ref: 00413FC5
                                                                          • OleInitialize.OLE32(00000000), ref: 00413E8D
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          • Sleep.KERNEL32(00000032), ref: 00413E79
                                                                            • Part of subcall function 0041BEFB: GlobalUnlock.KERNEL32(?,00000000,0041C1E9,00000000,00000010,00000000,0047E4D0,00000000), ref: 0041BF01
                                                                            • Part of subcall function 0041BEFB: GlobalFree.KERNEL32 ref: 0041BF0A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocLock$CurrentDirectoryUnlock$ErrorFreeInitializeLibraryLoadModeTypeUninitialize$AddressByteCharCreateMultiProcProcessRegisterSleepWidelstrlen
                                                                          • String ID: " /RegServer$.EXE$.OLB$.TLB$<\n>$<__Internal_RegistrationFailed__>$DllRegisterServer
                                                                          • API String ID: 4104066615-2501933237
                                                                          • Opcode ID: 75c37d0b52bb14feb4aa97639a786b202e0c3cf3cc6146b2f471712ea1ac7ff9
                                                                          • Instruction ID: 4537c82b285972284a216b033d865e15a8dd3af8c18363ac8b515f199ec2a324
                                                                          • Opcode Fuzzy Hash: 75c37d0b52bb14feb4aa97639a786b202e0c3cf3cc6146b2f471712ea1ac7ff9
                                                                          • Instruction Fuzzy Hash: DBA11E71940219ABCB14EFA1DC96DEEB778EF14309F50006EF506A3192DF385E86CA69
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 69%
                                                                          			E00407300(intOrPtr __ecx, void* __eflags, struct HINSTANCE__* _a4, long* _a8, signed int _a11) {
                                                                          				signed int _v5;
                                                                          				signed int _v6;
                                                                          				signed int _v7;
                                                                          				signed int _v12;
                                                                          				signed int _v16;
                                                                          				intOrPtr _v20;
                                                                          				CHAR* _v24;
                                                                          				char _v36;
                                                                          				char _v48;
                                                                          				char _v60;
                                                                          				char _v72;
                                                                          				char _v84;
                                                                          				unsigned int _t149;
                                                                          				signed int _t151;
                                                                          				long _t162;
                                                                          				struct HWND__* _t169;
                                                                          				long _t171;
                                                                          				long _t173;
                                                                          				long _t175;
                                                                          				void* _t180;
                                                                          				signed int _t185;
                                                                          				intOrPtr _t187;
                                                                          				struct HINSTANCE__* _t188;
                                                                          				signed int _t189;
                                                                          				signed int _t191;
                                                                          				long _t196;
                                                                          				CHAR* _t207;
                                                                          				signed int _t208;
                                                                          				void* _t214;
                                                                          				CHAR* _t220;
                                                                          				void* _t226;
                                                                          				void* _t229;
                                                                          				signed int _t238;
                                                                          				long _t239;
                                                                          				long _t241;
                                                                          				signed int _t256;
                                                                          				intOrPtr _t259;
                                                                          				signed int* _t260;
                                                                          				CHAR* _t261;
                                                                          				CHAR* _t262;
                                                                          				long _t276;
                                                                          				CHAR* _t282;
                                                                          				long _t317;
                                                                          				intOrPtr _t318;
                                                                          				long* _t321;
                                                                          
                                                                          				_t318 = __ecx;
                                                                          				_v20 = __ecx;
                                                                          				if(E00407D82(__ecx) == 0) {
                                                                          					_v16 =  *((intOrPtr*)(__ecx + 0x1c));
                                                                          				} else {
                                                                          					_v16 = _v16 & 0x00000000;
                                                                          				}
                                                                          				if(E00407D82(_t318) == 0) {
                                                                          					_v12 =  *((intOrPtr*)(_t318 + 0x20));
                                                                          				} else {
                                                                          					_v12 = _v12 & 0x00000000;
                                                                          				}
                                                                          				_t321 = _a8;
                                                                          				_v5 = _v5 & 0x00000000;
                                                                          				if(_t321[2] == 6) {
                                                                          					_t261 = "RichEd20.dll";
                                                                          					if(GetModuleHandleA(_t261) != 0 || LoadLibraryA(_t261) != 0) {
                                                                          						_v5 = 1;
                                                                          					} else {
                                                                          						_t262 = "RichEd32.dll";
                                                                          						_t256 = GetModuleHandleA(_t262);
                                                                          						__eflags = _t256;
                                                                          						if(_t256 == 0) {
                                                                          							LoadLibraryA(_t262);
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          				_t317 = _t321[2];
                                                                          				if(_t317 != 0xc) {
                                                                          					_a11 = _a11 & 0x00000000;
                                                                          					_v6 = _v6 & 0x00000000;
                                                                          					_v7 = _v7 & 0x00000000;
                                                                          					__eflags = _t317 - 3;
                                                                          					if(_t317 == 3) {
                                                                          						L25:
                                                                          						_t149 = _t321[1];
                                                                          						_t321[1] = _t149 & 0x7fffffff;
                                                                          						__eflags = _t149 >> 0x0000001f & 0x00000001;
                                                                          						if((_t149 >> 0x0000001f & 0x00000001) != 0) {
                                                                          							__eflags = _t317 - 2;
                                                                          							if(_t317 != 2) {
                                                                          								__eflags = _t317 - 9;
                                                                          								if(_t317 != 9) {
                                                                          									__eflags = _t317 - 6;
                                                                          									if(_t317 != 6) {
                                                                          										_v7 = 1;
                                                                          									}
                                                                          								}
                                                                          							}
                                                                          						}
                                                                          						L30:
                                                                          						__eflags = _t317 - 1;
                                                                          						if(_t317 == 1) {
                                                                          							_t238 = _t321[1];
                                                                          							__eflags = _t238 & 0x80000000;
                                                                          							if((_t238 & 0x80000000) != 0) {
                                                                          								_t239 = _t238 & 0x7fffffff;
                                                                          								__eflags = _t239;
                                                                          								_a11 = _t317;
                                                                          								_t321[1] = _t239;
                                                                          							}
                                                                          						}
                                                                          						__eflags = _t317 - 1;
                                                                          						if(_t317 == 1) {
                                                                          							_push(0);
                                                                          							_push(0);
                                                                          							_t42 =  &(_t321[0xe]); // 0x38
                                                                          							_push("hyperlink:");
                                                                          							_t208 = E0041C6D0(_t42);
                                                                          							__eflags = _t208;
                                                                          							if(_t208 == 0) {
                                                                          								E0041BDC5( &_v84);
                                                                          								E0041BDC5( &_v72);
                                                                          								_t45 =  &(_t321[0xe]); // 0x38
                                                                          								E0041BE99( &_v36, _t45);
                                                                          								E0041C3A9( &_v36, 0, 0xa);
                                                                          								_push(0);
                                                                          								_push(0);
                                                                          								_push("text=\"");
                                                                          								_t214 = E0041C6D0( &_v36);
                                                                          								__eflags = _t214 - 0xffffffff;
                                                                          								if(_t214 != 0xffffffff) {
                                                                          									E0041C3A9( &_v36, 0, _t214 + 6);
                                                                          									_t220 = E0041C6AD( &_v36, 0x22, 0);
                                                                          									__eflags = _t220 - 0xffffffff;
                                                                          									_v24 = _t220;
                                                                          									if(_t220 != 0xffffffff) {
                                                                          										E0041BF80( &_v84, E0041CC95( &_v36, 0, _t220));
                                                                          										E0041C3A9( &_v36, 0,  &(_v24[1]));
                                                                          										_push(0);
                                                                          										_push(0);
                                                                          										_push("link=\"");
                                                                          										_t226 = E0041C6D0( &_v36);
                                                                          										__eflags = _t226 - 0xffffffff;
                                                                          										if(_t226 != 0xffffffff) {
                                                                          											E0041C3A9( &_v36, 0, _t226 + 6);
                                                                          											_t229 = E0041C6AD( &_v36, 0x22, 0);
                                                                          											__eflags = _t229 - 0xffffffff;
                                                                          											if(_t229 != 0xffffffff) {
                                                                          												E0041BF80( &_v72, E0041CC95( &_v36, 0, _t229));
                                                                          												_t62 =  &(_t321[0x11]); // 0x44
                                                                          												_v6 = 1;
                                                                          												E0041BF80(_t62,  &_v72);
                                                                          												_t64 =  &(_t321[0x11]); // 0x44
                                                                          												E0041B3B9(0x47dfb8, _t64, 0x7fffffff);
                                                                          												_t66 =  &(_t321[0xe]); // 0x38
                                                                          												E0041BF80(_t66,  &_v84);
                                                                          											}
                                                                          										}
                                                                          									}
                                                                          								}
                                                                          								E0041BEFB( &_v36);
                                                                          								E0041BEFB( &_v72);
                                                                          								E0041BEFB( &_v84);
                                                                          							}
                                                                          						}
                                                                          						_t151 = _t321[2];
                                                                          						__eflags = _t151 - 6;
                                                                          						_v24 =  *((intOrPtr*)(0x42b920 + _t151 * 4));
                                                                          						if(_t151 == 6) {
                                                                          							__eflags = _v5;
                                                                          							if(_v5 != 0) {
                                                                          								_t207 =  *0x42b954; // 0x42b958
                                                                          								_v24 = _t207;
                                                                          							}
                                                                          						}
                                                                          						_t76 =  &(_t321[0xe]); // 0x38
                                                                          						E0041BE99( &_v48, _t76);
                                                                          						E0041B3B9(0x47dfb8,  &_v48, 0x7fffffff);
                                                                          						E0041A81A(__eflags,  &_v48);
                                                                          						E004164B1(0x47dfb8, __eflags,  &_v48);
                                                                          						E0041BE99( &_v60,  &_v48);
                                                                          						_t162 = _t321[2];
                                                                          						__eflags = _t162 - 7;
                                                                          						if(_t162 == 7) {
                                                                          							L46:
                                                                          							E0041BF12( &_v60, 0x42e0c8);
                                                                          							goto L47;
                                                                          						} else {
                                                                          							__eflags = _t162 - 8;
                                                                          							if(_t162 != 8) {
                                                                          								L47:
                                                                          								_t259 = _v20;
                                                                          								_t91 = _t259 + 4; // 0x7d808b7c
                                                                          								_t169 = CreateWindowExA(_t321[1], _v24, E0041CD1E( &_v60),  *_t321, _t321[5] + _v16, _t321[6] + _v12, _t321[7], _t321[8],  *_t91, _t321[4], _a4, 0);
                                                                          								__eflags = _t169;
                                                                          								_t321[0x14] = _t169;
                                                                          								if(_t169 != 0) {
                                                                          									_t276 = _t321[2];
                                                                          									__eflags = _t276 - 6;
                                                                          									if(_t276 == 6) {
                                                                          										L52:
                                                                          										SendMessageA(_t169, 0xc5, 0x2ffffffe, 0);
                                                                          										L53:
                                                                          										_t171 = _t321[2];
                                                                          										__eflags = _t171 - 7;
                                                                          										if(_t171 == 7) {
                                                                          											L55:
                                                                          											__eflags = _t321[0xe];
                                                                          											if(_t321[0xe] <= 0) {
                                                                          												L59:
                                                                          												_t173 = _t321[2];
                                                                          												__eflags = _t173 - 4;
                                                                          												if(_t173 == 4) {
                                                                          													L61:
                                                                          													__eflags =  *0x47e19c;
                                                                          													if( *0x47e19c == 0) {
                                                                          														L68:
                                                                          														__eflags = _v6;
                                                                          														if(_v6 == 0) {
                                                                          															__eflags = _a11;
                                                                          															_push(0);
                                                                          															if(_a11 == 0) {
                                                                          																_t136 = _t259 + 0x48; // 0x774c085
                                                                          																_push( *_t136);
                                                                          															} else {
                                                                          																_t135 = _t259 + 0x4c; // 0x8244c8b
                                                                          																_push( *_t135);
                                                                          															}
                                                                          															SendMessageA(_t321[0x14], 0x30, ??, ??);
                                                                          														} else {
                                                                          															SetWindowLongA(_t321[0x14], 0xffffffeb, 1);
                                                                          															__eflags = _a11;
                                                                          															_push(0);
                                                                          															if(_a11 == 0) {
                                                                          																_t125 = _t259 + 0x50; // 0xc2244889
                                                                          																_push( *_t125);
                                                                          															} else {
                                                                          																_t124 = _t259 + 0x54; // 0x56530008
                                                                          																_push( *_t124);
                                                                          															}
                                                                          															SendMessageA(_t321[0x14], 0x30, ??, ??);
                                                                          															__eflags =  *(_t259 + 0x9c) & 0x00000001;
                                                                          															if(( *(_t259 + 0x9c) & 0x00000001) == 0) {
                                                                          																_t185 = LoadCursorA(0, 0x7f89);
                                                                          																_t260 = _t259 + 0xa0;
                                                                          																__eflags = _t185;
                                                                          																 *_t260 = _t185;
                                                                          																if(_t185 == 0) {
                                                                          																	 *_t260 = LoadCursorA(_a4, 0x98);
                                                                          																}
                                                                          																_t259 = _v20;
                                                                          															}
                                                                          															 *(_t259 + 0x9c) =  *(_t259 + 0x9c) | 0x00000001;
                                                                          														}
                                                                          														_t175 = _t321[2];
                                                                          														__eflags = _t175 - 6;
                                                                          														if(_t175 != 6) {
                                                                          															__eflags = _t175 - 0xb;
                                                                          															if(_t175 != 0xb) {
                                                                          																goto L86;
                                                                          															}
                                                                          															_push(_t321[0xb]);
                                                                          															_push(0);
                                                                          															_push(0x111d);
                                                                          															goto L85;
                                                                          														} else {
                                                                          															_push(_t321[0xb]);
                                                                          															_push(0);
                                                                          															_push(0x443);
                                                                          															L85:
                                                                          															SendMessageA(_t321[0x14], ??, ??, ??);
                                                                          															L86:
                                                                          															__eflags = _v7;
                                                                          															if(_v7 != 0) {
                                                                          																E00406E4B(_t259, _t321);
                                                                          															}
                                                                          															_push(_t321);
                                                                          															E00406F81();
                                                                          															E00408006(_t321);
                                                                          															E0041BEFB( &_v60);
                                                                          															E0041BEFB( &_v48);
                                                                          															goto L89;
                                                                          														}
                                                                          													}
                                                                          													_t187 =  *0x47e1e0; // 0x6
                                                                          													__eflags = _t187 - 5;
                                                                          													if(__eflags > 0) {
                                                                          														L65:
                                                                          														_t188 = LoadLibraryA("UxTheme.dll");
                                                                          														__eflags = _t188;
                                                                          														if(_t188 != 0) {
                                                                          															_t189 = GetProcAddress(_t188, "SetWindowTheme");
                                                                          															__eflags = _t189;
                                                                          															if(_t189 != 0) {
                                                                          																_t282 = " ";
                                                                          																 *_t189(_t321[0x14], _t282, _t282);
                                                                          															}
                                                                          														}
                                                                          														goto L68;
                                                                          													}
                                                                          													if(__eflags != 0) {
                                                                          														goto L68;
                                                                          													}
                                                                          													__eflags =  *0x47e1e4 - 1;
                                                                          													if( *0x47e1e4 < 1) {
                                                                          														goto L68;
                                                                          													}
                                                                          													goto L65;
                                                                          												}
                                                                          												__eflags = _t173 - 3;
                                                                          												if(_t173 != 3) {
                                                                          													goto L68;
                                                                          												}
                                                                          												goto L61;
                                                                          											}
                                                                          											_v24 = 0;
                                                                          											_push(0);
                                                                          											while(1) {
                                                                          												_t191 = E0041C9D2( &_v48);
                                                                          												__eflags = _t191;
                                                                          												if(_t191 == 0) {
                                                                          													goto L59;
                                                                          												}
                                                                          												E0041BDC5( &_v84);
                                                                          												E0041C92F( &_v48,  &_v24,  &_v84);
                                                                          												_t196 = E0041CD1E( &_v84);
                                                                          												__eflags = _t321[2] - 7;
                                                                          												SendMessageA(_t321[0x14], ((0 | _t321[2] != 0x00000007) - 0x00000001 & 0x0000003d) + 0x143, 0, _t196);
                                                                          												E0041BEFB( &_v84);
                                                                          												_push(_v24);
                                                                          											}
                                                                          											goto L59;
                                                                          										}
                                                                          										__eflags = _t171 - 8;
                                                                          										if(_t171 != 8) {
                                                                          											goto L59;
                                                                          										}
                                                                          										goto L55;
                                                                          									}
                                                                          									__eflags = _t276 - 5;
                                                                          									if(_t276 != 5) {
                                                                          										goto L53;
                                                                          									}
                                                                          									__eflags =  *_t321 & 0x00000004;
                                                                          									if(( *_t321 & 0x00000004) == 0) {
                                                                          										goto L53;
                                                                          									}
                                                                          									goto L52;
                                                                          								}
                                                                          								E0041BEFB( &_v60);
                                                                          								return E0041BEFB( &_v48) | 0xffffffff;
                                                                          							}
                                                                          							goto L46;
                                                                          						}
                                                                          					}
                                                                          					__eflags = _t317 - 4;
                                                                          					if(_t317 == 4) {
                                                                          						goto L25;
                                                                          					}
                                                                          					__eflags = _t317 - 5;
                                                                          					if(_t317 == 5) {
                                                                          						goto L25;
                                                                          					}
                                                                          					__eflags = _t317 - 6;
                                                                          					if(_t317 == 6) {
                                                                          						goto L25;
                                                                          					}
                                                                          					__eflags = _t317 - 2;
                                                                          					if(_t317 == 2) {
                                                                          						goto L25;
                                                                          					}
                                                                          					__eflags = _t317 - 9;
                                                                          					if(_t317 != 9) {
                                                                          						goto L30;
                                                                          					}
                                                                          					goto L25;
                                                                          				} else {
                                                                          					if(E00424DD9(0x2c) == 0) {
                                                                          						_t241 = 0;
                                                                          						__eflags = 0;
                                                                          					} else {
                                                                          						_t241 = E0041EA76(_t240);
                                                                          					}
                                                                          					_t321[0x14] = _t241;
                                                                          					if(_t241 == 0) {
                                                                          						E0041D881(E0041CD1E(0x47e924));
                                                                          					}
                                                                          					asm("sbb eax, eax");
                                                                          					E0041EBAF(_t321[0x14],  *((intOrPtr*)(_t318 + 4)), _t321[5] + _v16, _t321[6] + _v12, _t321[7], _t321[8], _t321[9],  ~( *_t321 & 0x00000001) + 2);
                                                                          					 *(_t318 + 0x13) =  *(_t318 + 0x13) | 0x00000080;
                                                                          					L89:
                                                                          					_t180 = 1;
                                                                          					return _t180;
                                                                          				}
                                                                          			}

                                                                          0x00407700
                                                                          0x00407707
                                                                          0x00407749
                                                                          0x00407749
                                                                          0x0040774d
                                                                          0x004077b1
                                                                          0x004077b5
                                                                          0x004077b7
                                                                          0x004077be
                                                                          0x004077be
                                                                          0x004077b9
                                                                          0x004077b9
                                                                          0x004077b9
                                                                          0x004077b9
                                                                          0x004077c6
                                                                          0x0040774f
                                                                          0x00407756
                                                                          0x0040775c
                                                                          0x00407760
                                                                          0x00407762
                                                                          0x00407769
                                                                          0x00407769
                                                                          0x00407764
                                                                          0x00407764
                                                                          0x00407764
                                                                          0x00407764
                                                                          0x00407771
                                                                          0x00407773
                                                                          0x0040777a
                                                                          0x00407783
                                                                          0x00407789
                                                                          0x0040778f
                                                                          0x00407791
                                                                          0x00407793
                                                                          0x004077a3
                                                                          0x004077a3
                                                                          0x004077a5
                                                                          0x004077a5
                                                                          0x004077a8
                                                                          0x004077a8
                                                                          0x004077c8
                                                                          0x004077cb
                                                                          0x004077ce
                                                                          0x004077dc
                                                                          0x004077df
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004077e1
                                                                          0x004077e4
                                                                          0x004077e6
                                                                          0x00000000
                                                                          0x004077d0
                                                                          0x004077d0
                                                                          0x004077d3
                                                                          0x004077d5
                                                                          0x004077eb
                                                                          0x004077ee
                                                                          0x004077f0
                                                                          0x004077f0
                                                                          0x004077f4
                                                                          0x004077f9
                                                                          0x004077f9
                                                                          0x004077fe
                                                                          0x00407801
                                                                          0x00407807
                                                                          0x00407810
                                                                          0x00407818
                                                                          0x00000000
                                                                          0x00407818
                                                                          0x004077ce
                                                                          0x00407709
                                                                          0x0040770e
                                                                          0x00407711
                                                                          0x0040771e
                                                                          0x00407723
                                                                          0x00407729
                                                                          0x0040772b
                                                                          0x00407733
                                                                          0x00407739
                                                                          0x0040773b
                                                                          0x0040773d
                                                                          0x00407747
                                                                          0x00407747
                                                                          0x0040773b
                                                                          0x00000000
                                                                          0x0040772b
                                                                          0x00407713
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00407715
                                                                          0x0040771c
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040771c
                                                                          0x004076fb
                                                                          0x004076fe
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004076fe
                                                                          0x0040769b
                                                                          0x0040769e
                                                                          0x0040769f
                                                                          0x004076a2
                                                                          0x004076a7
                                                                          0x004076a9
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004076ae
                                                                          0x004076be
                                                                          0x004076c6
                                                                          0x004076ce
                                                                          0x004076e4
                                                                          0x004076e9
                                                                          0x004076ee
                                                                          0x004076ee
                                                                          0x00000000
                                                                          0x0040769f
                                                                          0x0040768f
                                                                          0x00407692
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00407692
                                                                          0x0040766e
                                                                          0x00407671
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00407673
                                                                          0x00407676
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00407676
                                                                          0x0040764b
                                                                          0x00000000
                                                                          0x00407658
                                                                          0x00000000
                                                                          0x004075f9
                                                                          0x004075f4
                                                                          0x00407402
                                                                          0x00407405
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00407407
                                                                          0x0040740a
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040740c
                                                                          0x0040740f
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00407411
                                                                          0x00407414
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00407416
                                                                          0x00407419
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00407387
                                                                          0x00407391
                                                                          0x0040739c
                                                                          0x0040739c
                                                                          0x00407393
                                                                          0x00407395
                                                                          0x00407395
                                                                          0x004073a0
                                                                          0x004073a3
                                                                          0x004073b0
                                                                          0x004073b5
                                                                          0x004073bf
                                                                          0x004073de
                                                                          0x004073e3
                                                                          0x0040781d
                                                                          0x0040781f
                                                                          0x00000000
                                                                          0x0040781f

                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(RichEd20.dll,?,00000000,00000000), ref: 0040734D
                                                                          • LoadLibraryA.KERNEL32(RichEd20.dll), ref: 00407358
                                                                          • GetModuleHandleA.KERNEL32(RichEd32.dll), ref: 0040736E
                                                                          • LoadLibraryA.KERNEL32(RichEd32.dll), ref: 00407379
                                                                          • CreateWindowExA.USER32 ref: 0040763B
                                                                            • Part of subcall function 0041C3A9: GlobalUnlock.KERNEL32(?,00000000,00000000,00421A09,00000000,00000001,0000005C,00000000,00000000,00000000,0000005C,00000000,00000000,0047E490,0047E788,00000000), ref: 0041C3D8
                                                                            • Part of subcall function 0041C3A9: GlobalReAlloc.KERNEL32 ref: 0041C3E5
                                                                            • Part of subcall function 0041C3A9: GlobalLock.KERNEL32 ref: 0041C406
                                                                          • SendMessageA.USER32(00000000,000000C5,2FFFFFFE,00000000), ref: 00407685
                                                                          • SendMessageA.USER32(?,-00000144,00000000,00000000), ref: 004076E4
                                                                          • LoadLibraryA.KERNEL32(UxTheme.dll), ref: 00407723
                                                                          • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00407733
                                                                          • SetWindowLongA.USER32(?,000000EB,00000001), ref: 00407756
                                                                          • SendMessageA.USER32(?,00000030,C2244889,00000000), ref: 00407771
                                                                          • LoadCursorA.USER32 ref: 00407783
                                                                            • Part of subcall function 0041BF80: GlobalUnlock.KERNEL32(?,00000000,00000000,004079C1,00000000), ref: 0041BF87
                                                                            • Part of subcall function 0041BF80: GlobalReAlloc.KERNEL32 ref: 0041BF9B
                                                                            • Part of subcall function 0041BF80: GlobalLock.KERNEL32 ref: 0041BFBC
                                                                          • LoadCursorA.USER32 ref: 0040779D
                                                                          • SendMessageA.USER32(?,00000030,0774C085,00000000), ref: 004077C6
                                                                          • SendMessageA.USER32(?,0000111D,00000000,?), ref: 004077EE
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$LoadMessageSend$Library$AllocCursorHandleLockModuleUnlockWindow$AddressCreateLongProc
                                                                          • String ID: $G$RichEd20.dll$RichEd32.dll$SetWindowTheme$UxTheme.dll$hyperlink:$link="$text="
                                                                          • API String ID: 177784201-3124033326
                                                                          • Opcode ID: 4ee4922ab18f7ac4cef60481175f6aba00ff1f9fe77b4889e2f26e4254a1ce61
                                                                          • Instruction ID: a4660ac1969131d1af0a58f9a131e4f7bdd23c77902d1825a1c3448cfc6067af
                                                                          • Opcode Fuzzy Hash: 4ee4922ab18f7ac4cef60481175f6aba00ff1f9fe77b4889e2f26e4254a1ce61
                                                                          • Instruction Fuzzy Hash: FFF1D070E04205ABDB24EBA5CC81BEEB7B5EF04304F10442EF542B66E1DB78B945CB5A
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 94%
                                                                          			E00415DC6(void* __ecx, void* __eflags) {
                                                                          				long _v8;
                                                                          				char _v20;
                                                                          				char _v32;
                                                                          				char _v44;
                                                                          				char _v56;
                                                                          				char _v68;
                                                                          				struct _PROCESS_INFORMATION _v84;
                                                                          				struct _STARTUPINFOA _v152;
                                                                          				void _v411;
                                                                          				char _v412;
                                                                          				CHAR* _t64;
                                                                          				signed int _t84;
                                                                          				CHAR* _t85;
                                                                          				CHAR* _t100;
                                                                          				signed int _t103;
                                                                          				long _t139;
                                                                          				void* _t140;
                                                                          				void* _t146;
                                                                          				void* _t149;
                                                                          				void* _t150;
                                                                          				void* _t152;
                                                                          
                                                                          				_t146 = __eflags;
                                                                          				DestroyWindow( *0x47e178);
                                                                          				E0041A81A(_t146, 0x47e61c);
                                                                          				_t100 = 0;
                                                                          				_t103 = 0x40;
                                                                          				_v412 = 0;
                                                                          				memset( &_v411, 0, _t103 << 2);
                                                                          				asm("stosw");
                                                                          				asm("stosb");
                                                                          				GetModuleFileNameA(0,  &_v412, 0x104);
                                                                          				E0041BE35( &_v32,  &_v412);
                                                                          				if(E0041C7DB( &_v32, "\\", 0, 1) != 0xffffffff) {
                                                                          					E0041C3A9( &_v32, _t53 + 1, _v32 - _t53 - 1);
                                                                          				}
                                                                          				_t139 = 0x44;
                                                                          				E00424500( &_v152, _t100, _t139);
                                                                          				_v152.cb = _t139;
                                                                          				E00424500( &_v84, _t100, 0x10);
                                                                          				E0041BDC5( &_v20);
                                                                          				_push(E0041CD1E(0x47e61c));
                                                                          				E0041C467( &_v20, "\"%s\"");
                                                                          				_t149 =  *0x47f27c - _t100; // 0x1
                                                                          				if(_t149 != 0) {
                                                                          					E0041C047( &_v20, " /silent", _t100);
                                                                          				}
                                                                          				_t150 =  *0x47f2d5 - _t100; // 0x0
                                                                          				if(_t150 != 0) {
                                                                          					E0041C047( &_v20, " /revert", _t100);
                                                                          				}
                                                                          				_t64 = E0041CD1E( &_v32);
                                                                          				if(CreateProcessA(_t100, E0041CD1E( &_v20), _t100, _t100, _t100, 0x4000000, _t100, _t64,  &_v152,  &_v84) != 0) {
                                                                          					WaitForSingleObject(_v84.hProcess, 0xffffffff);
                                                                          					Sleep(0x32);
                                                                          					_t140 = 0;
                                                                          					__eflags =  *0x47e640 - _t100; // 0x0
                                                                          					if(__eflags <= 0) {
                                                                          						L11:
                                                                          						E0041BE99( &_v68, 0x47e628);
                                                                          						E0041C047( &_v68, "\\installer", _t100);
                                                                          						RemoveDirectoryA(E0041CD1E( &_v68));
                                                                          						E0041BE99( &_v44, 0x47e628);
                                                                          						E0041C047( &_v44, "\\slideshow", _t100);
                                                                          						RemoveDirectoryA(E0041CD1E( &_v44));
                                                                          						E0041BE99( &_v56, 0x47e628);
                                                                          						E0041C047( &_v56, "\\3rd-party", _t100);
                                                                          						RemoveDirectoryA(E0041CD1E( &_v56));
                                                                          						RemoveDirectoryA(E0041CD1E(0x47e628));
                                                                          						_v8 = _t100;
                                                                          						GetExitCodeProcess(_v84.hProcess,  &_v8);
                                                                          						_t84 = CloseHandle(_v84);
                                                                          						__eflags = _v8 - _t100;
                                                                          						_t85 = _t84 & 0xffffff00 | _v8 != _t100;
                                                                          						__eflags =  *0x47f2d5 - _t100; // 0x0
                                                                          						if(__eflags == 0) {
                                                                          							_t100 = _t85;
                                                                          						} else {
                                                                          							__eflags = _t85 - _t100;
                                                                          							_t100 = _t100 & 0xffffff00 | _t85 == _t100;
                                                                          						}
                                                                          						E0041BEFB( &_v56);
                                                                          						E0041BEFB( &_v44);
                                                                          						E0041BEFB( &_v68);
                                                                          						goto L15;
                                                                          					} else {
                                                                          						goto L10;
                                                                          					}
                                                                          					do {
                                                                          						L10:
                                                                          						DeleteFileA(E0041CD1E(E0041E860(0x47e634, _t140)));
                                                                          						_t140 = _t140 + 1;
                                                                          						__eflags = _t140 -  *0x47e640; // 0x0
                                                                          					} while (__eflags < 0);
                                                                          					goto L11;
                                                                          				} else {
                                                                          					_t152 =  *0x47f27c - _t100; // 0x1
                                                                          					if(_t152 == 0) {
                                                                          						E0041B2A8(_t100, "Failed to launch installer. (CreateProcess failed)", _t100);
                                                                          					}
                                                                          					L15:
                                                                          					E0041BEFB( &_v20);
                                                                          					E0041BEFB( &_v32);
                                                                          					return _t100;
                                                                          				}
                                                                          			}

























                                                                          APIs
                                                                          • DestroyWindow.USER32(00000000,0047DFB8,00000000), ref: 00415DDA
                                                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104,0047E61C), ref: 00415E11
                                                                            • Part of subcall function 0041BE35: lstrlenA.KERNEL32(00000000,0047DFB8,0047F2B8,0041B2F4,Astrum Installer,00000000,0047DFB8,?,0041B2C8,0041CD50,00000000,0041D88F,00000010,?,0041A03B,00000000), ref: 0041BE49
                                                                            • Part of subcall function 0041BE35: GlobalAlloc.KERNEL32(00000042,00000000,?,0041B2C8,0041CD50,00000000,0041D88F,00000010,?,0041A03B,00000000,00000000,00000000,?,0047E924,0041D88F), ref: 0041BE54
                                                                            • Part of subcall function 0041BE35: GlobalLock.KERNEL32 ref: 0041BE75
                                                                            • Part of subcall function 0041C7DB: lstrlenA.KERNEL32(0047DFB8,00000000,0047DE94,0042BC5C,0042BC5C,00000000,00000001,0047E6C8,?,0047DFB8), ref: 0041C7E9
                                                                          • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000000,00000000,00000000,?,?,?,?,?,?,?,0042BC5C), ref: 00415EE9
                                                                            • Part of subcall function 0041C3A9: GlobalUnlock.KERNEL32(?,00000000,00000000,00421A09,00000000,00000001,0000005C,00000000,00000000,00000000,0000005C,00000000,00000000,0047E490,0047E788,00000000), ref: 0041C3D8
                                                                            • Part of subcall function 0041C3A9: GlobalReAlloc.KERNEL32 ref: 0041C3E5
                                                                            • Part of subcall function 0041C3A9: GlobalLock.KERNEL32 ref: 0041C406
                                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,0042BC5C,00000000,00000001,?), ref: 00415F1A
                                                                          • Sleep.KERNEL32(00000032,?,?,?,?,?,0042BC5C,00000000,00000001,?), ref: 00415F22
                                                                          • DeleteFileA.KERNEL32(00000000,00000000,?,?,?,?,?,0042BC5C,00000000,00000001,?), ref: 00415F45
                                                                          • RemoveDirectoryA.KERNEL32(00000000,\installer,00000000,0047E628,?,?,?,?,?,0042BC5C,00000000,00000001,?), ref: 00415F7F
                                                                          • RemoveDirectoryA.KERNEL32(00000000,\slideshow,00000000,0047E628,?,?,?,?,?,0042BC5C,00000000,00000001,?), ref: 00415FA1
                                                                          • RemoveDirectoryA.KERNEL32(00000000,\3rd-party,00000000,0047E628,?,?,?,?,?,0042BC5C,00000000,00000001,?), ref: 00415FC3
                                                                          • RemoveDirectoryA.KERNEL32(00000000,?,?,?,?,?,0042BC5C,00000000,00000001,?), ref: 00415FD0
                                                                          • GetExitCodeProcess.KERNEL32 ref: 00415FDC
                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,0042BC5C,00000000,00000001,?), ref: 00415FE5
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$DirectoryRemove$AllocLock$FileProcessUnlocklstrlen$CloseCodeCreateDeleteDestroyExitHandleModuleNameObjectSingleSleepWaitWindow
                                                                          • String ID: /revert$ /silent$"%s"$(G$(G$4G$Failed to launch installer. (CreateProcess failed)$\3rd-party$\installer$\slideshow
                                                                          • API String ID: 2727010560-1226287940
                                                                          • Opcode ID: 5398187f917318cc6776e3c3fdb12b5de82adc2cc83cb376463ad335155050c8
                                                                          • Instruction ID: c84c90120c8cb0b02637a7889d897b933ea34145bef4a6e03f7a32fae6314024
                                                                          • Opcode Fuzzy Hash: 5398187f917318cc6776e3c3fdb12b5de82adc2cc83cb376463ad335155050c8
                                                                          • Instruction Fuzzy Hash: EC518171940219AADB14FBA5EC96DFF7B3CEF14748F50406FB105A2092DF781D86CA68
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 89%
                                                                          			E00408768(struct HWND__* _a4, intOrPtr _a8, struct HDC__* _a12, signed int _a16) {
                                                                          				signed int _v5;
                                                                          				RECT* _v12;
                                                                          				struct tagRECT _v28;
                                                                          				intOrPtr _t163;
                                                                          				void* _t167;
                                                                          				void* _t169;
                                                                          				void* _t170;
                                                                          				void* _t172;
                                                                          				void* _t174;
                                                                          				void* _t176;
                                                                          				intOrPtr _t180;
                                                                          				void* _t183;
                                                                          				signed int* _t184;
                                                                          				void* _t185;
                                                                          				long _t192;
                                                                          				intOrPtr _t198;
                                                                          				char* _t210;
                                                                          				intOrPtr _t213;
                                                                          				intOrPtr _t218;
                                                                          				intOrPtr _t226;
                                                                          				void* _t227;
                                                                          				intOrPtr _t233;
                                                                          				void* _t234;
                                                                          				void* _t235;
                                                                          				unsigned int _t237;
                                                                          				void* _t238;
                                                                          				void* _t239;
                                                                          				struct HWND__* _t240;
                                                                          				void* _t241;
                                                                          				intOrPtr _t251;
                                                                          				intOrPtr _t253;
                                                                          				RECT* _t268;
                                                                          				RECT* _t269;
                                                                          				void* _t270;
                                                                          				void* _t271;
                                                                          				intOrPtr* _t272;
                                                                          				void* _t273;
                                                                          
                                                                          				_t233 = _a8;
                                                                          				if(_t233 == 0x112 && _a12 == 1) {
                                                                          					_t240 = _a4;
                                                                          					EnableWindow(_t240, 0);
                                                                          					DialogBoxParamA( *0x47e17c, 0x72, _t240, E00405955, 0);
                                                                          					EnableWindow(_t240, 1);
                                                                          					SetForegroundWindow(_t240);
                                                                          					return 0;
                                                                          				}
                                                                          				_t272 = E00407E63(_a4);
                                                                          				_pop(_t241);
                                                                          				if(_t272 == 0) {
                                                                          					_t272 =  *0x47df64;
                                                                          				}
                                                                          				if(( *0x47e18c & 0x80000000) == 0) {
                                                                          					L9:
                                                                          					if(_t272 != 0) {
                                                                          						if(_t233 != 0x14) {
                                                                          							if(_t233 != 0x402) {
                                                                          								L23:
                                                                          								if(_a8 != 0xf) {
                                                                          									L30:
                                                                          									_t163 = _a8;
                                                                          									_t234 = 0x133;
                                                                          									if(_t163 != 0x133) {
                                                                          										_t234 = 0x134;
                                                                          										if(_t163 != 0x134) {
                                                                          											if(_t163 != 0x138) {
                                                                          												if(_t163 != 0x135) {
                                                                          													if(_t163 != 0x201) {
                                                                          														_t268 = 0;
                                                                          														L58:
                                                                          														if(_a8 != 0x200) {
                                                                          															L73:
                                                                          															if(_a8 != 0x20) {
                                                                          																if(_a8 != 6) {
                                                                          																	L83:
                                                                          																	if(_a8 != 0x111) {
                                                                          																		if(_a8 == 0x10) {
                                                                          																			return SendMessageA(_a4, 0x111, 2, _t268);
                                                                          																		}
                                                                          																		if(_a8 == 0x110 || _a8 == 0x4e || _a8 == 0xf || _a8 == 0x113) {
                                                                          																			L93:
                                                                          																			_t167 = _a8 - 0xf;
                                                                          																			if(_t167 == 0) {
                                                                          																				_t169 =  *((intOrPtr*)( *_t272 + 0x14))(_a12, _a16);
                                                                          																			} else {
                                                                          																				_t172 = _t167 - 0x3f;
                                                                          																				if(_t172 == 0) {
                                                                          																					_t169 =  *((intOrPtr*)( *_t272 + 0x10))(_a12, _a16);
                                                                          																				} else {
                                                                          																					_t174 = _t172 - 0xc2;
                                                                          																					if(_t174 == 0) {
                                                                          																						_t169 =  *((intOrPtr*)( *_t272 + 8))(_a4, _a12, _a16);
                                                                          																					} else {
                                                                          																						_t176 = _t174 - 1;
                                                                          																						if(_t176 == 0) {
                                                                          																							_t169 =  *((intOrPtr*)( *_t272 + 4))(_a12, _a16);
                                                                          																						} else {
                                                                          																							_push(_a16);
                                                                          																							_t180 =  *_t272;
                                                                          																							_push(_a12);
                                                                          																							if(_t176 == 0) {
                                                                          																								_t169 =  *((intOrPtr*)(_t180 + 0x18))();
                                                                          																							} else {
                                                                          																								_t169 =  *((intOrPtr*)(_t180 + 0xc))(_a8);
                                                                          																							}
                                                                          																						}
                                                                          																					}
                                                                          																				}
                                                                          																			}
                                                                          																			if(_t169 != 0) {
                                                                          																				L14:
                                                                          																				_t170 = 1;
                                                                          																				return _t170;
                                                                          																			} else {
                                                                          																				goto L105;
                                                                          																			}
                                                                          																		} else {
                                                                          																			L105:
                                                                          																			_push(_a16);
                                                                          																			_push(_a12);
                                                                          																			_push(_a8);
                                                                          																			L11:
                                                                          																			return DefWindowProcA(_a4, ??, ??, ??);
                                                                          																		}
                                                                          																	}
                                                                          																	E00408E91(_t272);
                                                                          																	_v5 = _v5 & 0x00000000;
                                                                          																	_t183 = E00408658(_t272, _a12, _a16,  &_v5);
                                                                          																	if(_v5 == 0) {
                                                                          																		goto L93;
                                                                          																	}
                                                                          																	return _t183;
                                                                          																}
                                                                          																if(_a12 != _t268) {
                                                                          																	goto L105;
                                                                          																}
                                                                          																_t118 = _t272 + 0x9c; // 0x9c
                                                                          																_t184 = _t118;
                                                                          																if(( *(_t272 + 0x9c) & 0x00000002) == 0) {
                                                                          																	goto L105;
                                                                          																}
                                                                          																 *_t184 =  *_t184 & 0xfffffffd;
                                                                          																 *(_t272 + 0x98) = _t268;
                                                                          																_t235 = 0;
                                                                          																if( *((intOrPtr*)(_t272 + 0x7c)) <= _t268) {
                                                                          																	goto L105;
                                                                          																} else {
                                                                          																	goto L80;
                                                                          																}
                                                                          																do {
                                                                          																	L80:
                                                                          																	_t121 = _t272 + 0x70; // 0x70
                                                                          																	_t185 = E0041E860(_t121, _t235);
                                                                          																	_t251 =  *((intOrPtr*)(_t185 + 0x28));
                                                                          																	if( *((intOrPtr*)(_t185 + 0x24)) != _t251) {
                                                                          																		 *((intOrPtr*)(_t185 + 0x24)) = _t251;
                                                                          																		InvalidateRect( *(_t185 + 0x50), _t268, _t268);
                                                                          																	}
                                                                          																	_t235 = _t235 + 1;
                                                                          																} while (_t235 <  *((intOrPtr*)(_t272 + 0x7c)));
                                                                          																goto L83;
                                                                          															}
                                                                          															if(( *(_t272 + 0x9c) & 0x00000002) == 0) {
                                                                          																goto L105;
                                                                          															}
                                                                          															SetCursor( *(_t272 + 0xa0));
                                                                          															goto L14;
                                                                          														}
                                                                          														if(( *(_t272 + 0x9c) & 0x00000001) == 0) {
                                                                          															goto L105;
                                                                          														}
                                                                          														_v12 = _t268;
                                                                          														_t237 = _a16 >> 0x10;
                                                                          														 *(_t272 + 0x98) = _t268;
                                                                          														_v5 =  *(_t272 + 0x98) != _t268;
                                                                          														 *(_t272 + 0x9c) =  *(_t272 + 0x9c) & 0xfffffffd;
                                                                          														if( *((intOrPtr*)(_t272 + 0x7c)) <= _t268) {
                                                                          															L70:
                                                                          															if( *(_t272 + 0x98) != 0 || _v5 == 0) {
                                                                          																goto L105;
                                                                          															} else {
                                                                          																SetCursor( *(_t272 + 0xa4));
                                                                          																_t268 = 0;
                                                                          																goto L73;
                                                                          															}
                                                                          														} else {
                                                                          															goto L61;
                                                                          														}
                                                                          														do {
                                                                          															L61:
                                                                          															_t75 = _t272 + 0x70; // 0x70
                                                                          															_t269 = E0041E860(_t75, _v12);
                                                                          															if( *((intOrPtr*)(_t269 + 0x44)) > 0 && IsWindowVisible( *(_t269 + 0x50)) != 0) {
                                                                          																_t192 =  *(_t269 + 0x14);
                                                                          																_t253 =  *((intOrPtr*)(_t269 + 0x18));
                                                                          																_v28.left = _t192;
                                                                          																_push(_t237);
                                                                          																_v28.bottom =  *((intOrPtr*)(_t269 + 0x20)) + _t253;
                                                                          																_v28.top = _t253;
                                                                          																_v28.right =  *((intOrPtr*)(_t269 + 0x1c)) + _t192;
                                                                          																if(PtInRect( &_v28, _a16 & 0x0000ffff) == 0) {
                                                                          																	_t198 =  *((intOrPtr*)(_t269 + 0x28));
                                                                          																	if( *((intOrPtr*)(_t269 + 0x24)) == _t198) {
                                                                          																		goto L69;
                                                                          																	}
                                                                          																	 *((intOrPtr*)(_t269 + 0x24)) = _t198;
                                                                          																	L68:
                                                                          																	InvalidateRect( *(_t269 + 0x50), 0, 0);
                                                                          																	goto L69;
                                                                          																}
                                                                          																 *(_t272 + 0x9c) =  *(_t272 + 0x9c) | 0x00000002;
                                                                          																 *(_t272 + 0x98) = _t269;
                                                                          																if( *((intOrPtr*)(_t269 + 0x24)) !=  *((intOrPtr*)(_t269 + 0x28))) {
                                                                          																	goto L69;
                                                                          																}
                                                                          																SetCursor( *(_t272 + 0xa0));
                                                                          																 *((intOrPtr*)(_t269 + 0x24)) = 0xff;
                                                                          																 *((intOrPtr*)(_t269 + 0x28)) =  *((intOrPtr*)(_t269 + 0x24));
                                                                          																goto L68;
                                                                          															}
                                                                          															L69:
                                                                          															_v12 =  &(_v12->left);
                                                                          														} while (_v12 <  *((intOrPtr*)(_t272 + 0x7c)));
                                                                          														goto L70;
                                                                          													}
                                                                          													if(( *(_t272 + 0x9c) & 0x00000002) == 0) {
                                                                          														goto L105;
                                                                          													}
                                                                          													_t203 =  *(_t272 + 0x98);
                                                                          													_t268 = 0;
                                                                          													if( *(_t272 + 0x98) == 0) {
                                                                          														goto L105;
                                                                          													}
                                                                          													ShellExecuteA(0, "open", E0041CD1E(_t203 + 0x44), 0, 0, 3);
                                                                          													goto L58;
                                                                          												}
                                                                          												_t273 = E004070D7(_t272, _a16);
                                                                          												if(_t273 == 0) {
                                                                          													goto L105;
                                                                          												}
                                                                          												SetTextColor(_a12,  *(_t273 + 0x24));
                                                                          												L52:
                                                                          												SetBkMode(_a12, 1);
                                                                          												L36:
                                                                          												return  *((intOrPtr*)(_t273 + 0x54));
                                                                          											}
                                                                          											_t48 = _t272 + 0xac; // 0xac
                                                                          											_t210 = _t48;
                                                                          											if( *((char*)(_t272 + 0xac)) == 0) {
                                                                          												 *_t210 = 1;
                                                                          											}
                                                                          											_t273 = E004070D7(_t272, _a16);
                                                                          											if(_t273 == 0) {
                                                                          												goto L105;
                                                                          											} else {
                                                                          												SetTextColor(_a12,  *(_t273 + 0x24));
                                                                          												_t213 =  *((intOrPtr*)(_t273 + 8));
                                                                          												if(_t213 == 5 || _t213 == 6) {
                                                                          													L35:
                                                                          													SetBkColor(_a12,  *(_t273 + 0x2c));
                                                                          													goto L36;
                                                                          												} else {
                                                                          													goto L52;
                                                                          												}
                                                                          											}
                                                                          										}
                                                                          										_t273 = E004070D7(_t272, _a16);
                                                                          										if(_t273 == 0) {
                                                                          											goto L105;
                                                                          										}
                                                                          										if( *((intOrPtr*)(_t273 + 8)) != 7 ||  *((intOrPtr*)(_t273 + 0x54)) == 0) {
                                                                          											goto L10;
                                                                          										} else {
                                                                          											L34:
                                                                          											SetTextColor(_a12,  *(_t273 + 0x24));
                                                                          											goto L35;
                                                                          										}
                                                                          									}
                                                                          									_t273 = E004070D7(_t272, _a16);
                                                                          									if(_t273 == 0) {
                                                                          										goto L105;
                                                                          									}
                                                                          									_t218 =  *((intOrPtr*)(_t273 + 8));
                                                                          									if(_t218 == 5 || _t218 == 6) {
                                                                          										goto L34;
                                                                          									} else {
                                                                          										goto L10;
                                                                          									}
                                                                          								}
                                                                          								if(( *(_t272 + 0x13) & 0x00000080) == 0) {
                                                                          									goto L93;
                                                                          								}
                                                                          								_t238 = 0;
                                                                          								if( *((intOrPtr*)(_t272 + 0x7c)) <= 0) {
                                                                          									goto L93;
                                                                          								}
                                                                          								_t32 = _t272 + 0x70; // 0x70
                                                                          								_t270 = _t32;
                                                                          								do {
                                                                          									if( *((intOrPtr*)(E0041E860(_t270, _t238) + 8)) == 0xc) {
                                                                          										E0041ED05( *((intOrPtr*)(E0041E860(_t270, _t238) + 0x50)));
                                                                          									}
                                                                          									_t238 = _t238 + 1;
                                                                          								} while (_t238 <  *((intOrPtr*)(_t272 + 0x7c)));
                                                                          								goto L30;
                                                                          							}
                                                                          							if(( *(_t272 + 0x10) & 0x80000000) == 0) {
                                                                          								goto L105;
                                                                          							}
                                                                          							_t271 = 0;
                                                                          							if( *((intOrPtr*)(_t272 + 0x7c)) <= 0) {
                                                                          								goto L105;
                                                                          							} else {
                                                                          								goto L19;
                                                                          							}
                                                                          							do {
                                                                          								L19:
                                                                          								_t19 = _t272 + 0x70; // 0x70
                                                                          								_t239 = E0041E860(_t19, _t271);
                                                                          								if( *((intOrPtr*)(_t239 + 8)) == 0xc &&  *((intOrPtr*)(_t239 + 0x10)) == _a16) {
                                                                          									E0041EE7E( *((intOrPtr*)(_t239 + 0x50)), _a12);
                                                                          									E0041ED05( *((intOrPtr*)(_t239 + 0x50)));
                                                                          								}
                                                                          								_t271 = _t271 + 1;
                                                                          							} while (_t271 <  *((intOrPtr*)(_t272 + 0x7c)));
                                                                          							goto L23;
                                                                          						}
                                                                          						if( *((char*)(_t272 + 0xac)) != 0) {
                                                                          							goto L105;
                                                                          						}
                                                                          						goto L14;
                                                                          					}
                                                                          					L10:
                                                                          					_push(_a16);
                                                                          					_push(_a12);
                                                                          					_push(_t234);
                                                                          					goto L11;
                                                                          				}
                                                                          				_t226 = 0;
                                                                          				if(_t272 != 0) {
                                                                          					_t226 =  *((intOrPtr*)(_t272 + 0x14));
                                                                          				}
                                                                          				_t227 = E004241D8(_t241, _a4, _t233, _a12, _a16, _t226);
                                                                          				if(_t227 != 0) {
                                                                          					return _t227;
                                                                          				} else {
                                                                          					goto L9;
                                                                          				}
                                                                          			}








































                                                                          0x00408a26
                                                                          0x00408a2f
                                                                          0x00408a35
                                                                          0x00408a39
                                                                          0x00408a43
                                                                          0x00408af4
                                                                          0x00408afb
                                                                          0x00000000
                                                                          0x00408b0b
                                                                          0x00408b11
                                                                          0x00408b17
                                                                          0x00000000
                                                                          0x00408b17
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00408a49
                                                                          0x00408a49
                                                                          0x00408a4c
                                                                          0x00408a54
                                                                          0x00408a5a
                                                                          0x00408a6d
                                                                          0x00408a73
                                                                          0x00408a76
                                                                          0x00408a80
                                                                          0x00408a81
                                                                          0x00408a84
                                                                          0x00408a90
                                                                          0x00408a9b
                                                                          0x00408acd
                                                                          0x00408ad3
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00408ad5
                                                                          0x00408ad8
                                                                          0x00408adf
                                                                          0x00000000
                                                                          0x00408adf
                                                                          0x00408a9d
                                                                          0x00408aa4
                                                                          0x00408ab0
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00408ab8
                                                                          0x00408ac1
                                                                          0x00408ac8
                                                                          0x00000000
                                                                          0x00408ac8
                                                                          0x00408ae5
                                                                          0x00408ae5
                                                                          0x00408aeb
                                                                          0x00000000
                                                                          0x00408a49
                                                                          0x004089d3
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004089d9
                                                                          0x004089df
                                                                          0x004089e3
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004089fc
                                                                          0x00000000
                                                                          0x004089fc
                                                                          0x0040899f
                                                                          0x004089a3
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004089af
                                                                          0x004089b5
                                                                          0x004089ba
                                                                          0x00408903
                                                                          0x00000000
                                                                          0x00408903
                                                                          0x0040894c
                                                                          0x0040894c
                                                                          0x00408952
                                                                          0x00408954
                                                                          0x00408954
                                                                          0x00408961
                                                                          0x00408965
                                                                          0x00000000
                                                                          0x0040896b
                                                                          0x00408971
                                                                          0x00408977
                                                                          0x0040897d
                                                                          0x004088f7
                                                                          0x004088fd
                                                                          0x00000000
                                                                          0x0040898c
                                                                          0x00000000
                                                                          0x0040898c
                                                                          0x0040897d
                                                                          0x00408965
                                                                          0x0040891e
                                                                          0x00408922
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040892c
                                                                          0x00000000
                                                                          0x0040893c
                                                                          0x004088eb
                                                                          0x004088f1
                                                                          0x00000000
                                                                          0x004088f1
                                                                          0x0040892c
                                                                          0x004088d0
                                                                          0x004088d4
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004088da
                                                                          0x004088e0
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004088e0
                                                                          0x00408882
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00408888
                                                                          0x0040888d
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00408893
                                                                          0x00408893
                                                                          0x00408896
                                                                          0x004088a2
                                                                          0x004088af
                                                                          0x004088af
                                                                          0x004088b4
                                                                          0x004088b5
                                                                          0x00000000
                                                                          0x00408896
                                                                          0x00408835
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040883b
                                                                          0x00408840
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00408846
                                                                          0x00408846
                                                                          0x00408847
                                                                          0x0040884f
                                                                          0x00408855
                                                                          0x00408865
                                                                          0x0040886d
                                                                          0x0040886d
                                                                          0x00408872
                                                                          0x00408873
                                                                          0x00000000
                                                                          0x00408846
                                                                          0x0040881a
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040881a
                                                                          0x004087fc
                                                                          0x004087fc
                                                                          0x004087ff
                                                                          0x00408802
                                                                          0x00000000
                                                                          0x00408802
                                                                          0x004087d8
                                                                          0x004087dc
                                                                          0x004087de
                                                                          0x004087de
                                                                          0x004087ec
                                                                          0x004087f6
                                                                          0x00408827
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000

                                                                          APIs
                                                                          • EnableWindow.USER32(?,00000000), ref: 0040878E
                                                                          • DialogBoxParamA.USER32 ref: 004087A0
                                                                          • EnableWindow.USER32(?,00000001), ref: 004087A9
                                                                          • SetForegroundWindow.USER32(?), ref: 004087AC
                                                                          • DefWindowProcA.USER32(00000007,00000134,?,?,?,00000400,00000112,00000000), ref: 00408806
                                                                          • SetTextColor.GDI32(?,?), ref: 004088F1
                                                                          • SetBkColor.GDI32(?,?), ref: 004088FD
                                                                          • SetTextColor.GDI32(?,?), ref: 00408971
                                                                          • SetTextColor.GDI32(?,?), ref: 004089AF
                                                                          • SetBkMode.GDI32(?,00000001), ref: 004089BA
                                                                          • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000003), ref: 004089FC
                                                                          • IsWindowVisible.USER32 ref: 00408A63
                                                                          • PtInRect.USER32(?,?,?), ref: 00408A93
                                                                          • SetCursor.USER32(?), ref: 00408AB8
                                                                          • InvalidateRect.USER32(?,00000000,00000000), ref: 00408ADF
                                                                          • SetCursor.USER32(?,?), ref: 00408B11
                                                                          • SetCursor.USER32(?), ref: 00408B32
                                                                          • InvalidateRect.USER32(?,00000000,00000000,00000000), ref: 00408B8D
                                                                          • SendMessageA.USER32(?,00000111,00000002,00000000), ref: 00408BFA
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Color$CursorRectText$EnableInvalidate$DialogExecuteForegroundMessageModeParamProcSendShellVisible
                                                                          • String ID: N$open
                                                                          • API String ID: 3906583626-904208323
                                                                          • Opcode ID: 793b6bc99f52ec241c5777074f5b58d0a80f154596fac2008537b918d8063120
                                                                          • Instruction ID: ff61c556d1a4f47141abc3fa5068174e258a9013b54a303101cef0423bcc2c65
                                                                          • Opcode Fuzzy Hash: 793b6bc99f52ec241c5777074f5b58d0a80f154596fac2008537b918d8063120
                                                                          • Instruction Fuzzy Hash: 32E1AF31500605EFDB319F25CA48AAB7BB1FF08710F00843EE996666A1CB39EC51DF69
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 92%
                                                                          			E00413748(struct HWND__* _a4, intOrPtr _a8, char _a12, char _a13, char _a14, char _a15, CHAR* _a16) {
                                                                          				char _v16;
                                                                          				char _v28;
                                                                          				char _v44;
                                                                          				intOrPtr _v68;
                                                                          				intOrPtr _v72;
                                                                          				intOrPtr _v88;
                                                                          				CHAR* _v92;
                                                                          				int _v96;
                                                                          				intOrPtr _v108;
                                                                          				struct HWND__* _v116;
                                                                          				struct tagOFNA _v120;
                                                                          				void* _t65;
                                                                          				CHAR* _t66;
                                                                          				int _t83;
                                                                          				signed int _t89;
                                                                          				void* _t93;
                                                                          				void* _t95;
                                                                          				signed int _t99;
                                                                          				void* _t101;
                                                                          				int _t118;
                                                                          				intOrPtr _t127;
                                                                          				int _t130;
                                                                          				int _t140;
                                                                          				CHAR* _t146;
                                                                          				intOrPtr _t152;
                                                                          				intOrPtr _t155;
                                                                          				char* _t160;
                                                                          				intOrPtr _t161;
                                                                          				intOrPtr _t166;
                                                                          				void* _t171;
                                                                          				intOrPtr _t180;
                                                                          				void* _t187;
                                                                          				struct HWND__* _t191;
                                                                          				int _t192;
                                                                          				CHAR* _t193;
                                                                          				struct tagOFNA _t194;
                                                                          
                                                                          				_t65 = _a8 - 0x110;
                                                                          				if(_t65 == 0) {
                                                                          					_t66 = E0041CD1E(0x47e8e8);
                                                                          					_t191 = _a4;
                                                                          					SetDlgItemTextA(_t191, 1, _t66);
                                                                          					SetDlgItemTextA(_t191, 4, E0041CD1E(0x47e8ac));
                                                                          					SetDlgItemTextA(_t191, 2, E0041CD1E(0x47e8b8));
                                                                          					 *0x47f2a4 = _a16;
                                                                          					SetWindowTextA(_t191, E0041CD1E(0x47e700));
                                                                          					E0041BDC5( &_v16);
                                                                          					_t152 =  *0x47f2a4; // 0x0
                                                                          					_push(E0041CD1E(_t152));
                                                                          					E0041C467( &_v16, E0041CD1E(0x47ee4c));
                                                                          					E0041BFF8( &_v16, 0x20);
                                                                          					_t155 =  *0x47f2a4; // 0x0
                                                                          					_a12 = E0041BFE3(_t155, 0);
                                                                          					_a13 = 0x3a;
                                                                          					_a14 = 0x5c;
                                                                          					_a15 = 0;
                                                                          					_t83 = GetDriveTypeA( &_a12);
                                                                          					__eflags = _t83 - 3;
                                                                          					if(__eflags == 0) {
                                                                          						L20:
                                                                          						_push(0x47ee64);
                                                                          						L21:
                                                                          						E0041C0C5( &_v16, __eflags);
                                                                          						E0041BFF8( &_v16, 0x20);
                                                                          						E0041C0C5( &_v16, __eflags, 0x47ee70);
                                                                          						SetDlgItemTextA(_t191, 0x42a, E0041CD1E( &_v16));
                                                                          						_t160 =  &_v16;
                                                                          						L22:
                                                                          						_t89 = E0041BEFB(_t160);
                                                                          						L23:
                                                                          						return (_t89 & 0xffffff00 | _a8 == 0x00000110) & 0x000000ff;
                                                                          					}
                                                                          					__eflags = _t83 - 4;
                                                                          					if(__eflags == 0) {
                                                                          						goto L20;
                                                                          					}
                                                                          					_push(0x47ee58);
                                                                          					goto L21;
                                                                          				}
                                                                          				_t89 = _t65 - 1;
                                                                          				if(_t89 != 0) {
                                                                          					goto L23;
                                                                          				}
                                                                          				_t93 = (_a12 & 0x0000ffff) - 1;
                                                                          				if(_t93 == 0) {
                                                                          					_t161 =  *0x47f2a4; // 0x0
                                                                          					_t95 = E0040DF52(E0041CD1E(_t161));
                                                                          					__eflags = _t95;
                                                                          					if(_t95 != 0) {
                                                                          						_t192 = 1;
                                                                          						EndDialog(_a4, _t192);
                                                                          						L12:
                                                                          						return _t192;
                                                                          					}
                                                                          					_t89 = E0041B2CC(0x47dfb8, _a4, E0041CD1E(0x47ee7c), 0, 0);
                                                                          					goto L23;
                                                                          				}
                                                                          				_t99 = _t93 - 1;
                                                                          				if(_t99 == 0) {
                                                                          					EndDialog(_a4, 0);
                                                                          					_t101 = 1;
                                                                          					return _t101;
                                                                          				}
                                                                          				_t89 = _t99;
                                                                          				if(_t89 != 0) {
                                                                          					goto L23;
                                                                          				}
                                                                          				_t193 = E00424DD9(0x104);
                                                                          				_a16 = _t193;
                                                                          				if(_t193 == 0) {
                                                                          					E0041D881(E0041CD1E(0x47e924));
                                                                          				}
                                                                          				E00424500(_t193, 0, 0x104);
                                                                          				_t166 =  *0x47f2a4; // 0x0
                                                                          				lstrcatA(_t193, E0041CD1E(_t166));
                                                                          				_t194 = 0x4c;
                                                                          				E00424500( &_v120, 0, _t194);
                                                                          				_v120 = _t194;
                                                                          				_v116 = _a4;
                                                                          				E0041BE35( &_v16, "Astrum Installer package #");
                                                                          				E00427836( *0x42bf9c,  &_v44, 0xa);
                                                                          				E0041C047( &_v16,  &_v44, 0);
                                                                          				E0041C047( &_v16, " (*.", 0);
                                                                          				E0041BDC5( &_v28);
                                                                          				_a12 = 0;
                                                                          				_t118 = lstrlenA( &_v44);
                                                                          				_t171 = 3;
                                                                          				if(_t171 == _t118) {
                                                                          					L9:
                                                                          					E0041C047( &_v28,  &_v44, 0);
                                                                          					E0041C0C5( &_v16, _t210,  &_v28);
                                                                          					E0041C047( &_v16, 0x42c1f4, 4);
                                                                          					E0041C0C5( &_v16, _t210,  &_v28);
                                                                          					E0041C047( &_v16, 0x47f2b0, 2);
                                                                          					_t127 = E0041CD1E( &_v16);
                                                                          					_t146 = _a16;
                                                                          					_t192 = 1;
                                                                          					_v108 = _t127;
                                                                          					_v96 = _t192;
                                                                          					_v92 = _t146;
                                                                          					_v88 = 0x104;
                                                                          					_v68 = 0x1804;
                                                                          					_v72 = E0041CD1E(0x47ee88);
                                                                          					_t130 = GetOpenFileNameA( &_v120);
                                                                          					_push(_t146);
                                                                          					if(_t130 != 0) {
                                                                          						_t180 =  *0x47f2a4; // 0x0
                                                                          						E0041BF12(_t180);
                                                                          						E00424DCE(_t146);
                                                                          						EndDialog(_a4, _t192);
                                                                          						E0041BEFB( &_v28);
                                                                          						E0041BEFB( &_v16);
                                                                          						goto L12;
                                                                          					}
                                                                          					E00424DCE();
                                                                          					E0041BEFB( &_v28);
                                                                          					_t160 =  &_v16;
                                                                          					goto L22;
                                                                          				} else {
                                                                          					do {
                                                                          						E0041BFF8( &_v28, 0x30);
                                                                          						_a12 = _a12 + 1;
                                                                          						_t140 = lstrlenA( &_v44);
                                                                          						_t187 = 3;
                                                                          						_t210 = _a12 - _t187 - _t140;
                                                                          					} while (_a12 < _t187 - _t140);
                                                                          					goto L9;
                                                                          				}
                                                                          			}








































                                                                          APIs
                                                                          • lstrcatA.KERNEL32(00000000,00000000), ref: 004137C0
                                                                          • lstrlenA.KERNEL32(?, (*.,00000000,?,00000000), ref: 00413831
                                                                          • lstrlenA.KERNEL32(?,00000030), ref: 0041384B
                                                                          • EndDialog.USER32(?,00000001), ref: 00413902
                                                                            • Part of subcall function 0041BEFB: GlobalUnlock.KERNEL32(?,00000000,0041C1E9,00000000,00000010,00000000,0047E4D0,00000000), ref: 0041BF01
                                                                            • Part of subcall function 0041BEFB: GlobalFree.KERNEL32 ref: 0041BF0A
                                                                          • GetOpenFileNameA.COMDLG32(?,0047F2B0,00000002,?,0042C1F4,00000004,?,?,00000000), ref: 004138CC
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          • EndDialog.USER32(?,00000000), ref: 00413924
                                                                          • SetDlgItemTextA.USER32 ref: 0041398F
                                                                          • SetDlgItemTextA.USER32 ref: 0041399F
                                                                          • SetDlgItemTextA.USER32 ref: 004139AF
                                                                          • SetWindowTextA.USER32(?,00000000), ref: 004139C5
                                                                          • GetDriveTypeA.KERNEL32(?,00000000,00000020), ref: 00413A20
                                                                          • SetDlgItemTextA.USER32 ref: 00413A6A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: GlobalText$Item$DialogUnlocklstrlen$AllocDriveFileFreeLockNameOpenTypeWindowlstrcat
                                                                          • String ID: (*.$$G$:$Astrum Installer package #$LG$\$|G$G
                                                                          • API String ID: 1704251759-1853225045
                                                                          • Opcode ID: 26e77d59309514d4294a95995032ecbbd080c6fb48c5b310bc7d7efad43cac87
                                                                          • Instruction ID: fc77d3e9e13320066b9983e77b152ba6fdb0cba62896dbaa18d01fc9fa2dd16e
                                                                          • Opcode Fuzzy Hash: 26e77d59309514d4294a95995032ecbbd080c6fb48c5b310bc7d7efad43cac87
                                                                          • Instruction Fuzzy Hash: 4E91D571940209AADB14EFA2EC86EEE7B78EF44344F50402FF501A7192DF785A85CB59
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 99%
                                                                          			E0041425E(void* __edx, char _a4) {
                                                                          				char _v8;
                                                                          				char _v12;
                                                                          				char _v16;
                                                                          				struct _MEMORYSTATUS _v48;
                                                                          				signed int _t38;
                                                                          				signed int _t45;
                                                                          				intOrPtr _t47;
                                                                          				intOrPtr _t51;
                                                                          				intOrPtr _t55;
                                                                          				signed int _t59;
                                                                          				intOrPtr _t61;
                                                                          				intOrPtr _t62;
                                                                          				intOrPtr _t70;
                                                                          				intOrPtr _t76;
                                                                          				intOrPtr _t77;
                                                                          				signed int _t79;
                                                                          				void* _t86;
                                                                          				signed short _t98;
                                                                          				signed int _t101;
                                                                          				void* _t109;
                                                                          				void* _t111;
                                                                          				intOrPtr* _t112;
                                                                          				signed int _t113;
                                                                          				struct HDC__* _t114;
                                                                          				struct HDC__* _t115;
                                                                          				struct HDC__* _t116;
                                                                          
                                                                          				_t109 = __edx;
                                                                          				_t112 = _a4;
                                                                          				if( *_t112 == 0) {
                                                                          					L44:
                                                                          					__eflags = 0;
                                                                          					return 0;
                                                                          				}
                                                                          				if(E0041BFE3(_t112, 0) == 0x3c) {
                                                                          					__eflags =  *0x47e4dc; // 0x8
                                                                          					_a4 = 0;
                                                                          					_t111 = 1;
                                                                          					if(__eflags <= 0) {
                                                                          						L6:
                                                                          						_t88 = _t112;
                                                                          						__eflags = E0041C1FA(_t112, __eflags, "<CPUSpeed>", _t111);
                                                                          						if(__eflags == 0) {
                                                                          							_t89 = _t112;
                                                                          							__eflags = E0041C1FA(_t112, __eflags, "<CPUType>", _t111);
                                                                          							if(__eflags == 0) {
                                                                          								_t90 = _t112;
                                                                          								__eflags = E0041C1FA(_t112, __eflags, "<CPUFlags>", _t111);
                                                                          								if(__eflags == 0) {
                                                                          									__eflags = E0041C1FA(_t112, __eflags, "<LanguageID>", _t111);
                                                                          									if(__eflags == 0) {
                                                                          										__eflags = E0041C1FA(_t112, __eflags, "<OSBuild>", _t111);
                                                                          										if(__eflags == 0) {
                                                                          											__eflags = E0041C1FA(_t112, __eflags, "<CurXRes>", _t111);
                                                                          											if(__eflags == 0) {
                                                                          												__eflags = E0041C1FA(_t112, __eflags, "<CurYRes>", _t111);
                                                                          												if(__eflags == 0) {
                                                                          													__eflags = E0041C1FA(_t112, __eflags, "<CurBPP>", _t111);
                                                                          													if(__eflags == 0) {
                                                                          														__eflags = E0041C1FA(_t112, __eflags, "<RAM>", _t111);
                                                                          														if(__eflags == 0) {
                                                                          															_t38 = E0041C1FA(_t112, __eflags, "<DirectXVer>", _t111);
                                                                          															__eflags = _t38;
                                                                          															if(_t38 == 0) {
                                                                          																goto L44;
                                                                          															}
                                                                          															_t98 =  *0x47e6f4; // 0x9
                                                                          															__eflags = _t98 - 0xffffffff;
                                                                          															if(_t98 == 0xffffffff) {
                                                                          																_t98 = E0041FEF9();
                                                                          																 *0x47e6f4 = _t98;
                                                                          															}
                                                                          															return _t98 >> 0x00000010 | (_t98 & 0x0000ffff) << 0x00000010;
                                                                          														}
                                                                          														_t101 =  *0x47e6f0; // 0xffffffff
                                                                          														__eflags = _t101 - 0xffffffff;
                                                                          														if(_t101 == 0xffffffff) {
                                                                          															_v48.dwLength = 0x20;
                                                                          															GlobalMemoryStatus( &_v48);
                                                                          															_t101 = _v48.dwTotalPhys >> 0x14;
                                                                          															_t45 = _t101;
                                                                          															_t113 = 2;
                                                                          															asm("cdq");
                                                                          															 *0x47e6f0 = _t101;
                                                                          															__eflags = _t45 % _t113;
                                                                          															if(_t45 % _t113 != 0) {
                                                                          																_t101 = _t101 + 1;
                                                                          																__eflags = _t101;
                                                                          																 *0x47e6f0 = _t101;
                                                                          															}
                                                                          														}
                                                                          														return _t101;
                                                                          													}
                                                                          													__eflags =  *0x47e6ec - 0xffffffff;
                                                                          													if( *0x47e6ec == 0xffffffff) {
                                                                          														_t114 = GetDC( *0x47e178);
                                                                          														 *0x47e6ec = GetDeviceCaps(_t114, 0xc);
                                                                          														ReleaseDC( *0x47e178, _t114);
                                                                          													}
                                                                          													_t47 =  *0x47e6ec; // 0xffffffff
                                                                          													return _t47;
                                                                          												}
                                                                          												__eflags =  *0x47e6e8 - 0xffffffff;
                                                                          												if( *0x47e6e8 == 0xffffffff) {
                                                                          													_t115 = GetDC( *0x47e178);
                                                                          													 *0x47e6e8 = GetDeviceCaps(_t115, 0xa);
                                                                          													ReleaseDC( *0x47e178, _t115);
                                                                          												}
                                                                          												_t51 =  *0x47e6e8; // 0xffffffff
                                                                          												return _t51;
                                                                          											}
                                                                          											__eflags =  *0x47e6e4 - 0xffffffff;
                                                                          											if( *0x47e6e4 == 0xffffffff) {
                                                                          												_t116 = GetDC( *0x47e178);
                                                                          												 *0x47e6e4 = GetDeviceCaps(_t116, 8);
                                                                          												ReleaseDC( *0x47e178, _t116);
                                                                          											}
                                                                          											_t55 =  *0x47e6e4; // 0xffffffff
                                                                          											return _t55;
                                                                          										}
                                                                          										_t59 =  *0x47e1e8; // 0x23f0
                                                                          										return _t59 & 0x0000ffff;
                                                                          									}
                                                                          									_t61 =  *0x47e60c; // 0x0
                                                                          									return _t61;
                                                                          								}
                                                                          								__eflags =  *0x47e6dc - 0xffffffff;
                                                                          								if( *0x47e6dc == 0xffffffff) {
                                                                          									E004066E0(_t90, _t109,  &_v12,  &_a4,  &_v8,  &_v16);
                                                                          									 *0x47e6dc = _a4;
                                                                          									 *0x47e6e0 = _v8;
                                                                          								}
                                                                          								_t62 =  *0x47e6e0; // 0xffffffff
                                                                          								return _t62;
                                                                          							}
                                                                          							_t70 =  *0x47e6dc; // 0xffffffff
                                                                          							__eflags = _t70 - 0xffffffff;
                                                                          							if(_t70 != 0xffffffff) {
                                                                          								L45:
                                                                          								return _t70;
                                                                          							}
                                                                          							E004066E0(_t89, _t109,  &_v16,  &_a4,  &_v8,  &_v12);
                                                                          							_t76 = _a4;
                                                                          							 *0x47e6dc = _t76;
                                                                          							 *0x47e6e0 = _v8;
                                                                          							return _t76;
                                                                          						}
                                                                          						_t70 =  *0x47e6d8; // 0xffffffff
                                                                          						__eflags = _t70 - 0xffffffff;
                                                                          						if(__eflags != 0) {
                                                                          							goto L45;
                                                                          						}
                                                                          						_t77 = E00406C98(_t88, __eflags);
                                                                          						 *0x47e6d8 = _t77;
                                                                          						return _t77;
                                                                          					} else {
                                                                          						goto L4;
                                                                          					}
                                                                          					while(1) {
                                                                          						L4:
                                                                          						_t86 = E0041E860(0x47e4d0, _a4);
                                                                          						_t79 = E0041C176(_t86, __eflags, _t112, _t111);
                                                                          						__eflags = _t79;
                                                                          						if(_t79 != 0) {
                                                                          							break;
                                                                          						}
                                                                          						_a4 = _a4 + 1;
                                                                          						__eflags = _a4 -  *0x47e4dc; // 0x8
                                                                          						if(__eflags < 0) {
                                                                          							continue;
                                                                          						}
                                                                          						goto L6;
                                                                          					}
                                                                          					__eflags =  *((intOrPtr*)(_t86 + 0x10)) - 0xffffffff;
                                                                          					if(__eflags != 0) {
                                                                          						E0041AACD(0x47dfb8, __eflags, _a4);
                                                                          					}
                                                                          					return  *((intOrPtr*)(_t86 + 0x54));
                                                                          				}
                                                                          				return E00424FC3(_t112, E0041CD1E(_t112));
                                                                          			}






























                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocLockUnlock
                                                                          • String ID: $<CPUFlags>$<CPUSpeed>$<CPUType>$<CurBPP>$<CurXRes>$<CurYRes>$<DirectXVer>$<LanguageID>$<OSBuild>$<RAM>
                                                                          • API String ID: 3972497268-815162245
                                                                          • Opcode ID: bcd4e52eb266c46fd5636fc65d7aca031b21fa9503f878899f2192197056ed69
                                                                          • Instruction ID: 3105dd021db19612d1c9d2ca186850fd31b29f9c8cd7eefb7947060dc7c6eec1
                                                                          • Opcode Fuzzy Hash: bcd4e52eb266c46fd5636fc65d7aca031b21fa9503f878899f2192197056ed69
                                                                          • Instruction Fuzzy Hash: 1F81D730600214ABDB14DF2AEC459EE3775EB99714B90437BF916AB2D1C73C89C28B8D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 90%
                                                                          			E00409446(struct HWND__* _a4) {
                                                                          				char _v16;
                                                                          				void* _t42;
                                                                          				struct HWND__* _t60;
                                                                          
                                                                          				_t60 = _a4;
                                                                          				if( *0x42bf98 <= 0) {
                                                                          					EnableWindow(GetDlgItem(_t60, 3), 0);
                                                                          				}
                                                                          				_t42 = 0x47e850;
                                                                          				if(( *0x47e193 & 0x00000002) == 0) {
                                                                          					_t42 = 0x47e930;
                                                                          				}
                                                                          				SetWindowTextA(_t60, E0041CD1E(_t42));
                                                                          				E0041BDC5( &_v16);
                                                                          				_push(E0041CD1E(0x47e350));
                                                                          				_push(E0041CD1E(0x47e350));
                                                                          				E0041C467( &_v16, E0041CD1E(0x47e93c));
                                                                          				SetDlgItemTextA(_t60, 0xa, E0041CD1E( &_v16));
                                                                          				SetDlgItemTextA(_t60, 0xb, E0041CD1E(0x47e948));
                                                                          				SetDlgItemTextA(_t60, 0xc, E0041CD1E(0x47e954));
                                                                          				SetDlgItemTextA(_t60, 0xd, E0041CD1E(0x47e960));
                                                                          				SetDlgItemTextA(_t60, 0xe, E0041CD1E(0x47e96c));
                                                                          				SetDlgItemTextA(_t60, 3, E0041CD1E(0x47e8a0));
                                                                          				SetDlgItemTextA(_t60, 1, E0041CD1E(0x47e8d0));
                                                                          				SetDlgItemTextA(_t60, 2, E0041CD1E(0x47e8b8));
                                                                          				if(E00419E8A() != 0) {
                                                                          					SetDlgItemTextA(_t60, 1, E0041CD1E(0x47e8c4));
                                                                          				}
                                                                          				if( *0x47e114 != 0) {
                                                                          					SetDlgItemTextA(_t60, 0x41f, E0041CD1E(0x47df68));
                                                                          					E0040EFE7();
                                                                          				}
                                                                          				E0041BEFB( &_v16);
                                                                          				return 1;
                                                                          			}







                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: ItemText$Window$Enable
                                                                          • String ID: 0G$<G$HG$PG$PG$TG$`G$lG
                                                                          • API String ID: 43940206-1470656634
                                                                          • Opcode ID: 9e0cf94691ae7aae7209686407adddb972dc44465b93ee7827a8b19faa09c670
                                                                          • Instruction ID: 6f7eff01a6f98409c8fd215d112adea29b7d19b614916cbc6a3e109e305d1433
                                                                          • Opcode Fuzzy Hash: 9e0cf94691ae7aae7209686407adddb972dc44465b93ee7827a8b19faa09c670
                                                                          • Instruction Fuzzy Hash: 8E3194B1A4010976E61573665C96FFE1A5E8B85B48F10817FB606B61C3CF6C0882967E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 88%
                                                                          			E00409637(intOrPtr __ecx, struct HWND__* _a4) {
                                                                          				intOrPtr _v8;
                                                                          				intOrPtr _v12;
                                                                          				intOrPtr _v16;
                                                                          				intOrPtr _v20;
                                                                          				signed char _v23;
                                                                          				long _v24;
                                                                          				intOrPtr _v28;
                                                                          				char _v40;
                                                                          				char _v52;
                                                                          				CHAR* _t54;
                                                                          				void* _t73;
                                                                          				CHAR* _t74;
                                                                          				intOrPtr _t86;
                                                                          				void* _t99;
                                                                          				intOrPtr _t105;
                                                                          				struct HWND__* _t115;
                                                                          				void* _t119;
                                                                          				void* _t123;
                                                                          				intOrPtr _t156;
                                                                          				void* _t157;
                                                                          				void* _t158;
                                                                          				intOrPtr _t165;
                                                                          				void* _t169;
                                                                          
                                                                          				_v28 = __ecx;
                                                                          				if( *0x42bf98 <= 0) {
                                                                          					EnableWindow(GetDlgItem(_a4, 3), 0);
                                                                          				}
                                                                          				_t119 = 0x47e850;
                                                                          				if(( *0x47e193 & 0x00000002) == 0) {
                                                                          					_t119 = 0x47e978;
                                                                          				}
                                                                          				_t54 = E0041CD1E(_t119);
                                                                          				_t115 = _a4;
                                                                          				SetWindowTextA(_t115, _t54);
                                                                          				SetDlgItemTextA(_t115, 0xa, E0041CD1E(0x47e984));
                                                                          				SetDlgItemTextA(_t115, 0xb, E0041CD1E(0x47e990));
                                                                          				SetDlgItemTextA(_t115, 3, E0041CD1E(0x47e8a0));
                                                                          				_t123 = 0x47e8f4;
                                                                          				if( *0x47e6c0 == 0) {
                                                                          					_t123 = 0x47e8d0;
                                                                          				}
                                                                          				SetDlgItemTextA(_t115, 1, E0041CD1E(_t123));
                                                                          				SetDlgItemTextA(_t115, 2, E0041CD1E(0x47e8b8));
                                                                          				E0041BDC5( &_v52);
                                                                          				if(E0041C8FD(0x47e2f0, 0x30) == 0) {
                                                                          					L22:
                                                                          					_v24 = GetWindowLongA(GetDlgItem(_a4, 0xc), 0xfffffff0);
                                                                          					SendMessageA(GetDlgItem(_a4, 0xc), 0xcf, 0, 0);
                                                                          					_t73 = E004070D7(_v28, GetDlgItem(_a4, 0xc));
                                                                          					if(_t73 == 0 ||  *((intOrPtr*)(_t73 + 8)) != 6 || ( *0x47e191 & 0x00000001) != 0) {
                                                                          						_t74 = E0041CD1E( &_v52);
                                                                          						SetWindowTextA(GetDlgItem(_a4, 0xc), _t74);
                                                                          					} else {
                                                                          						E0041D8DA( *((intOrPtr*)(_t73 + 0x50)),  &_v52);
                                                                          					}
                                                                          					if((_v23 & 0x00000008) != 0) {
                                                                          						SendMessageA(GetDlgItem(_a4, 0xc), 0xcf, 1, 0);
                                                                          					}
                                                                          					if( *0x47e114 != 0) {
                                                                          						SetDlgItemTextA(_a4, 0x41f, E0041CD1E(0x47df68));
                                                                          						E0040EFE7();
                                                                          					}
                                                                          					goto L31;
                                                                          				} else {
                                                                          					_v8 = E0041C8FD(0x47e2f0, 0x34);
                                                                          					_t86 = E0041C8FD(0x47e2f0, 0x38);
                                                                          					_t156 = 0;
                                                                          					_v24 = _t86;
                                                                          					if(_v8 == 0) {
                                                                          						L31:
                                                                          						E0041BEFB( &_v52);
                                                                          						return 1;
                                                                          					}
                                                                          					_t165 = _t86;
                                                                          					if(_t165 == 0) {
                                                                          						goto L31;
                                                                          					}
                                                                          					_v12 = 0;
                                                                          					if(_t165 <= 0) {
                                                                          						goto L22;
                                                                          					}
                                                                          					while(1) {
                                                                          						E0041BDC5( &_v40);
                                                                          						if(E0041CAC5( &_v40, E0041CD1E(0x47e6c8), _v8 + _t156, 4) < 0) {
                                                                          							break;
                                                                          						}
                                                                          						_t157 = _t156 + 4;
                                                                          						_v20 = E0041C8FD( &_v40, 0);
                                                                          						_t99 = E0041CAC5( &_v40, E0041CD1E(0x47e6c8), _v8 + _t157, 4);
                                                                          						_push(0);
                                                                          						if(_t99 < 0) {
                                                                          							L20:
                                                                          							_push(E0041CD1E(0x47e99c));
                                                                          							_push(_a4);
                                                                          							E0041B2A8();
                                                                          							E0041BEFB( &_v40);
                                                                          							goto L31;
                                                                          						}
                                                                          						_v16 = E0041C8FD( &_v40);
                                                                          						_t158 = _t157 + 4;
                                                                          						if(E0041CAC5( &_v40, E0041CD1E(0x47e6c8), _v8 + _t158, _t100) < 0) {
                                                                          							break;
                                                                          						}
                                                                          						_t105 = _v20;
                                                                          						_t156 = _t158 + _v16;
                                                                          						_t169 = _t105 -  *0x47e60c; // 0x0
                                                                          						if(_t169 == 0) {
                                                                          							E0041BF80( &_v52,  &_v40);
                                                                          							E0041BEFB( &_v40);
                                                                          							goto L22;
                                                                          						}
                                                                          						if(_t105 == 0) {
                                                                          							E0041BF80( &_v52,  &_v40);
                                                                          						}
                                                                          						E0041BEFB( &_v40);
                                                                          						_v12 = _v12 + 1;
                                                                          						if(_v12 < _v24) {
                                                                          							continue;
                                                                          						} else {
                                                                          							goto L22;
                                                                          						}
                                                                          					}
                                                                          					_push(0);
                                                                          					goto L20;
                                                                          				}
                                                                          			}



























                                                                          APIs
                                                                          • GetDlgItem.USER32 ref: 00409659
                                                                          • EnableWindow.USER32(00000000), ref: 0040965C
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                            • Part of subcall function 0041CAC5: CreateFileA.KERNEL32(0047DFB8,80000000,00000001,00000000,00000003,00000080,00000000,74E5FBD0,0047E2F0,00000000,?,0047DFB8), ref: 0041CAE5
                                                                          • SetWindowTextA.USER32(?,00000000), ref: 0040967F
                                                                          • SetDlgItemTextA.USER32 ref: 00409699
                                                                          • SetDlgItemTextA.USER32 ref: 004096A9
                                                                          • SetDlgItemTextA.USER32 ref: 004096B9
                                                                          • SetDlgItemTextA.USER32 ref: 004096D7
                                                                          • SetDlgItemTextA.USER32 ref: 004096E7
                                                                          • GetDlgItem.USER32 ref: 00409838
                                                                          • GetWindowLongA.USER32 ref: 0040983B
                                                                          • GetDlgItem.USER32 ref: 00409853
                                                                          • SendMessageA.USER32(00000000), ref: 0040985C
                                                                          • GetDlgItem.USER32 ref: 00409863
                                                                          • GetDlgItem.USER32 ref: 0040989F
                                                                          • SetWindowTextA.USER32(00000000), ref: 004098A2
                                                                            • Part of subcall function 0041BF80: GlobalUnlock.KERNEL32(?,00000000,00000000,004079C1,00000000), ref: 0041BF87
                                                                            • Part of subcall function 0041BF80: GlobalReAlloc.KERNEL32 ref: 0041BF9B
                                                                            • Part of subcall function 0041BF80: GlobalLock.KERNEL32 ref: 0041BFBC
                                                                          • GetDlgItem.USER32 ref: 004098B8
                                                                          • SendMessageA.USER32(00000000), ref: 004098BB
                                                                          • SetDlgItemTextA.USER32 ref: 004098D9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Item$Text$Global$Window$AllocLockMessageSendUnlock$CreateEnableFileLong
                                                                          • String ID: PG$xG
                                                                          • API String ID: 3181886133-570473810
                                                                          • Opcode ID: c42083a09af4f97d8826f838adace99b710d5d26bb73f142417c0969db62e7a4
                                                                          • Instruction ID: deb672f3dba8153a638bbbe562cc6a0016075999e4d0a6927899504e7a5f6053
                                                                          • Opcode Fuzzy Hash: c42083a09af4f97d8826f838adace99b710d5d26bb73f142417c0969db62e7a4
                                                                          • Instruction Fuzzy Hash: E971A271A40208AAEB10FB62CD96FEE7B69AF44344F10447FF605B62D2CF795D41CA68
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 91%
                                                                          			E0040B314(struct HWND__* _a4) {
                                                                          				char _v16;
                                                                          				CHAR* _t22;
                                                                          				void* _t52;
                                                                          				struct HWND__* _t72;
                                                                          
                                                                          				_t72 = _a4;
                                                                          				if( *0x42bf98 <= 0) {
                                                                          					EnableWindow(GetDlgItem(_t72, 3), 0);
                                                                          				}
                                                                          				_t52 = 0x47e850;
                                                                          				if(( *0x47e193 & 0x00000002) == 0) {
                                                                          					_t52 = 0x47ec00;
                                                                          				}
                                                                          				SetWindowTextA(_t72, E0041CD1E(_t52));
                                                                          				SetDlgItemTextA(_t72, 3, E0041CD1E(0x47e8a0));
                                                                          				SetDlgItemTextA(_t72, 1, E0041CD1E(0x47e8d0));
                                                                          				SetDlgItemTextA(_t72, 2, E0041CD1E(0x47e8b8));
                                                                          				SetDlgItemTextA(_t72, 4, E0041CD1E(0x47e8ac));
                                                                          				if(E00419E8A() != 0) {
                                                                          					SetDlgItemTextA(_t72, 1, E0041CD1E(0x47e8c4));
                                                                          				}
                                                                          				_t22 = E0041CD1E(0x47e338);
                                                                          				SetWindowTextA(GetDlgItem(_t72, 0xa), _t22);
                                                                          				E0041BDC5( &_v16);
                                                                          				_push(E0041CD1E(0x47e350));
                                                                          				E0041C467( &_v16, E0041CD1E(0x47ec0c));
                                                                          				SetDlgItemTextA(_t72, 0x1e, E0041CD1E( &_v16));
                                                                          				E0041BF12( &_v16, 0x42e0c8);
                                                                          				_push(E0041CD1E(0x47e35c));
                                                                          				E0041C467( &_v16, E0041CD1E(0x47ec18));
                                                                          				SetDlgItemTextA(_t72, 0x1f, E0041CD1E( &_v16));
                                                                          				SetDlgItemTextA(_t72, 0x20, E0041CD1E(0x47ec24));
                                                                          				SendDlgItemMessageA(_t72, 0xa, 0xc5, 0x103, 0);
                                                                          				if( *0x47e114 != 0) {
                                                                          					SetDlgItemTextA(_t72, 0x41f, E0041CD1E(0x47df68));
                                                                          					E0040EFE7();
                                                                          				}
                                                                          				E0041BEFB( &_v16);
                                                                          				return 1;
                                                                          			}







                                                                          APIs
                                                                          • GetDlgItem.USER32 ref: 0040B334
                                                                          • EnableWindow.USER32(00000000), ref: 0040B337
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          • SetWindowTextA.USER32(?,00000000), ref: 0040B357
                                                                          • SetDlgItemTextA.USER32 ref: 0040B371
                                                                          • SetDlgItemTextA.USER32 ref: 0040B381
                                                                          • SetDlgItemTextA.USER32 ref: 0040B391
                                                                          • SetDlgItemTextA.USER32 ref: 0040B3A1
                                                                          • SetDlgItemTextA.USER32 ref: 0040B3BF
                                                                          • GetDlgItem.USER32 ref: 0040B3CF
                                                                          • SetWindowTextA.USER32(00000000), ref: 0040B3D2
                                                                          • SetDlgItemTextA.USER32 ref: 0040B40E
                                                                          • SetDlgItemTextA.USER32 ref: 0040B44B
                                                                          • SetDlgItemTextA.USER32 ref: 0040B45B
                                                                          • SendDlgItemMessageA.USER32(?,0000000A,000000C5,00000103,00000000), ref: 0040B46C
                                                                          • SetDlgItemTextA.USER32 ref: 0040B48C
                                                                            • Part of subcall function 0040EFE7: CreateFontA.GDI32(0000001E,00000000,0000005A,0000005A,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,Times New Roman), ref: 0040F017
                                                                            • Part of subcall function 0040EFE7: SelectObject.GDI32(00000000), ref: 0040F027
                                                                            • Part of subcall function 0040EFE7: SetTextColor.GDI32(000A0A0A), ref: 0040F03E
                                                                            • Part of subcall function 0040EFE7: TextOutA.GDI32(0000000C,0000006F,00000000), ref: 0040F061
                                                                            • Part of subcall function 0040EFE7: SetTextColor.GDI32(000000FF), ref: 0040F06F
                                                                            • Part of subcall function 0040EFE7: TextOutA.GDI32(0000000A,0000006E,00000000), ref: 0040F08C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp Download File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Text$Item$GlobalWindow$Color$AllocCreateEnableFontLockMessageObjectSelectSendUnlock
                                                                          • String ID: $G$8G$PG$PG$\G
                                                                          • API String ID: 1413699155-721960894
                                                                          • Opcode ID: a0d9d8fccdb9081172e89fa577caae926867bca15e60fbfc26177545783e6c0e
                                                                          • Instruction ID: d30331ef3bcde2c4e3323b7d76a48e8f567f138a6d1759f739aa7ffe92caea70
                                                                          • Opcode Fuzzy Hash: a0d9d8fccdb9081172e89fa577caae926867bca15e60fbfc26177545783e6c0e
                                                                          • Instruction Fuzzy Hash: 1E31A770A4010876E21573666C9AFFE2A2DDF89B48F10857FF605A61C2CF6C1981967E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00415C0F(struct HMENU__* __ecx) {
                                                                          				struct HMENU__* _v8;
                                                                          				struct _WNDCLASSA _v48;
                                                                          				struct HINSTANCE__* _t27;
                                                                          				signed char _t33;
                                                                          				int _t35;
                                                                          				struct HWND__* _t37;
                                                                          				struct HMENU__* _t38;
                                                                          				int _t40;
                                                                          				long _t48;
                                                                          				intOrPtr _t52;
                                                                          				int _t54;
                                                                          				intOrPtr _t60;
                                                                          				CHAR* _t62;
                                                                          				intOrPtr _t69;
                                                                          				intOrPtr _t72;
                                                                          
                                                                          				_t27 =  *0x47e17c; // 0x400000
                                                                          				_v8 = __ecx;
                                                                          				_v48.style = 3;
                                                                          				_v48.lpfnWndProc = E00405A9B;
                                                                          				_v48.cbClsExtra = 0;
                                                                          				_v48.cbWndExtra = 0;
                                                                          				_v48.hInstance = _t27;
                                                                          				_v48.hIcon = LoadIconA(_t27, 0x65);
                                                                          				_v48.hCursor = LoadCursorA(0, 0x7f00);
                                                                          				_t62 = "AstrumInstaller";
                                                                          				_v48.hbrBackground = 0;
                                                                          				_v48.lpszMenuName = 0;
                                                                          				_v48.lpszClassName = _t62;
                                                                          				RegisterClassA( &_v48);
                                                                          				if(SystemParametersInfoA(0x30, 0, 0x47e168, 0) == 0) {
                                                                          					GetWindowRect(GetDesktopWindow(), 0x47e168);
                                                                          				}
                                                                          				_t33 =  *0x47e84c; // 0x10
                                                                          				if((_t33 & 0x00000010) == 0) {
                                                                          					if((_t33 & 0x00000001) != 0) {
                                                                          						0x47e168->left = 0;
                                                                          						 *0x47e16c = 0;
                                                                          						 *0x47e170 = GetSystemMetrics(0);
                                                                          						 *0x47e174 = GetSystemMetrics(1);
                                                                          						_t33 =  *0x47e84c; // 0x10
                                                                          					}
                                                                          					_t48 = 0x80000000;
                                                                          				} else {
                                                                          					_t48 = 0x1cf0000;
                                                                          					if((_t33 & 0x00000001) != 0) {
                                                                          						_t48 = 0x81ca0000;
                                                                          					}
                                                                          				}
                                                                          				if((_t33 & 0x00000002) == 0) {
                                                                          					L10:
                                                                          					_t48 = 0x80000000;
                                                                          					SetRectEmpty(0x47e168);
                                                                          					goto L11;
                                                                          				} else {
                                                                          					_t69 =  *0x47e610; // 0x0
                                                                          					if(_t69 == 0) {
                                                                          						L11:
                                                                          						_t35 =  *0x47e16c; // 0x0
                                                                          						_t52 =  *0x47e174; // 0x0
                                                                          						_t60 =  *0x47e170; // 0x0
                                                                          						_t54 = 0x47e168->left; // 0x0
                                                                          						_t37 = CreateWindowExA(0, _t62, E0041CD1E(0x47e850), _t48, _t54, _t35, _t60 - _t54, _t52 - _t35, 0, 0,  *0x47e17c, 0);
                                                                          						 *0x47e178 = _t37;
                                                                          						_v8->i = _t37;
                                                                          						_t38 = GetSystemMenu( *0x47e178, 0);
                                                                          						_v8 = _t38;
                                                                          						AppendMenuA(_t38, 0x800, 2, "-");
                                                                          						_t40 = AppendMenuA(_v8, 0, 1, "About...");
                                                                          						if(( *0x47e84c & 0x00000010) != 0) {
                                                                          							_t40 = GetClientRect( *0x47e178, 0x47e168);
                                                                          						}
                                                                          						if(( *0x47e84c & 0x00000002) == 0) {
                                                                          							L17:
                                                                          							return _t40;
                                                                          						} else {
                                                                          							_t72 =  *0x47e610; // 0x0
                                                                          							if(_t72 != 0) {
                                                                          								goto L17;
                                                                          							}
                                                                          							_t40 = E0040EE9C();
                                                                          							if(_t40 != 0) {
                                                                          								goto L17;
                                                                          							}
                                                                          							return E0041B2CC(0x47dfb8, 0, "Graphics initialization failed", E0041CD1E(0x47e850), 0x30);
                                                                          						}
                                                                          					}
                                                                          					goto L10;
                                                                          				}
                                                                          			}


















                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: System$MenuRectWindow$AppendLoadMetrics$ClassClientCreateCursorDesktopEmptyIconInfoParametersRegister
                                                                          • String ID: About...$AstrumInstaller$Graphics initialization failed$PG$hG
                                                                          • API String ID: 465687589-1226465133
                                                                          • Opcode ID: 77b50cf9f7da1eaea1bfab1b0edd4f534d28b8b0f47e48231d6c08afcebacf7d
                                                                          • Instruction ID: 097d18280a4a8a077a5ed2b2894a9038ec6d3db9919c27a42d9944593a3069de
                                                                          • Opcode Fuzzy Hash: 77b50cf9f7da1eaea1bfab1b0edd4f534d28b8b0f47e48231d6c08afcebacf7d
                                                                          • Instruction Fuzzy Hash: 83416570A01314EFE7119F66AC49AEF7FA8EB4DB04F90426AF905A6251CB750881CB9C
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 86%
                                                                          			E004155D2(intOrPtr __ecx, char _a4, CHAR* _a8) {
                                                                          				long _v8;
                                                                          				char _v20;
                                                                          				char _v32;
                                                                          				char _v44;
                                                                          				intOrPtr _v48;
                                                                          				void* _v52;
                                                                          				struct _PROCESS_INFORMATION _v68;
                                                                          				struct _STARTUPINFOA _v136;
                                                                          				char _v396;
                                                                          				char _v656;
                                                                          				int _t59;
                                                                          				void* _t61;
                                                                          				int _t78;
                                                                          				long _t81;
                                                                          				void* _t92;
                                                                          				void* _t101;
                                                                          				void* _t108;
                                                                          				void* _t110;
                                                                          				void* _t114;
                                                                          				void* _t115;
                                                                          				CHAR* _t123;
                                                                          				void* _t125;
                                                                          				void* _t128;
                                                                          				char* _t139;
                                                                          				void* _t161;
                                                                          				long _t163;
                                                                          				long _t164;
                                                                          				char* _t165;
                                                                          				void* _t166;
                                                                          				void* _t167;
                                                                          				void* _t171;
                                                                          
                                                                          				_t123 = 0;
                                                                          				_t171 =  *0x47f27c - _t123; // 0x1
                                                                          				_v48 = __ecx;
                                                                          				if(_t171 != 0) {
                                                                          					_a4 = 1;
                                                                          				}
                                                                          				if(_a4 != _t123) {
                                                                          					_t161 = 0x47dfb8;
                                                                          					L14:
                                                                          					__eflags = _a8 - _t123;
                                                                          					if(_a8 != _t123) {
                                                                          						lstrcpyA( &_v396, _a8);
                                                                          					} else {
                                                                          						E004229A8( &_v396);
                                                                          					}
                                                                          					_t59 = E0040DF52( &_v396);
                                                                          					__eflags = _t59;
                                                                          					_pop(_t125);
                                                                          					if(_t59 != 0) {
                                                                          						_t61 = E00424D20(_t125,  &_v396, 0x5c);
                                                                          						_t128 = 1;
                                                                          						lstrcpynA( &_v656,  &_v396, _t61 + _t128 -  &_v396);
                                                                          						_t163 = 0x44;
                                                                          						E00424500( &_v136, _t123, _t163);
                                                                          						_v136.cb = _t163;
                                                                          						E00424500( &_v68, _t123, 0x10);
                                                                          						E0041BDC5( &_v32);
                                                                          						_push( &_v396);
                                                                          						E0041C467( &_v32, "\"%s\" ");
                                                                          						__eflags = _a4 - _t123;
                                                                          						if(_a4 != _t123) {
                                                                          							E0041C047( &_v32, "/SILENT /NOREMOVE", _t123);
                                                                          						}
                                                                          						_t78 = CreateProcessA(_t123, E0041CD1E( &_v32), _t123, _t123, _t123, 0x4000000, _t123,  &_v656,  &_v136,  &_v68);
                                                                          						__eflags = _t78;
                                                                          						if(_t78 != 0) {
                                                                          							_v52 = _v68.hProcess;
                                                                          							while(1) {
                                                                          								_push(0xff);
                                                                          								_push(0xffffffff);
                                                                          								_push(_t123);
                                                                          								_push( &_v52);
                                                                          								_t164 = 1;
                                                                          								_t81 = MsgWaitForMultipleObjects(_t164, ??, ??, ??, ??);
                                                                          								__eflags = _t81 - _t123;
                                                                          								if(_t81 == _t123) {
                                                                          									break;
                                                                          								}
                                                                          								__eflags = _t81 - _t164;
                                                                          								if(_t81 != _t164) {
                                                                          									break;
                                                                          								}
                                                                          								_t101 = E0041A207();
                                                                          								__eflags = _t101 - 0xffffffff;
                                                                          								if(_t101 != 0xffffffff) {
                                                                          									continue;
                                                                          								}
                                                                          								goto L34;
                                                                          							}
                                                                          							Sleep(0x32);
                                                                          							_v8 = _t164;
                                                                          							GetExitCodeProcess(_v68,  &_v8);
                                                                          							__eflags = _v8 - _t164;
                                                                          							if(_v8 == _t164) {
                                                                          								DeleteFileA( &_v396);
                                                                          							}
                                                                          							__eflags = _a4 - _t123;
                                                                          							if(_a4 == _t123) {
                                                                          								__eflags = _v8 - _t123;
                                                                          								if(_v8 != _t123) {
                                                                          									L42:
                                                                          									E0041BEFB( &_v32);
                                                                          									goto L43;
                                                                          								}
                                                                          								_t165 = E0041D46F("<__Internal_InstallationNotRemoved__>");
                                                                          								__eflags = _t165 - _t123;
                                                                          								if(_t165 == _t123) {
                                                                          									_t165 = "The installation was not removed. Do you still want to re-install?";
                                                                          								}
                                                                          								E0041BDC5( &_v20);
                                                                          								_push(E0041CD1E(0x47e350));
                                                                          								E0041C467( &_v20, _t165);
                                                                          								_t92 = E0041B2CC(_t161, _t123, E0041CD1E( &_v20), _t123, 0x104);
                                                                          								__eflags = _t92 - 7;
                                                                          								if(_t92 != 7) {
                                                                          									E0041BEFB( &_v20);
                                                                          									goto L42;
                                                                          								} else {
                                                                          									E0041BEFB( &_v20);
                                                                          									E0041BEFB( &_v32);
                                                                          									return 0;
                                                                          								}
                                                                          							} else {
                                                                          								goto L33;
                                                                          							}
                                                                          						} else {
                                                                          							__eflags = _a4 - _t123;
                                                                          							if(_a4 == _t123) {
                                                                          								E0041B2A8(_t123, "Couldn\'t launch uninstaller. Previous installation was not removed!", _t123);
                                                                          							}
                                                                          							L33:
                                                                          							_t123 = 1;
                                                                          							L34:
                                                                          							_t139 =  &_v32;
                                                                          							L35:
                                                                          							E0041BEFB(_t139);
                                                                          							return _t123;
                                                                          						}
                                                                          					} else {
                                                                          						__eflags = _a4 - _t123;
                                                                          						if(_a4 == _t123) {
                                                                          							E0041B2A8(_t123, "Couldn\'t find uninstaller. Previous installation was not removed!", _t123);
                                                                          						}
                                                                          						L43:
                                                                          						return 1;
                                                                          					}
                                                                          				}
                                                                          				E0041BE35( &_v44, "%s is already installed on your system. It is highly recommended to uninstall the application before re-installing. Do you want to uninstall %s before re-installing?");
                                                                          				_t108 = E0041D46F("<__Internal_AlreadyInstalled__>");
                                                                          				_t162 = _t108;
                                                                          				if(_t108 == _t123) {
                                                                          					L8:
                                                                          					E0041BDC5( &_v20);
                                                                          					_t110 = E0041CD1E(0x47e350);
                                                                          					_push(_t110);
                                                                          					_push(_t110);
                                                                          					E0041C467( &_v20, E0041CD1E( &_v44));
                                                                          					_t167 = _t167 + 0x10;
                                                                          					_t114 = E0041CD1E( &_v20);
                                                                          					_t161 = 0x47dfb8;
                                                                          					_t115 = E0041B2CC(0x47dfb8, _t123, _t114, _t123, 3);
                                                                          					if(_t115 == 2) {
                                                                          						L11:
                                                                          						E0041BEFB( &_v20);
                                                                          						_t139 =  &_v44;
                                                                          						goto L35;
                                                                          					}
                                                                          					if(_t115 != 7) {
                                                                          						E0041BEFB( &_v20);
                                                                          						E0041BEFB( &_v44);
                                                                          						goto L14;
                                                                          					}
                                                                          					_t123 = 1;
                                                                          					goto L11;
                                                                          				}
                                                                          				_t166 = 0;
                                                                          				if(E004248B0(_t162, 0x25) == _t123) {
                                                                          					L7:
                                                                          					E0041BF12( &_v44, _t162);
                                                                          					E0041CBF9( &_v44, _t176, "<\\n>", "\n", _t123, _t123, 1);
                                                                          					goto L8;
                                                                          				} else {
                                                                          					goto L5;
                                                                          				}
                                                                          				do {
                                                                          					L5:
                                                                          					_t166 = _t166 + 1;
                                                                          				} while (_t119 != _t123);
                                                                          				_t176 = _t166 - 3;
                                                                          				if(_t166 >= 3) {
                                                                          					goto L8;
                                                                          				}
                                                                          				goto L7;
                                                                          			}

                                                                          0x00415659
                                                                          0x0041565c
                                                                          0x00415666
                                                                          0x0041566b
                                                                          0x0041566c
                                                                          0x0041567a
                                                                          0x0041567f
                                                                          0x00415688
                                                                          0x0041568d
                                                                          0x00415696
                                                                          0x0041569e
                                                                          0x004156a7
                                                                          0x004156aa
                                                                          0x004156af
                                                                          0x00000000
                                                                          0x004156af
                                                                          0x004156a3
                                                                          0x004156ba
                                                                          0x004156c2
                                                                          0x00000000
                                                                          0x004156c2
                                                                          0x004156a5
                                                                          0x00000000
                                                                          0x004156a5
                                                                          0x00415618
                                                                          0x00415623
                                                                          0x0041563a
                                                                          0x0041563e
                                                                          0x00415654
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00415625
                                                                          0x00415625
                                                                          0x00415625
                                                                          0x00415632
                                                                          0x00415635
                                                                          0x00415638
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000

                                                                          APIs
                                                                            • Part of subcall function 0041BEFB: GlobalUnlock.KERNEL32(?,00000000,0041C1E9,00000000,00000010,00000000,0047E4D0,00000000), ref: 0041BF01
                                                                            • Part of subcall function 0041BEFB: GlobalFree.KERNEL32 ref: 0041BF0A
                                                                          • lstrcpyA.KERNEL32(?,00422DD8,74E5FC30,0047E788,00000000), ref: 004156F0
                                                                            • Part of subcall function 004229A8: RegOpenKeyExA.KERNEL32(00000000,00020019,00000000,0047DFB8,0047E788), ref: 004229DD
                                                                            • Part of subcall function 004229A8: RegQueryValueExA.ADVAPI32(00000000,Uninstaller,00000000,00000000,?,0047E788), ref: 004229FF
                                                                            • Part of subcall function 004229A8: lstrcpyA.KERNEL32(0047E788,?), ref: 00422A24
                                                                          • lstrcpynA.KERNEL32(?,?,00000000), ref: 0041574F
                                                                            • Part of subcall function 0041BDC5: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0041C189,00000000,0047E4D0,00000000), ref: 0041BDD5
                                                                            • Part of subcall function 0041BDC5: GlobalLock.KERNEL32 ref: 0041BDDF
                                                                            • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,00000000,?,0042DB90,0047E788), ref: 0041C489
                                                                            • Part of subcall function 0041C467: lstrlenA.KERNEL32(00000000,0042D4D0,00000000,00000000,00000001,00000001), ref: 0041C63F
                                                                            • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407DB6), ref: 0041C649
                                                                          • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000000,00000000,?,?,?), ref: 004157D3
                                                                            • Part of subcall function 0041C047: lstrlenA.KERNEL32(00000000,00422D86,0047E788,004221EF,103,00000000,00000000,00000000,00000000,0047E788,00000000), ref: 0041C04F
                                                                            • Part of subcall function 0041C047: GlobalUnlock.KERNEL32(8415FF57), ref: 0041C067
                                                                            • Part of subcall function 0041C047: GlobalReAlloc.KERNEL32 ref: 0041C074
                                                                            • Part of subcall function 0041C047: GlobalLock.KERNEL32 ref: 0041C095
                                                                          • MsgWaitForMultipleObjects.USER32 ref: 00415808
                                                                          • Sleep.KERNEL32(00000032), ref: 00415827
                                                                          • GetExitCodeProcess.KERNEL32 ref: 00415837
                                                                          • DeleteFileA.KERNEL32(?), ref: 00415849
                                                                            • Part of subcall function 0041A207: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0041A218
                                                                            • Part of subcall function 0041A207: GetMessageA.USER32 ref: 0041A229
                                                                          Strings
                                                                          • <\n>, xrefs: 0041564C
                                                                          • PG, xrefs: 00415661
                                                                          • /SILENT /NOREMOVE, xrefs: 004157A1
                                                                          • %s is already installed on your system. It is highly recommended to uninstall the application before re-installing. Do you want to uninstall %s before re-installing?, xrefs: 004155F8
                                                                          • PG, xrefs: 00415884
                                                                          • <__Internal_AlreadyInstalled__>, xrefs: 00415605
                                                                          • Couldn't launch uninstaller. Previous installation was not removed!, xrefs: 004157E3
                                                                          • "%s" , xrefs: 0041578D
                                                                          • The installation was not removed. Do you still want to re-install?, xrefs: 00415877, 00415892
                                                                          • <__Internal_InstallationNotRemoved__>, xrefs: 00415867
                                                                          • Couldn't find uninstaller. Previous installation was not removed!, xrefs: 00415711
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$lstrlen$AllocLockMessageProcessUnlocklstrcpy$CodeCreateDeleteExitFileFreeMultipleObjectsOpenPeekQuerySleepValueWaitlstrcpyn
                                                                          • String ID: "%s" $%s is already installed on your system. It is highly recommended to uninstall the application before re-installing. Do you want to uninstall %s before re-installing?$/SILENT /NOREMOVE$<\n>$<__Internal_AlreadyInstalled__>$<__Internal_InstallationNotRemoved__>$Couldn't find uninstaller. Previous installation was not removed!$Couldn't launch uninstaller. Previous installation was not removed!$PG$PG$The installation was not removed. Do you still want to re-install?
                                                                          • API String ID: 5953620-3108517879
                                                                          • Opcode ID: a0c72cbc21d4021cace9b81552925521a9cfbd9e81944c9cd3dc9f1d37cb1d68
                                                                          • Instruction ID: a27e536e62ffa8f343b590eff34a559a4dd4de782d666e018237867d81a44d9f
                                                                          • Opcode Fuzzy Hash: a0c72cbc21d4021cace9b81552925521a9cfbd9e81944c9cd3dc9f1d37cb1d68
                                                                          • Instruction Fuzzy Hash: 5A819171940219EADF20FAA1DC85AFE776CEF54318F90406FF106A6181DF385EC58BA9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 84%
                                                                          			E00409999(intOrPtr __ecx, struct HWND__* _a4) {
                                                                          				intOrPtr _v8;
                                                                          				int _v12;
                                                                          				intOrPtr _v16;
                                                                          				intOrPtr _v20;
                                                                          				signed char _v23;
                                                                          				long _v24;
                                                                          				intOrPtr _v28;
                                                                          				char _v40;
                                                                          				char _v52;
                                                                          				void* _t74;
                                                                          				CHAR* _t75;
                                                                          				intOrPtr _t87;
                                                                          				void* _t92;
                                                                          				void* _t100;
                                                                          				intOrPtr _t106;
                                                                          				void* _t122;
                                                                          				void* _t159;
                                                                          				void* _t160;
                                                                          				void* _t161;
                                                                          				intOrPtr _t163;
                                                                          				void* _t173;
                                                                          
                                                                          				_t163 =  *0x42bf98; // 0xffffffff
                                                                          				_v28 = __ecx;
                                                                          				if(_t163 <= 0) {
                                                                          					EnableWindow(GetDlgItem(_a4, 3), 0);
                                                                          				}
                                                                          				_t122 = 0x47e850;
                                                                          				if(( *0x47e193 & 0x00000002) == 0) {
                                                                          					_t122 = 0x47e9a8;
                                                                          				}
                                                                          				SetWindowTextA(_a4, E0041CD1E(_t122));
                                                                          				SetDlgItemTextA(_a4, 3, E0041CD1E(0x47e8a0));
                                                                          				SetDlgItemTextA(_a4, 1, E0041CD1E(0x47e8d0));
                                                                          				SetDlgItemTextA(_a4, 2, E0041CD1E(0x47e8b8));
                                                                          				if(E00419E8A() != 0) {
                                                                          					SetDlgItemTextA(_a4, 1, E0041CD1E(0x47e8c4));
                                                                          				}
                                                                          				E0041BDC5( &_v52);
                                                                          				if(E0041C8FD(0x47e2f0, 0x3c) == 0) {
                                                                          					L22:
                                                                          					_v24 = GetWindowLongA(GetDlgItem(_a4, 0xa), 0xfffffff0);
                                                                          					SendMessageA(GetDlgItem(_a4, 0xa), 0xcf, 0, 0);
                                                                          					_t74 = E004070D7(_v28, GetDlgItem(_a4, 0xa));
                                                                          					if(_t74 == 0 ||  *((intOrPtr*)(_t74 + 8)) != 6 || ( *0x47e191 & 0x00000002) != 0) {
                                                                          						_t75 = E0041CD1E( &_v52);
                                                                          						SetWindowTextA(GetDlgItem(_a4, 0xa), _t75);
                                                                          					} else {
                                                                          						E0041D8DA( *((intOrPtr*)(_t74 + 0x50)),  &_v52);
                                                                          					}
                                                                          					if((_v23 & 0x00000008) != 0) {
                                                                          						SendMessageA(GetDlgItem(_a4, 0xa), 0xcf, 1, 0);
                                                                          					}
                                                                          					if( *0x47e114 != 0) {
                                                                          						SetDlgItemTextA(_a4, 0x41f, E0041CD1E(0x47df68));
                                                                          						E0040EFE7();
                                                                          					}
                                                                          					goto L31;
                                                                          				} else {
                                                                          					_v8 = E0041C8FD(0x47e2f0, 0x40);
                                                                          					_t87 = E0041C8FD(0x47e2f0, 0x44);
                                                                          					_v24 = _t87;
                                                                          					if(_v8 == 0 || _t87 == 0) {
                                                                          						L31:
                                                                          						E0041BEFB( &_v52);
                                                                          						return 1;
                                                                          					} else {
                                                                          						_t159 = 0;
                                                                          						_v12 = 0;
                                                                          						if(_t87 <= 0) {
                                                                          							goto L22;
                                                                          						}
                                                                          						while(1) {
                                                                          							E0041BDC5( &_v40);
                                                                          							_t92 = E0041CAC5( &_v40, E0041CD1E(0x47e6c8), _v8 + _t159, 4);
                                                                          							_push(0);
                                                                          							if(_t92 < 0) {
                                                                          								break;
                                                                          							}
                                                                          							_v20 = E0041C8FD( &_v40);
                                                                          							_t160 = _t159 + 4;
                                                                          							_t100 = E0041CAC5( &_v40, E0041CD1E(0x47e6c8), _v8 + _t160, 4);
                                                                          							_push(0);
                                                                          							if(_t100 < 0) {
                                                                          								break;
                                                                          							}
                                                                          							_v16 = E0041C8FD( &_v40);
                                                                          							_t161 = _t160 + 4;
                                                                          							if(E0041CAC5( &_v40, E0041CD1E(0x47e6c8), _v8 + _t161, _t101) < 0) {
                                                                          								_push(0);
                                                                          								break;
                                                                          							}
                                                                          							_t106 = _v20;
                                                                          							_t159 = _t161 + _v16;
                                                                          							_t173 = _t106 -  *0x47e60c; // 0x0
                                                                          							if(_t173 == 0) {
                                                                          								E0041BF80( &_v52,  &_v40);
                                                                          								E0041BEFB( &_v40);
                                                                          								goto L22;
                                                                          							}
                                                                          							if(_t106 == 0) {
                                                                          								E0041BF80( &_v52,  &_v40);
                                                                          							}
                                                                          							E0041BEFB( &_v40);
                                                                          							_v12 = _v12 + 1;
                                                                          							if(_v12 < _v24) {
                                                                          								continue;
                                                                          							} else {
                                                                          								goto L22;
                                                                          							}
                                                                          						}
                                                                          						_push(E0041CD1E(0x47e9b4));
                                                                          						_push(_a4);
                                                                          						E0041B2A8();
                                                                          						E0041BEFB( &_v40);
                                                                          						goto L31;
                                                                          					}
                                                                          				}
                                                                          			}

                                                                          0x00409b40
                                                                          0x00409b49
                                                                          0x00000000
                                                                          0x00409b4f
                                                                          0x00000000
                                                                          0x00409b4f
                                                                          0x00409b49
                                                                          0x00409b5d
                                                                          0x00409b63
                                                                          0x00409b66
                                                                          0x00409b6e
                                                                          0x00000000
                                                                          0x00409b6e
                                                                          0x00409a7b

                                                                          APIs
                                                                          • GetDlgItem.USER32 ref: 004099BB
                                                                          • EnableWindow.USER32(00000000), ref: 004099BE
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                            • Part of subcall function 0041CAC5: CreateFileA.KERNEL32(0047DFB8,80000000,00000001,00000000,00000003,00000080,00000000,74E5FBD0,0047E2F0,00000000,?,0047DFB8), ref: 0041CAE5
                                                                          • SetWindowTextA.USER32(?,00000000), ref: 004099E0
                                                                          • SetDlgItemTextA.USER32 ref: 004099FC
                                                                          • SetDlgItemTextA.USER32 ref: 00409A0E
                                                                          • SetDlgItemTextA.USER32 ref: 00409A20
                                                                          • SetDlgItemTextA.USER32 ref: 00409A40
                                                                          • GetDlgItem.USER32 ref: 00409B93
                                                                          • GetWindowLongA.USER32 ref: 00409B96
                                                                          • GetDlgItem.USER32 ref: 00409BAE
                                                                          • SendMessageA.USER32(00000000), ref: 00409BB7
                                                                          • GetDlgItem.USER32 ref: 00409BBE
                                                                          • GetDlgItem.USER32 ref: 00409BFA
                                                                          • SetWindowTextA.USER32(00000000), ref: 00409BFD
                                                                            • Part of subcall function 0041BF80: GlobalUnlock.KERNEL32(?,00000000,00000000,004079C1,00000000), ref: 0041BF87
                                                                            • Part of subcall function 0041BF80: GlobalReAlloc.KERNEL32 ref: 0041BF9B
                                                                            • Part of subcall function 0041BF80: GlobalLock.KERNEL32 ref: 0041BFBC
                                                                          • GetDlgItem.USER32 ref: 00409C13
                                                                          • SendMessageA.USER32(00000000), ref: 00409C16
                                                                          • SetDlgItemTextA.USER32 ref: 00409C34
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Item$Text$Global$Window$AllocLockMessageSendUnlock$CreateEnableFileLong
                                                                          • String ID: PG
                                                                          • API String ID: 3181886133-134009939
                                                                          • Opcode ID: 50855ed6c324d4a01632b148dba64e7988e052d9a48d98e0a6eab7eb2b3b6176
                                                                          • Instruction ID: d1ef8cf44ac91c91fcabe9bb5089d668b09125659dcb00a9096ae25bfe5b6d19
                                                                          • Opcode Fuzzy Hash: 50855ed6c324d4a01632b148dba64e7988e052d9a48d98e0a6eab7eb2b3b6176
                                                                          • Instruction Fuzzy Hash: 56719471A402086ADB14EB62DD86FEE7AB9EF44344F10407FF605B61E2CB785D41CA59
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 62%
                                                                          			E0040BE43(struct HWND__* _a4) {
                                                                          				intOrPtr _t26;
                                                                          				void* _t27;
                                                                          				void* _t39;
                                                                          				struct HWND__* _t54;
                                                                          				intOrPtr _t56;
                                                                          
                                                                          				_t56 =  *0x42bf98; // 0xffffffff
                                                                          				_t54 = _a4;
                                                                          				if(_t56 <= 0) {
                                                                          					EnableWindow(GetDlgItem(_t54, 3), 0);
                                                                          				}
                                                                          				_t39 = 0x47e850;
                                                                          				if(( *0x47e193 & 0x00000002) == 0) {
                                                                          					_t39 = 0x47ecc0;
                                                                          				}
                                                                          				SetWindowTextA(_t54, E0041CD1E(_t39));
                                                                          				SetDlgItemTextA(_t54, 3, E0041CD1E(0x47e8a0));
                                                                          				SetDlgItemTextA(_t54, 1, E0041CD1E(0x47e8d0));
                                                                          				SetDlgItemTextA(_t54, 2, E0041CD1E(0x47e8b8));
                                                                          				if(E00419E8A() != 0) {
                                                                          					SetDlgItemTextA(_t54, 1, E0041CD1E(0x47e8c4));
                                                                          				}
                                                                          				SetDlgItemTextA(_t54, 0x1e, E0041CD1E(0x47eccc));
                                                                          				SetDlgItemTextA(_t54, 0x19, E0041CD1E(0x47ece4));
                                                                          				SetDlgItemTextA(_t54, 0x1b, E0041CD1E(0x47ecfc));
                                                                          				SetDlgItemTextA(_t54, 0x1a, E0041CD1E(0x47ed14));
                                                                          				SetDlgItemTextA(_t54, 0xa, E0041CD1E(0x47ecd8));
                                                                          				SetDlgItemTextA(_t54, 0xb, E0041CD1E(0x47ecf0));
                                                                          				SetDlgItemTextA(_t54, 0xc, E0041CD1E(0x47ed08));
                                                                          				_t26 =  *0x47e65c; // 0x2
                                                                          				_t27 = _t26 - 1;
                                                                          				if(_t27 == 0) {
                                                                          					_push(0);
                                                                          					_push(1);
                                                                          					_push(0xf1);
                                                                          					_push(0xb);
                                                                          				} else {
                                                                          					_push(0);
                                                                          					_push(1);
                                                                          					_push(0xf1);
                                                                          					if(_t27 == 3) {
                                                                          						_push(0xc);
                                                                          					} else {
                                                                          						_push(0xa);
                                                                          					}
                                                                          				}
                                                                          				SendDlgItemMessageA(_t54, ??, ??, ??, ??);
                                                                          				if( *0x47e114 != 0) {
                                                                          					SetDlgItemTextA(_t54, 0x41f, E0041CD1E(0x47df68));
                                                                          					E0040EFE7();
                                                                          				}
                                                                          				return 1;
                                                                          			}









                                                                          APIs
                                                                          • GetDlgItem.USER32 ref: 0040BE58
                                                                          • EnableWindow.USER32(00000000), ref: 0040BE5F
                                                                            • Part of subcall function 0040EFE7: CreateFontA.GDI32(0000001E,00000000,0000005A,0000005A,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,Times New Roman), ref: 0040F017
                                                                            • Part of subcall function 0040EFE7: SelectObject.GDI32(00000000), ref: 0040F027
                                                                            • Part of subcall function 0040EFE7: SetTextColor.GDI32(000A0A0A), ref: 0040F03E
                                                                            • Part of subcall function 0040EFE7: TextOutA.GDI32(0000000C,0000006F,00000000), ref: 0040F061
                                                                            • Part of subcall function 0040EFE7: SetTextColor.GDI32(000000FF), ref: 0040F06F
                                                                            • Part of subcall function 0040EFE7: TextOutA.GDI32(0000000A,0000006E,00000000), ref: 0040F08C
                                                                          • SetWindowTextA.USER32(?,00000000), ref: 0040BE7F
                                                                          • SetDlgItemTextA.USER32 ref: 0040BE99
                                                                          • SetDlgItemTextA.USER32 ref: 0040BEA9
                                                                          • SetDlgItemTextA.USER32 ref: 0040BEB9
                                                                          • SetDlgItemTextA.USER32 ref: 0040BED7
                                                                          • SetDlgItemTextA.USER32 ref: 0040BEE7
                                                                          • SetDlgItemTextA.USER32 ref: 0040BEF7
                                                                          • SetDlgItemTextA.USER32 ref: 0040BF07
                                                                          • SetDlgItemTextA.USER32 ref: 0040BF17
                                                                          • SetDlgItemTextA.USER32 ref: 0040BF27
                                                                          • SetDlgItemTextA.USER32 ref: 0040BF37
                                                                          • SetDlgItemTextA.USER32 ref: 0040BF47
                                                                          • SendDlgItemMessageA.USER32(?,0000000B,000000F1,00000001,00000000), ref: 0040BF71
                                                                          • SetDlgItemTextA.USER32 ref: 0040BF91
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Text$Item$ColorWindow$CreateEnableFontMessageObjectSelectSend
                                                                          • String ID: PG$G
                                                                          • API String ID: 2240931465-1134899898
                                                                          • Opcode ID: fbf63a2e6e865f56f20177791816b4740162252679370649d026e09afa41e30c
                                                                          • Instruction ID: 4de78865ab571ced7cf8cf875867d43830bb34964b65dd31c01aee71d4a6cb9e
                                                                          • Opcode Fuzzy Hash: fbf63a2e6e865f56f20177791816b4740162252679370649d026e09afa41e30c
                                                                          • Instruction Fuzzy Hash: 663183707901097AF12133665C9AFFF195ECB89B44F10857FBA05B61D28FAC0881A67F
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 59%
                                                                          			E00420AA9(intOrPtr _a4) {
                                                                          				void* _v8;
                                                                          				void* _v12;
                                                                          				int _v16;
                                                                          				void* _v20;
                                                                          				char _v24;
                                                                          				int* _v28;
                                                                          				int _v32;
                                                                          				int _v36;
                                                                          				char _v44;
                                                                          				char _v56;
                                                                          				void _v107;
                                                                          				char _v108;
                                                                          				void _v159;
                                                                          				char _v160;
                                                                          				void _v259;
                                                                          				char _v260;
                                                                          				void _v519;
                                                                          				char _v520;
                                                                          				void _v779;
                                                                          				char _v780;
                                                                          				int _t85;
                                                                          				int _t99;
                                                                          				int _t109;
                                                                          				signed int _t150;
                                                                          				signed int _t155;
                                                                          				signed int _t158;
                                                                          				signed int _t160;
                                                                          				signed int _t162;
                                                                          				signed int _t173;
                                                                          				void* _t198;
                                                                          				void* _t199;
                                                                          				void* _t200;
                                                                          				void* _t201;
                                                                          				intOrPtr _t209;
                                                                          
                                                                          				_v8 = 0;
                                                                          				_t85 = RegOpenKeyExA(0x80000002, "Software\\JavaSoft\\Java Runtime Environment", 0, 0x20019,  &_v8);
                                                                          				if(_t85 == 0) {
                                                                          					_t150 = 0xc;
                                                                          					_v160 = 0;
                                                                          					memset( &_v159, _t85, _t150 << 2);
                                                                          					_t199 = _t198 + 0xc;
                                                                          					asm("stosb");
                                                                          					_v16 = 0x32;
                                                                          					if(RegQueryValueExA(_v8, "CurrentVersion", 0, 0,  &_v160,  &_v16) != 0) {
                                                                          						L20:
                                                                          						return RegCloseKey(_v8);
                                                                          					}
                                                                          					_t182 = _a4;
                                                                          					E0041BF12(_a4,  &_v160);
                                                                          					if(E0041C6AD(_a4, 0x2e, 0) == 0xffffffff || E0041C6AD(_t182, 0x2e, _t93 + 1) == 0xffffffff) {
                                                                          						E0041BE99( &_v56, _t182);
                                                                          						_t155 = 0x40;
                                                                          						_v520 = 0;
                                                                          						_v20 = 0;
                                                                          						memset( &_v519, 0, _t155 << 2);
                                                                          						_t200 = _t199 + 0xc;
                                                                          						asm("stosw");
                                                                          						asm("stosb");
                                                                          						_t99 = RegOpenKeyExA(_v8,  &_v160, 0, 0x20019,  &_v20);
                                                                          						if(_t99 == 0) {
                                                                          							_t173 = 0xc;
                                                                          							_v108 = 0;
                                                                          							memset( &_v107, _t99, _t173 << 2);
                                                                          							_t200 = _t200 + 0xc;
                                                                          							asm("stosb");
                                                                          							_v16 = 0x32;
                                                                          							if(RegQueryValueExA(_v20, "MicroVersion", 0, 0,  &_v108,  &_v16) == 0) {
                                                                          								E0041BFF8(_a4, 0x2e);
                                                                          								E0041C047(_a4,  &_v108, 0);
                                                                          							}
                                                                          							_v16 = 0x104;
                                                                          							RegQueryValueExA(_v20, "JavaHome", 0, 0,  &_v520,  &_v16);
                                                                          							RegCloseKey(_v20);
                                                                          						}
                                                                          						_t209 =  *0x47e19c; // 0x1
                                                                          						if(_t209 != 0) {
                                                                          							L19:
                                                                          							E0041BEFB( &_v56);
                                                                          							goto L20;
                                                                          						} else {
                                                                          							_t158 = 0x18;
                                                                          							_v260 = 0;
                                                                          							_v28 = 0;
                                                                          							memset( &_v259, 0, _t158 << 2);
                                                                          							_t201 = _t200 + 0xc;
                                                                          							asm("stosw");
                                                                          							asm("stosb");
                                                                          							_v24 = 0x64;
                                                                          							_push( &_v44);
                                                                          							_push(0);
                                                                          							_push(0);
                                                                          							_push(0);
                                                                          							_push( &_v24);
                                                                          							_push( &_v260);
                                                                          							_push(0);
                                                                          							while(RegEnumKeyExA(_v8, ??, ??, ??, ??, ??, ??, ??) == 0) {
                                                                          								_v12 = 0;
                                                                          								_t109 = RegOpenKeyExA(_v8,  &_v260, 0, 0x20019,  &_v12);
                                                                          								if(_t109 != 0) {
                                                                          									L17:
                                                                          									_v28 = _v28 + 1;
                                                                          									_t160 = 0x18;
                                                                          									_v260 = 0;
                                                                          									memset( &_v259, 0, _t160 << 2);
                                                                          									_t201 = _t201 + 0xc;
                                                                          									asm("stosw");
                                                                          									asm("stosb");
                                                                          									_v24 = 0x64;
                                                                          									_push( &_v44);
                                                                          									_push(0);
                                                                          									_push(0);
                                                                          									_push(0);
                                                                          									_push( &_v24);
                                                                          									_push( &_v260);
                                                                          									_push(_v28);
                                                                          									continue;
                                                                          								}
                                                                          								_t162 = 0xc;
                                                                          								_v108 = 0;
                                                                          								memset( &_v107, _t109, _t162 << 2);
                                                                          								asm("stosb");
                                                                          								_push(0x40);
                                                                          								_v780 = 0;
                                                                          								_v36 = 0x104;
                                                                          								memset( &_v779, 0, 0 << 2);
                                                                          								_t201 = _t201 + 0x18;
                                                                          								asm("stosw");
                                                                          								asm("stosb");
                                                                          								_v32 = 0x32;
                                                                          								if(RegQueryValueExA(_v12, "JavaHome", 0, 0,  &_v780,  &_v36) != 0 || RegQueryValueExA(_v12, "MicroVersion", 0, 0,  &_v108,  &_v32) != 0 || E00427910(0,  &_v780,  &_v520) != 0 || E00424A30( &_v108, "0") <= 0) {
                                                                          									RegCloseKey(_v12);
                                                                          									goto L17;
                                                                          								} else {
                                                                          									E0041BF80(_a4,  &_v56);
                                                                          									E0041C047(_a4, ".", 0);
                                                                          									E0041C047(_a4,  &_v108, 0);
                                                                          									RegCloseKey(_v12);
                                                                          									goto L19;
                                                                          								}
                                                                          							}
                                                                          							goto L19;
                                                                          						}
                                                                          					} else {
                                                                          						goto L20;
                                                                          					}
                                                                          				}
                                                                          				return _t85;
                                                                          			}






































                                                                          APIs
                                                                          • RegOpenKeyExA.ADVAPI32(80000002,Software\JavaSoft\Java Runtime Environment,00000000,00020019,00000001,00000000), ref: 00420ACC
                                                                          • RegQueryValueExA.ADVAPI32(00000001,CurrentVersion,00000000,00000000,?,00000000,00000000,00000001), ref: 00420B10
                                                                          • RegCloseKey.ADVAPI32(00000001), ref: 00420D7A
                                                                            • Part of subcall function 0041BF12: GlobalUnlock.KERNEL32(0217020C,00000104,00000000,0041929A,00000000), ref: 0041BF19
                                                                            • Part of subcall function 0041BF12: GlobalReAlloc.KERNEL32 ref: 0041BF3B
                                                                            • Part of subcall function 0041BF12: GlobalLock.KERNEL32 ref: 0041BF5C
                                                                          • RegOpenKeyExA.ADVAPI32(00000001,?,00000000,00020019,00420DA0,00000000,0000002E,00000000,?), ref: 00420B84
                                                                          • RegQueryValueExA.ADVAPI32(00420DA0,MicroVersion,00000000,00000000,?,00000032), ref: 00420BB3
                                                                          • RegQueryValueExA.ADVAPI32(00420DA0,JavaHome,00000000,00000000,?,00000032), ref: 00420BEC
                                                                          • RegCloseKey.ADVAPI32(00420DA0), ref: 00420BF1
                                                                          • RegEnumKeyExA.ADVAPI32(00000001,00000000,?,00000064,00000000,00000000,00000000,?), ref: 00420C39
                                                                          • RegOpenKeyExA.ADVAPI32(00000001,?,00000000,00020019,00000000), ref: 00420C5E
                                                                          • RegQueryValueExA.ADVAPI32(00000000,JavaHome,00000000,00000000,?,00000104), ref: 00420CB1
                                                                          • RegQueryValueExA.ADVAPI32(00000000,MicroVersion,00000000,00000000,?,00000032), ref: 00420CC9
                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 00420CFF
                                                                          • RegCloseKey.ADVAPI32(00000000,?,00000000,0042DA60,00000000,?), ref: 00420D69
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: QueryValue$Close$GlobalOpen$AllocEnumLockUnlock
                                                                          • String ID: CurrentVersion$JavaHome$MicroVersion$Software\JavaSoft\Java Runtime Environment
                                                                          • API String ID: 70163249-2505188448
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 87%
                                                                          			E00407147(intOrPtr __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
                                                                          				char _v16;
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				signed int _t25;
                                                                          				void* _t29;
                                                                          				void* _t35;
                                                                          				void* _t58;
                                                                          				void* _t59;
                                                                          				struct HMENU__* _t60;
                                                                          				void* _t75;
                                                                          				intOrPtr _t79;
                                                                          
                                                                          				_t75 = __edx;
                                                                          				_t79 = __ecx;
                                                                          				 *0x47df64 = __ecx;
                                                                          				_t58 = E00408121(__ecx, _a4);
                                                                          				if(_t58 < 0) {
                                                                          					E0041BDC5( &_v16);
                                                                          					_push(_t58);
                                                                          					E0041C467( &_v16, "Load template failed (%d)");
                                                                          					E0041D881(E0041CD1E( &_v16));
                                                                          					E0041BEFB( &_v16);
                                                                          				}
                                                                          				_push(_a8);
                                                                          				_push(_a12);
                                                                          				E00408C8C(_t79, _t75);
                                                                          				_t25 = _a16;
                                                                          				 *0x47df64 = 0;
                                                                          				if(_t25 != 0) {
                                                                          					 *_t25 = _t79;
                                                                          				}
                                                                          				 *(_t79 + 0x6c) = _t25;
                                                                          				if( *(_t79 + 4) != 0) {
                                                                          					 *0x47df54 =  *0x47df54 + 1;
                                                                          					GlobalUnlock( *0x47df5c);
                                                                          					_t29 = GlobalReAlloc( *0x47df5c,  *0x47df54 << 2, 0x42);
                                                                          					 *0x47df5c = _t29;
                                                                          					 *0x47df58 = GlobalLock(_t29);
                                                                          					if( *0x47df5c == 0) {
                                                                          						E0041D881(E0041CD1E(0x47e924));
                                                                          					}
                                                                          					 *((intOrPtr*)( *0x47df58 +  *0x47df54 * 4 - 4)) = _t79;
                                                                          					E00408E91(_t79);
                                                                          					SendMessageA( *(_t79 + 4), 0x110, 0, 0);
                                                                          					_t59 = 0;
                                                                          					if( *((intOrPtr*)(_t79 + 0x7c)) <= 0) {
                                                                          						L13:
                                                                          						if(E00407D82(_t79) != 0) {
                                                                          							_t60 = GetSystemMenu( *(_t79 + 4), 0);
                                                                          							DeleteMenu(_t60, 0xf120, 0);
                                                                          							DeleteMenu(_t60, 0xf020, 0);
                                                                          							DeleteMenu(_t60, 0xf030, 0);
                                                                          							DeleteMenu(_t60, 0xf000, 0);
                                                                          							DeleteMenu(_t60, 1, 0x400);
                                                                          							AppendMenuA(_t60, 0x800, 2, "-");
                                                                          							AppendMenuA(_t60, 0, 1, "About...");
                                                                          							ShowWindow( *(_t79 + 4), 1);
                                                                          							E00407B45(_t60, AppendMenuA, _t79, 1);
                                                                          							 *0x47e110 = _t79;
                                                                          						}
                                                                          						_t35 = 1;
                                                                          						return _t35;
                                                                          					} else {
                                                                          						while(1) {
                                                                          							_t16 = _t79 + 0x70; // 0x70
                                                                          							if( *((intOrPtr*)(E0041E860(_t16, _t59) + 0x10)) == 1) {
                                                                          								break;
                                                                          							}
                                                                          							_t59 = _t59 + 1;
                                                                          							if(_t59 <  *((intOrPtr*)(_t79 + 0x7c))) {
                                                                          								continue;
                                                                          							}
                                                                          							goto L13;
                                                                          						}
                                                                          						_t19 = _t79 + 0x70; // 0x70
                                                                          						SetFocus( *(E0041E860(_t19, _t59) + 0x50));
                                                                          						goto L13;
                                                                          					}
                                                                          				} else {
                                                                          					return _t25 | 0xffffffff;
                                                                          				}
                                                                          			}
















                                                                          APIs
                                                                            • Part of subcall function 0041BDC5: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0041C189,00000000,0047E4D0,00000000), ref: 0041BDD5
                                                                            • Part of subcall function 0041BDC5: GlobalLock.KERNEL32 ref: 0041BDDF
                                                                            • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,00000000,?,0042DB90,0047E788), ref: 0041C489
                                                                            • Part of subcall function 0041C467: lstrlenA.KERNEL32(00000000,0042D4D0,00000000,00000000,00000001,00000001), ref: 0041C63F
                                                                            • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407DB6), ref: 0041C649
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                            • Part of subcall function 0041BEFB: GlobalUnlock.KERNEL32(?,00000000,0041C1E9,00000000,00000010,00000000,0047E4D0,00000000), ref: 0041BF01
                                                                            • Part of subcall function 0041BEFB: GlobalFree.KERNEL32 ref: 0041BF0A
                                                                          • GlobalUnlock.KERNEL32(00000000,?,?,00000400,00000000,00000000), ref: 004071D1
                                                                          • GlobalReAlloc.KERNEL32 ref: 004071E8
                                                                          • GlobalLock.KERNEL32 ref: 004071F4
                                                                          • SendMessageA.USER32(?,00000110,00000000,00000000), ref: 00407238
                                                                          • SetFocus.USER32(?,00000000), ref: 00407268
                                                                          • GetSystemMenu.USER32(?,00000000), ref: 0040727D
                                                                          • DeleteMenu.USER32(00000000,0000F120,00000000), ref: 00407292
                                                                          • DeleteMenu.USER32(00000000,0000F020,00000000), ref: 0040729C
                                                                          • DeleteMenu.USER32(00000000,0000F030,00000000), ref: 004072A6
                                                                          • DeleteMenu.USER32(00000000,0000F000,00000000), ref: 004072B0
                                                                          • DeleteMenu.USER32(00000000,00000001,00000400), ref: 004072BA
                                                                          • AppendMenuA.USER32 ref: 004072CF
                                                                          • AppendMenuA.USER32 ref: 004072DB
                                                                          • ShowWindow.USER32(?,00000001), ref: 004072E2
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$Menu$Delete$AllocLockUnlocklstrlen$Append$FocusFreeMessageSendShowSystemWindow
                                                                          • String ID: $G$About...$Load template failed (%d)
                                                                          • API String ID: 4201493354-4259950461
                                                                          • Opcode ID: 13d18569783887c689b1cedd7764c6d1cc9bc3f1867207fa8ad77af0ad2be610
                                                                          • Instruction ID: 866d9aeac3c835f741d54545ca8fe705d8432e42f4f522c6dab8da38ea409ca8
                                                                          • Opcode Fuzzy Hash: 13d18569783887c689b1cedd7764c6d1cc9bc3f1867207fa8ad77af0ad2be610
                                                                          • Instruction Fuzzy Hash: EA419670A40704ABD721AF62DC86F5A7779EF84704F10443FF517661E2CBB96481CA5C
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 91%
                                                                          			E00409CDD(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, struct HWND__* _a4) {
                                                                          				intOrPtr _v8;
                                                                          				CHAR* _t8;
                                                                          				void* _t39;
                                                                          				intOrPtr _t50;
                                                                          				struct HWND__* _t54;
                                                                          				void* _t57;
                                                                          
                                                                          				_push(__ecx);
                                                                          				_t54 = _a4;
                                                                          				_v8 = __ecx;
                                                                          				if( *0x42bf98 <= 0) {
                                                                          					EnableWindow(GetDlgItem(_t54, 3), 0);
                                                                          				}
                                                                          				_t39 = 0x47e850;
                                                                          				if(( *0x47e193 & 0x00000002) == 0) {
                                                                          					_t39 = 0x47e9d8;
                                                                          				}
                                                                          				SetWindowTextA(_t54, E0041CD1E(_t39));
                                                                          				_t8 = E0041CD1E(0x47e9e4);
                                                                          				_t57 = SetDlgItemTextA;
                                                                          				SetDlgItemTextA(_t54, 0xa, _t8);
                                                                          				SetDlgItemTextA(_t54, 0xb, E0041CD1E(0x47e9f0));
                                                                          				SetDlgItemTextA(_t54, 0xc, E0041CD1E(0x47e9fc));
                                                                          				SetDlgItemTextA(_t54, 0xd, E0041CD1E(0x47ea08));
                                                                          				SetDlgItemTextA(_t54, 3, E0041CD1E(0x47e8a0));
                                                                          				SetDlgItemTextA(_t54, 1, E0041CD1E(0x47e8d0));
                                                                          				SetDlgItemTextA(_t54, 2, E0041CD1E(0x47e8b8));
                                                                          				SetDlgItemTextA(_t54, 4, E0041CD1E(0x47eb70));
                                                                          				if(E00419E8A() != 0) {
                                                                          					SetDlgItemTextA(_t54, 1, E0041CD1E(0x47e8c4));
                                                                          				}
                                                                          				_push(GetDlgItem(_t54, 0xf));
                                                                          				E00409E0C(_t54, _t57);
                                                                          				_t50 =  *0x47e274; // 0x0
                                                                          				if(_t50 != 0) {
                                                                          					E0042138A(_t50, _v8);
                                                                          				}
                                                                          				SetForegroundWindow(_t54);
                                                                          				if( *0x47e114 != 0) {
                                                                          					E0040EFE7();
                                                                          				}
                                                                          				return 1;
                                                                          			}










                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Item$Text$Window$EnableForeground
                                                                          • String ID: PG$pG$G
                                                                          • API String ID: 588041497-2689831273
                                                                          • Opcode ID: f3daa2747dbba6a4ebaccdfe6f895ee9e141ce91d27a0abc31df0bababac09f6
                                                                          • Instruction ID: 423ab95a91abf6a2929d521cd3dd1b830fa26b07c3f81d625dc7f3cfa57831cc
                                                                          • Opcode Fuzzy Hash: f3daa2747dbba6a4ebaccdfe6f895ee9e141ce91d27a0abc31df0bababac09f6
                                                                          • Instruction Fuzzy Hash: BD21C37064010536E22473666C96FBF2A5ECFC9B48F10817FF605A62C38FAC0C41A67E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 86%
                                                                          			E0042138A(intOrPtr __ecx, signed int _a4) {
                                                                          				intOrPtr _v8;
                                                                          				struct HWND__* _v12;
                                                                          				intOrPtr _v16;
                                                                          				intOrPtr _v20;
                                                                          				void* _v24;
                                                                          				char _v36;
                                                                          				char _v48;
                                                                          				struct HWND__* _t40;
                                                                          				signed int _t80;
                                                                          				char* _t89;
                                                                          				struct HWND__* _t107;
                                                                          
                                                                          				_t80 = _a4;
                                                                          				_v8 = __ecx;
                                                                          				_t40 = GetDlgItem( *(_t80 + 4), 0xf);
                                                                          				_v12 = _t40;
                                                                          				_v24 = 0x40;
                                                                          				_v20 = 0xa0;
                                                                          				_v16 = 0x100;
                                                                          				SendMessageA(_t40, 0x192, 3,  &_v24);
                                                                          				_a4 = _a4 & 0x00000000;
                                                                          				E0041BDC5( &_v48);
                                                                          				L1:
                                                                          				_push(_a4);
                                                                          				if(E0041C9D2(_v8) != 0) {
                                                                          					E0041C92F(_v8,  &_a4,  &_v48);
                                                                          					SendMessageA(_v12, 0x180, 0, E0041CD1E( &_v48));
                                                                          					goto L1;
                                                                          				}
                                                                          				_t107 = GetDlgItem( *(_t80 + 4), 0xe);
                                                                          				__eflags =  *0x47e2c0; // 0x0
                                                                          				if(__eflags != 0) {
                                                                          					__eflags =  *0x47e2c8; // 0x0
                                                                          					if(__eflags == 0) {
                                                                          						E0041BDC5( &_v36);
                                                                          						_push(E0041CD1E(0x47e350));
                                                                          						E0041C467( &_v36, E0041CD1E(0x47eb4c));
                                                                          						SetWindowTextA(_t107, E0041CD1E( &_v36));
                                                                          						__eflags =  *0x47e192 & 0x00000008;
                                                                          						if(( *0x47e192 & 0x00000008) != 0) {
                                                                          							E00408E7A(_t80, _t107, 0xff);
                                                                          						}
                                                                          						_t89 =  &_v36;
                                                                          					} else {
                                                                          						E0041BDC5( &_v36);
                                                                          						_push(E0041CD1E(0x47e350));
                                                                          						E0041C467( &_v36, E0041CD1E(0x47eb64));
                                                                          						SetWindowTextA(_t107, E0041CD1E( &_v36));
                                                                          						__eflags =  *0x47e192 & 0x00000008;
                                                                          						if(( *0x47e192 & 0x00000008) != 0) {
                                                                          							E00408E7A(_t80, _t107, 0xff);
                                                                          						}
                                                                          						_t89 =  &_v36;
                                                                          					}
                                                                          					L10:
                                                                          					E0041BEFB(_t89);
                                                                          					L11:
                                                                          					return E0041BEFB( &_v48);
                                                                          				}
                                                                          				__eflags =  *0x47e2c8; // 0x0
                                                                          				if(__eflags != 0) {
                                                                          					SetWindowTextA(_t107, E0041CD1E(0x47eb58));
                                                                          					__eflags =  *0x47e192 & 0x00000008;
                                                                          					if(( *0x47e192 & 0x00000008) != 0) {
                                                                          						E00408E7A(_t80, _t107, 0xffff);
                                                                          					}
                                                                          					goto L11;
                                                                          				}
                                                                          				E0041BDC5( &_v36);
                                                                          				_push(E0041CD1E(0x47e350));
                                                                          				E0041C467( &_v36, E0041CD1E(0x47eb40));
                                                                          				SetWindowTextA(_t107, E0041CD1E( &_v36));
                                                                          				_t89 =  &_v36;
                                                                          				goto L10;
                                                                          			}















                                                                          APIs
                                                                          • GetDlgItem.USER32 ref: 004213A5
                                                                          • SendMessageA.USER32(00000000,00000192,00000003,?), ref: 004213D1
                                                                            • Part of subcall function 0041BDC5: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0041C189,00000000,0047E4D0,00000000), ref: 0041BDD5
                                                                            • Part of subcall function 0041BDC5: GlobalLock.KERNEL32 ref: 0041BDDF
                                                                          • SendMessageA.USER32(00000000,00000180,00000000,00000000), ref: 00421411
                                                                          • GetDlgItem.USER32 ref: 0042141B
                                                                          • SetWindowTextA.USER32(00000000,00000000), ref: 004214B4
                                                                          • SetWindowTextA.USER32(00000000,00000000), ref: 004214F3
                                                                          • SetWindowTextA.USER32(00000000,00000000), ref: 00421469
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          • SetWindowTextA.USER32(00000000,00000000), ref: 00421545
                                                                            • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,00000000,?,0042DB90,0047E788), ref: 0041C489
                                                                            • Part of subcall function 0041C467: lstrlenA.KERNEL32(00000000,0042D4D0,00000000,00000000,00000001,00000001), ref: 0041C63F
                                                                            • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407DB6), ref: 0041C649
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$TextWindow$lstrlen$AllocItemLockMessageSend$Unlock
                                                                          • String ID: @$@G$LG$PG$PG$PG$XG$dG
                                                                          • API String ID: 435120884-2778522185
                                                                          • Opcode ID: 996a918e6309023e079e4b7f1d51968db3e82d47320e26d52fae00e1e8fb2819
                                                                          • Instruction ID: 16a7887dbd8dfa4a05515dd7873a9adc68804f2da8967db5dfc7659aed23bba8
                                                                          • Opcode Fuzzy Hash: 996a918e6309023e079e4b7f1d51968db3e82d47320e26d52fae00e1e8fb2819
                                                                          • Instruction Fuzzy Hash: 1341A571900119AADF04EBA2EC96EEE7779AF18308F40807EF505B6192DF7C5945CBA8
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0040B9F9(intOrPtr __ecx, struct HWND__* _a4) {
                                                                          				intOrPtr _v8;
                                                                          				char _v20;
                                                                          				void* _t24;
                                                                          				CHAR* _t29;
                                                                          				void* _t53;
                                                                          				struct HWND__* _t71;
                                                                          
                                                                          				_t71 = _a4;
                                                                          				_v8 = __ecx;
                                                                          				if( *0x42bf98 <= 0) {
                                                                          					EnableWindow(GetDlgItem(_t71, 3), 0);
                                                                          				}
                                                                          				_t53 = 0x47e850;
                                                                          				if(( *0x47e193 & 0x00000002) == 0) {
                                                                          					_t53 = 0x47ec84;
                                                                          				}
                                                                          				SetWindowTextA(_t71, E0041CD1E(_t53));
                                                                          				SetDlgItemTextA(_t71, 3, E0041CD1E(0x47e8a0));
                                                                          				SetDlgItemTextA(_t71, 1, E0041CD1E(0x47e8d0));
                                                                          				SetDlgItemTextA(_t71, 2, E0041CD1E(0x47e8b8));
                                                                          				_t24 = E00419E8A();
                                                                          				_t75 = _t24;
                                                                          				if(_t24 != 0) {
                                                                          					SetDlgItemTextA(_t71, 1, E0041CD1E(0x47e8c4));
                                                                          				}
                                                                          				SetDlgItemTextA(_t71, 0x1e, E0041CD1E(0x47ec90));
                                                                          				SetDlgItemTextA(_t71, 0x1f, E0041CD1E(0x47ec9c));
                                                                          				_t29 = E0041CD1E(0x47e344);
                                                                          				SetWindowTextA(GetDlgItem(_t71, 0xa), _t29);
                                                                          				E0041BE99( &_v20, 0x47e064);
                                                                          				_t51 = "\\*.*";
                                                                          				E0041C047( &_v20, "\\*.*", 0);
                                                                          				E0040B6B3(_t75, _t71,  &_v20);
                                                                          				if(( *0x47e192 & 0x00000080) == 0) {
                                                                          					_t77 =  *0x47e19c;
                                                                          					if( *0x47e19c != 0) {
                                                                          						E0041BF80( &_v20, 0x47e004);
                                                                          						E0041C047( &_v20, _t51, 0);
                                                                          						E0040B6B3(_t77, _t71,  &_v20);
                                                                          					}
                                                                          				}
                                                                          				SendDlgItemMessageA(_t71, 0xa, 0xc5, 0xd2, 0);
                                                                          				if( *0x47e114 != 0) {
                                                                          					SetDlgItemTextA(_t71, 0x41f, E0041CD1E(0x47df68));
                                                                          					E0040EFE7();
                                                                          				}
                                                                          				E0041BEFB( &_v20);
                                                                          				return 1;
                                                                          			}










                                                                          APIs
                                                                          • GetDlgItem.USER32 ref: 0040BA1C
                                                                          • EnableWindow.USER32(00000000), ref: 0040BA1F
                                                                            • Part of subcall function 0040EFE7: CreateFontA.GDI32(0000001E,00000000,0000005A,0000005A,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,Times New Roman), ref: 0040F017
                                                                            • Part of subcall function 0040EFE7: SelectObject.GDI32(00000000), ref: 0040F027
                                                                            • Part of subcall function 0040EFE7: SetTextColor.GDI32(000A0A0A), ref: 0040F03E
                                                                            • Part of subcall function 0040EFE7: TextOutA.GDI32(0000000C,0000006F,00000000), ref: 0040F061
                                                                            • Part of subcall function 0040EFE7: SetTextColor.GDI32(000000FF), ref: 0040F06F
                                                                            • Part of subcall function 0040EFE7: TextOutA.GDI32(0000000A,0000006E,00000000), ref: 0040F08C
                                                                            • Part of subcall function 0041BEFB: GlobalUnlock.KERNEL32(?,00000000,0041C1E9,00000000,00000010,00000000,0047E4D0,00000000), ref: 0041BF01
                                                                            • Part of subcall function 0041BEFB: GlobalFree.KERNEL32 ref: 0041BF0A
                                                                          • SetWindowTextA.USER32(?,00000000), ref: 0040BA3F
                                                                          • SetDlgItemTextA.USER32 ref: 0040BA59
                                                                          • SetDlgItemTextA.USER32 ref: 0040BA69
                                                                          • SetDlgItemTextA.USER32 ref: 0040BA79
                                                                          • SetDlgItemTextA.USER32 ref: 0040BA97
                                                                          • SetDlgItemTextA.USER32 ref: 0040BAA7
                                                                          • SetDlgItemTextA.USER32 ref: 0040BAB7
                                                                          • GetDlgItem.USER32 ref: 0040BAC7
                                                                          • SetWindowTextA.USER32(00000000), ref: 0040BACA
                                                                          • SendDlgItemMessageA.USER32(?,0000000A,000000C5,000000D2,00000000), ref: 0040BB40
                                                                          • SetDlgItemTextA.USER32 ref: 0040BB60
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Text$Item$Window$ColorGlobal$CreateEnableFontFreeMessageObjectSelectSendUnlock
                                                                          • String ID: DG$PG$\*.*
                                                                          • API String ID: 1573608945-4063998206
                                                                          • Opcode ID: 55b0961a9734f431be93e9acbb95f164460e1c960aad09dd4823f354d4e25df6
                                                                          • Instruction ID: 98bb2e4754260d3fde4e02e62b7a5bbe3a8d5a751bfae680a84eb71d1c3eba76
                                                                          • Opcode Fuzzy Hash: 55b0961a9734f431be93e9acbb95f164460e1c960aad09dd4823f354d4e25df6
                                                                          • Instruction Fuzzy Hash: FB31A2307402096AE711B7A69C96FFE2A2DDB89B08F50847FB605761D2CFBC1841D66E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 91%
                                                                          			E00405955(struct HWND__* _a4, signed int _a8, void* _a12) {
                                                                          				void* _t29;
                                                                          				signed int _t34;
                                                                          				int _t37;
                                                                          				CHAR* _t38;
                                                                          				void* _t49;
                                                                          				void* _t51;
                                                                          				void* _t53;
                                                                          				signed int _t54;
                                                                          				signed int _t59;
                                                                          				struct HDC__* _t62;
                                                                          				struct HDC__* _t63;
                                                                          
                                                                          				_t29 = _a8 - 0xf;
                                                                          				if(_t29 == 0) {
                                                                          					_t62 = GetDC(_a4);
                                                                          					_a12 = SelectObject(_t62,  *0x47df50);
                                                                          					SetBkMode(_t62, 1);
                                                                          					_t34 = MulDiv(0xf4240, GetDeviceCaps(_t62, 0x5a), 0x48);
                                                                          					asm("cdq");
                                                                          					_a8 = _t34 / 0x535;
                                                                          					_t37 = lstrlenA(E0041CD1E(0x47df68));
                                                                          					_t38 = E0041CD1E(0x47df68);
                                                                          					asm("cdq");
                                                                          					asm("cdq");
                                                                          					TextOutA(_t62, _a8 * 0xb / 0x3e8, _a8 * 0x2f / 0x3e8, _t38, _t37);
                                                                          					SelectObject(_t62, _a12);
                                                                          					ReleaseDC(_a4, _t62);
                                                                          					return 0;
                                                                          				}
                                                                          				_t49 = _t29 - 1;
                                                                          				if(_t49 == 0) {
                                                                          					L6:
                                                                          					EndDialog(_a4, 1);
                                                                          					_t51 = 1;
                                                                          					return _t51;
                                                                          				}
                                                                          				_t53 = _t49;
                                                                          				if(_t53 == 0) {
                                                                          					goto L6;
                                                                          				}
                                                                          				_t54 = _t53 - 0xfe;
                                                                          				if(_t54 == 0) {
                                                                          					if( *0x47df50 == 0) {
                                                                          						_t63 = GetDC(_a4);
                                                                          						_t59 = MulDiv(8, GetDeviceCaps(_t63, 0x5a), 0x48);
                                                                          						ReleaseDC(_a4, _t63);
                                                                          						_t54 = CreateFontA( ~_t59, 0, 0, 0, 0x190, 0, 0, 0, 0, 0, 0, 0, 0, "MS Sans Serif");
                                                                          						 *0x47df50 = _t54;
                                                                          					}
                                                                          					L9:
                                                                          					return (_t54 & 0xffffff00 | _a8 == 0x00000110) & 0x000000ff;
                                                                          				}
                                                                          				_t54 = _t54 - 1;
                                                                          				if(_t54 != 0) {
                                                                          					goto L9;
                                                                          				}
                                                                          				_t54 = (_a12 & 0x0000ffff) - 1;
                                                                          				if(_t54 != 0) {
                                                                          					goto L9;
                                                                          				}
                                                                          				goto L6;
                                                                          			}















                                                                          APIs
                                                                          • EndDialog.USER32(?,00000001), ref: 00405984
                                                                          • GetDC.USER32(?), ref: 0040599F
                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004059AC
                                                                          • MulDiv.KERNEL32(00000008,00000000), ref: 004059B5
                                                                          • ReleaseDC.USER32 ref: 004059C3
                                                                          • CreateFontA.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,MS Sans Serif), ref: 004059DF
                                                                          • GetDC.USER32(?), ref: 004059FF
                                                                          • SelectObject.GDI32(00000000), ref: 00405A14
                                                                          • SetBkMode.GDI32(00000000,00000001), ref: 00405A1C
                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00405A27
                                                                          • MulDiv.KERNEL32(000F4240,00000000), ref: 00405A33
                                                                          • lstrlenA.KERNEL32(00000000), ref: 00405A51
                                                                          • TextOutA.GDI32(00000000,?,?,00000000,00000000), ref: 00405A7C
                                                                          • SelectObject.GDI32(00000000,?), ref: 00405A86
                                                                          • ReleaseDC.USER32 ref: 00405A8C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: CapsDeviceObjectReleaseSelect$CreateDialogFontModeTextlstrlen
                                                                          • String ID: MS Sans Serif
                                                                          • API String ID: 2026860755-168460110
                                                                          • Opcode ID: 2bde214ab076bee1b329f64bfcf69bc31db3ce320ef66d49dd554740dd07ac0f
                                                                          • Instruction ID: 2ddddb358181ba5cffd402e6d9347990a9f589195ce739888bb5f732dde058e7
                                                                          • Opcode Fuzzy Hash: 2bde214ab076bee1b329f64bfcf69bc31db3ce320ef66d49dd554740dd07ac0f
                                                                          • Instruction Fuzzy Hash: 25317071301618BFDB205F659C49E6F3F6DFB48751F408436FA0AEA1A0CA788842DF68
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 93%
                                                                          			E0040FEB9(void* __ecx, void** _a4, struct HDC__* _a8, int _a12, int _a16) {
                                                                          				BITMAPINFOHEADER* _v8;
                                                                          				void* _v12;
                                                                          				char _v16;
                                                                          				void* _v20;
                                                                          				void* _v24;
                                                                          				char _v28;
                                                                          				char _v44;
                                                                          				signed int _t41;
                                                                          				void* _t42;
                                                                          				intOrPtr* _t43;
                                                                          				long _t46;
                                                                          				int _t47;
                                                                          				struct HDC__* _t49;
                                                                          				void* _t50;
                                                                          				int _t57;
                                                                          				BITMAPINFOHEADER* _t58;
                                                                          				void* _t60;
                                                                          				int _t63;
                                                                          				void* _t68;
                                                                          				void* _t71;
                                                                          				struct HDC__* _t73;
                                                                          				int _t88;
                                                                          				void* _t93;
                                                                          				void* _t94;
                                                                          				int _t95;
                                                                          				void** _t97;
                                                                          
                                                                          				_t41 = _a4;
                                                                          				_v20 = __ecx;
                                                                          				if(_t41 != 0) {
                                                                          					 *_t41 = 0;
                                                                          					_t71 = 0;
                                                                          					__eflags =  *0x47e540; // 0x0
                                                                          					if(__eflags <= 0) {
                                                                          						L8:
                                                                          						_t93 = 0;
                                                                          						__eflags =  *0x47e52c; // 0x0
                                                                          						if(__eflags <= 0) {
                                                                          							L13:
                                                                          							_push(0xfffffffe);
                                                                          							L14:
                                                                          							_pop(_t42);
                                                                          							return _t42;
                                                                          						} else {
                                                                          							goto L9;
                                                                          						}
                                                                          						while(1) {
                                                                          							L9:
                                                                          							_t43 = E0041E860(0x47e520, _t93);
                                                                          							__eflags =  *_t43 - _a8;
                                                                          							if( *_t43 == _a8) {
                                                                          								break;
                                                                          							}
                                                                          							_t93 = _t93 + 1;
                                                                          							__eflags = _t93 -  *0x47e52c; // 0x0
                                                                          							if(__eflags < 0) {
                                                                          								continue;
                                                                          							}
                                                                          							goto L13;
                                                                          						}
                                                                          						_t6 = _t43 + 4; // 0x4
                                                                          						_t79 = _t6;
                                                                          						__eflags = _t6;
                                                                          						if(_t6 != 0) {
                                                                          							_t94 = CreateFileA(E0041CD1E(_t79), 0x80000000, 1, 0, 3, 0x80, 0);
                                                                          							__eflags = _t94 - 0xffffffff;
                                                                          							if(_t94 != 0xffffffff) {
                                                                          								_t46 = GetFileSize(_t94, 0);
                                                                          								_v16 = 0;
                                                                          								_t47 = E00410087(_v20, _t94, _t46,  &_v44,  &_v8,  &_v28,  &_v12,  &_v16);
                                                                          								CloseHandle(_t94);
                                                                          								__eflags = _t47;
                                                                          								if(_t47 >= 0) {
                                                                          									_t49 = GetDC( *0x47e178);
                                                                          									_a8 = _t49;
                                                                          									_t50 = CreateDIBitmap(_t49, _v8, 4, _v12, _v8, 0);
                                                                          									_t95 = _a12;
                                                                          									__eflags = _t95;
                                                                          									 *_a4 = _t50;
                                                                          									if(_t95 <= 0) {
                                                                          										L25:
                                                                          										ReleaseDC( *0x47e178, _a8);
                                                                          										E00424DCE(_v28);
                                                                          										asm("sbb eax, eax");
                                                                          										_t57 = ( ~( *_a4) & 0x00000007) + 0xfffffffa;
                                                                          										__eflags = _t57;
                                                                          										return _t57;
                                                                          									}
                                                                          									_t88 = _a16;
                                                                          									__eflags = _t88;
                                                                          									if(_t88 <= 0) {
                                                                          										goto L25;
                                                                          									}
                                                                          									_t58 = _v8;
                                                                          									__eflags = _t95 - _t58->biWidth;
                                                                          									if(_t95 != _t58->biWidth) {
                                                                          										L23:
                                                                          										_t73 = CreateCompatibleDC(_a8);
                                                                          										_t60 = CreateCompatibleBitmap(_a8, _t95, _a16);
                                                                          										_v24 = _t60;
                                                                          										_v20 = SelectObject(_t73, _t60);
                                                                          										_t63 = StretchDIBits(_t73, 0, 0, _a12, _a16, 0, 0, _v8->biWidth, _v8->biHeight, _v12, _t62, 0, 0xcc0020);
                                                                          										SelectObject(_t73, _v20);
                                                                          										DeleteDC(_t73);
                                                                          										__eflags = _t63 - 0xffffffff;
                                                                          										if(_t63 != 0xffffffff) {
                                                                          											_t97 = _a4;
                                                                          											DeleteObject( *_t97);
                                                                          											 *_t97 = _v24;
                                                                          										}
                                                                          										goto L25;
                                                                          									}
                                                                          									__eflags = _t88 - _t58->biHeight;
                                                                          									if(_t88 == _t58->biHeight) {
                                                                          										goto L25;
                                                                          									}
                                                                          									goto L23;
                                                                          								}
                                                                          								_push(0xfffffffc);
                                                                          								goto L14;
                                                                          							}
                                                                          							_push(0xfffffffd);
                                                                          							goto L14;
                                                                          						}
                                                                          						goto L13;
                                                                          					}
                                                                          					while(1) {
                                                                          						_t68 = E0041E860(0x47e534, _t71);
                                                                          						__eflags = _t68 - _a8;
                                                                          						if(_t68 == _a8) {
                                                                          							break;
                                                                          						}
                                                                          						_t71 = _t71 + 2;
                                                                          						__eflags = _t71 -  *0x47e540; // 0x0
                                                                          						if(__eflags < 0) {
                                                                          							continue;
                                                                          						}
                                                                          						goto L8;
                                                                          					}
                                                                          					_t74 = _t71 + 1;
                                                                          					__eflags = _t71 + 1;
                                                                          					_a8 = E0041E860(0x47e534, _t74);
                                                                          					goto L8;
                                                                          				}
                                                                          				return _t41 | 0xffffffff;
                                                                          			}





























                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040ffe7
                                                                          0x0040ff9f
                                                                          0x00000000
                                                                          0x0040ff9f
                                                                          0x0040ff65
                                                                          0x00000000
                                                                          0x0040ff65
                                                                          0x00000000
                                                                          0x0040ff38
                                                                          0x0040fee7
                                                                          0x0040feea
                                                                          0x0040feef
                                                                          0x0040fef2
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040fef5
                                                                          0x0040fef6
                                                                          0x0040fefc
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040fefe
                                                                          0x0040ff00
                                                                          0x0040ff00
                                                                          0x0040ff09
                                                                          0x00000000
                                                                          0x0040ff09
                                                                          0x00000000

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: G$4G
                                                                          • API String ID: 0-1092705001
                                                                          • Opcode ID: 9889fd5ce7184eb904817bde8fa419fbe9a3674419646645692c0059565c0ba5
                                                                          • Instruction ID: e53022e69f18fc5ab630e4aebfff8f01bf5cca682b6cc4f9dc27a10370132a16
                                                                          • Opcode Fuzzy Hash: 9889fd5ce7184eb904817bde8fa419fbe9a3674419646645692c0059565c0ba5
                                                                          • Instruction Fuzzy Hash: 4351D071900119FFCB209FA6DC44DAE7B79FF49324B10463AF926A31E0DB349981CB68
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 82%
                                                                          			E00422CBD(void* __ecx) {
                                                                          				void* _v8;
                                                                          				void _v12;
                                                                          				long _v16;
                                                                          				long _v28;
                                                                          				char _v288;
                                                                          				void* _t29;
                                                                          				CHAR* _t30;
                                                                          				CHAR* _t31;
                                                                          				void* _t33;
                                                                          				void* _t35;
                                                                          				long _t38;
                                                                          				void* _t91;
                                                                          				void* _t92;
                                                                          				void* _t93;
                                                                          				void* _t95;
                                                                          				void* _t97;
                                                                          				intOrPtr _t101;
                                                                          
                                                                          				_t95 = __ecx;
                                                                          				SetCurrentDirectoryA("c:\\");
                                                                          				if(( *0x47e18c & 0x00000040) != 0 || ( *0x47e192 & 0x00000002) != 0) {
                                                                          					_push(1);
                                                                          					__eflags =  *(_t95 + 0x90);
                                                                          					if( *(_t95 + 0x90) != 0) {
                                                                          						goto L10;
                                                                          					}
                                                                          					_pop(_t91);
                                                                          					_t25 = _t95 + 0x20; // 0x0
                                                                          					_t30 = E0040DF1F( *_t25, 0);
                                                                          					while(1) {
                                                                          						__eflags = _t30;
                                                                          						if(_t30 == 0) {
                                                                          							break;
                                                                          						}
                                                                          						E0040D85F(_t30);
                                                                          						_t35 = _t91;
                                                                          						_t91 = _t91 + 1;
                                                                          						_t26 = _t95 + 0x20; // 0x0
                                                                          						_t30 = E0040DF1F( *_t26, _t35);
                                                                          						_t97 = _t97 + 0xc;
                                                                          					}
                                                                          					_t92 = 1;
                                                                          					_push(0);
                                                                          					while(1) {
                                                                          						_t27 = _t95 + 0x38; // 0x0
                                                                          						_push( *_t27);
                                                                          						_t31 = E0040DF1F();
                                                                          						__eflags = _t31;
                                                                          						if(_t31 == 0) {
                                                                          							goto L9;
                                                                          						}
                                                                          						RemoveDirectoryA(_t31);
                                                                          						_t33 = _t92;
                                                                          						_t92 = _t92 + 1;
                                                                          						_push(_t33);
                                                                          					}
                                                                          					goto L9;
                                                                          				} else {
                                                                          					if( *(_t95 + 0x90) == 0) {
                                                                          						_t93 = CreateFileA(E0041CD1E(_t95), 0xc0000000, 1, 0, 3, 0x80, 0);
                                                                          						_v8 = _t93;
                                                                          						_t38 = GetFileSize(_t93, 0);
                                                                          						__eflags = _t93 - 0xffffffff;
                                                                          						_v12 = _t38;
                                                                          						if(_t93 == 0xffffffff) {
                                                                          							L11:
                                                                          							CloseHandle(_t93);
                                                                          							L9:
                                                                          							_push(1);
                                                                          							L10:
                                                                          							_pop(_t29);
                                                                          							return _t29;
                                                                          						}
                                                                          						__eflags = _t38;
                                                                          						if(_t38 == 0) {
                                                                          							goto L11;
                                                                          						}
                                                                          						 *((char*)(_t95 + 0x92)) = 1;
                                                                          						E0041BDC5( &_v28);
                                                                          						E004221B8(_t95, __eflags,  &_v28);
                                                                          						SetFilePointer(_t93, 0, 0, 2);
                                                                          						WriteFile(_t93, E0041CD1E( &_v28), _v28,  &_v16, 0);
                                                                          						WriteFile(_v8,  &_v12, 4,  &_v16, 0);
                                                                          						CloseHandle(_v8);
                                                                          						E004155D2(0x47dfb8, 1, E0041CD1E(_t95));
                                                                          						DeleteFileA(E0041CD1E(_t95));
                                                                          						E0041BEFB( &_v28);
                                                                          						L7:
                                                                          						_t101 =  *0x47e688; // 0x0
                                                                          						if(_t101 > 0) {
                                                                          							E004229A8( &_v288);
                                                                          							CopyFileA(E0041CD1E(0x47e688),  &_v288, 0);
                                                                          							DeleteFileA(E0041CD1E(0x47e688));
                                                                          							E0041BF12(0x47e688, 0x42e0c8);
                                                                          						}
                                                                          						goto L9;
                                                                          					}
                                                                          					_push( &_v288);
                                                                          					E00422A86();
                                                                          					E004155D2(0x47dfb8, 1,  &_v288);
                                                                          					DeleteFileA( &_v288);
                                                                          					goto L7;
                                                                          				}
                                                                          			}





















                                                                          APIs
                                                                          • SetCurrentDirectoryA.KERNEL32(c:\,00000000,0047DFB8,00000094), ref: 00422CD0
                                                                          • DeleteFileA.KERNEL32(?,00000001,?,?), ref: 00422D22
                                                                          • CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,00000080,00000000), ref: 00422D45
                                                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 00422D52
                                                                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?), ref: 00422D8B
                                                                          • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 00422DA9
                                                                          • WriteFile.KERNEL32(00000000,0041CD50,00000004,00000000,00000000), ref: 00422DB9
                                                                          • CloseHandle.KERNEL32(00000000), ref: 00422DBE
                                                                          • DeleteFileA.KERNEL32(00000000,00000001,00000000), ref: 00422DE0
                                                                          • CopyFileA.KERNEL32(00000000,?,00000000), ref: 00422E19
                                                                          • DeleteFileA.KERNEL32(00000000), ref: 00422E27
                                                                            • Part of subcall function 00422A86: lstrcpyA.KERNEL32(00000000,00000000,0047E5EC,7FFFFFFF,0047E5EC,0047E5EC,?,<UninstallerName>,0041AA6C,?,<UninstallerName>,00000000,00000001,<ShortcutDir>,00000000,00000000), ref: 00422ABE
                                                                          • CloseHandle.KERNEL32(00000000), ref: 00422E42
                                                                          • RemoveDirectoryA.KERNEL32(00000000), ref: 00422E90
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: File$Delete$CloseDirectoryHandleWrite$CopyCreateCurrentPointerRemoveSizelstrcpy
                                                                          • String ID: c:\
                                                                          • API String ID: 962263428-4070862797
                                                                          • Opcode ID: d648af31b864197961dd8fa533a14e86025cb730b5bac282c79746e591d72605
                                                                          • Instruction ID: f31a6bf3ed29a462fb3031c6dc7a7310197cb22e6e3723504f367eecada30cce
                                                                          • Opcode Fuzzy Hash: d648af31b864197961dd8fa533a14e86025cb730b5bac282c79746e591d72605
                                                                          • Instruction Fuzzy Hash: BC41B571B00219BBDB206761AD4AFFF7A6DDF40714F90406FF606A2191CBB84D86D668
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00405A9B(void* __edx, struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                                                          				int _t24;
                                                                          				signed int _t25;
                                                                          				void* _t26;
                                                                          				int _t31;
                                                                          				signed int _t37;
                                                                          				signed int _t39;
                                                                          				signed int _t43;
                                                                          				int _t52;
                                                                          				signed int _t55;
                                                                          				void* _t67;
                                                                          				signed int _t74;
                                                                          
                                                                          				_t67 = __edx;
                                                                          				_t55 =  *0x47e110; // 0x0
                                                                          				if(_t55 == 0) {
                                                                          					L8:
                                                                          					_t24 = _a8;
                                                                          					__eflags = _t24 - 0x10;
                                                                          					if(_t24 == 0x10) {
                                                                          						L61:
                                                                          						_t25 = E0041BC79(0x47dfb8);
                                                                          						__eflags = _t25;
                                                                          						if(_t25 != 0) {
                                                                          							DestroyWindow(_a4);
                                                                          							E0041A1B5(1);
                                                                          						}
                                                                          						L63:
                                                                          						_t26 = 1;
                                                                          						return _t26;
                                                                          					}
                                                                          					__eflags = _t24 - 0x14;
                                                                          					if(_t24 == 0x14) {
                                                                          						BitBlt(_a12, 0, 0,  *0x47e170,  *0x47e174,  *0x47e184, 0, 0, 0xcc0020);
                                                                          						goto L63;
                                                                          					}
                                                                          					__eflags = _t24 - 0x7e;
                                                                          					if(_t24 == 0x7e) {
                                                                          						__eflags =  *0x47e84c & 0x00000002;
                                                                          						if(( *0x47e84c & 0x00000002) != 0) {
                                                                          							DeleteDC( *0x47e184);
                                                                          							_t31 = SystemParametersInfoA(0x30, 0, 0x47e168, 0);
                                                                          							__eflags = _t31;
                                                                          							if(_t31 == 0) {
                                                                          								GetWindowRect(GetDesktopWindow(), 0x47e168);
                                                                          							}
                                                                          							E0040EE9C();
                                                                          							__eflags =  *0x47e114; // 0x0
                                                                          							if(__eflags != 0) {
                                                                          								__eflags =  *0x47f27c; // 0x1
                                                                          								if(__eflags == 0) {
                                                                          									E0040EFE7();
                                                                          								}
                                                                          							}
                                                                          						}
                                                                          						L59:
                                                                          						return DefWindowProcA(_a4, _a8, _a12, _a16);
                                                                          					}
                                                                          					__eflags = _t24 - 0x112;
                                                                          					if(_t24 == 0x112) {
                                                                          						__eflags = _a12 - 1;
                                                                          						if(_a12 == 1) {
                                                                          							__eflags = _t55;
                                                                          							if(_t55 != 0) {
                                                                          								EnableWindow( *(_t55 + 4), 0);
                                                                          							}
                                                                          							DialogBoxParamA( *0x47e17c, 0x72, _a4, E00405955, 0);
                                                                          							_t37 =  *0x47e110; // 0x0
                                                                          							__eflags = _t37;
                                                                          							if(_t37 != 0) {
                                                                          								EnableWindow( *(_t37 + 4), 1);
                                                                          								_t39 =  *0x47e110; // 0x0
                                                                          								SetForegroundWindow( *(_t39 + 4));
                                                                          							}
                                                                          						}
                                                                          						goto L59;
                                                                          					}
                                                                          					__eflags = _t24 - 0x400;
                                                                          					if(_t24 != 0x400) {
                                                                          						goto L59;
                                                                          					}
                                                                          					__eflags = _a16 - 1;
                                                                          					if(_a16 != 1) {
                                                                          						goto L59;
                                                                          					}
                                                                          					_t43 = _a12 - 1;
                                                                          					__eflags = _t43 - 0xc;
                                                                          					if(_t43 > 0xc) {
                                                                          						_t74 = E00424DD9(0xb0);
                                                                          						__eflags = _t74;
                                                                          						if(__eflags == 0) {
                                                                          							L18:
                                                                          							_t74 = 0;
                                                                          							__eflags = 0;
                                                                          							L19:
                                                                          							__eflags = _t74;
                                                                          							if(__eflags == 0) {
                                                                          								E0041D881(E0041CD1E(0x47e924));
                                                                          							}
                                                                          							E00407147(_t74, _t67, __eflags, _a12,  *0x47e178,  *0x47e17c, 0x47e110);
                                                                          							goto L59;
                                                                          						}
                                                                          						E00406D11(_t74, __eflags);
                                                                          						 *_t74 = 0x428418;
                                                                          						goto L19;
                                                                          					}
                                                                          					switch( *((intOrPtr*)(_t43 * 4 +  &M00405E94))) {
                                                                          						case 0:
                                                                          							_t74 = E00424DD9(0xb0);
                                                                          							__eflags = _t74;
                                                                          							if(__eflags == 0) {
                                                                          								goto L18;
                                                                          							} else {
                                                                          								E00406D11(_t74, __eflags);
                                                                          								 *_t74 = 0x428584;
                                                                          								goto L19;
                                                                          							}
                                                                          						case 1:
                                                                          							__esi = E00424DD9(0xb0);
                                                                          							__eflags = __esi - __ebx;
                                                                          							if(__eflags == 0) {
                                                                          								goto L18;
                                                                          							} else {
                                                                          								__ecx = __esi;
                                                                          								__eax = E00406D11(__ecx, __eflags);
                                                                          								 *__esi = 0x428568;
                                                                          								goto L19;
                                                                          							}
                                                                          						case 2:
                                                                          							__esi = E00424DD9(0xb0);
                                                                          							__eflags = __esi - __ebx;
                                                                          							if(__eflags == 0) {
                                                                          								goto L18;
                                                                          							}
                                                                          							__ecx = __esi;
                                                                          							__eax = E00406D11(__ecx, __eflags);
                                                                          							 *__esi = 0x42854c;
                                                                          							goto L19;
                                                                          						case 3:
                                                                          							__esi = E00424DD9(0xb0);
                                                                          							__eflags = __esi - __ebx;
                                                                          							if(__eflags == 0) {
                                                                          								goto L18;
                                                                          							}
                                                                          							__ecx = __esi;
                                                                          							__eax = E00406D11(__ecx, __eflags);
                                                                          							 *__esi = 0x428530;
                                                                          							goto L19;
                                                                          						case 4:
                                                                          							__esi = E00424DD9(0xb0);
                                                                          							__eflags = __esi - __ebx;
                                                                          							if(__eflags == 0) {
                                                                          								goto L18;
                                                                          							}
                                                                          							__ecx = __esi;
                                                                          							__eax = E00406D11(__ecx, __eflags);
                                                                          							 *__esi = 0x428514;
                                                                          							goto L19;
                                                                          						case 5:
                                                                          							__esi = E00424DD9(0xb8);
                                                                          							__eflags = __esi - __ebx;
                                                                          							if(__eflags == 0) {
                                                                          								goto L18;
                                                                          							}
                                                                          							__ecx = __esi;
                                                                          							__eax = E00406D11(__ecx, __eflags);
                                                                          							 *__esi = 0x4284f8;
                                                                          							goto L19;
                                                                          						case 6:
                                                                          							__esi = E00424DD9(0xb0);
                                                                          							__eflags = __esi - __ebx;
                                                                          							if(__eflags == 0) {
                                                                          								goto L18;
                                                                          							}
                                                                          							__ecx = __esi;
                                                                          							__eax = E00406D11(__ecx, __eflags);
                                                                          							 *__esi = 0x4284dc;
                                                                          							goto L19;
                                                                          						case 7:
                                                                          							__esi = E00424DD9(0xb0);
                                                                          							__eflags = __esi - __ebx;
                                                                          							if(__eflags == 0) {
                                                                          								goto L18;
                                                                          							}
                                                                          							__ecx = __esi;
                                                                          							__eax = E00406D11(__ecx, __eflags);
                                                                          							 *__esi = 0x4284c0;
                                                                          							goto L19;
                                                                          						case 8:
                                                                          							__esi = E00424DD9(0xb0);
                                                                          							__eflags = __esi - __ebx;
                                                                          							if(__eflags == 0) {
                                                                          								goto L18;
                                                                          							}
                                                                          							__ecx = __esi;
                                                                          							__eax = E00406D11(__ecx, __eflags);
                                                                          							 *__esi = 0x4284a4;
                                                                          							goto L19;
                                                                          						case 9:
                                                                          							__esi = E00424DD9(0xb4);
                                                                          							__eflags = __esi - __ebx;
                                                                          							if(__eflags == 0) {
                                                                          								goto L18;
                                                                          							}
                                                                          							__ecx = __esi;
                                                                          							__eax = E00406D11(__ecx, __eflags);
                                                                          							 *__esi = 0x428488;
                                                                          							goto L19;
                                                                          						case 0xa:
                                                                          							__esi = E00424DD9(0xb0);
                                                                          							__eflags = __esi - __ebx;
                                                                          							if(__eflags == 0) {
                                                                          								goto L18;
                                                                          							}
                                                                          							__ecx = __esi;
                                                                          							__eax = E00406D11(__ecx, __eflags);
                                                                          							 *__esi = 0x42846c;
                                                                          							goto L19;
                                                                          						case 0xb:
                                                                          							__esi = E00424DD9(0xb0);
                                                                          							__eflags = __esi - __ebx;
                                                                          							if(__eflags == 0) {
                                                                          								goto L18;
                                                                          							}
                                                                          							__ecx = __esi;
                                                                          							__eax = E00406D11(__ecx, __eflags);
                                                                          							 *__esi = 0x428434;
                                                                          							goto L19;
                                                                          						case 0xc:
                                                                          							__esi = E00424DD9(0xb0);
                                                                          							__eflags = __esi - __ebx;
                                                                          							if(__eflags == 0) {
                                                                          								goto L18;
                                                                          							}
                                                                          							__ecx = __esi;
                                                                          							__eax = E00406D11(__ecx, __eflags);
                                                                          							 *__esi = 0x428450;
                                                                          							goto L19;
                                                                          					}
                                                                          				}
                                                                          				if(E00407D82(_t55) != 0) {
                                                                          					L7:
                                                                          					_t55 =  *0x47e110; // 0x0
                                                                          					goto L8;
                                                                          				}
                                                                          				_t52 = _a8;
                                                                          				if(_t52 == 0x14 || _t52 == 0x112 || _t52 == 0x400) {
                                                                          					goto L7;
                                                                          				} else {
                                                                          					if(_t52 == 0x10) {
                                                                          						goto L61;
                                                                          					} else {
                                                                          						return E00408768(_a4, _t52, _a12, _a16);
                                                                          					}
                                                                          				}
                                                                          			}














                                                                          0x00405bae
                                                                          0x00000000
                                                                          0x00405bc0
                                                                          0x00405bc3
                                                                          0x00405bc5
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00405bc7
                                                                          0x00405bc9
                                                                          0x00405bce
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00405be0
                                                                          0x00405be3
                                                                          0x00405be5
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00405beb
                                                                          0x00405bed
                                                                          0x00405bf2
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00405c07
                                                                          0x00405c0a
                                                                          0x00405c0c
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00405c12
                                                                          0x00405c14
                                                                          0x00405c19
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00405c2e
                                                                          0x00405c31
                                                                          0x00405c33
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00405c39
                                                                          0x00405c3b
                                                                          0x00405c40
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00405c55
                                                                          0x00405c58
                                                                          0x00405c5a
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00405c60
                                                                          0x00405c62
                                                                          0x00405c67
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00405c7c
                                                                          0x00405c7f
                                                                          0x00405c81
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00405c87
                                                                          0x00405c89
                                                                          0x00405c8e
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00405ca3
                                                                          0x00405ca6
                                                                          0x00405ca8
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00405cae
                                                                          0x00405cb0
                                                                          0x00405cb5
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00405cca
                                                                          0x00405ccd
                                                                          0x00405ccf
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00405cd5
                                                                          0x00405cd7
                                                                          0x00405cdc
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00405cf1
                                                                          0x00405cf4
                                                                          0x00405cf6
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00405cfc
                                                                          0x00405cfe
                                                                          0x00405d03
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00405d3f
                                                                          0x00405d42
                                                                          0x00405d44
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00405d4a
                                                                          0x00405d4c
                                                                          0x00405d51
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00405d18
                                                                          0x00405d1b
                                                                          0x00405d1d
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00405d23
                                                                          0x00405d25
                                                                          0x00405d2a
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00405b38
                                                                          0x00405abe
                                                                          0x00405aed
                                                                          0x00405aed
                                                                          0x00000000
                                                                          0x00405aed
                                                                          0x00405ac0
                                                                          0x00405ac6
                                                                          0x00000000
                                                                          0x00405ad0
                                                                          0x00405ad3
                                                                          0x00000000
                                                                          0x00405ad9
                                                                          0x00000000
                                                                          0x00405ae3
                                                                          0x00405ad3

                                                                          APIs
                                                                          • EnableWindow.USER32(?,00000000), ref: 00405D9B
                                                                          • DialogBoxParamA.USER32 ref: 00405DAE
                                                                          • EnableWindow.USER32(?,00000001), ref: 00405DC2
                                                                          • SetForegroundWindow.USER32(?), ref: 00405DCC
                                                                          • DeleteDC.GDI32 ref: 00405DE3
                                                                          • SystemParametersInfoA.USER32(00000030,00000000,0047E168,00000000), ref: 00405DF3
                                                                          • GetDesktopWindow.USER32 ref: 00405DFE
                                                                          • GetWindowRect.USER32 ref: 00405E05
                                                                          • DefWindowProcA.USER32(?,?,?,?), ref: 00405E3A
                                                                          • BitBlt.GDI32(?,00000000,00000000,00000000,00000000,00CC0020), ref: 00405E60
                                                                          • DestroyWindow.USER32(?), ref: 00405E7B
                                                                            • Part of subcall function 00408768: EnableWindow.USER32(?,00000000), ref: 0040878E
                                                                            • Part of subcall function 00408768: DialogBoxParamA.USER32 ref: 004087A0
                                                                            • Part of subcall function 00408768: EnableWindow.USER32(?,00000001), ref: 004087A9
                                                                            • Part of subcall function 00408768: SetForegroundWindow.USER32(?), ref: 004087AC
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Enable$DialogForegroundParam$DeleteDesktopDestroyInfoParametersProcRectSystem
                                                                          • String ID: $G$hG
                                                                          • API String ID: 3857719481-203099041
                                                                          • Opcode ID: 2f3b12d5543e14b79b981c452a303d4a0eca5a49f133cdee6d41fc202542ed02
                                                                          • Instruction ID: fa91adb50b79aa072a828a9bd1838e9d073234fdb9740b73cce90f07b5154bab
                                                                          • Opcode Fuzzy Hash: 2f3b12d5543e14b79b981c452a303d4a0eca5a49f133cdee6d41fc202542ed02
                                                                          • Instruction Fuzzy Hash: 6391D132B00620ABDB243FA1AC4262F7661DB40714B65417FF9467B2D1EB7E5C918F8E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 91%
                                                                          			E00420F79(intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                                                          				char _v8;
                                                                          				int _v12;
                                                                          				int* _v16;
                                                                          				intOrPtr _v20;
                                                                          				int _v24;
                                                                          				void* _v28;
                                                                          				char* _v32;
                                                                          				void* _v36;
                                                                          				int _v40;
                                                                          				int _v44;
                                                                          				int _v48;
                                                                          				int _v52;
                                                                          				struct _FILETIME _v60;
                                                                          				char _v72;
                                                                          				char _v84;
                                                                          				char _v96;
                                                                          				char _v108;
                                                                          				char* _t146;
                                                                          				char* _t147;
                                                                          				void* _t151;
                                                                          				void* _t152;
                                                                          				void* _t153;
                                                                          				void* _t154;
                                                                          
                                                                          				_t154 = __eflags;
                                                                          				_v20 = __ecx;
                                                                          				E0041BDC5( &_v108);
                                                                          				E0041EEC5(_v20,  &_v108);
                                                                          				E0041BDC5( &_v96);
                                                                          				_push(E0041CD1E(0x47e368));
                                                                          				E0041C467( &_v96, E0041CD1E(0x47eb10));
                                                                          				_t152 = _t151 + 0xc;
                                                                          				E0041EEC5(_v20,  &_v96);
                                                                          				_v8 = 0;
                                                                          				E0041BE35( &_v84, "Software\\");
                                                                          				E0041C0C5( &_v84, _t154, 0x47e368);
                                                                          				if(RegOpenKeyExA(0x80000002, E0041CD1E( &_v84), 0, 0x20019,  &_v28) != 0 || RegQueryInfoKeyA(_v28, 0, 0, 0,  &_v40,  &_v24, 0, 0, 0, 0, 0, 0) != 0) {
                                                                          					L21:
                                                                          					E0041EEC5(_v20, 0x47eb34);
                                                                          					goto L22;
                                                                          				} else {
                                                                          					_v32 = E00424DD9(_v24);
                                                                          					_v16 = 0;
                                                                          					if(_v40 <= 0) {
                                                                          						L18:
                                                                          						if(_v32 != 0) {
                                                                          							E00424DCE(_v32);
                                                                          						}
                                                                          						L20:
                                                                          						if(_v8 != 0) {
                                                                          							L22:
                                                                          							E0041BEFB( &_v84);
                                                                          							E0041BEFB( &_v96);
                                                                          							return E0041BEFB( &_v108);
                                                                          						}
                                                                          						goto L21;
                                                                          					}
                                                                          					while(1) {
                                                                          						_t146 = _v32;
                                                                          						if(_t146 == 0) {
                                                                          							break;
                                                                          						}
                                                                          						E00424500(_t146, 0, _v24);
                                                                          						_t152 = _t152 + 0xc;
                                                                          						_v44 = _v24;
                                                                          						RegEnumKeyExA(_v28, _v16, _t146,  &_v44, 0, 0, 0,  &_v60);
                                                                          						E0041BE35( &_v72, _t146);
                                                                          						if(RegOpenKeyExA(_v28, _t146, 0, 0x20019,  &_v36) != 0) {
                                                                          							L14:
                                                                          							E0041BEFB( &_v72);
                                                                          							_v16 =  &(_v16[0]);
                                                                          							if(_v16 < _v40) {
                                                                          								continue;
                                                                          							}
                                                                          							goto L18;
                                                                          						}
                                                                          						_t147 = E00424DD9(0x100);
                                                                          						if(_t147 == 0) {
                                                                          							_t56 =  &_v8;
                                                                          							 *_t56 = _v8 + 1;
                                                                          							__eflags =  *_t56;
                                                                          							E0041BEFB( &_v72);
                                                                          							goto L18;
                                                                          						}
                                                                          						E00424500(_t147, 0, 0x100);
                                                                          						_t153 = _t152 + 0xc;
                                                                          						_v48 = 0x100;
                                                                          						_v12 = 1;
                                                                          						RegQueryValueExA(_v36, "Version", 0,  &_v12, _t147,  &_v48);
                                                                          						if( *_t147 != 0 && _v12 == 1) {
                                                                          							_push(_t147);
                                                                          							_push(E0041CD1E(0x47eb1c));
                                                                          							E0041C467( &_v72, " %s %s");
                                                                          							_t153 = _t153 + 0x10;
                                                                          						}
                                                                          						E00424500(_t147, 0, 0x100);
                                                                          						_t152 = _t153 + 0xc;
                                                                          						_v52 = 0x100;
                                                                          						RegQueryValueExA(_v36, "Installed", 0,  &_v12, _t147,  &_v52);
                                                                          						if( *_t147 != 0 && _v12 == 1) {
                                                                          							_push(_t147);
                                                                          							_push(E0041CD1E(0x47eb28));
                                                                          							E0041C467( &_v72, ", %s: %s");
                                                                          							_t152 = _t152 + 0x10;
                                                                          						}
                                                                          						E0041EEC5(_v20,  &_v72);
                                                                          						_v8 = _v8 + 1;
                                                                          						E00424DCE(_t147);
                                                                          						goto L14;
                                                                          					}
                                                                          					_v8 = _v8 + 1;
                                                                          					goto L20;
                                                                          				}
                                                                          			}


























                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0042118d
                                                                          0x004210b4
                                                                          0x004210b9
                                                                          0x00421194
                                                                          0x00421194
                                                                          0x00421194
                                                                          0x0042119a
                                                                          0x00000000
                                                                          0x0042119a
                                                                          0x004210c2
                                                                          0x004210c7
                                                                          0x004210cd
                                                                          0x004210d0
                                                                          0x004210e6
                                                                          0x004210ee
                                                                          0x004210f6
                                                                          0x00421101
                                                                          0x0042110b
                                                                          0x00421110
                                                                          0x00421110
                                                                          0x00421116
                                                                          0x0042111b
                                                                          0x00421121
                                                                          0x00421133
                                                                          0x0042113b
                                                                          0x00421143
                                                                          0x0042114e
                                                                          0x00421158
                                                                          0x0042115d
                                                                          0x0042115d
                                                                          0x00421167
                                                                          0x0042116c
                                                                          0x00421170
                                                                          0x00000000
                                                                          0x00421175
                                                                          0x0042118f
                                                                          0x00000000
                                                                          0x0042118f

                                                                          APIs
                                                                            • Part of subcall function 0041BDC5: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0041C189,00000000,0047E4D0,00000000), ref: 0041BDD5
                                                                            • Part of subcall function 0041BDC5: GlobalLock.KERNEL32 ref: 0041BDDF
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                            • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,00000000,?,0042DB90,0047E788), ref: 0041C489
                                                                            • Part of subcall function 0041C467: lstrlenA.KERNEL32(00000000,0042D4D0,00000000,00000000,00000001,00000001), ref: 0041C63F
                                                                            • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407DB6), ref: 0041C649
                                                                            • Part of subcall function 0041BE35: lstrlenA.KERNEL32(00000000,0047DFB8,0047F2B8,0041B2F4,Astrum Installer,00000000,0047DFB8,?,0041B2C8,0041CD50,00000000,0041D88F,00000010,?,0041A03B,00000000), ref: 0041BE49
                                                                            • Part of subcall function 0041BE35: GlobalAlloc.KERNEL32(00000042,00000000,?,0041B2C8,0041CD50,00000000,0041D88F,00000010,?,0041A03B,00000000,00000000,00000000,?,0047E924,0041D88F), ref: 0041BE54
                                                                            • Part of subcall function 0041BE35: GlobalLock.KERNEL32 ref: 0041BE75
                                                                            • Part of subcall function 0041C0C5: GlobalUnlock.KERNEL32(?,00000000,0047E380,?,00421CA7,00000004,?,00000000,00000000,00000000,0047E490,0047E788,0047E380,0047E788,?,00422453), ref: 0041C0DE
                                                                            • Part of subcall function 0041C0C5: GlobalReAlloc.KERNEL32 ref: 0041C0EB
                                                                            • Part of subcall function 0041C0C5: GlobalLock.KERNEL32 ref: 0041C10C
                                                                          • RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,00020019,00000000,0047E368,Software\,00000000,?,?,00000001,?,00000000,00000000,00000000,00000000), ref: 00421004
                                                                          • RegQueryInfoKeyA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000001,?), ref: 00421026
                                                                          • RegEnumKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000001,?,?,00000001,?,00000000), ref: 00421083
                                                                          • RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,00000000,00000000,?,00000000,00000001,?,?,00000001,?,00000000,00000000,00000000), ref: 004210A0
                                                                          • RegQueryValueExA.ADVAPI32(00000000,Version,00000000,00000001,00000000,00000000,?,?,?,?,00000000,00000001,?,?,00000001,?), ref: 004210E6
                                                                          • RegQueryValueExA.ADVAPI32(00000000,Installed,00000000,00000001,00000000,00000000,?,?,?,?,?,?,?,00000000,00000001), ref: 00421133
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocLocklstrlen$Query$OpenUnlockValue$EnumInfo
                                                                          • String ID: %s %s$(G$, %s: %s$Installed$Software\$Version$hG
                                                                          • API String ID: 1052176546-1597445898
                                                                          • Opcode ID: eb21f44b1c9ad5e9903d96cc4743d310b631aa8d9bb6d41590713c3ff336ad93
                                                                          • Instruction ID: bc104e200bd05c96be64d5b001c431f16b8f9d0cb8a15f8c22d70380ef4f1218
                                                                          • Opcode Fuzzy Hash: eb21f44b1c9ad5e9903d96cc4743d310b631aa8d9bb6d41590713c3ff336ad93
                                                                          • Instruction Fuzzy Hash: BC611A71E0011DAADF10EBE2EC86DFFBB7DEE58708B50402BF501A2151EB395A55CB68
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00407B45(void* __ebx, void* __edi, void* __esi, char _a4) {
                                                                          				struct HWND__** _t37;
                                                                          				void* _t39;
                                                                          				void* _t41;
                                                                          				void* _t43;
                                                                          				void* _t45;
                                                                          				void* _t53;
                                                                          				void* _t69;
                                                                          				void* _t71;
                                                                          				void* _t77;
                                                                          				signed int _t86;
                                                                          				signed int _t98;
                                                                          				void* _t101;
                                                                          				struct HWND__* _t102;
                                                                          
                                                                          				_t32 =  *0x47df60;
                                                                          				_t102 = 0;
                                                                          				if(_t32 == 0) {
                                                                          					L44:
                                                                          					return _t32;
                                                                          				}
                                                                          				_t77 = 0;
                                                                          				if( *((intOrPtr*)(_t32 + 0x7c)) <= 0) {
                                                                          					L14:
                                                                          					E0041E921(_t32 + 0x70);
                                                                          					if(E00407D82( *0x47df60) != 0) {
                                                                          						DestroyWindow( *( *0x47df60 + 4));
                                                                          					}
                                                                          					 *( *0x47df60 + 4) = _t102;
                                                                          					_t37 =  *( *0x47df60 + 0x6c);
                                                                          					if(_t37 != _t102) {
                                                                          						 *_t37 = _t102;
                                                                          					}
                                                                          					_t39 =  *( *0x47df60 + 0x48);
                                                                          					if(_t39 != _t102) {
                                                                          						DeleteObject(_t39);
                                                                          						 *( *0x47df60 + 0x48) = _t102;
                                                                          					}
                                                                          					_t41 =  *( *0x47df60 + 0x4c);
                                                                          					if(_t41 != _t102) {
                                                                          						DeleteObject(_t41);
                                                                          						 *( *0x47df60 + 0x4c) = _t102;
                                                                          					}
                                                                          					_t43 =  *( *0x47df60 + 0x50);
                                                                          					if(_t43 != _t102) {
                                                                          						DeleteObject(_t43);
                                                                          						 *( *0x47df60 + 0x50) = _t102;
                                                                          					}
                                                                          					_t45 =  *( *0x47df60 + 0x54);
                                                                          					if(_t45 != _t102) {
                                                                          						DeleteObject(_t45);
                                                                          						 *( *0x47df60 + 0x54) = _t102;
                                                                          					}
                                                                          					_t32 =  *( *0x47df60 + 0xa0);
                                                                          					if(_t32 != _t102) {
                                                                          						DeleteObject(_t32);
                                                                          						_t32 =  *0x47df60;
                                                                          						 *(_t32 + 0xa0) = _t102;
                                                                          					}
                                                                          					_t98 = 0;
                                                                          					if( *0x47df54 <= _t102) {
                                                                          						L38:
                                                                          						if(_a4 != 0) {
                                                                          							_t100 =  *0x47df60;
                                                                          							if( *0x47df60 != _t102) {
                                                                          								E00406E01(_t100);
                                                                          								_t32 = E00424DCE(_t100);
                                                                          							}
                                                                          						}
                                                                          						 *0x47df60 = _t102;
                                                                          						if( *0x47df5c != _t102 ||  *0x47df54 <= _t102) {
                                                                          							goto L44;
                                                                          						} else {
                                                                          							return E0041D881(E0041CD1E(0x47e924));
                                                                          						}
                                                                          					} else {
                                                                          						_t32 =  *0x47df58;
                                                                          						do {
                                                                          							if( *((intOrPtr*)(_t32 + _t98 * 4)) !=  *0x47df60) {
                                                                          								goto L37;
                                                                          							}
                                                                          							_t86 = _t98;
                                                                          							if(_t98 >=  *0x47df54 - 1) {
                                                                          								L36:
                                                                          								 *0x47df54 =  *0x47df54 - 1;
                                                                          								GlobalUnlock( *0x47df5c);
                                                                          								_t53 = GlobalReAlloc( *0x47df5c,  *0x47df54 << 2, 0x42);
                                                                          								 *0x47df5c = _t53;
                                                                          								_t32 = GlobalLock(_t53);
                                                                          								 *0x47df58 = _t32;
                                                                          								goto L37;
                                                                          							}
                                                                          							while(1) {
                                                                          								 *((intOrPtr*)(_t32 + _t86 * 4)) =  *((intOrPtr*)(_t32 + 4 + _t86 * 4));
                                                                          								_t86 = _t86 + 1;
                                                                          								if(_t86 >=  *0x47df54 - 1) {
                                                                          									goto L36;
                                                                          								}
                                                                          								_t32 =  *0x47df58;
                                                                          							}
                                                                          							goto L36;
                                                                          							L37:
                                                                          							_t98 = _t98 + 1;
                                                                          						} while (_t98 <  *0x47df54);
                                                                          						goto L38;
                                                                          					}
                                                                          				} else {
                                                                          					goto L2;
                                                                          				}
                                                                          				do {
                                                                          					L2:
                                                                          					_t101 = E0041E860(_t32 + 0x70, _t77);
                                                                          					if( *((intOrPtr*)(_t101 + 8)) != 0xc) {
                                                                          						DestroyWindow( *(_t101 + 0x50));
                                                                          						goto L6;
                                                                          					}
                                                                          					_t103 =  *(_t101 + 0x50);
                                                                          					if( *(_t101 + 0x50) != 0) {
                                                                          						E0041EA84(_t103);
                                                                          						E00424DCE(_t103);
                                                                          					}
                                                                          					_t102 = 0;
                                                                          					L6:
                                                                          					_t69 =  *(_t101 + 0x54);
                                                                          					if(_t69 != _t102) {
                                                                          						DeleteObject(_t69);
                                                                          					}
                                                                          					if( *((intOrPtr*)(_t101 + 0x34)) < 0xfffffffe) {
                                                                          						_t71 =  *(_t101 + 0x58);
                                                                          						if(_t71 != _t102) {
                                                                          							DeleteObject(_t71);
                                                                          						}
                                                                          					}
                                                                          					if(_t101 != _t102) {
                                                                          						E00407D5B(_t101, 1);
                                                                          					}
                                                                          					_t32 =  *0x47df60;
                                                                          					_t77 = _t77 + 1;
                                                                          				} while (_t77 <  *((intOrPtr*)( *0x47df60 + 0x7c)));
                                                                          				goto L14;
                                                                          			}
















                                                                          0x00407cb2
                                                                          0x00407cb2
                                                                          0x00000000
                                                                          0x00407d03
                                                                          0x00407d03
                                                                          0x00407d04
                                                                          0x00000000
                                                                          0x00407c8a
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00407b65
                                                                          0x00407b65
                                                                          0x00407b6e
                                                                          0x00407b74
                                                                          0x00407ca7
                                                                          0x00000000
                                                                          0x00407ca7
                                                                          0x00407b7a
                                                                          0x00407b7f
                                                                          0x00407b83
                                                                          0x00407b89
                                                                          0x00407b8e
                                                                          0x00407b8f
                                                                          0x00407b91
                                                                          0x00407b91
                                                                          0x00407b96
                                                                          0x00407b99
                                                                          0x00407b99
                                                                          0x00407b9f
                                                                          0x00407ba1
                                                                          0x00407ba6
                                                                          0x00407ba9
                                                                          0x00407ba9
                                                                          0x00407ba6
                                                                          0x00407bad
                                                                          0x00407bb3
                                                                          0x00407bb3
                                                                          0x00407bb8
                                                                          0x00407bbd
                                                                          0x00407bbe
                                                                          0x00000000

                                                                          APIs
                                                                          • DeleteObject.GDI32(?), ref: 00407B99
                                                                          • DeleteObject.GDI32(?), ref: 00407BA9
                                                                            • Part of subcall function 0041EA84: DeleteDC.GDI32(?), ref: 0041EAE0
                                                                            • Part of subcall function 0041EA84: DeleteObject.GDI32(0000000C), ref: 0041EAF8
                                                                            • Part of subcall function 0041EA84: DeleteObject.GDI32(?), ref: 0041EB06
                                                                          • DestroyWindow.USER32(?,00000000,0047DFB8,00000094,?,0041A1BF,00000001,0047DFB8,0041A044,00000001,00000000,00000000,00000000,?,0047E924,0041D88F), ref: 00407BE2
                                                                          • DeleteObject.GDI32(?), ref: 00407C0B
                                                                          • DeleteObject.GDI32(?), ref: 00407C22
                                                                          • DeleteObject.GDI32(?), ref: 00407C39
                                                                          • DeleteObject.GDI32(?), ref: 00407C50
                                                                          • DeleteObject.GDI32(?), ref: 00407C6A
                                                                          • DestroyWindow.USER32(?,00000000,00000000,0047DFB8,00000094,?,0041A1BF,00000001,0047DFB8,0041A044,00000001,00000000,00000000,00000000,?,0047E924), ref: 00407CA7
                                                                          • GlobalUnlock.KERNEL32(00000000,0047DFB8,00000094,?,0041A1BF,00000001,0047DFB8,0041A044,00000001,00000000,00000000,00000000,?,0047E924,0041D88F,00000000), ref: 00407CD5
                                                                          • GlobalReAlloc.KERNEL32 ref: 00407CEC
                                                                          • GlobalLock.KERNEL32 ref: 00407CF8
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Delete$Object$Global$DestroyWindow$AllocLockUnlock
                                                                          • String ID: $G
                                                                          • API String ID: 4261534367-195990108
                                                                          • Opcode ID: 4cbbb553f0697c4bd6378f99e2a20ecd54ae89e0639677ce42858f0b454cafb8
                                                                          • Instruction ID: e471fc44e6ccc1b89dc971079bd39713c39b082186c56252f11c08beb7781c98
                                                                          • Opcode Fuzzy Hash: 4cbbb553f0697c4bd6378f99e2a20ecd54ae89e0639677ce42858f0b454cafb8
                                                                          • Instruction Fuzzy Hash: 59512975E182488FC620EF69ED8492A77B5BF48304761447EE40AB76A1CB38BC85CB1D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 80%
                                                                          			E0041B45D(void* __ecx, signed char _a4) {
                                                                          				signed char _v8;
                                                                          				char _v20;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				void* _t42;
                                                                          				intOrPtr _t56;
                                                                          				struct HINSTANCE__* _t60;
                                                                          				signed char _t66;
                                                                          				void* _t67;
                                                                          				void* _t87;
                                                                          				void* _t91;
                                                                          				void* _t94;
                                                                          				signed char* _t95;
                                                                          				void* _t98;
                                                                          				void* _t103;
                                                                          				void* _t106;
                                                                          				void* _t107;
                                                                          				void* _t109;
                                                                          
                                                                          				_t1 = __ecx + 0x158; // 0x47e110
                                                                          				_t95 = _t1;
                                                                          				_t66 = 0;
                                                                          				_t69 =  *_t95;
                                                                          				if( *_t95 != 0) {
                                                                          					_push(0);
                                                                          					E00407827(_t69, _t91, _t95);
                                                                          				}
                                                                          				 *_t95 = _t66;
                                                                          				DeleteDC( *0x47e184);
                                                                          				_t98 =  *0x47e770 - _t66; // 0x0
                                                                          				if(_t98 != 0) {
                                                                          					if( *0x47f289 != 0) {
                                                                          						 *0x47e714(_t66);
                                                                          					}
                                                                          					if( *0x47f288 != 0) {
                                                                          						 *0x47e714(1);
                                                                          					}
                                                                          					E0041E681(0x47e710);
                                                                          				}
                                                                          				E0041BD2D(0x47e2d0);
                                                                          				if(_a4 != 0) {
                                                                          					_t60 =  *0x47f26c; // 0x0
                                                                          					if(_t60 != _t66) {
                                                                          						FreeLibrary(_t60);
                                                                          						 *0x47f26c = _t66;
                                                                          					}
                                                                          				}
                                                                          				_t103 =  *0x47e784 - _t66; // 0x0
                                                                          				_a4 = _t66;
                                                                          				if(_t103 <= 0) {
                                                                          					L16:
                                                                          					_t107 =  *0x47e52c - _t66; // 0x0
                                                                          					_a4 = _t66;
                                                                          					if(_t107 <= 0) {
                                                                          						L21:
                                                                          						E0041E921(0x47e520);
                                                                          						E0041BDC5( &_v20);
                                                                          						_v8 = _t66;
                                                                          						_push(_t66);
                                                                          						while(E0041C9D2(0x47e570) != 0) {
                                                                          							_t66 = _t66 + 1;
                                                                          							E0041C92F(0x47e570,  &_v8,  &_v20);
                                                                          							if((_t66 & 0x00000001) != 0) {
                                                                          								RemoveFontResourceA(E0041CD1E( &_v20));
                                                                          							}
                                                                          							DeleteFileA(E0041CD1E( &_v20));
                                                                          							_push(_v8);
                                                                          						}
                                                                          						E0041BF12(0x47e570, 0x42e0c8);
                                                                          						DeleteFileA(E0041CD1E(0x47df9c));
                                                                          						DeleteFileA(E0041CD1E(0x47dfa8));
                                                                          						DeleteFileA(E0041CD1E(0x47df90));
                                                                          						DeleteFileA(E0041CD1E(0x47e788));
                                                                          						DeleteObject( *0x47e180);
                                                                          						E0041BEFB( &_v20);
                                                                          						_t42 = 1;
                                                                          						return _t42;
                                                                          					} else {
                                                                          						goto L17;
                                                                          					}
                                                                          					do {
                                                                          						L17:
                                                                          						_t67 = E0041E860(0x47e520, _a4);
                                                                          						_t11 = _t67 + 4; // 0x4
                                                                          						DeleteFileA(E0041CD1E(_t11));
                                                                          						if(_t67 != 0) {
                                                                          							_t12 = _t67 + 4; // 0x4
                                                                          							E0041BEFB(_t12);
                                                                          							E00424DCE(_t67);
                                                                          						}
                                                                          						_a4 = _a4 + 1;
                                                                          						_t109 = _a4 -  *0x47e52c; // 0x0
                                                                          					} while (_t109 < 0);
                                                                          					_t66 = 0;
                                                                          					goto L21;
                                                                          				} else {
                                                                          					_t94 = 0;
                                                                          					do {
                                                                          						_t56 =  *0x47e780; // 0x0
                                                                          						_t87 = _t94 + _t56;
                                                                          						if( *((intOrPtr*)(_t94 + _t56)) > _t66) {
                                                                          							DeleteFileA(E0041CD1E(_t87));
                                                                          						}
                                                                          						_a4 = _a4 + 1;
                                                                          						_t94 = _t94 + 0xc;
                                                                          						_t106 = _a4 -  *0x47e784; // 0x0
                                                                          					} while (_t106 < 0);
                                                                          					goto L16;
                                                                          				}
                                                                          			}






















                                                                          APIs
                                                                          • DeleteDC.GDI32(00000000), ref: 0041B482
                                                                          • FreeLibrary.KERNEL32(00000000), ref: 0041B4D7
                                                                          • DeleteFileA.KERNEL32(00000000), ref: 0041B509
                                                                          • DeleteFileA.KERNEL32(00000000), ref: 0041B541
                                                                          • RemoveFontResourceA.GDI32(00000000), ref: 0041B5A7
                                                                          • DeleteFileA.KERNEL32(00000000,?,00000000), ref: 0041B5B6
                                                                            • Part of subcall function 00407827: GetWindowTextLengthA.USER32(?), ref: 004078A0
                                                                            • Part of subcall function 0041BF12: GlobalUnlock.KERNEL32(0217020C,00000104,00000000,0041929A,00000000), ref: 0041BF19
                                                                            • Part of subcall function 0041BF12: GlobalReAlloc.KERNEL32 ref: 0041BF3B
                                                                            • Part of subcall function 0041BF12: GlobalLock.KERNEL32 ref: 0041BF5C
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          • DeleteFileA.KERNEL32(00000000,0042E0C8,00000000), ref: 0041B5D4
                                                                          • DeleteFileA.KERNEL32(00000000), ref: 0041B5E1
                                                                          • DeleteFileA.KERNEL32(00000000), ref: 0041B5EE
                                                                          • DeleteFileA.KERNEL32(00000000), ref: 0041B5FB
                                                                          • DeleteObject.GDI32 ref: 0041B603
                                                                            • Part of subcall function 0041BEFB: GlobalUnlock.KERNEL32(?,00000000,0041C1E9,00000000,00000010,00000000,0047E4D0,00000000), ref: 0041BF01
                                                                            • Part of subcall function 0041BEFB: GlobalFree.KERNEL32 ref: 0041BF0A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Delete$Global$File$Unlock$AllocFreeLock$FontLengthLibraryObjectRemoveResourceTextWindow
                                                                          • String ID: G$pG
                                                                          • API String ID: 1984375292-3964839008
                                                                          • Opcode ID: d5626b5a65b0072f64c185abbc8683852ebb99e60611248915683e9ff468a930
                                                                          • Instruction ID: 296a2eed25ec2761f059183916520a0246cc43fa241ca85157825788f96731bb
                                                                          • Opcode Fuzzy Hash: d5626b5a65b0072f64c185abbc8683852ebb99e60611248915683e9ff468a930
                                                                          • Instruction Fuzzy Hash: E641B570A00105ABCB14AFA6EDD55EE3B6AEB44348B50847FF50597152CF3899C1CA9D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 84%
                                                                          			E0041EBAF(struct HWND__** __ecx, struct HDC__* _a4, intOrPtr _a8, intOrPtr _a12, int _a16, int _a20, long _a24, signed char _a28) {
                                                                          				struct tagRECT _v20;
                                                                          				intOrPtr _t46;
                                                                          				signed char _t48;
                                                                          				struct HDC__* _t49;
                                                                          				void* _t50;
                                                                          				void* _t51;
                                                                          				struct HDC__* _t52;
                                                                          				void* _t54;
                                                                          				struct HBRUSH__* _t61;
                                                                          				void* _t63;
                                                                          				int _t72;
                                                                          				intOrPtr _t74;
                                                                          				int _t79;
                                                                          				void* _t81;
                                                                          				struct HWND__** _t82;
                                                                          
                                                                          				_t82 = __ecx;
                                                                          				_t74 = _a12;
                                                                          				_t72 = _a20;
                                                                          				 *((intOrPtr*)(__ecx)) = _a4;
                                                                          				_t46 = _a8;
                                                                          				 *(__ecx + 0x10) =  *(__ecx + 0x10) & 0x00000000;
                                                                          				_t79 = _a16;
                                                                          				 *((intOrPtr*)(__ecx + 0x14)) = _t46;
                                                                          				 *((intOrPtr*)(__ecx + 0x18)) = _t74;
                                                                          				 *((intOrPtr*)(__ecx + 0x1c)) = _t46 + _t79;
                                                                          				_t48 = _a28;
                                                                          				 *(__ecx + 0x24) = _t48;
                                                                          				 *((intOrPtr*)(__ecx + 0x20)) = _t74 + _t72;
                                                                          				if((_t48 & 0x00000002) != 0 && (_t48 & 0x00000001) != 0) {
                                                                          					 *(__ecx + 0x24) = _t48 & 0x000000fd;
                                                                          				}
                                                                          				_t49 = _t82[1];
                                                                          				if(_t49 != 0) {
                                                                          					DeleteDC(_t49);
                                                                          				}
                                                                          				_t50 = _t82[2];
                                                                          				if(_t50 != 0) {
                                                                          					DeleteObject(_t50);
                                                                          				}
                                                                          				_t51 = _t82[3];
                                                                          				if(_t51 != 0) {
                                                                          					DeleteObject(_t51);
                                                                          				}
                                                                          				_t52 = GetDC( *_t82);
                                                                          				_a4 = _t52;
                                                                          				if(_t52 != 0) {
                                                                          					_t82[1] = CreateCompatibleDC(_t52);
                                                                          					_t54 = CreateCompatibleBitmap(_a4, _t79, _t72);
                                                                          					_t82[2] = _t54;
                                                                          					if(_t54 != 0) {
                                                                          						if(SelectObject(_t82[1], _t54) != 0) {
                                                                          							ReleaseDC( *_t82, _a4);
                                                                          							_v20.left = _v20.left & 0x00000000;
                                                                          							_v20.top = _v20.top & 0x00000000;
                                                                          							_v20.right = _t79;
                                                                          							_v20.bottom = _t72;
                                                                          							if(DrawEdge(_t82[1],  &_v20, 0xa, 0xf) != 0) {
                                                                          								SetBkMode(_t82[1], 1);
                                                                          								SetTextColor(_t82[1], 0xffffff);
                                                                          								_t61 = CreateSolidBrush(_a24);
                                                                          								_t82[3] = _t61;
                                                                          								if(_t61 != 0) {
                                                                          									if((_t82[9] & 0x00000002) != 0) {
                                                                          										E0041EA89(_t82);
                                                                          									}
                                                                          									E0041ED05(_t82);
                                                                          									_push(1);
                                                                          									goto L23;
                                                                          								} else {
                                                                          									_push(0xfffffffb);
                                                                          									goto L19;
                                                                          								}
                                                                          							} else {
                                                                          								_push(0xfffffffc);
                                                                          								L19:
                                                                          								_pop(_t81);
                                                                          								DeleteDC(_t82[1]);
                                                                          								DeleteObject(_t82[2]);
                                                                          								_t63 = _t81;
                                                                          							}
                                                                          						} else {
                                                                          							_push(0xfffffff1);
                                                                          							goto L23;
                                                                          						}
                                                                          					} else {
                                                                          						DeleteDC(_t82[1]);
                                                                          						_push(0xfffffffd);
                                                                          						goto L23;
                                                                          					}
                                                                          				} else {
                                                                          					_push(0xfffffffe);
                                                                          					L23:
                                                                          					_pop(_t63);
                                                                          				}
                                                                          				return _t63;
                                                                          			}



















                                                                          APIs
                                                                          • DeleteDC.GDI32(?), ref: 0041EBFA
                                                                          • DeleteObject.GDI32(?), ref: 0041EC08
                                                                          • DeleteObject.GDI32(?), ref: 0041EC16
                                                                          • GetDC.USER32(00000000), ref: 0041EC1E
                                                                          • CreateCompatibleDC.GDI32(00000000), ref: 0041EC33
                                                                          • CreateCompatibleBitmap.GDI32(00000000,00000000,00000000), ref: 0041EC41
                                                                          • DeleteDC.GDI32(?), ref: 0041EC51
                                                                          • SelectObject.GDI32(?,00000000), ref: 0041EC62
                                                                          • ReleaseDC.USER32 ref: 0041EC78
                                                                          • DrawEdge.USER32(?,00000000,0000000A,0000000F), ref: 0041EC97
                                                                          • DeleteDC.GDI32(?), ref: 0041ECD4
                                                                          • DeleteObject.GDI32(?), ref: 0041ECDD
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Delete$Object$CompatibleCreate$BitmapDrawEdgeReleaseSelect
                                                                          • String ID:
                                                                          • API String ID: 608369310-0
                                                                          • Opcode ID: 3e7d02a4a00b271197cd033e0c72544b9dcc0dc4ebf2123fa6d999bac16dbade
                                                                          • Instruction ID: 5f70c00956729426acaa749462fe2811b3bdc1d437f37c264a0df7fd35e865d3
                                                                          • Opcode Fuzzy Hash: 3e7d02a4a00b271197cd033e0c72544b9dcc0dc4ebf2123fa6d999bac16dbade
                                                                          • Instruction Fuzzy Hash: 2B418F74600705EFDB308F2ADD09B9A7BE5BF04711B10892EF966D22A0EB34D841CB58
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 96%
                                                                          			E00407827(intOrPtr __ecx, void* __edi, void* __esi) {
                                                                          				void* __ebx;
                                                                          				void* _t53;
                                                                          				struct HWND__* _t66;
                                                                          				long _t67;
                                                                          				void* _t70;
                                                                          				signed int _t92;
                                                                          				int _t100;
                                                                          				void* _t101;
                                                                          				void* _t103;
                                                                          				intOrPtr _t109;
                                                                          				int _t110;
                                                                          				void* _t139;
                                                                          				void* _t141;
                                                                          				int _t142;
                                                                          				int _t144;
                                                                          				void* _t145;
                                                                          				void* _t147;
                                                                          				void* _t148;
                                                                          				void* _t149;
                                                                          				intOrPtr _t150;
                                                                          				void* _t151;
                                                                          				void* _t167;
                                                                          				void* _t170;
                                                                          
                                                                          				_t145 = __esi;
                                                                          				_t139 = __edi;
                                                                          				_t150 = __ecx;
                                                                          				_t100 = 0;
                                                                          				if( *((intOrPtr*)(__ecx + 4)) == 0) {
                                                                          					L45:
                                                                          					_t53 = 1;
                                                                          					return _t53;
                                                                          				}
                                                                          				if(E00407D82(__ecx) == 0) {
                                                                          					 *((char*)(_t151 + 0x34)) = 1;
                                                                          				}
                                                                          				_push(_t145);
                                                                          				_push(_t139);
                                                                          				 *(_t151 + 0x14) = _t100;
                                                                          				if( *((intOrPtr*)(_t150 + 0x64)) <= _t100) {
                                                                          					L41:
                                                                          					E0041E921(_t150 + 0x58);
                                                                          					_t170 =  *0x47e110 - _t150; // 0x0
                                                                          					if(_t170 == 0) {
                                                                          						 *0x47e110 = _t100;
                                                                          					}
                                                                          					EnableWindow(GetDlgItem( *(_t150 + 4), 1), _t100);
                                                                          					EnableWindow(GetDlgItem( *(_t150 + 4), 2), _t100);
                                                                          					EnableWindow(GetDlgItem( *(_t150 + 4), 3), _t100);
                                                                          					_pop(_t141);
                                                                          					 *0x47df60 = _t150;
                                                                          					_pop(_t147);
                                                                          					if( *((char*)(_t151 + 0x3c)) != 0) {
                                                                          						E00407B45(_t100, _t141, _t147, _t100);
                                                                          					}
                                                                          					goto L45;
                                                                          				} else {
                                                                          					do {
                                                                          						_t148 = E0041E860(_t150 + 0x58,  *(_t151 + 0x14));
                                                                          						_t101 = E0040710F(_t150,  *((intOrPtr*)(_t148 + 0xc)));
                                                                          						_t142 = 0;
                                                                          						if(_t101 == 0) {
                                                                          							goto L39;
                                                                          						}
                                                                          						_t66 =  *(_t101 + 0x50);
                                                                          						if(_t66 == 0) {
                                                                          							goto L39;
                                                                          						}
                                                                          						_t109 =  *((intOrPtr*)(_t101 + 8));
                                                                          						if(_t109 == 3 || _t109 == 4) {
                                                                          							_t67 = SendMessageA(_t66, 0xf0, _t142, _t142);
                                                                          							_t110 = 1;
                                                                          							__eflags = _t67 - _t110;
                                                                          							if(_t67 == _t110) {
                                                                          								L21:
                                                                          								 *(_t148 + 0x1c) = _t110;
                                                                          								L22:
                                                                          								E004278E9( *(_t148 + 0x1c), _t151 + 0x28, 0xa);
                                                                          								_t151 = _t151 + 0xc;
                                                                          								_t70 = _t151 + 0x28;
                                                                          								goto L23;
                                                                          							}
                                                                          							__eflags = _t67 - 2;
                                                                          							if(_t67 == 2) {
                                                                          								goto L21;
                                                                          							}
                                                                          							 *(_t148 + 0x1c) = _t142;
                                                                          							goto L22;
                                                                          						} else {
                                                                          							if(_t109 != 5) {
                                                                          								__eflags = _t109 - 7;
                                                                          								if(_t109 == 7) {
                                                                          									L17:
                                                                          									__eflags = _t109 - 7;
                                                                          									 *(_t148 + 0x1c) = SendMessageA(_t66, ((0 | _t109 != 0x00000007) - 0x00000001 & 0x00000041) + 0x147, _t142, _t142);
                                                                          									E00427836(_t89, _t151 + 0x18, 0xa);
                                                                          									_t151 = _t151 + 0xc;
                                                                          									_t70 = _t151 + 0x18;
                                                                          									L23:
                                                                          									_t29 = _t148 + 0x10; // 0x10
                                                                          									E0041BF12(_t29, _t70);
                                                                          									L24:
                                                                          									if(E00424DD9(0x58) != _t142) {
                                                                          										_t142 = E00407ADD(_t72);
                                                                          									}
                                                                          									if(_t142 == 0) {
                                                                          										E0041D881(E0041CD1E(0x47e924));
                                                                          									}
                                                                          									E0041BF80(_t142, _t148);
                                                                          									 *(_t142 + 0x10) =  *(_t142 + 0x10) | 0xffffffff;
                                                                          									_t32 = _t148 + 0x10; // 0x10
                                                                          									_t102 = _t32;
                                                                          									_t33 = _t142 + 0x48; // 0x48
                                                                          									 *(_t142 + 0xc) = 1;
                                                                          									E0041BF80(_t33, _t32);
                                                                          									 *(_t142 + 0x54) =  *(_t148 + 0x1c);
                                                                          									if(_t148 != 0) {
                                                                          										E0041BEFB(_t102);
                                                                          										E0041BEFB(_t148);
                                                                          										E00424DCE(_t148);
                                                                          									}
                                                                          									 *(_t151 + 0x10) =  *(_t151 + 0x10) & 0x00000000;
                                                                          									_t165 =  *0x47e4dc;
                                                                          									if( *0x47e4dc <= 0) {
                                                                          										_t149 = 0x47e4d0;
                                                                          										goto L38;
                                                                          									} else {
                                                                          										while(1) {
                                                                          											_t149 = 0x47e4d0;
                                                                          											_t103 = E0041E860(0x47e4d0,  *(_t151 + 0x10));
                                                                          											if(E0041C176(_t103, _t165, _t142, 1) != 0) {
                                                                          												break;
                                                                          											}
                                                                          											 *(_t151 + 0x10) =  *(_t151 + 0x10) + 1;
                                                                          											_t167 =  *(_t151 + 0x10) -  *0x47e4dc; // 0x8
                                                                          											if(_t167 < 0) {
                                                                          												continue;
                                                                          											}
                                                                          											L38:
                                                                          											E0041E87A(_t149, _t142, 0xffffffff);
                                                                          											goto L39;
                                                                          										}
                                                                          										__eflags = _t103;
                                                                          										if(_t103 != 0) {
                                                                          											E00407B11(_t103);
                                                                          											E00424DCE(_t103);
                                                                          										}
                                                                          										E0041E907(_t149,  *(_t151 + 0x14), _t142);
                                                                          										goto L39;
                                                                          									}
                                                                          								}
                                                                          								__eflags = _t109 - 8;
                                                                          								if(_t109 != 8) {
                                                                          									goto L24;
                                                                          								}
                                                                          								goto L17;
                                                                          							}
                                                                          							_t144 = GetWindowTextLengthA(_t66) + 1;
                                                                          							_t92 = E00424DD9(_t144);
                                                                          							 *(_t151 + 0x10) = _t92;
                                                                          							if(_t92 == 0) {
                                                                          								E0041D881(E0041CD1E(0x47e924));
                                                                          							}
                                                                          							if(_t144 != 1) {
                                                                          								GetWindowTextA( *(_t101 + 0x50),  *(_t151 + 0x14), _t144);
                                                                          							} else {
                                                                          								 *( *(_t151 + 0x10)) =  *( *(_t151 + 0x10)) & 0x00000000;
                                                                          							}
                                                                          							_t15 = _t148 + 0x10; // 0x10
                                                                          							E0041BF12(_t15,  *(_t151 + 0x10));
                                                                          							 *(_t148 + 0x1c) = E00424FC3(_t15,  *(_t151 + 0x10));
                                                                          							E00424DCE( *(_t151 + 0x14));
                                                                          							_t142 = 0;
                                                                          							goto L24;
                                                                          						}
                                                                          						L39:
                                                                          						 *(_t151 + 0x14) =  &(( *(_t151 + 0x14))[1]);
                                                                          					} while ( *(_t151 + 0x14) <  *((intOrPtr*)(_t150 + 0x64)));
                                                                          					_t100 = 0;
                                                                          					goto L41;
                                                                          				}
                                                                          			}



























                                                                          APIs
                                                                          • GetWindowTextLengthA.USER32(?), ref: 004078A0
                                                                          • GetWindowTextA.USER32 ref: 004078DF
                                                                          • SendMessageA.USER32(?,-00000148,00000000,00000000), ref: 0040792F
                                                                          • SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00407956
                                                                          • GetDlgItem.USER32 ref: 00407A9B
                                                                          • EnableWindow.USER32(00000000), ref: 00407AA4
                                                                          • GetDlgItem.USER32 ref: 00407AAC
                                                                          • EnableWindow.USER32(00000000), ref: 00407AAF
                                                                          • GetDlgItem.USER32 ref: 00407AB7
                                                                          • EnableWindow.USER32(00000000), ref: 00407ABA
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Window$EnableItem$MessageSendText$Length
                                                                          • String ID: $G$$G
                                                                          • API String ID: 1281374264-2434318057
                                                                          • Opcode ID: f4f2855c8cab32bc9d209eaa5381aa18ebcf6ff6885c2313637300ec8d4ce2d5
                                                                          • Instruction ID: 834a23fe4f7e8a8072a0548f6f657284474bb3ca5693f3cc7dd4fb70d565ed91
                                                                          • Opcode Fuzzy Hash: f4f2855c8cab32bc9d209eaa5381aa18ebcf6ff6885c2313637300ec8d4ce2d5
                                                                          • Instruction Fuzzy Hash: 1B711871A08301ABDB24EF62DC85A6F77A9EF80704F10493FF501A62D1DB78AD45CB5A
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 82%
                                                                          			E0040B78E(unsigned int _a4) {
                                                                          				int _v8;
                                                                          				void* __ecx;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				unsigned int _t39;
                                                                          				int _t40;
                                                                          				void* _t41;
                                                                          				int _t42;
                                                                          				long _t43;
                                                                          				int _t66;
                                                                          				int _t67;
                                                                          				intOrPtr _t68;
                                                                          				int _t74;
                                                                          				intOrPtr _t76;
                                                                          				CHAR* _t78;
                                                                          				intOrPtr _t80;
                                                                          				CHAR* _t90;
                                                                          				char* _t98;
                                                                          				void* _t99;
                                                                          				void* _t104;
                                                                          				void* _t105;
                                                                          				intOrPtr _t107;
                                                                          				struct HWND__* _t109;
                                                                          				void* _t110;
                                                                          				void* _t116;
                                                                          
                                                                          				_push(_t80);
                                                                          				_t39 = _a4 >> 0x10;
                                                                          				_t74 = 0;
                                                                          				_push(_t110);
                                                                          				_t107 = _t80;
                                                                          				if(_t39 == 0 || _t39 == 1) {
                                                                          					_t40 = _a4 & 0x0000ffff;
                                                                          					if(_t40 != 2) {
                                                                          						if(_t40 != 1) {
                                                                          							if(_t40 != 3) {
                                                                          								if(_t40 == 0xb) {
                                                                          									_t42 = SendDlgItemMessageA( *(_t107 + 4), _t40, 0x188, _t74, _t74);
                                                                          									_t76 =  *0x47e35c; // 0x9
                                                                          									_a4 = _t42;
                                                                          									_t43 = SendDlgItemMessageA( *(_t107 + 4), 0xb, 0x18a, _t42, 0);
                                                                          									_t32 = _t76 + 1; // 0x1
                                                                          									_t78 = E00424DD9(_t43 + _t32);
                                                                          									if(_t78 == 0) {
                                                                          										E0041D881(E0041CD1E(0x47e924));
                                                                          									}
                                                                          									SendDlgItemMessageA( *(_t107 + 4), 0xb, 0x189, _a4, _t78);
                                                                          									if(( *0x47e193 & 0x00000004) == 0) {
                                                                          										if( *_t78 != 0) {
                                                                          											lstrcatA(_t78, "\\");
                                                                          										}
                                                                          										lstrcatA(_t78, E0041CD1E(0x47e35c));
                                                                          									}
                                                                          									SetDlgItemTextA( *(_t107 + 4), 0xa, _t78);
                                                                          									E00424DCE(_t78);
                                                                          								}
                                                                          							} else {
                                                                          								E0041DBA4( *(_t107 + 4), 0xa,  &_a4);
                                                                          								E0041BF12(0x47e344, _a4);
                                                                          								E00424DCE(_a4);
                                                                          								E00407827(_t107, _t107, _t110, _t74);
                                                                          								E00417D26(0x47dfb8, _t74);
                                                                          							}
                                                                          							goto L41;
                                                                          						}
                                                                          						E0041DBA4( *(_t107 + 4), 0xa,  &_a4);
                                                                          						_t90 = _a4;
                                                                          						if( *_t90 == 0) {
                                                                          							L26:
                                                                          							E0041BF12(0x47e344, _t90);
                                                                          							E0041CDAE(0x47e344);
                                                                          							E00424DCE(_a4);
                                                                          							E00407827(_t107, _t107, 0x47e344, _t74);
                                                                          							E00417EA6(0x47dfb8, _t74);
                                                                          							goto L41;
                                                                          						}
                                                                          						_t66 = lstrlenA(_t90);
                                                                          						_t90 = _a4;
                                                                          						_t104 = 0;
                                                                          						_v8 = _t66;
                                                                          						if(_t66 <= _t74) {
                                                                          							L21:
                                                                          							if( *_t90 != 0x5c) {
                                                                          								goto L26;
                                                                          							}
                                                                          							_t67 = lstrlenA(_t90);
                                                                          							_t12 = _t67 - 1; // -1
                                                                          							_t116 = _t12;
                                                                          							_t105 = 0;
                                                                          							if(_t116 <= _t74) {
                                                                          								L25:
                                                                          								 *(_t67 + _a4 - 1) =  *(_t67 + _a4 - 1) & 0x00000000;
                                                                          								_t90 = _a4;
                                                                          								goto L26;
                                                                          							} else {
                                                                          								goto L23;
                                                                          							}
                                                                          							do {
                                                                          								L23:
                                                                          								_t98 = _a4 + _t105;
                                                                          								_t105 = _t105 + 1;
                                                                          								 *_t98 =  *((intOrPtr*)(_t98 + 1));
                                                                          							} while (_t105 < _t116);
                                                                          							_t74 = 0;
                                                                          							goto L25;
                                                                          						} else {
                                                                          							goto L9;
                                                                          						}
                                                                          						while(1) {
                                                                          							L9:
                                                                          							_t68 =  *((intOrPtr*)(_t104 + _t90));
                                                                          							if(_t68 == 0x7c || _t68 == 0x2a || _t68 == 0x2f || _t68 == 0x3e || _t68 == 0x3c || _t68 == 0x3f || _t68 == 0x22 || _t68 == 0x3a) {
                                                                          								break;
                                                                          							}
                                                                          							if(_t104 <= _t74 || _t68 != 0x5c ||  *((intOrPtr*)(_t104 + _t90 - 1)) != _t68) {
                                                                          								_t104 = _t104 + 1;
                                                                          								if(_t104 < _v8) {
                                                                          									continue;
                                                                          								}
                                                                          								goto L21;
                                                                          							} else {
                                                                          								_t109 =  *(_t107 + 4);
                                                                          								_push(_t74);
                                                                          								_push(_t74);
                                                                          								_t99 = 0x47eca8;
                                                                          								L29:
                                                                          								_push(E0041CD1E(_t99));
                                                                          								_push(_t109);
                                                                          								E0041B2CC(0x47dfb8);
                                                                          								goto L41;
                                                                          							}
                                                                          						}
                                                                          						_t109 =  *(_t107 + 4);
                                                                          						_push(_t74);
                                                                          						_push(_t74);
                                                                          						_t99 = 0x47ecb4;
                                                                          						goto L29;
                                                                          					} else {
                                                                          						if(E0041BC79(0x47dfb8) != 0) {
                                                                          							E00407827(_t107, _t107, 0x47dfb8, _t74);
                                                                          							E0041A1B5(1);
                                                                          						}
                                                                          						L41:
                                                                          						_t41 = 1;
                                                                          						goto L42;
                                                                          					}
                                                                          				} else {
                                                                          					_t41 = 0;
                                                                          					L42:
                                                                          					return _t41;
                                                                          				}
                                                                          			}





























                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: lstrlen
                                                                          • String ID: $G$DG$DG$\G
                                                                          • API String ID: 1659193697-1102624840
                                                                          • Opcode ID: 7cc0d782bb13f3d62aeb052e18f8a0e6684ca34ee81895a96f0c97fc2e82626e
                                                                          • Instruction ID: 62e0240078fb073b421d73022b5cc11b0d737a4f48bb43ae6e36991704f46cf2
                                                                          • Opcode Fuzzy Hash: 7cc0d782bb13f3d62aeb052e18f8a0e6684ca34ee81895a96f0c97fc2e82626e
                                                                          • Instruction Fuzzy Hash: 0F5107B16001147ADB246B668C81BBA771DEF85344F44C03BF6096B2E2CB3D5C8297DE
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 78%
                                                                          			E00406BA4() {
                                                                          				signed int _v8;
                                                                          				intOrPtr _v20;
                                                                          				intOrPtr _v28;
                                                                          				long _v32;
                                                                          				long _v36;
                                                                          				int _v40;
                                                                          				long _v48;
                                                                          				void* _v52;
                                                                          				long _v56;
                                                                          				long _t42;
                                                                          				long _t48;
                                                                          				signed int _t52;
                                                                          				signed int _t57;
                                                                          				void* _t59;
                                                                          				signed int _t62;
                                                                          				signed int _t80;
                                                                          				intOrPtr _t82;
                                                                          
                                                                          				_push(0xffffffff);
                                                                          				_push(0x4285c0);
                                                                          				_push(E00424EE0);
                                                                          				_push( *[fs:0x0]);
                                                                          				 *[fs:0x0] = _t82;
                                                                          				_v28 = _t82 - 0x24;
                                                                          				_t59 = GetCurrentThread();
                                                                          				_v52 = _t59;
                                                                          				_v40 = GetThreadPriority(_t59);
                                                                          				SetThreadPriority(_t59, 0xf);
                                                                          				_v36 = GetTickCount();
                                                                          				do {
                                                                          				} while (GetTickCount() == _v36);
                                                                          				_t42 = GetTickCount();
                                                                          				_v36 = _t42;
                                                                          				_v8 = _v8 & 0x00000000;
                                                                          				asm("rdtsc");
                                                                          				_v32 = _t42;
                                                                          				_v8 = _v8 | 0xffffffff;
                                                                          				SetThreadPriority(_t59, _v40);
                                                                          				Sleep(0x3c);
                                                                          				SetThreadPriority(_t59, 0xf);
                                                                          				_v48 = GetTickCount();
                                                                          				do {
                                                                          				} while (GetTickCount() == _v48);
                                                                          				_t48 = GetTickCount();
                                                                          				asm("rdtsc");
                                                                          				_v56 = _t48;
                                                                          				SetThreadPriority(_t59, _v40);
                                                                          				_t52 = (_v56 - _v32) / (_t48 - _v36);
                                                                          				_t62 = _t52 / 0x3e8;
                                                                          				_t80 = 0x64;
                                                                          				if(_t52 / _t80 - (_t62 + _t62 * 4 << 1) >= 5) {
                                                                          					_t62 = _t62 + 1;
                                                                          				}
                                                                          				_t57 = _t62;
                                                                          				 *[fs:0x0] = _v20;
                                                                          				return _t57;
                                                                          			}





















                                                                          APIs
                                                                          • GetCurrentThread.KERNEL32 ref: 00406BCA
                                                                          • GetThreadPriority.KERNEL32(00000000,?,FFFFFFFF,00424EE0,004285C0,000000FF,?,00406CAB,00000001,00000000), ref: 00406BD6
                                                                          • SetThreadPriority.KERNEL32(00000000,0000000F,?,FFFFFFFF,00424EE0,004285C0,000000FF,?,00406CAB,00000001,00000000), ref: 00406BE8
                                                                          • GetTickCount.KERNEL32 ref: 00406BF0
                                                                          • GetTickCount.KERNEL32 ref: 00406BF5
                                                                          • GetTickCount.KERNEL32 ref: 00406BFC
                                                                          • SetThreadPriority.KERNEL32(00000000,?,?,FFFFFFFF,00424EE0,004285C0,000000FF,?,00406CAB,00000001), ref: 00406C12
                                                                          • Sleep.KERNEL32(0000003C,?,FFFFFFFF,00424EE0,004285C0,000000FF,?,00406CAB,00000001), ref: 00406C16
                                                                          • SetThreadPriority.KERNEL32(00000000,0000000F,?,FFFFFFFF,00424EE0,004285C0,000000FF,?,00406CAB,00000001), ref: 00406C1F
                                                                          • GetTickCount.KERNEL32 ref: 00406C21
                                                                          • GetTickCount.KERNEL32 ref: 00406C26
                                                                          • GetTickCount.KERNEL32 ref: 00406C2D
                                                                          • SetThreadPriority.KERNEL32(00000000,?,?,FFFFFFFF,00424EE0,004285C0,000000FF,?,00406CAB,00000001), ref: 00406C3A
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: CountThreadTick$Priority$CurrentSleep
                                                                          • String ID:
                                                                          • API String ID: 291737148-0
                                                                          • Opcode ID: 9f8002935701d1ec369be861fcc2b505056c39e40581bdc00d2ea3d26c99d62e
                                                                          • Instruction ID: 9f3291b0cac2f927a9765f977a280d8983fceb87df8d02e1d93569ae2ed6f9ff
                                                                          • Opcode Fuzzy Hash: 9f8002935701d1ec369be861fcc2b505056c39e40581bdc00d2ea3d26c99d62e
                                                                          • Instruction Fuzzy Hash: 88218D71E00628AFDB10DFB9DD44A9DBBB9FF88710F11426AE405F3294DB7859018FA4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 96%
                                                                          			E00409F55(intOrPtr __ecx, void* __eflags) {
                                                                          				long _v8;
                                                                          				long _v12;
                                                                          				intOrPtr _v16;
                                                                          				long _v20;
                                                                          				char _v32;
                                                                          				char _v44;
                                                                          				char _v56;
                                                                          				char _v68;
                                                                          				long _t75;
                                                                          				long _t80;
                                                                          				void* _t96;
                                                                          				long _t101;
                                                                          				long _t103;
                                                                          				void* _t188;
                                                                          				void* _t191;
                                                                          
                                                                          				_v16 = __ecx;
                                                                          				E0041BDC5( &_v68);
                                                                          				_t75 = SendMessageA(GetDlgItem( *(__ecx + 4), 0xf), 0x18b, 0, 0);
                                                                          				_v20 = _t75;
                                                                          				_v12 = 0;
                                                                          				if(_t75 > 0) {
                                                                          					do {
                                                                          						_t101 = SendMessageA(GetDlgItem( *(_v16 + 4), 0xf), 0x18a, _v12, 0);
                                                                          						_t102 = _t101 + 1;
                                                                          						if(_t101 + 1 > 1) {
                                                                          							_t103 = E00424DD9(_t102);
                                                                          							__eflags = _t103;
                                                                          							_v8 = _t103;
                                                                          							if(_t103 == 0) {
                                                                          								E0041D881(E0041CD1E(0x47e924));
                                                                          							}
                                                                          							SendMessageA(GetDlgItem( *(_v16 + 4), 0xf), 0x189, _v12, _v8);
                                                                          							E0041BE35( &_v44, _v8);
                                                                          							E00424DCE(_v8);
                                                                          							_v8 = E0041C6AD( &_v44, 9, 0);
                                                                          							E0041BE99( &_v32, E0041CC95( &_v44, 0, _t109));
                                                                          							__eflags = _v8;
                                                                          							if(_v8 >= 0) {
                                                                          								while(1) {
                                                                          									__eflags = _v32 - 0x16;
                                                                          									if(_v32 >= 0x16) {
                                                                          										break;
                                                                          									}
                                                                          									E0041BFF8( &_v32, 0x20);
                                                                          								}
                                                                          								E0041C3A9( &_v44, 0, _v8 + 1);
                                                                          								_v8 = E0041C6AD( &_v44, 9, 0);
                                                                          								E0041C0C5( &_v32, __eflags, E0041CC95( &_v44, 0, _t121));
                                                                          								__eflags = _v8;
                                                                          								if(_v8 >= 0) {
                                                                          									while(1) {
                                                                          										__eflags = _v32 - 0x36;
                                                                          										if(_v32 >= 0x36) {
                                                                          											break;
                                                                          										}
                                                                          										E0041BFF8( &_v32, 0x20);
                                                                          									}
                                                                          									E0041C3A9( &_v44, 0, _v8 + 1);
                                                                          									_v8 = E0041C6AD( &_v44, 9, 0);
                                                                          									E0041C0C5( &_v32, __eflags, E0041CC95( &_v44, 0, _t127));
                                                                          									__eflags = _v8;
                                                                          									if(_v8 >= 0) {
                                                                          										while(1) {
                                                                          											__eflags = _v32 - 0x56;
                                                                          											if(_v32 >= 0x56) {
                                                                          												break;
                                                                          											}
                                                                          											E0041BFF8( &_v32, 0x20);
                                                                          										}
                                                                          										__eflags = _v8 + 1;
                                                                          										E0041C3A9( &_v44, 0, _v8 + 1);
                                                                          										E0041C0C5( &_v32, __eflags,  &_v44);
                                                                          									}
                                                                          								}
                                                                          							}
                                                                          							E0041C047( &_v32, "\r\n", 0);
                                                                          							E0041C0C5( &_v68, __eflags,  &_v32);
                                                                          							E0041BEFB( &_v32);
                                                                          							E0041BEFB( &_v44);
                                                                          						} else {
                                                                          							E0041C047( &_v68, "\r\n", 0);
                                                                          						}
                                                                          						_v12 = _v12 + 1;
                                                                          					} while (_v12 < _v20);
                                                                          				}
                                                                          				E0041BE35( &_v56, "c:\\sysinfo.txt");
                                                                          				_t188 = 1;
                                                                          				while(E0040DF52(E0041CD1E( &_v56)) != 0) {
                                                                          					E0041BF12( &_v56, 0x42e0c8);
                                                                          					_t96 = _t188;
                                                                          					_t188 = _t188 + 1;
                                                                          					_push(_t96);
                                                                          					E0041C467( &_v56, "c:\\sysinfo%d.txt");
                                                                          					_t191 = _t191 + 0xc;
                                                                          				}
                                                                          				_t80 = E0041CE0E( &_v68, E0041CD1E( &_v56));
                                                                          				__eflags = _t80;
                                                                          				if(_t80 >= 0) {
                                                                          					E0041BDC5( &_v44);
                                                                          					_push(E0041CD1E( &_v56));
                                                                          					E0041C467( &_v44, E0041CD1E(0x47eb88));
                                                                          					E0041B2CC(0x47dfb8,  *(_v16 + 4), E0041CD1E( &_v44), 0, 0);
                                                                          					E0041BEFB( &_v44);
                                                                          				} else {
                                                                          					E0041B2A8( *(_v16 + 4), E0041CD1E(0x47eb7c), 0);
                                                                          				}
                                                                          				E0041BEFB( &_v56);
                                                                          				return E0041BEFB( &_v68);
                                                                          			}



















                                                                          APIs
                                                                            • Part of subcall function 0041BDC5: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0041C189,00000000,0047E4D0,00000000), ref: 0041BDD5
                                                                            • Part of subcall function 0041BDC5: GlobalLock.KERNEL32 ref: 0041BDDF
                                                                          • GetDlgItem.USER32 ref: 00409F7F
                                                                          • SendMessageA.USER32(00000000), ref: 00409F88
                                                                          • GetDlgItem.USER32 ref: 00409FA9
                                                                          • SendMessageA.USER32(00000000), ref: 00409FAC
                                                                          • GetDlgItem.USER32 ref: 00409FF9
                                                                          • SendMessageA.USER32(00000000), ref: 00409FFC
                                                                            • Part of subcall function 0041C047: lstrlenA.KERNEL32(00000000,00422D86,0047E788,004221EF,103,00000000,00000000,00000000,00000000,0047E788,00000000), ref: 0041C04F
                                                                            • Part of subcall function 0041C047: GlobalUnlock.KERNEL32(8415FF57), ref: 0041C067
                                                                            • Part of subcall function 0041C047: GlobalReAlloc.KERNEL32 ref: 0041C074
                                                                            • Part of subcall function 0041C047: GlobalLock.KERNEL32 ref: 0041C095
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$ItemMessageSend$AllocLock$Unlocklstrlen
                                                                          • String ID: $G$V$c:\sysinfo%d.txt$c:\sysinfo.txt$|G
                                                                          • API String ID: 215810071-2601299066
                                                                          • Opcode ID: aaccd5eaf1d424c07c0ffe865da935311192873e6d83439d8d26d8d17e0f14d3
                                                                          • Instruction ID: 16a20c480a5d05e8d8be944ef17e2098a89b4b13602600d0f02d6ddf1aec6615
                                                                          • Opcode Fuzzy Hash: aaccd5eaf1d424c07c0ffe865da935311192873e6d83439d8d26d8d17e0f14d3
                                                                          • Instruction Fuzzy Hash: D2818671D40219AACF04EBA2DD86DEEBB78EF14314F10402FF506B31D2DB385A86DA59
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 93%
                                                                          			E0040F999(intOrPtr __ecx, void* __eflags) {
                                                                          				int _v5;
                                                                          				int _v6;
                                                                          				int _v7;
                                                                          				long _v12;
                                                                          				int _v16;
                                                                          				int _v20;
                                                                          				int _v24;
                                                                          				intOrPtr _v28;
                                                                          				void* _v32;
                                                                          				char _v36;
                                                                          				int _v40;
                                                                          				BITMAPINFO* _v44;
                                                                          				int _v48;
                                                                          				char _v64;
                                                                          				void* _t74;
                                                                          				void* _t82;
                                                                          				void* _t84;
                                                                          				long _t85;
                                                                          				BITMAPINFO* _t88;
                                                                          				int _t89;
                                                                          				void* _t92;
                                                                          				struct HDC__* _t93;
                                                                          				int _t95;
                                                                          				void* _t104;
                                                                          				signed int _t111;
                                                                          				int _t121;
                                                                          				signed int _t132;
                                                                          				long _t134;
                                                                          				signed char _t135;
                                                                          				int _t138;
                                                                          				int _t141;
                                                                          				int _t143;
                                                                          				long _t144;
                                                                          				int _t148;
                                                                          				int _t150;
                                                                          				int _t153;
                                                                          
                                                                          				_v28 = __ecx;
                                                                          				_t74 = E0041C8FD(0x47e2f0, 0x80);
                                                                          				if(_t74 == 0) {
                                                                          					return _t74;
                                                                          				}
                                                                          				_t111 =  *0x47e844; // 0x14
                                                                          				_t132 =  *0x47e848; // 0x3c
                                                                          				_v6 = _t111 >> 0x0000001f & 0x00000001;
                                                                          				_v7 = _t132 >> 0x0000001f & 0x00000001;
                                                                          				_v20 = _t111 & 0x7fffffff;
                                                                          				_v16 = _t132 & 0x7fffffff;
                                                                          				_v5 = 0;
                                                                          				_t82 = E0041C8FD(0x47e2f0, 0x84);
                                                                          				_t157 = _t82 - 1;
                                                                          				if(_t82 == 1 || E0040FCA0(_t157, E0041C8FD(0x47e2f0, 0x88)) == 2) {
                                                                          					_t147 = 0x47df9c;
                                                                          					_t84 = CreateFileA(E0041CD1E(0x47df9c), 0x80000000, 1, 0, 3, 0x80, 0);
                                                                          					__eflags = _t84 - 0xffffffff;
                                                                          					_v24 = _t84;
                                                                          					if(_t84 != 0xffffffff) {
                                                                          						_v5 = 1;
                                                                          						_t85 = GetFileSize(_t84, 0);
                                                                          						goto L9;
                                                                          					}
                                                                          					DeleteFileA(E0041CD1E(0x47df9c));
                                                                          					_push(0xfffffffa);
                                                                          				} else {
                                                                          					_t104 = CreateFileA(E0041CD1E(0x47e6c8), 0x80000000, 1, 0, 3, 0x80, 0);
                                                                          					_v24 = _t104;
                                                                          					if(_t104 != 0xffffffff) {
                                                                          						_v12 = 0;
                                                                          						SetFilePointer(_v24, E0041C8FD(0x47e2f0, 0x84),  &_v12, 0);
                                                                          						_t85 = E0041C8FD(0x47e2f0, 0x88);
                                                                          						_t147 = 0x47df9c;
                                                                          						L9:
                                                                          						_v40 = 0;
                                                                          						_t16 =  &_v36; // 0x32
                                                                          						_t143 = E00410087(_v28, _v24, _t85,  &_v64,  &_v44, _t16,  &_v32,  &_v40);
                                                                          						CloseHandle(_v24);
                                                                          						__eflags = _v5;
                                                                          						if(_v5 != 0) {
                                                                          							DeleteFileA(E0041CD1E(_t147));
                                                                          						}
                                                                          						__eflags = _t143;
                                                                          						if(_t143 >= 0) {
                                                                          							_t88 = _v44;
                                                                          							__eflags = _v6;
                                                                          							_t144 =  *0x47e170; // 0x0
                                                                          							_t121 = _t88->bmiHeader.biWidth;
                                                                          							_t134 = _t88->bmiHeader.biHeight;
                                                                          							_v12 = _t121;
                                                                          							_v48 = _t134;
                                                                          							_v24 = _t134;
                                                                          							if(_v6 != 0) {
                                                                          								_t141 = _t144 - _t121 - _v20;
                                                                          								__eflags = _t141;
                                                                          								_v20 = _t141;
                                                                          							}
                                                                          							__eflags = _v7;
                                                                          							_t148 =  *0x47e174; // 0x0
                                                                          							if(_v7 != 0) {
                                                                          								_t138 = _t148 - _v24 - _v16;
                                                                          								__eflags = _t138;
                                                                          								_v16 = _t138;
                                                                          							}
                                                                          							_t135 =  *0x47e84c; // 0x10
                                                                          							__eflags = _t135 & 0x00000004;
                                                                          							if((_t135 & 0x00000004) == 0) {
                                                                          								__eflags = _t135 & 0x00000008;
                                                                          								if((_t135 & 0x00000008) != 0) {
                                                                          									_v20 = 0;
                                                                          									_v16 = 0;
                                                                          								}
                                                                          							} else {
                                                                          								_v20 = 0;
                                                                          								_v16 = 0;
                                                                          								_v12 = _t144;
                                                                          								_v24 = _t148;
                                                                          							}
                                                                          							__eflags = _t135 & 0x00000040;
                                                                          							if((_t135 & 0x00000040) == 0) {
                                                                          								_t89 = StretchDIBits( *0x47e184, _v20, _v16, _v12, _v24, 0, 0, _t121, _v48, _v32, _t88, 0, 0xcc0020);
                                                                          								_t61 =  &_v36; // 0x32
                                                                          								E00424DCE( *_t61);
                                                                          								__eflags = _t89 - 0xffffffff;
                                                                          								if(_t89 != 0xffffffff) {
                                                                          									goto L26;
                                                                          								}
                                                                          								_push(0xfffffff4);
                                                                          								goto L33;
                                                                          							} else {
                                                                          								_t48 =  &_v36; // 0x32
                                                                          								_t95 = E0040F6CB(_v20, _v16, _v12, _v24, _t88, _v32, _t48);
                                                                          								__eflags = _t95;
                                                                          								if(_t95 >= 0) {
                                                                          									L26:
                                                                          									DeleteObject(_v40);
                                                                          									__eflags =  *0x47e84c & 0x00000008;
                                                                          									if(( *0x47e84c & 0x00000008) == 0) {
                                                                          										L32:
                                                                          										_push(1);
                                                                          										L33:
                                                                          										_pop(_t92);
                                                                          										return _t92;
                                                                          									}
                                                                          									_t150 = 0;
                                                                          									__eflags =  *0x47e174; // 0x0
                                                                          									_v20 = 0;
                                                                          									if(__eflags <= 0) {
                                                                          										goto L32;
                                                                          									} else {
                                                                          										goto L28;
                                                                          									}
                                                                          									do {
                                                                          										L28:
                                                                          										asm("sbb esi, esi");
                                                                          										_t153 =  !( ~_t150) & _v12;
                                                                          										__eflags = _t153;
                                                                          										while(1) {
                                                                          											__eflags = _t153 -  *0x47e170; // 0x0
                                                                          											if(__eflags >= 0) {
                                                                          												goto L31;
                                                                          											}
                                                                          											_t93 =  *0x47e184; // 0x0
                                                                          											BitBlt(_t93, _t153, _v20, _v12, _v24, _t93, 0, 0, 0xcc0020);
                                                                          											_t153 = _t153 + _v12;
                                                                          										}
                                                                          										L31:
                                                                          										_t150 = _v20 + _v24;
                                                                          										__eflags = _t150 -  *0x47e174; // 0x0
                                                                          										_v20 = _t150;
                                                                          									} while (__eflags < 0);
                                                                          									goto L32;
                                                                          								}
                                                                          								return _t95;
                                                                          							}
                                                                          						} else {
                                                                          							return _t143;
                                                                          						}
                                                                          					}
                                                                          					_push(0xfffffff9);
                                                                          				}
                                                                          			}

                                                                          APIs
                                                                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000088,00000084,00000080,00000032,00000000,733AAC50), ref: 0040FA3B
                                                                          • SetFilePointer.KERNEL32(00000000,00000000,00000084,0047F208,00000000,?,?,?,0047F208,0040EF89,00000000,-00000001,00000032,00000032,00000032,00000000), ref: 0040FA64
                                                                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000084,00000080,00000032,00000000,733AAC50,?,?,?,0047F208), ref: 0040FA9A
                                                                          • DeleteFileA.KERNEL32(00000000,?,?,?,0047F208,0040EF89,00000000,-00000001,00000032,00000032,00000032,00000000,?,0047E850,0047F208,00415DA3), ref: 0040FAB0
                                                                            • Part of subcall function 0040FCA0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,0047E2F0,00000088,00000001,?,00000000), ref: 0040FCC5
                                                                            • Part of subcall function 0040FCA0: SetFilePointer.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 0040FCE0
                                                                            • Part of subcall function 0040FCA0: ReadFile.KERNEL32(00000000,00000000,00000002,?,00000000,?,00000000), ref: 0040FCF5
                                                                            • Part of subcall function 0040FCA0: CloseHandle.KERNEL32(00000000,?,00000000), ref: 0040FCFC
                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0047F208,0040EF89,00000000,-00000001,00000032,00000032,00000032,00000000,?,0047E850,0047F208), ref: 0040FAC3
                                                                          • CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000000,222,00000032,-00000001,?,?,?,0047F208,0040EF89,00000000,-00000001,00000032), ref: 0040FAF1
                                                                          • DeleteFileA.KERNEL32(00000000,?,?,?,0047F208,0040EF89,00000000,-00000001,00000032,00000032,00000032,00000000,?,0047E850,0047F208,00415DA3), ref: 0040FB04
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: File$CreateGlobal$CloseDeleteHandlePointer$AllocLockReadSizeUnlock
                                                                          • String ID: 222
                                                                          • API String ID: 403409666-4245286173
                                                                          • Opcode ID: 419b895022984bd4935cd07fae2d7e32c9077eb33cc33c2e0760b108c1800f97
                                                                          • Instruction ID: 314133e16cfcfab220549e2d3526c5f80cf69c47e80d0841942c05dbe0d527e2
                                                                          • Opcode Fuzzy Hash: 419b895022984bd4935cd07fae2d7e32c9077eb33cc33c2e0760b108c1800f97
                                                                          • Instruction Fuzzy Hash: 9481AF71E00109ABDF259FA5CC81AEEBB79FB48304F54827AE515B32E0CB381D45CB69
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 96%
                                                                          			E00408C8C(intOrPtr __ecx, void* __edx, struct HINSTANCE__* _a4, struct HWND__* _a8, signed int _a11) {
                                                                          				signed int _v5;
                                                                          				signed int _v6;
                                                                          				signed int _v7;
                                                                          				struct tagRECT _v24;
                                                                          				struct _WNDCLASSEXA _v72;
                                                                          				int _t78;
                                                                          				int _t80;
                                                                          				int _t82;
                                                                          				signed int _t95;
                                                                          				void* _t98;
                                                                          				void* _t99;
                                                                          				void* _t109;
                                                                          				void* _t111;
                                                                          				signed int* _t112;
                                                                          				void* _t113;
                                                                          				intOrPtr _t118;
                                                                          				void* _t121;
                                                                          				int _t131;
                                                                          				CHAR* _t132;
                                                                          				intOrPtr _t133;
                                                                          				intOrPtr _t134;
                                                                          
                                                                          				_t121 = __edx;
                                                                          				_t134 = __ecx;
                                                                          				_t78 = GetSystemMetrics(0x2d);
                                                                          				_t109 = _t78 + GetSystemMetrics(5);
                                                                          				if(_t109 > 2) {
                                                                          					_t2 = _t109 - 4; // -4
                                                                          					 *(_t134 + 0x24) =  *(_t134 + 0x24) + _t109 + _t2;
                                                                          				}
                                                                          				_t80 = GetSystemMetrics(0x2e);
                                                                          				_t111 = _t80 + GetSystemMetrics(6);
                                                                          				if(_t111 > 2) {
                                                                          					_t6 = _t111 - 4; // -4
                                                                          					 *(_t134 + 0x28) =  *(_t134 + 0x28) + _t111 + _t6;
                                                                          				}
                                                                          				_t82 = GetSystemMetrics(4);
                                                                          				if(_t82 > 0x12) {
                                                                          					 *(_t134 + 0x28) =  *(_t134 + 0x28) + _t82 + 0xffffffee;
                                                                          				}
                                                                          				E00406E5F(_t134, _t121);
                                                                          				if(( *(_t134 + 0xb) & 0x00000010) != 0 || ( *0x47e84c & 0x00000002) == 0) {
                                                                          					_t131 = 0x30;
                                                                          					E00424500( &_v72, 0, _t131);
                                                                          					_v72.cbSize = _t131;
                                                                          					_v72.lpfnWndProc = E00408768;
                                                                          					_v72.hInstance = _a4;
                                                                          					_v72.hCursor = LoadCursorA(0, 0x7f00);
                                                                          					_t132 = "AIDialogTemplate";
                                                                          					_v72.hbrBackground = 0x10;
                                                                          					_v72.lpszClassName = _t132;
                                                                          					RegisterClassExA( &_v72);
                                                                          					_t29 = _t134 + 0x2c; // 0x2c
                                                                          					_t112 = _t29;
                                                                          					_t95 = CreateWindowExA( *(_t134 + 0xc) | 0x00000001, _t132, E0041CD1E(_t112),  *(_t134 + 8) & 0xefffffff,  *(_t134 + 0x1c),  *(_t134 + 0x20),  *(_t134 + 0x24),  *(_t134 + 0x28), _a8, 0, _a4, 0);
                                                                          					__eflags = _t95;
                                                                          					 *(_t134 + 4) = _t95;
                                                                          					if(_t95 != 0) {
                                                                          						__eflags =  *_t112;
                                                                          						if( *_t112 > 0) {
                                                                          							SetWindowTextA( *(_t134 + 4), E0041CD1E(_t112));
                                                                          						}
                                                                          						goto L13;
                                                                          					}
                                                                          					return _t95 | 0xffffffff;
                                                                          				} else {
                                                                          					 *(_t134 + 4) = _a8;
                                                                          					L13:
                                                                          					GetClientRect( *(_t134 + 4),  &_v24);
                                                                          					_a11 = _a11 & 0x00000000;
                                                                          					_v5 = _v5 & 0x00000000;
                                                                          					_v6 = _v6 & 0x00000000;
                                                                          					_v7 = _v7 & 0x00000000;
                                                                          					_t113 = 0;
                                                                          					if( *((intOrPtr*)(_t134 + 0x7c)) <= 0) {
                                                                          						L34:
                                                                          						if( *((intOrPtr*)(_t134 + 0xa8)) == 0) {
                                                                          							 *(_t134 + 0xac) = 1;
                                                                          						}
                                                                          						_t98 = 1;
                                                                          						return _t98;
                                                                          					} else {
                                                                          						goto L14;
                                                                          					}
                                                                          					do {
                                                                          						L14:
                                                                          						_t49 = _t134 + 0x70; // 0x70
                                                                          						_t99 = E0041E860(_t49, _t113);
                                                                          						if( *((intOrPtr*)(_t99 + 8)) == 1) {
                                                                          							 *((intOrPtr*)(_t134 + 0xa8)) =  *((intOrPtr*)(_t134 + 0xa8)) + 1;
                                                                          						}
                                                                          						_t133 =  *((intOrPtr*)(_t99 + 0x14));
                                                                          						if(_t133 == 0 &&  *((intOrPtr*)(_t99 + 0x18)) == _t133) {
                                                                          							_a11 = 1;
                                                                          						}
                                                                          						_t118 =  *((intOrPtr*)(_t99 + 0x18));
                                                                          						if(_t118 == 0 &&  *((intOrPtr*)(_t99 + 0x1c)) + _t133 >= _v24.right) {
                                                                          							_v5 = 1;
                                                                          						}
                                                                          						if(_t133 == 0 &&  *((intOrPtr*)(_t99 + 0x20)) + _t118 >= _v24.bottom) {
                                                                          							_v6 = 1;
                                                                          						}
                                                                          						if( *((intOrPtr*)(_t99 + 0x1c)) + _t133 >= _v24.right) {
                                                                          							_t155 =  *((intOrPtr*)(_t99 + 0x20)) + _t118 - _v24.bottom;
                                                                          							if( *((intOrPtr*)(_t99 + 0x20)) + _t118 >= _v24.bottom) {
                                                                          								_v7 = 1;
                                                                          							}
                                                                          						}
                                                                          						E00407300(_t134, _t155, _a4, _t99);
                                                                          						_t113 = _t113 + 1;
                                                                          					} while (_t113 <  *((intOrPtr*)(_t134 + 0x7c)));
                                                                          					if(_a11 != 0 && _v5 != 0 && _v6 != 0 && _v7 != 0) {
                                                                          						 *(_t134 + 0xac) =  *(_t134 + 0xac) & 0x00000000;
                                                                          					}
                                                                          					goto L34;
                                                                          				}
                                                                          			}

                                                                          APIs
                                                                          • GetSystemMetrics.USER32 ref: 00408C9F
                                                                          • GetSystemMetrics.USER32 ref: 00408CA5
                                                                          • GetSystemMetrics.USER32 ref: 00408CB7
                                                                          • GetSystemMetrics.USER32 ref: 00408CBD
                                                                          • GetSystemMetrics.USER32 ref: 00408CCF
                                                                          • LoadCursorA.USER32 ref: 00408D26
                                                                          • RegisterClassExA.USER32(?), ref: 00408D42
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          • CreateWindowExA.USER32 ref: 00408D79
                                                                          • SetWindowTextA.USER32(?,00000000), ref: 00408D9E
                                                                          • GetClientRect.USER32 ref: 00408DAB
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: MetricsSystem$Global$Window$AllocClassClientCreateCursorLoadLockRectRegisterTextUnlock
                                                                          • String ID: AIDialogTemplate
                                                                          • API String ID: 3571883037-4222934468
                                                                          • Opcode ID: 1e8d9bac3a663781097ae67bd8c0ef134702edf52ea0c7c6aa142e5a863f0f83
                                                                          • Instruction ID: 24c035e23e800b72e4b6700e17649694f93ddb37957115fe27950d462b3cf6bc
                                                                          • Opcode Fuzzy Hash: 1e8d9bac3a663781097ae67bd8c0ef134702edf52ea0c7c6aa142e5a863f0f83
                                                                          • Instruction Fuzzy Hash: 20611930A00748AFDB21CF64CA85B9F7BF1AF44714F14857EE485A72D2CB78A845CB58
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 67%
                                                                          			E0040B4A9(void* __ecx, intOrPtr _a4, signed int _a7, CHAR** _a8) {
                                                                          				char _v5;
                                                                          				char _v6;
                                                                          				char _v7;
                                                                          				char _v8;
                                                                          				CHAR* _v12;
                                                                          				char _v24;
                                                                          				char _t41;
                                                                          				int _t43;
                                                                          				int _t47;
                                                                          				intOrPtr _t50;
                                                                          				CHAR* _t62;
                                                                          				void* _t63;
                                                                          				signed int _t67;
                                                                          				char _t75;
                                                                          				CHAR* _t76;
                                                                          				void* _t77;
                                                                          				intOrPtr _t78;
                                                                          
                                                                          				_t77 = __ecx;
                                                                          				E0041DBA4( *((intOrPtr*)(__ecx + 4)), 0xa,  &_v12);
                                                                          				E0041BF12(_a4, _v12);
                                                                          				_t62 = _v12;
                                                                          				 *_a8 = _t62;
                                                                          				_t41 =  *_t62;
                                                                          				if(_t41 != 0) {
                                                                          					_v8 = _t41;
                                                                          					_v7 = 0x3a;
                                                                          					_v6 = 0x5c;
                                                                          					_v5 = 0;
                                                                          					__eflags =  *_t62 - 0x5c;
                                                                          					_a7 = 0;
                                                                          					if( *_t62 != 0x5c) {
                                                                          						L21:
                                                                          						_t43 = GetDriveTypeA( &_v8);
                                                                          						_t62 = _v12;
                                                                          						__eflags = _t62[1] - 0x3a;
                                                                          						if(_t62[1] != 0x3a) {
                                                                          							L37:
                                                                          							_t78 =  *((intOrPtr*)(_t77 + 4));
                                                                          							_push(0);
                                                                          							_push(0);
                                                                          							_t63 = 0x47ec3c;
                                                                          							L38:
                                                                          							_push(E0041CD1E(_t63));
                                                                          							_push(_t78);
                                                                          							E0041B2CC(0x47dfb8);
                                                                          							L39:
                                                                          							return 0;
                                                                          						}
                                                                          						__eflags = _t62[2] - 0x5c;
                                                                          						if(_t62[2] != 0x5c) {
                                                                          							goto L37;
                                                                          						}
                                                                          						__eflags = _t43 - 1;
                                                                          						if(_t43 != 1) {
                                                                          							__eflags = _t43 - 3;
                                                                          							if(_t43 == 3) {
                                                                          								L5:
                                                                          								_t47 = lstrlenA(_t62);
                                                                          								asm("sbb ecx, ecx");
                                                                          								_t67 =  ~_a7 & 0x00000002;
                                                                          								__eflags = _t67 - _t47;
                                                                          								if(_t67 >= _t47) {
                                                                          									L31:
                                                                          									__eflags = _a7;
                                                                          									if(_a7 != 0) {
                                                                          										L36:
                                                                          										return 1;
                                                                          									}
                                                                          									_t50 = E0040DE4D( &_v8, 1);
                                                                          									__eflags = _t75 -  *0x47e654; // 0x0
                                                                          									 *0x47e648 = _t50;
                                                                          									 *0x47e64c = _t75;
                                                                          									if(__eflags > 0) {
                                                                          										goto L36;
                                                                          									}
                                                                          									if(__eflags < 0) {
                                                                          										L35:
                                                                          										E0041BDC5( &_v24);
                                                                          										_push( &_v8);
                                                                          										E0041C467( &_v24, E0041CD1E(0x47ec78));
                                                                          										E0041B2CC(0x47dfb8,  *((intOrPtr*)(_t77 + 4)), E0041CD1E( &_v24), 0, 0);
                                                                          										E0041BEFB( &_v24);
                                                                          										goto L39;
                                                                          									}
                                                                          									__eflags = _t50 -  *0x47e650; // 0x207a58a
                                                                          									if(__eflags >= 0) {
                                                                          										goto L36;
                                                                          									}
                                                                          									goto L35;
                                                                          								}
                                                                          								_t76 = _v12;
                                                                          								do {
                                                                          									_t75 = _t76[_t67];
                                                                          									__eflags = _t75 - 0x3a;
                                                                          									if(_t75 != 0x3a) {
                                                                          										L9:
                                                                          										__eflags = _t75 - 0x7c;
                                                                          										if(_t75 == 0x7c) {
                                                                          											L30:
                                                                          											_t78 =  *((intOrPtr*)(_t77 + 4));
                                                                          											_push(0);
                                                                          											_push(0);
                                                                          											_t63 = 0x47ec6c;
                                                                          											goto L38;
                                                                          										}
                                                                          										__eflags = _t75 - 0x2a;
                                                                          										if(_t75 == 0x2a) {
                                                                          											goto L30;
                                                                          										}
                                                                          										__eflags = _t75 - 0x2f;
                                                                          										if(_t75 == 0x2f) {
                                                                          											goto L30;
                                                                          										}
                                                                          										__eflags = _t75 - 0x3e;
                                                                          										if(_t75 == 0x3e) {
                                                                          											goto L30;
                                                                          										}
                                                                          										__eflags = _t75 - 0x3c;
                                                                          										if(_t75 == 0x3c) {
                                                                          											goto L30;
                                                                          										}
                                                                          										__eflags = _t75 - 0x3f;
                                                                          										if(_t75 == 0x3f) {
                                                                          											goto L30;
                                                                          										}
                                                                          										__eflags = _t75 - 0x22;
                                                                          										if(_t75 == 0x22) {
                                                                          											goto L30;
                                                                          										}
                                                                          										__eflags = _t67;
                                                                          										if(_t67 <= 0) {
                                                                          											goto L19;
                                                                          										}
                                                                          										__eflags = _t75 - 0x5c;
                                                                          										if(_t75 != 0x5c) {
                                                                          											goto L19;
                                                                          										}
                                                                          										__eflags =  *((intOrPtr*)(_t67 + _t76 - 1)) - _t75;
                                                                          										if( *((intOrPtr*)(_t67 + _t76 - 1)) == _t75) {
                                                                          											_t78 =  *((intOrPtr*)(_t77 + 4));
                                                                          											_push(0);
                                                                          											_push(0);
                                                                          											_t63 = 0x47ec60;
                                                                          											goto L38;
                                                                          										}
                                                                          										goto L19;
                                                                          									}
                                                                          									__eflags = _t67 - 1;
                                                                          									if(_t67 != 1) {
                                                                          										goto L30;
                                                                          									}
                                                                          									goto L9;
                                                                          									L19:
                                                                          									_t67 = _t67 + 1;
                                                                          									__eflags = _t67 - _t47;
                                                                          								} while (_t67 < _t47);
                                                                          								goto L31;
                                                                          							}
                                                                          							__eflags = _t43 - 4;
                                                                          							if(_t43 == 4) {
                                                                          								goto L5;
                                                                          							}
                                                                          							__eflags = _t43 - 2;
                                                                          							if(_t43 == 2) {
                                                                          								goto L5;
                                                                          							}
                                                                          							_t78 =  *((intOrPtr*)(_t77 + 4));
                                                                          							_push(0);
                                                                          							_push(0);
                                                                          							_t63 = 0x47ec54;
                                                                          							goto L38;
                                                                          						}
                                                                          						_t78 =  *((intOrPtr*)(_t77 + 4));
                                                                          						_push(0);
                                                                          						_push(0);
                                                                          						_t63 = 0x47ec48;
                                                                          						goto L38;
                                                                          					}
                                                                          					__eflags = _t62[1] - 0x5c;
                                                                          					if(_t62[1] != 0x5c) {
                                                                          						goto L21;
                                                                          					}
                                                                          					_a7 = 1;
                                                                          					goto L5;
                                                                          				}
                                                                          				_t78 =  *((intOrPtr*)(_t77 + 4));
                                                                          				_push(0);
                                                                          				_push(0);
                                                                          				_t63 = 0x47ec30;
                                                                          				goto L38;
                                                                          			}
                                                                          0x00000000

                                                                          APIs
                                                                            • Part of subcall function 0041DBA4: GetDlgItem.USER32 ref: 0041DBAF
                                                                            • Part of subcall function 0041DBA4: GetWindowTextLengthA.USER32(00000000), ref: 0041DBB8
                                                                            • Part of subcall function 0041BF12: GlobalUnlock.KERNEL32(0217020C,00000104,00000000,0041929A,00000000), ref: 0041BF19
                                                                            • Part of subcall function 0041BF12: GlobalReAlloc.KERNEL32 ref: 0041BF3B
                                                                            • Part of subcall function 0041BF12: GlobalLock.KERNEL32 ref: 0041BF5C
                                                                          • lstrlenA.KERNEL32(?,?,?,00000000,?,?), ref: 0040B518
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                            • Part of subcall function 0041B2CC: MessageBoxA.USER32 ref: 0041B36B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocLockUnlock$ItemLengthMessageTextWindowlstrlen
                                                                          • String ID: 0G$:$<G$HG$TG$\$`G$lG$xG
                                                                          • API String ID: 3911724838-62612203
                                                                          • Opcode ID: b60614546ce4b64ccd8c6c398c567348f97f6a539659fa82b4afc6692a0c2dcc
                                                                          • Instruction ID: 254c4a2ed5f8620f2d7e97b4e7a902eafb2fc37a61131f3e50cd657c08c11bdf
                                                                          • Opcode Fuzzy Hash: b60614546ce4b64ccd8c6c398c567348f97f6a539659fa82b4afc6692a0c2dcc
                                                                          • Instruction Fuzzy Hash: 4B51E3B0504244AEEB258A55C8859BF776DDB09308F5488BFE046772C2C73F5D458B9F
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0041DBFF(void* __ecx, CHAR* _a4, CHAR* _a8) {
                                                                          				long _v8;
                                                                          				char _v24;
                                                                          				long _t18;
                                                                          				CHAR* _t19;
                                                                          				signed char* _t36;
                                                                          				CHAR* _t43;
                                                                          				void* _t46;
                                                                          				void* _t47;
                                                                          				void* _t48;
                                                                          
                                                                          				E00424500(_a4, 0, 0x104);
                                                                          				_t43 = E00424DD9(0x104);
                                                                          				_t47 = _t46 + 0x10;
                                                                          				if(_t43 == 0) {
                                                                          					E0041D881(E0041CD1E(0x47e924));
                                                                          				}
                                                                          				E00424500(_t43, 0, 0x104);
                                                                          				_t48 = _t47 + 0xc;
                                                                          				_t18 = GetTempPathA(0x104, _t43);
                                                                          				if(_t18 != 0) {
                                                                          					_t19 =  &(_t43[_t18]);
                                                                          					if( *((char*)(_t19 - 1)) != 0x5c) {
                                                                          						 *_t19 = 0x5c;
                                                                          						_t19[1] = _t19[1] & 0x00000000;
                                                                          					}
                                                                          				} else {
                                                                          					lstrcatA(_t43, "C:\\");
                                                                          				}
                                                                          				_v8 = GetTickCount();
                                                                          				_t36 = lstrlenA(_t43) + 1 + _t43;
                                                                          				do {
                                                                          					 *_t36 =  *_t36 & 0x00000000;
                                                                          					_v8 = _v8 + 1;
                                                                          					E004278BF(_v8,  &_v24, 0xa);
                                                                          					_t48 = _t48 + 0xc;
                                                                          					lstrcatA(_t43, "aiw");
                                                                          					lstrcatA(_t43,  &_v24);
                                                                          					lstrcatA(_t43, _a8);
                                                                          				} while (E0040DF52(_t43) != 0);
                                                                          				lstrcatA(_a4, _t43);
                                                                          				E00424DCE(_t43);
                                                                          				return _a4;
                                                                          			}













                                                                          APIs
                                                                          • GetTempPathA.KERNEL32(00000104,00000000,?,?,?,?,0047E2F0,00000000,000000A8,0000005C,0047E1B8,00000001,?,00000000), ref: 0041DC46
                                                                          • lstrcatA.KERNEL32(00000000,C:\,?,?,?,?,0047E2F0,00000000,000000A8,0000005C,0047E1B8,00000001,?,00000000), ref: 0041DC5C
                                                                          • GetTickCount.KERNEL32 ref: 0041DC6F
                                                                          • lstrlenA.KERNEL32(00000000,?,?,?,?,0047E2F0,00000000,000000A8,0000005C,0047E1B8,00000001,?,00000000), ref: 0041DC79
                                                                          • lstrcatA.KERNEL32(00000000,aiw,?,?,?,?,?,?,?,0047E2F0,00000000,000000A8,0000005C,0047E1B8,00000001), ref: 0041DCA1
                                                                          • lstrcatA.KERNEL32(00000000,0000005C,?,?,?,?,?,?,?,0047E2F0,00000000,000000A8,0000005C,0047E1B8,00000001), ref: 0041DCA8
                                                                          • lstrcatA.KERNEL32(00000000,00000001,?,?,?,?,?,?,?,0047E2F0,00000000,000000A8,0000005C,0047E1B8,00000001), ref: 0041DCAE
                                                                          • lstrcatA.KERNEL32(?,00000000,?,?,?,?,?,?,?,0047E2F0,00000000,000000A8,0000005C,0047E1B8,00000001), ref: 0041DCBF
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: lstrcat$Global$AllocCountLockPathTempTickUnlocklstrlen
                                                                          • String ID: $G$C:\$aiw
                                                                          • API String ID: 3489367307-134002492
                                                                          • Opcode ID: 4e07409cfee2efb9507d2a4139d42ef7d9eff0a91c427968297d4f32c2d88f12
                                                                          • Instruction ID: 21fd020d6b833b70e9635ac0daadd9853640b5548da898f286ea95a036024011
                                                                          • Opcode Fuzzy Hash: 4e07409cfee2efb9507d2a4139d42ef7d9eff0a91c427968297d4f32c2d88f12
                                                                          • Instruction Fuzzy Hash: 8921F872E00224BBD7117761AC49FEF3F68DF81754F50006AF50466151EAB85942D6A9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 94%
                                                                          			E0040CC6F(intOrPtr __ecx, void* _a4) {
                                                                          				intOrPtr _v8;
                                                                          				void* _t16;
                                                                          				void* _t29;
                                                                          				struct HWND__* _t39;
                                                                          
                                                                          				_push(__ecx);
                                                                          				_t39 = _a4;
                                                                          				_v8 = __ecx;
                                                                          				if( *0x42bf98 <= 0) {
                                                                          					EnableWindow(GetDlgItem(_t39, 3), 0);
                                                                          				}
                                                                          				_t29 = 0x47e850;
                                                                          				if(( *0x47e193 & 0x00000002) == 0) {
                                                                          					_t29 = 0x47ed68;
                                                                          				}
                                                                          				SetWindowTextA(_t39, E0041CD1E(_t29));
                                                                          				SetDlgItemTextA(_t39, 3, E0041CD1E(0x47e8a0));
                                                                          				SetDlgItemTextA(_t39, 1, E0041CD1E(0x47e8d0));
                                                                          				SetDlgItemTextA(_t39, 2, E0041CD1E(0x47e8b8));
                                                                          				_t16 = E00419E8A();
                                                                          				_t46 = _t16;
                                                                          				if(_t16 != 0) {
                                                                          					SetDlgItemTextA(_t39, 1, E0041CD1E(0x47e8c4));
                                                                          				}
                                                                          				_a4 = 0xc;
                                                                          				SendDlgItemMessageA(_t39, 0xa, 0xcb, 1,  &_a4);
                                                                          				E0040CD5C(_t46, _t39);
                                                                          				if( *0x47e114 != 0) {
                                                                          					SetDlgItemTextA(_t39, 0x41f, E0041CD1E(0x47df68));
                                                                          					E0040EFE7();
                                                                          				}
                                                                          				return 1;
                                                                          			}








                                                                          APIs
                                                                          • GetDlgItem.USER32 ref: 0040CC89
                                                                          • EnableWindow.USER32(00000000), ref: 0040CC90
                                                                          • SetWindowTextA.USER32(?,00000000), ref: 0040CCB0
                                                                          • SetDlgItemTextA.USER32 ref: 0040CCCA
                                                                          • SetDlgItemTextA.USER32 ref: 0040CCDA
                                                                          • SetDlgItemTextA.USER32 ref: 0040CCEA
                                                                          • SetDlgItemTextA.USER32 ref: 0040CD08
                                                                          • SendDlgItemMessageA.USER32(?,0000000A,000000CB,00000001,?), ref: 0040CD1F
                                                                          • SetDlgItemTextA.USER32 ref: 0040CD48
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Item$Text$Window$EnableMessageSend
                                                                          • String ID: PG$hG
                                                                          • API String ID: 1822530713-1121987280
                                                                          • Opcode ID: cf505d6a6191c09efaf2904ecc069a71a5d2d75c91a9b0f8291144f8a2e3fe09
                                                                          • Instruction ID: c72ef2b5710ee1801feb2adf7e7504814bb845c99ed04c2887ed1bab3c43658b
                                                                          • Opcode Fuzzy Hash: cf505d6a6191c09efaf2904ecc069a71a5d2d75c91a9b0f8291144f8a2e3fe09
                                                                          • Instruction Fuzzy Hash: 8921C970640204B6E62077559C9AFFE2A6DDF89B44F10817FFA05672D2CFBC0841966E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 76%
                                                                          			E0040CD5C(void* __eflags, long _a4) {
                                                                          				struct HWND__* _v8;
                                                                          				char _v20;
                                                                          				char _v32;
                                                                          				void* _t48;
                                                                          				intOrPtr _t51;
                                                                          				intOrPtr _t85;
                                                                          				intOrPtr _t88;
                                                                          				void* _t93;
                                                                          				void* _t96;
                                                                          				void* _t130;
                                                                          				void* _t136;
                                                                          
                                                                          				_t136 = __eflags;
                                                                          				_v8 = GetDlgItem(_a4, 0xa);
                                                                          				E0041BDC5( &_v20);
                                                                          				E0041C0C5( &_v20, _t136, 0x47ed74);
                                                                          				E0041C047( &_v20, "\r\n=====================================\r\n\r\n", 0);
                                                                          				_push(9);
                                                                          				_t48 = E00419E38();
                                                                          				_t130 = "\r\n";
                                                                          				if(_t48 != 0) {
                                                                          					L2:
                                                                          					E0041C0C5( &_v20, _t138, 0x47ed80);
                                                                          					E0041C047( &_v20, _t130, 0);
                                                                          					_t51 =  *0x47e65c; // 0x2
                                                                          					_t139 = _t51 - 1;
                                                                          					if(_t51 != 1) {
                                                                          						__eflags = _t51 - 2;
                                                                          						if(__eflags != 0) {
                                                                          							__eflags = _t51 - 4;
                                                                          							if(__eflags == 0) {
                                                                          								E0041C0C5( &_v20, __eflags, 0x47ed08);
                                                                          								E0041C047( &_v20, _t130, 0);
                                                                          								E0041C0C5( &_v20, __eflags, 0x47ed8c);
                                                                          								E0041C047( &_v20, _t130, 0);
                                                                          								__eflags =  *0x47e608; // 0x0
                                                                          								_a4 = 0;
                                                                          								if(__eflags > 0) {
                                                                          									_t96 = 0;
                                                                          									__eflags = 0;
                                                                          									do {
                                                                          										_t85 =  *0x47e604; // 0x0
                                                                          										__eflags =  *((intOrPtr*)(_t96 + _t85));
                                                                          										if( *((intOrPtr*)(_t96 + _t85)) != 0) {
                                                                          											E0041BFF8( &_v20, 9);
                                                                          											_t88 =  *0x47e604; // 0x0
                                                                          											_t18 = _t88 + 4; // 0x4
                                                                          											E0041C0C5( &_v20, __eflags, _t96 + _t18);
                                                                          											E0041C047( &_v20, _t130, 0);
                                                                          										}
                                                                          										_a4 = _a4 + 1;
                                                                          										_t96 = _t96 + 0x10;
                                                                          										__eflags = _a4 -  *0x47e608; // 0x0
                                                                          									} while (__eflags < 0);
                                                                          								}
                                                                          								_push(0);
                                                                          								_push(_t130);
                                                                          								goto L14;
                                                                          							}
                                                                          						} else {
                                                                          							_push(0x47ecd8);
                                                                          							goto L6;
                                                                          						}
                                                                          					} else {
                                                                          						_push(0x47ecf0);
                                                                          						L6:
                                                                          						E0041C0C5( &_v20, _t139);
                                                                          						_push(0);
                                                                          						_push("\r\n\r\n");
                                                                          						L14:
                                                                          						E0041C047( &_v20);
                                                                          					}
                                                                          				} else {
                                                                          					_push(0xa);
                                                                          					_t93 = E00419E38();
                                                                          					_t138 = _t93;
                                                                          					if(_t93 != 0) {
                                                                          						goto L2;
                                                                          					}
                                                                          				}
                                                                          				E0041C0C5( &_v20, _t139, 0x47ed98);
                                                                          				E0041BFF8( &_v20, 0x20);
                                                                          				E0041BDC5( &_v32);
                                                                          				E0041D95E( *0x47e650,  *0x47e654,  &_v32);
                                                                          				E0041C0C5( &_v20, _t139,  &_v32);
                                                                          				E0041C047( &_v20, _t130, 0);
                                                                          				E0041C0C5( &_v20, _t139, 0x47eda4);
                                                                          				E0041BFF8( &_v20, 0x20);
                                                                          				E0041D95E( *0x47e648,  *0x47e64c,  &_v32);
                                                                          				E0041C0C5( &_v20, _t139,  &_v32);
                                                                          				_push(E0041CD1E(0x47e344));
                                                                          				_push(E0041CD1E(0x47edbc));
                                                                          				_push(E0041CD1E(0x47e338));
                                                                          				_push(E0041CD1E(0x47edb0));
                                                                          				E0041C467( &_v20, "\r\n\r\n%s\r\n%s\r\n\r\n%s\r\n%s\r\n");
                                                                          				if(E0041D46F("<SummaryExtraInfo>") != 0) {
                                                                          					E0041C047( &_v20, _t72, 0);
                                                                          				}
                                                                          				SendMessageA(_v8, 0xcf, 0, 0);
                                                                          				SetWindowTextA(_v8, E0041CD1E( &_v20));
                                                                          				SendMessageA(_v8, 0xcf, 1, 0);
                                                                          				E0041BEFB( &_v32);
                                                                          				return E0041BEFB( &_v20);
                                                                          			}















                                                                          APIs
                                                                          • GetDlgItem.USER32 ref: 0040CD6A
                                                                            • Part of subcall function 0041BDC5: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0041C189,00000000,0047E4D0,00000000), ref: 0041BDD5
                                                                            • Part of subcall function 0041BDC5: GlobalLock.KERNEL32 ref: 0041BDDF
                                                                            • Part of subcall function 0041C0C5: GlobalUnlock.KERNEL32(?,00000000,0047E380,?,00421CA7,00000004,?,00000000,00000000,00000000,0047E490,0047E788,0047E380,0047E788,?,00422453), ref: 0041C0DE
                                                                            • Part of subcall function 0041C0C5: GlobalReAlloc.KERNEL32 ref: 0041C0EB
                                                                            • Part of subcall function 0041C0C5: GlobalLock.KERNEL32 ref: 0041C10C
                                                                            • Part of subcall function 0041C047: lstrlenA.KERNEL32(00000000,00422D86,0047E788,004221EF,103,00000000,00000000,00000000,00000000,0047E788,00000000), ref: 0041C04F
                                                                            • Part of subcall function 0041C047: GlobalUnlock.KERNEL32(8415FF57), ref: 0041C067
                                                                            • Part of subcall function 0041C047: GlobalReAlloc.KERNEL32 ref: 0041C074
                                                                            • Part of subcall function 0041C047: GlobalLock.KERNEL32 ref: 0041C095
                                                                          • SendMessageA.USER32(?,000000CF,00000000,00000000), ref: 0040CF82
                                                                          • SetWindowTextA.USER32(?,00000000), ref: 0040CF90
                                                                          • SendMessageA.USER32(?,000000CF,00000001,00000000), ref: 0040CF9D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocLock$MessageSendUnlock$ItemTextWindowlstrlen
                                                                          • String ID: $%s%s%s%s$=====================================$8G$<SummaryExtraInfo>$DG
                                                                          • API String ID: 1410268358-2802390505
                                                                          • Opcode ID: 0b48d18390f290eecbfa0a4d87245cdf5aa54a051737659ee71bc0f4a95d5c84
                                                                          • Instruction ID: 20b876188295e953f62be2d2e52f0d26e4c013d0dd05712ef4c6de1570c86156
                                                                          • Opcode Fuzzy Hash: 0b48d18390f290eecbfa0a4d87245cdf5aa54a051737659ee71bc0f4a95d5c84
                                                                          • Instruction Fuzzy Hash: 4751717194011AEACB10EB96DCC6DFF7B38EF54708F50457FB416A20D2EB391A85CA58
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 82%
                                                                          			E0041B09C(void* __ecx) {
                                                                          				char _v16;
                                                                          				void _v275;
                                                                          				char _v276;
                                                                          				long _t46;
                                                                          				signed int _t52;
                                                                          				CHAR* _t87;
                                                                          				signed int _t93;
                                                                          				char* _t100;
                                                                          				signed int _t101;
                                                                          				signed int _t113;
                                                                          				signed int _t128;
                                                                          				void* _t131;
                                                                          				void* _t132;
                                                                          				void* _t133;
                                                                          				intOrPtr _t135;
                                                                          
                                                                          				_t135 =  *0x47e614; // 0x0
                                                                          				_t125 = __ecx;
                                                                          				_t87 = "\\";
                                                                          				if(_t135 == 0) {
                                                                          					_t126 = __ecx + 0x124;
                                                                          					E0041BF80(__ecx + 0x124, 0x47e6c8);
                                                                          					E0041BF80(_t126, E0041CC95(_t126, 0, E0041C7DB(__ecx + 0x124, _t87, 0, 1)));
                                                                          				} else {
                                                                          					_v276 = _v276 & 0x00000000;
                                                                          					_t113 = 0x40;
                                                                          					memset( &_v275, 0, _t113 << 2);
                                                                          					_t132 = _t132 + 0xc;
                                                                          					asm("stosw");
                                                                          					asm("stosb");
                                                                          					GetCurrentDirectoryA(0x104,  &_v276);
                                                                          					_t130 = _t125 + 0x124;
                                                                          					E0041BF12(_t125 + 0x124,  &_v276);
                                                                          					if(E0041BFE3(_t125 + 0x124,  *_t130 - 1) == 0x5c) {
                                                                          						E0041C3A9(_t130,  *_t130 - 1, 1);
                                                                          					}
                                                                          				}
                                                                          				if( *0x47e614 == 0) {
                                                                          					_v276 = _v276 & 0x00000000;
                                                                          					_t93 = 0x40;
                                                                          					memset( &_v275, 0, _t93 << 2);
                                                                          					_t133 = _t132 + 0xc;
                                                                          					asm("stosw");
                                                                          					asm("stosb");
                                                                          					_t46 = GetTempPathA(0x104,  &_v276);
                                                                          					if(_v276 == 0) {
                                                                          						return _t46;
                                                                          					}
                                                                          					if( *((char*)(_t131 + lstrlenA( &_v276) - 0x111)) != 0x5c) {
                                                                          						lstrcatA( &_v276, _t87);
                                                                          					}
                                                                          					_t128 = GetTickCount() & 0x7fffffff;
                                                                          					E0041BDC5( &_v16);
                                                                          					do {
                                                                          						E0041BF12( &_v16, 0x42e0c8);
                                                                          						_t52 = _t128;
                                                                          						_t128 = _t128 + 1;
                                                                          						_push(_t52);
                                                                          						_push( &_v276);
                                                                          						E0041C467( &_v16, "%sinst%d");
                                                                          						_t133 = _t133 + 0x10;
                                                                          					} while (E0040DF52(E0041CD1E( &_v16)) != 0);
                                                                          					E0041BF80(0x47e628,  &_v16);
                                                                          					_t100 =  &_v16;
                                                                          					goto L15;
                                                                          				} else {
                                                                          					_v276 = _v276 & 0x00000000;
                                                                          					_t101 = 0x40;
                                                                          					memset( &_v275, 0, _t101 << 2);
                                                                          					asm("stosw");
                                                                          					asm("stosb");
                                                                          					GetModuleFileNameA(0,  &_v276, 0x104);
                                                                          					E0041BE35( &_v16,  &_v276);
                                                                          					if(E0041C7DB( &_v16, _t87, 0, 1) != 0xffffffff) {
                                                                          						E0041C3A9( &_v16, _t69, _v16 - _t69);
                                                                          						if(E0041C7DB( &_v16, _t87, 0, 1) != 0xffffffff) {
                                                                          							E0041C3A9( &_v16, _t71, _v16 - _t71);
                                                                          							E0041BF80(0x47e628,  &_v16);
                                                                          						}
                                                                          					}
                                                                          					_t100 =  &_v16;
                                                                          					L15:
                                                                          					return E0041BEFB(_t100);
                                                                          				}
                                                                          			}



















                                                                          APIs
                                                                          • GetTempPathA.KERNEL32(00000104,00000000,00000000,00000000,00000000,0042BC5C,00000000,00000001,0047E6C8,?,0047DFB8), ref: 0041B203
                                                                          • lstrlenA.KERNEL32(00000000,?,0047DFB8), ref: 0041B21D
                                                                          • lstrcatA.KERNEL32(00000000,0042BC5C,?,0047DFB8), ref: 0041B235
                                                                          • GetTickCount.KERNEL32 ref: 0041B23B
                                                                            • Part of subcall function 0041C3A9: GlobalUnlock.KERNEL32(?,00000000,00000000,00421A09,00000000,00000001,0000005C,00000000,00000000,00000000,0000005C,00000000,00000000,0047E490,0047E788,00000000), ref: 0041C3D8
                                                                            • Part of subcall function 0041C3A9: GlobalReAlloc.KERNEL32 ref: 0041C3E5
                                                                            • Part of subcall function 0041C3A9: GlobalLock.KERNEL32 ref: 0041C406
                                                                          • GetCurrentDirectoryA.KERNEL32(00000104,00000000,?,0047DFB8), ref: 0041B0DC
                                                                            • Part of subcall function 0041BF12: GlobalUnlock.KERNEL32(0217020C,00000104,00000000,0041929A,00000000), ref: 0041BF19
                                                                            • Part of subcall function 0041BF12: GlobalReAlloc.KERNEL32 ref: 0041BF3B
                                                                            • Part of subcall function 0041BF12: GlobalLock.KERNEL32 ref: 0041BF5C
                                                                          • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,00000000,00000000,00000000,0042BC5C,00000000,00000001,0047E6C8,?,0047DFB8), ref: 0041B175
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocLockUnlock$CountCurrentDirectoryFileModuleNamePathTempTicklstrcatlstrlen
                                                                          • String ID: %sinst%d$(G$(G$\
                                                                          • API String ID: 1059662260-1996247173
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 96%
                                                                          			E0040D100(void* __ecx, void* __esi, struct HWND__* _a4) {
                                                                          				struct tagRECT _v20;
                                                                          				struct tagRECT _v36;
                                                                          				CHAR* _t18;
                                                                          				intOrPtr _t25;
                                                                          				struct HWND__* _t44;
                                                                          				void* _t46;
                                                                          				intOrPtr _t51;
                                                                          				intOrPtr _t58;
                                                                          				intOrPtr _t59;
                                                                          				intOrPtr _t60;
                                                                          				void* _t61;
                                                                          				void* _t63;
                                                                          
                                                                          				_t63 = __esi;
                                                                          				_t61 = __ecx;
                                                                          				_t46 = 0x47e850;
                                                                          				if(( *0x47e193 & 0x00000002) == 0) {
                                                                          					_t46 = 0x47edc8;
                                                                          				}
                                                                          				_t18 = E0041CD1E(_t46);
                                                                          				_t44 = _a4;
                                                                          				SetWindowTextA(_t44, _t18);
                                                                          				_push(_t63);
                                                                          				SetDlgItemTextA(_t44, 2, E0041CD1E(0x47e8b8));
                                                                          				SetDlgItemTextA(_t44, 0x15, E0041CD1E(0x47edd4));
                                                                          				 *0x47f280 = E0040710F(_t61, 0xa);
                                                                          				_t25 = E0040710F(_t61, 0xb);
                                                                          				_t51 =  *0x47f280; // 0x0
                                                                          				 *0x47f284 = _t25;
                                                                          				if(_t51 != 0) {
                                                                          					_t51 =  *((intOrPtr*)(_t51 + 0x50));
                                                                          					 *0x47f280 = _t51;
                                                                          				}
                                                                          				if(_t25 != 0) {
                                                                          					_t25 =  *((intOrPtr*)(_t25 + 0x50));
                                                                          					 *0x47f284 = _t25;
                                                                          				}
                                                                          				if(( *0x47e190 & 0x00000040) == 0 && _t25 != 0 && _t51 != 0) {
                                                                          					ShowWindow(GetDlgItem(_t44, 0x15), 0);
                                                                          					_t58 =  *0x47f280; // 0x0
                                                                          					E0041EB9E(_t58,  &_v20);
                                                                          					_t59 =  *0x47f284; // 0x0
                                                                          					E0041EE6D(_t59,  &_v20);
                                                                          					_t60 =  *0x47f280; // 0x0
                                                                          					E0041EE9B(_t60, 4);
                                                                          				}
                                                                          				if(E0041C8FD(0x47e2f0, 0x90) != 0 && ( *0x47e192 & 0x00000008) != 0 && E00407D82(_t61) != 0) {
                                                                          					GetWindowRect(_t44,  &_v20);
                                                                          					GetWindowRect( *0x47e178,  &_v36);
                                                                          					SetWindowPos(_t44, 0, _v20, _v36.bottom - _v20.bottom - _v20.top - 0x28, 0, 0, 0x205);
                                                                          				}
                                                                          				if( *0x47e114 != 0) {
                                                                          					E0040EFE7();
                                                                          				}
                                                                          				SetTimer(_t44, 1, 0x64, 0);
                                                                          				return 1;
                                                                          			}
















                                                                          APIs
                                                                          • SetWindowTextA.USER32(?,00000000), ref: 0040D127
                                                                          • SetDlgItemTextA.USER32 ref: 0040D142
                                                                          • SetDlgItemTextA.USER32 ref: 0040D152
                                                                          • GetDlgItem.USER32 ref: 0040D1A5
                                                                          • ShowWindow.USER32(00000000), ref: 0040D1AC
                                                                          • GetWindowRect.USER32 ref: 0040D20F
                                                                          • GetWindowRect.USER32 ref: 0040D221
                                                                          • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000205), ref: 0040D23A
                                                                          • SetTimer.USER32 ref: 0040D25B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ItemText$Rect$ShowTimer
                                                                          • String ID: PG
                                                                          • API String ID: 4255782137-134009939
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 94%
                                                                          			E0040BB7D(intOrPtr __ecx, signed short _a4) {
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				signed int _t10;
                                                                          				long _t12;
                                                                          				long _t19;
                                                                          				long _t23;
                                                                          				long _t24;
                                                                          				intOrPtr _t25;
                                                                          				long _t29;
                                                                          				long _t41;
                                                                          				char* _t45;
                                                                          				char* _t47;
                                                                          				char* _t49;
                                                                          				long _t52;
                                                                          				long _t54;
                                                                          				char* _t58;
                                                                          				intOrPtr _t63;
                                                                          				intOrPtr _t70;
                                                                          				char* _t73;
                                                                          				void* _t75;
                                                                          				char* _t76;
                                                                          
                                                                          				_t70 = __ecx;
                                                                          				if(_a4 >> 0x10 != 0) {
                                                                          					return 0;
                                                                          				}
                                                                          				_t10 = _a4 & 0x0000ffff;
                                                                          				__eflags = _t10 - 2;
                                                                          				if(_t10 != 2) {
                                                                          					__eflags = _t10 - 1;
                                                                          					if(_t10 != 1) {
                                                                          						__eflags = _t10 - 3;
                                                                          						if(_t10 == 3) {
                                                                          							_t12 = SendDlgItemMessageA( *(__ecx + 4), 0xb, 0xf0, 0, 0);
                                                                          							__eflags = _t12 - 1;
                                                                          							if(_t12 != 1) {
                                                                          								_t19 = SendDlgItemMessageA( *(_t70 + 4), 0xc, 0xf0, 0, 0);
                                                                          								asm("sbb eax, eax");
                                                                          								_t12 = ( ~(_t19 - 1) & 0x000000fe) + 4;
                                                                          								__eflags = _t12;
                                                                          							}
                                                                          							_t49 = "0";
                                                                          							__eflags = _t12 - 2;
                                                                          							 *0x47e65c = _t12;
                                                                          							_t45 = _t49;
                                                                          							_t73 = _t49;
                                                                          							if(_t12 != 2) {
                                                                          								__eflags = _t12 - 1;
                                                                          								if(_t12 != 1) {
                                                                          									__eflags = _t12 - 4;
                                                                          									if(_t12 == 4) {
                                                                          										_t73 = 0x42b9bc;
                                                                          									}
                                                                          								} else {
                                                                          									_t45 = 0x42b9bc;
                                                                          								}
                                                                          							} else {
                                                                          								_t49 = 0x42b9bc;
                                                                          							}
                                                                          							E0041D0FD(_t49, "<IT_Typical>", _t49);
                                                                          							E0041D0FD(_t49, "<IT_Minimal>", _t45);
                                                                          							E0041D0FD(_t49, "<IT_Custom>", _t73);
                                                                          							E0041D728("<IT_Type>",  *0x47e65c);
                                                                          							E00407827(_t70, _t70, _t73, 0);
                                                                          							E00417D26(0x47dfb8, 0);
                                                                          						}
                                                                          						goto L34;
                                                                          					}
                                                                          					_t23 = SendDlgItemMessageA( *(__ecx + 4), 0xb, 0xf0, 0, 0);
                                                                          					_t52 = 1;
                                                                          					__eflags = _t23 - _t52;
                                                                          					if(_t23 != _t52) {
                                                                          						_t24 = SendDlgItemMessageA( *(_t70 + 4), 0xc, 0xf0, 0, 0);
                                                                          						__eflags = _t24 - 1;
                                                                          						if(_t24 != 1) {
                                                                          							_t75 = 0x47e2f0;
                                                                          							_t25 = E0041C8FD(0x47e2f0, 0xcc);
                                                                          							_t54 =  *0x47e64c; // 0x13
                                                                          							__eflags = _t54;
                                                                          							if(__eflags > 0) {
                                                                          								L14:
                                                                          								 *0x47e650 = _t25;
                                                                          								 *0x47e654 = 0;
                                                                          								 *0x47e65c = 2;
                                                                          								 *0x47e698 = E0041C8FD(_t75, 0xd8);
                                                                          								 *0x47e69c = 0;
                                                                          								 *0x47e6a0 = E0041C8FD(_t75, 0xdc);
                                                                          								 *0x47e6a4 = 0;
                                                                          								_push(0xe4);
                                                                          								goto L15;
                                                                          							}
                                                                          							if(__eflags < 0) {
                                                                          								L13:
                                                                          								E0041B2CC(0x47dfb8,  *(_t70 + 4), E0041CD1E(0x47ed20), 0, 0);
                                                                          								goto L34;
                                                                          							}
                                                                          							_t63 =  *0x47e648; // 0xfff01000
                                                                          							__eflags = _t63 - _t25;
                                                                          							if(_t63 >= _t25) {
                                                                          								goto L14;
                                                                          							}
                                                                          							goto L13;
                                                                          						} else {
                                                                          							 *0x47e65c = 4;
                                                                          							goto L16;
                                                                          						}
                                                                          					} else {
                                                                          						_t75 = 0x47e2f0;
                                                                          						 *0x47e65c = _t52;
                                                                          						 *0x47e650 = E0041C8FD(0x47e2f0, 0xc8);
                                                                          						 *0x47e654 = 0;
                                                                          						 *0x47e698 = E0041C8FD(0x47e2f0, 0xd0);
                                                                          						 *0x47e69c = 0;
                                                                          						 *0x47e6a0 = E0041C8FD(0x47e2f0, 0xd4);
                                                                          						 *0x47e6a4 = 0;
                                                                          						_push(0xe0);
                                                                          						L15:
                                                                          						 *0x47e6a8 = E0041C8FD(_t75);
                                                                          						 *0x47e6ac = 0;
                                                                          						L16:
                                                                          						_t29 =  *0x47e65c; // 0x2
                                                                          						_t58 = "0";
                                                                          						__eflags = _t29 - 2;
                                                                          						_t47 = _t58;
                                                                          						_t76 = _t58;
                                                                          						if(_t29 != 2) {
                                                                          							__eflags = _t29 - 1;
                                                                          							if(_t29 != 1) {
                                                                          								__eflags = _t29 - 4;
                                                                          								if(_t29 == 4) {
                                                                          									_t76 = 0x42b9bc;
                                                                          								}
                                                                          							} else {
                                                                          								_t47 = 0x42b9bc;
                                                                          							}
                                                                          						} else {
                                                                          							_t58 = 0x42b9bc;
                                                                          						}
                                                                          						E0041D0FD(_t58, "<IT_Typical>", _t58);
                                                                          						E0041D0FD(_t58, "<IT_Minimal>", _t47);
                                                                          						E0041D0FD(_t58, "<IT_Custom>", _t76);
                                                                          						E0041D728("<IT_Type>",  *0x47e65c);
                                                                          						E00407827(_t70, _t70, _t76, 0);
                                                                          						__eflags =  *0x47e65c - 4;
                                                                          						E00417EA6(0x47dfb8, 0);
                                                                          						goto L34;
                                                                          					}
                                                                          				} else {
                                                                          					_t41 = E0041BC79(0x47dfb8);
                                                                          					__eflags = _t41;
                                                                          					if(_t41 != 0) {
                                                                          						E00407827(_t70, _t70, 0x47dfb8, 0);
                                                                          						E0041A1B5(1);
                                                                          					}
                                                                          					L34:
                                                                          					return 1;
                                                                          				}
                                                                          			}

























                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: G$<IT_Custom>$<IT_Minimal>$<IT_Type>$<IT_Typical>
                                                                          • API String ID: 0-4188000229
                                                                          • Opcode ID: a758c726f3fe749ae96dd320186b6d3493c3741125bcddf62dc6732be4bcaf85
                                                                          • Instruction ID: 55622309c6d641a856be2f5c2618e352328d0658733466dd7ad14fd22a60ba25
                                                                          • Opcode Fuzzy Hash: a758c726f3fe749ae96dd320186b6d3493c3741125bcddf62dc6732be4bcaf85
                                                                          • Instruction Fuzzy Hash: 2C51F6B0B40214ABE6206F579C41F6A7758DB69708F90827FF209B62C1CF7D588187EE
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 94%
                                                                          			E0040B143(char __ecx, signed int _a4, char _a7) {
                                                                          				char _v8;
                                                                          				char _v20;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				signed int _t27;
                                                                          				void* _t31;
                                                                          				char _t90;
                                                                          				char _t92;
                                                                          				void* _t93;
                                                                          				CHAR* _t94;
                                                                          
                                                                          				_t90 = __ecx;
                                                                          				_v8 = __ecx;
                                                                          				if(_a4 >> 0x10 != 0) {
                                                                          					return 0;
                                                                          				}
                                                                          				_t27 = _a4 & 0x0000ffff;
                                                                          				if(_t27 != 2) {
                                                                          					if(_t27 != 1) {
                                                                          						if(_t27 != 3) {
                                                                          							if(_t27 == 4) {
                                                                          								_t94 = E00424DD9(0x104);
                                                                          								if(_t94 == 0) {
                                                                          									E0041D881(E0041CD1E(0x47e924));
                                                                          								}
                                                                          								E00424500(_t94, 0, 0x104);
                                                                          								_push( *0x47e654);
                                                                          								_t31 = E0041CD1E(0x47ec00);
                                                                          								_t92 = _v8;
                                                                          								E0040E27C( *(_t92 + 4), _t31, _t94,  *0x47e650);
                                                                          								if( *_t94 != 0) {
                                                                          									if( *((char*)(lstrlenA(_t94) + _t94 - 1)) != 0x5c) {
                                                                          										lstrcatA(_t94, "\\");
                                                                          									}
                                                                          									if(( *0x47e193 & 0x00000004) == 0) {
                                                                          										lstrcatA(_t94, E0041CD1E(0x47e35c));
                                                                          									}
                                                                          									SetWindowTextA(GetDlgItem( *(_t92 + 4), 0xa), _t94);
                                                                          								}
                                                                          								E00424DCE(_t94);
                                                                          							}
                                                                          						} else {
                                                                          							E0041DBA4( *((intOrPtr*)(__ecx + 4)), 0xa,  &_a4);
                                                                          							E0041BF12(0x47e338, _a4);
                                                                          							E00424DCE(_a4);
                                                                          							E00407827(_t90, _t90, _t93, 0);
                                                                          							E00417D26(0x47dfb8, 0);
                                                                          						}
                                                                          					} else {
                                                                          						E0041BDC5( &_v20);
                                                                          						_v8 = 0;
                                                                          						_a7 = E0040B4A9(__ecx,  &_v20,  &_v8);
                                                                          						if(_v8 != 0) {
                                                                          							E00424DCE(_v8);
                                                                          						}
                                                                          						if(_a7 != 0) {
                                                                          							E0041BF80(0x47e338,  &_v20);
                                                                          							E0041CDAE(0x47e338);
                                                                          							E0041BFF8(0x47e338, 0x5c);
                                                                          							E00407827(_t90, _t90, 0x47e338, 0);
                                                                          							E00417EA6(0x47dfb8, 0);
                                                                          						}
                                                                          						E0041BEFB( &_v20);
                                                                          					}
                                                                          				} else {
                                                                          					if(E0041BC79(0x47dfb8) != 0) {
                                                                          						E00407827(_t90, _t90, 0x47dfb8, 0);
                                                                          						E0041A1B5(1);
                                                                          					}
                                                                          				}
                                                                          				return 1;
                                                                          			}














                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: $G$8G$8G$\G
                                                                          • API String ID: 0-1143791198
                                                                          • Opcode ID: 802426992f9d0df92792d56e7ea0250147a8a1dce1bdb17cc863aa0786f714fe
                                                                          • Instruction ID: bee363c89d9278215f15d4d38191b35878fd9848968c0216f84cbe3fca6935de
                                                                          • Opcode Fuzzy Hash: 802426992f9d0df92792d56e7ea0250147a8a1dce1bdb17cc863aa0786f714fe
                                                                          • Instruction Fuzzy Hash: B441F471A00114AADB11BBA29C529FE7629EF95318F50407FF905B72C2CF3D4D8292DE
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 86%
                                                                          			E0040FD20(intOrPtr __ecx, void* __eflags) {
                                                                          				BITMAPINFOHEADER* _v8;
                                                                          				intOrPtr _v12;
                                                                          				void* _v16;
                                                                          				char _v20;
                                                                          				intOrPtr _v24;
                                                                          				char _v28;
                                                                          				char _v44;
                                                                          				char _v304;
                                                                          				intOrPtr _t19;
                                                                          				intOrPtr _t22;
                                                                          				intOrPtr _t23;
                                                                          				void* _t24;
                                                                          				intOrPtr _t26;
                                                                          				long _t27;
                                                                          				long _t33;
                                                                          				signed int _t42;
                                                                          				void* _t48;
                                                                          				long _t52;
                                                                          				signed int _t53;
                                                                          				intOrPtr* _t60;
                                                                          				void* _t76;
                                                                          				struct HDC__* _t77;
                                                                          
                                                                          				_v12 = __ecx;
                                                                          				_t19 = E0041C8FD(0x47e2f0, 0xc);
                                                                          				_v24 = _t19;
                                                                          				if(_t19 != 0) {
                                                                          					E0041DBFF(0x47e2f0,  &_v304, ".bmp");
                                                                          					_t22 =  *0x47f28c; // 0x2070010
                                                                          					_t52 = 1;
                                                                          					 *0x47f21c = _t52;
                                                                          					 *0x47e290 = _t52;
                                                                          					if(_t22 != 0) {
                                                                          						E00424DCE(_t22);
                                                                          					}
                                                                          					_t23 = E00424DD9(4);
                                                                          					 *0x47f28c = _t23;
                                                                          					if(_t23 == 0) {
                                                                          						E0041D881(E0041CD1E(0x47e924));
                                                                          					}
                                                                          					_t24 = E0041C8FD(0x47e2f0, 8);
                                                                          					_t60 =  *0x47f28c; // 0x2070010
                                                                          					 *_t60 = _t24 + _v24;
                                                                          					_t26 = E0041C8FD(0x47e2f0, 0xc);
                                                                          					_t27 = E0041C8FD(0x47e2f0, 8);
                                                                          					if(E00401AC0(E0041CD1E(0x47e6c8),  &_v304, _t27, _t26) == 0) {
                                                                          						_t76 = CreateFileA( &_v304, 0x80000000, _t52, 0, 3, 0x80, 0);
                                                                          						if(_t76 != 0xffffffff) {
                                                                          							_t33 = GetFileSize(_t76, 0);
                                                                          							_v28 = 0;
                                                                          							_t53 = E00410087(_v12, _t76, _t33,  &_v44,  &_v8,  &_v20,  &_v16,  &_v28);
                                                                          							CloseHandle(_t76);
                                                                          							DeleteFileA( &_v304);
                                                                          							if(_t53 >= 0) {
                                                                          								_t77 = GetDC( *0x47e178);
                                                                          								 *0x47e180 = CreateDIBitmap(_t77, _v8, 4, _v16, _v8, 0);
                                                                          								ReleaseDC( *0x47e178, _t77);
                                                                          								E00424DCE(_v20);
                                                                          								_t42 =  *0x47e180; // 0x0
                                                                          								asm("sbb eax, eax");
                                                                          								return ( ~_t42 & 0x0000006a) + 0xffffff97;
                                                                          							}
                                                                          							return _t53 | 0x00000001;
                                                                          						}
                                                                          						_push(0xffffff9c);
                                                                          						goto L2;
                                                                          					} else {
                                                                          						_push(0xffffff9d);
                                                                          						L2:
                                                                          						_pop(_t48);
                                                                          						return _t48;
                                                                          					}
                                                                          				}
                                                                          				 *0x47e180 = 0;
                                                                          				_push(1);
                                                                          				goto L2;
                                                                          			}


























                                                                          APIs
                                                                          • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,0000000C,0047F208,00000001,00000000), ref: 0040FE0B
                                                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 0040FE21
                                                                          • CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?), ref: 0040FE4B
                                                                          • DeleteFileA.KERNEL32(?), ref: 0040FE58
                                                                          • GetDC.USER32 ref: 0040FE6F
                                                                          • CreateDIBitmap.GDI32(00000000,00000000,00000004,?,00000000,00000000), ref: 0040FE84
                                                                          • ReleaseDC.USER32 ref: 0040FE96
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: File$Create$BitmapCloseDeleteHandleReleaseSize
                                                                          • String ID: $G$.bmp
                                                                          • API String ID: 2008120840-2738061064
                                                                          • Opcode ID: 3995a3750e7dd3da10834d1e6e5926b7dea0f0e3dab81c01293bf198082a347a
                                                                          • Instruction ID: cf3e423417066c2770ee3d28dc9536839d589157f27dfd254e3d0e7e263d838b
                                                                          • Opcode Fuzzy Hash: 3995a3750e7dd3da10834d1e6e5926b7dea0f0e3dab81c01293bf198082a347a
                                                                          • Instruction Fuzzy Hash: 7C41E772A00214BBDB20ABA5EC45EEE37A9EB48714F50027FF215F61D1DB3859858B6C
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0042673F() {
                                                                          				int _v4;
                                                                          				int _v8;
                                                                          				intOrPtr _t7;
                                                                          				CHAR* _t9;
                                                                          				WCHAR* _t17;
                                                                          				int _t20;
                                                                          				char* _t24;
                                                                          				int _t32;
                                                                          				CHAR* _t36;
                                                                          				WCHAR* _t38;
                                                                          				void* _t39;
                                                                          				int _t42;
                                                                          
                                                                          				_t7 =  *0x47f494; // 0x1
                                                                          				_t32 = 0;
                                                                          				_t38 = 0;
                                                                          				_t36 = 0;
                                                                          				if(_t7 != 0) {
                                                                          					if(_t7 != 1) {
                                                                          						if(_t7 != 2) {
                                                                          							L27:
                                                                          							return 0;
                                                                          						}
                                                                          						L18:
                                                                          						if(_t36 != _t32) {
                                                                          							L20:
                                                                          							_t9 = _t36;
                                                                          							if( *_t36 == _t32) {
                                                                          								L23:
                                                                          								_t41 = _t9 - _t36 + 1;
                                                                          								_t39 = E00424B9C(_t9 - _t36 + 1);
                                                                          								if(_t39 != _t32) {
                                                                          									E00424560(_t39, _t36, _t41);
                                                                          								} else {
                                                                          									_t39 = 0;
                                                                          								}
                                                                          								FreeEnvironmentStringsA(_t36);
                                                                          								return _t39;
                                                                          							} else {
                                                                          								goto L21;
                                                                          							}
                                                                          							do {
                                                                          								do {
                                                                          									L21:
                                                                          									_t9 =  &(_t9[1]);
                                                                          								} while ( *_t9 != _t32);
                                                                          								_t9 =  &(_t9[1]);
                                                                          							} while ( *_t9 != _t32);
                                                                          							goto L23;
                                                                          						}
                                                                          						_t36 = GetEnvironmentStrings();
                                                                          						if(_t36 == _t32) {
                                                                          							goto L27;
                                                                          						}
                                                                          						goto L20;
                                                                          					}
                                                                          					L6:
                                                                          					if(_t38 != _t32) {
                                                                          						L8:
                                                                          						_t17 = _t38;
                                                                          						if( *_t38 == _t32) {
                                                                          							L11:
                                                                          							_t20 = (_t17 - _t38 >> 1) + 1;
                                                                          							_v4 = _t20;
                                                                          							_t42 = WideCharToMultiByte(_t32, _t32, _t38, _t20, _t32, _t32, _t32, _t32);
                                                                          							if(_t42 != _t32) {
                                                                          								_t24 = E00424B9C(_t42);
                                                                          								_v8 = _t24;
                                                                          								if(_t24 != _t32) {
                                                                          									if(WideCharToMultiByte(_t32, _t32, _t38, _v4, _t24, _t42, _t32, _t32) == 0) {
                                                                          										_t4 =  &_v8; // 0x42544e
                                                                          										E00424AB4( *_t4);
                                                                          										_v8 = _t32;
                                                                          									}
                                                                          									_t6 =  &_v8; // 0x42544e
                                                                          									_t32 =  *_t6;
                                                                          								}
                                                                          							}
                                                                          							FreeEnvironmentStringsW(_t38);
                                                                          							return _t32;
                                                                          						} else {
                                                                          							goto L9;
                                                                          						}
                                                                          						do {
                                                                          							do {
                                                                          								L9:
                                                                          								_t17 =  &(_t17[1]);
                                                                          							} while ( *_t17 != _t32);
                                                                          							_t17 =  &(_t17[1]);
                                                                          						} while ( *_t17 != _t32);
                                                                          						goto L11;
                                                                          					}
                                                                          					_t38 = GetEnvironmentStringsW();
                                                                          					if(_t38 == _t32) {
                                                                          						goto L27;
                                                                          					}
                                                                          					goto L8;
                                                                          				}
                                                                          				_t38 = GetEnvironmentStringsW();
                                                                          				if(_t38 == 0) {
                                                                          					_t36 = GetEnvironmentStrings();
                                                                          					if(_t36 == 0) {
                                                                          						goto L27;
                                                                          					}
                                                                          					 *0x47f494 = 2;
                                                                          					goto L18;
                                                                          				}
                                                                          				 *0x47f494 = 1;
                                                                          				goto L6;
                                                                          			}
















                                                                          APIs
                                                                          • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0042544E), ref: 0042675A
                                                                          • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0042544E), ref: 0042676E
                                                                          • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0042544E), ref: 0042679A
                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0042544E), ref: 004267D2
                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0042544E), ref: 004267F4
                                                                          • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,0042544E), ref: 0042680D
                                                                          • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0042544E), ref: 00426820
                                                                          • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0042685E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                                                                          • String ID: NTB
                                                                          • API String ID: 1823725401-3275800884
                                                                          • Opcode ID: 09d6d9b367f5193bafd867d262349c5fc6bf43a9ea448f1c081074df28bd7e38
                                                                          • Instruction ID: 70f4fe8edb7dadc6a306c9177d1c38149c5e187b45b6e61e3d9f52c0ed71f94f
                                                                          • Opcode Fuzzy Hash: 09d6d9b367f5193bafd867d262349c5fc6bf43a9ea448f1c081074df28bd7e38
                                                                          • Instruction Fuzzy Hash: F431F4B27062355FDB207F757C8483B769CEA85358792093FF545C3201DA298C82866D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 74%
                                                                          			E00409E0C(void* __edi, void* __esi) {
                                                                          				intOrPtr _v8;
                                                                          				void* _t24;
                                                                          				signed int _t33;
                                                                          				intOrPtr _t50;
                                                                          				struct HWND__* _t59;
                                                                          				void* _t80;
                                                                          				struct HDC__* _t81;
                                                                          				void* _t84;
                                                                          				struct HWND__** _t88;
                                                                          
                                                                          				_t84 = __esi;
                                                                          				_t80 = __edi;
                                                                          				if( *0x47e274 == 0) {
                                                                          					_t59 = CreateDialogParamA( *0x47e17c, 0x12,  *0x47e178, E00405811, 0);
                                                                          					if(E00424DD9(0x2c) == 0) {
                                                                          						_t88 = 0;
                                                                          					} else {
                                                                          						_t88 = E0041EA76(_t26);
                                                                          					}
                                                                          					if(_t88 == 0) {
                                                                          						E0041D881(E0041CD1E(0x47e924));
                                                                          					}
                                                                          					_push(_t84);
                                                                          					_push(_t80);
                                                                          					SetWindowTextA(_t59, E0041CD1E(0x47e700));
                                                                          					SetDlgItemTextA(_t59, 0x422, E0041CD1E(0x47e9c0));
                                                                          					_t81 = GetDC( *0x47e178);
                                                                          					_t33 = MulDiv(0xf4240, GetDeviceCaps(_t81, 0x5a), 0x48);
                                                                          					asm("cdq");
                                                                          					_t85 = _t33 / 0x535;
                                                                          					ReleaseDC( *0x47e178, _t81);
                                                                          					asm("cdq");
                                                                          					asm("cdq");
                                                                          					asm("cdq");
                                                                          					asm("cdq");
                                                                          					E0041EBAF(_t88, _t59, _t33 / 0x535 * 0x3d / 0x3e8, _t85 * 0x2d / 0x3e8, _t85 * 0xb2 / 0x3e8, (_t85 + _t85 * 4 << 2) / 0x3e8, 0xff3232, 2);
                                                                          					if(E00424DD9(0xc) == 0) {
                                                                          						_t50 = 0;
                                                                          					} else {
                                                                          						_t50 = E0041EEB9(_t49);
                                                                          					}
                                                                          					 *0x47e274 = _t50;
                                                                          					if(_t50 != 0) {
                                                                          						E00421569(_t50, _t88, _v8);
                                                                          					}
                                                                          					if(_t88 != 0) {
                                                                          						E0041EA84(_t88);
                                                                          						E00424DCE(_t88);
                                                                          					}
                                                                          					return DestroyWindow(_t59);
                                                                          				}
                                                                          				return _t24;
                                                                          			}













                                                                          APIs
                                                                          • CreateDialogParamA.USER32(00000012,00405811,00000000,0047DFB8,00000000), ref: 00409E30
                                                                          • SetWindowTextA.USER32(00000000,00000000), ref: 00409E74
                                                                          • SetDlgItemTextA.USER32 ref: 00409E8B
                                                                          • GetDC.USER32 ref: 00409E97
                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00409EA4
                                                                          • MulDiv.KERNEL32(000F4240,00000000), ref: 00409EB0
                                                                          • ReleaseDC.USER32 ref: 00409EC7
                                                                          • DestroyWindow.USER32(00000000,00000000,00000000,00000000,00FF3232,00000002,?,00000000,00415294,00000000,?,?,00000000), ref: 00409F4C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: TextWindow$CapsCreateDestroyDeviceDialogItemParamRelease
                                                                          • String ID: $G
                                                                          • API String ID: 2752067422-195990108
                                                                          • Opcode ID: 6af5d555873dcb2e1cf5ac52fad9c6eeb51411011906c4e4908784347c516bc4
                                                                          • Instruction ID: 64d2272f1d71ec0746e7bd42cd6953b95e96244998154a68e13917dbc3f7a5c2
                                                                          • Opcode Fuzzy Hash: 6af5d555873dcb2e1cf5ac52fad9c6eeb51411011906c4e4908784347c516bc4
                                                                          • Instruction Fuzzy Hash: BD31B0B1300205AFE724B772AC0AB7A368DDB88B55F50457EBA06D51E2DEBDCC41822D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 89%
                                                                          			E0040E177(void* __edx, void* __edi, void* __esi, struct HWND__* _a4, intOrPtr _a8, signed int _a11, intOrPtr _a12, intOrPtr* _a16) {
                                                                          				signed char _v5;
                                                                          				char _v6;
                                                                          				char _v7;
                                                                          				signed int _v8;
                                                                          				intOrPtr _v16;
                                                                          				void* _t26;
                                                                          				intOrPtr* _t34;
                                                                          				void* _t35;
                                                                          				CHAR* _t42;
                                                                          				void* _t50;
                                                                          				CHAR* _t56;
                                                                          				void* _t67;
                                                                          
                                                                          				_t50 = __edx;
                                                                          				_t26 = _a8 - 1;
                                                                          				if(_t26 == 0) {
                                                                          					SendMessageA(_a4, 0x464, 0, 0);
                                                                          					L15:
                                                                          					return 0;
                                                                          				}
                                                                          				if(_t26 != 1) {
                                                                          					goto L15;
                                                                          				}
                                                                          				_t56 = E00424DD9(0x104);
                                                                          				if(_t56 == 0) {
                                                                          					E0041D881(E0041CD1E(0x47e924));
                                                                          				}
                                                                          				E00424500(_t56, 0, 0x104);
                                                                          				_a11 = _a11 & 0x00000000;
                                                                          				_v8 = _v8 & 0x00000000;
                                                                          				_v5 = _v5 & 0x00000000;
                                                                          				_v7 = 0x3a;
                                                                          				_v6 = 0x5c;
                                                                          				__imp__SHGetPathFromIDListA(_a12, _t56);
                                                                          				SendMessageA(_a4, 0x464, 0, _t56);
                                                                          				_t42 =  &_v8;
                                                                          				_v8 =  *_t56;
                                                                          				if( *_t56 == 0x5c && _t56[1] == 0x5c) {
                                                                          					_a11 = 1;
                                                                          					_t42 = _t56;
                                                                          					if( *((char*)(lstrlenA(_t56) + _t56 - 1)) != 0x5c) {
                                                                          						lstrcatA(_t56, "\\");
                                                                          					}
                                                                          				}
                                                                          				_t34 = _a16;
                                                                          				_v16 =  *_t34;
                                                                          				_t35 = E0040DE4D(_t42, 1);
                                                                          				_t67 = _t50 -  *((intOrPtr*)(_t34 + 4));
                                                                          				if(_t67 <= 0 && (_t67 < 0 || _t35 < _v16)) {
                                                                          					SendMessageA(_a4, 0x465, 0, 0);
                                                                          				}
                                                                          				if(_a11 != 0) {
                                                                          					E00424DCE(_t42);
                                                                          				}
                                                                          				goto L15;
                                                                          			}
















                                                                          APIs
                                                                          • SHGetPathFromIDListA.SHELL32(?,00000000), ref: 0040E1D8
                                                                          • SendMessageA.USER32(?,00000464,00000000,00000000), ref: 0040E1EF
                                                                          • lstrlenA.KERNEL32(00000000), ref: 0040E20B
                                                                          • lstrcatA.KERNEL32(00000000,0042BC5C), ref: 0040E21E
                                                                          • SendMessageA.USER32(?,00000465,00000000,00000000), ref: 0040E250
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          • SendMessageA.USER32(?,00000464,00000000,00000000), ref: 0040E26F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: GlobalMessageSend$AllocFromListLockPathUnlocklstrcatlstrlen
                                                                          • String ID: $G$:$\
                                                                          • API String ID: 140795568-1825042209
                                                                          • Opcode ID: 13d3db3d80b4cfebd66eed4fc2c78cd52229a23c903782d053dff0087ef01897
                                                                          • Instruction ID: 21e24e243a6a30bb0ddabb7fae950f34981bca74c7c0db4a95f2ed546f01ef71
                                                                          • Opcode Fuzzy Hash: 13d3db3d80b4cfebd66eed4fc2c78cd52229a23c903782d053dff0087ef01897
                                                                          • Instruction Fuzzy Hash: 56318B71A05744FEEB21AB62DC49F8F7FA88F42714F1488AEF5403A2D2C6B89911875D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0041BD55(intOrPtr* __ecx, intOrPtr _a4) {
                                                                          				CHAR* _v0;
                                                                          				struct HINSTANCE__* _t15;
                                                                          				signed int _t19;
                                                                          				intOrPtr* _t28;
                                                                          
                                                                          				_t28 = __ecx;
                                                                          				if( *((intOrPtr*)(__ecx + 0x1c)) == 0) {
                                                                          					_t3 = _t28 + 0x10; // 0x47e2e0
                                                                          					E0041BF12(_t3, _a4);
                                                                          					_t15 = LoadLibraryA(_v0);
                                                                          					 *(_t28 + 0x1c) = _t15;
                                                                          					if(_t15 != 0) {
                                                                          						 *((intOrPtr*)(_t28 + 4)) = GetProcAddress(_t15, "Blit");
                                                                          						_t7 = _t28 + 0x1c; // 0x0
                                                                          						 *_t28 = GetProcAddress( *_t7, "GetDllVersion");
                                                                          						_t8 = _t28 + 0x1c; // 0x0
                                                                          						 *((intOrPtr*)(_t28 + 8)) = GetProcAddress( *_t8, "JPGToBMP");
                                                                          						_t10 = _t28 + 0x1c; // 0x0
                                                                          						_t19 = GetProcAddress( *_t10, "JPGToBMPEx");
                                                                          						 *(_t28 + 0xc) = _t19;
                                                                          						return _t19 & 0xffffff00 | _t19 != 0x00000000;
                                                                          					}
                                                                          					return 0;
                                                                          				}
                                                                          				return 1;
                                                                          			}








                                                                          APIs
                                                                          • LoadLibraryA.KERNEL32(?,?,00000000,004189FA,00000000,00000000,00000000,00000054,00000050,0000005C,0047E1B8,00000001,?,00000000), ref: 0041BD72
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID: Blit$GetDllVersion$JPGToBMP$JPGToBMPEx
                                                                          • API String ID: 1029625771-1379899007
                                                                          • Opcode ID: d53f4ab7834049d4747db6ea862f86f46e16cf2d6d03149368ea9674d48f8cb4
                                                                          • Instruction ID: 5d2a54117ffe63fd1fd62730380fadb6e88887b0d281db8f84bce1ccff9a787c
                                                                          • Opcode Fuzzy Hash: d53f4ab7834049d4747db6ea862f86f46e16cf2d6d03149368ea9674d48f8cb4
                                                                          • Instruction Fuzzy Hash: 9DF06970600711EEC7306F26EC04A9BBBE4EF90710760C92EE086825A0D738A886DF98
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 87%
                                                                          			E0040EDE3(int* __ecx) {
                                                                          				int _t12;
                                                                          				void* _t21;
                                                                          				void* _t25;
                                                                          				struct HDC__* _t27;
                                                                          				int* _t28;
                                                                          				void* _t29;
                                                                          
                                                                          				_t28 = __ecx;
                                                                          				if( *((intOrPtr*)(__ecx + 0x10)) != 0) {
                                                                          					E0040FC45(__ecx);
                                                                          				}
                                                                          				_t27 = GetDC( *0x47e178);
                                                                          				_t12 = CreateCompatibleDC(_t27);
                                                                          				_t28[4] = _t12;
                                                                          				if(_t12 != 0) {
                                                                          					_t3 =  &(_t28[1]); // 0x0
                                                                          					_t25 = CreateCompatibleBitmap(_t27,  *_t28,  *_t3);
                                                                          					ReleaseDC( *0x47e178, _t27);
                                                                          					if(_t25 != 0) {
                                                                          						_t5 =  &(_t28[4]); // 0x0
                                                                          						if(SelectObject( *_t5, _t25) != 0) {
                                                                          							_t7 =  &(_t28[3]); // 0x0
                                                                          							_t8 =  &(_t28[2]); // 0x0
                                                                          							_t9 =  &(_t28[1]); // 0x0
                                                                          							_t10 =  &(_t28[4]); // 0x0
                                                                          							BitBlt( *_t10, 0, 0,  *_t28,  *_t9,  *0x47e184,  *_t8,  *_t7, 0xcc0020);
                                                                          							_push(1);
                                                                          						} else {
                                                                          							_t6 =  &(_t28[4]); // 0x0
                                                                          							DeleteDC( *_t6);
                                                                          							_push(0xfffffffd);
                                                                          						}
                                                                          						_pop(_t29);
                                                                          						DeleteObject(_t25);
                                                                          						return _t29;
                                                                          					}
                                                                          					_t4 =  &(_t28[4]); // 0x0
                                                                          					DeleteDC( *_t4);
                                                                          					_t21 = 0xfffffffe;
                                                                          					return _t21;
                                                                          				} else {
                                                                          					return ReleaseDC( *0x47e178, _t27) | 0xffffffff;
                                                                          				}
                                                                          			}










                                                                          APIs
                                                                          • GetDC.USER32(0047F208), ref: 0040EDF9
                                                                          • CreateCompatibleDC.GDI32(00000000), ref: 0040EE02
                                                                          • ReleaseDC.USER32 ref: 0040EE16
                                                                            • Part of subcall function 0040FC45: BitBlt.GDI32(00000000,00000000,0047F208,00000000,00000000,00000000,00000000,00CC0020,00000000), ref: 0040FC6A
                                                                            • Part of subcall function 0040FC45: CreateCompatibleBitmap.GDI32(00000001,00000001), ref: 0040FC7A
                                                                            • Part of subcall function 0040FC45: SelectObject.GDI32(00000000,00000000), ref: 0040FC84
                                                                            • Part of subcall function 0040FC45: DeleteObject.GDI32(00000000), ref: 0040FC8B
                                                                            • Part of subcall function 0040FC45: DeleteDC.GDI32(00000000), ref: 0040FC94
                                                                          • CreateCompatibleBitmap.GDI32(00000000,0047F208,00000000), ref: 0040EE27
                                                                          • ReleaseDC.USER32 ref: 0040EE36
                                                                          • DeleteDC.GDI32(00000000), ref: 0040EE43
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 0040EE52
                                                                          • DeleteDC.GDI32(00000000), ref: 0040EE5F
                                                                          • DeleteObject.GDI32(00000000), ref: 0040EE90
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Delete$Object$CompatibleCreate$BitmapReleaseSelect
                                                                          • String ID:
                                                                          • API String ID: 1573005090-0
                                                                          • Opcode ID: e6151709743439201e731339c2d96ddc398ce3e8a6b7f262f28ba73ccbc63d39
                                                                          • Instruction ID: 32fa84cb7ac7508deeb8dbcab99f5a284d58c6a6701324cb506084c713f8559a
                                                                          • Opcode Fuzzy Hash: e6151709743439201e731339c2d96ddc398ce3e8a6b7f262f28ba73ccbc63d39
                                                                          • Instruction Fuzzy Hash: 90113A31201214FFEB311F66DC09A1A7AB5FB48B11B510A3EF666A04F0CB715866AB58
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 94%
                                                                          			E00412C58(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                          				char _v16;
                                                                          				struct _PROCESS_INFORMATION _v32;
                                                                          				struct _STARTUPINFOA _v100;
                                                                          				void* _t32;
                                                                          				short _t40;
                                                                          				short _t58;
                                                                          				char* _t76;
                                                                          				long _t110;
                                                                          				void* _t111;
                                                                          
                                                                          				_t114 = _a8;
                                                                          				if(_a8 != 0) {
                                                                          					E004164B1(0x47dfb8, _t114, 0x47e1ac);
                                                                          					E0041A81A(_t114, 0x47e1ac);
                                                                          					E0041B3B9(0x47dfb8, 0x47e1ac, 0x7fffffff);
                                                                          					E0041BE99( &_v16, E0041CC95(0x47e1ac, 0, E0041C7DB(0x47e1ac, "\\", 0, 1)));
                                                                          					_t76 = E0041CD1E( &_v16);
                                                                          					ShellExecuteA(0, "open", E0041CD1E(0x47e1ac), 0, _t76, 1);
                                                                          					_t32 = E0041BEFB( &_v16);
                                                                          				}
                                                                          				_t115 = _a4;
                                                                          				if(_a4 != 0) {
                                                                          					E004164B1(0x47dfb8, _t115, 0x47e1a0);
                                                                          					E0041A81A(_t115, 0x47e1a0);
                                                                          					E0041B3B9(0x47dfb8, 0x47e1a0, 0x7fffffff);
                                                                          					E00424500( &_v32, 0, 0x10);
                                                                          					E00424500( &_v100, 0, 0x44);
                                                                          					_t111 = _t111 + 0x18;
                                                                          					_v100.cb = 0x44;
                                                                          					_t58 = 1;
                                                                          					_v100.dwFlags = _t58;
                                                                          					_v100.wShowWindow = _t58;
                                                                          					E0041BDC5( &_v16);
                                                                          					if(E0041BFE3(0x47e1a0, 0) != 0x22) {
                                                                          						_push(E0041CD1E(0x47e1a0));
                                                                          						E0041C467( &_v16, "\"%s\"");
                                                                          						_t111 = _t111 + 0xc;
                                                                          					} else {
                                                                          						E0041BF80( &_v16, 0x47e1a0);
                                                                          					}
                                                                          					CreateProcessA(0, E0041CD1E( &_v16), 0, 0, 0, 0x4000000, 0, 0,  &_v100,  &_v32);
                                                                          					CloseHandle(_v32.hProcess);
                                                                          					_t32 = E0041BEFB( &_v16);
                                                                          				}
                                                                          				_t117 = _a12;
                                                                          				if(_a12 != 0) {
                                                                          					E004164B1(0x47dfb8, _t117, 0x47e284);
                                                                          					E0041A81A(_t117, 0x47e284);
                                                                          					E0041B3B9(0x47dfb8, 0x47e284, 0x7fffffff);
                                                                          					E00424500( &_v32, 0, 0x10);
                                                                          					_t110 = 0x44;
                                                                          					E00424500( &_v100, 0, _t110);
                                                                          					_v100.cb = _t110;
                                                                          					_t40 = 1;
                                                                          					_v100.dwFlags = _t40;
                                                                          					_v100.wShowWindow = _t40;
                                                                          					E0041BDC5( &_v16);
                                                                          					_push(E0041CD1E(0x47e284));
                                                                          					E0041C467( &_v16, "\"%s\"");
                                                                          					CreateProcessA(0, E0041CD1E( &_v16), 0, 0, 0, 0x4000000, 0, 0,  &_v100,  &_v32);
                                                                          					CloseHandle(_v32);
                                                                          					return E0041BEFB( &_v16);
                                                                          				}
                                                                          				return _t32;
                                                                          			}













                                                                          APIs
                                                                          • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000000,00000000,00000000,?,00000000,?,?,?,7FFFFFFF,0047E284,0047E284), ref: 00412E3A
                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,7FFFFFFF,0047E284,0047E284,0047E880,0047DFB8,00000000), ref: 00412E43
                                                                          • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00412CCF
                                                                            • Part of subcall function 0041BEFB: GlobalUnlock.KERNEL32(?,00000000,0041C1E9,00000000,00000010,00000000,0047E4D0,00000000), ref: 0041BF01
                                                                            • Part of subcall function 0041BEFB: GlobalFree.KERNEL32 ref: 0041BF0A
                                                                            • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,00000000,?,0042DB90,0047E788), ref: 0041C489
                                                                            • Part of subcall function 0041C467: lstrlenA.KERNEL32(00000000,0042D4D0,00000000,00000000,00000001,00000001), ref: 0041C63F
                                                                            • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407DB6), ref: 0041C649
                                                                          • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000000,00000000,00000000,00000044,00000000,?,?,00000000,7FFFFFFF,0047E1A0,0047E1A0), ref: 00412D8E
                                                                          • CloseHandle.KERNEL32(00000000,?,?,00000000,7FFFFFFF,0047E1A0,0047E1A0,0047E880,0047DFB8,00000000), ref: 00412D97
                                                                            • Part of subcall function 0041C7DB: lstrlenA.KERNEL32(0047DFB8,00000000,0047DE94,0042BC5C,0042BC5C,00000000,00000001,0047E6C8,?,0047DFB8), ref: 0041C7E9
                                                                            • Part of subcall function 0041BE99: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0042C1D8,00421A71,00000000,00000000,00000000,0042C1D8,00000000,00000001,00000000,00000001,0000005C,00000000,00000000), ref: 0041BEB3
                                                                            • Part of subcall function 0041BE99: GlobalLock.KERNEL32 ref: 0041BED4
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$lstrlen$AllocCloseCreateHandleLockProcessUnlock$ExecuteFreeShell
                                                                          • String ID: "%s"$D$open
                                                                          • API String ID: 2852451536-1882215900
                                                                          • Opcode ID: fbca33da4473706544aacee07d9e66cffff12c51ce9051d3352803ba41c6fea6
                                                                          • Instruction ID: f4c14044bc5125cebcf83ce59b9b63798f6509ae67beb9561b870344e07d8ab8
                                                                          • Opcode Fuzzy Hash: fbca33da4473706544aacee07d9e66cffff12c51ce9051d3352803ba41c6fea6
                                                                          • Instruction Fuzzy Hash: C851C3B1A0021C7ADB10ABA2AC96EFFB72DDF40708F50411FB515A6182DF7C494186AD
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 79%
                                                                          			E0040D917(void* _a4, short _a6, signed int _a8, signed int _a12) {
                                                                          				void* _v8;
                                                                          				int _v12;
                                                                          				void* _v16;
                                                                          				int _v20;
                                                                          				signed int _v32;
                                                                          				char _v44;
                                                                          				signed int _t49;
                                                                          				signed int _t51;
                                                                          				unsigned int _t55;
                                                                          				signed int _t59;
                                                                          				signed int _t60;
                                                                          				void* _t90;
                                                                          				int _t113;
                                                                          				void* _t114;
                                                                          
                                                                          				_t49 = GetFileVersionInfoSizeA(_a4,  &_v20);
                                                                          				_t113 = _t49;
                                                                          				if(_t113 != 0) {
                                                                          					_t90 = E00424DD9(_t113);
                                                                          					__eflags = _t90;
                                                                          					_v16 = _t90;
                                                                          					if(_t90 == 0) {
                                                                          						E0041D881(E0041CD1E(0x47e924));
                                                                          					}
                                                                          					_t51 = GetFileVersionInfoA(_a4, _v20, _t113, _t90);
                                                                          					__eflags = _t51;
                                                                          					if(_t51 != 0) {
                                                                          						_v12 = 0;
                                                                          						VerQueryValueA(_t90, "\\VarFileInfo\\Translation",  &_v8,  &_v12);
                                                                          						_t55 = _v12;
                                                                          						__eflags = 0x00000003 & _t55;
                                                                          						if((0x00000003 & _t55) != 0) {
                                                                          							L23:
                                                                          							_push(0xfffffffc);
                                                                          							goto L24;
                                                                          						}
                                                                          						__eflags = _t55;
                                                                          						if(_t55 == 0) {
                                                                          							goto L23;
                                                                          						}
                                                                          						__eflags = _t55 >> 2;
                                                                          						if(_t55 >> 2 <= 0) {
                                                                          							_t59 = _a8;
                                                                          							_a4 = 0;
                                                                          							__eflags = _t59;
                                                                          							_a6 = 0x4b0;
                                                                          							if(_t59 != 0) {
                                                                          								 *_t59 = _a4;
                                                                          							}
                                                                          							L22:
                                                                          							_push(1);
                                                                          							goto L24;
                                                                          						}
                                                                          						_t60 = _a8;
                                                                          						__eflags = _t60;
                                                                          						if(_t60 != 0) {
                                                                          							 *_t60 =  *_v8;
                                                                          						}
                                                                          						E0041BDC5( &_v32);
                                                                          						_t115 = "%h";
                                                                          						_push( *_v8 & 0x0000ffff);
                                                                          						E0041C467( &_v32, "%h");
                                                                          						while(1) {
                                                                          							__eflags = _v32 & 0x00000003;
                                                                          							if((_v32 & 0x00000003) == 0) {
                                                                          								break;
                                                                          							}
                                                                          							E0041CA01(0x30, 0);
                                                                          						}
                                                                          						E0041BE35( &_v44, "\\StringFileInfo\\");
                                                                          						E0041C0C5( &_v44, __eflags,  &_v32);
                                                                          						E0041BF12( &_v32, 0x42e0c8);
                                                                          						_push( *(_v8 + 2) & 0x0000ffff);
                                                                          						E0041C467( &_v32, _t115);
                                                                          						while(1) {
                                                                          							__eflags = _v32 & 0x00000003;
                                                                          							if(__eflags == 0) {
                                                                          								break;
                                                                          							}
                                                                          							E0041CA01(0x30, 0);
                                                                          						}
                                                                          						E0041C0C5( &_v44, __eflags,  &_v32);
                                                                          						E0041C047( &_v44, "\\FileDescription", 0);
                                                                          						VerQueryValueA(_v16, E0041CD1E( &_v44),  &_a4,  &_v12);
                                                                          						_t103 = _a12;
                                                                          						__eflags = _a12;
                                                                          						if(_a12 != 0) {
                                                                          							E0041BF12(_t103, _a4);
                                                                          						}
                                                                          						E0041BEFB( &_v44);
                                                                          						E0041BEFB( &_v32);
                                                                          						goto L22;
                                                                          					} else {
                                                                          						_push(0xfffffffd);
                                                                          						L24:
                                                                          						_pop(_t114);
                                                                          						E00424DCE(_v16);
                                                                          						return _t114;
                                                                          					}
                                                                          				}
                                                                          				return _t49 | 0xffffffff;
                                                                          			}


















                                                                          APIs
                                                                          • GetFileVersionInfoSizeA.VERSION(?,00410B65,00000003,00000000,?,?,?,?,?,?,00410B65,?,?,?), ref: 0040D926
                                                                          • GetFileVersionInfoA.VERSION(?,00410B65,00000000,00000000,00000000,?,00410B65,00000003,00000000,?,?,?,?,?,?,00410B65), ref: 0040D965
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: FileInfoVersion$Size
                                                                          • String ID: $G$\FileDescription$\StringFileInfo\$\VarFileInfo\Translation
                                                                          • API String ID: 2104008232-2658176319
                                                                          • Opcode ID: 61150eeef0968c695101dd92a68d3607be4703a85986fb226b918cbcf9c81c13
                                                                          • Instruction ID: d408d3d500f0ff9ed179e7d5978f6713b2840c9058f8741615ebd732b6ba7fd1
                                                                          • Opcode Fuzzy Hash: 61150eeef0968c695101dd92a68d3607be4703a85986fb226b918cbcf9c81c13
                                                                          • Instruction Fuzzy Hash: 37419071E04118AACB14EBD6DC81DEF7B78EF44354F54412BF811A72D1EB389A49CB98
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 65%
                                                                          			E00419146(void* __ecx, CHAR* _a4) {
                                                                          				char _v16;
                                                                          				struct _OSVERSIONINFOA _v164;
                                                                          				CHAR* _t23;
                                                                          				void* _t31;
                                                                          				void* _t40;
                                                                          				intOrPtr _t55;
                                                                          
                                                                          				 *0x47e650 = 0;
                                                                          				 *0x47e654 = 0;
                                                                          				 *0x47e65c = 2;
                                                                          				 *0x47e490 = 0;
                                                                          				 *0x47e544 = 1;
                                                                          				 *0x47e17c = _a4;
                                                                          				 *0x47e184 = 0;
                                                                          				 *0x47e180 = 0;
                                                                          				 *0x47e178 = 0;
                                                                          				0x47e1dc->dwOSVersionInfoSize = 0x94;
                                                                          				GetVersionExA(0x47e1dc);
                                                                          				 *0x47e84c = 0;
                                                                          				E00424500(0x47e298, 0, 0x38);
                                                                          				E00424500(0x47e118, 0, 0x4c);
                                                                          				E00424500(0x47e780, 0, 8);
                                                                          				E00424500("=BB", 0, 0x38);
                                                                          				 *0x47e314 = E00424269;
                                                                          				 *0x47e300 = E0042423D;
                                                                          				 *0x47e304 = E00424295;
                                                                          				 *0x47e30c = E00424316;
                                                                          				 *0x47e308 = E004243AA;
                                                                          				 *0x47e310 = E0042444A;
                                                                          				 *0x47e32c = E0041D830;
                                                                          				 *0x47e334 = E0041D728;
                                                                          				 *0x47e328 = E0041D46F;
                                                                          				 *0x47e330 = E0041D0FD;
                                                                          				 *0x47e324 = 0x47e190;
                                                                          				_t23 = E00424DD9(0x104);
                                                                          				_a4 = _t23;
                                                                          				if(_t23 == 0) {
                                                                          					E0041D881(E0041CD1E(0x47e924));
                                                                          				}
                                                                          				E00424500(_a4, 0, 0x104);
                                                                          				GetModuleFileNameA(0, _a4, 0x104);
                                                                          				E0041BF12(0x47e6c8, _a4);
                                                                          				E00424DCE(_a4);
                                                                          				E0041BE35( &_v16, GetCommandLineA());
                                                                          				E0041CD68( &_v16);
                                                                          				_push(1);
                                                                          				_push(0);
                                                                          				_push("/SILENT");
                                                                          				_t31 = E0041C6D0( &_v16);
                                                                          				_t55 = 0xffffffffffffffff;
                                                                          				if(_t31 != 0xffffffffffffffff) {
                                                                          					 *0x47f27c = 1;
                                                                          				}
                                                                          				_push(1);
                                                                          				_push(0);
                                                                          				_push("/REVERT");
                                                                          				if(E0041C6D0( &_v16) != _t55) {
                                                                          					 *0x47f2d5 = 1;
                                                                          				}
                                                                          				 *0x47e6d8 = _t55;
                                                                          				 *0x47e6dc = _t55;
                                                                          				 *0x47e6e0 = _t55;
                                                                          				 *0x47e6e4 = _t55;
                                                                          				 *0x47e6e8 = _t55;
                                                                          				 *0x47e6ec = _t55;
                                                                          				 *0x47e6f0 = _t55;
                                                                          				 *0x47e6f4 = _t55;
                                                                          				E00424500( &_v164, 0, 0x94);
                                                                          				_v164.dwOSVersionInfoSize = 0x94;
                                                                          				GetVersionExA( &_v164);
                                                                          				if(_v164.dwPlatformId != 2) {
                                                                          					 *0x47e19c = 0;
                                                                          					if((_v164.dwBuildNumber & 0x0000ffff) <= 0x3e8) {
                                                                          						 *0x47e299 = 1;
                                                                          					}
                                                                          				} else {
                                                                          					 *0x47e19c = 1;
                                                                          				}
                                                                          				E0041BEFB( &_v16);
                                                                          				_t40 = 1;
                                                                          				return _t40;
                                                                          			}










                                                                          APIs
                                                                          • GetVersionExA.KERNEL32(0047E1DC,?,0047DFB8), ref: 004191A1
                                                                          • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 00419287
                                                                          • GetCommandLineA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0047DFB8), ref: 004192A3
                                                                          • GetVersionExA.KERNEL32(?,00000000,00000001,00000000), ref: 00419341
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$Version$AllocCommandFileLineLockModuleNameUnlock
                                                                          • String ID: $G$/REVERT$/SILENT$=BB
                                                                          • API String ID: 4022919458-682978317
                                                                          • Opcode ID: f776ea48a09c8f8f847d136ed6ee984ee553efc096e973d9a1180c81a32f13a8
                                                                          • Instruction ID: 069071d22816293ed82681b1aff37c9fee1eff57cfef91bdab285aa600e63159
                                                                          • Opcode Fuzzy Hash: f776ea48a09c8f8f847d136ed6ee984ee553efc096e973d9a1180c81a32f13a8
                                                                          • Instruction Fuzzy Hash: 2F51A3B0A00214ABD7109F57FC46AC93FA8EB69748F9086BBF50C562A1D7B805C5CF9D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 97%
                                                                          			E00405F3F(void** __ecx, void* __edi, signed int* _a4, CHAR* _a8, long _a12, long _a16) {
                                                                          				long _v8;
                                                                          				signed int _v20;
                                                                          				signed int _v24;
                                                                          				int _v28;
                                                                          				CHAR* _v32;
                                                                          				void _v48;
                                                                          				void _v92;
                                                                          				intOrPtr _v96;
                                                                          				void* _v100;
                                                                          				signed int* _t40;
                                                                          				CHAR* _t41;
                                                                          				int _t42;
                                                                          				long _t45;
                                                                          				void* _t50;
                                                                          				signed int* _t52;
                                                                          				long _t53;
                                                                          				void** _t68;
                                                                          				signed int _t70;
                                                                          				void* _t81;
                                                                          				long* _t88;
                                                                          
                                                                          				_t81 = __edi;
                                                                          				_t40 = _a4;
                                                                          				_t68 = __ecx;
                                                                          				if(_t40 == 0) {
                                                                          					_v100 = _v100 & 0x00000000;
                                                                          				} else {
                                                                          					_v100 =  *_t40;
                                                                          				}
                                                                          				_t41 = _a8;
                                                                          				_push(_t81);
                                                                          				_v96 = 0xffff0002;
                                                                          				_v48 = 0x23;
                                                                          				_v32 = _t41;
                                                                          				_t42 = lstrlenA(_t41);
                                                                          				_v24 = _v24 | 0xffffffff;
                                                                          				_v20 = _v20 | 0xffffffff;
                                                                          				_v28 = _t42;
                                                                          				_t70 = 0xa;
                                                                          				memcpy( &_v92,  &_v48, _t70 << 2);
                                                                          				_t45 = SendMessageA(_t68[3], 0x1100, 0,  &_v100);
                                                                          				_v8 = _t45;
                                                                          				if(_t45 == 0) {
                                                                          					E0041D881("TreeView_InserItem failed");
                                                                          				}
                                                                          				_t88 = E00424DD9(0x1c);
                                                                          				if(_t88 == 0) {
                                                                          					_t88 = 0;
                                                                          				} else {
                                                                          					_t20 =  &(_t88[3]); // 0xc
                                                                          					E0041BDC5(_t20);
                                                                          				}
                                                                          				if(_t88 == 0) {
                                                                          					E0041D881(E0041CD1E(0x47e924));
                                                                          				}
                                                                          				_t68[1] = _t68[1] + 1;
                                                                          				GlobalUnlock( *_t68);
                                                                          				_t50 = GlobalReAlloc( *_t68, _t68[1] << 2, 0x42);
                                                                          				 *_t68 = _t50;
                                                                          				if(_t50 == 0) {
                                                                          					E0041D881(E0041CD1E(0x47e924));
                                                                          				}
                                                                          				_t68[2] = GlobalLock( *_t68);
                                                                          				_t52 = _a4;
                                                                          				if(_t52 == 0) {
                                                                          					_t53 = 0;
                                                                          				} else {
                                                                          					_t53 = _t52[6] + 1;
                                                                          				}
                                                                          				_t88[6] = _t53;
                                                                          				_t30 =  &(_t88[3]); // 0xc
                                                                          				 *_t88 = _v8;
                                                                          				_t88[2] = _a12;
                                                                          				_t88[1] = _a16;
                                                                          				E0041BF12(_t30, _a8);
                                                                          				 *(_t68[2] + _t68[1] * 4 - 4) = _t88;
                                                                          				return _t88;
                                                                          			}
























                                                                          APIs
                                                                          • lstrlenA.KERNEL32(?), ref: 00405F71
                                                                          • SendMessageA.USER32(?,00001100,00000000,00000000), ref: 00405F9B
                                                                          • GlobalUnlock.KERNEL32 ref: 00405FE9
                                                                          • GlobalReAlloc.KERNEL32 ref: 00405FFA
                                                                          • GlobalLock.KERNEL32 ref: 00406016
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocLockMessageSendUnlocklstrlen
                                                                          • String ID: #$$G$TreeView_InserItem failed
                                                                          • API String ID: 3808323675-3490677953
                                                                          • Opcode ID: e24c319d5a726757bb0563f9117dc54036e36d4a3f5524520f9c0c91d46db45a
                                                                          • Instruction ID: 3a63b91b1eafc2a219035d5167075837741d0a79a5db3777f340d1a2a78fdb77
                                                                          • Opcode Fuzzy Hash: e24c319d5a726757bb0563f9117dc54036e36d4a3f5524520f9c0c91d46db45a
                                                                          • Instruction Fuzzy Hash: 3E31AE71A0071ADFDB14DFA8D885AAEBBF4EF04350F10812AE915EB295DB78D902CF54
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 91%
                                                                          			E0041F2A2(void* __ecx, void* __eflags) {
                                                                          				char _v16;
                                                                          				int _t12;
                                                                          				_Unknown_base(*)()* _t16;
                                                                          				struct HDC__* _t28;
                                                                          				struct HINSTANCE__* _t29;
                                                                          				void* _t30;
                                                                          				void* _t31;
                                                                          
                                                                          				_t31 = __eflags;
                                                                          				_t30 = __ecx;
                                                                          				E0041BE35( &_v16, 0x42e0c8);
                                                                          				E0041EEC5(__ecx,  &_v16);
                                                                          				E0041EEC5(_t30, 0x47eaa4);
                                                                          				E00420794(_t30);
                                                                          				E0041F924(_t30, _t31);
                                                                          				E0042037B(_t30);
                                                                          				 *0x47e2b0 =  *0x47e2b0 & 0x00000000;
                                                                          				_t28 = GetDC( *0x47e178);
                                                                          				_t12 = GetDeviceCaps(_t28, 0xc);
                                                                          				ReleaseDC( *0x47e178, _t28);
                                                                          				if(_t12 > 4) {
                                                                          					_t29 = LoadLibraryA("DDRAW.DLL");
                                                                          					if(_t29 != 0) {
                                                                          						_t16 = GetProcAddress(_t29, "DirectDrawEnumerateA");
                                                                          						if(_t16 != 0) {
                                                                          							 *_t16(E0041EEE8, _t30);
                                                                          						}
                                                                          						FreeLibrary(_t29);
                                                                          					}
                                                                          				}
                                                                          				return E0041BEFB( &_v16);
                                                                          			}











                                                                          APIs
                                                                            • Part of subcall function 0041BE35: lstrlenA.KERNEL32(00000000,0047DFB8,0047F2B8,0041B2F4,Astrum Installer,00000000,0047DFB8,?,0041B2C8,0041CD50,00000000,0041D88F,00000010,?,0041A03B,00000000), ref: 0041BE49
                                                                            • Part of subcall function 0041BE35: GlobalAlloc.KERNEL32(00000042,00000000,?,0041B2C8,0041CD50,00000000,0041D88F,00000010,?,0041A03B,00000000,00000000,00000000,?,0047E924,0041D88F), ref: 0041BE54
                                                                            • Part of subcall function 0041BE35: GlobalLock.KERNEL32 ref: 0041BE75
                                                                            • Part of subcall function 00420794: GetComputerNameA.KERNEL32 ref: 004207BF
                                                                            • Part of subcall function 00420794: GetUserNameA.ADVAPI32(00000000,00000100), ref: 0042081E
                                                                            • Part of subcall function 0041F924: GetDC.USER32(00000009), ref: 0041F94D
                                                                            • Part of subcall function 0041F924: GetDeviceCaps.GDI32(00000000,00000008), ref: 0041F95E
                                                                            • Part of subcall function 0041F924: GetDeviceCaps.GDI32(00000000,0000000A), ref: 0041F965
                                                                            • Part of subcall function 0041F924: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0041F96D
                                                                            • Part of subcall function 0041F924: ReleaseDC.USER32 ref: 0041F978
                                                                            • Part of subcall function 0042037B: GetSystemInfo.KERNEL32(?,?,?,00000000,?,?,?,?,?,0041F2E6,0047EAA4,00000000,0042E0C8,00000000,00000001,00000001), ref: 00420398
                                                                          • GetDC.USER32(0047EAA4), ref: 0041F2F3
                                                                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0041F2FE
                                                                          • ReleaseDC.USER32 ref: 0041F30D
                                                                          • LoadLibraryA.KERNEL32(DDRAW.DLL,?,00000000), ref: 0041F31D
                                                                          • GetProcAddress.KERNEL32(00000000,DirectDrawEnumerateA), ref: 0041F32F
                                                                          • FreeLibrary.KERNEL32(00000000,?,00000000), ref: 0041F342
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: CapsDevice$GlobalLibraryNameRelease$AddressAllocComputerFreeInfoLoadLockProcSystemUserlstrlen
                                                                          • String ID: DDRAW.DLL$DirectDrawEnumerateA
                                                                          • API String ID: 3711895086-3742168443
                                                                          • Opcode ID: 8ce6a746315a39e90f5b78f71b5245f1acafca9eb35746d334086b2a2e85034c
                                                                          • Instruction ID: f50d971d24eabad0d3942204518278dc3872f423c42921db3c5d4f9b29cc9474
                                                                          • Opcode Fuzzy Hash: 8ce6a746315a39e90f5b78f71b5245f1acafca9eb35746d334086b2a2e85034c
                                                                          • Instruction Fuzzy Hash: 9A0104307003246BEB21B767AC4AEBE7768EF80B05780007FF802922A1DF784947866D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 46%
                                                                          			E00427450(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                          				intOrPtr* _t4;
                                                                          				intOrPtr* _t7;
                                                                          				_Unknown_base(*)()* _t11;
                                                                          				void* _t14;
                                                                          				struct HINSTANCE__* _t15;
                                                                          				void* _t17;
                                                                          
                                                                          				_t14 = 0;
                                                                          				_t17 =  *0x47f4a8 - _t14; // 0x0
                                                                          				if(_t17 != 0) {
                                                                          					L4:
                                                                          					_t4 =  *0x47f4ac; // 0x0
                                                                          					if(_t4 != 0) {
                                                                          						_t14 =  *_t4();
                                                                          						if(_t14 != 0) {
                                                                          							_t7 =  *0x47f4b0; // 0x0
                                                                          							if(_t7 != 0) {
                                                                          								_t14 =  *_t7(_t14);
                                                                          							}
                                                                          						}
                                                                          					}
                                                                          					return  *0x47f4a8(_t14, _a4, _a8, _a12);
                                                                          				}
                                                                          				_t15 = LoadLibraryA("user32.dll");
                                                                          				if(_t15 == 0) {
                                                                          					L10:
                                                                          					return 0;
                                                                          				}
                                                                          				_t11 = GetProcAddress(_t15, "MessageBoxA");
                                                                          				 *0x47f4a8 = _t11;
                                                                          				if(_t11 == 0) {
                                                                          					goto L10;
                                                                          				} else {
                                                                          					 *0x47f4ac = GetProcAddress(_t15, "GetActiveWindow");
                                                                          					 *0x47f4b0 = GetProcAddress(_t15, "GetLastActivePopup");
                                                                          					goto L4;
                                                                          				}
                                                                          			}










                                                                          APIs
                                                                          • LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00426B79,?,Microsoft Visual C++ Runtime Library,00012010,?,00428A94,?,00428AE4,?,?,?,Runtime Error!Program: ), ref: 00427462
                                                                          • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0042747A
                                                                          • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0042748B
                                                                          • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00427498
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$LibraryLoad
                                                                          • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                                                                          • API String ID: 2238633743-4044615076
                                                                          • Opcode ID: 03adae220ba2ac92e5781c7af44260b06c82da7134c75381eb46c402cf3aee39
                                                                          • Instruction ID: b2c2bb2ec5988819b8827ed53610ddeb177762b4ce5a212ddc9ef857ebebcbae
                                                                          • Opcode Fuzzy Hash: 03adae220ba2ac92e5781c7af44260b06c82da7134c75381eb46c402cf3aee39
                                                                          • Instruction Fuzzy Hash: 28012571705332AF8760AFB56C84A1BBED8A6A4791750443EB505C2211DB78D8458B79
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 61%
                                                                          			E004275DE(int _a4, int _a8, signed char _a9, char* _a12, int _a16, short* _a20, int _a24, int _a28, signed int _a32) {
                                                                          				signed int _v8;
                                                                          				intOrPtr _v20;
                                                                          				short* _v28;
                                                                          				int _v32;
                                                                          				short* _v36;
                                                                          				short* _v40;
                                                                          				int _v44;
                                                                          				void* _v60;
                                                                          				int _t61;
                                                                          				int _t62;
                                                                          				int _t82;
                                                                          				int _t83;
                                                                          				int _t88;
                                                                          				short* _t89;
                                                                          				int _t90;
                                                                          				void* _t91;
                                                                          				int _t99;
                                                                          				intOrPtr _t101;
                                                                          				short* _t102;
                                                                          				int _t104;
                                                                          
                                                                          				_push(0xffffffff);
                                                                          				_push(0x428b70);
                                                                          				_push(E00424EE0);
                                                                          				_push( *[fs:0x0]);
                                                                          				 *[fs:0x0] = _t101;
                                                                          				_t102 = _t101 - 0x1c;
                                                                          				_v28 = _t102;
                                                                          				_t104 =  *0x47f4d4; // 0x1
                                                                          				if(_t104 != 0) {
                                                                          					L5:
                                                                          					if(_a16 > 0) {
                                                                          						_t83 = E00427802(_a12, _a16);
                                                                          						_pop(_t91);
                                                                          						_a16 = _t83;
                                                                          					}
                                                                          					_t61 =  *0x47f4d4; // 0x1
                                                                          					if(_t61 != 2) {
                                                                          						if(_t61 != 1) {
                                                                          							goto L21;
                                                                          						} else {
                                                                          							if(_a28 == 0) {
                                                                          								_t82 =  *0x47f4cc; // 0x0
                                                                          								_a28 = _t82;
                                                                          							}
                                                                          							asm("sbb eax, eax");
                                                                          							_t88 = MultiByteToWideChar(_a28, ( ~_a32 & 0x00000008) + 1, _a12, _a16, 0, 0);
                                                                          							_v32 = _t88;
                                                                          							if(_t88 == 0) {
                                                                          								goto L21;
                                                                          							} else {
                                                                          								_v8 = 0;
                                                                          								E00425220(_t88 + _t88 + 0x00000003 & 0x000000fc, _t91);
                                                                          								_v28 = _t102;
                                                                          								_v40 = _t102;
                                                                          								_v8 = _v8 | 0xffffffff;
                                                                          								if(_v40 == 0 || MultiByteToWideChar(_a28, 1, _a12, _a16, _v40, _t88) == 0) {
                                                                          									goto L21;
                                                                          								} else {
                                                                          									_t99 = LCMapStringW(_a4, _a8, _v40, _t88, 0, 0);
                                                                          									_v44 = _t99;
                                                                          									if(_t99 == 0) {
                                                                          										goto L21;
                                                                          									} else {
                                                                          										if((_a9 & 0x00000004) == 0) {
                                                                          											_v8 = 1;
                                                                          											E00425220(_t99 + _t99 + 0x00000003 & 0x000000fc, _t91);
                                                                          											_v28 = _t102;
                                                                          											_t89 = _t102;
                                                                          											_v36 = _t89;
                                                                          											_v8 = _v8 | 0xffffffff;
                                                                          											if(_t89 == 0 || LCMapStringW(_a4, _a8, _v40, _v32, _t89, _t99) == 0) {
                                                                          												goto L21;
                                                                          											} else {
                                                                          												_push(0);
                                                                          												_push(0);
                                                                          												if(_a24 != 0) {
                                                                          													_push(_a24);
                                                                          													_push(_a20);
                                                                          												} else {
                                                                          													_push(0);
                                                                          													_push(0);
                                                                          												}
                                                                          												_t99 = WideCharToMultiByte(_a28, 0x220, _t89, _t99, ??, ??, ??, ??);
                                                                          												if(_t99 == 0) {
                                                                          													goto L21;
                                                                          												} else {
                                                                          													goto L30;
                                                                          												}
                                                                          											}
                                                                          										} else {
                                                                          											if(_a24 == 0 || _t99 <= _a24 && LCMapStringW(_a4, _a8, _v40, _t88, _a20, _a24) != 0) {
                                                                          												L30:
                                                                          												_t62 = _t99;
                                                                          											} else {
                                                                          												goto L21;
                                                                          											}
                                                                          										}
                                                                          									}
                                                                          								}
                                                                          							}
                                                                          						}
                                                                          					} else {
                                                                          						_t62 = LCMapStringA(_a4, _a8, _a12, _a16, _a20, _a24);
                                                                          					}
                                                                          				} else {
                                                                          					_push(0);
                                                                          					_push(0);
                                                                          					_t90 = 1;
                                                                          					if(LCMapStringW(0, 0x100, 0x428b24, _t90, ??, ??) == 0) {
                                                                          						if(LCMapStringA(0, 0x100, 0x428b20, _t90, 0, 0) == 0) {
                                                                          							L21:
                                                                          							_t62 = 0;
                                                                          						} else {
                                                                          							 *0x47f4d4 = 2;
                                                                          							goto L5;
                                                                          						}
                                                                          					} else {
                                                                          						 *0x47f4d4 = _t90;
                                                                          						goto L5;
                                                                          					}
                                                                          				}
                                                                          				 *[fs:0x0] = _v20;
                                                                          				return _t62;
                                                                          			}


                                                                          APIs
                                                                          • LCMapStringW.KERNEL32(00000000,00000100,00428B24,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 00427620
                                                                          • LCMapStringA.KERNEL32(00000000,00000100,00428B20,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 0042763C
                                                                          • LCMapStringA.KERNEL32(?,00000100,00000020,00000001,00000000,00000100,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 00427685
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000101,00000020,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 004276BD
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000020,00000001,00000100,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 00427715
                                                                          • LCMapStringW.KERNEL32(?,00000100,00000100,00000000,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 0042772B
                                                                          • LCMapStringW.KERNEL32(?,00000100,00000100,00000000,00000000,00000100,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 0042775E
                                                                          • LCMapStringW.KERNEL32(?,00000100,00000100,00000100,?,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 004277C6
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: String$ByteCharMultiWide
                                                                          • String ID:
                                                                          • API String ID: 352835431-0
                                                                          • Opcode ID: 39097b5ecb80d1361a9f5b9b480cd0cb0502bb5e73b091448b002788b2a42ed1
                                                                          • Instruction ID: 334531f8ad7043bf74cb80c6d62577d1daf6163ea5b5fe0c8e2428b528b5f75d
                                                                          • Opcode Fuzzy Hash: 39097b5ecb80d1361a9f5b9b480cd0cb0502bb5e73b091448b002788b2a42ed1
                                                                          • Instruction Fuzzy Hash: B751BF31605219EFCF219F94ED85EEF7FB4FB88750F60412AF910A1260C739A861DB68
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 94%
                                                                          			E0041B749(CHAR* _a4) {
                                                                          				signed int _v5;
                                                                          				signed int _v6;
                                                                          				char* _v12;
                                                                          				char _v24;
                                                                          				int _t32;
                                                                          				char* _t33;
                                                                          				int _t35;
                                                                          				int _t46;
                                                                          				void* _t49;
                                                                          				void* _t50;
                                                                          				void* _t51;
                                                                          				void* _t52;
                                                                          				char* _t53;
                                                                          				void* _t60;
                                                                          				intOrPtr _t61;
                                                                          				char* _t62;
                                                                          				int _t63;
                                                                          				char* _t71;
                                                                          				int _t80;
                                                                          				intOrPtr* _t84;
                                                                          
                                                                          				_t80 =  *0x47e5a4; // 0x0
                                                                          				if(lstrlenA(_a4) >= _t80) {
                                                                          					_t32 =  *0x47e5a4; // 0x0
                                                                          				} else {
                                                                          					_t32 = lstrlenA(_a4);
                                                                          				}
                                                                          				_v12 = _t32;
                                                                          				_t33 =  *0x47e374; // 0x7
                                                                          				_t91 = _v12 - _t33;
                                                                          				if(_v12 >= _t33) {
                                                                          					_v12 = _t33;
                                                                          				}
                                                                          				if(E0041C1FA(0x47e374, _t91, _a4, 1) == 0) {
                                                                          					_v5 = _v5 & 0x00000000;
                                                                          					_v6 = _v6 & 0x00000000;
                                                                          					_t60 = 0;
                                                                          					__eflags = _v12;
                                                                          					if(_v12 <= 0) {
                                                                          						L21:
                                                                          						_t61 =  *0x47e374; // 0x7
                                                                          						_t35 = lstrlenA(_a4);
                                                                          						__eflags = _t35 - _t61;
                                                                          						if(_t35 > _t61) {
                                                                          							L23:
                                                                          							_t62 = E0041D46F("<__Internal_UpdateCannotUpdate1__>");
                                                                          							__eflags = _t62;
                                                                          							if(_t62 == 0) {
                                                                          								_t62 = "This update supports updates from version %s up to version %s. You have version %s and it cannot be updated by this program.";
                                                                          							}
                                                                          							E0041BDC5( &_v24);
                                                                          							_push(_a4);
                                                                          							_push(E0041CD1E(0x47e374));
                                                                          							_push(E0041CD1E(0x47e5a4));
                                                                          							E0041C467( &_v24, _t62);
                                                                          							E0041B2CC(0x47dfb8, 0, E0041CD1E( &_v24), 0, 0);
                                                                          							_t71 =  &_v24;
                                                                          							goto L26;
                                                                          						}
                                                                          						_t63 =  *0x47e5a4; // 0x0
                                                                          						_t46 = lstrlenA(_a4);
                                                                          						__eflags = _t46 - _t63;
                                                                          						if(_t46 >= _t63) {
                                                                          							L27:
                                                                          							return 1;
                                                                          						}
                                                                          						goto L23;
                                                                          					} else {
                                                                          						goto L10;
                                                                          					}
                                                                          					do {
                                                                          						L10:
                                                                          						_t84 = _t60 + _a4;
                                                                          						_t49 = E0041BFE3(0x47e5a4, _t60);
                                                                          						__eflags =  *_t84 - _t49;
                                                                          						if( *_t84 >= _t49) {
                                                                          							L12:
                                                                          							_t50 = E0041BFE3(0x47e5a4, _t60);
                                                                          							__eflags =  *_t84 - _t50;
                                                                          							if( *_t84 > _t50) {
                                                                          								_v6 = 1;
                                                                          							}
                                                                          							_t51 = E0041BFE3(0x47e374, _t60);
                                                                          							__eflags =  *_t84 - _t51;
                                                                          							if( *_t84 > _t51) {
                                                                          								__eflags = _v5;
                                                                          								if(_v5 == 0) {
                                                                          									goto L23;
                                                                          								}
                                                                          							}
                                                                          							goto L16;
                                                                          						}
                                                                          						__eflags = _v6;
                                                                          						if(_v6 == 0) {
                                                                          							goto L23;
                                                                          						}
                                                                          						goto L12;
                                                                          						L16:
                                                                          						_t52 = E0041BFE3(0x47e374, _t60);
                                                                          						__eflags =  *_t84 - _t52;
                                                                          						if( *_t84 < _t52) {
                                                                          							_v5 = 1;
                                                                          						}
                                                                          						_t60 = _t60 + 1;
                                                                          						__eflags = _t60 - _v12;
                                                                          					} while (_t60 < _v12);
                                                                          					__eflags = _v5;
                                                                          					if(_v5 != 0) {
                                                                          						goto L27;
                                                                          					}
                                                                          					goto L21;
                                                                          				} else {
                                                                          					_t53 = E0041D46F("<__Internal_UpdateAlreadyInstalled__>");
                                                                          					_t86 = _t53;
                                                                          					if(_t53 == 0) {
                                                                          						_t86 = "This update updates to version %s which is already installed on your system.";
                                                                          					}
                                                                          					E0041BDC5( &_v24);
                                                                          					_push(E0041CD1E(0x47e374));
                                                                          					E0041C467( &_v24, _t86);
                                                                          					E0041B2CC(0x47dfb8, 0, E0041CD1E( &_v24), 0, 0);
                                                                          					_t71 =  &_v24;
                                                                          					L26:
                                                                          					E0041BEFB(_t71);
                                                                          					return 0;
                                                                          				}
                                                                          			}

                                                                          APIs
                                                                          • lstrlenA.KERNEL32(?,0047DFB8,?,00000000,?,?,?,?,0041B732,?,?,0047DFB8,?,00000000,0047DFB8), ref: 0041B761
                                                                          • lstrlenA.KERNEL32(?,?,00000000,?,?,?,?,0041B732,?,?,0047DFB8,?,00000000,0047DFB8), ref: 0041B76A
                                                                          • lstrlenA.KERNEL32(?,?,00000001,?,00000000,?,?,?,?,0041B732,?,?,0047DFB8,?,00000000,0047DFB8), ref: 0041B868
                                                                          • lstrlenA.KERNEL32(?,?,00000000,?,?,?,?,0041B732,?,?,0047DFB8,?,00000000,0047DFB8), ref: 0041B877
                                                                          Strings
                                                                          • <__Internal_UpdateAlreadyInstalled__>, xrefs: 0041B798
                                                                          • This update updates to version %s which is already installed on your system., xrefs: 0041B7AA, 0041B7C2
                                                                          • This update supports updates from version %s up to version %s. You have version %s and it cannot be updated by this program., xrefs: 0041B88F, 0041B8B5
                                                                          • <__Internal_UpdateCannotUpdate1__>, xrefs: 0041B87D
                                                                          • tG, xrefs: 0041B785
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: lstrlen
                                                                          • String ID: <__Internal_UpdateAlreadyInstalled__>$<__Internal_UpdateCannotUpdate1__>$This update supports updates from version %s up to version %s. You have version %s and it cannot be updated by this program.$This update updates to version %s which is already installed on your system.$tG
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 91%
                                                                          			E004112B1(intOrPtr _a4) {
                                                                          				intOrPtr _v8;
                                                                          				intOrPtr _v12;
                                                                          				long _v16;
                                                                          				char _v28;
                                                                          				struct _SHFILEOPSTRUCTA _v60;
                                                                          				void* _t50;
                                                                          				signed int _t60;
                                                                          				long _t63;
                                                                          				signed int _t66;
                                                                          				signed int _t69;
                                                                          				signed int _t73;
                                                                          				signed int _t74;
                                                                          				signed int _t79;
                                                                          				signed char _t85;
                                                                          				void* _t86;
                                                                          				signed int* _t97;
                                                                          				signed int _t110;
                                                                          				signed int* _t129;
                                                                          				signed int _t131;
                                                                          				void* _t135;
                                                                          				intOrPtr _t136;
                                                                          				void* _t140;
                                                                          
                                                                          				_t136 =  *0x47e504; // 0x0
                                                                          				_v8 = 0;
                                                                          				_v12 = 0;
                                                                          				if(_t136 <= 0) {
                                                                          					L31:
                                                                          					return _v8;
                                                                          				} else {
                                                                          					do {
                                                                          						_t129 = E0041E860(0x47e4f8, _v12);
                                                                          						if(_t129[7] != _a4) {
                                                                          							goto L29;
                                                                          						}
                                                                          						_t50 = E00412BA7(_t129[8]);
                                                                          						_t138 = _t50;
                                                                          						if(_t50 == 0) {
                                                                          							goto L29;
                                                                          						}
                                                                          						_t7 =  &(_t129[1]); // 0x4
                                                                          						_t94 = _t7;
                                                                          						E004164B1(0x47dfb8, _t138, _t7);
                                                                          						_t8 =  &(_t129[4]); // 0x10
                                                                          						E004164B1(0x47dfb8, _t138, _t8);
                                                                          						_t129[7] = _t129[7] | 0xffffffff;
                                                                          						E0041A81A(_t138, _t94);
                                                                          						_t11 =  &(_t129[4]); // 0x10
                                                                          						E0041A81A(_t138, _t11);
                                                                          						E0041B3B9(0x47dfb8, _t94, 0x7fffffff);
                                                                          						_t12 =  &(_t129[4]); // 0x10
                                                                          						E0041B3B9(0x47dfb8, _t12, 0x7fffffff);
                                                                          						_t60 =  *_t129;
                                                                          						if(_t60 != 4) {
                                                                          							__eflags = _t60 - 5;
                                                                          							if(_t60 != 5) {
                                                                          								E00424500( &_v60, 0, 0x1e);
                                                                          								_t63 =  *0x47e178; // 0x0
                                                                          								_t135 = _t135 + 0xc;
                                                                          								_v60.hwnd = _t63;
                                                                          								_v60.fFlags = 0x650;
                                                                          								E0041BFF8(_t94, 0);
                                                                          								_v60.pFrom = E0041CD1E(_t94);
                                                                          								_t66 =  *_t129;
                                                                          								__eflags = _t66;
                                                                          								if(_t66 == 0) {
                                                                          									L11:
                                                                          									_t19 =  &(_t129[4]); // 0x10
                                                                          									_t95 = _t19;
                                                                          									E0041BFF8(_t19, 0);
                                                                          									_v60.pTo = E0041CD1E(_t95);
                                                                          									L12:
                                                                          									_t69 =  *_t129;
                                                                          									_t110 = 1;
                                                                          									__eflags = _t69 - _t110;
                                                                          									if(_t69 != _t110) {
                                                                          										__eflags = _t69 - 2;
                                                                          										if(_t69 != 2) {
                                                                          											__eflags = _t69 - 3;
                                                                          											_t110 = ((0 | _t69 != 0x00000003) - 0x00000001 & 0x00000002) + 2;
                                                                          											__eflags = _t110;
                                                                          										}
                                                                          										_v60.wFunc = _t110;
                                                                          									} else {
                                                                          										_v60.wFunc = 3;
                                                                          									}
                                                                          									_t25 =  &(_t129[4]); // 0x10
                                                                          									_v16 = GetFileAttributesA(E0041CD1E(_t25));
                                                                          									_t73 = SHFileOperationA( &_v60);
                                                                          									__eflags = _t73;
                                                                          									if(_t73 == 0) {
                                                                          										__eflags =  *_t129 - _t73;
                                                                          										if( *_t129 == _t73) {
                                                                          											__eflags = _v16 - 0xffffffff;
                                                                          											if(_v16 == 0xffffffff) {
                                                                          												_v8 = _v8 + 1;
                                                                          												_t31 =  &(_t129[4]); // 0x10
                                                                          												_t85 = GetFileAttributesA(E0041CD1E(_t31));
                                                                          												__eflags = _t85 - 0xffffffff;
                                                                          												if(_t85 != 0xffffffff) {
                                                                          													__eflags = _t85 & 0x00000010;
                                                                          													if((_t85 & 0x00000010) == 0) {
                                                                          														_t34 =  &(_t129[4]); // 0x10
                                                                          														_t86 = E0041CD1E(_t34);
                                                                          														_push(0x47e794);
                                                                          														_push(_t86);
                                                                          														E00421CE6(__eflags);
                                                                          													}
                                                                          												}
                                                                          											}
                                                                          										}
                                                                          									}
                                                                          									_t74 = _t129[4];
                                                                          									_t36 =  &(_t129[4]); // 0x10
                                                                          									_t97 = _t36;
                                                                          									__eflags = _t74 - 4;
                                                                          									if(_t74 <= 4) {
                                                                          										goto L29;
                                                                          									} else {
                                                                          										_t131 =  *_t129;
                                                                          										__eflags = _t131 - 2;
                                                                          										if(_t131 == 2) {
                                                                          											L26:
                                                                          											E0041BE99( &_v28, E0041CC95(_t97, _t74 + 0xfffffffb, 4));
                                                                          											E0041CD68( &_v28);
                                                                          											_t79 = E0041C1FA( &_v28, __eflags, ".TTF", 1);
                                                                          											__eflags = _t79;
                                                                          											if(_t79 != 0) {
                                                                          												AddFontResourceA(E0041CD1E(_t97));
                                                                          												SendMessageA(0xffff, 0x1d, 0, 0);
                                                                          											}
                                                                          											E0041BEFB( &_v28);
                                                                          											goto L29;
                                                                          										}
                                                                          										__eflags = _t131;
                                                                          										if(_t131 != 0) {
                                                                          											goto L29;
                                                                          										}
                                                                          										goto L26;
                                                                          									}
                                                                          								}
                                                                          								__eflags = _t66 - 2;
                                                                          								if(_t66 == 2) {
                                                                          									goto L11;
                                                                          								}
                                                                          								__eflags = _t66 - 3;
                                                                          								if(_t66 != 3) {
                                                                          									goto L12;
                                                                          								}
                                                                          								goto L11;
                                                                          							} else {
                                                                          								RemoveDirectoryA(E0041CD1E(_t94));
                                                                          								goto L29;
                                                                          							}
                                                                          						} else {
                                                                          							_v8 = _v8 + 1;
                                                                          							E00424269(E0041CD1E(_t94));
                                                                          						}
                                                                          						L29:
                                                                          						_v12 = _v12 + 1;
                                                                          						_t140 = _v12 -  *0x47e504; // 0x0
                                                                          					} while (_t140 < 0);
                                                                          					goto L31;
                                                                          				}
                                                                          			}

                                                                          APIs
                                                                            • Part of subcall function 0041A81A: GetShortPathNameA.KERNEL32 ref: 0041A8E4
                                                                            • Part of subcall function 0041A81A: GetFileAttributesA.KERNEL32(00000000,?,0047E5F8,-00000001,00000000,00000000), ref: 0041A955
                                                                            • Part of subcall function 0041A81A: GetShortPathNameA.KERNEL32 ref: 0041A96C
                                                                          • RemoveDirectoryA.KERNEL32(00000000,00000010,7FFFFFFF,00000004,7FFFFFFF,00000010,00000004,00000010,00000004,00000001,0047F208,0047E880,00000000), ref: 00411372
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$NamePathShort$AllocAttributesDirectoryFileLockRemoveUnlock
                                                                          • String ID: .TTF
                                                                          • API String ID: 2727204524-1265958280
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 95%
                                                                          			E00414A3D(intOrPtr __ecx, void* _a4, intOrPtr* _a8, intOrPtr _a12) {
                                                                          				char _v16;
                                                                          				intOrPtr _v20;
                                                                          				char _v32;
                                                                          				char _v292;
                                                                          				void* _t31;
                                                                          				intOrPtr _t45;
                                                                          				void* _t51;
                                                                          				void* _t53;
                                                                          				CHAR* _t61;
                                                                          				int _t63;
                                                                          				char* _t74;
                                                                          				long _t105;
                                                                          				void* _t108;
                                                                          				void* _t109;
                                                                          				intOrPtr _t114;
                                                                          
                                                                          				_t74 = _a4;
                                                                          				_v20 = __ecx;
                                                                          				while(E0040DF52(E0041CD1E(_t74)) != 0) {
                                                                          					_t78 = _t74;
                                                                          					_a4 = CreateFileA(E0041CD1E(_t74), 0xc0000000, 0, 0, 3, 0x80, 0);
                                                                          					_t105 = GetLastError();
                                                                          					CloseHandle(_a4);
                                                                          					if(_t105 == 0xc || _t105 == 0x20) {
                                                                          						_t114 =  *0x47e19c; // 0x1
                                                                          						if(_t114 == 0) {
                                                                          							L10:
                                                                          							__eflags =  *0x47e192 & 0x00000040;
                                                                          							if(( *0x47e192 & 0x00000040) != 0) {
                                                                          								E0041DBFF(_t78,  &_v292, ".tmp");
                                                                          								E0041C0C5(0x47e6b0, __eflags, _t74);
                                                                          								E0041BFF8(0x47e6b0, 0);
                                                                          								E0041C047(0x47e6b0,  &_v292, 0);
                                                                          								E0041BFF8(0x47e6b0, 0);
                                                                          								E0041BF12(_t74,  &_v292);
                                                                          								_t45 = 1;
                                                                          								 *_a8 = _t45;
                                                                          								return _t45;
                                                                          							}
                                                                          							E0041BDC5( &_v32);
                                                                          							_push(E0041CD1E(_t74));
                                                                          							E0041C467( &_v32, E0041CD1E(0x47ee40));
                                                                          							_t109 = _t109 + 0xc;
                                                                          							_t51 = E0041CD1E(0x47e700);
                                                                          							_t53 = E0041B2CC(0x47dfb8,  *((intOrPtr*)(_v20 + 8)), E0041CD1E( &_v32), _t51, 5);
                                                                          							__eflags = _t53 - 4;
                                                                          							if(_t53 != 4) {
                                                                          								E0041BEFB( &_v32);
                                                                          								return 0;
                                                                          							}
                                                                          							E0041BEFB( &_v32);
                                                                          							continue;
                                                                          						}
                                                                          						E0041BE99( &_v16, _t74);
                                                                          						E0041C047( &_v16, ".delete_on_reboot0", 0);
                                                                          						_t108 = 1;
                                                                          						while(E0040DF52(E0041CD1E( &_v16)) != 0) {
                                                                          							E0041C3A9( &_v16, _v16 - 1, 1);
                                                                          							_push(_t108);
                                                                          							E0041C467( &_v16, "%d");
                                                                          							_t109 = _t109 + 0xc;
                                                                          							_t108 = _t108 + 1;
                                                                          						}
                                                                          						_t61 = E0041CD1E( &_v16);
                                                                          						_t63 = MoveFileExA(E0041CD1E(_t74), _t61, 0);
                                                                          						__eflags = _t63;
                                                                          						if(_t63 != 0) {
                                                                          							E0041BF80(_a12,  &_v16);
                                                                          							 *_a8 = 2;
                                                                          							E0041BEFB( &_v16);
                                                                          							break;
                                                                          						}
                                                                          						_t78 =  &_v16;
                                                                          						E0041BEFB( &_v16);
                                                                          						goto L10;
                                                                          					} else {
                                                                          						break;
                                                                          					}
                                                                          				}
                                                                          				_t31 = 1;
                                                                          				return _t31;
                                                                          			}



















                                                                          APIs
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000003,00000080,00000000,00000001,00000000,00000001), ref: 00414A7E
                                                                          • GetLastError.KERNEL32 ref: 00414A87
                                                                          • CloseHandle.KERNEL32(00000000), ref: 00414A92
                                                                          • MoveFileExA.KERNEL32 ref: 00414B11
                                                                            • Part of subcall function 0041C047: lstrlenA.KERNEL32(00000000,00422D86,0047E788,004221EF,103,00000000,00000000,00000000,00000000,0047E788,00000000), ref: 0041C04F
                                                                            • Part of subcall function 0041C047: GlobalUnlock.KERNEL32(8415FF57), ref: 0041C067
                                                                            • Part of subcall function 0041C047: GlobalReAlloc.KERNEL32 ref: 0041C074
                                                                            • Part of subcall function 0041C047: GlobalLock.KERNEL32 ref: 0041C095
                                                                            • Part of subcall function 0041BFF8: GlobalUnlock.KERNEL32(8415FF57,0047E788,004221E2,00000000,00000000,00000000,0047E788,00000000), ref: 0041C000
                                                                            • Part of subcall function 0041BFF8: GlobalReAlloc.KERNEL32 ref: 0041C00D
                                                                            • Part of subcall function 0041BFF8: GlobalLock.KERNEL32 ref: 0041C02E
                                                                            • Part of subcall function 0041BF12: GlobalUnlock.KERNEL32(0217020C,00000104,00000000,0041929A,00000000), ref: 0041BF19
                                                                            • Part of subcall function 0041BF12: GlobalReAlloc.KERNEL32 ref: 0041BF3B
                                                                            • Part of subcall function 0041BF12: GlobalLock.KERNEL32 ref: 0041BF5C
                                                                            • Part of subcall function 0041BEFB: GlobalUnlock.KERNEL32(?,00000000,0041C1E9,00000000,00000010,00000000,0047E4D0,00000000), ref: 0041BF01
                                                                            • Part of subcall function 0041BEFB: GlobalFree.KERNEL32 ref: 0041BF0A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$Unlock$AllocLock$File$CloseCreateErrorFreeHandleLastMovelstrlen
                                                                          • String ID: .delete_on_reboot0$.tmp$@G
                                                                          • API String ID: 1090038778-567893780
                                                                          • Opcode ID: c8019068e1191b823d5cc3fbb0f74cded316c9d1d39c6097f7a376d3ce6d636d
                                                                          • Instruction ID: 13ee51e1832359dd17840035b39a2d50a49c2f3663439cc94ee8a545bfb2738e
                                                                          • Opcode Fuzzy Hash: c8019068e1191b823d5cc3fbb0f74cded316c9d1d39c6097f7a376d3ce6d636d
                                                                          • Instruction Fuzzy Hash: 8D41B871A40119A6CF14BBA6DC96EEE77699F88308F10446FF506E3182DF3C5985C65C
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 84%
                                                                          			E00413A88(intOrPtr __ecx, void** _a4) {
                                                                          				char _v5;
                                                                          				void* _v20;
                                                                          				intOrPtr _v24;
                                                                          				char _v36;
                                                                          				char _v52;
                                                                          				void _v563;
                                                                          				char _v564;
                                                                          				intOrPtr _t32;
                                                                          				int _t39;
                                                                          				void* _t48;
                                                                          				int _t68;
                                                                          				void* _t75;
                                                                          				signed int _t83;
                                                                          				void* _t94;
                                                                          				void* _t97;
                                                                          				void* _t105;
                                                                          				void* _t106;
                                                                          				intOrPtr _t112;
                                                                          
                                                                          				_t32 =  *0x47e6c8; // 0x41
                                                                          				 *0x42bf9c =  *0x42bf9c + 1;
                                                                          				_v24 = __ecx;
                                                                          				E0041BE99( &_v20, E0041CC95(0x47e6c8, 0, _t32 + 0xfffffffd));
                                                                          				E00427836( *0x42bf9c,  &_v52, 0xa);
                                                                          				_t106 = _t105 + 0xc;
                                                                          				_t97 = 0;
                                                                          				_t39 = lstrlenA( &_v52);
                                                                          				_t75 = 3;
                                                                          				if(_t75 != _t39) {
                                                                          					do {
                                                                          						E0041BFF8( &_v20, 0x30);
                                                                          						_t97 = _t97 + 1;
                                                                          						_t68 = lstrlenA( &_v52);
                                                                          						_t94 = 3;
                                                                          					} while (_t97 < _t94 - _t68);
                                                                          				}
                                                                          				E0041C047( &_v20,  &_v52, 0);
                                                                          				_v5 = 0;
                                                                          				L3:
                                                                          				while(1) {
                                                                          					if(_v5 != 0 || E0040DF52(E0041CD1E( &_v20)) == 0) {
                                                                          						_t112 =  *0x47f27c; // 0x1
                                                                          						if(_t112 != 0 || DialogBoxParamA( *0x47e17c, 0x8a,  *(_v24 + 8), E00413748,  &_v20) == 0) {
                                                                          							E0041A1B5(1);
                                                                          						} else {
                                                                          							goto L7;
                                                                          						}
                                                                          					} else {
                                                                          						L7:
                                                                          						_t48 = CreateFileA(E0041CD1E( &_v20), 0x80000000, 1, 0, 3, 0x80, 0);
                                                                          						 *_a4 = _t48;
                                                                          						if(_t48 != 0xffffffff) {
                                                                          							E0041BF80(0x47e6c8,  &_v20);
                                                                          							_push(1);
                                                                          							_pop(0);
                                                                          						} else {
                                                                          							_t83 = 0x7f;
                                                                          							_v564 = 0;
                                                                          							memset( &_v563, 0, _t83 << 2);
                                                                          							asm("stosw");
                                                                          							asm("stosb");
                                                                          							FormatMessageA(0x1000, 0, GetLastError(), 0x400,  &_v564, 0x200, 0);
                                                                          							E0041BDC5( &_v36);
                                                                          							_push( &_v564);
                                                                          							_push(E0041CD1E( &_v20));
                                                                          							E0041C467( &_v36, "File \"%s\" could not be opened. Error: %s");
                                                                          							_t106 = _t106 + 0x1c;
                                                                          							E0041B2A8( *(_v24 + 8), E0041CD1E( &_v36), 0);
                                                                          							_v5 = 1;
                                                                          							E0041BEFB( &_v36);
                                                                          							continue;
                                                                          						}
                                                                          					}
                                                                          					E0041BEFB( &_v20);
                                                                          					return 0;
                                                                          				}
                                                                          			}






















                                                                          APIs
                                                                            • Part of subcall function 0041BE99: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0042C1D8,00421A71,00000000,00000000,00000000,0042C1D8,00000000,00000001,00000000,00000001,0000005C,00000000,00000000), ref: 0041BEB3
                                                                            • Part of subcall function 0041BE99: GlobalLock.KERNEL32 ref: 0041BED4
                                                                          • lstrlenA.KERNEL32(000000A8,0047E1B8,?,0000005C), ref: 00413ADC
                                                                          • lstrlenA.KERNEL32(000000A8,00000030), ref: 00413AF4
                                                                          • DialogBoxParamA.USER32 ref: 00413B52
                                                                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00413B79
                                                                          • GetLastError.KERNEL32 ref: 00413BA3
                                                                          • FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000200,00000000), ref: 00413BC2
                                                                            • Part of subcall function 0041BFF8: GlobalUnlock.KERNEL32(8415FF57,0047E788,004221E2,00000000,00000000,00000000,0047E788,00000000), ref: 0041C000
                                                                            • Part of subcall function 0041BFF8: GlobalReAlloc.KERNEL32 ref: 0041C00D
                                                                            • Part of subcall function 0041BFF8: GlobalLock.KERNEL32 ref: 0041C02E
                                                                          Strings
                                                                          • File "%s" could not be opened. Error: %s, xrefs: 00413BE3
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocLocklstrlen$CreateDialogErrorFileFormatLastMessageParamUnlock
                                                                          • String ID: File "%s" could not be opened. Error: %s
                                                                          • API String ID: 1137091683-3606797700
                                                                          • Opcode ID: 05c5874e8c84a40f5af4de4f2425b1f1c49626199820b519cbb6185dba5cbc98
                                                                          • Instruction ID: ef9122ae9abc39f67992f30ed21fe6da80a0bf8a9b8eac584c3fd464a65e5e51
                                                                          • Opcode Fuzzy Hash: 05c5874e8c84a40f5af4de4f2425b1f1c49626199820b519cbb6185dba5cbc98
                                                                          • Instruction Fuzzy Hash: 8841E571A40219AADF10EBB5DC95FEE777CEF14304F40006EF105B61D1EB786A89CAA8
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 95%
                                                                          			E004224AD(void* __ecx, long _a4) {
                                                                          				long _v8;
                                                                          				int _v12;
                                                                          				long _t12;
                                                                          				void* _t13;
                                                                          				intOrPtr* _t14;
                                                                          				void* _t20;
                                                                          				struct _OVERLAPPED* _t31;
                                                                          				void* _t33;
                                                                          				intOrPtr _t48;
                                                                          				void* _t50;
                                                                          				void* _t52;
                                                                          				void* _t56;
                                                                          				void* _t58;
                                                                          				void* _t59;
                                                                          				void* _t61;
                                                                          
                                                                          				_push(__ecx);
                                                                          				_push(__ecx);
                                                                          				_t12 = _a4;
                                                                          				_t31 = 0;
                                                                          				_t56 =  *0x47e540 - _t31; // 0x0
                                                                          				_t2 = _t12 + 0x34; // 0xfc75ffd7
                                                                          				_t48 =  *_t2;
                                                                          				if(_t56 <= 0) {
                                                                          					L6:
                                                                          					_t52 = 0;
                                                                          					_t59 =  *0x47e52c - _t52; // 0x0
                                                                          					if(_t59 <= 0) {
                                                                          						L19:
                                                                          						_t13 = 0;
                                                                          						L20:
                                                                          						return _t13;
                                                                          					} else {
                                                                          						goto L7;
                                                                          					}
                                                                          					while(1) {
                                                                          						L7:
                                                                          						_t14 = E0041E860(0x47e520, _t52);
                                                                          						if( *_t14 == _t48) {
                                                                          							break;
                                                                          						}
                                                                          						_t52 = _t52 + 1;
                                                                          						_t61 = _t52 -  *0x47e52c; // 0x0
                                                                          						if(_t61 < 0) {
                                                                          							continue;
                                                                          						}
                                                                          						goto L19;
                                                                          					}
                                                                          					_t15 = _t14 + 4;
                                                                          					if(_t14 + 4 == 0) {
                                                                          						goto L19;
                                                                          					}
                                                                          					_t50 = CreateFileA(E0041CD1E(_t15), 0x80000000, 1, 0, 3, 0x80, 0);
                                                                          					if(_t50 == 0xffffffff) {
                                                                          						goto L19;
                                                                          					}
                                                                          					_a4 = GetFileSize(_t50, 0);
                                                                          					if(E00424DD9(0xc) == 0) {
                                                                          						_t33 = 0;
                                                                          					} else {
                                                                          						_t33 = E0041BDC5(_t19);
                                                                          					}
                                                                          					_t20 = E0041C65C(_t33, _a4);
                                                                          					if(_t20 != 0) {
                                                                          						_v8 = 0;
                                                                          						_v12 = ReadFile(_t50, _t20, _a4,  &_v8, 0);
                                                                          						CloseHandle(_t50);
                                                                          						if(_v12 == 0 || _v8 != _a4) {
                                                                          							goto L17;
                                                                          						} else {
                                                                          							_t13 = _t33;
                                                                          							goto L20;
                                                                          						}
                                                                          					} else {
                                                                          						CloseHandle(_t50);
                                                                          						L17:
                                                                          						if(_t33 != 0) {
                                                                          							E0041BEFB(_t33);
                                                                          							E00424DCE(_t33);
                                                                          						}
                                                                          						goto L19;
                                                                          					}
                                                                          				}
                                                                          				while(E0041E860(0x47e534, _t31) != _t48) {
                                                                          					_t31 =  &(_t31->Internal);
                                                                          					_t58 = _t31 -  *0x47e540; // 0x0
                                                                          					if(_t58 < 0) {
                                                                          						continue;
                                                                          					}
                                                                          					goto L6;
                                                                          				}
                                                                          				_t48 = E0041E860(0x47e534,  &(_t31->Internal));
                                                                          				goto L6;
                                                                          			}


                                                                          APIs
                                                                          • CreateFileA.KERNEL32(00000000,00000001,00000000,00000003,00000080,00000000,00000000,0047E490,00000000,00000000,?,?,?,00422691,00000000,00422D86), ref: 00422536
                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,00422691,00000000,00422D86,0047E490,00000000,0042DBB4,0047E788,0047E33C), ref: 00422545
                                                                          • CloseHandle.KERNEL32(00000000,00422D86,?,00422691,00000000,00422D86,0047E490,00000000,0042DBB4,0047E788,0047E33C), ref: 00422576
                                                                          • ReadFile.KERNEL32(00000000,00000000,00422D86,0047E490,00000000,00422D86,?,00422691,00000000,00422D86,0047E490,00000000,0042DBB4,0047E788,0047E33C), ref: 004225A4
                                                                          • CloseHandle.KERNEL32(00000000,?,00422691,00000000,00422D86,0047E490,00000000,0042DBB4,0047E788,0047E33C), ref: 004225AE
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: File$CloseHandle$CreateReadSize
                                                                          • String ID: G$4G
                                                                          • API String ID: 3664964396-1092705001
                                                                          • Opcode ID: 9a6a8777cdfa7c77cb936d0936636049102e2a8def0660001574716ace2b74fb
                                                                          • Instruction ID: 468c59607e689fc460535f1cb9d03b19926b13a079158055e4d039246126677d
                                                                          • Opcode Fuzzy Hash: 9a6a8777cdfa7c77cb936d0936636049102e2a8def0660001574716ace2b74fb
                                                                          • Instruction Fuzzy Hash: 61312C31701134FBDB206F76AD948AE7669EB48758BA0893FF106D3141DAB88DC187AD
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 96%
                                                                          			E00426A55(void* __edi, long _a4) {
                                                                          				char _v164;
                                                                          				char _v424;
                                                                          				int _t17;
                                                                          				long _t19;
                                                                          				signed int _t42;
                                                                          				long _t47;
                                                                          				void* _t48;
                                                                          				signed int _t54;
                                                                          				void** _t56;
                                                                          				void* _t57;
                                                                          
                                                                          				_t48 = __edi;
                                                                          				_t47 = _a4;
                                                                          				_t42 = 0;
                                                                          				_t17 = 0x42dee8;
                                                                          				while(_t47 !=  *_t17) {
                                                                          					_t17 = _t17 + 8;
                                                                          					_t42 = _t42 + 1;
                                                                          					if(_t17 < 0x42df78) {
                                                                          						continue;
                                                                          					}
                                                                          					break;
                                                                          				}
                                                                          				_t54 = _t42 << 3;
                                                                          				_t2 = _t54 + 0x42dee8; // 0x94000000
                                                                          				if(_t47 ==  *_t2) {
                                                                          					_t17 =  *0x47f380; // 0x0
                                                                          					if(_t17 == 1 || _t17 == 0 &&  *0x42dc34 == 1) {
                                                                          						_t16 = _t54 + 0x42deec; // 0x428a94
                                                                          						_t56 = _t16;
                                                                          						_t19 = E00424970( *_t56);
                                                                          						_t17 = WriteFile(GetStdHandle(0xfffffff4),  *_t56, _t19,  &_a4, 0);
                                                                          					} else {
                                                                          						if(_t47 != 0xfc) {
                                                                          							if(GetModuleFileNameA(0,  &_v424, 0x104) == 0) {
                                                                          								E00425080( &_v424, "<program name unknown>");
                                                                          							}
                                                                          							_push(_t48);
                                                                          							_t49 =  &_v424;
                                                                          							if(E00424970( &_v424) + 1 > 0x3c) {
                                                                          								_t49 = E00424970( &_v424) +  &_v424 - 0x3b;
                                                                          								E004274E0(E00424970( &_v424) +  &_v424 - 0x3b, "...", 3);
                                                                          								_t57 = _t57 + 0x10;
                                                                          							}
                                                                          							E00425080( &_v164, "Runtime Error!\n\nProgram: ");
                                                                          							E00425090( &_v164, _t49);
                                                                          							E00425090( &_v164, "\n\n");
                                                                          							_t12 = _t54 + 0x42deec; // 0x428a94
                                                                          							E00425090( &_v164,  *_t12);
                                                                          							_t17 = E00427450( &_v164, "Microsoft Visual C++ Runtime Library", 0x12010);
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          				return _t17;
                                                                          			}


                                                                          APIs
                                                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 00426AC2
                                                                          • GetStdHandle.KERNEL32(000000F4,00428A94,00000000,?,00000000,00000000), ref: 00426B98
                                                                          • WriteFile.KERNEL32(00000000), ref: 00426B9F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: File$HandleModuleNameWrite
                                                                          • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                                          • API String ID: 3784150691-4022980321
                                                                          • Opcode ID: 8d3ff2caa750b5588205c198fdd24b33ff3624019d3c0a2aa5729fd559ad871a
                                                                          • Instruction ID: 0f70a1d10312b81e6f54c73e82e1ba1951fbcdd9d2096f1ce99f7ebea21e28fe
                                                                          • Opcode Fuzzy Hash: 8d3ff2caa750b5588205c198fdd24b33ff3624019d3c0a2aa5729fd559ad871a
                                                                          • Instruction Fuzzy Hash: 2731C672B012386FDF20D660EC45FAE376CEB45304FD104ABF544E6150EA78AA85CB5D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 83%
                                                                          			E0041B61B(void* __ecx, void* __esi, void* __eflags) {
                                                                          				void* _v8;
                                                                          				int _v12;
                                                                          				char _v24;
                                                                          				char _v284;
                                                                          				void* __edi;
                                                                          				long _t34;
                                                                          				int* _t37;
                                                                          				int* _t39;
                                                                          				void* _t49;
                                                                          				void* _t50;
                                                                          				void* _t58;
                                                                          				void* _t59;
                                                                          
                                                                          				_t50 = __esi;
                                                                          				_t49 = __ecx;
                                                                          				E0041BDC5( &_v24);
                                                                          				_push(E0041CD1E(0x47e350));
                                                                          				E0041C467( &_v24, "%s installation couldn\'t be found. Try re-installing the application before running update.");
                                                                          				_t39 = 0;
                                                                          				if(RegOpenKeyExA( *0x47e588, E0041CD1E(0x47e58c), 0, 0x20019,  &_v8) != 0) {
                                                                          					L5:
                                                                          					__eflags =  *0x47e6bc - _t39; // 0x0
                                                                          					if(__eflags == 0) {
                                                                          						E0041B2A8(_t39, E0041CD1E( &_v24), _t39);
                                                                          					} else {
                                                                          						 *0x47e18c =  *0x47e18c & 0xffffffbf;
                                                                          						E0041D728("<IsUpdate>", _t39);
                                                                          						goto L9;
                                                                          					}
                                                                          				} else {
                                                                          					_t58 =  *0x47e598 - _t39; // 0x0
                                                                          					if(_t58 != 0) {
                                                                          						L4:
                                                                          						_push(_t50);
                                                                          						_v12 = 0x104;
                                                                          						E00424500( &_v284, _t39, 0x104);
                                                                          						_t34 = RegQueryValueExA(_v8, E0041CD1E(0x47e598), _t39, _t39,  &_v284,  &_v12);
                                                                          						RegCloseKey(_v8);
                                                                          						__eflags = _t34 - _t39;
                                                                          						if(_t34 == _t39) {
                                                                          							__eflags =  *0x47e5a4 - _t39; // 0x0
                                                                          							if(__eflags != 0) {
                                                                          								__eflags =  *0x47e191 & 0x00000020;
                                                                          								_push( &_v284);
                                                                          								if(__eflags == 0) {
                                                                          									_t37 = E0041B8EA(_t49, __eflags);
                                                                          								} else {
                                                                          									_t37 = E0041B749();
                                                                          								}
                                                                          								_t39 = _t37;
                                                                          							} else {
                                                                          								goto L9;
                                                                          							}
                                                                          						} else {
                                                                          							goto L5;
                                                                          						}
                                                                          					} else {
                                                                          						_t59 =  *0x47e5a4 - _t39; // 0x0
                                                                          						if(_t59 != 0) {
                                                                          							goto L4;
                                                                          						} else {
                                                                          							RegCloseKey(_v8);
                                                                          							L9:
                                                                          							_t39 = 1;
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          				E0041BEFB( &_v24);
                                                                          				return _t39;
                                                                          			}
















                                                                          APIs
                                                                            • Part of subcall function 0041BDC5: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0041C189,00000000,0047E4D0,00000000), ref: 0041BDD5
                                                                            • Part of subcall function 0041BDC5: GlobalLock.KERNEL32 ref: 0041BDDF
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                            • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,00000000,?,0042DB90,0047E788), ref: 0041C489
                                                                            • Part of subcall function 0041C467: lstrlenA.KERNEL32(00000000,0042D4D0,00000000,00000000,00000001,00000001), ref: 0041C63F
                                                                            • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407DB6), ref: 0041C649
                                                                          • RegOpenKeyExA.ADVAPI32(00000000,00000000,00020019,00000000,?,00000000,0047DFB8), ref: 0041B669
                                                                          • RegCloseKey.ADVAPI32(00000000,?,00000000,0047DFB8), ref: 0041B686
                                                                          • RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,?,0047DFB8,?,?,0047DFB8,?,00000000,0047DFB8), ref: 0041B6C6
                                                                          • RegCloseKey.ADVAPI32(00000000,?,?,0047DFB8,?,00000000,0047DFB8), ref: 0041B6D1
                                                                          Strings
                                                                          • PG, xrefs: 0041B630
                                                                          • <IsUpdate>, xrefs: 0041B6EC
                                                                          • %s installation couldn't be found. Try re-installing the application before running update., xrefs: 0041B63E
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$lstrlen$AllocCloseLock$OpenQueryUnlockValue
                                                                          • String ID: %s installation couldn't be found. Try re-installing the application before running update.$<IsUpdate>$PG
                                                                          • API String ID: 1725748585-3551563719
                                                                          • Opcode ID: a6a7fe9b5aa94a618adb24312834125a62caa7a1b1ccc239d4fd5e70e750e62b
                                                                          • Instruction ID: b90e6fdb30e05719f3732ba3869b588a65d76d86e8ccd66f67b7a23a7f2ad67b
                                                                          • Opcode Fuzzy Hash: a6a7fe9b5aa94a618adb24312834125a62caa7a1b1ccc239d4fd5e70e750e62b
                                                                          • Instruction Fuzzy Hash: E2318BB190020CBFDB10AB92DD86DFE776CDB54308B50017FF505A2191EB384EC59AAE
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0041285D(intOrPtr _a4, signed int _a7, intOrPtr _a8, signed int _a12, char _a16) {
                                                                          				signed int _v5;
                                                                          				CHAR* _v12;
                                                                          				CHAR* _v16;
                                                                          				intOrPtr* _v20;
                                                                          				signed int _v24;
                                                                          				char _v36;
                                                                          				char _v48;
                                                                          				signed int _t96;
                                                                          				CHAR* _t99;
                                                                          				CHAR* _t101;
                                                                          				void* _t102;
                                                                          				signed int _t105;
                                                                          				signed int _t111;
                                                                          				signed int _t115;
                                                                          				signed int _t118;
                                                                          				signed int _t127;
                                                                          				CHAR* _t139;
                                                                          				signed int _t151;
                                                                          				signed int _t157;
                                                                          				signed int _t158;
                                                                          				signed int _t159;
                                                                          				intOrPtr _t160;
                                                                          				signed int _t200;
                                                                          				void* _t201;
                                                                          				void* _t203;
                                                                          				CHAR* _t207;
                                                                          				signed int _t212;
                                                                          				void* _t214;
                                                                          
                                                                          				_t160 = _a4;
                                                                          				_t96 = _a12 * 0x1c;
                                                                          				_t197 = _t96 + _t160;
                                                                          				_v20 = _t96 + _t160;
                                                                          				_v24 = _t96 + _t160 + 0x10;
                                                                          				while(1) {
                                                                          					_t199 = _v20;
                                                                          					_t99 = E0041D46F(E0041CD1E(_v20));
                                                                          					_t157 = _v24;
                                                                          					_v16 = _t99;
                                                                          					_t101 = E0041D46F(E0041CD1E(_t157));
                                                                          					_a7 = _a7 & 0x00000000;
                                                                          					_v5 = _v5 & 0x00000000;
                                                                          					_v12 = _t101;
                                                                          					if(_v16 == 0) {
                                                                          						_t102 = E0041BFE3(_t199, 0);
                                                                          						__eflags = _t102 - 0x22;
                                                                          						if(_t102 == 0x22) {
                                                                          							E0041BE99( &_v36, E0041CC95(_t199, 1,  *_t199 + 0xfffffffe));
                                                                          							_t151 = E00424DD9(_v36 + 1);
                                                                          							__eflags = _t151;
                                                                          							_v16 = _t151;
                                                                          							if(_t151 == 0) {
                                                                          								E0041D881(E0041CD1E(0x47e924));
                                                                          							}
                                                                          							lstrcpyA(_v16, E0041CD1E( &_v36));
                                                                          							_a7 = 1;
                                                                          							E0041BEFB( &_v36);
                                                                          						}
                                                                          						__eflags = _v12;
                                                                          					} else {
                                                                          						_t207 = _t101;
                                                                          					}
                                                                          					if(_t207 != 0 || E0041BFE3(_t157, 0) != 0x22) {
                                                                          						L13:
                                                                          						if(_v16 == 0) {
                                                                          							__eflags = _v12;
                                                                          							if(_v12 == 0) {
                                                                          								L32:
                                                                          								_t200 =  *(_v20 + 0xc);
                                                                          								if(_v16 == 0 || _v12 == 0) {
                                                                          									_t158 = E0041425E(_t197, _v20);
                                                                          									_t105 = E0041425E(_t197, _v24);
                                                                          									__eflags = _t200;
                                                                          									if(_t200 != 0) {
                                                                          										__eflags = _t200 - 1;
                                                                          										if(_t200 != 1) {
                                                                          											__eflags = _t200 - 2;
                                                                          											if(_t200 != 2) {
                                                                          												__eflags = _t200 - 3;
                                                                          												if(_t200 != 3) {
                                                                          													__eflags = _t200 - 4;
                                                                          													if(_t200 != 4) {
                                                                          														__eflags = _t200 - 5;
                                                                          														if(_t200 != 5) {
                                                                          															__eflags = _t158 & _t105;
                                                                          															L64:
                                                                          															_t84 = __eflags != 0;
                                                                          															__eflags = _t84;
                                                                          															_t159 = _t158 & 0xffffff00 | _t84;
                                                                          															goto L65;
                                                                          														}
                                                                          														__eflags = _t158 - _t105;
                                                                          														_t159 = _t158 & 0xffffff00 | _t158 - _t105 <= 0x00000000;
                                                                          														goto L65;
                                                                          													}
                                                                          													__eflags = _t158 - _t105;
                                                                          													_t159 = _t158 & 0xffffff00 | _t158 - _t105 >= 0x00000000;
                                                                          													goto L65;
                                                                          												}
                                                                          												__eflags = _t158 - _t105;
                                                                          												_t159 = _t158 & 0xffffff00 | _t158 - _t105 < 0x00000000;
                                                                          												goto L65;
                                                                          											}
                                                                          											__eflags = _t158 - _t105;
                                                                          											_t159 = _t158 & 0xffffff00 | _t158 - _t105 > 0x00000000;
                                                                          											goto L65;
                                                                          										}
                                                                          										__eflags = _t158 - _t105;
                                                                          										goto L64;
                                                                          									}
                                                                          									__eflags = _t158 - _t105;
                                                                          									_t159 = _t158 & 0xffffff00 | _t158 == _t105;
                                                                          									goto L65;
                                                                          								} else {
                                                                          									_t111 = E00424A30(_v16, _v12);
                                                                          									if(_t200 != 0) {
                                                                          										__eflags = _t200 - 1;
                                                                          										if(_t200 != 1) {
                                                                          											__eflags = _t200 - 2;
                                                                          											if(_t200 != 2) {
                                                                          												__eflags = _t200 - 3;
                                                                          												if(_t200 != 3) {
                                                                          													__eflags = _t200 - 4;
                                                                          													if(_t200 != 4) {
                                                                          														__eflags = _t200 - 5;
                                                                          														if(_t200 != 5) {
                                                                          															_t159 = 0;
                                                                          															__eflags = 0;
                                                                          														} else {
                                                                          															__eflags = _t111;
                                                                          															_t159 = _t157 & 0xffffff00 | _t111 <= 0x00000000;
                                                                          														}
                                                                          													} else {
                                                                          														__eflags = _t111;
                                                                          														_t159 = _t157 & 0xffffff00 | _t111 >= 0x00000000;
                                                                          													}
                                                                          												} else {
                                                                          													__eflags = _t111;
                                                                          													_t159 = _t157 & 0xffffff00 | _t111 < 0x00000000;
                                                                          												}
                                                                          											} else {
                                                                          												__eflags = _t111;
                                                                          												_t159 = _t157 & 0xffffff00 | _t111 > 0x00000000;
                                                                          											}
                                                                          										} else {
                                                                          											__eflags = _t111;
                                                                          											_t159 = _t157 & 0xffffff00 | _t111 != 0x00000000;
                                                                          										}
                                                                          									} else {
                                                                          										_t159 = _t157 & 0xffffff00 | _t111 == 0x00000000;
                                                                          									}
                                                                          									if(_a7 != 0) {
                                                                          										E00424DCE(_v16);
                                                                          									}
                                                                          									if(_v5 != 0) {
                                                                          										E00424DCE(_v12);
                                                                          									}
                                                                          									L65:
                                                                          									if(_a12 == _a8 - 1) {
                                                                          										return _t159;
                                                                          									}
                                                                          									if(_t159 == 0) {
                                                                          										__eflags = _a16;
                                                                          										if(_a16 == 0) {
                                                                          											__eflags = 0;
                                                                          											return 0;
                                                                          										}
                                                                          										L68:
                                                                          										_a12 = _a12 + 1;
                                                                          										_v20 = _v20 + 0x1c;
                                                                          										_v24 = _v24 + 0x1c;
                                                                          										continue;
                                                                          									}
                                                                          									if(_a16 != 0) {
                                                                          										return 1;
                                                                          									}
                                                                          									goto L68;
                                                                          								}
                                                                          							}
                                                                          							_t157 = 0;
                                                                          							__eflags =  *0x47e4dc; // 0x8
                                                                          							if(__eflags <= 0) {
                                                                          								goto L32;
                                                                          							} else {
                                                                          								goto L25;
                                                                          							}
                                                                          							while(1) {
                                                                          								L25:
                                                                          								_t201 = E0041E860(0x47e4d0, _t157);
                                                                          								_t115 = E0041C176(_t201, __eflags, _v24, 1);
                                                                          								__eflags = _t115;
                                                                          								if(_t115 != 0) {
                                                                          									break;
                                                                          								}
                                                                          								_t157 = _t157 + 1;
                                                                          								__eflags = _t157 -  *0x47e4dc; // 0x8
                                                                          								if(__eflags < 0) {
                                                                          									continue;
                                                                          								}
                                                                          								goto L32;
                                                                          							}
                                                                          							__eflags =  *(_t201 + 0xc);
                                                                          							if( *(_t201 + 0xc) == 0) {
                                                                          								_t202 = _v20;
                                                                          								_t118 = E00424DD9( *_v20 + 1);
                                                                          								__eflags = _t118;
                                                                          								_v16 = _t118;
                                                                          								if(_t118 == 0) {
                                                                          									E0041D881(E0041CD1E(0x47e924));
                                                                          								}
                                                                          								lstrcpyA(_v16, E0041CD1E(_t202));
                                                                          								_a7 = 1;
                                                                          							}
                                                                          							goto L32;
                                                                          						}
                                                                          						if(_v12 != 0) {
                                                                          							goto L32;
                                                                          						}
                                                                          						_t157 = 0;
                                                                          						_t212 =  *0x47e4dc; // 0x8
                                                                          						if(_t212 <= 0) {
                                                                          							goto L32;
                                                                          						} else {
                                                                          							goto L16;
                                                                          						}
                                                                          						while(1) {
                                                                          							L16:
                                                                          							_t203 = E0041E860(0x47e4d0, _t157);
                                                                          							if(E0041C176(_t203, _t212, _v20, 1) != 0) {
                                                                          								break;
                                                                          							}
                                                                          							_t157 = _t157 + 1;
                                                                          							_t214 = _t157 -  *0x47e4dc; // 0x8
                                                                          							if(_t214 < 0) {
                                                                          								continue;
                                                                          							}
                                                                          							goto L32;
                                                                          						}
                                                                          						__eflags =  *(_t203 + 0xc);
                                                                          						if( *(_t203 + 0xc) == 0) {
                                                                          							_t204 = _v24;
                                                                          							_t127 = E00424DD9( *_v24 + 1);
                                                                          							__eflags = _t127;
                                                                          							_v12 = _t127;
                                                                          							if(_t127 == 0) {
                                                                          								E0041D881(E0041CD1E(0x47e924));
                                                                          							}
                                                                          							lstrcpyA(_v12, E0041CD1E(_t204));
                                                                          							_v5 = 1;
                                                                          						}
                                                                          						goto L32;
                                                                          					} else {
                                                                          						E0041BE99( &_v48, E0041CC95(_t157, 1,  *_t157 + 0xfffffffe));
                                                                          						_t139 = E00424DD9(_v48 + 1);
                                                                          						_v12 = _t139;
                                                                          						if(_t139 == 0) {
                                                                          							E0041D881(E0041CD1E(0x47e924));
                                                                          						}
                                                                          						lstrcpyA(_v12, E0041CD1E( &_v48));
                                                                          						_v5 = 1;
                                                                          						E0041BEFB( &_v48);
                                                                          						goto L13;
                                                                          					}
                                                                          				}
                                                                          			}































                                                                          0x004129df
                                                                          0x004129e4
                                                                          0x004129e7
                                                                          0x004129ea
                                                                          0x004129f7
                                                                          0x004129fc
                                                                          0x00412a08
                                                                          0x00412a0e
                                                                          0x00412a0e
                                                                          0x00000000
                                                                          0x0041292b
                                                                          0x0041293e
                                                                          0x00412948
                                                                          0x00412950
                                                                          0x00412953
                                                                          0x00412960
                                                                          0x00412965
                                                                          0x00412972
                                                                          0x0041297b
                                                                          0x0041297f
                                                                          0x00000000
                                                                          0x0041297f
                                                                          0x0041291d

                                                                          APIs
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          • lstrcpyA.KERNEL32(0047E880,00000000,00000000,00000001,-000000FE,00000000,00000000,00000000,00000000,00000000,0047DFB8,?,?,00000000,?,00000000), ref: 00412908
                                                                          • lstrcpyA.KERNEL32(00000000,00000000,00000000,00000001,-000000FE,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047DFB8,?,?), ref: 00412972
                                                                          • lstrcpyA.KERNEL32(00000000,00000000,0000001C,00000001,00000000,?,00000000,0041463E), ref: 00412A08
                                                                          • lstrcpyA.KERNEL32(0047E880,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,0047DFB8,?,?,00000000,?,00000000), ref: 00412A80
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: lstrcpy$Global$AllocLockUnlock
                                                                          • String ID: $G$$G$$G$$G
                                                                          • API String ID: 809881301-2871775856
                                                                          • Opcode ID: 65cb576162cf48911098db171601cebb1f0e6c29937d8fd97abc63cb19e62d38
                                                                          • Instruction ID: cc9ef96804eb6c6a808a539a243a32eeebaa1f91f1bd0f8a0d8b4aab0d3d3760
                                                                          • Opcode Fuzzy Hash: 65cb576162cf48911098db171601cebb1f0e6c29937d8fd97abc63cb19e62d38
                                                                          • Instruction Fuzzy Hash: D2A14871E44219AFCF30AF758A816FE77A4EF40304F20456FE412E3252DABC59D19A6E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 65%
                                                                          			E00412E58() {
                                                                          				intOrPtr _v8;
                                                                          				intOrPtr _v12;
                                                                          				struct _OVERLAPPED* _v16;
                                                                          				intOrPtr* _v20;
                                                                          				char _v24;
                                                                          				signed int _v28;
                                                                          				signed int _v32;
                                                                          				long _v36;
                                                                          				long _v40;
                                                                          				char _v52;
                                                                          				char _v64;
                                                                          				long _v76;
                                                                          				char _v88;
                                                                          				char _v100;
                                                                          				void* __edi;
                                                                          				void* __ebp;
                                                                          				signed int _t81;
                                                                          				void* _t84;
                                                                          				void* _t98;
                                                                          				intOrPtr _t102;
                                                                          				intOrPtr _t106;
                                                                          				void* _t113;
                                                                          				intOrPtr _t118;
                                                                          				void* _t134;
                                                                          				void* _t140;
                                                                          				void* _t146;
                                                                          				void* _t159;
                                                                          				intOrPtr* _t165;
                                                                          				intOrPtr* _t167;
                                                                          				void* _t171;
                                                                          				long* _t192;
                                                                          				char _t234;
                                                                          				void* _t237;
                                                                          				void* _t246;
                                                                          
                                                                          				_t81 =  *0x47e4c8; // 0x0
                                                                          				_v32 = _t81;
                                                                          				_v16 = 0;
                                                                          				if(_t81 <= 0) {
                                                                          					L41:
                                                                          					return 1;
                                                                          				} else {
                                                                          					_v28 = 0x64;
                                                                          					_t234 = "\r\n";
                                                                          					do {
                                                                          						_t165 = E0041E860(0x47e4bc, _v16);
                                                                          						_v20 = _t165;
                                                                          						_t84 = E00412BA7( *((intOrPtr*)(_t165 + 0x28)));
                                                                          						_t239 = _t84;
                                                                          						if(_t84 == 0) {
                                                                          							goto L39;
                                                                          						}
                                                                          						_t7 = _t165 + 4; // 0x4
                                                                          						_v12 = _t7;
                                                                          						E004164B1(0x47dfb8, _t239, _t7);
                                                                          						_t167 = _t165 + 0x10;
                                                                          						E004164B1(0x47dfb8, _t239, _t167);
                                                                          						_v8 = _v20 + 0x1c;
                                                                          						E004164B1(0x47dfb8, _t239, _v20 + 0x1c);
                                                                          						E0041BE99( &_v64, E0041CC95(_v12, 0, E0041C7DB(_v12, "\\", 0, 1)));
                                                                          						E0040DC10(E0041CD1E( &_v64), 1);
                                                                          						_t98 = E0040DF52(E0041CD1E(_v12));
                                                                          						_t240 = _t98;
                                                                          						if(_t98 == 0) {
                                                                          							_t159 = E0041CD1E(_v12);
                                                                          							_push(0x47e794);
                                                                          							_push(_t159);
                                                                          							E00421CE6(_t240);
                                                                          							CloseHandle(CreateFileA(E0041CD1E(_v12), 0x40000000, 1, 0, 4, 0x80, 0));
                                                                          						}
                                                                          						if( *_v20 != 1) {
                                                                          							E0041BDC5( &_v52);
                                                                          							_t102 = E0041CAC5( &_v52, E0041CD1E(_v12), 0, 0);
                                                                          							__eflags = _t102;
                                                                          							if(_t102 < 0) {
                                                                          								L24:
                                                                          								E0041BEFB( &_v52);
                                                                          								L38:
                                                                          								E0041BEFB( &_v64);
                                                                          								goto L39;
                                                                          							}
                                                                          							_t106 =  *_v20;
                                                                          							__eflags = _t106;
                                                                          							if(_t106 != 0) {
                                                                          								__eflags = _t106 - 2;
                                                                          								if(_t106 != 2) {
                                                                          									__eflags = _t106 - 3;
                                                                          									if(_t106 != 3) {
                                                                          										__eflags = _t106 - 4;
                                                                          										if(_t106 != 4) {
                                                                          											__eflags = _t106 - 5;
                                                                          											if(_t106 != 5) {
                                                                          												__eflags = _t106 - 6;
                                                                          												if(_t106 != 6) {
                                                                          													__eflags = _t106 - 7;
                                                                          													if(_t106 == 7) {
                                                                          														_t113 = E0041CD1E(_v8);
                                                                          														E0041CBF9( &_v52, __eflags, E0041CD1E(_t167), _t113, 0, 0, 1);
                                                                          													}
                                                                          													L35:
                                                                          													E0041CE0E( &_v52, E0041CD1E(_v12));
                                                                          													_t192 =  &_v52;
                                                                          													L36:
                                                                          													E0041BEFB(_t192);
                                                                          													if(_v32 > 0) {
                                                                          														asm("cdq");
                                                                          														E00414C1B(_v28 % _v32, _t234, _t237, _v28 / _v32, 0);
                                                                          													}
                                                                          													goto L38;
                                                                          												}
                                                                          												E0041BDC5( &_v100);
                                                                          												_v24 = 0;
                                                                          												E0041BDC5( &_v88);
                                                                          												while(1) {
                                                                          													_push(_v24);
                                                                          													_t118 = E0041C9D2( &_v52);
                                                                          													__eflags = _t118;
                                                                          													if(_t118 == 0) {
                                                                          														break;
                                                                          													}
                                                                          													E0041C92F( &_v52,  &_v24,  &_v100);
                                                                          													__eflags = E0041CC5D( &_v100, E0041CD1E(_t167));
                                                                          													if(__eflags == 0) {
                                                                          														E0041C0C5( &_v88, __eflags,  &_v100);
                                                                          														E0041C047( &_v88, _t234, 0);
                                                                          													}
                                                                          												}
                                                                          												E0041BF80( &_v52,  &_v88);
                                                                          												E0041BEFB( &_v88);
                                                                          												E0041BEFB( &_v100);
                                                                          												goto L35;
                                                                          											}
                                                                          											E0041C047(_t167, _t234, 0);
                                                                          											E0041C047(_v8, _t234, 0);
                                                                          											_push(0);
                                                                          											_push(0);
                                                                          											_push(E0041CD1E(_t167));
                                                                          											_t134 = E0041C6D0( &_v52);
                                                                          											__eflags = _t134 - 0xffffffff;
                                                                          											if(_t134 != 0xffffffff) {
                                                                          												_push(0);
                                                                          												L26:
                                                                          												_push(_t134);
                                                                          												L13:
                                                                          												_push(E0041CD1E(_v8));
                                                                          												E0041CA20( &_v52);
                                                                          												goto L35;
                                                                          											}
                                                                          											goto L24;
                                                                          										}
                                                                          										E0041C047(_t167, _t234, 0);
                                                                          										E0041C047(_v8, _t234, 0);
                                                                          										_push(0);
                                                                          										_push(0);
                                                                          										_push(E0041CD1E(_t167));
                                                                          										_t140 = E0041C6D0( &_v52);
                                                                          										__eflags = _t140 - 0xffffffff;
                                                                          										if(_t140 == 0xffffffff) {
                                                                          											goto L24;
                                                                          										}
                                                                          										_push(0);
                                                                          										_push( *_t167 + _t140);
                                                                          										goto L13;
                                                                          									}
                                                                          									E0041C047(_t167, _t234, 0);
                                                                          									E0041C416( &_v52, E0041CD1E(_t167), 0, 1, 0);
                                                                          									goto L35;
                                                                          								}
                                                                          								E0041C047(_t167, _t234, 0);
                                                                          								_push(0);
                                                                          								_push(0);
                                                                          								_push(E0041CD1E(_t167));
                                                                          								_t146 = E0041C6D0( &_v52);
                                                                          								__eflags = _t146 - 0xffffffff;
                                                                          								if(_t146 == 0xffffffff) {
                                                                          									goto L24;
                                                                          								}
                                                                          								_push(0);
                                                                          								_t134 =  *_t167 + _t146 - 2;
                                                                          								goto L26;
                                                                          							}
                                                                          							E0041C047(_v8, _t234, 0);
                                                                          							_push(0);
                                                                          							_push(0);
                                                                          							goto L13;
                                                                          						}
                                                                          						_t171 = CreateFileA(E0041CD1E(_v12), 0xc0000000, 1, 0, 4, 0x80, 0);
                                                                          						if(_t171 == 0xffffffff) {
                                                                          							goto L38;
                                                                          						}
                                                                          						_v36 = 0;
                                                                          						SetFilePointer(_t171, 0,  &_v36, 2);
                                                                          						E0041BE99( &_v76, _v8);
                                                                          						if(GetFileSize(_t171, 0) > 0) {
                                                                          							E0041CA20( &_v76, _t234, 0, 0);
                                                                          						}
                                                                          						_v40 = 0;
                                                                          						WriteFile(_t171, E0041CD1E( &_v76), _v76,  &_v40, 0);
                                                                          						CloseHandle(_t171);
                                                                          						_t192 =  &_v76;
                                                                          						goto L36;
                                                                          						L39:
                                                                          						_v16 = _v16 + 1;
                                                                          						_v28 = _v28 + 0x64;
                                                                          						_t246 = _v16 -  *0x47e4c8; // 0x0
                                                                          					} while (_t246 < 0);
                                                                          					goto L41;
                                                                          				}
                                                                          			}






































                                                                          APIs
                                                                            • Part of subcall function 0041C7DB: lstrlenA.KERNEL32(0047DFB8,00000000,0047DE94,0042BC5C,0042BC5C,00000000,00000001,0047E6C8,?,0047DFB8), ref: 0041C7E9
                                                                            • Part of subcall function 0041BE99: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0042C1D8,00421A71,00000000,00000000,00000000,0042C1D8,00000000,00000001,00000000,00000001,0000005C,00000000,00000000), ref: 0041BEB3
                                                                            • Part of subcall function 0041BE99: GlobalLock.KERNEL32 ref: 0041BED4
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                            • Part of subcall function 0040DC10: GetCurrentDirectoryA.KERNEL32(00000104,00000001,00000000,00000004,0047DFB8,00000010,00000004,00000010,00000004,00000001,0047F208,0047E880,00000000), ref: 0040DC73
                                                                            • Part of subcall function 0040DC10: SetCurrentDirectoryA.KERNEL32(?), ref: 0040DC9B
                                                                            • Part of subcall function 0040DC10: GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,?,?,?,?,?,?,004237A4,00000000,00000000,0047F208,00000001), ref: 0040DD05
                                                                            • Part of subcall function 0040DC10: lstrlenA.KERNEL32(?), ref: 0040DD16
                                                                            • Part of subcall function 0040DC10: lstrlenA.KERNEL32(?), ref: 0040DD20
                                                                            • Part of subcall function 0040DC10: lstrlenA.KERNEL32(?), ref: 0040DD30
                                                                            • Part of subcall function 0040DC10: SetCurrentDirectoryA.KERNEL32(00000000), ref: 0040DD5B
                                                                            • Part of subcall function 0040DC10: CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0040DD67
                                                                            • Part of subcall function 0040DC10: SetCurrentDirectoryA.KERNEL32(00000000), ref: 0040DD72
                                                                          • CreateFileA.KERNEL32(00000000,40000000,00000001,00000000,00000004,00000080,00000000,00000000,0047E794,00000000,00000000,00000000,0042BC5C,00000000,00000001,?), ref: 00412F51
                                                                          • CloseHandle.KERNEL32(00000000), ref: 00412F58
                                                                            • Part of subcall function 0041BDC5: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0041C189,00000000,0047E4D0,00000000), ref: 0041BDD5
                                                                            • Part of subcall function 0041BDC5: GlobalLock.KERNEL32 ref: 0041BDDF
                                                                            • Part of subcall function 0041CAC5: CreateFileA.KERNEL32(0047DFB8,80000000,00000001,00000000,00000003,00000080,00000000,74E5FBD0,0047E2F0,00000000,?,0047DFB8), ref: 0041CAE5
                                                                            • Part of subcall function 0041C047: lstrlenA.KERNEL32(00000000,00422D86,0047E788,004221EF,103,00000000,00000000,00000000,00000000,0047E788,00000000), ref: 0041C04F
                                                                            • Part of subcall function 0041C047: GlobalUnlock.KERNEL32(8415FF57), ref: 0041C067
                                                                            • Part of subcall function 0041C047: GlobalReAlloc.KERNEL32 ref: 0041C074
                                                                            • Part of subcall function 0041C047: GlobalLock.KERNEL32 ref: 0041C095
                                                                            • Part of subcall function 0041C6D0: lstrlenA.KERNEL32(0047E788,00000000,0042C1D8,00000001,00000000,0000005C,00000000,00000000,0047E490,0047E788,00000000), ref: 0041C6DE
                                                                          • CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000004,00000080,00000000,00000000,00000000,00000000,0042BC5C,00000000,00000001,?,-00000010,00000004), ref: 00412F83
                                                                          • SetFilePointer.KERNEL32(00000000,00000000,?,00000002), ref: 00412F9F
                                                                          • GetFileSize.KERNEL32(00000000,00000000,?), ref: 00412FB2
                                                                          • WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00412FDC
                                                                          • CloseHandle.KERNEL32(00000000), ref: 00412FE3
                                                                            • Part of subcall function 00421CE6: lstrlenA.KERNEL32(0047DFB8,?,0047DFB8,?,00411457,00000000,0047E794), ref: 00421CFC
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$lstrlen$DirectoryFile$Current$AllocCreateLock$CloseHandleUnlock$PointerSizeWrite
                                                                          • String ID:
                                                                          • API String ID: 2476745626-0
                                                                          • Opcode ID: ce08af38f1a14a7eaa29a8a45040529bef0bc21b7ccd4226394128b8269597af
                                                                          • Instruction ID: ffb1d7bd0d554ea9a3b8ed63be469a5a1bbe6e3829c611c30b3a7cfdc5e1920b
                                                                          • Opcode Fuzzy Hash: ce08af38f1a14a7eaa29a8a45040529bef0bc21b7ccd4226394128b8269597af
                                                                          • Instruction Fuzzy Hash: 7CA14E70940118BACF24EBA6DDD5DEF7B79AF05358F10012FF106A6192DF385A85CBA8
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 93%
                                                                          			E00420151(intOrPtr __ecx, void* __edx, void* __eflags) {
                                                                          				intOrPtr _v8;
                                                                          				long _v12;
                                                                          				long _v16;
                                                                          				char _v20;
                                                                          				intOrPtr _v24;
                                                                          				signed int _v32;
                                                                          				char _v44;
                                                                          				char _v56;
                                                                          				char _v68;
                                                                          				char _v80;
                                                                          				void* __edi;
                                                                          				void* __ebp;
                                                                          				intOrPtr* _t58;
                                                                          				void* _t78;
                                                                          				int _t86;
                                                                          				int _t87;
                                                                          				signed int _t92;
                                                                          				long _t102;
                                                                          				intOrPtr _t104;
                                                                          				intOrPtr _t137;
                                                                          				void* _t139;
                                                                          				CHAR* _t140;
                                                                          				intOrPtr _t141;
                                                                          				long _t142;
                                                                          				CHAR* _t144;
                                                                          				intOrPtr _t146;
                                                                          				void* _t147;
                                                                          
                                                                          				_t139 = __edx;
                                                                          				_v24 = __ecx;
                                                                          				_t142 = 0;
                                                                          				_v16 = 0;
                                                                          				_v20 = 0;
                                                                          				E0041BDC5( &_v44);
                                                                          				_t58 = E00424DD9(0x13c);
                                                                          				if(_t58 == 0) {
                                                                          					_v12 = 0;
                                                                          				} else {
                                                                          					_t5 = _t58 + 4; // 0x4
                                                                          					_t146 = _t5;
                                                                          					_t137 = 0x1a;
                                                                          					_t141 = _t146;
                                                                          					 *_t58 = _t137;
                                                                          					_t104 = _t137;
                                                                          					do {
                                                                          						E0041BDC5(_t141);
                                                                          						_t141 = _t141 + 0xc;
                                                                          						_t104 = _t104 - 1;
                                                                          					} while (_t104 != 0);
                                                                          					_v12 = _t146;
                                                                          					_t142 = 0;
                                                                          				}
                                                                          				if(_v12 == _t142) {
                                                                          					L7:
                                                                          					 *0x47e2c8 =  *0x47e2c8 + 1;
                                                                          				} else {
                                                                          					_t102 = GetLogicalDriveStringsA(_t142, _t142);
                                                                          					_t140 = E00424DD9(_t102);
                                                                          					if(_t140 != 0) {
                                                                          						GetLogicalDriveStringsA(_t102, _t140);
                                                                          						_t144 = _t140;
                                                                          						E0041BE35( &_v80, "(HD space placeholder)");
                                                                          						E0041EEC5(_v24,  &_v80);
                                                                          						__eflags =  *_t140;
                                                                          						if( *_t140 != 0) {
                                                                          							_v8 = _v12;
                                                                          							do {
                                                                          								E0041BF12(_v8, _t144);
                                                                          								_t86 = GetDriveTypeA(E0041CD1E(_v8));
                                                                          								__eflags = _t86 - 3;
                                                                          								if(_t86 == 3) {
                                                                          									_v16 = _v16 + 1;
                                                                          									E0041BF12( &_v44, "    ");
                                                                          									E0041C0C5( &_v44, __eflags, _v8);
                                                                          									E0041BFF8( &_v44, 9);
                                                                          									_t92 = E0040DE4D(E0041CD1E(_v8), 1);
                                                                          									__eflags = _t139 -  *0x47e654; // 0x0
                                                                          									_v32 = _t92;
                                                                          									if(__eflags <= 0) {
                                                                          										if(__eflags < 0) {
                                                                          											L14:
                                                                          											_t24 =  &_v20;
                                                                          											 *_t24 = _v20 + 1;
                                                                          											__eflags =  *_t24;
                                                                          										} else {
                                                                          											__eflags = _t92 -  *0x47e650; // 0x207a58a
                                                                          											if(__eflags < 0) {
                                                                          												goto L14;
                                                                          											}
                                                                          										}
                                                                          									}
                                                                          									E0041BDC5( &_v56);
                                                                          									E0041D95E(_v32, _t103,  &_v56);
                                                                          									_t147 = _t147 + 0xc;
                                                                          									E0041C0C5( &_v44, __eflags,  &_v56);
                                                                          									E0041EEC5(_v24,  &_v44);
                                                                          									E0041BEFB( &_v56);
                                                                          								}
                                                                          								_v8 = _v8 + 0xc;
                                                                          								_t87 = lstrlenA(_t144);
                                                                          								__eflags = _t144[_t87 + 1];
                                                                          								_t144 =  &(_t144[_t87 + 1]);
                                                                          							} while (__eflags != 0);
                                                                          						}
                                                                          						E00424DCE(_t140);
                                                                          						_push(3);
                                                                          						E004190EC(_v12, _t140);
                                                                          						E0041BF80( &_v44, 0x47ea44);
                                                                          						E0041C047( &_v44, "\t\t", 0);
                                                                          						E0041BDC5( &_v68);
                                                                          						E0041D95E( *0x47e650,  *0x47e654,  &_v68);
                                                                          						E0041C0C5( &_v44, __eflags,  &_v68);
                                                                          						E0041BFF8( &_v44, 9);
                                                                          						__eflags = _v20 - _v16;
                                                                          						if(__eflags != 0) {
                                                                          							_push(0x47e8f4);
                                                                          						} else {
                                                                          							 *0x47e2c0 =  *0x47e2c0 + 1;
                                                                          							_push(0x47e8dc);
                                                                          						}
                                                                          						E0041C0C5( &_v44, __eflags);
                                                                          						_t78 = E0041CD1E( &_v44);
                                                                          						E0041CBF9(_v24, __eflags, E0041CD1E( &_v80), _t78, 0, 0, 1);
                                                                          						E0041BEFB( &_v68);
                                                                          						E0041BEFB( &_v80);
                                                                          					} else {
                                                                          						goto L7;
                                                                          					}
                                                                          				}
                                                                          				return E0041BEFB( &_v44);
                                                                          			}

                                                                          APIs
                                                                            • Part of subcall function 0041BDC5: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0041C189,00000000,0047E4D0,00000000), ref: 0041BDD5
                                                                            • Part of subcall function 0041BDC5: GlobalLock.KERNEL32 ref: 0041BDDF
                                                                          • GetLogicalDriveStringsA.KERNEL32 ref: 004201AC
                                                                          • GetLogicalDriveStringsA.KERNEL32 ref: 004201CA
                                                                          • GetDriveTypeA.KERNEL32(00000000,00000000,?,(HD space placeholder),?,?,?,?,?,?,?,?,?,0042168B,00000000,00000000), ref: 00420208
                                                                          • lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0042168B,00000000,00000000,00000000,00000000,00000000), ref: 004202A5
                                                                            • Part of subcall function 0041C0C5: GlobalUnlock.KERNEL32(?,00000000,0047E380,?,00421CA7,00000004,?,00000000,00000000,00000000,0047E490,0047E788,0047E380,0047E788,?,00422453), ref: 0041C0DE
                                                                            • Part of subcall function 0041C0C5: GlobalReAlloc.KERNEL32 ref: 0041C0EB
                                                                            • Part of subcall function 0041C0C5: GlobalLock.KERNEL32 ref: 0041C10C
                                                                            • Part of subcall function 0041BFF8: GlobalUnlock.KERNEL32(8415FF57,0047E788,004221E2,00000000,00000000,00000000,0047E788,00000000), ref: 0041C000
                                                                            • Part of subcall function 0041BFF8: GlobalReAlloc.KERNEL32 ref: 0041C00D
                                                                            • Part of subcall function 0041BFF8: GlobalLock.KERNEL32 ref: 0041C02E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocDriveLock$LogicalStringsUnlock$Typelstrlen
                                                                          • String ID: $(HD space placeholder)
                                                                          • API String ID: 88277077-3858189379
                                                                          • Opcode ID: 4413343c6dada0bd3077a0a3251622b39917ba5774e06876e684359967b27202
                                                                          • Instruction ID: 262f8474926e1645baff895f9dfb9859fe624d7e810762e3b04d7bb70cf72b9e
                                                                          • Opcode Fuzzy Hash: 4413343c6dada0bd3077a0a3251622b39917ba5774e06876e684359967b27202
                                                                          • Instruction Fuzzy Hash: 4D515371E00219EACB14EBA2EC859EEBB75EF18314F54005FF505B3192DB385E85CB99
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 80%
                                                                          			E00423A3D() {
                                                                          				signed int _v8;
                                                                          				intOrPtr _v20;
                                                                          				intOrPtr _v28;
                                                                          				signed int _v32;
                                                                          				CHAR* _v48;
                                                                          				CHAR* _v52;
                                                                          				CHAR* _v56;
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				CHAR* _t25;
                                                                          				void* _t49;
                                                                          				CHAR* _t51;
                                                                          				void* _t72;
                                                                          				CHAR* _t75;
                                                                          				signed int _t77;
                                                                          				signed int _t78;
                                                                          				intOrPtr _t81;
                                                                          
                                                                          				_push(0xffffffff);
                                                                          				_push(0x4286f8);
                                                                          				_push(E00424EE0);
                                                                          				_push( *[fs:0x0]);
                                                                          				 *[fs:0x0] = _t81;
                                                                          				_push(_t49);
                                                                          				_push(_t77);
                                                                          				_push(_t72);
                                                                          				_v28 = _t81 - 0x30;
                                                                          				_t78 = _t77 | 0xffffffff;
                                                                          				if( *0x47f240 != 0) {
                                                                          					E00407B45(_t49, _t72, _t78, 1);
                                                                          					_t75 = E00424DD9(0x104);
                                                                          					_v48 = _t75;
                                                                          					if(_t75 == 0) {
                                                                          						E0041D881(E0041CD1E(0x47e924));
                                                                          					}
                                                                          					_t25 = E00424DD9(0x104);
                                                                          					_v52 = _t25;
                                                                          					if(_t25 == 0) {
                                                                          						E0041D881(E0041CD1E(0x47e924));
                                                                          					}
                                                                          					_t51 = E00424DD9(0x104);
                                                                          					_v56 = _t51;
                                                                          					if(_t51 == 0) {
                                                                          						E0041D881(E0041CD1E(0x47e924));
                                                                          					}
                                                                          					E00424500(_t75, 0, 0x104);
                                                                          					E00424500(_v52, 0, 0x104);
                                                                          					E00424500(_t51, 0, 0x104);
                                                                          					lstrcatA(_t75, E0041CD1E(0x47e1b8));
                                                                          					lstrcatA(_v52, E0041CD1E(0x47e1c4));
                                                                          					lstrcatA(_t51, E0041CD1E(0x47e1d0));
                                                                          					_v8 = _v8 & 0x00000000;
                                                                          					_t78 =  *0x47f240( *0x47e178, _v48, 0x104, _v52, 0x104, _t51, 0x104);
                                                                          					_v32 = _t78;
                                                                          					_v8 = _v8 | 0xffffffff;
                                                                          					E0041BF12(0x47e1b8, _v48);
                                                                          					E0041BF12(0x47e1c4, _v52);
                                                                          					E0041BF12(0x47e1d0, _t51);
                                                                          					E00424DCE(_v48);
                                                                          					E00424DCE(_v52);
                                                                          					E00424DCE(_t51);
                                                                          					if(_t78 == 1) {
                                                                          						if(_t78 != 2) {
                                                                          							goto L14;
                                                                          						} else {
                                                                          							goto L12;
                                                                          						}
                                                                          					} else {
                                                                          						if(_t78 == 2) {
                                                                          							L12:
                                                                          							if( *0x42bf98 == 0xffffffff) {
                                                                          								L14:
                                                                          								_t78 = 0;
                                                                          							} else {
                                                                          								_t78 = 1;
                                                                          							}
                                                                          						} else {
                                                                          							E0041A1B5(1);
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          				if(_t78 <= 0) {
                                                                          					E004145F6(0x47e880, 6);
                                                                          					E004112B1(6);
                                                                          				}
                                                                          				 *[fs:0x0] = _v20;
                                                                          				return _t78;
                                                                          			}

                                                                          APIs
                                                                            • Part of subcall function 00407B45: DeleteObject.GDI32(?), ref: 00407B99
                                                                            • Part of subcall function 00407B45: DeleteObject.GDI32(?), ref: 00407BA9
                                                                            • Part of subcall function 00407B45: DestroyWindow.USER32(?,00000000,0047DFB8,00000094,?,0041A1BF,00000001,0047DFB8,0041A044,00000001,00000000,00000000,00000000,?,0047E924,0041D88F), ref: 00407BE2
                                                                            • Part of subcall function 00407B45: DeleteObject.GDI32(?), ref: 00407C0B
                                                                            • Part of subcall function 00407B45: DeleteObject.GDI32(?), ref: 00407C22
                                                                            • Part of subcall function 00407B45: DeleteObject.GDI32(?), ref: 00407C39
                                                                            • Part of subcall function 00407B45: DeleteObject.GDI32(?), ref: 00407C50
                                                                          • lstrcatA.KERNEL32(00000000,00000000,?,?,?,?,?,?,0047E50C,00000000,00000000,FFFFFFFF,0000000E,00000000,0047DFB8), ref: 00423B13
                                                                          • lstrcatA.KERNEL32(FFFFFFFF,00000000,?,?,?,?,?,?,0047E50C,00000000,00000000,FFFFFFFF,0000000E,00000000,0047DFB8), ref: 00423B23
                                                                          • lstrcatA.KERNEL32(00000000,00000000,?,?,?,?,?,?,0047E50C,00000000,00000000,FFFFFFFF,0000000E,00000000,0047DFB8), ref: 00423B31
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: DeleteObject$Globallstrcat$AllocDestroyLockUnlockWindow
                                                                          • String ID: $G$$G$$G
                                                                          • API String ID: 1134962081-397660746
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 77%
                                                                          			E004102F6(intOrPtr* __ecx) {
                                                                          				char _v8;
                                                                          				long _v12;
                                                                          				char _v24;
                                                                          				char _v36;
                                                                          				char _v48;
                                                                          				void* _t53;
                                                                          				void* _t55;
                                                                          				void* _t61;
                                                                          				CHAR* _t68;
                                                                          				void* _t99;
                                                                          				intOrPtr _t100;
                                                                          				intOrPtr* _t101;
                                                                          				intOrPtr _t105;
                                                                          				intOrPtr _t107;
                                                                          
                                                                          				_t101 = __ecx;
                                                                          				 *((intOrPtr*)(__ecx + 4)) = 0;
                                                                          				_v8 = 0;
                                                                          				E0041BDC5( &_v24);
                                                                          				while(1) {
                                                                          					_push(_v8);
                                                                          					if(E0041C9D2(0x47e5bc) == 0) {
                                                                          						break;
                                                                          					}
                                                                          					E0041C92F(0x47e5bc,  &_v8,  &_v24);
                                                                          					_t99 = CreateFileA(E0041CD1E( &_v24), 0x80000000, 1, 0, 3, 0x80, 0);
                                                                          					if(_t99 == 0xffffffff) {
                                                                          						L13:
                                                                          						E0041BEFB( &_v24);
                                                                          						return 0;
                                                                          					}
                                                                          					_v12 = GetFileSize(_t99, 0);
                                                                          					CloseHandle(_t99);
                                                                          					_t100 = _v12;
                                                                          					 *_t101 = _t100;
                                                                          					E0041BE99( &_v36,  &_v24);
                                                                          					E0041C3A9( &_v36, _v36 + 0xfffffffd, 3);
                                                                          					E0041C047( &_v36, "BMP", 0);
                                                                          					_t105 =  *0x47f27c; // 0x1
                                                                          					if(_t105 == 0) {
                                                                          						E0041BE35( &_v48, E0041CD1E(0x47eea0));
                                                                          						E0041BFF8( &_v48, 0x20);
                                                                          						E0041C0C5( &_v48, _t105,  &_v24);
                                                                          						_t68 = E0041CD1E( &_v48);
                                                                          						_t20 = _t101 + 8; // 0x0
                                                                          						SetDlgItemTextA( *_t20, 0x14, _t68);
                                                                          						E0041BEFB( &_v48);
                                                                          					}
                                                                          					_t53 =  *0x47e2dc(E0041CD1E( &_v24), E0041CD1E( &_v36), E00415012, E0041505D);
                                                                          					_t106 = _t53;
                                                                          					if(_t53 <= 0) {
                                                                          						E0041BEFB( &_v36);
                                                                          						goto L13;
                                                                          					} else {
                                                                          						_t55 = E0041CD1E( &_v36);
                                                                          						_push(0x47e794);
                                                                          						_push(_t55);
                                                                          						E00421CE6(_t106);
                                                                          						_t107 =  *0x47e610; // 0x0
                                                                          						if(_t107 != 0) {
                                                                          							if(E00424DD9(0xc) == 0) {
                                                                          								_t61 = 0;
                                                                          								__eflags = 0;
                                                                          							} else {
                                                                          								_t61 = E0041BE99(_t60,  &_v36);
                                                                          							}
                                                                          							E0041E87A(0x47e634, _t61, 0xffffffff);
                                                                          						}
                                                                          						E0040D85F(E0041CD1E( &_v24));
                                                                          						 *((intOrPtr*)(_t101 + 4)) =  *((intOrPtr*)(_t101 + 4)) + _t100;
                                                                          						E0041BEFB( &_v36);
                                                                          						continue;
                                                                          					}
                                                                          				}
                                                                          				E0041BEFB( &_v24);
                                                                          				return 1;
                                                                          			}


















                                                                          APIs
                                                                            • Part of subcall function 0041BDC5: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0041C189,00000000,0047E4D0,00000000), ref: 0041BDD5
                                                                            • Part of subcall function 0041BDC5: GlobalLock.KERNEL32 ref: 0041BDDF
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,00000000,00000003,0047E880,00000000,?,?,00412577), ref: 00410351
                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,00412577,00000000,00000000,00000000,00000000,0047E880,0047DFB8,?,00000000,0041520C,00000000,?), ref: 00410364
                                                                          • CloseHandle.KERNEL32(00000000,?,?,00412577,00000000,00000000,00000000,00000000,0047E880,0047DFB8,?,00000000,0041520C,00000000,?), ref: 0041036E
                                                                            • Part of subcall function 0041BE99: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0042C1D8,00421A71,00000000,00000000,00000000,0042C1D8,00000000,00000001,00000000,00000001,0000005C,00000000,00000000), ref: 0041BEB3
                                                                            • Part of subcall function 0041BE99: GlobalLock.KERNEL32 ref: 0041BED4
                                                                            • Part of subcall function 0041C3A9: GlobalUnlock.KERNEL32(?,00000000,00000000,00421A09,00000000,00000001,0000005C,00000000,00000000,00000000,0000005C,00000000,00000000,0047E490,0047E788,00000000), ref: 0041C3D8
                                                                            • Part of subcall function 0041C3A9: GlobalReAlloc.KERNEL32 ref: 0041C3E5
                                                                            • Part of subcall function 0041C3A9: GlobalLock.KERNEL32 ref: 0041C406
                                                                            • Part of subcall function 0041C047: lstrlenA.KERNEL32(00000000,00422D86,0047E788,004221EF,103,00000000,00000000,00000000,00000000,0047E788,00000000), ref: 0041C04F
                                                                            • Part of subcall function 0041C047: GlobalUnlock.KERNEL32(8415FF57), ref: 0041C067
                                                                            • Part of subcall function 0041C047: GlobalReAlloc.KERNEL32 ref: 0041C074
                                                                            • Part of subcall function 0041C047: GlobalLock.KERNEL32 ref: 0041C095
                                                                          • SetDlgItemTextA.USER32 ref: 004103E3
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocLock$Unlock$File$CloseCreateHandleItemSizeTextlstrlen
                                                                          • String ID: 4G$BMP
                                                                          • API String ID: 344598365-661391485
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0040612F(void* __ecx, intOrPtr* _a4) {
                                                                          				struct tagPOINT _v12;
                                                                          				signed int _v20;
                                                                          				intOrPtr _v24;
                                                                          				void* _v28;
                                                                          				int _v40;
                                                                          				int _v44;
                                                                          				intOrPtr _v64;
                                                                          				void* _v68;
                                                                          				intOrPtr _t37;
                                                                          				struct HWND__* _t38;
                                                                          				long _t40;
                                                                          				intOrPtr _t44;
                                                                          				intOrPtr _t49;
                                                                          				intOrPtr _t58;
                                                                          				signed int _t59;
                                                                          				intOrPtr _t61;
                                                                          				int _t64;
                                                                          				intOrPtr* _t74;
                                                                          				intOrPtr* _t75;
                                                                          				void* _t76;
                                                                          
                                                                          				_t74 = _a4;
                                                                          				_t76 = __ecx;
                                                                          				_t37 =  *((intOrPtr*)(_t74 + 8));
                                                                          				_t64 = 0;
                                                                          				if(_t37 != 0xfffffe64) {
                                                                          					if(_t37 != 0xfffffe6d) {
                                                                          						if(_t37 != 0xfffffe6e) {
                                                                          							goto L3;
                                                                          						}
                                                                          						_t58 = E0040607A(__ecx,  *((intOrPtr*)(_t74 + 0x3c)));
                                                                          						if(_t58 != 0xffffffff) {
                                                                          							 *((intOrPtr*)(__ecx + 0x10)) = _t58;
                                                                          						}
                                                                          						goto L20;
                                                                          					}
                                                                          					_t59 = E0040607A(__ecx,  *((intOrPtr*)(_t74 + 0x10)));
                                                                          					if(_t59 != 0xffffffff) {
                                                                          						_t61 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 8)) + _t59 * 4)) + 8));
                                                                          						 *((intOrPtr*)(_t74 + 0x28)) = _t61;
                                                                          						 *((intOrPtr*)(_t74 + 0x24)) = _t61;
                                                                          					}
                                                                          					goto L20;
                                                                          				} else {
                                                                          					if( *((short*)(_t74 + 0xc)) == 0x20) {
                                                                          						_t64 = 1;
                                                                          					}
                                                                          					L3:
                                                                          					if(_t37 == 0xfffffffe || _t37 == 0xfffffffd || _t64 != 0) {
                                                                          						_t38 =  *(_t76 + 0xc);
                                                                          						if( *_t74 != _t38) {
                                                                          							goto L27;
                                                                          						}
                                                                          						if(_t64 != 0) {
                                                                          							_t40 = SendMessageA(_t38, 0x110a, 9, 0);
                                                                          							L17:
                                                                          							if(E0040607A(_t76, _t40) == 0xffffffff) {
                                                                          								goto L27;
                                                                          							}
                                                                          							_t75 = E00406060(_t76, _t41);
                                                                          							if(_t75 == 0) {
                                                                          								goto L27;
                                                                          							}
                                                                          							if( *((intOrPtr*)(_t75 + 8)) != 2) {
                                                                          								_v68 = 0x32;
                                                                          								_v64 =  *_t75;
                                                                          								_t44 =  *((intOrPtr*)(_t75 + 8));
                                                                          								if(_t44 != 0) {
                                                                          									if(_t44 == 1 || _t44 == 3) {
                                                                          										 *((intOrPtr*)(_t75 + 8)) = 0;
                                                                          										_v40 = 0;
                                                                          										_v44 = 0;
                                                                          									}
                                                                          								} else {
                                                                          									_t49 = 1;
                                                                          									 *((intOrPtr*)(_t75 + 8)) = _t49;
                                                                          									_v40 = _t49;
                                                                          									_v44 = _t49;
                                                                          								}
                                                                          								SendMessageA( *(_t76 + 0xc), 0x110d, 0,  &_v68);
                                                                          								E004062C4(_t76,  *_t75,  *((intOrPtr*)(_t75 + 8)));
                                                                          								E00406506(_t76);
                                                                          								goto L27;
                                                                          							}
                                                                          							L20:
                                                                          							return 0;
                                                                          						}
                                                                          						GetCursorPos( &_v12);
                                                                          						ScreenToClient( *(_t76 + 0xc),  &_v12);
                                                                          						_v28 = _v12.x;
                                                                          						_v24 = _v12.y;
                                                                          						_t40 = SendMessageA( *(_t76 + 0xc), 0x1111, 0,  &_v28);
                                                                          						if((_v20 & 0x00000002) == 2) {
                                                                          							goto L17;
                                                                          						}
                                                                          						goto L27;
                                                                          					} else {
                                                                          						L27:
                                                                          						return 1;
                                                                          					}
                                                                          				}
                                                                          			}


                                                                          APIs
                                                                          • GetCursorPos.USER32(?), ref: 0040617D
                                                                          • ScreenToClient.USER32 ref: 0040618A
                                                                          • SendMessageA.USER32(?,00001111,00000000,?), ref: 004061A9
                                                                          • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0040620E
                                                                          • SendMessageA.USER32(?,0000110D,00000000,00000032), ref: 0040627A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$ClientCursorScreen
                                                                          • String ID: 2
                                                                          • API String ID: 41388912-450215437
                                                                          • Opcode ID: 2a1799bccda79db75d656728ceaf8dabbfcc03810baa88552f5a0faf615ffa00
                                                                          • Instruction ID: f8a9f1cfee04589b8875d05137da50bc283deff4bee9bf1f4b822495c2b9fb2d
                                                                          • Opcode Fuzzy Hash: 2a1799bccda79db75d656728ceaf8dabbfcc03810baa88552f5a0faf615ffa00
                                                                          • Instruction Fuzzy Hash: 6D418270A00605AFCB20EF68C8849AEB7B5BF44324B21467FE117E62D0D7359DB28B59
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00419BE3(void* __eflags) {
                                                                          				void* _v8;
                                                                          				long _v12;
                                                                          				char _v24;
                                                                          				intOrPtr _v28;
                                                                          				char _v288;
                                                                          				char _v548;
                                                                          				intOrPtr _t32;
                                                                          				intOrPtr _t39;
                                                                          				intOrPtr _t40;
                                                                          				void* _t42;
                                                                          				intOrPtr _t44;
                                                                          				void* _t47;
                                                                          				char _t69;
                                                                          				intOrPtr* _t79;
                                                                          				void* _t95;
                                                                          
                                                                          				_v8 = E0041C8FD(0x47e2f0, 0x2c);
                                                                          				_t32 = E0041C8FD(0x47e2f0, 0x28);
                                                                          				_v28 = _t32;
                                                                          				_v12 = 0;
                                                                          				if(_t32 <= 0) {
                                                                          					L6:
                                                                          					return 1;
                                                                          				}
                                                                          				_t69 = "\r\n";
                                                                          				while(1) {
                                                                          					E0041BDC5( &_v24);
                                                                          					E0041CAC5( &_v24, E0041CD1E(0x47e6c8), _v8, 4);
                                                                          					_v8 = _v8 + 4;
                                                                          					E0041DBFF( &_v24,  &_v288, ".TTF");
                                                                          					_t39 = 1;
                                                                          					 *0x47f21c = _t39;
                                                                          					 *0x47e290 = _t39;
                                                                          					_t40 =  *0x47f28c; // 0x2070010
                                                                          					if(_t40 != 0) {
                                                                          						E00424DCE(_t40);
                                                                          					}
                                                                          					 *0x47f28c = E00424DD9(4);
                                                                          					_t42 = E0041C8FD( &_v24, 0);
                                                                          					_t79 =  *0x47f28c; // 0x2070010
                                                                          					 *_t79 = _t42 + _v8;
                                                                          					_t44 = E0041C8FD( &_v24, 0);
                                                                          					_t47 = E00401AC0(E0041CD1E(0x47e6c8),  &_v288, _v8, _t44);
                                                                          					_t95 = _t95 + 0x10;
                                                                          					if(_t47 != 0) {
                                                                          						break;
                                                                          					}
                                                                          					_v8 = _v8 + E0041C8FD( &_v24, 0);
                                                                          					E0041DBFF( &_v24,  &_v548, ".FOT");
                                                                          					CreateScalableFontResourceA(0,  &_v548,  &_v288, 0);
                                                                          					AddFontResourceA( &_v548);
                                                                          					E0041C047(0x47e570,  &_v548, 0);
                                                                          					E0041C047(0x47e570, _t69, 0);
                                                                          					E0041C047(0x47e570,  &_v288, 0);
                                                                          					E0041C047(0x47e570, _t69, 0);
                                                                          					E0041BEFB( &_v24);
                                                                          					_v12 = _v12 + 1;
                                                                          					if(_v12 < _v28) {
                                                                          						continue;
                                                                          					}
                                                                          					goto L6;
                                                                          				}
                                                                          				DeleteFileA( &_v288);
                                                                          				E0041BEFB( &_v24);
                                                                          				return 0;
                                                                          			}


                                                                          APIs
                                                                            • Part of subcall function 0041BDC5: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0041C189,00000000,0047E4D0,00000000), ref: 0041BDD5
                                                                            • Part of subcall function 0041BDC5: GlobalLock.KERNEL32 ref: 0041BDDF
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                            • Part of subcall function 0041CAC5: CreateFileA.KERNEL32(0047DFB8,80000000,00000001,00000000,00000003,00000080,00000000,74E5FBD0,0047E2F0,00000000,?,0047DFB8), ref: 0041CAE5
                                                                            • Part of subcall function 0041DBFF: GetTempPathA.KERNEL32(00000104,00000000,?,?,?,?,0047E2F0,00000000,000000A8,0000005C,0047E1B8,00000001,?,00000000), ref: 0041DC46
                                                                            • Part of subcall function 0041DBFF: lstrcatA.KERNEL32(00000000,C:\,?,?,?,?,0047E2F0,00000000,000000A8,0000005C,0047E1B8,00000001,?,00000000), ref: 0041DC5C
                                                                            • Part of subcall function 0041DBFF: GetTickCount.KERNEL32 ref: 0041DC6F
                                                                            • Part of subcall function 0041DBFF: lstrlenA.KERNEL32(00000000,?,?,?,?,0047E2F0,00000000,000000A8,0000005C,0047E1B8,00000001,?,00000000), ref: 0041DC79
                                                                            • Part of subcall function 0041DBFF: lstrcatA.KERNEL32(00000000,aiw,?,?,?,?,?,?,?,0047E2F0,00000000,000000A8,0000005C,0047E1B8,00000001), ref: 0041DCA1
                                                                            • Part of subcall function 0041DBFF: lstrcatA.KERNEL32(00000000,0000005C,?,?,?,?,?,?,?,0047E2F0,00000000,000000A8,0000005C,0047E1B8,00000001), ref: 0041DCA8
                                                                            • Part of subcall function 0041DBFF: lstrcatA.KERNEL32(00000000,00000001,?,?,?,?,?,?,?,0047E2F0,00000000,000000A8,0000005C,0047E1B8,00000001), ref: 0041DCAE
                                                                            • Part of subcall function 0041DBFF: lstrcatA.KERNEL32(?,00000000,?,?,?,?,?,?,?,0047E2F0,00000000,000000A8,0000005C,0047E1B8,00000001), ref: 0041DCBF
                                                                          • CreateScalableFontResourceA.GDI32(00000000,?,?,00000000,00000000,0000002C,0047E2F0,00000001,00000000), ref: 00419CF6
                                                                          • AddFontResourceA.GDI32(?), ref: 00419D03
                                                                          • DeleteFileA.KERNEL32(?,0000002C,0047E2F0,00000001,00000000), ref: 00419D5E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Globallstrcat$AllocCreateFileFontLockResource$CountDeletePathScalableTempTickUnlocklstrlen
                                                                          • String ID: .FOT$.TTF$pG
                                                                          • API String ID: 2855166206-2355402239
                                                                          • Opcode ID: da263dae11c4dccd75cfe5de3c3717d08b13cab50d91d4aa04446e2cf5d485cd
                                                                          • Instruction ID: b0307000140c279c1ff1cafe2788717768607d41d640f69ff04e345ebede6464
                                                                          • Opcode Fuzzy Hash: da263dae11c4dccd75cfe5de3c3717d08b13cab50d91d4aa04446e2cf5d485cd
                                                                          • Instruction Fuzzy Hash: 61415671940118AACB15EBA6EC86DEE77BCEB48704F5040AFF205E3192DB385E85CB59
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 94%
                                                                          			E0040F33B(int* __ecx, void* __edx, void* __eflags, CHAR* _a4) {
                                                                          				BITMAPINFO* _v8;
                                                                          				char _v12;
                                                                          				int _v16;
                                                                          				long _v20;
                                                                          				void* _v24;
                                                                          				char _v40;
                                                                          				intOrPtr _t34;
                                                                          				intOrPtr _t37;
                                                                          				CHAR* _t38;
                                                                          				int _t49;
                                                                          				BITMAPINFO* _t50;
                                                                          				intOrPtr _t52;
                                                                          				intOrPtr _t56;
                                                                          				intOrPtr _t60;
                                                                          				void* _t67;
                                                                          				unsigned int _t73;
                                                                          				void* _t81;
                                                                          				int* _t82;
                                                                          
                                                                          				_t81 = __edx;
                                                                          				_t33 = _a4;
                                                                          				_t34 =  *0x47e780; // 0x0
                                                                          				_t84 = _a4 + _t33 * 2 << 2;
                                                                          				_t82 = __ecx;
                                                                          				E0041A81A(__eflags, _t34 + (_a4 + _t33 * 2 << 2));
                                                                          				_t37 =  *0x47e780; // 0x0
                                                                          				_t38 = E0041CD1E(_t84 + _t37);
                                                                          				_a4 = _t38;
                                                                          				_t67 = CreateFileA(_t38, 0x80000000, 1, 0, 3, 0x80, 0);
                                                                          				_v20 = GetFileSize(_t67, 0);
                                                                          				if(_t67 == 0xffffffff) {
                                                                          					return DeleteFileA(_a4);
                                                                          				}
                                                                          				E0040FC45(_t82);
                                                                          				_v16 = 0;
                                                                          				_v20 = E00410087(_t82, _t67, _v20,  &_v40,  &_v8,  &_v12,  &_v24,  &_v16);
                                                                          				CloseHandle(_t67);
                                                                          				_t49 = DeleteFileA(_a4);
                                                                          				__eflags = _v20;
                                                                          				if(_v20 >= 0) {
                                                                          					_t50 = _v8;
                                                                          					_t73 =  *(_t50 + 4);
                                                                          					 *_t82 = _t73;
                                                                          					_t82[1] =  *(_t50 + 8);
                                                                          					_t52 =  *0x47e170; // 0x0
                                                                          					asm("cdq");
                                                                          					_t22 =  &(_t82[1]); // 0x0
                                                                          					_t82[2] = (_t52 - _t81 >> 1) - (_t73 >> 1);
                                                                          					_t56 =  *0x47e174; // 0x0
                                                                          					asm("cdq");
                                                                          					_t82[3] = (_t56 - _t81 >> 1) - ( *_t22 >> 1);
                                                                          					_t60 = E0040EDE3(_t82);
                                                                          					__eflags = _t60;
                                                                          					if(_t60 >= 0) {
                                                                          						_t26 =  &(_t82[1]); // 0x0
                                                                          						_t61 =  *_t26;
                                                                          						_t78 =  *_t82;
                                                                          						_t29 =  &(_t82[3]); // 0x0
                                                                          						_t30 =  &(_t82[2]); // 0x0
                                                                          						StretchDIBits( *0x47e184,  *_t30,  *_t29,  *_t82,  *_t26, 0, 0, _t78, _t61, _v24, _v8, 0, 0xcc0020);
                                                                          						E00424DCE(_v12);
                                                                          						return DeleteObject(_v16);
                                                                          					}
                                                                          					return E00424DCE(_v12);
                                                                          				}
                                                                          				return _t49;
                                                                          			}

                                                                          APIs
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000064,00000060,00000000,00404E9E,?,004051FC,0045AA60,00000000), ref: 0040F384
                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,004051FC,0045AA60,00000000,00404E9E,00000000,00000000,00000000,0047E1B8,00000001,?,00000000), ref: 0040F38E
                                                                          • DeleteFileA.KERNEL32(00000000,?,004051FC,0045AA60,00000000,00404E9E,00000000,00000000,00000000,0047E1B8,00000001,?,00000000), ref: 0040F39F
                                                                          • CloseHandle.KERNEL32(00000000,00000000,00404E9E,00000000,00000000,00000000,00000000,00000000,?,004051FC,0045AA60,00000000,00404E9E,00000000,00000000,00000000), ref: 0040F3D7
                                                                          • DeleteFileA.KERNEL32(00000000,?,004051FC,0045AA60,00000000,00404E9E,00000000,00000000,00000000,0047E1B8,00000001,?,00000000), ref: 0040F3E0
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: File$Global$Delete$AllocCloseCreateHandleLockSizeUnlock
                                                                          • String ID:
                                                                          • API String ID: 3562677592-0
                                                                          • Opcode ID: 63be94b49783e533935e19cf314129601f4d4d3528a53a33a7546e7259e29ac7
                                                                          • Instruction ID: 17d04eb565bbb5c163c28542497edf53ee781f36736893d5f3475824fe2b72b9
                                                                          • Opcode Fuzzy Hash: 63be94b49783e533935e19cf314129601f4d4d3528a53a33a7546e7259e29ac7
                                                                          • Instruction Fuzzy Hash: D3415F71A00515EFCB249F69DD49DAEBFB9FF48310B50423AF509E3260DB34A951CB94
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 90%
                                                                          			E0040D2FA(intOrPtr __ecx, void* __edi, void* __ebp, signed short _a4) {
                                                                          				long _v4;
                                                                          				long _v8;
                                                                          				long _v12;
                                                                          				long _v13;
                                                                          				void* _v16;
                                                                          				intOrPtr _v17;
                                                                          				void* __ebx;
                                                                          				void* __esi;
                                                                          				unsigned int _t20;
                                                                          				long _t23;
                                                                          				long _t24;
                                                                          				long _t25;
                                                                          				signed int _t28;
                                                                          				long _t36;
                                                                          				void* _t37;
                                                                          				void* _t49;
                                                                          				void* _t51;
                                                                          				intOrPtr _t52;
                                                                          				void* _t53;
                                                                          
                                                                          				_t53 = __ebp;
                                                                          				_t49 = __edi;
                                                                          				_t20 = _a4;
                                                                          				_t52 = __ecx;
                                                                          				if(_t20 >> 0x10 != 0 || _t20 != 1 && _t20 != 3) {
                                                                          					return 0;
                                                                          				} else {
                                                                          					_push(_t53);
                                                                          					_push(_t49);
                                                                          					E0041412C(_t37, _t49);
                                                                          					_v13 = 0;
                                                                          					_v8 = 0;
                                                                          					_v4 = 0;
                                                                          					_v12 = 0;
                                                                          					_t23 = SendDlgItemMessageA( *(_t52 + 4), 0x14, 0xf0, 0, 0);
                                                                          					if(_t23 == 1) {
                                                                          						_v13 = _t23;
                                                                          					}
                                                                          					_t24 = SendDlgItemMessageA( *(_t52 + 4), 0x17, 0xf0, 0, 0);
                                                                          					if(_t24 == 1) {
                                                                          						_v8 = _t24;
                                                                          					}
                                                                          					_t25 = SendDlgItemMessageA( *(_t52 + 4), 0x16, 0xf0, 0, 0);
                                                                          					if(_t25 == 1) {
                                                                          						_v4 = _t25;
                                                                          					}
                                                                          					if(IsWindowVisible(GetDlgItem( *(_t52 + 4), 0x46)) != 0) {
                                                                          						_t36 = SendDlgItemMessageA( *(_t52 + 4), 0x46, 0xf0, 0, 0);
                                                                          						if(_t36 == 1) {
                                                                          							_v12 = _t36;
                                                                          						}
                                                                          					}
                                                                          					_t28 = _a4 & 0x0000ffff;
                                                                          					_pop(_t51);
                                                                          					if(_t28 != 1) {
                                                                          						if(_t28 == 3) {
                                                                          							E00407827(_t52, _t51, _t52, 0);
                                                                          							E00417D26(0x47dfb8, 0);
                                                                          						}
                                                                          					} else {
                                                                          						E00407827(_t52, _t51, _t52, 0);
                                                                          						if(_v17 == 0) {
                                                                          							E00412C58(_v4, _v8, _v12);
                                                                          							E00417EA6(0x47dfb8, 0);
                                                                          						} else {
                                                                          							E00424003();
                                                                          							E00411D82();
                                                                          							PostQuitMessage(1);
                                                                          						}
                                                                          					}
                                                                          					return 1;
                                                                          				}
                                                                          			}

                                                                          APIs
                                                                          • SendDlgItemMessageA.USER32(?,00000014,000000F0,00000000,00000000), ref: 0040D354
                                                                          • SendDlgItemMessageA.USER32(?,00000017,000000F0,00000000,00000000), ref: 0040D367
                                                                          • SendDlgItemMessageA.USER32(?,00000016,000000F0,00000000,00000000), ref: 0040D37A
                                                                          • GetDlgItem.USER32 ref: 0040D38A
                                                                          • IsWindowVisible.USER32 ref: 0040D391
                                                                          • SendDlgItemMessageA.USER32(?,00000046,000000F0,00000000,00000000), ref: 0040D3A3
                                                                          • PostQuitMessage.USER32(00000001), ref: 0040D3D9
                                                                            • Part of subcall function 00412C58: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00412CCF
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: ItemMessage$Send$ExecutePostQuitShellVisibleWindow
                                                                          • String ID:
                                                                          • API String ID: 3842003878-0
                                                                          • Opcode ID: 54de036da2a81d597b5cfd85777855c51b7d06fd8c14f802e07017e065111d94
                                                                          • Instruction ID: 40df1cb1daf66bccd2bfbafc100118adea5f07f781d5d0cd9cb67cf283506348
                                                                          • Opcode Fuzzy Hash: 54de036da2a81d597b5cfd85777855c51b7d06fd8c14f802e07017e065111d94
                                                                          • Instruction Fuzzy Hash: EE310D30A483446AD62177A54C40D7FBADDEBD5744F40843FF985622D2C53A9C4A973F
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 93%
                                                                          			E004062C4(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
                                                                          				long _v8;
                                                                          				intOrPtr _v20;
                                                                          				intOrPtr _v24;
                                                                          				long _v44;
                                                                          				char _v48;
                                                                          				long _v84;
                                                                          				void* _v88;
                                                                          				long _v124;
                                                                          				void* _v128;
                                                                          				long _t37;
                                                                          				long _t39;
                                                                          				long _t44;
                                                                          				int _t47;
                                                                          				intOrPtr _t48;
                                                                          				void* _t57;
                                                                          
                                                                          				_push(_a4);
                                                                          				_t57 = __ecx;
                                                                          				_t47 = 4;
                                                                          				_t37 = SendMessageA( *(__ecx + 0xc), 0x110a, _t47, ??);
                                                                          				_v8 = _t37;
                                                                          				if(_a4 != 0) {
                                                                          					_v84 = _t37;
                                                                          					_v88 = _t47;
                                                                          					_t39 = SendMessageA( *(_t57 + 0xc), 0x110c, 0,  &_v88);
                                                                          					_t48 = _a8;
                                                                          					if(_t39 == 0) {
                                                                          						goto L6;
                                                                          					} else {
                                                                          						_t37 = E00406060(_t57, E0040607A(_t57, _v84));
                                                                          						if(_t37 != 0) {
                                                                          							if( *((intOrPtr*)(_t37 + 8)) != 2) {
                                                                          								 *((intOrPtr*)(_t37 + 8)) = _t48;
                                                                          								_v48 = 0x32;
                                                                          								_v44 = _v8;
                                                                          								_v20 = _t48;
                                                                          								_v24 = _t48;
                                                                          								_t44 =  &_v48;
                                                                          								L5:
                                                                          								SendMessageA( *(_t57 + 0xc), 0x110d, 0, _t44);
                                                                          								while(1) {
                                                                          									L6:
                                                                          									E004062C4(_t57, _v8, _t48);
                                                                          									_t37 = SendMessageA( *(_t57 + 0xc), 0x110a, 1, _v8);
                                                                          									_v8 = _t37;
                                                                          									if(_t37 == 0) {
                                                                          										goto L11;
                                                                          									}
                                                                          									_v124 = _t37;
                                                                          									_v128 = 4;
                                                                          									if(SendMessageA( *(_t57 + 0xc), 0x110c, 0,  &_v128) == 0) {
                                                                          										continue;
                                                                          									} else {
                                                                          										_t37 = E00406060(_t57, E0040607A(_t57, _v124));
                                                                          										if(_t37 != 0) {
                                                                          											if( *((intOrPtr*)(_t37 + 8)) == 2) {
                                                                          												continue;
                                                                          											} else {
                                                                          												 *((intOrPtr*)(_t37 + 8)) = _t48;
                                                                          												_v48 = 0x32;
                                                                          												_v44 = _v8;
                                                                          												_v20 = _t48;
                                                                          												_v24 = _t48;
                                                                          												_t44 =  &_v48;
                                                                          												goto L5;
                                                                          											}
                                                                          											L12:
                                                                          										}
                                                                          									}
                                                                          									goto L11;
                                                                          								}
                                                                          								goto L11;
                                                                          							}
                                                                          							goto L6;
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          				L11:
                                                                          				return _t37;
                                                                          				goto L12;
                                                                          			}

                                                                          APIs
                                                                          • SendMessageA.USER32(?,0000110A,00000004,?), ref: 004062E4
                                                                          • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00406307
                                                                          • SendMessageA.USER32(?,0000110D,00000000,00000032), ref: 00406354
                                                                          • SendMessageA.USER32(?,0000110A,00000001,?), ref: 0040636E
                                                                          • SendMessageA.USER32(?,0000110C,00000000,?), ref: 0040638F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend
                                                                          • String ID: 2
                                                                          • API String ID: 3850602802-450215437
                                                                          • Opcode ID: 39c45cc5b37b1b84ea6d5fa9529c823bae7bf4d2b75c7038cd662bec360d4a93
                                                                          • Instruction ID: faac35d2f29a5aafd93d9db01ac471e448461c6527a0e82b97acf963d26bb515
                                                                          • Opcode Fuzzy Hash: 39c45cc5b37b1b84ea6d5fa9529c823bae7bf4d2b75c7038cd662bec360d4a93
                                                                          • Instruction Fuzzy Hash: 98312F70E00208AADB11DF95CD41AAEBBBABF48354F25802AE506B62D0D7749964DF94
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 92%
                                                                          			E0041412C(void* __ebx, void* __edi) {
                                                                          				signed int _v8;
                                                                          				char _v12;
                                                                          				char _v16;
                                                                          				intOrPtr _v20;
                                                                          				char _v32;
                                                                          				char _v292;
                                                                          				char _v552;
                                                                          				void* _t28;
                                                                          				signed int _t33;
                                                                          				CHAR* _t53;
                                                                          				intOrPtr _t58;
                                                                          				intOrPtr _t61;
                                                                          				CHAR* _t68;
                                                                          				void* _t73;
                                                                          				intOrPtr* _t74;
                                                                          				intOrPtr _t75;
                                                                          
                                                                          				_t75 =  *0x47e6b0; // 0x0
                                                                          				if(_t75 != 0) {
                                                                          					_v20 = E0041CD1E(0x47e6b0);
                                                                          					_t58 =  *0x47e6b0; // 0x0
                                                                          					_t28 = E0041DD95(__ebx, _t29, _t58 + 1,  &_v12,  &_v16);
                                                                          					_t74 = _t73 + 0x10;
                                                                          					if(_t28 != 0) {
                                                                          						_v8 = 0;
                                                                          						if(_v16 <= 0) {
                                                                          							L8:
                                                                          							E00424DCE(_v12);
                                                                          							 *_t74 = 0x42e0c8;
                                                                          							return E0041BF12(0x47e6b0);
                                                                          						}
                                                                          						_push(__ebx);
                                                                          						do {
                                                                          							_t61 = _v12;
                                                                          							_t33 = _v8 << 2;
                                                                          							_t68 =  *((intOrPtr*)(_t33 + _t61)) + _v20;
                                                                          							_t53 =  *((intOrPtr*)(_t33 + _t61 + 4)) + _v20;
                                                                          							if(MoveFileExA(_t53, _t68, 5) == 0) {
                                                                          								E0041BE99( &_v32, 0x47dfc8);
                                                                          								E0041C047( &_v32, "\\WININIT.INI", 0);
                                                                          								E00424500( &_v552, 0, 0x104);
                                                                          								E00424500( &_v292, 0, 0x104);
                                                                          								_t74 = _t74 + 0x18;
                                                                          								GetShortPathNameA(_t68,  &_v552, 0x104);
                                                                          								GetShortPathNameA(_t53,  &_v292, 0x104);
                                                                          								WritePrivateProfileStringA("Rename",  &_v552,  &_v292, E0041CD1E( &_v32));
                                                                          								E0041BEFB( &_v32);
                                                                          							}
                                                                          							_v8 = _v8 + 2;
                                                                          						} while (_v8 < _v16);
                                                                          						goto L8;
                                                                          					}
                                                                          				}
                                                                          				return _t28;
                                                                          			}

                                                                          APIs
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          • MoveFileExA.KERNEL32 ref: 0041419F
                                                                            • Part of subcall function 0041BE99: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0042C1D8,00421A71,00000000,00000000,00000000,0042C1D8,00000000,00000001,00000000,00000001,0000005C,00000000,00000000), ref: 0041BEB3
                                                                            • Part of subcall function 0041BE99: GlobalLock.KERNEL32 ref: 0041BED4
                                                                            • Part of subcall function 0041C047: lstrlenA.KERNEL32(00000000,00422D86,0047E788,004221EF,103,00000000,00000000,00000000,00000000,0047E788,00000000), ref: 0041C04F
                                                                            • Part of subcall function 0041C047: GlobalUnlock.KERNEL32(8415FF57), ref: 0041C067
                                                                            • Part of subcall function 0041C047: GlobalReAlloc.KERNEL32 ref: 0041C074
                                                                            • Part of subcall function 0041C047: GlobalLock.KERNEL32 ref: 0041C095
                                                                          • GetShortPathNameA.KERNEL32 ref: 004141F9
                                                                          • GetShortPathNameA.KERNEL32 ref: 00414204
                                                                          • WritePrivateProfileStringA.KERNEL32(Rename,?,?,00000000), ref: 00414222
                                                                            • Part of subcall function 0041BEFB: GlobalUnlock.KERNEL32(?,00000000,0041C1E9,00000000,00000010,00000000,0047E4D0,00000000), ref: 0041BF01
                                                                            • Part of subcall function 0041BEFB: GlobalFree.KERNEL32 ref: 0041BF0A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocLockUnlock$NamePathShort$FileFreeMovePrivateProfileStringWritelstrlen
                                                                          • String ID: Rename$\WININIT.INI
                                                                          • API String ID: 3587727116-382979624
                                                                          • Opcode ID: d61e163e4b1642f25e9412c7ee909ea501c5c7ad710714f0a50dc1e1a82e982a
                                                                          • Instruction ID: 6ccb05560540a31af43dede7ab03aa05fb632c09e9ebc2799af0b626637c211d
                                                                          • Opcode Fuzzy Hash: d61e163e4b1642f25e9412c7ee909ea501c5c7ad710714f0a50dc1e1a82e982a
                                                                          • Instruction Fuzzy Hash: B03182B1D00118BBDB20EB95EC85EEEB778EF84304F5041AEF505A3181DB386A85CB68
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0040585D(struct HWND__* _a4, long _a8, signed short _a12, long _a16) {
                                                                          				long _t35;
                                                                          				long _t38;
                                                                          				long _t41;
                                                                          				void* _t42;
                                                                          				long _t50;
                                                                          
                                                                          				if(_a8 != 0x110) {
                                                                          					__eflags = _a8 - 0x111;
                                                                          					if(_a8 == 0x111) {
                                                                          						_t50 = SendDlgItemMessageA(_a4, 0x42a, 0xe, 0, 0);
                                                                          						__eflags = _t50;
                                                                          						EnableWindow(GetDlgItem(_a4, 1), 0 | __eflags > 0x00000000);
                                                                          						__eflags = _a12 >> 0x10;
                                                                          						if(_a12 >> 0x10 == 0) {
                                                                          							__eflags = _a12 - 1;
                                                                          							if(_a12 == 1) {
                                                                          								_t14 = _t50 + 1; // 0x1
                                                                          								_t35 = E00424DD9(_t14);
                                                                          								__eflags = _t35;
                                                                          								_a8 = _t35;
                                                                          								if(_t35 != 0) {
                                                                          									_t16 = _t50 + 1; // 0x1
                                                                          									SendDlgItemMessageA(_a4, 0x42a, 0xd, _t16, _t35);
                                                                          									_t62 = _a8;
                                                                          									 *((char*)(_a8 + _t50)) =  *(_a8 + _t50) & 0x00000000;
                                                                          									_t38 =  *0x47df4c;
                                                                          									__eflags = _t38;
                                                                          									if(_t38 != 0) {
                                                                          										E0041BF12(_t38 + 0x1c, _t62);
                                                                          									}
                                                                          									E00424DCE(_t62);
                                                                          								}
                                                                          							}
                                                                          							EndDialog(_a4, _a12 & 0x0000ffff);
                                                                          						}
                                                                          					}
                                                                          					__eflags = 0;
                                                                          					return 0;
                                                                          				}
                                                                          				_t41 = _a16;
                                                                          				 *0x47df4c = _t41;
                                                                          				if(_t41 != 0) {
                                                                          					SetWindowTextA(_a4, E0041CD1E(_t41 + 0x10));
                                                                          					SetDlgItemTextA(_a4, 0x449, E0041CD1E( *0x47df4c + 4));
                                                                          				}
                                                                          				_t42 = 1;
                                                                          				return _t42;
                                                                          			}









                                                                          APIs
                                                                          • SetWindowTextA.USER32(?,00000000), ref: 00405881
                                                                          • SetDlgItemTextA.USER32 ref: 0040589D
                                                                          • SendDlgItemMessageA.USER32(?,0000042A,0000000E,00000000,00000000), ref: 004058D0
                                                                          • GetDlgItem.USER32 ref: 004058E1
                                                                          • EnableWindow.USER32(00000000), ref: 004058E8
                                                                          • SendDlgItemMessageA.USER32(?,0000042A,0000000D,00000001,00000000), ref: 0040591C
                                                                          • EndDialog.USER32(?,00000001), ref: 00405946
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Item$Global$MessageSendTextWindow$AllocDialogEnableLockUnlock
                                                                          • String ID:
                                                                          • API String ID: 6122972-0
                                                                          • Opcode ID: 98e64860257a9b305ad77235a9a85b4545619def014f5d57034860a6271ff690
                                                                          • Instruction ID: f49f642065d340e3a7ad1b65ce0aa73714bfea6f3ab2296c2f665de5166f183d
                                                                          • Opcode Fuzzy Hash: 98e64860257a9b305ad77235a9a85b4545619def014f5d57034860a6271ff690
                                                                          • Instruction Fuzzy Hash: B7213E71600209ABEB109F61DC45FAB3BA8EF44760F44843AFD05EA1A1DB79D951CF68
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 96%
                                                                          			E00413C46(void* __ecx, void* __edx, void* __eflags, long _a4, CHAR* _a8) {
                                                                          				void* _v8;
                                                                          				long _v12;
                                                                          				void _v32012;
                                                                          				void* __ebp;
                                                                          				void* _t18;
                                                                          				void* _t35;
                                                                          				void* _t37;
                                                                          				void* _t41;
                                                                          
                                                                          				_t35 = __edx;
                                                                          				E00425220(0x7d08, __ecx);
                                                                          				_t18 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0x80, 0);
                                                                          				_v8 = _t18;
                                                                          				if(_t18 != 0xffffffff) {
                                                                          					E0040D85F(_a8);
                                                                          					_t37 = CreateFileA(_a8, 0x40000000, 1, 0, 2, 0x80, 0);
                                                                          					if(_t37 != 0xffffffff) {
                                                                          						_a4 = 0;
                                                                          						do {
                                                                          							ReadFile(_v8,  &_v32012, 0x7d00,  &_a4, 0);
                                                                          							WriteFile(_t37,  &_v32012, _a4,  &_v12, 0);
                                                                          							E00414F7F(_t35, _t41, _a4);
                                                                          						} while (_a4 == 0x7d00);
                                                                          						CloseHandle(_v8);
                                                                          						return CloseHandle(_t37);
                                                                          					}
                                                                          					return CloseHandle(_v8);
                                                                          				}
                                                                          				return _t18;
                                                                          			}












                                                                          APIs
                                                                          • CreateFileA.KERNEL32(0047E880,80000000,00000001,00000000,00000003,00000080,00000000,00000001,00000000,00000000,?,00412393,00000000,00000000,00000000,00000000), ref: 00413C72
                                                                            • Part of subcall function 0040D85F: GetFileAttributesA.KERNEL32(l.B,0047E788,00422E6C,00000000), ref: 0040D865
                                                                            • Part of subcall function 0040D85F: SetFileAttributesA.KERNEL32(l.B,00000000), ref: 0040D874
                                                                            • Part of subcall function 0040D85F: DeleteFileA.KERNEL32(l.B), ref: 0040D87B
                                                                          • CreateFileA.KERNEL32(00000003,40000000,00000001,00000000,00000002,00000080,00000000,?,00412393,00000000,00000000,00000000,00000000,00000000,00000000,0042BC5C), ref: 00413C94
                                                                          • CloseHandle.KERNEL32(00000000,?,00412393,00000000,00000000,00000000,00000000,00000000,00000000,0042BC5C,00000000,00000001,0042C1D8,0042BC5C,00000002,00000000), ref: 00413CA0
                                                                          • ReadFile.KERNEL32(00000000,?,00007D00,0047E880,00000000,?,00412393,00000000,00000000,00000000,00000000,00000000,00000000,0042BC5C,00000000,00000001), ref: 00413CC0
                                                                          • WriteFile.KERNEL32(00000000,?,0047E880,0047E880,00000000,?,00412393,00000000,00000000,00000000,00000000,00000000,00000000,0042BC5C,00000000,00000001), ref: 00413CD6
                                                                          • CloseHandle.KERNEL32(00000000,?,00412393,00000000,00000000,00000000,00000000,00000000,00000000,0042BC5C,00000000,00000001,0042C1D8,0042BC5C,00000002,00000000), ref: 00413CF3
                                                                          • CloseHandle.KERNEL32(00000000,?,00412393,00000000,00000000,00000000,00000000,00000000,00000000,0042BC5C,00000000,00000001,0042C1D8,0042BC5C,00000002,00000000), ref: 00413CF6
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: File$CloseHandle$AttributesCreate$DeleteReadWrite
                                                                          • String ID:
                                                                          • API String ID: 4193614173-0
                                                                          • Opcode ID: 4695edea306db9e0e244aa9cf59e96a1a6b44e21d00fac8a367ea497388d7424
                                                                          • Instruction ID: d6a8e47d74a94cecba19c6bbf340d7de880066c1608b2e882d88da8b899a33ac
                                                                          • Opcode Fuzzy Hash: 4695edea306db9e0e244aa9cf59e96a1a6b44e21d00fac8a367ea497388d7424
                                                                          • Instruction Fuzzy Hash: 56119D3290101CBAEF215F55DC85EEF7F7CEF443A1F10417AB518A61A0CB345E819BA4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 81%
                                                                          			E0041F924(intOrPtr __ecx, void* __eflags) {
                                                                          				int _v8;
                                                                          				intOrPtr _v12;
                                                                          				char _v24;
                                                                          				intOrPtr _t18;
                                                                          				int _t25;
                                                                          				struct HDC__* _t32;
                                                                          				int _t34;
                                                                          				void* _t37;
                                                                          
                                                                          				_t37 = __eflags;
                                                                          				_v12 = __ecx;
                                                                          				E0041BE99( &_v24, 0x47eac8);
                                                                          				E0041BFF8( &_v24, 9);
                                                                          				_t32 = GetDC( *0x47e178);
                                                                          				_t25 = GetDeviceCaps(_t32, 8);
                                                                          				_v8 = GetDeviceCaps(_t32, 0xa);
                                                                          				_t34 = GetDeviceCaps(_t32, 0xc);
                                                                          				ReleaseDC( *0x47e178, _t32);
                                                                          				_t18 = _v8;
                                                                          				_push(_t34);
                                                                          				 *0x47e6e8 = _t18;
                                                                          				_push(_t18);
                                                                          				_push(_t25);
                                                                          				 *0x47e6e4 = _t25;
                                                                          				 *0x47e6ec = _t34;
                                                                          				E0041C467( &_v24, "%dx%d %d ");
                                                                          				E0041C0C5( &_v24, _t37, 0x47ead4);
                                                                          				E0041EEC5(_v12,  &_v24);
                                                                          				return E0041BEFB( &_v24);
                                                                          			}












                                                                          APIs
                                                                            • Part of subcall function 0041BE99: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0042C1D8,00421A71,00000000,00000000,00000000,0042C1D8,00000000,00000001,00000000,00000001,0000005C,00000000,00000000), ref: 0041BEB3
                                                                            • Part of subcall function 0041BE99: GlobalLock.KERNEL32 ref: 0041BED4
                                                                            • Part of subcall function 0041BFF8: GlobalUnlock.KERNEL32(8415FF57,0047E788,004221E2,00000000,00000000,00000000,0047E788,00000000), ref: 0041C000
                                                                            • Part of subcall function 0041BFF8: GlobalReAlloc.KERNEL32 ref: 0041C00D
                                                                            • Part of subcall function 0041BFF8: GlobalLock.KERNEL32 ref: 0041C02E
                                                                          • GetDC.USER32(00000009), ref: 0041F94D
                                                                          • GetDeviceCaps.GDI32(00000000,00000008), ref: 0041F95E
                                                                          • GetDeviceCaps.GDI32(00000000,0000000A), ref: 0041F965
                                                                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0041F96D
                                                                          • ReleaseDC.USER32 ref: 0041F978
                                                                            • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,00000000,?,0042DB90,0047E788), ref: 0041C489
                                                                            • Part of subcall function 0041C467: lstrlenA.KERNEL32(00000000,0042D4D0,00000000,00000000,00000001,00000001), ref: 0041C63F
                                                                            • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407DB6), ref: 0041C649
                                                                            • Part of subcall function 0041C0C5: GlobalUnlock.KERNEL32(?,00000000,0047E380,?,00421CA7,00000004,?,00000000,00000000,00000000,0047E490,0047E788,0047E380,0047E788,?,00422453), ref: 0041C0DE
                                                                            • Part of subcall function 0041C0C5: GlobalReAlloc.KERNEL32 ref: 0041C0EB
                                                                            • Part of subcall function 0041C0C5: GlobalLock.KERNEL32 ref: 0041C10C
                                                                            • Part of subcall function 0041BEFB: GlobalUnlock.KERNEL32(?,00000000,0041C1E9,00000000,00000010,00000000,0047E4D0,00000000), ref: 0041BF01
                                                                            • Part of subcall function 0041BEFB: GlobalFree.KERNEL32 ref: 0041BF0A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocCapsDeviceLockUnlocklstrlen$FreeRelease
                                                                          • String ID: %dx%d %d
                                                                          • API String ID: 2849383836-986776345
                                                                          • Opcode ID: 6701b937088444dcc262592f75ddd3e1e35e50d4286847ffe524a57a5883be79
                                                                          • Instruction ID: 939847e7418d91016d4a78c6a461a2bb1d59a8861e3360f60a2477e60b39c450
                                                                          • Opcode Fuzzy Hash: 6701b937088444dcc262592f75ddd3e1e35e50d4286847ffe524a57a5883be79
                                                                          • Instruction Fuzzy Hash: 91119471900218AFDB00EBA6DC46DEF7B7CFB14B00F50007BB505A3191DA745D458B69
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 73%
                                                                          			E00414081(char* _a4, intOrPtr _a8) {
                                                                          				char _v8;
                                                                          				void* _v12;
                                                                          				int _v16;
                                                                          				char _v28;
                                                                          				long _t21;
                                                                          				void* _t29;
                                                                          
                                                                          				_t21 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\SharedDLLs", 0, 0x2001f,  &_v12);
                                                                          				if(_t21 == 0) {
                                                                          					_v8 = 0;
                                                                          					_v16 = 4;
                                                                          					RegQueryValueExA(_v12, _a4, 0, 0,  &_v8,  &_v16);
                                                                          					_v8 = _v8 + 1;
                                                                          					RegSetValueExA(_v12, _a4, 0, 4,  &_v8, 4);
                                                                          					RegCloseKey(_v12);
                                                                          					E0041BE35( &_v28, _a4);
                                                                          					_t40 = _a8;
                                                                          					if(_a8 != 0) {
                                                                          						E0041C047( &_v28, "|ctrl", 0);
                                                                          					}
                                                                          					_t29 = E0041CD1E( &_v28);
                                                                          					_push(0x47e800);
                                                                          					_push(_t29);
                                                                          					E00421CE6(_t40);
                                                                          					return E0041BEFB( &_v28);
                                                                          				}
                                                                          				return _t21;
                                                                          			}










                                                                          APIs
                                                                          • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\SharedDLLs,00000000,0002001F,0047E880,00000000,?,000000C0,000000BC,00000003,0047E880,00000000), ref: 0041409E
                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000), ref: 004140C2
                                                                          • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004), ref: 004140DA
                                                                          • RegCloseKey.ADVAPI32(?), ref: 004140E3
                                                                            • Part of subcall function 0041BE35: lstrlenA.KERNEL32(00000000,0047DFB8,0047F2B8,0041B2F4,Astrum Installer,00000000,0047DFB8,?,0041B2C8,0041CD50,00000000,0041D88F,00000010,?,0041A03B,00000000), ref: 0041BE49
                                                                            • Part of subcall function 0041BE35: GlobalAlloc.KERNEL32(00000042,00000000,?,0041B2C8,0041CD50,00000000,0041D88F,00000010,?,0041A03B,00000000,00000000,00000000,?,0047E924,0041D88F), ref: 0041BE54
                                                                            • Part of subcall function 0041BE35: GlobalLock.KERNEL32 ref: 0041BE75
                                                                            • Part of subcall function 0041C047: lstrlenA.KERNEL32(00000000,00422D86,0047E788,004221EF,103,00000000,00000000,00000000,00000000,0047E788,00000000), ref: 0041C04F
                                                                            • Part of subcall function 0041C047: GlobalUnlock.KERNEL32(8415FF57), ref: 0041C067
                                                                            • Part of subcall function 0041C047: GlobalReAlloc.KERNEL32 ref: 0041C074
                                                                            • Part of subcall function 0041C047: GlobalLock.KERNEL32 ref: 0041C095
                                                                          Strings
                                                                          • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00414094
                                                                          • |ctrl, xrefs: 004140FA
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocLockValuelstrlen$CloseOpenQueryUnlock
                                                                          • String ID: Software\Microsoft\Windows\CurrentVersion\SharedDLLs$|ctrl
                                                                          • API String ID: 707054961-2170158477
                                                                          • Opcode ID: 9287fe5cdd0942b607070d4ffcbdb31c284ae224106b6bf49031bb986ee66167
                                                                          • Instruction ID: 273fb6a66b4209d3a46defa7447582479fda1a1bfef144c825d9ad7138c78fa8
                                                                          • Opcode Fuzzy Hash: 9287fe5cdd0942b607070d4ffcbdb31c284ae224106b6bf49031bb986ee66167
                                                                          • Instruction Fuzzy Hash: 5A111FB594010DBEDB10EFD1DC86EEEBB7CEB14348F50406AB605A10A1DB345E85DB68
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0040D76B(void* __eflags, struct HWND__* _a4) {
                                                                          				CHAR* _t2;
                                                                          				void* _t24;
                                                                          				struct HWND__* _t25;
                                                                          
                                                                          				_t2 = E0041CD1E(0x47e8a0);
                                                                          				_t25 = _a4;
                                                                          				SetDlgItemTextA(_t25, 3, _t2);
                                                                          				SetDlgItemTextA(_t25, 1, E0041CD1E(0x47e8d0));
                                                                          				SetDlgItemTextA(_t25, 2, E0041CD1E(0x47e8b8));
                                                                          				if(E00419E8A() == 0) {
                                                                          					if(E00419E6A() != 0) {
                                                                          						_t24 = 0x47ef6c;
                                                                          						goto L4;
                                                                          					}
                                                                          				} else {
                                                                          					_t24 = 0x47e8c4;
                                                                          					L4:
                                                                          					SetDlgItemTextA(_t25, 1, E0041CD1E(_t24));
                                                                          				}
                                                                          				if( *0x47e114 != 0) {
                                                                          					SetDlgItemTextA(_t25, 0x41f, E0041CD1E(0x47df68));
                                                                          					E0040EFE7();
                                                                          				}
                                                                          				return 1;
                                                                          			}







                                                                          APIs
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          • SetDlgItemTextA.USER32 ref: 0040D786
                                                                          • SetDlgItemTextA.USER32 ref: 0040D796
                                                                          • SetDlgItemTextA.USER32 ref: 0040D7A6
                                                                          • SetDlgItemTextA.USER32 ref: 0040D7D8
                                                                          • SetDlgItemTextA.USER32 ref: 0040D7F4
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: ItemText$Global$AllocLockUnlock
                                                                          • String ID: lG
                                                                          • API String ID: 1320547164-1663926740
                                                                          • Opcode ID: 91e4bd00f38452d55a2895847701c7ccddab22c0fce15f7968b8967b6b60ab5d
                                                                          • Instruction ID: d8f0bfc246ea1dac22b33ef5546518489f320966156894edd493a4645e0109dc
                                                                          • Opcode Fuzzy Hash: 91e4bd00f38452d55a2895847701c7ccddab22c0fce15f7968b8967b6b60ab5d
                                                                          • Instruction Fuzzy Hash: D7018460A5020426D11476661C96FFE061F8FC9744F14C47FF6067B2C2CF6D0C8A927E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 95%
                                                                          			E00406D11(intOrPtr* __ecx, void* __eflags) {
                                                                          				signed int _t21;
                                                                          				void* _t25;
                                                                          				struct HDC__* _t34;
                                                                          				intOrPtr* _t35;
                                                                          
                                                                          				_t35 = __ecx;
                                                                          				_t1 = _t35 + 8; // 0x8
                                                                          				E00406DE2(_t1);
                                                                          				_t2 = _t35 + 0x70; // 0x70
                                                                          				E0041E814(_t2);
                                                                          				_t3 = _t35 + 0x84; // 0x84
                                                                          				E0041E814(_t3);
                                                                          				 *_t35 = 0x4285cc;
                                                                          				 *((intOrPtr*)(_t35 + 0xa8)) = 0;
                                                                          				 *((char*)(_t35 + 0xac)) = 1;
                                                                          				 *((intOrPtr*)(_t35 + 0x98)) = 0;
                                                                          				if( *0x47df5c == 0) {
                                                                          					_t25 = GlobalAlloc(0x42, 0);
                                                                          					 *0x47df5c = _t25;
                                                                          					 *0x47df58 = GlobalLock(_t25);
                                                                          				}
                                                                          				 *((intOrPtr*)(_t35 + 0x9c)) = 0;
                                                                          				 *((intOrPtr*)(_t35 + 0xa0)) = 0;
                                                                          				 *((intOrPtr*)(_t35 + 0xa4)) = LoadCursorA(0, 0x7f00);
                                                                          				_t34 = GetDC( *0x47e178);
                                                                          				_t21 = MulDiv(0xf4240, GetDeviceCaps(_t34, 0x5a), 0x48);
                                                                          				asm("cdq");
                                                                          				 *0x42b91c = _t21 / 0x535;
                                                                          				ReleaseDC( *0x47e178, _t34);
                                                                          				if(( *0x47e192 & 0x00000004) == 0) {
                                                                          					 *0x42b91c = 0x3e8;
                                                                          				}
                                                                          				return _t35;
                                                                          			}








                                                                          APIs
                                                                            • Part of subcall function 0041E814: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0040E8F7,00000000,0042290E,00000000,00000001,00000000,00000000,00000000,0000005C,00000000,00000000,00000000,00000001), ref: 0041E82A
                                                                            • Part of subcall function 0041E814: GlobalLock.KERNEL32 ref: 0041E834
                                                                          • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00406D56
                                                                          • GlobalLock.KERNEL32 ref: 00406D62
                                                                          • LoadCursorA.USER32 ref: 00406D7F
                                                                          • GetDC.USER32 ref: 00406D91
                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00406D9E
                                                                          • MulDiv.KERNEL32(000F4240,00000000), ref: 00406DAA
                                                                          • ReleaseDC.USER32 ref: 00406DC4
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocLock$CapsCursorDeviceLoadRelease
                                                                          • String ID:
                                                                          • API String ID: 360201357-0
                                                                          • Opcode ID: 2efe2023bf81b3e24329aa99aa27404b0337e545e5a23960d49dfbc65c8d11dc
                                                                          • Instruction ID: 5ece2d926049a6a0ac0f62f40905e0d7ac656334098489eecc411e68072f2eeb
                                                                          • Opcode Fuzzy Hash: 2efe2023bf81b3e24329aa99aa27404b0337e545e5a23960d49dfbc65c8d11dc
                                                                          • Instruction Fuzzy Hash: AD110A707017509FE3219F26EC0AB6A7BF4EF55701F80447EEA5A962A0DB741486CF29
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • CoInitialize.OLE32(00000000), ref: 0040E285
                                                                          • SHBrowseForFolderA.SHELL32(?), ref: 0040E2B7
                                                                          • SHGetPathFromIDListA.SHELL32(00000000,w@), ref: 0040E2C3
                                                                          • SHGetMalloc.SHELL32(00000000), ref: 0040E2D1
                                                                          • CoUninitialize.OLE32 ref: 0040E2E5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: BrowseFolderFromInitializeListMallocPathUninitialize
                                                                          • String ID: w@
                                                                          • API String ID: 50853812-3933844196
                                                                          • Opcode ID: 871ff91e918a476b10dcbb04aa0b531a60d8972d50d1ef0aa5e56f6c00e180a7
                                                                          • Instruction ID: dcf86f71e1ec0a2d11d85a577e1a136d4c66ffd2969777ac98c319ca4d3b7e98
                                                                          • Opcode Fuzzy Hash: 871ff91e918a476b10dcbb04aa0b531a60d8972d50d1ef0aa5e56f6c00e180a7
                                                                          • Instruction Fuzzy Hash: D0010475A01209EFCB10DFA5D949BEF7BF8FB48306F104069E401E6290DB749A16CFA9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 95%
                                                                          			E0041C467(intOrPtr* _a4, CHAR* _a8) {
                                                                          				signed char _v5;
                                                                          				char _v6;
                                                                          				signed char* _v12;
                                                                          				signed int _v16;
                                                                          				signed int _v20;
                                                                          				signed int _v31;
                                                                          				char _v32;
                                                                          				char _v48;
                                                                          				signed int _v83;
                                                                          				char _v84;
                                                                          				signed char* _t86;
                                                                          				signed char* _t89;
                                                                          				signed char _t90;
                                                                          				signed int _t91;
                                                                          				char* _t95;
                                                                          				signed char* _t97;
                                                                          				signed char* _t107;
                                                                          				signed char _t108;
                                                                          				signed int _t111;
                                                                          				signed char _t112;
                                                                          				signed char* _t116;
                                                                          				CHAR* _t121;
                                                                          				void* _t123;
                                                                          				void* _t127;
                                                                          				void* _t129;
                                                                          				void* _t132;
                                                                          				signed int _t138;
                                                                          				signed int _t139;
                                                                          				signed int _t140;
                                                                          				signed char _t142;
                                                                          				signed char _t143;
                                                                          				intOrPtr _t144;
                                                                          				void* _t145;
                                                                          				void* _t146;
                                                                          
                                                                          				_t144 =  *_a4;
                                                                          				_t143 = 0;
                                                                          				E0041C047(_a4, _a8, 0);
                                                                          				if(lstrlenA(_a8) - 1 > 0) {
                                                                          					_t86 =  &_a8;
                                                                          					_v12 = _t86;
                                                                          					while(1) {
                                                                          						_t121 = _a8;
                                                                          						if( *((char*)(_t143 + _t121)) != 0x25) {
                                                                          							goto L35;
                                                                          						}
                                                                          						_t123 =  *((char*)(_t143 + _t121 + 1)) - 0x62;
                                                                          						if(_t123 == 0) {
                                                                          							_t89 =  &(_t86[4]);
                                                                          							_v12 = _t89;
                                                                          							_t90 =  *_t89;
                                                                          							__eflags = _t90;
                                                                          							if(__eflags != 0) {
                                                                          								_t53 =  &_v16;
                                                                          								 *_t53 = _v16 & 0x00000000;
                                                                          								__eflags =  *_t53;
                                                                          								_v20 = 0x1f;
                                                                          								do {
                                                                          									_t138 = 1;
                                                                          									_t139 = _t138 << _v20;
                                                                          									__eflags = _t90 & _t139;
                                                                          									_t140 = _t139 & 0xffffff00 | (_t90 & _t139) != 0x00000000;
                                                                          									__eflags = _t140;
                                                                          									if(_t140 != 0) {
                                                                          										L29:
                                                                          										_t63 =  &_v16;
                                                                          										 *_t63 = _v16 + 1;
                                                                          										__eflags =  *_t63;
                                                                          										 *((char*)(_t145 + _v16 - 0x50)) = _t140 + 0x30;
                                                                          									} else {
                                                                          										__eflags = _v16;
                                                                          										if(_v16 != 0) {
                                                                          											goto L29;
                                                                          										}
                                                                          									}
                                                                          									_t67 =  &_v20;
                                                                          									 *_t67 = _v20 - 1;
                                                                          									__eflags =  *_t67;
                                                                          								} while ( *_t67 >= 0);
                                                                          								_t91 = _v16;
                                                                          								_t70 = _t145 + _t91 - 0x50;
                                                                          								 *_t70 =  *(_t145 + _t91 - 0x50) & 0x00000000;
                                                                          								__eflags =  *_t70;
                                                                          							} else {
                                                                          								_v83 = _v83 & _t90;
                                                                          								_v84 = 0x30;
                                                                          							}
                                                                          							E0041CBF9(_a4, __eflags, "%b",  &_v84, _t143 + _t144, 1, 1);
                                                                          							_t95 =  &_v84;
                                                                          							goto L33;
                                                                          						} else {
                                                                          							_t127 = _t123 - 1;
                                                                          							if(_t127 == 0) {
                                                                          								_t97 =  &(_t86[4]);
                                                                          								_v12 = _t97;
                                                                          								_v5 = _v5 & 0x00000000;
                                                                          								_v6 =  *_t97;
                                                                          								E0041CBF9(_a4, __eflags, "%d",  &_v6, _t143 + _t144, 1, 1);
                                                                          								_t144 = _t144 - 1;
                                                                          							} else {
                                                                          								_t129 = _t127 - 1;
                                                                          								if(_t129 == 0) {
                                                                          									_v12 =  &(_t86[4]);
                                                                          									E00427836(_t86[4],  &_v48, 0xa);
                                                                          									_t146 = _t146 + 0xc;
                                                                          									E0041CBF9(_a4, __eflags, "%d",  &_v48, _t143 + _t144, 1, 1);
                                                                          									_t95 =  &_v48;
                                                                          									goto L33;
                                                                          								} else {
                                                                          									_t132 = _t129 - 4;
                                                                          									if(_t132 == 0) {
                                                                          										_t107 =  &(_t86[4]);
                                                                          										_v12 = _t107;
                                                                          										_t108 =  *_t107;
                                                                          										__eflags = _t108;
                                                                          										_v20 = _t108;
                                                                          										if(__eflags != 0) {
                                                                          											_t142 = 0;
                                                                          											__eflags = 0;
                                                                          											_v16 = 0x1c;
                                                                          											do {
                                                                          												_t111 = _v20 >> _v16 & 0x0000000f;
                                                                          												__eflags = _t142;
                                                                          												if(_t142 != 0) {
                                                                          													L15:
                                                                          													__eflags = _t111 - 0xa;
                                                                          													if(_t111 >= 0xa) {
                                                                          														_t112 = _t111 + 0x37;
                                                                          														__eflags = _t112;
                                                                          													} else {
                                                                          														_t112 = _t111 + 0x30;
                                                                          													}
                                                                          													 *(_t145 + _t142 - 0x1c) = _t112;
                                                                          													_t142 = _t142 + 1;
                                                                          													__eflags = _t142;
                                                                          												} else {
                                                                          													__eflags = _t111;
                                                                          													if(_t111 != 0) {
                                                                          														goto L15;
                                                                          													}
                                                                          												}
                                                                          												_t26 =  &_v16;
                                                                          												 *_t26 = _v16 - 4;
                                                                          												__eflags =  *_t26;
                                                                          											} while ( *_t26 >= 0);
                                                                          											_t28 = _t145 + _t142 - 0x1c;
                                                                          											 *_t28 =  *(_t145 + _t142 - 0x1c) & 0x00000000;
                                                                          											__eflags =  *_t28;
                                                                          										} else {
                                                                          											_v31 = _v31 & _t108;
                                                                          											_v32 = 0x30;
                                                                          										}
                                                                          										E0041CBF9(_a4, __eflags, "%h",  &_v32, _t143 + _t144, 1, 1);
                                                                          										_t95 =  &_v32;
                                                                          										L33:
                                                                          										_push(_t95);
                                                                          										goto L34;
                                                                          									} else {
                                                                          										_t153 = _t132 == 0xb;
                                                                          										if(_t132 == 0xb) {
                                                                          											_t116 =  &(_t86[4]);
                                                                          											_v12 = _t116;
                                                                          											_v20 =  *_t116;
                                                                          											E0041CBF9(_a4, _t153, "%s",  *_t116, _t143 + _t144, 1, 1);
                                                                          											_push(_v20);
                                                                          											L34:
                                                                          											_t79 = lstrlenA() - 2; // 0x3a73656c
                                                                          											_t144 = _t144 + _t79;
                                                                          										}
                                                                          									}
                                                                          								}
                                                                          							}
                                                                          						}
                                                                          						L35:
                                                                          						_t143 = _t143 + 1;
                                                                          						if(_t143 < lstrlenA(_a8) - 1) {
                                                                          							_t86 = _v12;
                                                                          							continue;
                                                                          						}
                                                                          						goto L36;
                                                                          					}
                                                                          				}
                                                                          				L36:
                                                                          				return _a4;
                                                                          			}





































                                                                          0x0041c528
                                                                          0x0041c52b
                                                                          0x0041c52d
                                                                          0x0041c533
                                                                          0x0041c533
                                                                          0x0041c536
                                                                          0x0041c53c
                                                                          0x0041c53c
                                                                          0x0041c538
                                                                          0x0041c538
                                                                          0x0041c538
                                                                          0x0041c53e
                                                                          0x0041c542
                                                                          0x0041c542
                                                                          0x0041c52f
                                                                          0x0041c52f
                                                                          0x0041c531
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0041c531
                                                                          0x0041c543
                                                                          0x0041c543
                                                                          0x0041c543
                                                                          0x0041c543
                                                                          0x0041c549
                                                                          0x0041c549
                                                                          0x0041c549
                                                                          0x0041c50e
                                                                          0x0041c50e
                                                                          0x0041c511
                                                                          0x0041c511
                                                                          0x0041c562
                                                                          0x0041c567
                                                                          0x0041c63e
                                                                          0x0041c63e
                                                                          0x00000000
                                                                          0x0041c4cd
                                                                          0x0041c4cd
                                                                          0x0041c4d0
                                                                          0x0041c4d6
                                                                          0x0041c4db
                                                                          0x0041c4ef
                                                                          0x0041c4f2
                                                                          0x0041c4f7
                                                                          0x0041c63f
                                                                          0x0041c641
                                                                          0x0041c641
                                                                          0x0041c641
                                                                          0x0041c4d0
                                                                          0x0041c4cb
                                                                          0x0041c4c2
                                                                          0x0041c4bb
                                                                          0x0041c645
                                                                          0x0041c648
                                                                          0x0041c64e
                                                                          0x0041c49c
                                                                          0x00000000
                                                                          0x0041c49c
                                                                          0x00000000
                                                                          0x0041c64e
                                                                          0x0041c49f
                                                                          0x0041c654
                                                                          0x0041c65b

                                                                          APIs
                                                                            • Part of subcall function 0041C047: lstrlenA.KERNEL32(00000000,00422D86,0047E788,004221EF,103,00000000,00000000,00000000,00000000,0047E788,00000000), ref: 0041C04F
                                                                            • Part of subcall function 0041C047: GlobalUnlock.KERNEL32(8415FF57), ref: 0041C067
                                                                            • Part of subcall function 0041C047: GlobalReAlloc.KERNEL32 ref: 0041C074
                                                                            • Part of subcall function 0041C047: GlobalLock.KERNEL32 ref: 0041C095
                                                                          • lstrlenA.KERNEL32(?,?,00000000,?,0042DB90,0047E788), ref: 0041C489
                                                                          • lstrlenA.KERNEL32(00000000,0042D4D0,00000000,00000000,00000001,00000001), ref: 0041C63F
                                                                            • Part of subcall function 0041CBF9: lstrlenA.KERNEL32(00000000,00000001,0042DB90,74E06980,0042DB90,?,0041C63B,0042D4D0,00000000,00000000,00000001,00000001), ref: 0041CC0B
                                                                            • Part of subcall function 0041CBF9: lstrlenA.KERNEL32(00000001,?,0041C63B,0042D4D0,00000000,00000000,00000001,00000001), ref: 0041CC12
                                                                          • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407DB6), ref: 0041C649
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: lstrlen$Global$AllocLockUnlock
                                                                          • String ID: 0$0$Files:
                                                                          • API String ID: 4127010206-878858382
                                                                          • Opcode ID: 113a8afbf2adde3107a447d089c6d2c3fd82a06444fa93a62c1bca81b52230a8
                                                                          • Instruction ID: 0ebba43547ad7c447cfe6da4dc9b66f8907a2b5e87f98b2ae228ac07d7ae3c7d
                                                                          • Opcode Fuzzy Hash: 113a8afbf2adde3107a447d089c6d2c3fd82a06444fa93a62c1bca81b52230a8
                                                                          • Instruction Fuzzy Hash: 7651CE31E44259BBEF05CFA8CCC5BEEBBB5EF04304F14805AE401AA281D779AA85CB54
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 81%
                                                                          			E0041ED05(struct HWND__** __ecx) {
                                                                          				signed int _v8;
                                                                          				signed int _v12;
                                                                          				struct tagRECT _v28;
                                                                          				struct tagRECT _v44;
                                                                          				struct HDC__* _t61;
                                                                          				signed int _t67;
                                                                          				signed int _t73;
                                                                          				signed int _t74;
                                                                          				void* _t81;
                                                                          				signed int _t83;
                                                                          				void* _t95;
                                                                          				signed int _t104;
                                                                          				signed int _t105;
                                                                          				signed int _t106;
                                                                          				signed int _t109;
                                                                          				long _t120;
                                                                          				signed int _t121;
                                                                          				struct HDC__* _t122;
                                                                          				long _t123;
                                                                          				struct HWND__** _t124;
                                                                          
                                                                          				_t124 = __ecx;
                                                                          				_t61 =  *(__ecx + 4);
                                                                          				if(_t61 == 0 || ( *(__ecx + 0x24) & 0x00000004) != 0) {
                                                                          					L16:
                                                                          					return 0;
                                                                          				} else {
                                                                          					_t120 = 2;
                                                                          					_v28.left = _t120;
                                                                          					_v28.right =  *((intOrPtr*)(__ecx + 0x1c)) -  *((intOrPtr*)(__ecx + 0x14)) - _t120;
                                                                          					_v28.top = _t120;
                                                                          					_v28.bottom =  *((intOrPtr*)(__ecx + 0x20)) -  *((intOrPtr*)(__ecx + 0x18)) - _t120;
                                                                          					if(FillRect(_t61,  &_v28, 0x10) != 0) {
                                                                          						_t104 = 0x64;
                                                                          						_t67 = ( *((intOrPtr*)(__ecx + 0x1c)) -  *((intOrPtr*)(__ecx + 0x14)) - 4) *  *(__ecx + 0x10);
                                                                          						asm("cdq");
                                                                          						_t113 = _t67 % _t104;
                                                                          						_t105 = _t67 / _t104;
                                                                          						if(( *(__ecx + 0x24) & 0x00000001) == 0) {
                                                                          							_t121 =  *((intOrPtr*)(__ecx + 0x28)) + 2;
                                                                          							asm("cdq");
                                                                          							_t73 = (_t121 - _t113 >> 1) + _t105;
                                                                          							_t106 = 0;
                                                                          							asm("cdq");
                                                                          							_t74 = _t73 / _t121;
                                                                          							_t113 = _t73 % _t121;
                                                                          							_v12 = _t74;
                                                                          							if(_t74 <= 0) {
                                                                          								L11:
                                                                          								if((_t124[9] & 0x00000001) == 0 || E0041EB0F(_t124, _t113) >= 0) {
                                                                          									_t122 = GetDC( *_t124);
                                                                          									if(_t122 != 0) {
                                                                          										if(BitBlt(_t122, _t124[5], _t124[6], _t124[7] - _t124[5], _t124[8] - _t124[6], _t124[1], 0, 0, 0xcc0020) != 0) {
                                                                          											_push(1);
                                                                          										} else {
                                                                          											_push(0xfffffff7);
                                                                          										}
                                                                          										_pop(_t95);
                                                                          										ReleaseDC( *_t124, _t122);
                                                                          										return _t95;
                                                                          									}
                                                                          									goto L16;
                                                                          								} else {
                                                                          									_push(0xfffffff8);
                                                                          									L14:
                                                                          									_pop(_t81);
                                                                          									return _t81;
                                                                          								}
                                                                          							}
                                                                          							_t123 = 3;
                                                                          							while(1) {
                                                                          								_t83 =  &(_t124[0xa]->i);
                                                                          								_v44.top = _t123;
                                                                          								_t113 = _t83 * _t106 + _t123;
                                                                          								_t109 = _t106 + 1;
                                                                          								_v8 = _t109;
                                                                          								_v44.left = _t83 * _t106 + _t123;
                                                                          								_v44.right = _t109 * _t83 + 1;
                                                                          								_v44.bottom = _t124[8] - _t124[6] - _t123;
                                                                          								if(FillRect(_t124[1],  &_v44, _t124[3]) == 0) {
                                                                          									break;
                                                                          								}
                                                                          								_t106 = _v8;
                                                                          								if(_t106 < _v12) {
                                                                          									continue;
                                                                          								}
                                                                          								goto L11;
                                                                          							}
                                                                          							L6:
                                                                          							_push(0xfffffff9);
                                                                          							goto L14;
                                                                          						}
                                                                          						_v44.left = _t120;
                                                                          						_v44.top = _t120;
                                                                          						_v44.right = _t105 + 2;
                                                                          						_v44.bottom =  *((intOrPtr*)(__ecx + 0x20)) -  *((intOrPtr*)(__ecx + 0x18)) - _t120;
                                                                          						if(FillRect( *(__ecx + 4),  &_v44,  *(__ecx + 0xc)) != 0) {
                                                                          							goto L11;
                                                                          						}
                                                                          						goto L6;
                                                                          					}
                                                                          					_push(0xfffffffa);
                                                                          					goto L14;
                                                                          				}
                                                                          			}

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: FillRect$Release
                                                                          • String ID:
                                                                          • API String ID: 1083154806-0
                                                                          • Opcode ID: 39eeff6ec04cb99a4edfaf3109efffefae14775aa6b410768b86bd2bcacc964e
                                                                          • Instruction ID: 51cebc95b3b2b8c5e61734997514edc2417931a881d4bd94c21e6ef9b22fab1f
                                                                          • Opcode Fuzzy Hash: 39eeff6ec04cb99a4edfaf3109efffefae14775aa6b410768b86bd2bcacc964e
                                                                          • Instruction Fuzzy Hash: 4C51E375A007069FDB24CF6ACD45AABFBF9EF88710F10461EE942D2690D770E981CB18
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0040A736(char __ecx) {
                                                                          				char _v8;
                                                                          				char _v12;
                                                                          				char _v272;
                                                                          				int _t36;
                                                                          				char _t84;
                                                                          				void* _t86;
                                                                          
                                                                          				_t84 = __ecx;
                                                                          				_v8 = __ecx;
                                                                          				if(( *0x47e194 & 0x00000001) != 0) {
                                                                          					E0041DBA4( *((intOrPtr*)(__ecx + 4)), 0x14,  &_v12);
                                                                          					_t86 = _t86 + 0xc;
                                                                          					E0041BF12(0x47e1b8, _v12);
                                                                          					_t36 = E00424DCE(_v12);
                                                                          				}
                                                                          				if(( *0x47e194 & 0x00000004) != 0) {
                                                                          					E0041DBA4( *(_t84 + 4), 0x15,  &_v12);
                                                                          					_t86 = _t86 + 0xc;
                                                                          					E0041BF12(0x47e1c4, _v12);
                                                                          					_t36 = E00424DCE(_v12);
                                                                          				}
                                                                          				if(( *0x47e194 & 0x00000010) != 0) {
                                                                          					if(( *0x47e190 & 0x00000080) == 0) {
                                                                          						E0041DBA4( *(_t84 + 4), 0x16,  &_v8);
                                                                          						E0041BF12(0x47e1d0, _v8);
                                                                          						return E00424DCE(_v8);
                                                                          					}
                                                                          					GetDlgItemTextA( *(_t84 + 4), 0x17,  &_v272, 0x104);
                                                                          					_t36 = lstrlenA( &_v272);
                                                                          					if(_t36 ==  *0x47e664) {
                                                                          						E0041BF12(0x47e1d0,  &_v272);
                                                                          						E0041BFF8(0x47e1d0, 0x2d);
                                                                          						GetDlgItemTextA( *(_v8 + 4), 0x18,  &_v272, 0x104);
                                                                          						if(lstrlenA( &_v272) !=  *0x47e668) {
                                                                          							L10:
                                                                          							return E0041BF12(0x47e1d0, 0x42e0c8);
                                                                          						}
                                                                          						E0041C047(0x47e1d0,  &_v272, 0);
                                                                          						E0041BFF8(0x47e1d0, 0x2d);
                                                                          						GetDlgItemTextA( *(_v8 + 4), 0x19,  &_v272, 0x104);
                                                                          						if(lstrlenA( &_v272) !=  *0x47e66c) {
                                                                          							goto L10;
                                                                          						}
                                                                          						return E0041C047(0x47e1d0,  &_v272, 0);
                                                                          					}
                                                                          				}
                                                                          				return _t36;
                                                                          			}










                                                                          APIs
                                                                          • GetDlgItemTextA.USER32 ref: 0040A7D8
                                                                          • lstrlenA.KERNEL32(?), ref: 0040A7E7
                                                                          • GetDlgItemTextA.USER32 ref: 0040A825
                                                                          • lstrlenA.KERNEL32(?), ref: 0040A82E
                                                                          • GetDlgItemTextA.USER32 ref: 0040A865
                                                                          • lstrlenA.KERNEL32(?), ref: 0040A86E
                                                                            • Part of subcall function 0041DBA4: GetDlgItem.USER32 ref: 0041DBAF
                                                                            • Part of subcall function 0041DBA4: GetWindowTextLengthA.USER32(00000000), ref: 0041DBB8
                                                                            • Part of subcall function 0041BF12: GlobalUnlock.KERNEL32(0217020C,00000104,00000000,0041929A,00000000), ref: 0041BF19
                                                                            • Part of subcall function 0041BF12: GlobalReAlloc.KERNEL32 ref: 0041BF3B
                                                                            • Part of subcall function 0041BF12: GlobalLock.KERNEL32 ref: 0041BF5C
                                                                            • Part of subcall function 0041BF12: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0047DFB8), ref: 0041BF2C
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: ItemTextlstrlen$Global$AllocLengthLockUnlockWindow
                                                                          • String ID:
                                                                          • API String ID: 3218319920-0
                                                                          • Opcode ID: a958e4ce70b71c14c951e7f8eeb3b4799bad585ea4ebaa6a7b20b7fa26e27c02
                                                                          • Instruction ID: c3ea2f18b3b25a3017e395926b3782d2fe5e2a6f3110804de850d1408f6535d8
                                                                          • Opcode Fuzzy Hash: a958e4ce70b71c14c951e7f8eeb3b4799bad585ea4ebaa6a7b20b7fa26e27c02
                                                                          • Instruction Fuzzy Hash: 834104B5600218ABEB11E751DC42FDD77A8DF08708F4081BBF608A21E2D7789E819F4D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 78%
                                                                          			E004272C5(int _a4, char* _a8, int _a12, short* _a16, int _a20, int _a24, signed int _a28) {
                                                                          				int _v8;
                                                                          				intOrPtr _v20;
                                                                          				short* _v28;
                                                                          				short _v32;
                                                                          				int _v36;
                                                                          				short* _v40;
                                                                          				void* _v56;
                                                                          				int _t31;
                                                                          				int _t32;
                                                                          				int _t37;
                                                                          				int _t43;
                                                                          				int _t44;
                                                                          				int _t45;
                                                                          				void* _t53;
                                                                          				short* _t60;
                                                                          				int _t61;
                                                                          				intOrPtr _t62;
                                                                          				short* _t63;
                                                                          
                                                                          				_push(0xffffffff);
                                                                          				_push(0x428b28);
                                                                          				_push(E00424EE0);
                                                                          				_push( *[fs:0x0]);
                                                                          				 *[fs:0x0] = _t62;
                                                                          				_t63 = _t62 - 0x18;
                                                                          				_v28 = _t63;
                                                                          				_t31 =  *0x47f4a4; // 0x1
                                                                          				if(_t31 != 0) {
                                                                          					L6:
                                                                          					if(_t31 != 2) {
                                                                          						if(_t31 != 1) {
                                                                          							goto L18;
                                                                          						} else {
                                                                          							if(_a20 == 0) {
                                                                          								_t44 =  *0x47f4cc; // 0x0
                                                                          								_a20 = _t44;
                                                                          							}
                                                                          							asm("sbb eax, eax");
                                                                          							_t37 = MultiByteToWideChar(_a20, ( ~_a28 & 0x00000008) + 1, _a8, _a12, 0, 0);
                                                                          							_v36 = _t37;
                                                                          							if(_t37 == 0) {
                                                                          								goto L18;
                                                                          							} else {
                                                                          								_v8 = 0;
                                                                          								E00425220(_t37 + _t37 + 0x00000003 & 0x000000fc, _t53);
                                                                          								_v28 = _t63;
                                                                          								_t60 = _t63;
                                                                          								_v40 = _t60;
                                                                          								E00424500(_t60, 0, _t37 + _t37);
                                                                          								_v8 = _v8 | 0xffffffff;
                                                                          								if(_t60 == 0) {
                                                                          									goto L18;
                                                                          								} else {
                                                                          									_t43 = MultiByteToWideChar(_a20, 1, _a8, _a12, _t60, _v36);
                                                                          									if(_t43 == 0) {
                                                                          										goto L18;
                                                                          									} else {
                                                                          										_t32 = GetStringTypeW(_a4, _t60, _t43, _a16);
                                                                          									}
                                                                          								}
                                                                          							}
                                                                          						}
                                                                          					} else {
                                                                          						_t45 = _a24;
                                                                          						if(_t45 == 0) {
                                                                          							_t45 =  *0x47f4bc; // 0x0
                                                                          						}
                                                                          						_t32 = GetStringTypeA(_t45, _a4, _a8, _a12, _a16);
                                                                          					}
                                                                          				} else {
                                                                          					_push( &_v32);
                                                                          					_t61 = 1;
                                                                          					if(GetStringTypeW(_t61, 0x428b24, _t61, ??) == 0) {
                                                                          						if(GetStringTypeA(0, _t61, 0x428b20, _t61,  &_v32) == 0) {
                                                                          							L18:
                                                                          							_t32 = 0;
                                                                          						} else {
                                                                          							_t31 = 2;
                                                                          							goto L5;
                                                                          						}
                                                                          					} else {
                                                                          						_t31 = _t61;
                                                                          						L5:
                                                                          						 *0x47f4a4 = _t31;
                                                                          						goto L6;
                                                                          					}
                                                                          				}
                                                                          				 *[fs:0x0] = _v20;
                                                                          				return _t32;
                                                                          			}






















                                                                          APIs
                                                                          • GetStringTypeW.KERNEL32(00000001,00428B24,00000001,00000000,?,00000100,00000000,00426E86,00000001,00000020,00000100,?,00000000), ref: 00427304
                                                                          • GetStringTypeA.KERNEL32(00000000,00000001,00428B20,00000001,00000000,?,00000100,00000000,00426E86,00000001,00000020,00000100,?,00000000), ref: 0042731E
                                                                          • GetStringTypeA.KERNEL32(00000000,?,00000100,00000020,00000001,?,00000100,00000000,00426E86,00000001,00000020,00000100,?,00000000), ref: 00427352
                                                                          • MultiByteToWideChar.KERNEL32(00426E86,00000101,00000100,00000020,00000000,00000000,?,00000100,00000000,00426E86,00000001,00000020,00000100,?,00000000), ref: 0042738A
                                                                          • MultiByteToWideChar.KERNEL32(00426E86,00000001,00000100,00000020,?,00000100,?,00000100,00000000,00426E86,00000001,00000020,00000100,?), ref: 004273E0
                                                                          • GetStringTypeW.KERNEL32(?,?,00000000,00000001,?,00000100,?,00000100,00000000,00426E86,00000001,00000020,00000100,?), ref: 004273F2
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: StringType$ByteCharMultiWide
                                                                          • String ID:
                                                                          • API String ID: 3852931651-0
                                                                          • Opcode ID: 61453ecd1c249a1ce5133ae697db4f5c2d8e35c1aecd411161b274758355ec87
                                                                          • Instruction ID: 6be327ffa1a4198f4d6f994e72d681d04775553015f1cfaff04cbce36024448d
                                                                          • Opcode Fuzzy Hash: 61453ecd1c249a1ce5133ae697db4f5c2d8e35c1aecd411161b274758355ec87
                                                                          • Instruction Fuzzy Hash: 11418B7270522AAFCF20CF94EC85AAF3F68FB09350F50442AFD11D22A0D7788951DB99
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 82%
                                                                          			E0041A2C6(void* __ecx) {
                                                                          				CHAR* _v8;
                                                                          				void* _t10;
                                                                          				void* _t14;
                                                                          				char* _t17;
                                                                          				CHAR* _t20;
                                                                          				void* _t34;
                                                                          
                                                                          				_push(__ecx);
                                                                          				_t34 = __ecx;
                                                                          				if(( *0x47e192 & 0x00000020) == 0) {
                                                                          					L6:
                                                                          					_push(1);
                                                                          					L7:
                                                                          					_pop(_t10);
                                                                          					return _t10;
                                                                          				}
                                                                          				E0041B3B9(__ecx, 0x47e670, 0x7fffffff);
                                                                          				E0041B3B9(_t34, 0x47e67c, 0x7fffffff);
                                                                          				_t14 = E0041CD1E(0x47e67c);
                                                                          				if(E0041DAE7( *0x47e660, E0041CD1E(0x47e670), _t14,  &_v8) <= 0) {
                                                                          					__eflags =  *0x47e338; // 0x10
                                                                          					if(__eflags != 0) {
                                                                          						goto L6;
                                                                          					}
                                                                          					_t17 = E0041D46F("<__Internal_DirNotFound__>");
                                                                          					__eflags = _t17;
                                                                          					if(_t17 == 0) {
                                                                          						_t17 = "Couldn\'t read destination directory from registry. Aborting";
                                                                          					}
                                                                          					E0041B2A8(0, _t17, 0);
                                                                          					_push(0xffffffec);
                                                                          					goto L7;
                                                                          				}
                                                                          				E0041BF12(0x47e338, _v8);
                                                                          				_t20 = _v8;
                                                                          				if( *_t20 != 0 &&  *((char*)(lstrlenA(_t20) + _v8 - 1)) != 0x5c) {
                                                                          					E0041BFF8(0x47e338, 0x5c);
                                                                          				}
                                                                          				E00424DCE(_v8);
                                                                          				goto L6;
                                                                          			}










                                                                          APIs
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                            • Part of subcall function 0041BF12: GlobalUnlock.KERNEL32(0217020C,00000104,00000000,0041929A,00000000), ref: 0041BF19
                                                                            • Part of subcall function 0041BF12: GlobalReAlloc.KERNEL32 ref: 0041BF3B
                                                                            • Part of subcall function 0041BF12: GlobalLock.KERNEL32 ref: 0041BF5C
                                                                          • lstrlenA.KERNEL32(0041817C,0041817C,00000001,00000000,?,0041817C,?,?,0047DFB8,00000000), ref: 0041A33C
                                                                            • Part of subcall function 0041BFF8: GlobalUnlock.KERNEL32(8415FF57,0047E788,004221E2,00000000,00000000,00000000,0047E788,00000000), ref: 0041C000
                                                                            • Part of subcall function 0041BFF8: GlobalReAlloc.KERNEL32 ref: 0041C00D
                                                                            • Part of subcall function 0041BFF8: GlobalLock.KERNEL32 ref: 0041C02E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocLockUnlock$lstrlen
                                                                          • String ID: 8G$<__Internal_DirNotFound__>$Couldn't read destination directory from registry. Aborting$pG$|G
                                                                          • API String ID: 878976672-2294415296
                                                                          • Opcode ID: 1d2f0c179e2808cabb6edd0fc3a47c8b5d393f36232cda0ed35bcb0b05661669
                                                                          • Instruction ID: 98707ccd7f9e9314107195a16b5fe33a87529964cf95b42a167967a965c268bb
                                                                          • Opcode Fuzzy Hash: 1d2f0c179e2808cabb6edd0fc3a47c8b5d393f36232cda0ed35bcb0b05661669
                                                                          • Instruction Fuzzy Hash: B7113B706412286ADB1173668C06FEF2A5DCF45324F6441AFFD18E72D1CB6C0D8092AD
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0041A256(void* __ecx) {
                                                                          				struct tagMSG _v32;
                                                                          				intOrPtr _t15;
                                                                          				void* _t24;
                                                                          
                                                                          				_t24 = __ecx;
                                                                          				L1:
                                                                          				while(PeekMessageA( &_v32, 0, 0, 0, 0) != 0) {
                                                                          					if(GetMessageA( &_v32, 0, 0, 0) == 0) {
                                                                          						return _v32.wParam;
                                                                          					}
                                                                          					_t3 = _t24 + 0x158; // 0x0
                                                                          					_t15 =  *_t3;
                                                                          					if(_t15 == 0 || IsDialogMessageA( *(_t15 + 4),  &_v32) == 0) {
                                                                          						TranslateMessage( &_v32);
                                                                          						DispatchMessageA( &_v32);
                                                                          					}
                                                                          				}
                                                                          				WaitMessage();
                                                                          				goto L1;
                                                                          			}







                                                                          APIs
                                                                          • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0041A26A
                                                                          • GetMessageA.USER32 ref: 0041A27B
                                                                          • IsDialogMessageA.USER32(?,?,?,0041529B,00000000,?,?,00000000), ref: 0041A297
                                                                          • TranslateMessage.USER32(?), ref: 0041A2A5
                                                                          • DispatchMessageA.USER32 ref: 0041A2AF
                                                                          • WaitMessage.USER32(?,0041529B,00000000,?,?,00000000), ref: 0041A2B7
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Message$DialogDispatchPeekTranslateWait
                                                                          • String ID:
                                                                          • API String ID: 3298547167-0
                                                                          • Opcode ID: 604008bfe091b565b834a33188d37d6adf91f7f09843a3d340f2d604e6b1a507
                                                                          • Instruction ID: 9a9fed00297a081154bdabad59b2a154639d1f590cc810b1ff3e124008c44952
                                                                          • Opcode Fuzzy Hash: 604008bfe091b565b834a33188d37d6adf91f7f09843a3d340f2d604e6b1a507
                                                                          • Instruction Fuzzy Hash: BC012171A03116AB8B209BA5DC4CCEFBB7CEF417917444069B805D2214DA39E946C7B9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 94%
                                                                          			E0040C66A(void* __ecx) {
                                                                          				signed int _v8;
                                                                          				signed int _v12;
                                                                          				signed int _v16;
                                                                          				char _v28;
                                                                          				char _v40;
                                                                          				signed int _v44;
                                                                          				intOrPtr _v64;
                                                                          				char* _v68;
                                                                          				long _v80;
                                                                          				void* _v84;
                                                                          				char _v340;
                                                                          				void* __edi;
                                                                          				void* __ebp;
                                                                          				signed int* _t84;
                                                                          				signed int* _t111;
                                                                          				void* _t129;
                                                                          				signed int* _t131;
                                                                          				signed int* _t144;
                                                                          				signed int* _t167;
                                                                          				signed int _t169;
                                                                          				long _t171;
                                                                          				signed int _t172;
                                                                          				signed int* _t174;
                                                                          				void* _t176;
                                                                          
                                                                          				_t129 = __ecx;
                                                                          				_t174 = 0;
                                                                          				 *0x47e608 = 0;
                                                                          				_t84 =  *(__ecx + 0xb0);
                                                                          				_t169 = _t84[1];
                                                                          				_v44 = _t169;
                                                                          				if(_t169 != 0) {
                                                                          					_t131 =  *0x47e604; // 0x0
                                                                          					if(_t131 != 0) {
                                                                          						_push(3);
                                                                          						E0040C90C(_t131, _t169);
                                                                          					}
                                                                          					_t84 = E00424DD9((_t169 << 4) + 4);
                                                                          					if(_t84 != _t174) {
                                                                          						 *_t84 = _t169;
                                                                          						_t4 =  &(_t84[1]); // 0x4
                                                                          						_t174 = _t4;
                                                                          						_t84 = _t169 - 1;
                                                                          						if(_t84 >= 0) {
                                                                          							_t6 =  &(_t174[1]); // 0x8
                                                                          							_v12 = _t6;
                                                                          							_v8 =  &(_t84[0]);
                                                                          							do {
                                                                          								_t84 = E0041BDC5(_v12);
                                                                          								_v12 = _v12 + 0x10;
                                                                          								_t12 =  &_v8;
                                                                          								 *_t12 = _v8 - 1;
                                                                          							} while ( *_t12 != 0);
                                                                          						}
                                                                          					}
                                                                          					 *0x47e604 = _t174;
                                                                          					if(_t174 == 0) {
                                                                          						_t84 = E0041D881(E0041CD1E(0x47e924));
                                                                          					}
                                                                          					_v12 = _v12 & 0x00000000;
                                                                          					 *0x47e608 = _t169;
                                                                          					if(_t169 > 0) {
                                                                          						_v16 = _v16 & 0x00000000;
                                                                          						do {
                                                                          							_t84 = E00406060( *((intOrPtr*)(_t129 + 0xb0)), _v12);
                                                                          							_v8 = _t84;
                                                                          							if(_t84 != 0) {
                                                                          								E0041BDC5( &_v40);
                                                                          								E0041BDC5( &_v28);
                                                                          								_t171 =  *_v8;
                                                                          								E00424500( &_v84, 0, 0x28);
                                                                          								_t176 = _t176 + 0xc;
                                                                          								_v68 =  &_v340;
                                                                          								_v84 = 0x11;
                                                                          								_v64 = 0x100;
                                                                          								_v80 = _t171;
                                                                          								SendMessageA( *( *((intOrPtr*)(_t129 + 0xb0)) + 0xc), 0x110c, 0,  &_v84);
                                                                          								E0041BF12( &_v28, _v68);
                                                                          								if(E0041C7DB( &_v28, "(", 0, 1) != 0xffffffff) {
                                                                          									E0041C3A9( &_v28, _t98 - 1, _v28 - _t98 + 1);
                                                                          								}
                                                                          								E0041BF80( &_v40,  &_v28);
                                                                          								while(1) {
                                                                          									_t171 = SendMessageA( *( *((intOrPtr*)(_t129 + 0xb0)) + 0xc), 0x110a, 3, _t171);
                                                                          									if(_t171 == 0) {
                                                                          										break;
                                                                          									}
                                                                          									_v80 = _t171;
                                                                          									SendMessageA( *( *((intOrPtr*)(_t129 + 0xb0)) + 0xc), 0x110c, 0,  &_v84);
                                                                          									E0041BF12( &_v28, _v68);
                                                                          									if(E0041C7DB( &_v28, "(", 0, 1) != 0xffffffff) {
                                                                          										E0041C3A9( &_v28, _t118 - 1, _v28 - _t118 + 1);
                                                                          									}
                                                                          									E0041CA20( &_v40, "_", 0, 0);
                                                                          									E0041CA20( &_v40, E0041CD1E( &_v28), 0, 0);
                                                                          								}
                                                                          								E0041CA20( &_v40, "<II_", 0, 0);
                                                                          								E0041C047( &_v40, ">", 0);
                                                                          								_t172 = _v8;
                                                                          								__eflags =  *((intOrPtr*)(_t172 + 8));
                                                                          								if( *((intOrPtr*)(_t172 + 8)) <= 0) {
                                                                          									_push("0");
                                                                          								} else {
                                                                          									_push(0x42b9bc);
                                                                          								}
                                                                          								_push(E0041CD1E( &_v40));
                                                                          								E0041D0FD( &_v40);
                                                                          								_v8 = _v8 & 0x00000000;
                                                                          								__eflags =  *((intOrPtr*)(_t172 + 0x18));
                                                                          								if( *((intOrPtr*)(_t172 + 0x18)) > 0) {
                                                                          									do {
                                                                          										_t111 =  *0x47e604; // 0x0
                                                                          										E0041BFF8( &(_t111[1]) + _v16, 9);
                                                                          										_v8 = _v8 + 1;
                                                                          										__eflags = _v8 -  *((intOrPtr*)(_t172 + 0x18));
                                                                          									} while (_v8 <  *((intOrPtr*)(_t172 + 0x18)));
                                                                          								}
                                                                          								_t167 =  *0x47e604; // 0x0
                                                                          								__eflags =  *((intOrPtr*)(_t172 + 8));
                                                                          								 *(_t167 + _v16) = 0 |  *((intOrPtr*)(_t172 + 8)) > 0x00000000;
                                                                          								_t144 =  *0x47e604; // 0x0
                                                                          								__eflags = _t172 + 0xc;
                                                                          								_t75 =  &(_t144[1]); // 0x4
                                                                          								E0041C0C5(_t75 + _v16, _t172 + 0xc, _t172 + 0xc);
                                                                          								E0041BEFB( &_v28);
                                                                          								_t84 = E0041BEFB( &_v40);
                                                                          								_t169 = _v44;
                                                                          							}
                                                                          							_v12 = _v12 + 1;
                                                                          							_v16 = _v16 + 0x10;
                                                                          							__eflags = _v12 - _t169;
                                                                          						} while (_v12 < _t169);
                                                                          					}
                                                                          				}
                                                                          				return _t84;
                                                                          			}




























                                                                          APIs
                                                                          • SendMessageA.USER32(00000000,0000110C,00000000,?), ref: 0040C782
                                                                          • SendMessageA.USER32(00000000,0000110A,00000003,?), ref: 0040C7D4
                                                                          • SendMessageA.USER32(00000000,0000110C,00000000,00000011), ref: 0040C7F3
                                                                            • Part of subcall function 0041BF12: GlobalUnlock.KERNEL32(0217020C,00000104,00000000,0041929A,00000000), ref: 0041BF19
                                                                            • Part of subcall function 0041BF12: GlobalReAlloc.KERNEL32 ref: 0041BF3B
                                                                            • Part of subcall function 0041BF12: GlobalLock.KERNEL32 ref: 0041BF5C
                                                                            • Part of subcall function 0041C7DB: lstrlenA.KERNEL32(0047DFB8,00000000,0047DE94,0042BC5C,0042BC5C,00000000,00000001,0047E6C8,?,0047DFB8), ref: 0041C7E9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: GlobalMessageSend$AllocLockUnlocklstrlen
                                                                          • String ID: $G$<II_
                                                                          • API String ID: 1494865645-922916322
                                                                          • Opcode ID: b9f56a72e6b5cccd65ee82c4a017a634706126ff13888642351831db160f8511
                                                                          • Instruction ID: f4c6c7f1c56e6f66badf9017ba5c36f6f732dc675927b6575f4ba8211be110fc
                                                                          • Opcode Fuzzy Hash: b9f56a72e6b5cccd65ee82c4a017a634706126ff13888642351831db160f8511
                                                                          • Instruction Fuzzy Hash: A681AE71A40209EBDB14EB95CC82FEEB7B5EF04704F60416EE501BB2D1DB74A985CB88
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 95%
                                                                          			E00411692(intOrPtr __ecx, void* __eflags, long _a4, long* _a8, intOrPtr* _a12, char* _a16) {
                                                                          				intOrPtr _v8;
                                                                          				char _v20;
                                                                          				void* _t24;
                                                                          				short _t32;
                                                                          				void* _t35;
                                                                          				void* _t53;
                                                                          				void* _t55;
                                                                          				void* _t83;
                                                                          				long _t84;
                                                                          				signed int _t86;
                                                                          				signed int _t87;
                                                                          
                                                                          				_t84 = _a4;
                                                                          				_t3 = _t84 + 0x34; // 0x0
                                                                          				_v8 = __ecx;
                                                                          				_t24 = E0041CD1E(0x47e6c8);
                                                                          				_t60 = _a8;
                                                                          				if(E0041CAC5(_a8, _t24,  *_a12,  *_t3) >= 0) {
                                                                          					E004164B1(0x47dfb8, __eflags, _t60);
                                                                          					E0041A81A(__eflags, _t60);
                                                                          					E0041B3B9(0x47dfb8, _t60, 0x7fffffff);
                                                                          					 *_a16 = 1;
                                                                          					_t8 = _t84 + 0x34; // 0x0
                                                                          					 *0x47f200 =  *0x47f200 +  *_t8;
                                                                          					_t32 = E0040DF52(E0041CD1E(_t60));
                                                                          					__eflags = _t32;
                                                                          					if(_t32 != 0) {
                                                                          						_t83 = CreateFileA(E0041CD1E(_t60), 0x80000000, 1, 0, 3, 0x80, 0);
                                                                          						__eflags = _t83 - 0xffffffff;
                                                                          						if(_t83 != 0xffffffff) {
                                                                          							_a4 = _a4 & 0x00000000;
                                                                          							 *((intOrPtr*)(_t84 + 0x34)) = GetFileSize(_t83,  &_a4);
                                                                          							_t19 = _t84 + 0x10; // 0x47e890
                                                                          							_t20 = _t84 + 0x18; // 0x47e898
                                                                          							GetFileTime(_t83, _t20, 0, _t19);
                                                                          							CloseHandle(_t83);
                                                                          							_t21 = _t84 + 0x24; // 0x47e8a4
                                                                          							_t22 = _t84 + 0x20; // 0x47e8a0
                                                                          							E0040D883(E0041CD1E(_t60), _t22, _t21);
                                                                          							__eflags = _t84 + 0x28;
                                                                          							E0040D917(E0041CD1E(_t60), _t84 + 0x28, 0);
                                                                          						}
                                                                          						_t35 = 1;
                                                                          						return _t35;
                                                                          					}
                                                                          					E0041BDC5( &_v20);
                                                                          					_push(E0041CD1E(_t60));
                                                                          					E0041C467( &_v20, E0041CD1E(0x47ee94));
                                                                          					_t53 = E0041CD1E(0x47e700);
                                                                          					_t86 =  *(_v8 + 8);
                                                                          					_t55 = E0041B2CC(0x47dfb8, _t86, E0041CD1E( &_v20), _t53, 4);
                                                                          					__eflags = _t55 - 7;
                                                                          					if(_t55 != 7) {
                                                                          						_t87 = 0;
                                                                          						__eflags = 0;
                                                                          					} else {
                                                                          						_t87 = _t86 | 0xffffffff;
                                                                          					}
                                                                          					E0041BEFB( &_v20);
                                                                          					return _t87;
                                                                          				}
                                                                          				E0041B2A8( *((intOrPtr*)(__ecx + 8)), "Couldn\'t read filename - skipping file", 0);
                                                                          				return 0;
                                                                          			}















                                                                          Strings
                                                                          • Couldn't read filename - skipping file, xrefs: 004116C6
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocCreateFileLockUnlock
                                                                          • String ID: Couldn't read filename - skipping file
                                                                          • API String ID: 386137224-3589919851
                                                                          • Opcode ID: 1a17dde42886f2bb9dc47f863d57d7fd9d6951654acd95ed662d069c9873e807
                                                                          • Instruction ID: 9ba8b95a0a887d455509938602594151a60fc8a1d70c9b17fb128ea7c1c85513
                                                                          • Opcode Fuzzy Hash: 1a17dde42886f2bb9dc47f863d57d7fd9d6951654acd95ed662d069c9873e807
                                                                          • Instruction Fuzzy Hash: 7A41E6716002046BCB10AB65DC86FFE72ADAF44318F10453FFA06E72D2DF38A8858769
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0041CA20(long* __ecx, CHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                          				long _t21;
                                                                          				void* _t24;
                                                                          				intOrPtr _t29;
                                                                          				void* _t40;
                                                                          				int _t43;
                                                                          
                                                                          				_t29 = _a8;
                                                                          				_t46 = __ecx;
                                                                          				if(_t29 <=  *((intOrPtr*)(__ecx))) {
                                                                          					_t43 = lstrlenA(_a4);
                                                                          					if(_a12 != 0) {
                                                                          						_t43 = _a12;
                                                                          					}
                                                                          					_t5 =  &(_t46[1]); // 0x0
                                                                          					 *_t46 =  *_t46 + _t43;
                                                                          					GlobalUnlock( *_t5);
                                                                          					_t6 =  &(_t46[1]); // 0x0
                                                                          					_t21 = GlobalReAlloc( *_t6,  *_t46, 0x42);
                                                                          					_t46[1] = _t21;
                                                                          					if(_t21 == 0) {
                                                                          						E0041D881(E0041CD1E(0x47e924));
                                                                          					}
                                                                          					_t8 =  &(_t46[1]); // 0x0
                                                                          					_t46[2] = GlobalLock( *_t8);
                                                                          					_t24 =  *_t46 - 1;
                                                                          					_t40 = _t43 + _t29;
                                                                          					if(_t24 < _t40) {
                                                                          						goto L9;
                                                                          					} else {
                                                                          						do {
                                                                          							_t11 =  &(_t46[2]); // 0x6b636142
                                                                          							 *((char*)( *_t11 + _t24)) =  *((intOrPtr*)( *_t11 - _t43 + _t24));
                                                                          							_t24 = _t24 - 1;
                                                                          						} while (_t24 >= _t40);
                                                                          						_t29 = _a8;
                                                                          						L9:
                                                                          						while(_t24 >= _t29) {
                                                                          							_t16 =  &(_t46[2]); // 0x6b636142
                                                                          							 *((char*)( *_t16 + _t24)) =  *((intOrPtr*)(_t24 - _t29 + _a4));
                                                                          							_t24 = _t24 - 1;
                                                                          						}
                                                                          						return _t46;
                                                                          					}
                                                                          				}
                                                                          				return __ecx;
                                                                          			}









                                                                          APIs
                                                                          • lstrlenA.KERNEL32(00000001,0042DB90,00000000,00000000,?,0041CC46,00000000,00000000,00000000,00000000,00000001,00000001,00000000,0041C63B,?,0041C63B), ref: 0041CA39
                                                                          • GlobalUnlock.KERNEL32(00000000,?,0041CC46,00000000,00000000,00000000,00000000,00000001,00000001,00000000,0041C63B,?,0041C63B,0042D4D0), ref: 0041CA4F
                                                                          • GlobalReAlloc.KERNEL32 ref: 0041CA5C
                                                                          • GlobalLock.KERNEL32 ref: 0041CA7D
                                                                          Similarity
                                                                          • API ID: Global$AllocLockUnlocklstrlen
                                                                          • String ID: $G
                                                                          • API String ID: 1193986054-195990108
                                                                          • Opcode ID: 5d35e7ea65a2d6825d976dd3d6991c87e1c56d6275482e42d3e240b4916bb047
                                                                          • Instruction ID: 5603829e847da92005f6a023f110383f11d6e5884fcbf5cfa6c8cd2347ef54ab
                                                                          • Opcode Fuzzy Hash: 5d35e7ea65a2d6825d976dd3d6991c87e1c56d6275482e42d3e240b4916bb047
                                                                          • Instruction Fuzzy Hash: AC11D5313407059FC7219F69CCC4A9ABBA5EF48394764882EE596C7211C734DC81CB64
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 46%
                                                                          			E00424316(char _a4) {
                                                                          				void* _v8;
                                                                          				int _v12;
                                                                          				signed int _t13;
                                                                          				signed int _t16;
                                                                          				char* _t25;
                                                                          
                                                                          				_push(_t27);
                                                                          				_t25 = _a4;
                                                                          				_t13 = E0040DB19(_t25);
                                                                          				if(_t13 == 0) {
                                                                          					__eflags = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\SharedDLLs", 0, 0x2001f,  &_v8);
                                                                          					if(__eflags != 0) {
                                                                          						_push(0xfffffffe);
                                                                          					} else {
                                                                          						_a4 = 0;
                                                                          						_v12 = 4;
                                                                          						RegQueryValueExA(_v8, _t25, 0, 0,  &_a4,  &_v12);
                                                                          						_a4 = _a4 + 1;
                                                                          						RegSetValueExA(_v8, _t25, 0, 4,  &_a4, 4);
                                                                          						RegCloseKey(_v8);
                                                                          						_push(0x47e800);
                                                                          						_push(_t25);
                                                                          						E00421CE6(__eflags);
                                                                          						_push(1);
                                                                          					}
                                                                          					_pop(_t16);
                                                                          				} else {
                                                                          					_t16 = _t13 | 0xffffffff;
                                                                          				}
                                                                          				return _t16;
                                                                          			}









                                                                          APIs
                                                                          • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\SharedDLLs,00000000,0002001F,?), ref: 00424346
                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?), ref: 00424368
                                                                          • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,00000004,00000004), ref: 0042437E
                                                                          • RegCloseKey.ADVAPI32(?), ref: 00424387
                                                                          Strings
                                                                          • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 0042433C
                                                                          Similarity
                                                                          • API ID: Value$CloseOpenQuery
                                                                          • String ID: Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                          • API String ID: 237177642-3400865229
                                                                          • Opcode ID: a265586fcd8e2d4ae3d60842d183ecd60b40a79d569d049d288659a66fc2cb46
                                                                          • Instruction ID: 2afa97585fa973cdf6ebdfa308dfe96903249848b8f16a545dfa2517b57cc3af
                                                                          • Opcode Fuzzy Hash: a265586fcd8e2d4ae3d60842d183ecd60b40a79d569d049d288659a66fc2cb46
                                                                          • Instruction Fuzzy Hash: D011C8B1740118BEDB208B92EC49FAF7F7CEBC5758F60412ABA05A50D1CA744A058638
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0041C047(long* __ecx, CHAR* _a4, intOrPtr _a8) {
                                                                          				long _t15;
                                                                          				void* _t17;
                                                                          				char _t23;
                                                                          				void* _t28;
                                                                          				int _t32;
                                                                          				long* _t33;
                                                                          
                                                                          				_t33 = __ecx;
                                                                          				_t32 = lstrlenA(_a4);
                                                                          				if(_a8 != 0) {
                                                                          					_t32 = _a8;
                                                                          				}
                                                                          				_t4 =  &(_t33[1]); // 0x8415ff57
                                                                          				 *_t33 =  *_t33 + _t32;
                                                                          				GlobalUnlock( *_t4);
                                                                          				_t5 =  &(_t33[1]); // 0x8415ff57
                                                                          				_t15 = GlobalReAlloc( *_t5,  *_t33, 0x42);
                                                                          				_t33[1] = _t15;
                                                                          				if(_t15 == 0) {
                                                                          					E0041D881(E0041CD1E(0x47e924));
                                                                          				}
                                                                          				_t7 =  &(_t33[1]); // 0x8415ff57
                                                                          				_t33[2] = GlobalLock( *_t7);
                                                                          				_t17 = 0;
                                                                          				if(_t32 > 0) {
                                                                          					do {
                                                                          						_t10 =  &(_t33[2]); // 0x8d004282
                                                                          						_t23 =  *((intOrPtr*)(_t17 + _a4));
                                                                          						_t28 =  *_t33 - _t32 + _t17;
                                                                          						_t17 = _t17 + 1;
                                                                          						 *((char*)(_t28 +  *_t10)) = _t23;
                                                                          					} while (_t17 < _t32);
                                                                          				}
                                                                          				return _t33;
                                                                          			}










                                                                          APIs
                                                                          • lstrlenA.KERNEL32(00000000,00422D86,0047E788,004221EF,103,00000000,00000000,00000000,00000000,0047E788,00000000), ref: 0041C04F
                                                                          • GlobalUnlock.KERNEL32(8415FF57), ref: 0041C067
                                                                          • GlobalReAlloc.KERNEL32 ref: 0041C074
                                                                          • GlobalLock.KERNEL32 ref: 0041C095
                                                                          Similarity
                                                                          • API ID: Global$AllocLockUnlocklstrlen
                                                                          • String ID: $G
                                                                          • API String ID: 1193986054-195990108
                                                                          • Opcode ID: d1ba55372e4d4a584c29bd95be6dfa892a82c033d9f715793612bc238b335498
                                                                          • Instruction ID: 86848620a02905628978c4322f41490f0c5417c04306446d91f9f9474cd8ae65
                                                                          • Opcode Fuzzy Hash: d1ba55372e4d4a584c29bd95be6dfa892a82c033d9f715793612bc238b335498
                                                                          • Instruction Fuzzy Hash: 9B016D31644701CFC721AF65CD4865BBBE6BF98300B14882EE19983221DB75D841CB24
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0041BC79(intOrPtr* __ecx) {
                                                                          				intOrPtr _t9;
                                                                          				char* _t11;
                                                                          				signed int _t13;
                                                                          				intOrPtr* _t20;
                                                                          				void* _t23;
                                                                          				void* _t24;
                                                                          				intOrPtr* _t25;
                                                                          
                                                                          				_t25 = __ecx;
                                                                          				_t1 = _t25 + 0x158; // 0x0
                                                                          				_t9 =  *_t1;
                                                                          				if(_t9 != 0) {
                                                                          					EnableWindow( *(_t9 + 4), 0);
                                                                          				}
                                                                          				_t20 = 0x47e700;
                                                                          				if( *0x47e700 <= 0) {
                                                                          					_t20 = 0x47e850;
                                                                          				}
                                                                          				_t23 = E0041CD1E(_t20);
                                                                          				if( *0x47e918 <= 0) {
                                                                          					_t11 = "Do your really want to exit setup?";
                                                                          				} else {
                                                                          					_t11 = E0041CD1E(0x47e918);
                                                                          				}
                                                                          				_t24 = E0041B2CC(_t25,  *_t25, _t11, _t23, 4);
                                                                          				_t3 = _t25 + 0x158; // 0x0
                                                                          				_t13 =  *_t3;
                                                                          				if(_t13 != 0) {
                                                                          					EnableWindow( *(_t13 + 4), 1);
                                                                          					_t5 = _t25 + 0x158; // 0x0
                                                                          					_t13 = SetForegroundWindow( *( *_t5 + 4));
                                                                          				}
                                                                          				return _t13 & 0xffffff00 | _t24 != 0x00000007;
                                                                          			}











                                                                          APIs
                                                                          • EnableWindow.USER32(?,00000000), ref: 0041BC93
                                                                          • EnableWindow.USER32(?,00000001), ref: 0041BCE7
                                                                          • SetForegroundWindow.USER32(?), ref: 0041BCF2
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Enable$Foreground
                                                                          • String ID: Do your really want to exit setup?$PG
                                                                          • API String ID: 2644897057-2931071296
                                                                          • Opcode ID: bee443d1fbdd976699502f7e30580af2992c2cefda8e58a12d92eb193de696a4
                                                                          • Instruction ID: ac9d4f32d2ea49032055976a08762f19bec1a0615ae6cab58999680f0bfc9b05
                                                                          • Opcode Fuzzy Hash: bee443d1fbdd976699502f7e30580af2992c2cefda8e58a12d92eb193de696a4
                                                                          • Instruction Fuzzy Hash: 81018F713001009BE720AB66DC89BCBBBD6DB84755F15847EE2099B3A1DF799C80D79C
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E004060B6(void* __ecx, intOrPtr _a4, void* _a8) {
                                                                          				void* _t11;
                                                                          				long _t22;
                                                                          				void* _t23;
                                                                          
                                                                          				_t23 = __ecx;
                                                                          				 *((intOrPtr*)(__ecx + 0xc)) = _a4;
                                                                          				_t22 = ImageList_Create(0xd, 0xd, 4, 4, 4);
                                                                          				if(_t22 == 0) {
                                                                          					E0041D881(E0041CD1E(0x47e924));
                                                                          				}
                                                                          				if(ImageList_Add(_t22, _a8, 0) == 0xffffffff) {
                                                                          					E0041D881(E0041CD1E(0x47e924));
                                                                          				}
                                                                          				DeleteObject(_a8);
                                                                          				SendMessageA( *(_t23 + 0xc), 0x1109, 0, _t22);
                                                                          				_t11 = 1;
                                                                          				return _t11;
                                                                          			}







                                                                          APIs
                                                                          • ImageList_Create.COMCTL32(0000000D,0000000D,00000004,00000004,00000004,?,?,769048C0,0040C141,00000000), ref: 004060CC
                                                                          • ImageList_Add.COMCTL32(00000000,769048C0,00000000,?,?,769048C0,0040C141,00000000), ref: 004060F2
                                                                          • DeleteObject.GDI32(0040C141), ref: 0040610F
                                                                          • SendMessageA.USER32(?,00001109,00000000,00000000), ref: 00406120
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$ImageList_$AllocCreateDeleteLockMessageObjectSendUnlock
                                                                          • String ID: $G
                                                                          • API String ID: 3198803340-195990108
                                                                          • Opcode ID: e47f47b44f5be8c8198a84e49064f1da869e1903cbbfc8fffeec7cb84f866b49
                                                                          • Instruction ID: 6791099ba6acc7eb50aa9d2fe7bafcb2aff3b1712aa492df654a4519af5c33ea
                                                                          • Opcode Fuzzy Hash: e47f47b44f5be8c8198a84e49064f1da869e1903cbbfc8fffeec7cb84f866b49
                                                                          • Instruction Fuzzy Hash: A1F0F4727803007BE6206B61AC8EF5F3A55EB80B61F10453FF312991D2CEB998428718
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0041BF12(long* __ecx, CHAR* _a4) {
                                                                          				long _t12;
                                                                          				void* _t14;
                                                                          				CHAR* _t23;
                                                                          				long* _t24;
                                                                          
                                                                          				_t24 = __ecx;
                                                                          				_t1 =  &(_t24[1]); // 0x217020c
                                                                          				GlobalUnlock( *_t1);
                                                                          				_t23 = _a4;
                                                                          				if(_t23 != 0) {
                                                                          					 *_t24 = lstrlenA(_t23);
                                                                          				} else {
                                                                          					 *_t24 =  *_t24 & _t23;
                                                                          				}
                                                                          				_t3 =  &(_t24[1]); // 0x217020c
                                                                          				_t12 = GlobalReAlloc( *_t3,  *_t24, 0x42);
                                                                          				_t24[1] = _t12;
                                                                          				if(_t12 == 0) {
                                                                          					E0041D881(E0041CD1E(0x47e924));
                                                                          				}
                                                                          				_t5 =  &(_t24[1]); // 0x217020c
                                                                          				_t24[2] = GlobalLock( *_t5);
                                                                          				_t14 = 0;
                                                                          				if( *_t24 > 0) {
                                                                          					do {
                                                                          						_t7 =  &(_t24[2]); // 0x640270
                                                                          						 *((char*)( *_t7 + _t14)) =  *((intOrPtr*)(_t14 + _t23));
                                                                          						_t14 = _t14 + 1;
                                                                          					} while (_t14 <  *_t24);
                                                                          				}
                                                                          				return _t24;
                                                                          			}








                                                                          APIs
                                                                          • GlobalUnlock.KERNEL32(0217020C,00000104,00000000,0041929A,00000000), ref: 0041BF19
                                                                          • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0047DFB8), ref: 0041BF2C
                                                                          • GlobalReAlloc.KERNEL32 ref: 0041BF3B
                                                                          • GlobalLock.KERNEL32 ref: 0041BF5C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocLockUnlocklstrlen
                                                                          • String ID: $G
                                                                          • API String ID: 1193986054-195990108
                                                                          • Opcode ID: f4168bbc14b58ece5299c2a09c70ce466236e7760992961e786b482267182a23
                                                                          • Instruction ID: d030bc0b615e75949c7210a2cdcfd6d568315ba4b24ded64fab219e1162ce76e
                                                                          • Opcode Fuzzy Hash: f4168bbc14b58ece5299c2a09c70ce466236e7760992961e786b482267182a23
                                                                          • Instruction Fuzzy Hash: F601AD75205B02DFC3316F21DD4986ABBE5EF95751320887EE4DAC3221DB389882CF68
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 67%
                                                                          			E00414C1B(void* __edx, void* __edi, void* __ebp, signed int _a4, intOrPtr _a8) {
                                                                          				signed int _v4;
                                                                          				signed int _v8;
                                                                          				signed int _v12;
                                                                          				intOrPtr _v20;
                                                                          				intOrPtr _v24;
                                                                          				void* __ecx;
                                                                          				void* _t25;
                                                                          				signed int _t26;
                                                                          				signed int _t29;
                                                                          				signed int _t30;
                                                                          				intOrPtr _t31;
                                                                          				signed int _t32;
                                                                          				signed int _t34;
                                                                          				signed int _t35;
                                                                          				signed int _t43;
                                                                          				void* _t44;
                                                                          				signed int _t54;
                                                                          				intOrPtr _t58;
                                                                          				intOrPtr _t59;
                                                                          				void* _t60;
                                                                          				signed int _t62;
                                                                          				void* _t63;
                                                                          				signed int _t64;
                                                                          				signed int _t66;
                                                                          				void* _t67;
                                                                          				intOrPtr _t68;
                                                                          				signed int _t69;
                                                                          				struct HDC__* _t71;
                                                                          				void* _t73;
                                                                          				void* _t74;
                                                                          				signed int _t75;
                                                                          				intOrPtr _t77;
                                                                          				void* _t78;
                                                                          				void* _t80;
                                                                          				void* _t86;
                                                                          				void* _t90;
                                                                          
                                                                          				_t74 = __ebp;
                                                                          				_t63 = __edi;
                                                                          				_t60 = __edx;
                                                                          				_t77 =  *0x47f27c; // 0x1
                                                                          				if(_t77 != 0) {
                                                                          					L42:
                                                                          					return _t25;
                                                                          				} else {
                                                                          					_t68 =  *0x47e658; // 0x8
                                                                          					_t78 =  *0x42c090 - _t68; // 0xffffffff
                                                                          					if(_t78 != 0) {
                                                                          						 *0x42c08c =  *0x42c08c | 0xffffffff;
                                                                          						 *0x42c090 = _t68;
                                                                          					}
                                                                          					_t26 = _a4;
                                                                          					_t80 = _t26 -  *0x42c08c; // 0xffffffff
                                                                          					if(_t80 > 0) {
                                                                          						_t59 =  *0x47f280; // 0x0
                                                                          						 *0x42c08c = _t26;
                                                                          						if(_t59 != 0) {
                                                                          							E0041EE7E(_t59, _t26);
                                                                          							_t68 =  *0x47e658; // 0x8
                                                                          						}
                                                                          					}
                                                                          					_push(_t74);
                                                                          					_t75 =  *0x47e6a8; // 0x207a58a
                                                                          					_push(_t63);
                                                                          					_t64 =  *0x47e6ac; // 0x0
                                                                          					_v8 = _t75;
                                                                          					_v4 = _t64;
                                                                          					if((_t75 | _t64) == 0) {
                                                                          						_v8 = 1;
                                                                          						_v4 = 0;
                                                                          					}
                                                                          					_t29 =  *0x47e18c; // 0x0
                                                                          					_t30 = _t29 & 0x00000002;
                                                                          					_a4 = _t30;
                                                                          					if(_t30 != 0) {
                                                                          						_v24 = _v24 + E004252C0( *0x47e6a0,  *0x47e6a4, 0x1d, 0);
                                                                          						asm("adc [esp+0x14], edx");
                                                                          					}
                                                                          					if(( *0x47e18c & 0x00000004) != 0) {
                                                                          						_v24 = _v24 + E004252C0( *0x47e698,  *0x47e69c, 0x14, 0);
                                                                          						asm("adc [esp+0x14], edx");
                                                                          					}
                                                                          					_t31 = _a8;
                                                                          					if(_t68 != 1) {
                                                                          						__eflags = _t68 - 2;
                                                                          						if(_t68 != 2) {
                                                                          							__eflags = _t68 - 3;
                                                                          							if(_t68 != 3) {
                                                                          								__eflags = _t68 - 4;
                                                                          								if(__eflags != 0) {
                                                                          									__eflags = _t68 - 5;
                                                                          									if(__eflags == 0) {
                                                                          										goto L23;
                                                                          									}
                                                                          									__eflags = _t68 - 6;
                                                                          									if(__eflags == 0) {
                                                                          										goto L23;
                                                                          									}
                                                                          									__eflags = _t68 - 7;
                                                                          									if(__eflags != 0) {
                                                                          										__eflags = _t68 - 8;
                                                                          										_t43 = (0 | _t68 != 0x00000008) + 0x63;
                                                                          										__eflags = _t43;
                                                                          										goto L30;
                                                                          									}
                                                                          									_push(0x61);
                                                                          									L28:
                                                                          									_pop(_t69);
                                                                          									goto L31;
                                                                          								}
                                                                          								L23:
                                                                          								_push(0x60);
                                                                          								goto L28;
                                                                          							}
                                                                          							_t44 = E004252C0(_t31, 0, 0x14, 0);
                                                                          							_t67 = _t60;
                                                                          							_t73 = _t44 + _t75;
                                                                          							asm("adc edi, [0x47e6ac]");
                                                                          							__eflags = _v12;
                                                                          							if(_v12 != 0) {
                                                                          								_t73 = _t73 + E004252C0( *0x47e6a0,  *0x47e6a4, 0x1d, 0);
                                                                          								asm("adc edi, edx");
                                                                          							}
                                                                          							_push(0);
                                                                          							_push(0x64);
                                                                          							_push(_t67);
                                                                          							_push(_t73);
                                                                          							goto L21;
                                                                          						}
                                                                          						_t31 = E004252C0(_t31, 0, 0x1d, 0) + _t75;
                                                                          						_push(0);
                                                                          						asm("adc edx, edi");
                                                                          						_push(0x64);
                                                                          						_push(_t60);
                                                                          						goto L14;
                                                                          					} else {
                                                                          						_push(0);
                                                                          						_push(0x64);
                                                                          						_push(0);
                                                                          						L14:
                                                                          						_push(_t31);
                                                                          						L21:
                                                                          						_t43 = E00425250(E004252C0(E00425250(E004252C0(), _t60, _v24, _v20), _t60, 0x5f, 0), _t60, 0x64, 0);
                                                                          						L30:
                                                                          						_t69 = _t43;
                                                                          						L31:
                                                                          						_t86 = _t69 -  *0x42c094; // 0xffffffff
                                                                          						if(_t86 > 0) {
                                                                          							_t58 =  *0x47f284; // 0x0
                                                                          							 *0x42c094 = _t69;
                                                                          							if(_t58 != 0) {
                                                                          								E0041EE7E(_t58, _t69);
                                                                          							}
                                                                          						}
                                                                          						_t54 =  *0x47e784; // 0x0
                                                                          						if(_t54 > 0 && _t54 < 0x65) {
                                                                          							_t32 = 0x64;
                                                                          							asm("cdq");
                                                                          							_t66 = _t32 / _t54;
                                                                          							_t34 = _t69;
                                                                          							asm("cdq");
                                                                          							_t35 = _t34 / _t66;
                                                                          							_t62 = _t34 % _t66;
                                                                          							_t90 = _t35 -  *0x42c098; // 0xffffffff
                                                                          							if(_t90 > 0) {
                                                                          								_t91 = _t35 - _t54;
                                                                          								if(_t35 < _t54) {
                                                                          									 *0x42c098 = _t35;
                                                                          									E0040F33B(0x47f208, _t62, _t91, _t35);
                                                                          									_t71 = GetDC( *0x47e178);
                                                                          									BitBlt(_t71, 0, 0,  *0x47e170,  *0x47e174,  *0x47e184, 0, 0, 0xcc0020);
                                                                          									ReleaseDC( *0x47e178, _t71);
                                                                          								}
                                                                          							}
                                                                          						}
                                                                          						_t25 = E0041A207();
                                                                          						while(_t25 == 1) {
                                                                          							_t25 = E0041A207();
                                                                          						}
                                                                          						goto L42;
                                                                          					}
                                                                          				}
                                                                          			}


                                                                          APIs
                                                                          • __aulldiv.LIBCMT ref: 00414D5C
                                                                          • __aulldiv.LIBCMT ref: 00414D70
                                                                          • GetDC.USER32(00000060), ref: 00414DFD
                                                                          • BitBlt.GDI32(00000000,00000000,00000000,00000000,00000000,00CC0020,?,0207A58A,-00000001), ref: 00414E21
                                                                          • ReleaseDC.USER32 ref: 00414E2E
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: __aulldiv$Release
                                                                          • String ID:
                                                                          • API String ID: 3493685692-0
                                                                          • Opcode ID: c829be2c0b2fef8037b4d98ece4fb16d813a1104892517bff0df9b681447dd76
                                                                          • Instruction ID: a9d97e3be5756bfe4d35d353e42b65620ab82c9c544829cce164ddad8ecaccd7
                                                                          • Opcode Fuzzy Hash: c829be2c0b2fef8037b4d98ece4fb16d813a1104892517bff0df9b681447dd76
                                                                          • Instruction Fuzzy Hash: 7C51FA71A01310AFDB209B65AC81EAF76A9E7D8718F85057FF508A7261C3394CC18B6D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 99%
                                                                          			E00426871() {
                                                                          				signed int* _t35;
                                                                          				signed int* _t37;
                                                                          				long _t42;
                                                                          				signed int _t44;
                                                                          				signed int _t45;
                                                                          				int _t46;
                                                                          				void* _t48;
                                                                          				void** _t52;
                                                                          				int _t53;
                                                                          				int _t54;
                                                                          				signed int* _t55;
                                                                          				int _t57;
                                                                          				void** _t58;
                                                                          				signed char _t60;
                                                                          				signed int _t62;
                                                                          				void* _t66;
                                                                          				void* _t69;
                                                                          				signed int _t70;
                                                                          				int* _t71;
                                                                          				signed int* _t72;
                                                                          				void** _t73;
                                                                          				int _t74;
                                                                          				intOrPtr* _t75;
                                                                          				void* _t76;
                                                                          
                                                                          				_t72 = E00424B9C(0x100);
                                                                          				if(_t72 == 0) {
                                                                          					E004254C0(0x1b);
                                                                          				}
                                                                          				 *0x47f720 = _t72;
                                                                          				 *0x47f820 = 0x20;
                                                                          				_t1 =  &(_t72[0x40]); // 0x100
                                                                          				_t35 = _t1;
                                                                          				while(_t72 < _t35) {
                                                                          					_t72[1] = _t72[1] & 0x00000000;
                                                                          					 *_t72 =  *_t72 | 0xffffffff;
                                                                          					_t72[1] = 0xa;
                                                                          					_t55 =  *0x47f720; // 0x2070ef0
                                                                          					_t72 =  &(_t72[2]);
                                                                          					_t35 =  &(_t55[0x40]);
                                                                          				}
                                                                          				GetStartupInfoA(_t76 + 0x10);
                                                                          				__eflags =  *((short*)(_t76 + 0x42));
                                                                          				if( *((short*)(_t76 + 0x42)) == 0) {
                                                                          					L25:
                                                                          					_t57 = 0;
                                                                          					__eflags = 0;
                                                                          					do {
                                                                          						_t37 =  *0x47f720; // 0x2070ef0
                                                                          						__eflags =  *(_t37 + _t57 * 8) - 0xffffffff;
                                                                          						_t73 = _t37 + _t57 * 8;
                                                                          						if( *(_t37 + _t57 * 8) != 0xffffffff) {
                                                                          							_t32 =  &(_t73[1]);
                                                                          							 *_t32 = _t73[1] | 0x00000080;
                                                                          							__eflags =  *_t32;
                                                                          							goto L37;
                                                                          						}
                                                                          						__eflags = _t57;
                                                                          						_t73[1] = 0x81;
                                                                          						if(_t57 != 0) {
                                                                          							asm("sbb eax, eax");
                                                                          							_t42 =  ~(_t57 - 1) + 0xfffffff5;
                                                                          							__eflags = _t42;
                                                                          						} else {
                                                                          							_t42 = 0xfffffff6;
                                                                          						}
                                                                          						_t69 = GetStdHandle(_t42);
                                                                          						__eflags = _t69 - 0xffffffff;
                                                                          						if(_t69 == 0xffffffff) {
                                                                          							L33:
                                                                          							_t73[1] = _t73[1] | 0x00000040;
                                                                          						} else {
                                                                          							_t44 = GetFileType(_t69);
                                                                          							__eflags = _t44;
                                                                          							if(_t44 == 0) {
                                                                          								goto L33;
                                                                          							}
                                                                          							_t45 = _t44 & 0x000000ff;
                                                                          							 *_t73 = _t69;
                                                                          							__eflags = _t45 - 2;
                                                                          							if(_t45 != 2) {
                                                                          								__eflags = _t45 - 3;
                                                                          								if(_t45 == 3) {
                                                                          									_t73[1] = _t73[1] | 0x00000008;
                                                                          								}
                                                                          								goto L37;
                                                                          							}
                                                                          							goto L33;
                                                                          						}
                                                                          						L37:
                                                                          						_t57 = _t57 + 1;
                                                                          						__eflags = _t57 - 3;
                                                                          					} while (_t57 < 3);
                                                                          					return SetHandleCount( *0x47f820);
                                                                          				}
                                                                          				_t46 =  *(_t76 + 0x44);
                                                                          				__eflags = _t46;
                                                                          				if(_t46 == 0) {
                                                                          					goto L25;
                                                                          				}
                                                                          				_t74 =  *_t46;
                                                                          				_t75 = _t46 + 4;
                                                                          				__eflags = _t74 - 0x800;
                                                                          				_t58 = _t74 + _t75;
                                                                          				if(_t74 >= 0x800) {
                                                                          					_t74 = 0x800;
                                                                          				}
                                                                          				__eflags =  *0x47f820 - _t74; // 0x20
                                                                          				if(__eflags >= 0) {
                                                                          					L18:
                                                                          					_t70 = 0;
                                                                          					__eflags = _t74;
                                                                          					if(_t74 <= 0) {
                                                                          						goto L25;
                                                                          					} else {
                                                                          						goto L19;
                                                                          					}
                                                                          					do {
                                                                          						L19:
                                                                          						_t48 =  *_t58;
                                                                          						__eflags = _t48 - 0xffffffff;
                                                                          						if(_t48 == 0xffffffff) {
                                                                          							goto L24;
                                                                          						}
                                                                          						_t60 =  *_t75;
                                                                          						__eflags = _t60 & 0x00000001;
                                                                          						if((_t60 & 0x00000001) == 0) {
                                                                          							goto L24;
                                                                          						}
                                                                          						__eflags = _t60 & 0x00000008;
                                                                          						if((_t60 & 0x00000008) != 0) {
                                                                          							L23:
                                                                          							_t62 = _t70 & 0x0000001f;
                                                                          							__eflags = _t62;
                                                                          							_t52 = 0x47f720[_t70 >> 5] + _t62 * 8;
                                                                          							 *_t52 =  *_t58;
                                                                          							_t52[1] =  *_t75;
                                                                          							goto L24;
                                                                          						}
                                                                          						_t53 = GetFileType(_t48);
                                                                          						__eflags = _t53;
                                                                          						if(_t53 == 0) {
                                                                          							goto L24;
                                                                          						}
                                                                          						goto L23;
                                                                          						L24:
                                                                          						_t70 = _t70 + 1;
                                                                          						_t75 = _t75 + 1;
                                                                          						_t58 =  &(_t58[1]);
                                                                          						__eflags = _t70 - _t74;
                                                                          					} while (_t70 < _t74);
                                                                          					goto L25;
                                                                          				} else {
                                                                          					_t71 = 0x47f724;
                                                                          					while(1) {
                                                                          						_t54 = E00424B9C(0x100);
                                                                          						__eflags = _t54;
                                                                          						if(_t54 == 0) {
                                                                          							break;
                                                                          						}
                                                                          						 *0x47f820 =  *0x47f820 + 0x20;
                                                                          						__eflags =  *0x47f820;
                                                                          						 *_t71 = _t54;
                                                                          						_t10 = _t54 + 0x100; // 0x100
                                                                          						_t66 = _t10;
                                                                          						while(1) {
                                                                          							__eflags = _t54 - _t66;
                                                                          							if(_t54 >= _t66) {
                                                                          								break;
                                                                          							}
                                                                          							 *(_t54 + 4) =  *(_t54 + 4) & 0x00000000;
                                                                          							 *_t54 =  *_t54 | 0xffffffff;
                                                                          							 *((char*)(_t54 + 5)) = 0xa;
                                                                          							_t54 = _t54 + 8;
                                                                          							_t66 =  *_t71 + 0x100;
                                                                          						}
                                                                          						_t71 =  &(_t71[1]);
                                                                          						__eflags =  *0x47f820 - _t74; // 0x20
                                                                          						if(__eflags < 0) {
                                                                          							continue;
                                                                          						}
                                                                          						goto L18;
                                                                          					}
                                                                          					_t74 =  *0x47f820; // 0x20
                                                                          					goto L18;
                                                                          				}
                                                                          			}

                                                                          APIs
                                                                          • GetStartupInfoA.KERNEL32(?), ref: 004268CA
                                                                          • GetFileType.KERNEL32(00000800), ref: 00426970
                                                                          • GetStdHandle.KERNEL32(-000000F6), ref: 004269C9
                                                                          • GetFileType.KERNEL32(00000000), ref: 004269D7
                                                                          • SetHandleCount.KERNEL32 ref: 00426A0E
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: FileHandleType$CountInfoStartup
                                                                          • String ID:
                                                                          • API String ID: 1710529072-0
                                                                          • Opcode ID: fc2f99d6d75735703ef8d3f561f92466763e75c486a1a5d3e360cb6a19083e99
                                                                          • Instruction ID: 0480248ec443beef7d494d037e8a8200b04a5f20b88e5398d1804388355726b4
                                                                          • Opcode Fuzzy Hash: fc2f99d6d75735703ef8d3f561f92466763e75c486a1a5d3e360cb6a19083e99
                                                                          • Instruction Fuzzy Hash: 555129B17043218BD7209B28ED447667BE0EB05360F97463ED4AAC73E1DB389889875D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 87%
                                                                          			E00408121(void* __ecx, int _a4) {
                                                                          				int _v52;
                                                                          				int _v108;
                                                                          				int _v164;
                                                                          				void* _t26;
                                                                          				long _t27;
                                                                          				signed int _t28;
                                                                          				int _t33;
                                                                          				CHAR* _t34;
                                                                          				CHAR* _t49;
                                                                          				long _t52;
                                                                          				struct HFONT__* _t53;
                                                                          				void* _t54;
                                                                          				void* _t55;
                                                                          				void* _t76;
                                                                          
                                                                          				_push(_a4);
                                                                          				_t76 = __ecx;
                                                                          				if(E00407FD5() == 0xffffffff) {
                                                                          					_t55 = 0xfffffffc;
                                                                          					return _t55;
                                                                          				}
                                                                          				_t26 = E0041E860(0x47e50c, _t25);
                                                                          				_t2 = _t76 + 0x70; // 0x70
                                                                          				_t3 = _t76 + 8; // 0x8
                                                                          				_t27 = E00408256(__eflags, _t26, _t3, _t2, 1);
                                                                          				__eflags = _t27;
                                                                          				if(_t27 >= 0) {
                                                                          					_t28 =  *0x42b91c; // 0x3e8
                                                                          					asm("cdq");
                                                                          					_t33 = MulDiv( *(_t76 + 0x44) & 0x0000ffff, (_t28 + _t28 * 2 << 5) / 0x3e8, 0x48);
                                                                          					_t12 = _t76 + 0x38; // 0x38
                                                                          					_t78 = _t12;
                                                                          					_a4 = _t33;
                                                                          					_t34 = E0041CD1E(_t12);
                                                                          					asm("sbb ebx, ebx");
                                                                          					 *((intOrPtr*)(_t76 + 0x48)) = CreateFontA(_a4, 0, 0, 0, ( ~( *(_t76 + 0x46) & 0x00000001) & 0x0000012c) + 0x190,  *(_t76 + 0x46) >> 0x00000001 & 0x00000001, 0, 0, 0, 0, 0, 0, 0, _t34);
                                                                          					 *((intOrPtr*)(_t76 + 0x4c)) = CreateFontA(_v52, 0, 0, 0, 0x2bc,  *(_t76 + 0x46) >> 0x00000001 & 0x00000001, 0, 0, 0, 0, 0, 0, 0, E0041CD1E(_t12));
                                                                          					 *((intOrPtr*)(_t76 + 0x50)) = CreateFontA(_v108, 0, 0, 0, 0x190,  *(_t76 + 0x46) >> 0x00000001 & 0x00000001, 1, 0, 0, 0, 0, 0, 0, E0041CD1E(_t12));
                                                                          					_t49 = E0041CD1E(_t78);
                                                                          					_t52 =  *(_t76 + 0x46) >> 0x00000001 & 0x00000001;
                                                                          					__eflags = _t52;
                                                                          					_t53 = CreateFontA(_v164, 0, 0, 0, 0x2bc, _t52, 1, 0, 0, 0, 0, 0, 0, _t49);
                                                                          					 *(_t76 + 0x54) = _t53;
                                                                          					_t54 = 1;
                                                                          					return _t54;
                                                                          				}
                                                                          				return _t27;
                                                                          			}

                                                                          APIs
                                                                          • MulDiv.KERNEL32(?,000003E8,00000048), ref: 00408181
                                                                          • CreateFontA.GDI32(?,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004081CA
                                                                          • CreateFontA.GDI32(?,00000000,00000000,00000000,000002BC,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004081F3
                                                                          • CreateFontA.GDI32(?,00000000,00000000,00000000,00000190,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040821D
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFont
                                                                          • String ID:
                                                                          • API String ID: 1830492434-0
                                                                          • Opcode ID: a0dc7068cd27009a1279465c43ead3e4ef2f7f57a47b585927daa53c3fb0ce14
                                                                          • Instruction ID: 91811af97634840e8ceefda5567941c751d6f7838c551a2ad01c93e1cb071a82
                                                                          • Opcode Fuzzy Hash: a0dc7068cd27009a1279465c43ead3e4ef2f7f57a47b585927daa53c3fb0ce14
                                                                          • Instruction Fuzzy Hash: 5331C5711407807DDB309A6B9C89EAB7FBDDBCBF10F00082DB295926D1CA66A441C634
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 68%
                                                                          			E0041EB0F(void* __ecx, void* __edx) {
                                                                          				struct tagSIZE _v12;
                                                                          				char _v28;
                                                                          				signed int _t32;
                                                                          				void* _t36;
                                                                          				void* _t39;
                                                                          				void* _t45;
                                                                          
                                                                          				_t39 = __edx;
                                                                          				_t45 = __ecx;
                                                                          				E00427836( *((intOrPtr*)(__ecx + 0x10)),  &_v28, 0xa);
                                                                          				lstrcatA( &_v28, " %");
                                                                          				if(GetTextExtentPoint32A( *(_t45 + 4),  &_v28, lstrlenA( &_v28),  &_v12) != 0) {
                                                                          					asm("cdq");
                                                                          					asm("cdq");
                                                                          					_t32 = TextOutA( *(_t45 + 4), ( *((intOrPtr*)(_t45 + 0x1c)) -  *((intOrPtr*)(_t45 + 0x14)) - _t39 >> 1) - (_v12.cx - _t39 >> 1), 2,  &_v28, lstrlenA( &_v28));
                                                                          					asm("sbb eax, eax");
                                                                          					return ( ~_t32 & 0x0000000c) + 0xfffffff5;
                                                                          				}
                                                                          				_t36 = 0xfffffff6;
                                                                          				return _t36;
                                                                          			}

                                                                          APIs
                                                                          • lstrcatA.KERNEL32(?,0042D698,?,00000000,7690FB30,?,?,?,?,?,?,?,0041EE10,?,004051FC,0045AA60), ref: 0041EB33
                                                                          • lstrlenA.KERNEL32(?,?,?,00000000,7690FB30,?,?,?,?,?,?,?,0041EE10,?,004051FC,0045AA60), ref: 0041EB47
                                                                          • GetTextExtentPoint32A.GDI32(?,?,00000000), ref: 0041EB51
                                                                          • lstrlenA.KERNEL32(?,?,?,00000000,7690FB30,?,?,?,?,?,?,?,0041EE10,?,004051FC,0045AA60), ref: 0041EB7C
                                                                          • TextOutA.GDI32(?,?,00000002,?,00000000), ref: 0041EB89
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Textlstrlen$ExtentPoint32lstrcat
                                                                          • String ID:
                                                                          • API String ID: 3780604614-0
                                                                          • Opcode ID: f1f3a101613beeb1aa5f5ee0721c5e0b67aed8fbfa80b47b83a423e2ebd76357
                                                                          • Instruction ID: b5ccb3afcf26193c53e81dcc7e7fa64a1b5680322ebb231c090800a54c7e9584
                                                                          • Opcode Fuzzy Hash: f1f3a101613beeb1aa5f5ee0721c5e0b67aed8fbfa80b47b83a423e2ebd76357
                                                                          • Instruction Fuzzy Hash: EB116973A04609AFDB20DBB8DC4ADDF7BBCEB44711F444726F602D2190EA30E94587A4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0040FC45(int* __ecx) {
                                                                          				struct HDC__* _t9;
                                                                          				void* _t11;
                                                                          				int _t14;
                                                                          				int* _t16;
                                                                          
                                                                          				_t16 = __ecx;
                                                                          				_t1 = _t16 + 0x10; // 0x0
                                                                          				_t9 =  *_t1;
                                                                          				if(_t9 != 0) {
                                                                          					_t2 = _t16 + 4; // 0x0
                                                                          					_t3 = _t16 + 0xc; // 0x0
                                                                          					_t4 = _t16 + 8; // 0x0
                                                                          					BitBlt( *0x47e184,  *_t4,  *_t3,  *__ecx,  *_t2, _t9, 0, 0, 0xcc0020);
                                                                          					_t11 = CreateCompatibleBitmap( *0x47e184, 1, 1);
                                                                          					_t5 = _t16 + 0x10; // 0x0
                                                                          					DeleteObject(SelectObject( *_t5, _t11));
                                                                          					_t6 = _t16 + 0x10; // 0x0
                                                                          					_t14 = DeleteDC( *_t6);
                                                                          					__ecx[4] = __ecx[4] & 0x00000000;
                                                                          					return _t14;
                                                                          				}
                                                                          				return _t9;
                                                                          			}

                                                                          APIs
                                                                          • BitBlt.GDI32(00000000,00000000,0047F208,00000000,00000000,00000000,00000000,00CC0020,00000000), ref: 0040FC6A
                                                                          • CreateCompatibleBitmap.GDI32(00000001,00000001), ref: 0040FC7A
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 0040FC84
                                                                          • DeleteObject.GDI32(00000000), ref: 0040FC8B
                                                                          • DeleteDC.GDI32(00000000), ref: 0040FC94
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: DeleteObject$BitmapCompatibleCreateSelect
                                                                          • String ID:
                                                                          • API String ID: 1708838939-0
                                                                          • Opcode ID: 4fce775da680b68cfbaf63d319c26e888dfe94671b2c622037a7a18372212f81
                                                                          • Instruction ID: 4c0b358634b2dcbc37ace0c2ae9a94ec987f1bb4a940835be0c4d5214cf889df
                                                                          • Opcode Fuzzy Hash: 4fce775da680b68cfbaf63d319c26e888dfe94671b2c622037a7a18372212f81
                                                                          • Instruction Fuzzy Hash: F7F0D432211700FFEB311F60ED0AF5A7BB6FB08711F42493CB656954B0CBB2A8599B18
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0041E5E3(void* __ebx) {
                                                                          				int _t11;
                                                                          				void* _t13;
                                                                          				void* _t14;
                                                                          
                                                                          				_t13 = __ebx;
                                                                          				if( *(_t14 - 0x1c) != __ebx) {
                                                                          					_t11 = LocalFree( *(_t14 - 0x1c));
                                                                          				}
                                                                          				if( *(_t14 - 0x6c) != _t13) {
                                                                          					_t11 = LocalFree( *(_t14 - 0x6c));
                                                                          				}
                                                                          				if( *(_t14 - 0x64) != _t13) {
                                                                          					_t11 = FreeSid( *(_t14 - 0x64));
                                                                          				}
                                                                          				if( *(_t14 - 0x44) != _t13) {
                                                                          					_t11 = CloseHandle( *(_t14 - 0x44));
                                                                          				}
                                                                          				if( *(_t14 - 0x74) != _t13) {
                                                                          					return CloseHandle( *(_t14 - 0x74));
                                                                          				}
                                                                          				return _t11;
                                                                          			}






                                                                          APIs
                                                                          • LocalFree.KERNEL32(000000FF,0041E5CA), ref: 0041E5EB
                                                                          • LocalFree.KERNEL32(0041E5CA,0041E5CA), ref: 0041E5F9
                                                                          • FreeSid.ADVAPI32(?,0041E5CA), ref: 0041E607
                                                                          • CloseHandle.KERNEL32(?,0041E5CA), ref: 0041E615
                                                                          • CloseHandle.KERNEL32(?,0041E5CA), ref: 0041E623
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Free$CloseHandleLocal
                                                                          • String ID:
                                                                          • API String ID: 705109652-0
                                                                          • Opcode ID: 511d6d9563a7b1ffc5c92be43f58a519d922bcec561c93a000fc30fed3c9634a
                                                                          • Instruction ID: 73678e22deb19cee6ac9eaf631a966f4da86afaf54b79670e03dbd25b55c7706
                                                                          • Opcode Fuzzy Hash: 511d6d9563a7b1ffc5c92be43f58a519d922bcec561c93a000fc30fed3c9634a
                                                                          • Instruction Fuzzy Hash: A6F04535D0225ADBCF619FD2DA494ADBBB2EB10302BA4803EE51566131CB350E92DF58
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 86%
                                                                          			E0040F1B2(signed int _a4, char _a7, signed int _a8, char _a11, intOrPtr _a12, signed int _a16, char _a19, intOrPtr _a20) {
                                                                          				intOrPtr _v8;
                                                                          				intOrPtr _v12;
                                                                          				intOrPtr _v16;
                                                                          				signed int _v20;
                                                                          				signed int _v24;
                                                                          				signed int _v28;
                                                                          				signed int _v32;
                                                                          				signed int _v36;
                                                                          				signed int _v40;
                                                                          				signed int _v44;
                                                                          				signed int _v48;
                                                                          				signed int _v52;
                                                                          				void* _v56;
                                                                          				intOrPtr _v60;
                                                                          				void* _v64;
                                                                          				signed int _v68;
                                                                          				intOrPtr _t114;
                                                                          				signed int _t116;
                                                                          				signed int _t120;
                                                                          				signed int _t121;
                                                                          				intOrPtr _t134;
                                                                          				unsigned int _t156;
                                                                          				signed int _t159;
                                                                          				intOrPtr _t160;
                                                                          				unsigned int _t161;
                                                                          				signed int _t163;
                                                                          				signed int _t175;
                                                                          				signed int _t177;
                                                                          
                                                                          				_t161 = _a4;
                                                                          				_t114 =  *0x47e170; // 0x0
                                                                          				_t156 = _a8;
                                                                          				_t175 = _t161 & 0x000000ff;
                                                                          				_t177 = _a16;
                                                                          				_v60 = _t114;
                                                                          				_v68 = _v68 & 0x00000000;
                                                                          				_t116 = _t175 - (_t156 & 0x000000ff);
                                                                          				_v20 = _t175;
                                                                          				_a4 = _t116;
                                                                          				asm("cdq");
                                                                          				_v32 = _t116 / _t177;
                                                                          				_t120 = _t161 & 0x000000ff;
                                                                          				_a16 = _t120;
                                                                          				_t121 = _t120 - (_t156 & 0x000000ff);
                                                                          				_a8 = _t121;
                                                                          				asm("cdq");
                                                                          				_t163 = _t161 >> 0x00000010 & 0x000000ff;
                                                                          				_v28 = _t163;
                                                                          				_v36 = _t121 / _t177;
                                                                          				_t159 = _t163 - (_t156 >> 0x00000010 & 0x000000ff);
                                                                          				asm("cdq");
                                                                          				_v40 = _t159 / _t177;
                                                                          				asm("cdq");
                                                                          				_v44 = _a4 % _t177;
                                                                          				asm("cdq");
                                                                          				_v48 = _a8 % _t177;
                                                                          				asm("cdq");
                                                                          				_v24 = _a16;
                                                                          				_v8 = 0;
                                                                          				_v12 = 0;
                                                                          				_v16 = 0;
                                                                          				_a7 = _a4 > 0;
                                                                          				_a11 = _a8 > 0;
                                                                          				_t134 = _a20;
                                                                          				_a19 = _t159 > 0;
                                                                          				_v52 = _t159 % _t177;
                                                                          				while(_t134 < _a12) {
                                                                          					if(_a11 == 0) {
                                                                          						if(_v12 <=  ~_t177) {
                                                                          							_v12 = _v12 + _t177;
                                                                          							_v24 = _v24 + 1;
                                                                          						}
                                                                          					} else {
                                                                          						if(_v12 >= _t177) {
                                                                          							_v12 = _v12 - _t177;
                                                                          							_v24 = _v24 - 1;
                                                                          						}
                                                                          					}
                                                                          					if(_a19 == 0) {
                                                                          						if(_v16 <=  ~_t177) {
                                                                          							_v16 = _v16 + _t177;
                                                                          							_v28 = _v28 + 1;
                                                                          						}
                                                                          					} else {
                                                                          						if(_v16 >= _t177) {
                                                                          							_v16 = _v16 - _t177;
                                                                          							_v28 = _v28 - 1;
                                                                          						}
                                                                          					}
                                                                          					_t134 = _t160;
                                                                          				}
                                                                          				return _t134;
                                                                          			}































                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: BrushCreateDeleteFillObjectRectSolid
                                                                          • String ID: g@22
                                                                          • API String ID: 2123768370-484279793
                                                                          • Opcode ID: 32db67808970f7d40a01b2fbc38824db2168226f8f331c16745f0a183be6d3bf
                                                                          • Instruction ID: 9399de27422c3eafa2a9f271622b1fa8dcba86be0284eb149c6f32b38e448122
                                                                          • Opcode Fuzzy Hash: 32db67808970f7d40a01b2fbc38824db2168226f8f331c16745f0a183be6d3bf
                                                                          • Instruction Fuzzy Hash: 4E51E5B1D01229DFCB50CFA9D8845EEBBF1BB48311F1480BBE815E2241D3349A85DFA4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E004063D6(void* __ecx, void* __eflags, long _a4, intOrPtr* _a8, intOrPtr* _a12) {
                                                                          				signed int _v8;
                                                                          				long _v12;
                                                                          				signed int _v16;
                                                                          				int _v28;
                                                                          				int _v32;
                                                                          				long _v52;
                                                                          				char _v56;
                                                                          				long _t55;
                                                                          				long _t56;
                                                                          				long _t60;
                                                                          				intOrPtr _t63;
                                                                          				intOrPtr* _t64;
                                                                          				int _t66;
                                                                          				int _t67;
                                                                          				int _t68;
                                                                          				long _t72;
                                                                          				long _t74;
                                                                          				int _t78;
                                                                          				signed int _t81;
                                                                          				void* _t85;
                                                                          
                                                                          				_t74 = _a4;
                                                                          				_t85 = __ecx;
                                                                          				_t55 = E00406060(__ecx, E0040607A(__ecx, _t74));
                                                                          				_v8 = _v8 & 0x00000000;
                                                                          				_v16 = _v16 & 0x00000000;
                                                                          				_a4 = _t55;
                                                                          				_t56 = SendMessageA( *(__ecx + 0xc), 0x110a, 4, _t74);
                                                                          				_t78 = 0;
                                                                          				_v12 = _t56;
                                                                          				_t91 = _t56;
                                                                          				if(_t56 == 0) {
                                                                          					L3:
                                                                          					 *_a8 =  *_a8 + _v8;
                                                                          					_t81 = _v16;
                                                                          					 *_a12 =  *_a12 + _t81;
                                                                          					if(_v8 == _t78) {
                                                                          						__eflags = _t81 - _t78;
                                                                          						if(_t81 != _t78) {
                                                                          							_v56 = 0x32;
                                                                          							_v28 = _t78;
                                                                          							_v32 = _t78;
                                                                          							 *((intOrPtr*)(_a4 + 8)) = _t78;
                                                                          							_v52 = _t74;
                                                                          							_t60 =  &_v56;
                                                                          							L11:
                                                                          							SendMessageA( *(_t85 + 0xc), 0x110d, _t78, _t60);
                                                                          							_t63 =  *((intOrPtr*)(_a4 + 8));
                                                                          							if(_t63 != 0) {
                                                                          								__eflags = _t63 - 1;
                                                                          								if(_t63 == 1) {
                                                                          									L15:
                                                                          									_t64 = _a8;
                                                                          									L16:
                                                                          									 *_t64 =  *_t64 + 1;
                                                                          									return _t64;
                                                                          								}
                                                                          								__eflags = _t63 - 2;
                                                                          								if(_t63 != 2) {
                                                                          									return _t63;
                                                                          								}
                                                                          								goto L15;
                                                                          							}
                                                                          							_t64 = _a12;
                                                                          							goto L16;
                                                                          						}
                                                                          						L7:
                                                                          						__eflags = _v8 - _t78;
                                                                          						if(_v8 == _t78) {
                                                                          							_v56 = 0x32;
                                                                          							_v52 = _t74;
                                                                          							_t66 =  *((intOrPtr*)(_a4 + 8));
                                                                          							_v28 = _t66;
                                                                          							_v32 = _t66;
                                                                          							_t60 =  &_v56;
                                                                          						} else {
                                                                          							_t67 = 1;
                                                                          							_v56 = 0x32;
                                                                          							 *((intOrPtr*)(_a4 + 8)) = _t67;
                                                                          							_v28 = _t67;
                                                                          							_v32 = _t67;
                                                                          							_v52 = _t74;
                                                                          							_t60 =  &_v56;
                                                                          						}
                                                                          						goto L11;
                                                                          					}
                                                                          					if(_t81 == _t78) {
                                                                          						goto L7;
                                                                          					}
                                                                          					_t68 = 3;
                                                                          					_v56 = 0x32;
                                                                          					 *(_a4 + 8) = _t68;
                                                                          					_v28 = _t68;
                                                                          					_v32 = _t68;
                                                                          					_v52 = _t74;
                                                                          					_t60 =  &_v56;
                                                                          					goto L11;
                                                                          				} else {
                                                                          					goto L1;
                                                                          				}
                                                                          				do {
                                                                          					L1:
                                                                          					E004063D6(_t85, _t91, _v12,  &_v8,  &_v16);
                                                                          					_t72 = SendMessageA( *(_t85 + 0xc), 0x110a, 1, _v12);
                                                                          					_v12 = _t72;
                                                                          				} while (_t72 != 0);
                                                                          				_t78 = 0;
                                                                          				goto L3;
                                                                          			}
























                                                                          APIs
                                                                          • SendMessageA.USER32(?,0000110A,00000004,?), ref: 0040640E
                                                                          • SendMessageA.USER32(?,0000110D,00000000,00000032), ref: 004064DF
                                                                            • Part of subcall function 004063D6: SendMessageA.USER32(?,0000110A,00000001,?), ref: 00406438
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend
                                                                          • String ID: 2
                                                                          • API String ID: 3850602802-450215437
                                                                          • Opcode ID: 0d697fa6cfd22ce5255ca20625cc7f0cb5f0048a09a495801416c6ff532affda
                                                                          • Instruction ID: cbb0343fe3eedb3d421d54385876156e88e43829525f595412eb2063aa438078
                                                                          • Opcode Fuzzy Hash: 0d697fa6cfd22ce5255ca20625cc7f0cb5f0048a09a495801416c6ff532affda
                                                                          • Instruction Fuzzy Hash: 7A41D670E01209EFDF15CF98D881A9EBBB5FF08315F21816BE506EB290D7749A518F88
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 74%
                                                                          			E00408006(signed char* _a4) {
                                                                          				signed int _t21;
                                                                          				signed char _t24;
                                                                          				intOrPtr* _t25;
                                                                          				struct HICON__* _t27;
                                                                          				signed char* _t36;
                                                                          				void* _t37;
                                                                          				signed int* _t38;
                                                                          				signed int _t39;
                                                                          				signed char* _t40;
                                                                          
                                                                          				_t40 = _a4;
                                                                          				_t2 =  &(_t40[8]); // 0xd44d8d00
                                                                          				_t21 =  *_t2;
                                                                          				if(_t21 != 1) {
                                                                          					L24:
                                                                          					__eflags = _t21 - 2;
                                                                          					if(_t21 != 2) {
                                                                          						L28:
                                                                          						return _t21;
                                                                          					}
                                                                          					__eflags =  *_t40 & 0x00000080;
                                                                          					if(( *_t40 & 0x00000080) == 0) {
                                                                          						goto L28;
                                                                          					}
                                                                          					__eflags = 0;
                                                                          					_t18 =  &(_t40[0x58]); // 0x407864
                                                                          					_t36 = _t18;
                                                                          					_t19 =  &(_t40[0x34]); // 0x44c60575
                                                                          					E0040FEB9(0x47f208, _t36,  *_t19, 0, 0);
                                                                          					_push( *_t36);
                                                                          					_push(0);
                                                                          					_push(0xf7);
                                                                          					L27:
                                                                          					_t20 =  &(_t40[0x50]); // 0x6ffee858
                                                                          					return SendMessageA( *_t20, ??, ??, ??);
                                                                          				}
                                                                          				if(_t40[0xc] != 4) {
                                                                          					__eflags = _t21 - 1;
                                                                          					if(_t21 != 1) {
                                                                          						goto L24;
                                                                          					}
                                                                          					__eflags = _t40[0xc] - 3;
                                                                          					if(_t40[0xc] != 3) {
                                                                          						goto L24;
                                                                          					}
                                                                          					_t10 =  &(_t40[0x34]); // 0x44c60575
                                                                          					_t24 =  *_t10;
                                                                          					__eflags = _t24 - 0xffffffff;
                                                                          					if(_t24 != 0xffffffff) {
                                                                          						__eflags = _t24 - 0xfffffffe;
                                                                          						if(_t24 != 0xfffffffe) {
                                                                          							_t37 = 0;
                                                                          							__eflags =  *0x47e52c; // 0x0
                                                                          							if(__eflags <= 0) {
                                                                          								L21:
                                                                          								_t15 =  &(_t40[0x58]); // 0x76ffcd8b
                                                                          								_t21 =  *_t15;
                                                                          								__eflags = _t21;
                                                                          								if(_t21 == 0) {
                                                                          									goto L28;
                                                                          								}
                                                                          								_push(_t21);
                                                                          								_push(1);
                                                                          								L23:
                                                                          								_push(0x172);
                                                                          								goto L27;
                                                                          							} else {
                                                                          								goto L16;
                                                                          							}
                                                                          							while(1) {
                                                                          								L16:
                                                                          								_t25 = E0041E860(0x47e520, _t37);
                                                                          								_t12 =  &(_t40[0x34]); // 0x44c60575
                                                                          								__eflags =  *_t25 -  *_t12;
                                                                          								if( *_t25 ==  *_t12) {
                                                                          									break;
                                                                          								}
                                                                          								_t37 = _t37 + 1;
                                                                          								__eflags = _t37 -  *0x47e52c; // 0x0
                                                                          								if(__eflags < 0) {
                                                                          									continue;
                                                                          								}
                                                                          								goto L21;
                                                                          							}
                                                                          							_t13 = _t25 + 4; // 0x4
                                                                          							_t27 = LoadImageA( *0x47e17c, E0041CD1E(_t13), 1, 0, 0, 0x10);
                                                                          							L20:
                                                                          							_t40[0x58] = _t27;
                                                                          							goto L21;
                                                                          						}
                                                                          						_t40[0x58] = 0;
                                                                          						goto L21;
                                                                          					}
                                                                          					_t27 = LoadIconA( *0x47e17c, 0x65);
                                                                          					goto L20;
                                                                          				}
                                                                          				_t4 =  &(_t40[0x34]); // 0x44c60575
                                                                          				_t21 =  *_t4;
                                                                          				if(_t21 != 0xffffffff) {
                                                                          					__eflags = _t21 - 0xfffffffe;
                                                                          					_t6 =  &(_t40[0x58]); // 0x407864
                                                                          					_t38 = _t6;
                                                                          					if(_t21 != 0xfffffffe) {
                                                                          						_t7 =  &(_t40[0x20]); // 0xdb33e98b
                                                                          						_t8 =  &(_t40[0x1c]); // 0x555328ec
                                                                          						_t21 = E0040FEB9(0x47f208, _t38, _t21,  *_t8,  *_t7);
                                                                          					} else {
                                                                          						 *_t38 = 0;
                                                                          					}
                                                                          				} else {
                                                                          					_t21 =  *0x47e180; // 0x0
                                                                          					_t5 =  &(_t40[0x58]); // 0x407864
                                                                          					_t38 = _t5;
                                                                          					 *_t38 = _t21;
                                                                          				}
                                                                          				_t39 =  *_t38;
                                                                          				if(_t39 == 0) {
                                                                          					goto L28;
                                                                          				} else {
                                                                          					_push(_t39);
                                                                          					_push(0);
                                                                          					goto L23;
                                                                          				}
                                                                          			}












                                                                          0x004080ba
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004080bc
                                                                          0x004080c4
                                                                          0x004080d3
                                                                          0x004080d9
                                                                          0x004080d9
                                                                          0x00000000
                                                                          0x004080d9
                                                                          0x00408092
                                                                          0x00000000
                                                                          0x00408092
                                                                          0x00408085
                                                                          0x00000000
                                                                          0x00408085
                                                                          0x0040801f
                                                                          0x0040801f
                                                                          0x00408027
                                                                          0x00408035
                                                                          0x00408038
                                                                          0x00408038
                                                                          0x0040803b
                                                                          0x00408041
                                                                          0x00408049
                                                                          0x0040804e
                                                                          0x0040803d
                                                                          0x0040803d
                                                                          0x0040803d
                                                                          0x00408029
                                                                          0x00408029
                                                                          0x0040802e
                                                                          0x0040802e
                                                                          0x00408031
                                                                          0x00408031
                                                                          0x00408053
                                                                          0x00408057
                                                                          0x00000000
                                                                          0x0040805d
                                                                          0x0040805d
                                                                          0x0040805e
                                                                          0x00000000
                                                                          0x0040805e

                                                                          APIs
                                                                          • LoadIconA.USER32 ref: 00408085
                                                                          • SendMessageA.USER32(6FFEE858,000000F7,00000000,00407864), ref: 00408117
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: IconLoadMessageSend
                                                                          • String ID: G
                                                                          • API String ID: 3419944811-4264440988
                                                                          • Opcode ID: 855e07b435fa39fb14fa5a0f8baf01adcb0fae204b3cce904ce901f2b8418828
                                                                          • Instruction ID: 54e56afa20d57626c761f8bd5286ead796f30a47e0c4695bdc08836978fd8330
                                                                          • Opcode Fuzzy Hash: 855e07b435fa39fb14fa5a0f8baf01adcb0fae204b3cce904ce901f2b8418828
                                                                          • Instruction Fuzzy Hash: 3731E631100301EFC7304B25CE8086777A9EB45728B514A3FF5D2A66E2CB79AC8ADF19
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 93%
                                                                          			E00408F3D(intOrPtr __ecx, signed short _a4) {
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				signed int _t9;
                                                                          				signed int _t15;
                                                                          				signed int _t24;
                                                                          				signed int _t27;
                                                                          				void* _t35;
                                                                          				void* _t42;
                                                                          
                                                                          				_t46 = __ecx;
                                                                          				if(_a4 >> 0x10 != 0) {
                                                                          					return 0;
                                                                          				}
                                                                          				_t9 = _a4 & 0x0000ffff;
                                                                          				__eflags = _t9 - 2;
                                                                          				if(_t9 != 2) {
                                                                          					__eflags = _t9 - 1;
                                                                          					if(_t9 != 1) {
                                                                          						__eflags = _t9 - 3;
                                                                          						if(_t9 == 3) {
                                                                          							E00407827(__ecx, _t42, __ecx, 0);
                                                                          							E00417D26(0x47dfb8, 0);
                                                                          						}
                                                                          					} else {
                                                                          						_t27 = SendDlgItemMessageA( *(__ecx + 4), 0xa, 0x188, 0, 0);
                                                                          						__eflags = _t27;
                                                                          						if(_t27 >= 0) {
                                                                          							__eflags = _t27 - SendDlgItemMessageA( *(_t46 + 4), 0xa, 0x18b, 0, 0);
                                                                          							if(__eflags <= 0) {
                                                                          								_t15 = E004153F8(0x47dfb8, __eflags, _t27);
                                                                          								__eflags = _t15;
                                                                          								if(_t15 != 0) {
                                                                          									E0041BF12(0x47e700, 0x42e0c8);
                                                                          									__eflags =  *0x47e18c & 0x00000040;
                                                                          									if(( *0x47e18c & 0x00000040) == 0) {
                                                                          										_push(E0041CD1E(0x47e350));
                                                                          										_t35 = 0x47e900;
                                                                          									} else {
                                                                          										_push(E0041CD1E(0x47e350));
                                                                          										_t35 = 0x47e90c;
                                                                          									}
                                                                          									E0041C467(0x47e700, E0041CD1E(_t35));
                                                                          									E00407827(_t46, 0x47dfb8, _t46, 0);
                                                                          									E00417EA6(0x47dfb8, 0);
                                                                          								} else {
                                                                          									E0041B2A8( *(_t46 + 4), "Couldn\'t load language set!", 0);
                                                                          								}
                                                                          							}
                                                                          						}
                                                                          					}
                                                                          				} else {
                                                                          					_t24 = E0041BC79(0x47dfb8);
                                                                          					__eflags = _t24;
                                                                          					if(_t24 != 0) {
                                                                          						E00407827(_t46, 0x47dfb8, _t46, 0);
                                                                          						E0041A1B5(1);
                                                                          					}
                                                                          				}
                                                                          				return 1;
                                                                          			}












                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: Couldn't load language set!$PG
                                                                          • API String ID: 0-2579099614
                                                                          • Opcode ID: 42a7c8d168349ac970808f6448ea46a28237ef3dfabdb2de91d1ed100cc331f8
                                                                          • Instruction ID: 77cd5b422e5052c0ad46dc8d68f147adf1f3548e2e93d8bac81c3ea856fbdb18
                                                                          • Opcode Fuzzy Hash: 42a7c8d168349ac970808f6448ea46a28237ef3dfabdb2de91d1ed100cc331f8
                                                                          • Instruction Fuzzy Hash: 5321A02030430862CA1432735C96ABF764E8F85B59F54843FF60A762D2CF6E6C42626E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 81%
                                                                          			E0041DE38(signed int _a4, signed int _a8, CHAR* _a12) {
                                                                          				signed int _v5;
                                                                          				char _v12;
                                                                          				intOrPtr _v16;
                                                                          				intOrPtr _v20;
                                                                          				intOrPtr _t50;
                                                                          				void* _t60;
                                                                          				signed int _t64;
                                                                          				char _t66;
                                                                          				void* _t67;
                                                                          				signed int _t72;
                                                                          				char* _t74;
                                                                          
                                                                          				_t72 = _a8;
                                                                          				if((_a4 | _t72) != 0) {
                                                                          					_t74 = _a12;
                                                                          					_t66 = 0;
                                                                          					_v5 = _v5 & 0;
                                                                          					_v12 = 0;
                                                                          					__eflags = _t72 & 0x80000000;
                                                                          					if((_t72 & 0x80000000) == 0) {
                                                                          						L8:
                                                                          						_v20 = 0xa7640000;
                                                                          						_v16 = 0xde0b6b3;
                                                                          						_a12 = 0x13;
                                                                          						do {
                                                                          							__eflags = _t72 - _v16;
                                                                          							if(__eflags < 0) {
                                                                          								L13:
                                                                          								__eflags = _v12 - _t66;
                                                                          								if(_v12 != _t66) {
                                                                          									_t33 =  &_v12;
                                                                          									 *_t33 = _v12 + 1;
                                                                          									__eflags =  *_t33;
                                                                          									 *((char*)((_v5 & 0x000000ff) + _v12 + _t74)) = 0x30;
                                                                          								}
                                                                          								goto L15;
                                                                          							}
                                                                          							if(__eflags > 0) {
                                                                          								L12:
                                                                          								_t67 = E00425320(_a4, _t72, _v20, _v16);
                                                                          								asm("cdq");
                                                                          								_a4 = _a4 - E004252C0(_t67, 0x80000000, _v20, _v16);
                                                                          								asm("sbb edi, edx");
                                                                          								_v12 = _v12 + 1;
                                                                          								 *((char*)((_v5 & 0x000000ff) + _v12 + _t74)) = _t67 + 0x30;
                                                                          								_t66 = 0;
                                                                          								goto L15;
                                                                          							}
                                                                          							__eflags = _a4 - _v20;
                                                                          							if(_a4 < _v20) {
                                                                          								goto L13;
                                                                          							}
                                                                          							goto L12;
                                                                          							L15:
                                                                          							_t50 = E00425320(_v20, _v16, 0xa, _t66);
                                                                          							_t38 =  &_a12;
                                                                          							 *_t38 = _a12 - 1;
                                                                          							__eflags =  *_t38;
                                                                          							_v20 = _t50;
                                                                          							_v16 = 0x80000000;
                                                                          						} while ( *_t38 != 0);
                                                                          						_t60 = (_v5 & 0x000000ff) + _v12;
                                                                          						_t44 = _t60 + _t74;
                                                                          						 *_t44 =  *(_t60 + _t74) & 0x00000000;
                                                                          						__eflags =  *_t44;
                                                                          						return _t74;
                                                                          					}
                                                                          					__eflags = _a4;
                                                                          					if(_a4 != 0) {
                                                                          						L7:
                                                                          						 *_t74 = 0x2d;
                                                                          						_t72 =  !_t72 & 0x0fffffff;
                                                                          						_t64 =  !_a4 + 1;
                                                                          						__eflags = _t64;
                                                                          						asm("adc edi, ebx");
                                                                          						_a4 = _t64;
                                                                          						_v5 = 1;
                                                                          						goto L8;
                                                                          					}
                                                                          					__eflags = _t72 - 0x80000000;
                                                                          					if(_t72 != 0x80000000) {
                                                                          						goto L7;
                                                                          					}
                                                                          					_push("-9223372036854775808");
                                                                          					L6:
                                                                          					return lstrcpyA(_a12, ??);
                                                                          				}
                                                                          				_push("0");
                                                                          				goto L6;
                                                                          			}















                                                                          APIs
                                                                          • lstrcpyA.KERNEL32(0040CA7F,-9223372036854775808,00000000,?,00000000,0040CA7F,00000000,?,00000000,76903BB0,?,00000000,00000000,00000000,000000B4,00000000), ref: 0041DE7D
                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041DED2
                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041DF1F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$lstrcpy
                                                                          • String ID: -9223372036854775808
                                                                          • API String ID: 191136725-2871333643
                                                                          • Opcode ID: 1da013a00ed4f888c4f4e2d40d23857b28de4f724200c88ab0ce9d1520ac8055
                                                                          • Instruction ID: 9bd6ed5f5e092b7878f430b8e576e8865948b3051bf6daf1064d560ea88b1c8a
                                                                          • Opcode Fuzzy Hash: 1da013a00ed4f888c4f4e2d40d23857b28de4f724200c88ab0ce9d1520ac8055
                                                                          • Instruction Fuzzy Hash: 3731A2B1E04659BFCF118F95DC817EEBFB1FF50345F54809AE810A6241C7798A81CB54
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 71%
                                                                          			E00423C00() {
                                                                          				signed int _v8;
                                                                          				intOrPtr _v20;
                                                                          				intOrPtr _v28;
                                                                          				signed int _v32;
                                                                          				CHAR* _v40;
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				void* _t36;
                                                                          				CHAR* _t39;
                                                                          				signed int _t40;
                                                                          				signed int _t41;
                                                                          				intOrPtr _t44;
                                                                          				intOrPtr _t47;
                                                                          
                                                                          				_push(0xffffffff);
                                                                          				_push(0x428708);
                                                                          				_push(E00424EE0);
                                                                          				_push( *[fs:0x0]);
                                                                          				 *[fs:0x0] = _t44;
                                                                          				_push(_t40);
                                                                          				_push(_t36);
                                                                          				_v28 = _t44 - 0x18;
                                                                          				_t41 = _t40 | 0xffffffff;
                                                                          				_t47 =  *0x47f244; // 0x0
                                                                          				if(_t47 != 0) {
                                                                          					E00407B45(0, _t36, _t41, 1);
                                                                          					_t39 = E00424DD9(0x104);
                                                                          					_v40 = _t39;
                                                                          					if(_t39 == 0) {
                                                                          						E0041D881(E0041CD1E(0x47e924));
                                                                          					}
                                                                          					E00424500(_t39, 0, 0x104);
                                                                          					lstrcatA(_t39, E0041CD1E(0x47e338));
                                                                          					_v8 = 0;
                                                                          					_t41 =  *0x47f244( *0x47e178, _t39, 0x104);
                                                                          					_v32 = _t41;
                                                                          					_v8 = _v8 | 0xffffffff;
                                                                          					E0041BF12(0x47e338, _t39);
                                                                          					E00424DCE(_t39);
                                                                          					if(_t41 == 1) {
                                                                          						if(_t41 != 2) {
                                                                          							goto L10;
                                                                          						} else {
                                                                          							goto L8;
                                                                          						}
                                                                          					} else {
                                                                          						if(_t41 == 2) {
                                                                          							L8:
                                                                          							if( *0x42bf98 == 0xffffffff) {
                                                                          								L10:
                                                                          								_t41 = 0;
                                                                          							} else {
                                                                          								_t41 = 1;
                                                                          							}
                                                                          						} else {
                                                                          							E0041A1B5(1);
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          				if(_t41 <= 0) {
                                                                          					E004145F6(0x47e880, 7);
                                                                          					E004112B1(7);
                                                                          				}
                                                                          				 *[fs:0x0] = _v20;
                                                                          				return _t41;
                                                                          			}


















                                                                          APIs
                                                                            • Part of subcall function 00407B45: DeleteObject.GDI32(?), ref: 00407B99
                                                                            • Part of subcall function 00407B45: DeleteObject.GDI32(?), ref: 00407BA9
                                                                            • Part of subcall function 00407B45: DestroyWindow.USER32(?,00000000,0047DFB8,00000094,?,0041A1BF,00000001,0047DFB8,0041A044,00000001,00000000,00000000,00000000,?,0047E924,0041D88F), ref: 00407BE2
                                                                            • Part of subcall function 00407B45: DeleteObject.GDI32(?), ref: 00407C0B
                                                                            • Part of subcall function 00407B45: DeleteObject.GDI32(?), ref: 00407C22
                                                                            • Part of subcall function 00407B45: DeleteObject.GDI32(?), ref: 00407C39
                                                                            • Part of subcall function 00407B45: DeleteObject.GDI32(?), ref: 00407C50
                                                                          • lstrcatA.KERNEL32(00000000,00000000,0047E50C,00000000,00000000,00415294,00000000,?,?,00000000), ref: 00423C7C
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: DeleteObject$Global$AllocDestroyLockUnlockWindowlstrcat
                                                                          • String ID: $G$8G$8G
                                                                          • API String ID: 2522731524-374341317
                                                                          • Opcode ID: 7185a05e51b1de32318d534e3b6fcfef408e179e28108a3ef9f92a30f156077d
                                                                          • Instruction ID: 8115a7386252ee14b040bfa3dfd6a380e7d671b64f282384a0dcfaf0cb5d2036
                                                                          • Opcode Fuzzy Hash: 7185a05e51b1de32318d534e3b6fcfef408e179e28108a3ef9f92a30f156077d
                                                                          • Instruction Fuzzy Hash: 98212B72F00230ABC3206B6A7D42AAE7579DB80B69F60023FF515772D1CA7D0D82859D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 71%
                                                                          			E00423D1A() {
                                                                          				signed int _v8;
                                                                          				intOrPtr _v20;
                                                                          				intOrPtr _v28;
                                                                          				signed int _v32;
                                                                          				CHAR* _v40;
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				void* _t36;
                                                                          				CHAR* _t39;
                                                                          				signed int _t40;
                                                                          				signed int _t41;
                                                                          				intOrPtr _t44;
                                                                          				intOrPtr _t47;
                                                                          
                                                                          				_push(0xffffffff);
                                                                          				_push(0x428718);
                                                                          				_push(E00424EE0);
                                                                          				_push( *[fs:0x0]);
                                                                          				 *[fs:0x0] = _t44;
                                                                          				_push(_t40);
                                                                          				_push(_t36);
                                                                          				_v28 = _t44 - 0x18;
                                                                          				_t41 = _t40 | 0xffffffff;
                                                                          				_t47 =  *0x47f248; // 0x0
                                                                          				if(_t47 != 0) {
                                                                          					E00407B45(0, _t36, _t41, 1);
                                                                          					_t39 = E00424DD9(0x104);
                                                                          					_v40 = _t39;
                                                                          					if(_t39 == 0) {
                                                                          						E0041D881(E0041CD1E(0x47e924));
                                                                          					}
                                                                          					E00424500(_t39, 0, 0x104);
                                                                          					lstrcatA(_t39, E0041CD1E(0x47e344));
                                                                          					_v8 = 0;
                                                                          					_t41 =  *0x47f248( *0x47e178, _t39, 0x104);
                                                                          					_v32 = _t41;
                                                                          					_v8 = _v8 | 0xffffffff;
                                                                          					E0041BF12(0x47e344, _t39);
                                                                          					E00424DCE(_t39);
                                                                          					if(_t41 == 1) {
                                                                          						if(_t41 != 2) {
                                                                          							goto L10;
                                                                          						} else {
                                                                          							goto L8;
                                                                          						}
                                                                          					} else {
                                                                          						if(_t41 == 2) {
                                                                          							L8:
                                                                          							if( *0x42bf98 == 0xffffffff) {
                                                                          								L10:
                                                                          								_t41 = 0;
                                                                          							} else {
                                                                          								_t41 = 1;
                                                                          							}
                                                                          						} else {
                                                                          							E0041A1B5(1);
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          				if(_t41 <= 0) {
                                                                          					E004145F6(0x47e880, 8);
                                                                          					E004112B1(8);
                                                                          				}
                                                                          				 *[fs:0x0] = _v20;
                                                                          				return _t41;
                                                                          			}

                                                                          APIs
                                                                            • Part of subcall function 00407B45: DeleteObject.GDI32(?), ref: 00407B99
                                                                            • Part of subcall function 00407B45: DeleteObject.GDI32(?), ref: 00407BA9
                                                                            • Part of subcall function 00407B45: DestroyWindow.USER32(?,00000000,0047DFB8,00000094,?,0041A1BF,00000001,0047DFB8,0041A044,00000001,00000000,00000000,00000000,?,0047E924,0041D88F), ref: 00407BE2
                                                                            • Part of subcall function 00407B45: DeleteObject.GDI32(?), ref: 00407C0B
                                                                            • Part of subcall function 00407B45: DeleteObject.GDI32(?), ref: 00407C22
                                                                            • Part of subcall function 00407B45: DeleteObject.GDI32(?), ref: 00407C39
                                                                            • Part of subcall function 00407B45: DeleteObject.GDI32(?), ref: 00407C50
                                                                          • lstrcatA.KERNEL32(00000000,00000000,0047E50C,00000000,00000000,00415294,00000000,?,?,00000000), ref: 00423D96
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: DeleteObject$Global$AllocDestroyLockUnlockWindowlstrcat
                                                                          • String ID: $G$DG$DG
                                                                          • API String ID: 2522731524-3730125631
                                                                          • Opcode ID: 2f2b418b8ba34d6e3d4374114826b12d4a2e3f29efaab3276254b25a5f94b08d
                                                                          • Instruction ID: a2bfef0010f8ebc192bdd9e60e8a526ad02d01d20727c96312a57d634a3b970f
                                                                          • Opcode Fuzzy Hash: 2f2b418b8ba34d6e3d4374114826b12d4a2e3f29efaab3276254b25a5f94b08d
                                                                          • Instruction Fuzzy Hash: 5421E972B40130ABD3206B657C82ABE7975DB81765F61023FF515662D1CA7C0D8246EE
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 75%
                                                                          			E00405311(void* __edi, void* __esi, void* __eflags) {
                                                                          				char _v16;
                                                                          				char _v28;
                                                                          				void _v539;
                                                                          				char _v540;
                                                                          				void* _t26;
                                                                          				void* _t27;
                                                                          				signed int _t50;
                                                                          				long _t59;
                                                                          				void* _t61;
                                                                          				void* _t62;
                                                                          
                                                                          				_t59 = GetLastError();
                                                                          				E00401A5C();
                                                                          				E0041BDC5( &_v16);
                                                                          				_push(E0041CD1E(0x47f02c));
                                                                          				E0041C467( &_v16, E0041CD1E(0x47efd8));
                                                                          				_t62 = _t61 + 0xc;
                                                                          				E0041BDC5( &_v28);
                                                                          				if(_t59 == 0) {
                                                                          					E0041BF80( &_v28,  &_v16);
                                                                          				} else {
                                                                          					_t50 = 0x7f;
                                                                          					_v540 = 0;
                                                                          					memset( &_v539, 0, _t50 << 2);
                                                                          					asm("stosw");
                                                                          					asm("stosb");
                                                                          					FormatMessageA(0x1000, 0, _t59, 0x400,  &_v540, 0x200, 0);
                                                                          					_push( &_v540);
                                                                          					_push(E0041CD1E( &_v16));
                                                                          					E0041C467( &_v28, "%s (%s)");
                                                                          					_t62 = _t62 + 0x1c;
                                                                          				}
                                                                          				_t26 = E0041CD1E(0x47e700);
                                                                          				_t27 = E0041CD1E( &_v28);
                                                                          				if(E0041D0E2(GetActiveWindow(), _t27, _t26, 4) == 7) {
                                                                          					E0041D0D5(_t29);
                                                                          				}
                                                                          				E0041BEFB( &_v28);
                                                                          				return E0041BEFB( &_v16);
                                                                          			}

                                                                          APIs
                                                                          • GetLastError.KERNEL32(00000000), ref: 0040531B
                                                                            • Part of subcall function 00401A5C: CloseHandle.KERNEL32(00000000,00405328), ref: 00401A72
                                                                            • Part of subcall function 00401A5C: CloseHandle.KERNEL32 ref: 00401A7A
                                                                            • Part of subcall function 00401A5C: DeleteFileA.KERNEL32(C:\ztg\fillProxy\spy++\spyxxhk.dll), ref: 00401A81
                                                                            • Part of subcall function 0041BDC5: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0041C189,00000000,0047E4D0,00000000), ref: 0041BDD5
                                                                            • Part of subcall function 0041BDC5: GlobalLock.KERNEL32 ref: 0041BDDF
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                            • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,00000000,?,0042DB90,0047E788), ref: 0041C489
                                                                            • Part of subcall function 0041C467: lstrlenA.KERNEL32(00000000,0042D4D0,00000000,00000000,00000001,00000001), ref: 0041C63F
                                                                            • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407DB6), ref: 0041C649
                                                                          • FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000200,00000000,00000000), ref: 00405390
                                                                          • GetActiveWindow.USER32 ref: 004053DC
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$lstrlen$AllocCloseHandleLock$ActiveDeleteErrorFileFormatLastMessageUnlockWindow
                                                                          • String ID: %s (%s)
                                                                          • API String ID: 2124624523-1363028141
                                                                          • Opcode ID: 974608c8354438f0f6330fc2255bd5c4ab50c069cb72252345656e87d0d041e2
                                                                          • Instruction ID: 1a99f7a09a3374408a4759d62bf33a5c9ae644328a98e511fed88348be1b81f5
                                                                          • Opcode Fuzzy Hash: 974608c8354438f0f6330fc2255bd5c4ab50c069cb72252345656e87d0d041e2
                                                                          • Instruction Fuzzy Hash: 6221B3B1D40109A6CB14F7B1DC8ADEF772CDF14348F5041BEF605A21C2EF7856858AA9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 68%
                                                                          			E0041021E(CHAR* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                          				char _v16;
                                                                          				int _t29;
                                                                          				CHAR* _t57;
                                                                          
                                                                          				E0041BE99( &_v16, 0x47e338);
                                                                          				if(E0041BFE3( &_v16, _v16 - 1) != 0x5c) {
                                                                          					E0041BFF8( &_v16, 0x5c);
                                                                          				}
                                                                          				E0041C047( &_v16, "Backup\\", 0);
                                                                          				E0040DC10(E0041CD1E( &_v16), 1);
                                                                          				_t57 = _a4;
                                                                          				_t29 = lstrlenA(_t57);
                                                                          				while(1) {
                                                                          					_t29 = _t29 - 1;
                                                                          					if(_t29 <= 0) {
                                                                          						break;
                                                                          					}
                                                                          					if(_t57[_t29] != 0x5c) {
                                                                          						continue;
                                                                          					} else {
                                                                          						E0041C047( &_v16,  &(( &(_t57[1]))[_t29]), 0);
                                                                          					}
                                                                          					break;
                                                                          				}
                                                                          				CopyFileA(_t57, E0041CD1E( &_v16), 0);
                                                                          				E0041BFF8( &_v16, 9);
                                                                          				E0041C047( &_v16, _t57, 0);
                                                                          				_push(_a16);
                                                                          				_push(_a20);
                                                                          				_push(_a12);
                                                                          				_push(_a8);
                                                                          				E0041C467( &_v16, "\t%d\t%d\t%d\t%d");
                                                                          				E00421D22(0x47e788, E0041CD1E( &_v16));
                                                                          				return E0041BEFB( &_v16);
                                                                          			}

                                                                          APIs
                                                                            • Part of subcall function 0041BE99: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0042C1D8,00421A71,00000000,00000000,00000000,0042C1D8,00000000,00000001,00000000,00000001,0000005C,00000000,00000000), ref: 0041BEB3
                                                                            • Part of subcall function 0041BE99: GlobalLock.KERNEL32 ref: 0041BED4
                                                                          • lstrlenA.KERNEL32(00000000,Backup\,00000000,00000000,-00000001,0047E338,00000000,00000000,00000034,?,?,?,0047EB1C,0042BC40,00000000), ref: 00410272
                                                                          • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0041029E
                                                                            • Part of subcall function 0041BFF8: GlobalUnlock.KERNEL32(8415FF57,0047E788,004221E2,00000000,00000000,00000000,0047E788,00000000), ref: 0041C000
                                                                            • Part of subcall function 0041BFF8: GlobalReAlloc.KERNEL32 ref: 0041C00D
                                                                            • Part of subcall function 0041BFF8: GlobalLock.KERNEL32 ref: 0041C02E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocLock$CopyFileUnlocklstrlen
                                                                          • String ID: %d%d%d%d$Backup\
                                                                          • API String ID: 1237974043-2132705745
                                                                          • Opcode ID: 976619ff1f6ac7e304c3716991ac40e53723da516e64e13083b91b345daaa296
                                                                          • Instruction ID: ad85fda3904b5a867add6e6e5d2a9896b3e047cb0076d11bc5066a6bb4e0c6a8
                                                                          • Opcode Fuzzy Hash: 976619ff1f6ac7e304c3716991ac40e53723da516e64e13083b91b345daaa296
                                                                          • Instruction Fuzzy Hash: 61217F31940209BADB14FBA5EC86FEE3728DF14304F50405EB511A60D2EF78AA85CB98
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0041CF4B(void** __ecx, intOrPtr _a4, intOrPtr _a8) {
                                                                          				void* _t26;
                                                                          				void* _t27;
                                                                          				void* _t30;
                                                                          				signed int _t31;
                                                                          				void* _t46;
                                                                          				void** _t55;
                                                                          
                                                                          				_t55 = __ecx;
                                                                          				__ecx[4] = 1;
                                                                          				GlobalUnlock( *__ecx);
                                                                          				_t26 = GlobalReAlloc( *_t55, (_a8 + _t55[1]) * _t55[3], 0x42);
                                                                          				 *_t55 = _t26;
                                                                          				_t27 = GlobalLock(_t26);
                                                                          				_t49 = 0;
                                                                          				 *(_t55[2]) = _t27;
                                                                          				if( *(_t55[2]) != 0) {
                                                                          					if(_a8 <= 0) {
                                                                          						L8:
                                                                          						_t55[1] = _t55[1] + _a8;
                                                                          						_t55[4] = _t55[4] & 0x00000000;
                                                                          						_t30 = 1;
                                                                          						return _t30;
                                                                          					}
                                                                          					do {
                                                                          						_t31 = _t55[3];
                                                                          						_t46 = 0;
                                                                          						if(_t31 <= 0) {
                                                                          							goto L6;
                                                                          						} else {
                                                                          							goto L5;
                                                                          						}
                                                                          						do {
                                                                          							L5:
                                                                          							 *((char*)((_t55[1] + _t49) * _t31 +  *(_t55[2]) + _t46)) =  *((intOrPtr*)(_t31 * _t49 + _t46 + _a4));
                                                                          							_t31 = _t55[3];
                                                                          							_t46 = _t46 + 1;
                                                                          						} while (_t46 < _t31);
                                                                          						L6:
                                                                          						_t49 = _t49 + 1;
                                                                          					} while (_t49 < _a8);
                                                                          					goto L8;
                                                                          				}
                                                                          				_t55[4] = 0;
                                                                          				return E0041D881(E0041CD1E(0x47e924)) | 0xffffffff;
                                                                          			}










                                                                          APIs
                                                                          • GlobalUnlock.KERNEL32(?,?,?,00421D0E,00000001,00000001,?,00411457,00000000,0047E794), ref: 0041CF57
                                                                          • GlobalReAlloc.KERNEL32 ref: 0041CF6C
                                                                          • GlobalLock.KERNEL32 ref: 0041CF75
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocLockUnlock
                                                                          • String ID: $G
                                                                          • API String ID: 3972497268-195990108
                                                                          • Opcode ID: 50ea70f0800864770253a9ffb9ffb59fa3bc52ba0c8d08bfe82d6428a90440b9
                                                                          • Instruction ID: 30d634e0afc79d46ac79a2021f3955f9af89963e9248311a26e3a657e5a0657f
                                                                          • Opcode Fuzzy Hash: 50ea70f0800864770253a9ffb9ffb59fa3bc52ba0c8d08bfe82d6428a90440b9
                                                                          • Instruction Fuzzy Hash: CB21A435240B419FC724CF69C981996B7E9EF59320710C52EE19ACB7A1D778E881CB14
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 73%
                                                                          			E0040D883(char* _a4, intOrPtr* _a8, intOrPtr* _a12) {
                                                                          				void* _v8;
                                                                          				int _v12;
                                                                          				int _v16;
                                                                          				signed int _t15;
                                                                          				void* _t21;
                                                                          				void* _t36;
                                                                          				int _t38;
                                                                          				void* _t39;
                                                                          
                                                                          				_t15 = GetFileVersionInfoSizeA(_a4,  &_v12);
                                                                          				_t38 = _t15;
                                                                          				if(_t38 != 0) {
                                                                          					_t36 = E00424DD9(_t38);
                                                                          					if(_t36 == 0) {
                                                                          						E0041D881(E0041CD1E(0x47e924));
                                                                          					}
                                                                          					if(GetFileVersionInfoA(_a4, _v12, _t38, _t36) != 0) {
                                                                          						_v8 = _v8 & 0x00000000;
                                                                          						if(VerQueryValueA(_t36, "\\",  &_v8,  &_v16) != 0) {
                                                                          							_t21 = _v8;
                                                                          							_push(1);
                                                                          							 *_a8 =  *((intOrPtr*)(_t21 + 8));
                                                                          							 *_a12 =  *((intOrPtr*)(_t21 + 0xc));
                                                                          						} else {
                                                                          							_push(0xfffffffc);
                                                                          						}
                                                                          					} else {
                                                                          						_push(0xfffffffd);
                                                                          					}
                                                                          					_pop(_t39);
                                                                          					E00424DCE(_t36);
                                                                          					return _t39;
                                                                          				}
                                                                          				return _t15 | 0xffffffff;
                                                                          			}












                                                                          APIs
                                                                          • GetFileVersionInfoSizeA.VERSION(00000000,00000000,00000000,?,00000000,00000000), ref: 0040D891
                                                                          • GetFileVersionInfoA.VERSION(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0040D8C8
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: FileInfoVersion$Size
                                                                          • String ID: $G
                                                                          • API String ID: 2104008232-195990108
                                                                          • Opcode ID: 624c5718af41c2b79abd81fd6ec22ab6704b1926903904cabe6d26171faf070a
                                                                          • Instruction ID: 6ec1859e884c135b30265ee31449acefa2f538f76d71efcc8004e3bba50e2383
                                                                          • Opcode Fuzzy Hash: 624c5718af41c2b79abd81fd6ec22ab6704b1926903904cabe6d26171faf070a
                                                                          • Instruction Fuzzy Hash: 08110D76A00114BBCB11BA95EC04DEF3B68DF85374B20427BF810E72C1DB389905D795
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0041E9EA(char* __ecx, intOrPtr _a4) {
                                                                          				signed int _t19;
                                                                          				signed int _t20;
                                                                          				void* _t25;
                                                                          				void* _t26;
                                                                          				signed int _t30;
                                                                          				intOrPtr* _t33;
                                                                          				char* _t38;
                                                                          
                                                                          				_t38 = __ecx;
                                                                          				_t30 = 0;
                                                                          				_t19 =  *(__ecx + 0xc);
                                                                          				if(_t19 <= 0) {
                                                                          					L4:
                                                                          					_t20 = _t19 | 0xffffffff;
                                                                          				} else {
                                                                          					_t33 =  *((intOrPtr*)(__ecx + 8));
                                                                          					while( *_t33 != _a4) {
                                                                          						_t30 = _t30 + 1;
                                                                          						_t33 = _t33 + 4;
                                                                          						if(_t30 < _t19) {
                                                                          							continue;
                                                                          						} else {
                                                                          							goto L4;
                                                                          						}
                                                                          						goto L5;
                                                                          					}
                                                                          					 *_t38 = 1;
                                                                          					while(_t30 < _t19 - 1) {
                                                                          						 *((intOrPtr*)( *(_t38 + 8) + _t30 * 4)) =  *((intOrPtr*)( *(_t38 + 8) + 4 + _t30 * 4));
                                                                          						_t19 =  *(_t38 + 0xc);
                                                                          						_t30 = _t30 + 1;
                                                                          					}
                                                                          					 *(_t38 + 0xc) =  *(_t38 + 0xc) - 1;
                                                                          					GlobalUnlock( *(_t38 + 4));
                                                                          					_t25 = GlobalReAlloc( *(_t38 + 4),  *(_t38 + 0xc) << 2, 0x42);
                                                                          					 *(_t38 + 4) = _t25;
                                                                          					_t26 = GlobalLock(_t25);
                                                                          					 *(_t38 + 8) = _t26;
                                                                          					if(_t26 != 0 ||  *(_t38 + 0xc) <= _t26) {
                                                                          						_t20 = 1;
                                                                          					} else {
                                                                          						_t19 = E0041D881(E0041CD1E(0x47e924));
                                                                          						goto L4;
                                                                          					}
                                                                          				}
                                                                          				L5:
                                                                          				return _t20;
                                                                          			}











                                                                          APIs
                                                                          • GlobalUnlock.KERNEL32(?,?,?,00415BF8,00000000,?), ref: 0041EA30
                                                                          • GlobalReAlloc.KERNEL32 ref: 0041EA42
                                                                          • GlobalLock.KERNEL32 ref: 0041EA4C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocLockUnlock
                                                                          • String ID: $G
                                                                          • API String ID: 3972497268-195990108
                                                                          • Opcode ID: 2c14db1d8af75b99250c197fbadac50f9c6fd3ff559b8cc28addc30c0ae6fbaa
                                                                          • Instruction ID: c5794519439faa4e23426753201981bf120af7aabff434d8043eab4aea142066
                                                                          • Opcode Fuzzy Hash: 2c14db1d8af75b99250c197fbadac50f9c6fd3ff559b8cc28addc30c0ae6fbaa
                                                                          • Instruction Fuzzy Hash: 0A11A075700A028FC7249F2AD85596BB7E5FF443A0710C92EE89BC7761DB78F8828B14
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0041CEC4(void** __ecx, intOrPtr _a4) {
                                                                          				void* _t20;
                                                                          				void* _t23;
                                                                          				void* _t24;
                                                                          				signed int _t30;
                                                                          				void** _t43;
                                                                          
                                                                          				_t43 = __ecx;
                                                                          				__ecx[4] = 1;
                                                                          				GlobalUnlock( *__ecx);
                                                                          				_t43[1] = _t43[1] + 1;
                                                                          				_t20 = GlobalReAlloc( *_t43, _t43[1] * _t43[3], 0x42);
                                                                          				 *_t43 = _t20;
                                                                          				 *(_t43[2]) = GlobalLock(_t20);
                                                                          				if( *(_t43[2]) != 0) {
                                                                          					_t30 = _t43[3];
                                                                          					_t23 = 0;
                                                                          					if(_t30 <= 0) {
                                                                          						L6:
                                                                          						_t43[4] = 0;
                                                                          						_t24 = 1;
                                                                          						return _t24;
                                                                          					}
                                                                          					do {
                                                                          						 *((char*)((_t43[1] - 1) * _t30 +  *(_t43[2]) + _t23)) =  *((intOrPtr*)(_t23 + _a4));
                                                                          						_t30 = _t43[3];
                                                                          						_t23 = _t23 + 1;
                                                                          					} while (_t23 < _t30);
                                                                          					goto L6;
                                                                          				}
                                                                          				_t43[4] = 0;
                                                                          				return E0041D881(E0041CD1E(0x47e924)) | 0xffffffff;
                                                                          			}









                                                                          APIs
                                                                          • GlobalUnlock.KERNEL32(?,?,00421D1D,00000000), ref: 0041CECD
                                                                          • GlobalReAlloc.KERNEL32 ref: 0041CEE2
                                                                          • GlobalLock.KERNEL32 ref: 0041CEEB
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocLockUnlock
                                                                          • String ID: $G
                                                                          • API String ID: 3972497268-195990108
                                                                          • Opcode ID: b0a6c556769eefa18d5e04f9020e956f96c5b50801f3da1a30941deeb5b5b08f
                                                                          • Instruction ID: 0870221ce2071d048dde4c69390beb3818ff02ef434fcd04cf7f89a3ced6e25b
                                                                          • Opcode Fuzzy Hash: b0a6c556769eefa18d5e04f9020e956f96c5b50801f3da1a30941deeb5b5b08f
                                                                          • Instruction Fuzzy Hash: D611A075244B41CFC339DB28D984956BBE6EF993107108D6EE0EAC76A1CB74A881CB54
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0041E87A(char* __ecx, intOrPtr _a4, intOrPtr _a8) {
                                                                          				void* _t21;
                                                                          				void* _t22;
                                                                          				void* _t24;
                                                                          				signed int _t28;
                                                                          				intOrPtr _t35;
                                                                          				char* _t36;
                                                                          
                                                                          				_t36 = __ecx;
                                                                          				_t35 = _a4;
                                                                          				if( *((char*)(__ecx + 0x10)) != 0) {
                                                                          					L2:
                                                                          					_t3 = _t36 + 4; // 0x0
                                                                          					 *_t36 = 1;
                                                                          					GlobalUnlock( *_t3);
                                                                          					 *(_t36 + 0xc) =  *(_t36 + 0xc) + 1;
                                                                          					_t6 = _t36 + 0xc; // 0x8
                                                                          					_t7 = _t36 + 4; // 0x0
                                                                          					_t21 = GlobalReAlloc( *_t7,  *_t6 << 2, 0x42);
                                                                          					 *(_t36 + 4) = _t21;
                                                                          					_t22 = GlobalLock(_t21);
                                                                          					 *(_t36 + 8) = _t22;
                                                                          					if(_t22 != 0) {
                                                                          						_t10 = _t36 + 0xc; // 0x8
                                                                          						 *((intOrPtr*)(_t22 +  *_t10 * 4 - 4)) = _t35;
                                                                          						_t14 = _t36 + 0xc; // 0x8
                                                                          						_t23 =  *_t14;
                                                                          						if(_a8 <  *_t14 && _a8 >= 0) {
                                                                          							E0041E974(_t36, _t23 - 1, _a8);
                                                                          						}
                                                                          						_t24 = 1;
                                                                          						return _t24;
                                                                          					}
                                                                          					_t28 = E0041D881(E0041CD1E(0x47e924));
                                                                          					L4:
                                                                          					return _t28 | 0xffffffff;
                                                                          				}
                                                                          				_t28 = E0041E950(__ecx, _t35);
                                                                          				if(_t28 != 0xffffffff) {
                                                                          					goto L4;
                                                                          				}
                                                                          				goto L2;
                                                                          			}










                                                                          APIs
                                                                          • GlobalUnlock.KERNEL32(00000000,00000000,0047E4D0,00407A66,00000000,000000FF), ref: 0041E899
                                                                          • GlobalReAlloc.KERNEL32 ref: 0041E8AE
                                                                          • GlobalLock.KERNEL32 ref: 0041E8B8
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocLockUnlock
                                                                          • String ID: $G
                                                                          • API String ID: 3972497268-195990108
                                                                          • Opcode ID: 74d9ac9f50b49838fe07b5fd0cd885ac76f5d1e4ede386879f54f980973285f0
                                                                          • Instruction ID: 677c5236bdc69a88a765f96c0d8c279930d7b857a0512f7c879e7915f268e9bb
                                                                          • Opcode Fuzzy Hash: 74d9ac9f50b49838fe07b5fd0cd885ac76f5d1e4ede386879f54f980973285f0
                                                                          • Instruction Fuzzy Hash: 311182745047019FC770AF269804A9BB7E8EF80324F108E2FF4AAC3591CB78D8858715
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0041C0C5(long* __ecx, void* __eflags, intOrPtr* _a4) {
                                                                          				long _t13;
                                                                          				void* _t15;
                                                                          				void* _t19;
                                                                          				intOrPtr _t22;
                                                                          				intOrPtr* _t29;
                                                                          				long* _t30;
                                                                          
                                                                          				_t29 = _a4;
                                                                          				_t30 = __ecx;
                                                                          				_t19 = E0041CD1E(_t29);
                                                                          				 *((intOrPtr*)(__ecx)) =  *((intOrPtr*)(__ecx)) +  *_t29;
                                                                          				GlobalUnlock( *(__ecx + 4));
                                                                          				_t13 = GlobalReAlloc(_t30[1],  *_t30, 0x42);
                                                                          				_t30[1] = _t13;
                                                                          				if(_t13 == 0) {
                                                                          					E0041D881(E0041CD1E(0x47e924));
                                                                          				}
                                                                          				_t30[2] = GlobalLock(_t30[1]);
                                                                          				_t22 =  *_t29;
                                                                          				_t15 = 0;
                                                                          				if(_t22 > 0) {
                                                                          					do {
                                                                          						 *((char*)(_t30[2] - _t22 +  *_t30 + _t15)) =  *((intOrPtr*)(_t15 + _t19));
                                                                          						_t22 =  *_t29;
                                                                          						_t15 = _t15 + 1;
                                                                          					} while (_t15 < _t22);
                                                                          				}
                                                                          				return _t30;
                                                                          			}










                                                                          APIs
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          • GlobalUnlock.KERNEL32(?,00000000,0047E380,?,00421CA7,00000004,?,00000000,00000000,00000000,0047E490,0047E788,0047E380,0047E788,?,00422453), ref: 0041C0DE
                                                                          • GlobalReAlloc.KERNEL32 ref: 0041C0EB
                                                                          • GlobalLock.KERNEL32 ref: 0041C10C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocLockUnlock
                                                                          • String ID: $G
                                                                          • API String ID: 3972497268-195990108
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0041C3A9(long* __ecx, intOrPtr _a4, intOrPtr _a8) {
                                                                          				long _t11;
                                                                          				void* _t15;
                                                                          				char* _t20;
                                                                          				intOrPtr _t22;
                                                                          				intOrPtr _t28;
                                                                          				long* _t30;
                                                                          
                                                                          				_t30 = __ecx;
                                                                          				_t22 = _a8;
                                                                          				_t28 = _a4;
                                                                          				_t11 =  *__ecx;
                                                                          				if(_t28 + _t22 <= _t11) {
                                                                          					while(_t28 < _t11 - _t22) {
                                                                          						_t20 = _t30[2] + _t28;
                                                                          						_t28 = _t28 + 1;
                                                                          						 *_t20 =  *((intOrPtr*)(_t20 + _t22));
                                                                          						_t11 =  *_t30;
                                                                          					}
                                                                          					 *_t30 =  *_t30 - _t22;
                                                                          					GlobalUnlock(_t30[1]);
                                                                          					_t15 = GlobalReAlloc(_t30[1],  *_t30, 0x42);
                                                                          					_t30[1] = _t15;
                                                                          					if(_t15 == 0) {
                                                                          						E0041D881(E0041CD1E(0x47e924));
                                                                          					}
                                                                          					_t30[2] = GlobalLock(_t30[1]);
                                                                          				}
                                                                          				return _t30;
                                                                          			}










                                                                          APIs
                                                                          • GlobalUnlock.KERNEL32(?,00000000,00000000,00421A09,00000000,00000001,0000005C,00000000,00000000,00000000,0000005C,00000000,00000000,0047E490,0047E788,00000000), ref: 0041C3D8
                                                                          • GlobalReAlloc.KERNEL32 ref: 0041C3E5
                                                                          • GlobalLock.KERNEL32 ref: 0041C406
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocLockUnlock
                                                                          • String ID: $G
                                                                          • API String ID: 3972497268-195990108
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0041CDAE(long* __ecx) {
                                                                          				void* _t9;
                                                                          				void* _t12;
                                                                          				intOrPtr _t20;
                                                                          				long _t21;
                                                                          				long* _t22;
                                                                          
                                                                          				_t22 = __ecx;
                                                                          				_t9 =  *((intOrPtr*)(__ecx)) - 1;
                                                                          				if(_t9 >= 0) {
                                                                          					_t1 =  &(_t22[2]); // 0x642f20
                                                                          					_t21 =  *_t1;
                                                                          					while(1) {
                                                                          						_t20 =  *((intOrPtr*)(_t21 + _t9));
                                                                          						if(_t20 != 0 && _t20 != 0x5c && _t20 != 0x20) {
                                                                          							goto L6;
                                                                          						}
                                                                          						_t9 = _t9 - 1;
                                                                          						if(_t9 >= 0) {
                                                                          							continue;
                                                                          						}
                                                                          						goto L6;
                                                                          					}
                                                                          				}
                                                                          				L6:
                                                                          				_t3 =  &(_t22[1]); // 0x2170004
                                                                          				 *_t22 = _t9 + 1;
                                                                          				GlobalUnlock( *_t3);
                                                                          				_t4 =  &(_t22[1]); // 0x2170004
                                                                          				_t12 = GlobalReAlloc( *_t4,  *_t22, 0x42);
                                                                          				_t22[1] = _t12;
                                                                          				if(_t12 == 0) {
                                                                          					E0041D881(E0041CD1E(0x47e924));
                                                                          				}
                                                                          				_t6 =  &(_t22[1]); // 0x2170004
                                                                          				_t22[2] = GlobalLock( *_t6);
                                                                          				return _t22;
                                                                          			}









                                                                          APIs
                                                                          • GlobalUnlock.KERNEL32(02170004,0047E338,0040B1E0,?,?,?), ref: 0041CDD3
                                                                          • GlobalReAlloc.KERNEL32 ref: 0041CDE0
                                                                          • GlobalLock.KERNEL32 ref: 0041CE01
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocLockUnlock
                                                                          • String ID: $G
                                                                          • API String ID: 3972497268-195990108
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0041BE35(signed int* __ecx, CHAR* _a4) {
                                                                          				long _t12;
                                                                          				void* _t13;
                                                                          				void* _t15;
                                                                          				CHAR* _t24;
                                                                          				long* _t25;
                                                                          
                                                                          				_t24 = _a4;
                                                                          				_t25 = __ecx;
                                                                          				 *__ecx =  *__ecx & 0x00000000;
                                                                          				__ecx[1] = __ecx[1] & 0x00000000;
                                                                          				__ecx[2] = __ecx[2] & 0x00000000;
                                                                          				_t12 = lstrlenA(_t24);
                                                                          				 *_t25 = _t12;
                                                                          				_t13 = GlobalAlloc(0x42, _t12);
                                                                          				_t25[1] = _t13;
                                                                          				if(_t13 == 0) {
                                                                          					E0041D881(E0041CD1E(0x47e924));
                                                                          				}
                                                                          				_t7 =  &(_t25[1]); // 0x0
                                                                          				_t25[2] = GlobalLock( *_t7);
                                                                          				_t15 = 0;
                                                                          				if( *_t25 > 0) {
                                                                          					do {
                                                                          						_t9 =  &(_t25[2]); // 0x0
                                                                          						 *((char*)( *_t9 + _t15)) =  *((intOrPtr*)(_t15 + _t24));
                                                                          						_t15 = _t15 + 1;
                                                                          					} while (_t15 <  *_t25);
                                                                          				}
                                                                          				return _t25;
                                                                          			}









                                                                          APIs
                                                                          • lstrlenA.KERNEL32(00000000,0047DFB8,0047F2B8,0041B2F4,Astrum Installer,00000000,0047DFB8,?,0041B2C8,0041CD50,00000000,0041D88F,00000010,?,0041A03B,00000000), ref: 0041BE49
                                                                          • GlobalAlloc.KERNEL32(00000042,00000000,?,0041B2C8,0041CD50,00000000,0041D88F,00000010,?,0041A03B,00000000,00000000,00000000,?,0047E924,0041D88F), ref: 0041BE54
                                                                          • GlobalLock.KERNEL32 ref: 0041BE75
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocLock$Unlocklstrlen
                                                                          • String ID: $G
                                                                          • API String ID: 2268361814-195990108
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0041BF80(long* __ecx, long* _a4) {
                                                                          				long _t12;
                                                                          				void* _t13;
                                                                          				void* _t15;
                                                                          				long* _t25;
                                                                          				long* _t26;
                                                                          
                                                                          				_t26 = __ecx;
                                                                          				GlobalUnlock( *(__ecx + 4));
                                                                          				_t25 = _a4;
                                                                          				_t12 =  *_t25;
                                                                          				 *_t26 = _t12;
                                                                          				_t13 = GlobalReAlloc(_t26[1], _t12, 0x42);
                                                                          				_t26[1] = _t13;
                                                                          				if(_t13 == 0) {
                                                                          					E0041D881(E0041CD1E(0x47e924));
                                                                          				}
                                                                          				_t26[2] = GlobalLock(_t26[1]);
                                                                          				_t15 = 0;
                                                                          				if( *_t26 > 0) {
                                                                          					do {
                                                                          						 *((char*)(_t15 + _t26[2])) =  *((intOrPtr*)(_t25[2] + _t15));
                                                                          						_t15 = _t15 + 1;
                                                                          					} while (_t15 <  *_t26);
                                                                          				}
                                                                          				return _t26;
                                                                          			}









                                                                          APIs
                                                                          • GlobalUnlock.KERNEL32(?,00000000,00000000,004079C1,00000000), ref: 0041BF87
                                                                          • GlobalReAlloc.KERNEL32 ref: 0041BF9B
                                                                          • GlobalLock.KERNEL32 ref: 0041BFBC
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocLockUnlock
                                                                          • String ID: $G
                                                                          • API String ID: 3972497268-195990108
                                                                          • Opcode ID: 59f63f12cdc820c50a35a72d2ac7230724f5bcf63de1468a8ccc27b5790c422b
                                                                          • Instruction ID: 44c6a60f1433e036eaff595bc2cd982a3a6f2c3680db31fcf9d68199b728413a
                                                                          • Opcode Fuzzy Hash: 59f63f12cdc820c50a35a72d2ac7230724f5bcf63de1468a8ccc27b5790c422b
                                                                          • Instruction Fuzzy Hash: 46F06975200A12DFC320AF25D94885ABBE5EF48710310887EE1DAC3621DB34A882CB58
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0041DBA4(struct HWND__* _a4, int _a8, CHAR** _a12) {
                                                                          				CHAR* _t6;
                                                                          				struct HWND__* _t12;
                                                                          				CHAR** _t16;
                                                                          				int _t18;
                                                                          
                                                                          				_t12 = GetDlgItem(_a4, _a8);
                                                                          				_t18 = GetWindowTextLengthA(_t12) + 1;
                                                                          				_t6 = E00424DD9(_t18);
                                                                          				_t16 = _a12;
                                                                          				 *_t16 = _t6;
                                                                          				if(_t6 == 0) {
                                                                          					E0041D881(E0041CD1E(0x47e924));
                                                                          				}
                                                                          				if(_t18 != 1) {
                                                                          					GetWindowTextA(_t12,  *_t16, _t18);
                                                                          				} else {
                                                                          					 *( *_t16) =  *( *_t16) & 0x00000000;
                                                                          				}
                                                                          				return  *_t16;
                                                                          			}








                                                                          APIs
                                                                          • GetDlgItem.USER32 ref: 0041DBAF
                                                                          • GetWindowTextLengthA.USER32(00000000), ref: 0041DBB8
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          • GetWindowTextA.USER32 ref: 0041DBF3
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$TextWindow$AllocItemLengthLockUnlock
                                                                          • String ID: $G
                                                                          • API String ID: 3259721826-195990108
                                                                          • Opcode ID: 231bd6963203158d56c21cf6dda77177e467fd13823651f79f9084ab0eeaff42
                                                                          • Instruction ID: f596d6819808e543455ba3198ff04e609fd8c282cc4ed5f74eb635775b3554cc
                                                                          • Opcode Fuzzy Hash: 231bd6963203158d56c21cf6dda77177e467fd13823651f79f9084ab0eeaff42
                                                                          • Instruction Fuzzy Hash: 29F0E9B6A09112DFC710AB61EC8899FBF9CEF49361B10003BF80287211DB399C52D769
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0041C65C(long* __ecx, intOrPtr _a4) {
                                                                          				long _t8;
                                                                          				long _t16;
                                                                          				intOrPtr _t19;
                                                                          				long* _t20;
                                                                          
                                                                          				_t20 = __ecx;
                                                                          				_t19 = _a4;
                                                                          				 *((intOrPtr*)(__ecx)) =  *((intOrPtr*)(__ecx)) + _t19;
                                                                          				GlobalUnlock( *(__ecx + 4));
                                                                          				_t8 = GlobalReAlloc(_t20[1],  *_t20, 0x42);
                                                                          				_t20[1] = _t8;
                                                                          				if(_t8 == 0) {
                                                                          					E0041D881(E0041CD1E(0x47e924));
                                                                          				}
                                                                          				_t16 = GlobalLock(_t20[1]);
                                                                          				_t20[2] = _t16;
                                                                          				return  *_t20 - _t19 + _t16;
                                                                          			}








                                                                          APIs
                                                                          • GlobalUnlock.KERNEL32(?,00000000,00000000,00422571,00422D86,?,00422691,00000000,00422D86,0047E490,00000000,0042DBB4,0047E788,0047E33C), ref: 0041C669
                                                                          • GlobalReAlloc.KERNEL32 ref: 0041C676
                                                                          • GlobalLock.KERNEL32 ref: 0041C697
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocLockUnlock
                                                                          • String ID: $G
                                                                          • API String ID: 3972497268-195990108
                                                                          • Opcode ID: 4f5ece7ec2e95d7afc40c57851927f66563dbfb55d93eb9d1c14b3bf9a5f1804
                                                                          • Instruction ID: a348731c2379111fd9940010399183ac0525806b12e232145e0d7a813987a14c
                                                                          • Opcode Fuzzy Hash: 4f5ece7ec2e95d7afc40c57851927f66563dbfb55d93eb9d1c14b3bf9a5f1804
                                                                          • Instruction Fuzzy Hash: 76F08CB27047019FC7645F69DD0AA5ABBE9EF94710310883EF19AC2620DB78A8418B18
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0041CD1E(intOrPtr* __ecx) {
                                                                          				void* _t12;
                                                                          				void* _t13;
                                                                          				intOrPtr* _t21;
                                                                          
                                                                          				_t21 = __ecx;
                                                                          				_t1 = _t21 + 4; // 0x21703e4
                                                                          				GlobalUnlock( *_t1);
                                                                          				_t2 = _t21 + 4; // 0x21703e4
                                                                          				_t12 = GlobalReAlloc( *_t2,  *_t21 + 1, 0x42);
                                                                          				 *(_t21 + 4) = _t12;
                                                                          				if(_t12 == 0) {
                                                                          					E0041D881(E0041CD1E(0x47e924));
                                                                          				}
                                                                          				_t4 = _t21 + 4; // 0x21703e4
                                                                          				_t13 = GlobalLock( *_t4);
                                                                          				_t18 =  *_t21;
                                                                          				 *(_t21 + 8) = _t13;
                                                                          				 *(_t18 + _t13) =  *( *_t21 + _t13) & 0x00000000;
                                                                          				_t8 = _t21 + 8; // 0x0
                                                                          				return  *_t8;
                                                                          			}







                                                                          APIs
                                                                          • GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                          • GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                          • GlobalLock.KERNEL32 ref: 0041CD54
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocLockUnlock
                                                                          • String ID: $G
                                                                          • API String ID: 3972497268-195990108
                                                                          • Opcode ID: 4c04066e2957ffe463fa4d1aa61e0edd956c59a5287266df2bedffe38d45fd84
                                                                          • Instruction ID: 05689e7bf601cf7ae28db6c5b8659b178a5b11d912197ed629201878707b0977
                                                                          • Opcode Fuzzy Hash: 4c04066e2957ffe463fa4d1aa61e0edd956c59a5287266df2bedffe38d45fd84
                                                                          • Instruction Fuzzy Hash: BAF03070640B01DFD7345F25ED49AA67BE9EF04700710887EF49A82661DB79AC818B54
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0041BFF8(long* __ecx, char _a4) {
                                                                          				long _t10;
                                                                          				long _t11;
                                                                          				long* _t20;
                                                                          
                                                                          				_t20 = __ecx;
                                                                          				_t1 =  &(_t20[1]); // 0x8415ff57
                                                                          				 *((intOrPtr*)(__ecx)) =  *((intOrPtr*)(__ecx)) + 1;
                                                                          				GlobalUnlock( *_t1);
                                                                          				_t2 =  &(_t20[1]); // 0x828415ff
                                                                          				_t10 = GlobalReAlloc( *_t2,  *_t20, 0x42);
                                                                          				_t20[1] = _t10;
                                                                          				if(_t10 == 0) {
                                                                          					E0041D881(E0041CD1E(0x47e924));
                                                                          				}
                                                                          				_t4 =  &(_t20[1]); // 0x828415ff
                                                                          				_t11 = GlobalLock( *_t4);
                                                                          				_t20[2] = _t11;
                                                                          				 *((char*)( *_t20 + _t11 - 1)) = _a4;
                                                                          				return _t20;
                                                                          			}







                                                                          APIs
                                                                          • GlobalUnlock.KERNEL32(8415FF57,0047E788,004221E2,00000000,00000000,00000000,0047E788,00000000), ref: 0041C000
                                                                          • GlobalReAlloc.KERNEL32 ref: 0041C00D
                                                                          • GlobalLock.KERNEL32 ref: 0041C02E
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocLockUnlock
                                                                          • String ID: $G
                                                                          • API String ID: 3972497268-195990108
                                                                          • Opcode ID: 253567e8a581ebbe8db9d371c070114a8f7ea98805c1aae6d7df8b8c6d179442
                                                                          • Instruction ID: e55ee8fbfd7d64683e51a792c0928d2730b2136d939b803eba4c43ccf220643e
                                                                          • Opcode Fuzzy Hash: 253567e8a581ebbe8db9d371c070114a8f7ea98805c1aae6d7df8b8c6d179442
                                                                          • Instruction Fuzzy Hash: 43F08CB1644B01DFC7356F64DD4959ABFE5EF18740310887EE1CA82661CB769842CB14
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 79%
                                                                          			E00401A5C() {
                                                                          
                                                                          				if( *0x47abb4 != 0) {
                                                                          					CloseHandle( *0x42e1fc);
                                                                          					CloseHandle( *0x436240);
                                                                          					DeleteFileA("C:\\ztg\\fillProxy\\spy++\\spyxxhk.dll");
                                                                          				}
                                                                          				_push(0);
                                                                          				return E00401A91();
                                                                          			}




                                                                          APIs
                                                                          • CloseHandle.KERNEL32(00000000,00405328), ref: 00401A72
                                                                          • CloseHandle.KERNEL32 ref: 00401A7A
                                                                          • DeleteFileA.KERNEL32(C:\ztg\fillProxy\spy++\spyxxhk.dll), ref: 00401A81
                                                                          Strings
                                                                          • C:\ztg\fillProxy\spy++\spyxxhk.dll, xrefs: 00401A7C
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: CloseHandle$DeleteFile
                                                                          • String ID: C:\ztg\fillProxy\spy++\spyxxhk.dll
                                                                          • API String ID: 2471952376-3488750491
                                                                          • Opcode ID: 48ea7f2289afebfbec97439729fd254d1b1a95f8514cfacec7d849ade9fc138a
                                                                          • Instruction ID: 011212603eeadad25b788f756fc2933f28d08ab607f4b69d847d9026e627dfcf
                                                                          • Opcode Fuzzy Hash: 48ea7f2289afebfbec97439729fd254d1b1a95f8514cfacec7d849ade9fc138a
                                                                          • Instruction Fuzzy Hash: A9D09E31643236EADA616756BC0979A3F11EB04365F6540B6F509120B08FB814A1DEAD
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0040D85F(char _a4) {
                                                                          				signed char _t2;
                                                                          				CHAR* _t6;
                                                                          
                                                                          				_t1 =  &_a4; // 0x422e6c
                                                                          				_t6 =  *_t1;
                                                                          				_t2 = GetFileAttributesA(_t6);
                                                                          				if(_t2 != 0xffffffff) {
                                                                          					SetFileAttributesA(_t6, _t2 & 0x000000fe);
                                                                          				}
                                                                          				return DeleteFileA(_t6);
                                                                          			}






                                                                          APIs
                                                                          • GetFileAttributesA.KERNEL32(l.B,0047E788,00422E6C,00000000), ref: 0040D865
                                                                          • SetFileAttributesA.KERNEL32(l.B,00000000), ref: 0040D874
                                                                          • DeleteFileA.KERNEL32(l.B), ref: 0040D87B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: File$Attributes$Delete
                                                                          • String ID: l.B
                                                                          • API String ID: 3735447641-760857286
                                                                          • Opcode ID: 3bc230dc05e1e53809ba87e7aa1a09fbd0f80c40bc0a3ff18a8ee73f233b3a8c
                                                                          • Instruction ID: 69245f053f2fe347b0f60851306233cda265d5ba250ce982434ca58f77919bec
                                                                          • Opcode Fuzzy Hash: 3bc230dc05e1e53809ba87e7aa1a09fbd0f80c40bc0a3ff18a8ee73f233b3a8c
                                                                          • Instruction Fuzzy Hash: B2D0C972502821AB92152764BD088DF37189E162213514655F125910A08B34594346AD
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 70%
                                                                          			E00413211() {
                                                                          				signed int _v8;
                                                                          				signed int _v12;
                                                                          				signed int _v16;
                                                                          				intOrPtr* _v20;
                                                                          				char _v32;
                                                                          				char _v44;
                                                                          				void* __edi;
                                                                          				void* __ebp;
                                                                          				signed int _t35;
                                                                          				void* _t40;
                                                                          				void* _t47;
                                                                          				void* _t50;
                                                                          				CHAR* _t58;
                                                                          				CHAR* _t59;
                                                                          				CHAR* _t60;
                                                                          				void* _t67;
                                                                          				intOrPtr* _t105;
                                                                          				void* _t107;
                                                                          				void* _t114;
                                                                          
                                                                          				_t35 =  *0x47e4b4; // 0x0
                                                                          				_v8 = _v8 & 0x00000000;
                                                                          				_v16 = _t35;
                                                                          				if(_t35 > 0) {
                                                                          					_v12 = 0x64;
                                                                          					do {
                                                                          						_t105 = E0041E860(0x47e4a8, _v8);
                                                                          						_t40 = E00412BA7( *((intOrPtr*)(_t105 + 0x24)));
                                                                          						_t109 = _t40;
                                                                          						if(_t40 != 0) {
                                                                          							E004164B1(0x47dfb8, _t109, _t105);
                                                                          							_t7 = _t105 + 0xc; // 0xc
                                                                          							_v20 = _t7;
                                                                          							E004164B1(0x47dfb8, _t109, _t7);
                                                                          							_t9 = _t105 + 0x18; // 0x18
                                                                          							E004164B1(0x47dfb8, _t109, _t9);
                                                                          							E0041BE99( &_v32, _t9);
                                                                          							_push(1);
                                                                          							_push(0);
                                                                          							_push("=");
                                                                          							_t47 = E0041C6D0( &_v32);
                                                                          							_t74 = _t47;
                                                                          							if(_t47 != 0xffffffff) {
                                                                          								_t50 = E0040DF52(E0041CD1E(_t105));
                                                                          								_t111 = _t50;
                                                                          								if(_t50 == 0) {
                                                                          									_t67 = E0041CD1E(_t105);
                                                                          									_push(0x47e794);
                                                                          									_push(_t67);
                                                                          									E00421CE6(_t111);
                                                                          									CloseHandle(CreateFileA(E0041CD1E(_t105), 0x40000000, 1, 0, 4, 0x80, 0));
                                                                          								}
                                                                          								E0041BE99( &_v44, E0041CC95( &_v32, 0, _t74));
                                                                          								E0041BF80( &_v32, E0041CC95( &_v32, _t74 + 1, _v32 - _t74 - 1));
                                                                          								_t58 = E0041CD1E(_t105);
                                                                          								_t59 = E0041CD1E( &_v32);
                                                                          								_t60 = E0041CD1E( &_v44);
                                                                          								WritePrivateProfileStringA(E0041CD1E(_v20), _t60, _t59, _t58);
                                                                          								if(_v16 > 0) {
                                                                          									asm("cdq");
                                                                          									E00414C1B(_v12 % _v16, 0x47dfb8, _t107, _v12 / _v16, 0);
                                                                          								}
                                                                          								E0041BEFB( &_v44);
                                                                          							}
                                                                          							E0041BEFB( &_v32);
                                                                          						}
                                                                          						_v8 = _v8 + 1;
                                                                          						_v12 = _v12 + 0x64;
                                                                          						_t114 = _v8 -  *0x47e4b4; // 0x0
                                                                          					} while (_t114 < 0);
                                                                          				}
                                                                          				WritePrivateProfileSectionA(0, 0, 0);
                                                                          				return 1;
                                                                          			}























                                                                          APIs
                                                                          • WritePrivateProfileSectionA.KERNEL32(00000000,00000000,00000000), ref: 0041338F
                                                                            • Part of subcall function 0041BE99: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0042C1D8,00421A71,00000000,00000000,00000000,0042C1D8,00000000,00000001,00000000,00000001,0000005C,00000000,00000000), ref: 0041BEB3
                                                                            • Part of subcall function 0041BE99: GlobalLock.KERNEL32 ref: 0041BED4
                                                                            • Part of subcall function 0041C6D0: lstrlenA.KERNEL32(0047E788,00000000,0042C1D8,00000001,00000000,0000005C,00000000,00000000,0047E490,0047E788,00000000), ref: 0041C6DE
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00413341
                                                                            • Part of subcall function 00421CE6: lstrlenA.KERNEL32(0047DFB8,?,0047DFB8,?,00411457,00000000,0047E794), ref: 00421CFC
                                                                          • CreateFileA.KERNEL32(00000000,40000000,00000001,00000000,00000004,00000080,00000000,00000000,0047E794,0042C1E4,00000000,00000001,00000018,00000018,0000000C,00000000), ref: 004132E3
                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 004132EA
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp Download File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocLockPrivateProfileWritelstrlen$CloseCreateFileHandleSectionStringUnlock
                                                                          • String ID:
                                                                          • API String ID: 101153366-0
                                                                          • Opcode ID: 8faa665165d4190c2024c48e07c2056962af170eca38d8979cd27a0261ab05fa
                                                                          • Instruction ID: 01991a5c306ca7eb0492e891f23a91763dd5baf84a9a29fd6ac1ac7f032b0f9d
                                                                          • Opcode Fuzzy Hash: 8faa665165d4190c2024c48e07c2056962af170eca38d8979cd27a0261ab05fa
                                                                          • Instruction Fuzzy Hash: A0419F70A40209ABDB14ABA2DC96BEE7779EF44709F10412EF506A61C2DF3C59858A6C
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 33%
                                                                          			E00407E96(intOrPtr _a4) {
                                                                          				void* _t45;
                                                                          				intOrPtr _t46;
                                                                          				intOrPtr _t47;
                                                                          				void* _t48;
                                                                          				intOrPtr _t49;
                                                                          				signed int _t56;
                                                                          				signed int _t61;
                                                                          				signed int _t72;
                                                                          				intOrPtr _t79;
                                                                          
                                                                          				_t79 = _a4;
                                                                          				if( *(_t79 + 8) != 1 ||  *((intOrPtr*)(_t79 + 0xc)) != 2) {
                                                                          					__eflags =  *((intOrPtr*)(_t79 + 0x38));
                                                                          					_t6 = _t79 + 0x38; // 0x38
                                                                          					_t45 = _t6;
                                                                          					if(__eflags > 0) {
                                                                          						E00407D91(__eflags, _t45);
                                                                          					}
                                                                          				} else {
                                                                          					_t4 = _t79 + 0x38; // 0x38
                                                                          					E0041BF12(_t4, 0x42e0c8);
                                                                          				}
                                                                          				_t46 =  *((intOrPtr*)(_t79 + 0x24));
                                                                          				if(_t46 != 0x3000000) {
                                                                          					__eflags = _t46 - 0x2000000;
                                                                          					if(_t46 != 0x2000000) {
                                                                          						__eflags = _t46 - 0x1000000;
                                                                          						if(_t46 != 0x1000000) {
                                                                          							goto L12;
                                                                          						}
                                                                          						_push(8);
                                                                          						goto L11;
                                                                          					}
                                                                          					_push(5);
                                                                          					goto L11;
                                                                          				} else {
                                                                          					_push(0xf);
                                                                          					L11:
                                                                          					 *((intOrPtr*)(_t79 + 0x24)) = GetSysColor();
                                                                          					L12:
                                                                          					_t47 =  *((intOrPtr*)(_t79 + 0x2c));
                                                                          					if(_t47 != 0x3000000) {
                                                                          						__eflags = _t47 - 0x2000000;
                                                                          						if(_t47 != 0x2000000) {
                                                                          							__eflags = _t47 - 0x1000000;
                                                                          							if(_t47 != 0x1000000) {
                                                                          								L19:
                                                                          								_t48 =  *(_t79 + 8);
                                                                          								if(_t48 != 1 ||  *((intOrPtr*)(_t79 + 0xc)) >= 3) {
                                                                          									if(_t48 == 5 || _t48 == 3 || _t48 == 4 || _t48 == 9 || _t48 == 7 || _t48 == 2) {
                                                                          										goto L31;
                                                                          									} else {
                                                                          										if(_t48 != 1 ||  *((intOrPtr*)(_t79 + 0xc)) != 3) {
                                                                          											 *(_t79 + 0x54) =  *(_t79 + 0x54) & 0x00000000;
                                                                          											goto L36;
                                                                          										} else {
                                                                          											_push( *((intOrPtr*)(_t79 + 0x2c)));
                                                                          											goto L34;
                                                                          										}
                                                                          									}
                                                                          								} else {
                                                                          									L31:
                                                                          									_t49 =  *((intOrPtr*)(_t79 + 0x2c));
                                                                          									__eflags = _t49 - 0x4000000;
                                                                          									if(_t49 != 0x4000000) {
                                                                          										_push(_t49);
                                                                          										L34:
                                                                          										_t48 = CreateSolidBrush();
                                                                          										L35:
                                                                          										 *(_t79 + 0x54) = _t48;
                                                                          										L36:
                                                                          										if(( *0x47e192 & 0x00000004) == 0) {
                                                                          											L39:
                                                                          											return _t48;
                                                                          										}
                                                                          										_t72 =  *0x42b91c; // 0x3e8
                                                                          										if(_t72 == 0x3e8) {
                                                                          											goto L39;
                                                                          										}
                                                                          										asm("cdq");
                                                                          										 *(_t79 + 0x14) =  *(_t79 + 0x14) * _t72 / 0x3e8;
                                                                          										asm("cdq");
                                                                          										 *(_t79 + 0x18) =  *(_t79 + 0x18) *  *0x42b91c / 0x3e8;
                                                                          										_t56 =  *0x42b91c; // 0x3e8
                                                                          										asm("cdq");
                                                                          										 *(_t79 + 0x20) = _t56 *  *(_t79 + 0x20) / 0x3e8;
                                                                          										asm("cdq");
                                                                          										_t61 =  *(_t79 + 0x1c) *  *0x42b91c / 0x3e8;
                                                                          										 *(_t79 + 0x1c) = _t61;
                                                                          										return _t61;
                                                                          									}
                                                                          									_t48 = GetStockObject(5);
                                                                          									goto L35;
                                                                          								}
                                                                          							}
                                                                          							_push(8);
                                                                          							L18:
                                                                          							 *((intOrPtr*)(_t79 + 0x2c)) = GetSysColor();
                                                                          							goto L19;
                                                                          						}
                                                                          						_push(5);
                                                                          						goto L18;
                                                                          					}
                                                                          					_push(0xf);
                                                                          					goto L18;
                                                                          				}
                                                                          			}













                                                                          APIs
                                                                          • GetSysColor.USER32(00000008), ref: 00407EF5
                                                                          • GetSysColor.USER32(00000008), ref: 00407F16
                                                                          • CreateSolidBrush.GDI32(?), ref: 00407F74
                                                                            • Part of subcall function 0041BF12: GlobalUnlock.KERNEL32(0217020C,00000104,00000000,0041929A,00000000), ref: 0041BF19
                                                                            • Part of subcall function 0041BF12: GlobalReAlloc.KERNEL32 ref: 0041BF3B
                                                                            • Part of subcall function 0041BF12: GlobalLock.KERNEL32 ref: 0041BF5C
                                                                          • GetStockObject.GDI32(00000005), ref: 00407F6B
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp Download File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$Color$AllocBrushCreateLockObjectSolidStockUnlock
                                                                          • String ID:
                                                                          • API String ID: 2645381997-0
                                                                          • Opcode ID: f72cfad292160d375b0ec810965c7e029dd39dd06a1dbcb8e3cb20bc4e58938e
                                                                          • Instruction ID: e29085e474f895eb1c711dfb40de24dfc349578096c85eb6b47243c0d32e08ce
                                                                          • Opcode Fuzzy Hash: f72cfad292160d375b0ec810965c7e029dd39dd06a1dbcb8e3cb20bc4e58938e
                                                                          • Instruction Fuzzy Hash: 6C4157709097028EDB34DB15D980B27B7E5EB54310F20487BE146E6AE0C778F88ADA5F
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                            • Part of subcall function 0041BE99: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0042C1D8,00421A71,00000000,00000000,00000000,0042C1D8,00000000,00000001,00000000,00000001,0000005C,00000000,00000000), ref: 0041BEB3
                                                                            • Part of subcall function 0041BE99: GlobalLock.KERNEL32 ref: 0041BED4
                                                                            • Part of subcall function 0041C047: lstrlenA.KERNEL32(00000000,00422D86,0047E788,004221EF,103,00000000,00000000,00000000,00000000,0047E788,00000000), ref: 0041C04F
                                                                            • Part of subcall function 0041C047: GlobalUnlock.KERNEL32(8415FF57), ref: 0041C067
                                                                            • Part of subcall function 0041C047: GlobalReAlloc.KERNEL32 ref: 0041C074
                                                                            • Part of subcall function 0041C047: GlobalLock.KERNEL32 ref: 0041C095
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                            • Part of subcall function 0041BF80: GlobalUnlock.KERNEL32(?,00000000,00000000,004079C1,00000000), ref: 0041BF87
                                                                            • Part of subcall function 0041BF80: GlobalReAlloc.KERNEL32 ref: 0041BF9B
                                                                            • Part of subcall function 0041BF80: GlobalLock.KERNEL32 ref: 0041BFBC
                                                                            • Part of subcall function 0041A207: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0041A218
                                                                            • Part of subcall function 0041A207: GetMessageA.USER32 ref: 0041A229
                                                                          • Sleep.KERNEL32(00000005), ref: 00410576
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocLock$Unlock$Message$PeekSleeplstrlen
                                                                          • String ID: .mp3$.wav$dG
                                                                          • API String ID: 292671316-967384120
                                                                          • Opcode ID: a7a3d227bc91022c10ba62d5cdb2729cd240ff3e2448ba0b5ab13c425b095347
                                                                          • Instruction ID: be7cc5903273ae59eb09633fe0a367c3c1d52df3ef82d7b9a29b8b1f483c8fbb
                                                                          • Opcode Fuzzy Hash: a7a3d227bc91022c10ba62d5cdb2729cd240ff3e2448ba0b5ab13c425b095347
                                                                          • Instruction Fuzzy Hash: 8221E531540114BAD718B766AC9AEEF3B5DDF49348B6041BFF10A62193DF6C09C4C6AD
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                            • Part of subcall function 0041BDC5: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0041C189,00000000,0047E4D0,00000000), ref: 0041BDD5
                                                                            • Part of subcall function 0041BDC5: GlobalLock.KERNEL32 ref: 0041BDDF
                                                                            • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,00000000,?,0042DB90,0047E788), ref: 0041C489
                                                                            • Part of subcall function 0041C467: lstrlenA.KERNEL32(00000000,0042D4D0,00000000,00000000,00000001,00000001), ref: 0041C63F
                                                                            • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407DB6), ref: 0041C649
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                            • Part of subcall function 0041C6D0: lstrlenA.KERNEL32(0047E788,00000000,0042C1D8,00000001,00000000,0000005C,00000000,00000000,0047E490,0047E788,00000000), ref: 0041C6DE
                                                                          • lstrlenA.KERNEL32(</LangID=1>,</LangID=1>,00000000,00000001,<LangID=1>,00000000,00000001,00000000,00000000,00000001,?,0042DB90,0047E788,0042DBB4), ref: 00407E36
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Globallstrlen$AllocLock$Unlock
                                                                          • String ID: </LangID=1>$<LangID=%d>$<LangID=1>
                                                                          • API String ID: 3553255392-1915860067
                                                                          • Opcode ID: da5e679e7afdfabe7abf8992c1ce1ece30b442ee123a6016c19d2f1471309018
                                                                          • Instruction ID: 99359c2c779010847e57dc621f665969c9d849ef75cbed5dcbc5acb9726991c0
                                                                          • Opcode Fuzzy Hash: da5e679e7afdfabe7abf8992c1ce1ece30b442ee123a6016c19d2f1471309018
                                                                          • Instruction Fuzzy Hash: 5A21C871A401187BCB24BA79DCC5EFF772D8B81754F10027EB426A61D1EB385D8586E8
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0041FAAD(intOrPtr __ecx, struct HWND__* _a4) {
                                                                          				int _v8;
                                                                          				char _v12;
                                                                          				char _v16;
                                                                          				long _v20;
                                                                          				intOrPtr _v24;
                                                                          				char _v36;
                                                                          				long _t27;
                                                                          				long _t42;
                                                                          				long _t43;
                                                                          
                                                                          				_v24 = __ecx;
                                                                          				if(_a4 != 0) {
                                                                          					_v12 = 0;
                                                                          					_v16 = 0;
                                                                          					E0042417F(__ecx, _a4,  &_v12,  &_v16);
                                                                          					 *0x47e2c0 =  *0x47e2c0 + _v12;
                                                                          					 *0x47e2c8 =  *0x47e2c8 + _v16;
                                                                          					_t27 = SendMessageA(_a4, 0x18b, 0, 0);
                                                                          					_v20 = _t27;
                                                                          					_v8 = 0;
                                                                          					if(_t27 > 0) {
                                                                          						do {
                                                                          							_t43 = E00424DD9(SendMessageA(_a4, 0x18a, _v8, 0) + 1);
                                                                          							if(_t43 != 0) {
                                                                          								SendMessageA(_a4, 0x189, _v8, _t43);
                                                                          								E0041BE35( &_v36, _t43);
                                                                          								E0041EEC5(_v24,  &_v36);
                                                                          								E00424DCE(_t43);
                                                                          								E0041BEFB( &_v36);
                                                                          							}
                                                                          							_v8 = _v8 + 1;
                                                                          							_t27 = _v8;
                                                                          						} while (_t27 < _v20);
                                                                          					}
                                                                          					_t42 = _v20;
                                                                          					if(_t42 > 0) {
                                                                          						do {
                                                                          							_t27 = SendMessageA(_a4, 0x182, 0, 0);
                                                                          							_t42 = _t42 - 1;
                                                                          						} while (_t42 != 0);
                                                                          					}
                                                                          				}
                                                                          				return _t27;
                                                                          			}













                                                                          APIs
                                                                          • SendMessageA.USER32(00000000,0000018B,00000000,00000000), ref: 0041FAFF
                                                                          • SendMessageA.USER32(?,0000018A,?,00000000), ref: 0041FB17
                                                                          • SendMessageA.USER32(?,00000189,?,00000000), ref: 0041FB33
                                                                            • Part of subcall function 0041BE35: lstrlenA.KERNEL32(00000000,0047DFB8,0047F2B8,0041B2F4,Astrum Installer,00000000,0047DFB8,?,0041B2C8,0041CD50,00000000,0041D88F,00000010,?,0041A03B,00000000), ref: 0041BE49
                                                                            • Part of subcall function 0041BE35: GlobalAlloc.KERNEL32(00000042,00000000,?,0041B2C8,0041CD50,00000000,0041D88F,00000010,?,0041A03B,00000000,00000000,00000000,?,0047E924,0041D88F), ref: 0041BE54
                                                                            • Part of subcall function 0041BE35: GlobalLock.KERNEL32 ref: 0041BE75
                                                                            • Part of subcall function 0041BEFB: GlobalUnlock.KERNEL32(?,00000000,0041C1E9,00000000,00000010,00000000,0047E4D0,00000000), ref: 0041BF01
                                                                            • Part of subcall function 0041BEFB: GlobalFree.KERNEL32 ref: 0041BF0A
                                                                          • SendMessageA.USER32(?,00000182,00000000,00000000), ref: 0041FB75
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: GlobalMessageSend$AllocFreeLockUnlocklstrlen
                                                                          • String ID:
                                                                          • API String ID: 3880121834-0
                                                                          • Opcode ID: 063305ad0612915f541c72bb84528224e4d185c83b860aebb46a364ef473b751
                                                                          • Instruction ID: 7958884c9c21427cd5c2304b146da1093f297958eaa18a76e97d27b894b4699f
                                                                          • Opcode Fuzzy Hash: 063305ad0612915f541c72bb84528224e4d185c83b860aebb46a364ef473b751
                                                                          • Instruction Fuzzy Hash: E6213971E00218BBCF11DBA6CC81CEEBBB9FF84744B10416BF505A6161DB345A96CBA4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 45%
                                                                          			E00408E91(void* __ecx) {
                                                                          				signed int _t11;
                                                                          				void* _t15;
                                                                          				signed int _t17;
                                                                          				signed char _t18;
                                                                          				intOrPtr _t21;
                                                                          				void* _t23;
                                                                          				void* _t25;
                                                                          				struct HWND__* _t26;
                                                                          
                                                                          				_t25 = __ecx;
                                                                          				_t11 =  *(__ecx + 0x90);
                                                                          				if(_t11 != 0) {
                                                                          					_t17 = 0;
                                                                          					_t23 = 0;
                                                                          					if(_t11 > 0) {
                                                                          						do {
                                                                          							_t2 = _t25 + 0x84; // 0x84
                                                                          							_t15 = E0041E860(_t2, _t23);
                                                                          							_t21 =  *((intOrPtr*)(_t15 + 8));
                                                                          							if(_t21 == 3 || _t21 == 4) {
                                                                          								_push(0);
                                                                          								_push(0);
                                                                          								_push(0xf0);
                                                                          								goto L8;
                                                                          							} else {
                                                                          								if(_t21 != 5) {
                                                                          									goto L9;
                                                                          								} else {
                                                                          									_push(0);
                                                                          									_push(0);
                                                                          									_push(0xe);
                                                                          									L8:
                                                                          									if(SendMessageA( *(_t15 + 0x50), ??, ??, ??) == 0) {
                                                                          										_t17 = 1;
                                                                          									} else {
                                                                          										goto L9;
                                                                          									}
                                                                          								}
                                                                          							}
                                                                          							goto L12;
                                                                          							L9:
                                                                          							_t23 = _t23 + 1;
                                                                          						} while (_t23 <  *((intOrPtr*)(_t25 + 0x90)));
                                                                          					}
                                                                          					L12:
                                                                          					_t11 = GetDlgItem( *(_t25 + 4), 1);
                                                                          					_t26 = _t11;
                                                                          					if(_t26 != 0) {
                                                                          						_t18 = _t17 & 0xffffff00 | _t17 == 0x00000000;
                                                                          						_t11 = IsWindowEnabled(_t26) & 0xffffff00 | _t12 != 0x00000000;
                                                                          						if(_t11 != _t18) {
                                                                          							return EnableWindow(_t26, _t18 & 0x000000ff);
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          				return _t11;
                                                                          			}












                                                                          APIs
                                                                          • SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00408EE5
                                                                          • GetDlgItem.USER32 ref: 00408EFD
                                                                          • IsWindowEnabled.USER32(00000000), ref: 00408F11
                                                                          • EnableWindow.USER32(00000000,00000000), ref: 00408F25
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Window$EnableEnabledItemMessageSend
                                                                          • String ID:
                                                                          • API String ID: 1134289176-0
                                                                          • Opcode ID: 9474baf0080859b85d04275841ab774ee9cdf0b3bb4a70bf898c30ac1865b368
                                                                          • Instruction ID: 358cbe2e815a2d8044ff4469c3e51069db2ba4092bb171402a1accf79a18d433
                                                                          • Opcode Fuzzy Hash: 9474baf0080859b85d04275841ab774ee9cdf0b3bb4a70bf898c30ac1865b368
                                                                          • Instruction Fuzzy Hash: 8901E532281212ABE2305624DD51B6B33999B41B50F15043EF982F72E1CE799C42939C
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0040FCA0(void* __eflags, long _a4) {
                                                                          				void _v8;
                                                                          				long _v12;
                                                                          				long _v16;
                                                                          				signed int _t12;
                                                                          				signed int _t13;
                                                                          				void* _t22;
                                                                          				void* _t24;
                                                                          
                                                                          				_t12 = CreateFileA(E0041CD1E(0x47e6c8), 0x80000000, 1, 0, 3, 0x80, 0);
                                                                          				_t24 = _t12;
                                                                          				_t13 = _t12 | 0xffffffff;
                                                                          				if(_t24 != _t13) {
                                                                          					_v12 = 0;
                                                                          					SetFilePointer(_t24, _a4,  &_v12, 0);
                                                                          					_v8 = 0;
                                                                          					ReadFile(_t24,  &_v8, 2,  &_v16, 0);
                                                                          					CloseHandle(_t24);
                                                                          					if(_v8 != 0xd8ff) {
                                                                          						return 0 | _v8 == 0x00004d42;
                                                                          					}
                                                                          					_t22 = 2;
                                                                          					return _t22;
                                                                          				}
                                                                          				return _t13;
                                                                          			}

                                                                          APIs
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,0047E2F0,00000088,00000001,?,00000000), ref: 0040FCC5
                                                                          • SetFilePointer.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 0040FCE0
                                                                          • ReadFile.KERNEL32(00000000,00000000,00000002,?,00000000,?,00000000), ref: 0040FCF5
                                                                          • CloseHandle.KERNEL32(00000000,?,00000000), ref: 0040FCFC
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: FileGlobal$AllocCloseCreateHandleLockPointerReadUnlock
                                                                          • String ID:
                                                                          • API String ID: 776348577-0
                                                                          • Opcode ID: 4c6470a940fc35570197cea61f5949696e028a5a4c15a106a705bfcf217e3645
                                                                          • Instruction ID: ebe5246031743c64951fdeae7fa7b21e7573840a08ab047e73c86a926ca140f7
                                                                          • Opcode Fuzzy Hash: 4c6470a940fc35570197cea61f5949696e028a5a4c15a106a705bfcf217e3645
                                                                          • Instruction Fuzzy Hash: 8501D432A02118B6DB30ABA59C09FDF7F3CEF45760F10817AF202E20D0DA744645C6B4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 89%
                                                                          			E0041E362(void* __ebx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                          				short _v40;
                                                                          				signed short _v42;
                                                                          				short _v44;
                                                                          				signed short _v46;
                                                                          				signed short _v48;
                                                                          				intOrPtr _v52;
                                                                          				struct HDC__* _v56;
                                                                          				void* _v60;
                                                                          				void* _v64;
                                                                          				intOrPtr _v68;
                                                                          				struct tagPD _v72;
                                                                          				int _t25;
                                                                          				void* _t28;
                                                                          				struct tagPD _t36;
                                                                          
                                                                          				_t36 = 0x42;
                                                                          				E00424500( &_v72, 0, _t36);
                                                                          				_v48 = _v48 | 0x0000ffff;
                                                                          				_v46 = _v46 | 0x0000ffff;
                                                                          				_v42 = _v42 | 0x0000ffff;
                                                                          				_v68 = _a4;
                                                                          				_v72 = _t36;
                                                                          				_v52 = 0x4010c;
                                                                          				_v40 = 1;
                                                                          				_v44 = 1;
                                                                          				_t25 = PrintDlgA( &_v72);
                                                                          				_t41 = _t25 - 1;
                                                                          				if(_t25 != 1) {
                                                                          					__eflags = 0;
                                                                          					return 0;
                                                                          				}
                                                                          				_t28 = E0041E01C(_t41, _a8,  &_v72, _a12);
                                                                          				GlobalFree(_v64);
                                                                          				GlobalFree(_v60);
                                                                          				DeleteDC(_v56);
                                                                          				return _t28;
                                                                          			}

                                                                          APIs
                                                                          • PrintDlgA.COMDLG32(?), ref: 0041E3AD
                                                                            • Part of subcall function 0041E01C: GetDeviceCaps.GDI32(?,0000006E), ref: 0041E036
                                                                            • Part of subcall function 0041E01C: GetDeviceCaps.GDI32(?,0000006F), ref: 0041E040
                                                                            • Part of subcall function 0041E01C: GetDeviceCaps.GDI32(?,00000058), ref: 0041E04A
                                                                            • Part of subcall function 0041E01C: GetDeviceCaps.GDI32(?,0000005A), ref: 0041E054
                                                                            • Part of subcall function 0041E01C: MulDiv.KERNEL32(?,000005A0,?), ref: 0041E065
                                                                            • Part of subcall function 0041E01C: MulDiv.KERNEL32(?,000005A0,?), ref: 0041E080
                                                                            • Part of subcall function 0041E01C: SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 0041E0E9
                                                                            • Part of subcall function 0041E01C: SendMessageA.USER32(?,00000439,00000000,00000000), ref: 0041E0FE
                                                                            • Part of subcall function 0041E01C: SaveDC.GDI32(?), ref: 0041E107
                                                                            • Part of subcall function 0041E01C: SetMapMode.GDI32(?,00000001), ref: 0041E112
                                                                            • Part of subcall function 0041E01C: GetDeviceCaps.GDI32(000000FF,00000070), ref: 0041E11D
                                                                            • Part of subcall function 0041E01C: GetDeviceCaps.GDI32(000000FF,00000071), ref: 0041E129
                                                                            • Part of subcall function 0041E01C: MulDiv.KERNEL32(000005A0,?,000005A0), ref: 0041E134
                                                                            • Part of subcall function 0041E01C: MulDiv.KERNEL32(000005A0,?,000005A0), ref: 0041E142
                                                                          • GlobalFree.KERNEL32 ref: 0041E3D5
                                                                          • GlobalFree.KERNEL32 ref: 0041E3DA
                                                                          • DeleteDC.GDI32(?), ref: 0041E3DF
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: CapsDevice$FreeGlobalMessageSend$DeleteModePrintSave
                                                                          • String ID:
                                                                          • API String ID: 1547233470-0
                                                                          • Opcode ID: 5fd8a1cfb9227a1948322716fcc1d0b75f37bac64a781435e9473d1cdbb8d31f
                                                                          • Instruction ID: 61697338e6a914efdc9261fedabd1759ebfe30573a18d0f42110f68606127c4c
                                                                          • Opcode Fuzzy Hash: 5fd8a1cfb9227a1948322716fcc1d0b75f37bac64a781435e9473d1cdbb8d31f
                                                                          • Instruction Fuzzy Hash: 0F016D71D0121CABCF209F95EC458CE7FB8EF05314F200026F904A6220E7369A95CBAC
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0041A207() {
                                                                          				struct tagMSG _v32;
                                                                          				signed int _t9;
                                                                          				void* _t14;
                                                                          
                                                                          				if(PeekMessageA( &_v32, 0, 0, 0, 0) == 0) {
                                                                          					return 0;
                                                                          				}
                                                                          				_t9 = GetMessageA( &_v32, 0, 0, 0);
                                                                          				if(_t9 != 0) {
                                                                          					TranslateMessage( &_v32);
                                                                          					DispatchMessageA( &_v32);
                                                                          					_t14 = 1;
                                                                          					return _t14;
                                                                          				}
                                                                          				return _t9 | 0xffffffff;
                                                                          			}

                                                                          APIs
                                                                          • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0041A218
                                                                          • GetMessageA.USER32 ref: 0041A229
                                                                          • TranslateMessage.USER32(?), ref: 0041A23C
                                                                          • DispatchMessageA.USER32 ref: 0041A246
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Message$DispatchPeekTranslate
                                                                          • String ID:
                                                                          • API String ID: 4217535847-0
                                                                          • Opcode ID: 2f4b92e821464b19c680a6563fbc4accd91a2cde11b5bcfa6784e995e24c3316
                                                                          • Instruction ID: 32f3f6478f1484d68ab8fc6182b3522fb0f6e550144391087ed403b437ff1102
                                                                          • Opcode Fuzzy Hash: 2f4b92e821464b19c680a6563fbc4accd91a2cde11b5bcfa6784e995e24c3316
                                                                          • Instruction Fuzzy Hash: 8FF08272E03229A6CB30ABF19C4CDDF3F6CEF457A0B404566B516D1150EA38E142C6B9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 70%
                                                                          			E004211DC(intOrPtr __ecx) {
                                                                          				char _v16;
                                                                          				intOrPtr _v20;
                                                                          				struct _devicemodeA _v176;
                                                                          				intOrPtr _t36;
                                                                          				intOrPtr _t42;
                                                                          				intOrPtr _t52;
                                                                          				intOrPtr _t65;
                                                                          				intOrPtr _t68;
                                                                          				intOrPtr _t69;
                                                                          				intOrPtr _t70;
                                                                          				void* _t80;
                                                                          				void* _t81;
                                                                          				void* _t86;
                                                                          				void* _t87;
                                                                          				void* _t88;
                                                                          				void* _t89;
                                                                          
                                                                          				_v176.dmPanningWidth = __ecx;
                                                                          				E0041BE99( &_v16, 0x47ea74);
                                                                          				E0041BFF8( &_v16, 9);
                                                                          				E00424500( &_v176, 0, 0x94);
                                                                          				EnumDisplaySettingsA(0, 0,  &_v176);
                                                                          				_t36 = 1;
                                                                          				_v176.dmPanningHeight = 0;
                                                                          				_push( &_v176);
                                                                          				_v20 = _t36;
                                                                          				_t70 = 0;
                                                                          				_push(_t36);
                                                                          				while(EnumDisplaySettingsA(0, ??, ??) != 0) {
                                                                          					_t52 = _v176.dmPelsWidth;
                                                                          					_t69 = _v176.dmPelsHeight;
                                                                          					_t80 = _t52 -  *0x47e2b8; // 0x0
                                                                          					if(_t80 > 0) {
                                                                          						L4:
                                                                          						 *0x47e2b8 = _t52;
                                                                          						 *0x47e2bc = _t69;
                                                                          						L5:
                                                                          						_t68 = _v176.dmBitsPerPel;
                                                                          						if(_t52 > _v176.dmPanningHeight || _t69 > _t70) {
                                                                          							 *0x47e2b4 = _t68;
                                                                          							_v176.dmPanningHeight = _t52;
                                                                          							_t70 = _t69;
                                                                          						} else {
                                                                          							if(_t52 == _v176.dmPanningHeight || _t69 == _t70) {
                                                                          								_t86 = _t68 -  *0x47e2b4; // 0x0
                                                                          								if(_t86 > 0) {
                                                                          									 *0x47e2b4 = _t68;
                                                                          								}
                                                                          							}
                                                                          						}
                                                                          						_t87 = _t52 -  *0x47e148; // 0x0
                                                                          						if(_t87 >= 0) {
                                                                          							_t88 = _t69 -  *0x47e14c; // 0x0
                                                                          							if(_t88 >= 0) {
                                                                          								_t89 = _t68 -  *0x47e150; // 0x8
                                                                          								if(_t89 >= 0) {
                                                                          									 *0x47e29a = 1;
                                                                          								}
                                                                          							}
                                                                          						}
                                                                          						_v20 = _v20 + 1;
                                                                          						_push( &_v176);
                                                                          						_push(_v20);
                                                                          						continue;
                                                                          					}
                                                                          					_t81 = _t69 -  *0x47e2bc; // 0x0
                                                                          					if(_t81 <= 0) {
                                                                          						goto L5;
                                                                          					}
                                                                          					goto L4;
                                                                          				}
                                                                          				_push( *0x47e2b4);
                                                                          				_push( *0x47e2bc);
                                                                          				_push( *0x47e2b8);
                                                                          				E0041C467( &_v16, "%dx%d %d ");
                                                                          				E0041C0C5( &_v16, __eflags, 0x47ead4);
                                                                          				E0041BFF8( &_v16, 9);
                                                                          				_t42 =  *0x47e148; // 0x0
                                                                          				__eflags = _t42;
                                                                          				if(_t42 == 0) {
                                                                          					L21:
                                                                          					E0041C047( &_v16, "-\t", 0);
                                                                          					L22:
                                                                          					_push(0x47e8f4);
                                                                          					L23:
                                                                          					E0041C0C5( &_v16, __eflags);
                                                                          					E0041EEC5(_v176.dmPanningWidth,  &_v16);
                                                                          					return E0041BEFB( &_v16);
                                                                          				}
                                                                          				_t65 =  *0x47e14c; // 0x0
                                                                          				__eflags = _t65;
                                                                          				if(_t65 == 0) {
                                                                          					goto L21;
                                                                          				}
                                                                          				_push( *0x47e150);
                                                                          				_push(_t65);
                                                                          				_push(_t42);
                                                                          				E0041C467( &_v16, "%dx%d %d ");
                                                                          				E0041C0C5( &_v16, __eflags, 0x47ead4);
                                                                          				E0041BFF8( &_v16, 9);
                                                                          				__eflags =  *0x47e29a; // 0x0
                                                                          				if(__eflags != 0) {
                                                                          					goto L22;
                                                                          				} else {
                                                                          					 *0x47e2c0 =  *0x47e2c0 + 1;
                                                                          					_push(0x47e8dc);
                                                                          					goto L23;
                                                                          				}
                                                                          			}




















                                                                          APIs
                                                                            • Part of subcall function 0041BE99: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0042C1D8,00421A71,00000000,00000000,00000000,0042C1D8,00000000,00000001,00000000,00000001,0000005C,00000000,00000000), ref: 0041BEB3
                                                                            • Part of subcall function 0041BE99: GlobalLock.KERNEL32 ref: 0041BED4
                                                                            • Part of subcall function 0041BFF8: GlobalUnlock.KERNEL32(8415FF57,0047E788,004221E2,00000000,00000000,00000000,0047E788,00000000), ref: 0041C000
                                                                            • Part of subcall function 0041BFF8: GlobalReAlloc.KERNEL32 ref: 0041C00D
                                                                            • Part of subcall function 0041BFF8: GlobalLock.KERNEL32 ref: 0041C02E
                                                                          • EnumDisplaySettingsA.USER32 ref: 00421228
                                                                          • EnumDisplaySettingsA.USER32 ref: 0042123E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocDisplayEnumLockSettings$Unlock
                                                                          • String ID: %dx%d %d
                                                                          • API String ID: 1409221493-986776345
                                                                          • Opcode ID: 964c2b7373515b439b1f4a16c64c3018edec216adc54284224c7fddf17fe6006
                                                                          • Instruction ID: 52cc721ffd10832fdac61662a86abf9676243ad7a0bad42bc1d52495f049a86f
                                                                          • Opcode Fuzzy Hash: 964c2b7373515b439b1f4a16c64c3018edec216adc54284224c7fddf17fe6006
                                                                          • Instruction Fuzzy Hash: E2417271E00118EEDB14DF92EC81DAE7778EB19300FA042EBF519A2161E7345A84CBAD
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 92%
                                                                          			E00426DE7(void* __ebx, void* __edi) {
                                                                          				char _v17;
                                                                          				signed char _v18;
                                                                          				struct _cpinfo _v24;
                                                                          				char _v280;
                                                                          				char _v536;
                                                                          				char _v792;
                                                                          				char _v1304;
                                                                          				void* _t43;
                                                                          				char _t44;
                                                                          				signed char _t45;
                                                                          				void* _t55;
                                                                          				signed int _t56;
                                                                          				signed char _t64;
                                                                          				intOrPtr* _t66;
                                                                          				signed int _t68;
                                                                          				signed int _t70;
                                                                          				signed int _t71;
                                                                          				signed char _t76;
                                                                          				signed char _t77;
                                                                          				signed char* _t78;
                                                                          				void* _t81;
                                                                          				void* _t87;
                                                                          				void* _t88;
                                                                          
                                                                          				if(GetCPInfo( *0x47f4d8,  &_v24) == 1) {
                                                                          					_t44 = 0;
                                                                          					do {
                                                                          						 *((char*)(_t87 + _t44 - 0x114)) = _t44;
                                                                          						_t44 = _t44 + 1;
                                                                          					} while (_t44 < 0x100);
                                                                          					_t45 = _v18;
                                                                          					_v280 = 0x20;
                                                                          					if(_t45 == 0) {
                                                                          						L9:
                                                                          						E004272C5(1,  &_v280, 0x100,  &_v1304,  *0x47f4d8,  *0x47f704, 0);
                                                                          						E004275DE( *0x47f704, 0x100,  &_v280, 0x100,  &_v536, 0x100,  *0x47f4d8, 0);
                                                                          						E004275DE( *0x47f704, 0x200,  &_v280, 0x100,  &_v792, 0x100,  *0x47f4d8, 0);
                                                                          						_t55 = 0;
                                                                          						_t66 =  &_v1304;
                                                                          						do {
                                                                          							_t76 =  *_t66;
                                                                          							if((_t76 & 0x00000001) == 0) {
                                                                          								if((_t76 & 0x00000002) == 0) {
                                                                          									 *(_t55 + 0x47f500) =  *(_t55 + 0x47f500) & 0x00000000;
                                                                          									goto L16;
                                                                          								}
                                                                          								 *(_t55 + 0x47f601) =  *(_t55 + 0x47f601) | 0x00000020;
                                                                          								_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x314));
                                                                          								L12:
                                                                          								 *(_t55 + 0x47f500) = _t77;
                                                                          								goto L16;
                                                                          							}
                                                                          							 *(_t55 + 0x47f601) =  *(_t55 + 0x47f601) | 0x00000010;
                                                                          							_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x214));
                                                                          							goto L12;
                                                                          							L16:
                                                                          							_t55 = _t55 + 1;
                                                                          							_t66 = _t66 + 2;
                                                                          						} while (_t55 < 0x100);
                                                                          						return _t55;
                                                                          					}
                                                                          					_t78 =  &_v17;
                                                                          					do {
                                                                          						_t68 =  *_t78 & 0x000000ff;
                                                                          						_t56 = _t45 & 0x000000ff;
                                                                          						if(_t56 <= _t68) {
                                                                          							_t81 = _t87 + _t56 - 0x114;
                                                                          							_t70 = _t68 - _t56 + 1;
                                                                          							_t71 = _t70 >> 2;
                                                                          							memset(_t81 + _t71, memset(_t81, 0x20202020, _t71 << 2), (_t70 & 0x00000003) << 0);
                                                                          							_t88 = _t88 + 0x18;
                                                                          						}
                                                                          						_t78 =  &(_t78[2]);
                                                                          						_t45 =  *((intOrPtr*)(_t78 - 1));
                                                                          					} while (_t45 != 0);
                                                                          					goto L9;
                                                                          				}
                                                                          				_t43 = 0;
                                                                          				do {
                                                                          					if(_t43 < 0x41 || _t43 > 0x5a) {
                                                                          						if(_t43 < 0x61 || _t43 > 0x7a) {
                                                                          							 *(_t43 + 0x47f500) =  *(_t43 + 0x47f500) & 0x00000000;
                                                                          						} else {
                                                                          							 *(_t43 + 0x47f601) =  *(_t43 + 0x47f601) | 0x00000020;
                                                                          							_t64 = _t43 - 0x20;
                                                                          							goto L22;
                                                                          						}
                                                                          					} else {
                                                                          						 *(_t43 + 0x47f601) =  *(_t43 + 0x47f601) | 0x00000010;
                                                                          						_t64 = _t43 + 0x20;
                                                                          						L22:
                                                                          						 *(_t43 + 0x47f500) = _t64;
                                                                          					}
                                                                          					_t43 = _t43 + 1;
                                                                          				} while (_t43 < 0x100);
                                                                          				return _t43;
                                                                          			}

                                                                          APIs
                                                                          • GetCPInfo.KERNEL32(?,00000000), ref: 00426DFB
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Info
                                                                          • String ID: $
                                                                          • API String ID: 1807457897-3032137957
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 91%
                                                                          			E0041B2CC(void* __ecx, struct HWND__* _a4, CHAR* _a8, CHAR* _a12, signed int _a16) {
                                                                          				CHAR* _t13;
                                                                          				signed int _t15;
                                                                          				void* _t16;
                                                                          				struct HWND__* _t25;
                                                                          				intOrPtr _t26;
                                                                          				intOrPtr _t27;
                                                                          				void* _t33;
                                                                          
                                                                          				_t33 = __ecx;
                                                                          				if(( *0x47f2d4 & 0x00000001) == 0) {
                                                                          					 *0x47f2d4 =  *0x47f2d4 | 0x00000001;
                                                                          					E0041BE35(0x47f2b8, "Astrum Installer");
                                                                          					E004251DD( *0x47f2d4, E0041B3AF);
                                                                          				}
                                                                          				_t13 = _a12;
                                                                          				if(_t13 == 0) {
                                                                          					_t13 = E0041CD1E(0x47e700);
                                                                          				}
                                                                          				if( *_t13 == 0) {
                                                                          					_t13 = E0041CD1E(0x47e850);
                                                                          					if( *_t13 == 0) {
                                                                          						_t13 = E0041CD1E(0x47f2b8);
                                                                          					}
                                                                          				}
                                                                          				if( *0x47f27c != 0) {
                                                                          					_t15 = _a16 & 0x0000000f;
                                                                          					__eflags = _t15;
                                                                          					if(_t15 == 0) {
                                                                          						L19:
                                                                          						_push(1);
                                                                          						L24:
                                                                          						_pop(_t16);
                                                                          						return _t16;
                                                                          					}
                                                                          					__eflags = _t15 - 4;
                                                                          					if(_t15 == 4) {
                                                                          						L23:
                                                                          						_push(6);
                                                                          						goto L24;
                                                                          					}
                                                                          					__eflags = _t15 - 3;
                                                                          					if(_t15 == 3) {
                                                                          						goto L23;
                                                                          					}
                                                                          					__eflags = _t15 - 1;
                                                                          					if(_t15 != 1) {
                                                                          						__eflags = _t15 - 5;
                                                                          						if(_t15 != 5) {
                                                                          							__eflags = _t15 - 2;
                                                                          							return (0 | _t15 != 0x00000002) + 5;
                                                                          						}
                                                                          						_push(2);
                                                                          						goto L24;
                                                                          					}
                                                                          					goto L19;
                                                                          				} else {
                                                                          					_t25 = _a4;
                                                                          					if(_t25 != 0) {
                                                                          						L14:
                                                                          						return MessageBoxA(_t25, _a8, _t13, _a16);
                                                                          					}
                                                                          					_t5 = _t33 + 0x158; // 0x0
                                                                          					_t26 =  *_t5;
                                                                          					if(_t26 == 0) {
                                                                          						L11:
                                                                          						_t27 =  *0x47df60;
                                                                          						if(_t27 == 0) {
                                                                          							L13:
                                                                          							_t25 =  *0x47e178; // 0x0
                                                                          							goto L14;
                                                                          						}
                                                                          						_t25 =  *(_t27 + 4);
                                                                          						if(_t25 != 0) {
                                                                          							goto L14;
                                                                          						}
                                                                          						goto L13;
                                                                          					}
                                                                          					_t25 =  *(_t26 + 4);
                                                                          					if(_t25 != 0) {
                                                                          						goto L14;
                                                                          					}
                                                                          					goto L11;
                                                                          				}
                                                                          			}

                                                                          APIs
                                                                          • MessageBoxA.USER32 ref: 0041B36B
                                                                            • Part of subcall function 0041BE35: lstrlenA.KERNEL32(00000000,0047DFB8,0047F2B8,0041B2F4,Astrum Installer,00000000,0047DFB8,?,0041B2C8,0041CD50,00000000,0041D88F,00000010,?,0041A03B,00000000), ref: 0041BE49
                                                                            • Part of subcall function 0041BE35: GlobalAlloc.KERNEL32(00000042,00000000,?,0041B2C8,0041CD50,00000000,0041D88F,00000010,?,0041A03B,00000000,00000000,00000000,?,0047E924,0041D88F), ref: 0041BE54
                                                                            • Part of subcall function 0041BE35: GlobalLock.KERNEL32 ref: 0041BE75
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocLockMessagelstrlen
                                                                          • String ID: Astrum Installer$PG
                                                                          • API String ID: 1540376194-1967893462
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 74%
                                                                          			E0041F355(void* __ecx) {
                                                                          				char _v16;
                                                                          				struct _MEMORYSTATUS _v48;
                                                                          				intOrPtr _t17;
                                                                          				signed char _t26;
                                                                          				void* _t33;
                                                                          
                                                                          				_t33 = __ecx;
                                                                          				E0041BE35( &_v16, "RAM:\t");
                                                                          				_v48.dwLength = 0x20;
                                                                          				GlobalMemoryStatus( &_v48);
                                                                          				_t26 = _v48.dwTotalPhys >> 0x14;
                                                                          				if((_t26 & 0x00000001) != 0) {
                                                                          					_t26 = _t26 + 1;
                                                                          				}
                                                                          				_push(_t26);
                                                                          				 *0x47e6f0 = _t26;
                                                                          				E0041C467( &_v16, "%d MB\t");
                                                                          				_t17 =  *0x47e13c; // 0x0
                                                                          				_t40 = _t17;
                                                                          				if(_t17 != 0) {
                                                                          					_push(_t17);
                                                                          					E0041C467( &_v16, "%d MB\t");
                                                                          					__eflags = _t26 -  *0x47e13c; // 0x0
                                                                          					if(__eflags < 0) {
                                                                          						 *0x47e2c0 =  *0x47e2c0 + 1;
                                                                          						__eflags =  *0x47e2c0;
                                                                          						_push(0x47e8dc);
                                                                          					} else {
                                                                          						goto L5;
                                                                          					}
                                                                          				} else {
                                                                          					E0041C047( &_v16, "-\t", _t17);
                                                                          					L5:
                                                                          					_push(0x47e8f4);
                                                                          				}
                                                                          				E0041C0C5( &_v16, _t40);
                                                                          				E0041EEC5(_t33,  &_v16);
                                                                          				 *0x47e2c4 = _t26;
                                                                          				return E0041BEFB( &_v16);
                                                                          			}









                                                                          APIs
                                                                            • Part of subcall function 0041BE35: lstrlenA.KERNEL32(00000000,0047DFB8,0047F2B8,0041B2F4,Astrum Installer,00000000,0047DFB8,?,0041B2C8,0041CD50,00000000,0041D88F,00000010,?,0041A03B,00000000), ref: 0041BE49
                                                                            • Part of subcall function 0041BE35: GlobalAlloc.KERNEL32(00000042,00000000,?,0041B2C8,0041CD50,00000000,0041D88F,00000010,?,0041A03B,00000000,00000000,00000000,?,0047E924,0041D88F), ref: 0041BE54
                                                                            • Part of subcall function 0041BE35: GlobalLock.KERNEL32 ref: 0041BE75
                                                                          • GlobalMemoryStatus.KERNEL32 ref: 0041F378
                                                                            • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,00000000,?,0042DB90,0047E788), ref: 0041C489
                                                                            • Part of subcall function 0041C467: lstrlenA.KERNEL32(00000000,0042D4D0,00000000,00000000,00000001,00000001), ref: 0041C63F
                                                                            • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407DB6), ref: 0041C649
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: lstrlen$Global$AllocLockMemoryStatus
                                                                          • String ID: %d MB$RAM:
                                                                          • API String ID: 590694599-1553691747
                                                                          • Opcode ID: f17e7ea3f21c4c1cbe4b5afdf2ee1b002352a239595c7e885cb399aa9e76efb0
                                                                          • Instruction ID: 956f4e3496c1c7b6b8146966e90f7d17b5a24efe081624b63e5b1255e4f6415b
                                                                          • Opcode Fuzzy Hash: f17e7ea3f21c4c1cbe4b5afdf2ee1b002352a239595c7e885cb399aa9e76efb0
                                                                          • Instruction Fuzzy Hash: 1B115875D002186AC700EBA7DC85DDE776CEB08714F5041BBE815A3252D7789589CA6D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0041BE99(long* __ecx, long* _a4) {
                                                                          				long _t13;
                                                                          				void* _t14;
                                                                          				void* _t16;
                                                                          				long* _t26;
                                                                          				intOrPtr* _t27;
                                                                          
                                                                          				_t26 = _a4;
                                                                          				_t27 = __ecx;
                                                                          				 *__ecx =  *__ecx & 0x00000000;
                                                                          				__ecx[1] = __ecx[1] & 0x00000000;
                                                                          				__ecx[2] = __ecx[2] & 0x00000000;
                                                                          				_t13 =  *_t26;
                                                                          				 *__ecx = _t13;
                                                                          				_t14 = GlobalAlloc(0x42, _t13);
                                                                          				 *(_t27 + 4) = _t14;
                                                                          				if(_t14 == 0) {
                                                                          					E0041D881(E0041CD1E(0x47e924));
                                                                          				}
                                                                          				 *((intOrPtr*)(_t27 + 8)) = GlobalLock( *(_t27 + 4));
                                                                          				_t16 = 0;
                                                                          				if( *_t27 > 0) {
                                                                          					do {
                                                                          						_t9 =  &(_t26[2]); // 0x0
                                                                          						 *((char*)( *((intOrPtr*)(_t27 + 8)) + _t16)) =  *((intOrPtr*)( *_t9 + _t16));
                                                                          						_t16 = _t16 + 1;
                                                                          					} while (_t16 <  *_t27);
                                                                          				}
                                                                          				return _t27;
                                                                          			}









                                                                          APIs
                                                                          • GlobalAlloc.KERNEL32(00000042,00000000,00000000,0042C1D8,00421A71,00000000,00000000,00000000,0042C1D8,00000000,00000001,00000000,00000001,0000005C,00000000,00000000), ref: 0041BEB3
                                                                          • GlobalLock.KERNEL32 ref: 0041BED4
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocLock$Unlock
                                                                          • String ID: $G
                                                                          • API String ID: 3539109396-195990108
                                                                          • Opcode ID: 77142d1ac7a35253a5c46d6b5c4036aaa2082d3adee7a4c4dc71fa2d51af2a6f
                                                                          • Instruction ID: 9714d13ebd5381219ea0003f19ce2b82f8f169450bb3b6d00ebaf17d5743210f
                                                                          • Opcode Fuzzy Hash: 77142d1ac7a35253a5c46d6b5c4036aaa2082d3adee7a4c4dc71fa2d51af2a6f
                                                                          • Instruction Fuzzy Hash: 85018C71604B129FD3209F26C8487A6BBE4EF54322F20CC2EE5D6C7611D778A881CB98
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0041BDEC(long* __ecx, intOrPtr _a4) {
                                                                          				long _t9;
                                                                          				void* _t10;
                                                                          				void* _t11;
                                                                          				long* _t19;
                                                                          
                                                                          				_t9 = 1;
                                                                          				_t19 = __ecx;
                                                                          				__ecx[1] = __ecx[1] & 0x00000000;
                                                                          				__ecx[2] = __ecx[2] & 0x00000000;
                                                                          				 *__ecx = _t9;
                                                                          				_t10 = GlobalAlloc(0x42, _t9);
                                                                          				 *(_t19 + 4) = _t10;
                                                                          				if(_t10 == 0) {
                                                                          					E0041D881(E0041CD1E(0x47e924));
                                                                          				}
                                                                          				_t11 = GlobalLock( *(_t19 + 4));
                                                                          				 *(_t19 + 8) = _t11;
                                                                          				 *_t11 = _a4;
                                                                          				return _t19;
                                                                          			}








                                                                          APIs
                                                                          • GlobalAlloc.KERNEL32(00000042,00000001,00000000,0041B00D,?,7FFFFFFF,7FFFFFFF,7FFFFFFF,0000000D,00000000,00000000,00000000,<\0>,0042C38C,00000000,00000000), ref: 0041BDFF
                                                                          • GlobalLock.KERNEL32 ref: 0041BE20
                                                                            • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(021703E4,0047E6C8,0041BF52), ref: 0041CD24
                                                                            • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                                                                            • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.513144464.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.513137160.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513163963.0000000000428000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513171922.000000000042B000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513179252.000000000042C000.00000008.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513185916.000000000042D000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513195793.000000000045A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513203750.0000000000462000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513210873.000000000046A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513219487.000000000047E000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.513226952.0000000000480000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocLock$Unlock
                                                                          • String ID: $G
                                                                          • API String ID: 3539109396-195990108
                                                                          • Opcode ID: 0e0301fbd6dc2532e90e789fb0e47dd771507ade9c2427d8e102f8080f848ce2
                                                                          • Instruction ID: d82badc86695a26f39644d466923ba77f379b8d0b1b1a0a45fb16c5613b72c60
                                                                          • Opcode Fuzzy Hash: 0e0301fbd6dc2532e90e789fb0e47dd771507ade9c2427d8e102f8080f848ce2
                                                                          • Instruction Fuzzy Hash: A9F0A0B1A047119FD3605B21D8097A77AD4EB20751F10C86EE199C7251DB789880CB54
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Executed Functions

                                                                          Control-flow Graph

                                                                          control_flow_graph 926 93bc3-93c50 call bf670 * 2 GetFileAttributesW 931 93c52-93c6d GetLastError 926->931 932 93c84-93c87 926->932 931->932 933 93c6f-93c70 931->933 934 93c8d-93c90 932->934 935 93fd3 932->935 936 93c75-93c7f call 937d3 933->936 938 93cc9-93cd0 934->938 939 93c92-93ca5 SetFileAttributesW 934->939 937 93fd8-93fe1 935->937 943 93fea-93ff1 936->943 937->943 944 93fe3-93fe4 FindClose 937->944 940 93cdf-93ce7 938->940 941 93cd2-93cd9 938->941 939->938 945 93ca7-93cc7 GetLastError 939->945 947 93ce9-93cfd GetTempPathW 940->947 948 93d24-93d3f call 92d79 940->948 941->940 946 93f57 941->946 950 93ffe-94010 call bde36 943->950 951 93ff3-93ff9 call d54ef 943->951 944->943 945->936 952 93f5d-93f6b RemoveDirectoryW 946->952 947->948 953 93cff-93d1f GetLastError 947->953 948->943 962 93d45-93d61 FindFirstFileW 948->962 951->950 952->937 958 93f6d-93f83 GetLastError 952->958 953->936 960 93f9f-93fa1 958->960 961 93f85-93f87 958->961 960->937 964 93fa3-93fa9 960->964 963 93f89-93f9b MoveFileExW 961->963 961->964 965 93d88-93d92 962->965 966 93d63-93d7e GetLastError 962->966 963->964 967 93f9d 963->967 968 93ef9-93f03 call 937d3 964->968 969 93db9-93ddf call 92d79 965->969 970 93d94-93d9d 965->970 966->965 967->960 968->937 969->937 980 93de5-93df2 969->980 973 93ebc-93ecc FindNextFileW 970->973 974 93da3-93daa 970->974 976 93f4c-93f51 GetLastError 973->976 977 93ece-93ed4 973->977 974->969 979 93dac-93db3 974->979 981 93fae-93fce GetLastError 976->981 982 93f53-93f55 976->982 977->965 979->969 979->973 983 93e21-93e28 980->983 984 93df4-93df6 980->984 981->968 982->952 986 93e2e-93e30 983->986 987 93eb6 983->987 984->983 985 93df8-93e08 call 92b2e 984->985 985->937 994 93e0e-93e17 call 93bc3 985->994 989 93e4b-93e59 DeleteFileW 986->989 990 93e32-93e45 SetFileAttributesW 986->990 987->973 989->987 993 93e5b-93e5d 989->993 990->989 992 93ed9-93ef4 GetLastError 990->992 992->968 995 
93f2a-93f4a GetLastError 993->995 996 93e63-93e80 GetTempFileNameW 993->996 1002 93e1c 994->1002 995->968 997 93f08-93f28 GetLastError 996->997 998 93e86-93ea3 MoveFileExW 996->998 997->968 1000 93eae 998->1000 1001 93ea5-93eac 998->1001 1003 93eb4 MoveFileExW 1000->1003 1001->1003 1002->987 1003->987
                                                                          C-Code - Quality: 75%
                                                                          			E00093BC3(void* __edx, WCHAR* _a4, unsigned int _a8) {
                                                                          				signed int _v8;
                                                                          				short _v528;
                                                                          				short _v1048;
                                                                          				short _v1078;
                                                                          				intOrPtr _v1592;
                                                                          				intOrPtr _v1594;
                                                                          				struct _WIN32_FIND_DATAW _v1640;
                                                                          				signed int _v1644;
                                                                          				signed int _v1648;
                                                                          				WCHAR* _v1652;
                                                                          				signed int _v1656;
                                                                          				signed int _v1660;
                                                                          				signed int _v1664;
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				void* __ebp;
                                                                          				signed int _t66;
                                                                          				signed char _t80;
                                                                          				void* _t81;
                                                                          				short _t87;
                                                                          				void* _t89;
                                                                          				short _t93;
                                                                          				signed char _t94;
                                                                          				int _t95;
                                                                          				signed short _t97;
                                                                          				int _t100;
                                                                          				int _t101;
                                                                          				signed short _t102;
                                                                          				signed short _t106;
                                                                          				int _t108;
                                                                          				signed short _t112;
                                                                          				short _t114;
                                                                          				signed short _t116;
                                                                          				signed short _t121;
                                                                          				signed short _t123;
                                                                          				long _t124;
                                                                          				WCHAR* _t125;
                                                                          				signed char _t126;
                                                                          				void* _t130;
                                                                          				void* _t132;
                                                                          				signed int _t160;
                                                                          
                                                                          				_t130 = __edx;
                                                                          				_t66 =  *0xfa008; // 0x90c8e23b
                                                                          				_v8 = _t66 ^ _t160;
                                                                          				_v1648 = _v1648 | 0xffffffff;
                                                                          				_v1660 = _a8 & 0x00000001;
                                                                          				_t125 = _a4;
                                                                          				_v1656 = _a8 >> 0x00000001 & 0x00000001;
                                                                          				_v1652 = _t125;
                                                                          				_t133 = 0;
                                                                          				_v1664 = _a8 >> 0x00000002 & 0x00000001;
                                                                          				_v1644 = _v1644 & 0;
                                                                          				E000BF670(0x208,  &_v1048, 0, 0x208);
                                                                          				E000BF670(0x208,  &_v528, 0, 0x208);
                                                                          				_t80 = GetFileAttributesW(_t125); // executed
                                                                          				_t132 = GetLastError;
                                                                          				_t126 = _t80;
                                                                          				if(_t126 != 0xffffffff) {
                                                                          					L4:
                                                                          					if((_t126 & 0x00000010) == 0) {
                                                                          						_t133 = 0x8000ffff;
                                                                          						L54:
                                                                          						_t81 = _v1648;
                                                                          						if(_t81 != 0xffffffff) {
                                                                          							FindClose(_t81);
                                                                          						}
                                                                          						L56:
                                                                          						if(_v1644 != 0) {
                                                                          							E000D54EF(_v1644);
                                                                          						}
                                                                          						return E000BDE36(_t126, _v8 ^ _t160, _t130, _t132, _t133);
                                                                          					}
                                                                          					if((_t126 & 0x00000001) == 0 || SetFileAttributesW(_v1652, 0x80) != 0) {
                                                                          						if(_v1660 != 0 || _v1656 != 0) {
                                                                          							_t126 = _v1664;
                                                                          							if(_t126 == 0 || GetTempPathW(0x104,  &_v1048) != 0) {
                                                                          								_t87 = E00092D79(_t127, _v1652, L"*.*",  &_v1644);
                                                                          								_t133 = _t87;
                                                                          								if(_t87 < 0) {
                                                                          									goto L56;
                                                                          								}
                                                                          								_t89 = FindFirstFileW(_v1644,  &_v1640); // executed
                                                                          								_v1648 = _t89;
                                                                          								if(_t89 != 0xffffffff) {
                                                                          									while(1) {
                                                                          										_t130 = 0x2e;
                                                                          										if(_t130 != _v1640.cFileName) {
                                                                          											goto L20;
                                                                          										}
                                                                          										_t127 = 0;
                                                                          										if(0 == _v1594 || _t130 == _v1594 && 0 == _v1592) {
                                                                          											L36:
                                                                          											_t127 =  &_v1640;
                                                                          											_t95 = FindNextFileW(_t89,  &_v1640); // executed
                                                                          											if(_t95 == 0) {
                                                                          												if(GetLastError() != 0x12) {
                                                                          													_t97 = GetLastError();
                                                                          													_t136 =  <=  ? _t97 : _t97 & 0x0000ffff | 0x80070000;
                                                                          													_t98 = 0x80004005;
                                                                          													_t133 =  >=  ? 0x80004005 :  <=  ? _t97 : _t97 & 0x0000ffff | 0x80070000;
                                                                          													_push( >=  ? 0x80004005 :  <=  ? _t97 : _t97 & 0x0000ffff | 0x80070000);
                                                                          													_push(0x132);
                                                                          													goto L39;
                                                                          												}
                                                                          												_t133 = 0;
                                                                          												goto L45;
                                                                          											}
                                                                          											_t89 = _v1648;
                                                                          											continue;
                                                                          										}
                                                                          										L20:
                                                                          										_v1078 = 0;
                                                                          										_t93 = E00092D79(_t127, _v1652,  &(_v1640.cFileName),  &_v1644);
                                                                          										_t133 = _t93;
                                                                          										if(_t93 < 0) {
                                                                          											goto L54;
                                                                          										}
                                                                          										_t94 = _v1640.dwFileAttributes;
                                                                          										if(_v1656 == 0 || (_t94 & 0x00000010) == 0) {
                                                                          											if(_v1660 == 0) {
                                                                          												goto L35;
                                                                          											}
                                                                          											if((_t94 & 0x00000007) == 0 || SetFileAttributesW(_v1644, 0x80) != 0) {
                                                                          												_t101 = DeleteFileW(_v1644); // executed
                                                                          												if(_t101 != 0) {
                                                                          													goto L35;
                                                                          												}
                                                                          												if(_t126 == 0) {
                                                                          													_t102 = GetLastError();
                                                                          													_t141 =  <=  ? _t102 : _t102 & 0x0000ffff | 0x80070000;
                                                                          													_t98 = 0x80004005;
                                                                          													_t133 =  >=  ? 0x80004005 :  <=  ? _t102 : _t102 & 0x0000ffff | 0x80070000;
                                                                          													_push( >=  ? 0x80004005 :  <=  ? _t102 : _t102 & 0x0000ffff | 0x80070000);
                                                                          													_push(0x125);
                                                                          													goto L39;
                                                                          												}
                                                                          												if(GetTempFileNameW( &_v1048, L"DEL", 0,  &_v528) == 0) {
                                                                          													_t106 = GetLastError();
                                                                          													_t144 =  <=  ? _t106 : _t106 & 0x0000ffff | 0x80070000;
                                                                          													_t98 = 0x80004005;
                                                                          													_t133 =  >=  ? 0x80004005 :  <=  ? _t106 : _t106 & 0x0000ffff | 0x80070000;
                                                                          													_push( >=  ? 0x80004005 :  <=  ? _t106 : _t106 & 0x0000ffff | 0x80070000);
                                                                          													_push(0x115);
                                                                          													goto L39;
                                                                          												}
                                                                          												_t108 = MoveFileExW(_v1644,  &_v528, 1);
                                                                          												_push(4);
                                                                          												_push(0);
                                                                          												if(_t108 == 0) {
                                                                          													_push(_v1644);
                                                                          												} else {
                                                                          													_push( &_v528);
                                                                          												}
                                                                          												MoveFileExW();
                                                                          												goto L35;
                                                                          											} else {
                                                                          												_t112 = GetLastError();
                                                                          												_t148 =  <=  ? _t112 : _t112 & 0x0000ffff | 0x80070000;
                                                                          												_t98 = 0x80004005;
                                                                          												_t133 =  >=  ? 0x80004005 :  <=  ? _t112 : _t112 & 0x0000ffff | 0x80070000;
                                                                          												_push( >=  ? 0x80004005 :  <=  ? _t112 : _t112 & 0x0000ffff | 0x80070000);
                                                                          												_push(0x10b);
                                                                          												goto L39;
                                                                          											}
                                                                          										} else {
                                                                          											_t114 = E00092B2E(_t127, _t132,  &_v1644);
                                                                          											_t133 = _t114;
                                                                          											if(_t114 < 0) {
                                                                          												goto L54;
                                                                          											}
                                                                          											E00093BC3(_t130, _v1644, _a8); // executed
                                                                          											L35:
                                                                          											_t89 = _v1648;
                                                                          											goto L36;
                                                                          										}
                                                                          									}
                                                                          								}
                                                                          								_t116 = GetLastError();
                                                                          								_t151 =  <=  ? _t116 : _t116 & 0x0000ffff | 0x80070000;
                                                                          								_t117 = 0x80004005;
                                                                          								_t133 =  >=  ? 0x80004005 :  <=  ? _t116 : _t116 & 0x0000ffff | 0x80070000;
                                                                          								_push( >=  ? 0x80004005 :  <=  ? _t116 : _t116 & 0x0000ffff | 0x80070000);
                                                                          								_push(0xe7);
                                                                          							} else {
                                                                          								_t121 = GetLastError();
                                                                          								_t154 =  <=  ? _t121 : _t121 & 0x0000ffff | 0x80070000;
                                                                          								_t117 = 0x80004005;
                                                                          								_t133 =  >=  ? 0x80004005 :  <=  ? _t121 : _t121 & 0x0000ffff | 0x80070000;
                                                                          								_push( >=  ? 0x80004005 :  <=  ? _t121 : _t121 & 0x0000ffff | 0x80070000);
                                                                          								_push(0xdc);
                                                                          							}
                                                                          							goto L3;
                                                                          						} else {
                                                                          							_t126 = _v1664;
                                                                          							L45:
                                                                          							_t100 = RemoveDirectoryW(_v1652); // executed
                                                                          							if(_t100 != 0) {
                                                                          								goto L54;
                                                                          							}
                                                                          							_t133 =  <=  ? GetLastError() : _t98 & 0x0000ffff | 0x80070000;
                                                                          							if(_t133 != 0x80070020) {
                                                                          								L50:
                                                                          								if(_t133 >= 0) {
                                                                          									goto L54;
                                                                          								}
                                                                          								L51:
                                                                          								_push(_t133);
                                                                          								_push(0x141);
                                                                          								L39:
                                                                          								_push("dirutil.cpp");
                                                                          								E000937D3(_t98);
                                                                          								goto L54;
                                                                          							}
                                                                          							if(_t126 == 0 || MoveFileExW(_v1652, 0, 4) == 0) {
                                                                          								goto L51;
                                                                          							} else {
                                                                          								_t133 = 0;
                                                                          								goto L50;
                                                                          							}
                                                                          						}
                                                                          					} else {
                                                                          						_t123 = GetLastError();
                                                                          						_t157 =  <=  ? _t123 : _t123 & 0x0000ffff | 0x80070000;
                                                                          						_t117 = 0x80004005;
                                                                          						_t133 =  >=  ? 0x80004005 :  <=  ? _t123 : _t123 & 0x0000ffff | 0x80070000;
                                                                          						_push( >=  ? 0x80004005 :  <=  ? _t123 : _t123 & 0x0000ffff | 0x80070000);
                                                                          						_push(0xd1);
                                                                          						L3:
                                                                          						_push("dirutil.cpp");
                                                                          						E000937D3(_t117);
                                                                          						goto L56;
                                                                          					}
                                                                          				}
                                                                          				_t124 = GetLastError();
                                                                          				_t127 = 3;
                                                                          				_t117 =  ==  ? _t127 : _t124;
                                                                          				_t133 =  <=  ?  ==  ? _t127 : _t124 : ( ==  ? _t127 : _t124) & 0x0000ffff | 0x80070000;
                                                                          				if(_t133 >= 0) {
                                                                          					goto L4;
                                                                          				}
                                                                          				_push(_t133);
                                                                          				_push(0xc8);
                                                                          				goto L3;
                                                                          			}
                                                                          0x00093d1a
                                                                          0x00000000
                                                                          0x00093f57
                                                                          0x00093f57
                                                                          0x00093f5d
                                                                          0x00093f63
                                                                          0x00093f6b
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00093f7a
                                                                          0x00093f83
                                                                          0x00093f9f
                                                                          0x00093fa1
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00093fa3
                                                                          0x00093fa3
                                                                          0x00093fa4
                                                                          0x00093ef9
                                                                          0x00093ef9
                                                                          0x00093efe
                                                                          0x00000000
                                                                          0x00093efe
                                                                          0x00093f87
                                                                          0x00000000
                                                                          0x00093f9d
                                                                          0x00093f9d
                                                                          0x00000000
                                                                          0x00093f9d
                                                                          0x00093f87
                                                                          0x00093ca7
                                                                          0x00093ca7
                                                                          0x00093cb4
                                                                          0x00093cb7
                                                                          0x00093cbe
                                                                          0x00093cc1
                                                                          0x00093cc2
                                                                          0x00093c75
                                                                          0x00093c75
                                                                          0x00093c7a
                                                                          0x00000000
                                                                          0x00093c7a
                                                                          0x00093c90
                                                                          0x00093c52
                                                                          0x00093c59
                                                                          0x00093c5a
                                                                          0x00093c68
                                                                          0x00093c6d
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00093c6f
                                                                          0x00093c70
                                                                          0x00000000

                                                                          APIs
                                                                          • GetFileAttributesW.KERNELBASE(?,?,?,?,00000001,00000000,?), ref: 00093C3F
                                                                          • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00093C52
                                                                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,00000001,00000000,?), ref: 00093C9D
                                                                          • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00093CA7
                                                                          • GetTempPathW.KERNEL32(00000104,?,?,?,?,00000001,00000000,?), ref: 00093CF5
                                                                          • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00093CFF
                                                                          • FindFirstFileW.KERNELBASE(?,?,?,*.*,?,?,?,?,00000001,00000000,?), ref: 00093D52
                                                                          • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00093D63
                                                                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,00000001,00000000,?), ref: 00093E3D
                                                                          • DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,00000001,00000000,?), ref: 00093E51
                                                                          • GetTempFileNameW.KERNEL32(?,DEL,00000000,?,?,?,?,00000001,00000000,?), ref: 00093E78
                                                                          • MoveFileExW.KERNEL32(?,?,00000001,?,?,?,00000001,00000000,?), ref: 00093E9B
                                                                          • MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000001,00000000,?), ref: 00093EB4
                                                                          • FindNextFileW.KERNELBASE(000000FF,?,?,?,?,?,?,?,00000001,00000000,?), ref: 00093EC4
                                                                          • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00093ED9
                                                                          • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00093F08
                                                                          • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00093F2A
                                                                          • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00093F4C
                                                                          • RemoveDirectoryW.KERNELBASE(?,?,?,?,00000001,00000000,?), ref: 00093F63
                                                                          • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00093F6D
                                                                          • MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000001,00000000,?), ref: 00093F93
                                                                          • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00093FAE
                                                                          • FindClose.KERNEL32(000000FF,?,?,?,00000001,00000000,?), ref: 00093FE4
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLast$AttributesFindMove$Temp$CloseDeleteDirectoryFirstNameNextPathRemove
                                                                          • String ID: *.*$DEL$dirutil.cpp
                                                                          • API String ID: 1544372074-1252831301
                                                                          • Opcode ID: c206e9db7c814b5847e808130b9d99542ab5f0c0db8de0f11b9e6d9af49f5255
                                                                          • Instruction ID: 8689e820988c9322a6107a671bcb4a86fef128cb1b577c386d27e4ccf3b56d66
                                                                          • Opcode Fuzzy Hash: c206e9db7c814b5847e808130b9d99542ab5f0c0db8de0f11b9e6d9af49f5255
                                                                          • Instruction Fuzzy Hash: B3B1B971E01635EAEF705A758C44BEAB6F5AF44750F0102A5ED09F7190DB368E80DFA0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00091070(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16) {
                                                                          				signed int _v8;
                                                                          				char* _v12;
                                                                          				char* _v16;
                                                                          				char* _v20;
                                                                          				char* _v24;
                                                                          				char* _v28;
                                                                          				char* _v32;
                                                                          				char* _v36;
                                                                          				char* _v40;
                                                                          				char* _v44;
                                                                          				WCHAR* _v48;
                                                                          				char _v52;
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				void* __ebp;
                                                                          				signed int _t24;
                                                                          				void* _t29;
                                                                          				void* _t33;
                                                                          				void* _t35;
                                                                          				void* _t40;
                                                                          				intOrPtr _t41;
                                                                          				void* _t42;
                                                                          				void* _t45;
                                                                          				intOrPtr _t46;
                                                                          				void* _t47;
                                                                          				signed int _t48;
                                                                          				void* _t49;
                                                                          				signed int _t50;
                                                                          
                                                                          				_t45 = __edx;
                                                                          				_t42 = __ecx;
                                                                          				_t24 =  *0xfa008; // 0x90c8e23b
                                                                          				_v8 = _t24 ^ _t50;
                                                                          				_t41 = _a4;
                                                                          				_t46 = _a12;
                                                                          				_t49 = _t48 | 0xffffffff;
                                                                          				_v52 = 0;
                                                                          				_v48 = 0;
                                                                          				_v44 = L"cabinet.dll";
                                                                          				_v40 = L"msi.dll";
                                                                          				_v36 = L"version.dll";
                                                                          				_v32 = L"wininet.dll";
                                                                          				_v28 = L"comres.dll";
                                                                          				_v24 = L"clbcatq.dll";
                                                                          				_v20 = L"msasn1.dll";
                                                                          				_v16 = L"crypt32.dll";
                                                                          				_v12 = L"feclient.dll";
                                                                          				if(E000933D7( &_v48, 0) >= 0) {
                                                                          					_t40 = CreateFileW(_v48, 0x80000000, 5, 0, 3, 0x80, 0); // executed
                                                                          					_t49 = _t40;
                                                                          				}
                                                                          				_t29 = E0009501B(_t46); // executed
                                                                          				_t52 = _t29;
                                                                          				if(_t29 == 0) {
                                                                          					E00091174(_t42,  &_v44, 9);
                                                                          				} else {
                                                                          					E000911FB();
                                                                          				}
                                                                          				_t33 = E0009508D(_t42, _t45, _t52, _t41, _t49, _t46, _a16,  &_v52); // executed
                                                                          				_t47 = _t33;
                                                                          				if(_t49 != 0xffffffff) {
                                                                          					FindCloseChangeNotification(_t49); // executed
                                                                          				}
                                                                          				if(_v48 != 0) {
                                                                          					E000D54EF(_v48);
                                                                          				}
                                                                          				_t35 =  <  ? _t47 : _v52;
                                                                          				return E000BDE36(_t41, _v8 ^ _t50, _t45, _t47, _t49);
                                                                          			}

































                                                                          APIs
                                                                            • Part of subcall function 000933D7: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,000910DD,?,00000000), ref: 000933F8
                                                                          • CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,00000080,00000000,?,00000000), ref: 000910F6
                                                                            • Part of subcall function 00091174: HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,0009111A,cabinet.dll,00000009,?,?,00000000), ref: 00091185
                                                                            • Part of subcall function 00091174: GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,0009111A,cabinet.dll,00000009,?,?,00000000), ref: 00091190
                                                                            • Part of subcall function 00091174: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0009119E
                                                                            • Part of subcall function 00091174: GetLastError.KERNEL32(?,?,?,?,0009111A,cabinet.dll,00000009,?,?,00000000), ref: 000911B9
                                                                            • Part of subcall function 00091174: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 000911C1
                                                                            • Part of subcall function 00091174: GetLastError.KERNEL32(?,?,?,?,0009111A,cabinet.dll,00000009,?,?,00000000), ref: 000911D6
                                                                          • FindCloseChangeNotification.KERNELBASE(?,?,?,?,000DB4C0,?,cabinet.dll,00000009,?,?,00000000), ref: 00091131
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: AddressErrorFileLastModuleProc$ChangeCloseCreateFindHandleHeapInformationNameNotification
                                                                          • String ID: cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msasn1.dll$msi.dll$version.dll$wininet.dll
                                                                          • API String ID: 2670336470-3151496603
                                                                          • Opcode ID: 90f6cf3a3e3e72f59b7882c91da3efa01c2c7416d3807d2f9f5dc63159e76d5b
                                                                          • Instruction ID: 193cceff52784844ffbb02f3609d0c3a7873a07fbfbae0cefbbb13e92aac39e4
                                                                          • Opcode Fuzzy Hash: 90f6cf3a3e3e72f59b7882c91da3efa01c2c7416d3807d2f9f5dc63159e76d5b
                                                                          • Instruction Fuzzy Hash: 38216071A00309EBDB10DFA5DC45BEEBBB8EF45714F11411AEA20B7292D7749904DBB0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 55%
                                                                          			E000CFDC2(void* __edi, intOrPtr _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                          				signed int _v8;
                                                                          				struct _SYSTEMTIME _v24;
                                                                          				signed int _v28;
                                                                          				signed int _v32;
                                                                          				long _v36;
                                                                          				long _v40;
                                                                          				void* __ebx;
                                                                          				void* __esi;
                                                                          				void* __ebp;
                                                                          				signed int _t34;
                                                                          				void* _t39;
                                                                          				intOrPtr* _t42;
                                                                          				void* _t43;
                                                                          				signed int _t48;
                                                                          				signed int _t49;
                                                                          				intOrPtr _t50;
                                                                          				intOrPtr _t51;
                                                                          				intOrPtr _t58;
                                                                          				void* _t60;
                                                                          				intOrPtr _t61;
                                                                          				void* _t68;
                                                                          				signed int _t73;
                                                                          				char* _t75;
                                                                          				signed int _t76;
                                                                          				void* _t79;
                                                                          
                                                                          				_t70 = __edi;
                                                                          				_t34 =  *0xfa008; // 0x90c8e23b
                                                                          				_v8 = _t34 ^ _t76;
                                                                          				_t61 = _a12;
                                                                          				_t74 = 0;
                                                                          				_v28 = _v28 & 0;
                                                                          				_v32 = _v32 & 0;
                                                                          				_t79 =  *0xfb634 - _t74; // 0x0
                                                                          				if(_t79 != 0) {
                                                                          					L19:
                                                                          					return E000BDE36(_t61, _v8 ^ _t76, _t68, _t70, _t74);
                                                                          				}
                                                                          				EnterCriticalSection(0xfb60c);
                                                                          				if(_a16 == 0) {
                                                                          					L10:
                                                                          					_t39 = E00092436(_t68,  &_v32, _t61, 0, 0xfde9); // executed
                                                                          					_t74 = _t39;
                                                                          					if(_t39 >= 0) {
                                                                          						_t42 =  *0xfb63c; // 0x0
                                                                          						if(_t42 == 0) {
                                                                          							_t43 = E000D0658(_t62, _t68, _v32);
                                                                          						} else {
                                                                          							_t43 =  *_t42(_v32,  *0xfb640);
                                                                          						}
                                                                          						_t74 = _t43;
                                                                          					}
                                                                          					L15:
                                                                          					LeaveCriticalSection(0xfb60c);
                                                                          					if(_v28 != 0) {
                                                                          						E000D54EF(_v28);
                                                                          					}
                                                                          					if(_v32 != 0) {
                                                                          						E000D54EF(_v32);
                                                                          					}
                                                                          					goto L19;
                                                                          				}
                                                                          				_push(__edi);
                                                                          				_v40 = GetCurrentProcessId();
                                                                          				_v36 = GetCurrentThreadId();
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				GetLocalTime( &_v24);
                                                                          				_t48 = _a8;
                                                                          				_t49 = _t48 & 0xf0000000;
                                                                          				_t73 = _t48 & 0x0fffffff;
                                                                          				if(_t49 == 0xe0000000 || _a4 == 5) {
                                                                          					_t75 = "e";
                                                                          				} else {
                                                                          					if(_t49 == 0xa0000000 || _a4 == 1) {
                                                                          						_t75 = "w";
                                                                          					} else {
                                                                          						_t75 = "i";
                                                                          					}
                                                                          				}
                                                                          				_t50 =  *0xfb628; // 0x0
                                                                          				_t66 =  !=  ? _t50 : L"\r\n";
                                                                          				_t51 =  *0xfb62c; // 0x0
                                                                          				_push( !=  ? _t50 : L"\r\n");
                                                                          				_push(_t61);
                                                                          				_t62 =  !=  ? _t51 : 0xdb524;
                                                                          				_push( !=  ? _t51 : 0xdb524);
                                                                          				_push(_t73);
                                                                          				_push(_t75);
                                                                          				_push(_v24.wSecond & 0x0000ffff);
                                                                          				_push(_v24.wMinute & 0x0000ffff);
                                                                          				_push(_v24.wHour & 0x0000ffff);
                                                                          				_push(_v24.wDay & 0x0000ffff);
                                                                          				_push(_v24.wMonth & 0x0000ffff);
                                                                          				_push(_v24.wYear & 0x0000ffff);
                                                                          				_push(_v36);
                                                                          				_t58 =  *0xfb624; // 0x0
                                                                          				_push(_v40);
                                                                          				_t68 =  !=  ? _t58 : 0xdb524;
                                                                          				_t60 = E00091F20( &_v28, L"%ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls", 0xdb524);
                                                                          				_t74 = _t60;
                                                                          				_pop(_t70);
                                                                          				if(_t60 < 0) {
                                                                          					goto L15;
                                                                          				}
                                                                          				goto L10;
                                                                          			}

                                                                          APIs
                                                                          • EnterCriticalSection.KERNEL32(000FB60C,00000000,?,?,?,?,000B1014,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 000CFDF0
                                                                          • GetCurrentProcessId.KERNEL32(00000000,?,000B1014,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 000CFE00
                                                                          • GetCurrentThreadId.KERNEL32 ref: 000CFE09
                                                                          • GetLocalTime.KERNEL32(8007139F,?,000B1014,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 000CFE1F
                                                                          • LeaveCriticalSection.KERNEL32(000FB60C,?,00000000,00000000,0000FDE9), ref: 000CFF12
                                                                          Strings
                                                                          • %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls, xrefs: 000CFEB9
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalCurrentSection$EnterLeaveLocalProcessThreadTime
                                                                          • String ID: %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls
                                                                          • API String ID: 296830338-59366893
                                                                          • Opcode ID: c89ae1e42d72b224d06b701562305189c49848c226314114b11f4b1e59bcd751
                                                                          • Instruction ID: 99c52db0c9ecc192be1fed818097c94dd4c1682bb0ff8346a209016ca55acd0d
                                                                          • Opcode Fuzzy Hash: c89ae1e42d72b224d06b701562305189c49848c226314114b11f4b1e59bcd751
                                                                          • Instruction Fuzzy Hash: C9415F72901219EBDF209BA4DC45BBEB7F5EF08711F50403AFA01E6661D7388D41DBA2
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 21%
                                                                          			E000A9EB7(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                          				void* _v8;
                                                                          				void* _t12;
                                                                          				void* _t13;
                                                                          				void* _t27;
                                                                          
                                                                          				_v8 = 0;
                                                                          				_t12 = E000A80AE(__edx, _a4,  &_v8); // executed
                                                                          				if(_t12 >= 0) {
                                                                          					_t13 = E00094013(_v8, 0); // executed
                                                                          					_t27 = _t13;
                                                                          					if(_t27 >= 0) {
                                                                          						__imp__DecryptFileW(_v8, 0); // executed
                                                                          						if(_a8 != 0) {
                                                                          							_t27 = E000921A5(_a8, _v8, 0);
                                                                          							if(_t27 < 0) {
                                                                          								_push("Failed to copy working folder.");
                                                                          								goto L7;
                                                                          							}
                                                                          						}
                                                                          					} else {
                                                                          						_push("Failed create working folder.");
                                                                          						goto L7;
                                                                          					}
                                                                          				} else {
                                                                          					_push("Failed to calculate working folder to ensure it exists.");
                                                                          					L7:
                                                                          					_push(_t27);
                                                                          					E000D012F();
                                                                          				}
                                                                          				if(_v8 != 0) {
                                                                          					E000D54EF(_v8);
                                                                          				}
                                                                          				return _t27;
                                                                          			}

                                                                          Strings
                                                                          • Failed to calculate working folder to ensure it exists., xrefs: 000A9ED4
                                                                          • =S, xrefs: 000A9EB7
                                                                          • Failed create working folder., xrefs: 000A9EEA
                                                                          • Failed to copy working folder., xrefs: 000A9F12
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentDirectoryErrorLastProcessWindows
                                                                          • String ID: =S$Failed create working folder.$Failed to calculate working folder to ensure it exists.$Failed to copy working folder.
                                                                          • API String ID: 3841436932-23846267
                                                                          • Opcode ID: 49abd25b18bb909c89b6a900f1d19b0eac60ced659a7f3a48453f8603ff4d1de
                                                                          • Instruction ID: d9abe93e09ebdb425b03d6a52bfbc5515b93c9b8b857071c75a225098f288e76
                                                                          • Opcode Fuzzy Hash: 49abd25b18bb909c89b6a900f1d19b0eac60ced659a7f3a48453f8603ff4d1de
                                                                          • Instruction Fuzzy Hash: 16018831E05668FF9F229B95DC06CAF7A74DF92760B204266F904B6212DB328E10A6D0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E000C4812(int _a4) {
                                                                          				void* _t14;
                                                                          				void* _t15;
                                                                          				void* _t17;
                                                                          				void* _t18;
                                                                          				void* _t19;
                                                                          
                                                                          				if(E000C8A73(_t14, _t15, _t17, _t18, _t19) != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
                                                                          					TerminateProcess(GetCurrentProcess(), _a4);
                                                                          				}
                                                                          				E000C4897(_t15, _a4);
                                                                          				ExitProcess(_a4);
                                                                          			}

                                                                          APIs
                                                                          • GetCurrentProcess.KERNEL32(00000000,?,000C47E8,00000000,000F7CF8,0000000C,000C493F,00000000,00000002,00000000), ref: 000C4833
                                                                          • TerminateProcess.KERNEL32(00000000,?,000C47E8,00000000,000F7CF8,0000000C,000C493F,00000000,00000002,00000000), ref: 000C483A
                                                                          • ExitProcess.KERNEL32 ref: 000C484C
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: Process$CurrentExitTerminate
                                                                          • String ID:
                                                                          • API String ID: 1703294689-0
                                                                          • Opcode ID: 5b086f88208b0b2cc13323e6551ea1d7c40bfbe4e118db77d4d7d75727fd82f7
                                                                          • Instruction ID: 571a6dd747ae3f32d732e43b34e5820ef2abfb4c72686baaa382dab47360b9fb
                                                                          • Opcode Fuzzy Hash: 5b086f88208b0b2cc13323e6551ea1d7c40bfbe4e118db77d4d7d75727fd82f7
                                                                          • Instruction Fuzzy Hash: 1DE01232401288EBDF016F11E829EAE3B69BF00341B060029F8048B122CB39E882CA94
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 58%
                                                                          			E000938D4(long _a4, signed int _a8) {
                                                                          				void* _t7;
                                                                          
                                                                          				asm("sbb eax, eax");
                                                                          				_t7 = RtlAllocateHeap(GetProcessHeap(),  ~_a8 & 0x00000008, _a4); // executed
                                                                          				return _t7;
                                                                          			}

                                                                          APIs
                                                                          • GetProcessHeap.KERNEL32(?,000001C7,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938E5
                                                                          • RtlAllocateHeap.NTDLL(00000000,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938EC
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$AllocateProcess
                                                                          • String ID:
                                                                          • API String ID: 1357844191-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E000BE773() {
                                                                          				_Unknown_base(*)()* _t1;
                                                                          
                                                                          				_t1 = SetUnhandledExceptionFilter(E000BE77F); // executed
                                                                          				return _t1;
                                                                          			}





                                                                          APIs
                                                                          • SetUnhandledExceptionFilter.KERNELBASE(Function_0002E77F,000BDEF8), ref: 000BE778
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterUnhandled
                                                                          • String ID:
                                                                          • API String ID: 3192549508-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 71%
                                                                          			E0009DE25(void* __ebx, void* __edi, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                          				signed int _v8;
                                                                          				signed int _v12;
                                                                          				signed int _v16;
                                                                          				signed int _v20;
                                                                          				signed int _v24;
                                                                          				signed int _v28;
                                                                          				signed int _v32;
                                                                          				signed int _v36;
                                                                          				short** _v40;
                                                                          				intOrPtr* _t208;
                                                                          				intOrPtr* _t213;
                                                                          				intOrPtr _t223;
                                                                          				signed int _t224;
                                                                          				int _t235;
                                                                          				int _t262;
                                                                          				signed int _t268;
                                                                          				intOrPtr _t271;
                                                                          				intOrPtr _t275;
                                                                          				signed int _t279;
                                                                          				intOrPtr _t280;
                                                                          				signed int _t290;
                                                                          				signed int _t292;
                                                                          				intOrPtr _t302;
                                                                          				signed int _t303;
                                                                          				intOrPtr* _t318;
                                                                          				short** _t320;
                                                                          				intOrPtr* _t322;
                                                                          				intOrPtr* _t324;
                                                                          				intOrPtr* _t325;
                                                                          				signed int _t328;
                                                                          				signed int _t329;
                                                                          				intOrPtr* _t330;
                                                                          				signed int _t336;
                                                                          				void* _t346;
                                                                          				signed int _t347;
                                                                          				signed int _t348;
                                                                          				signed int _t349;
                                                                          				signed int _t350;
                                                                          				signed int _t351;
                                                                          				short** _t358;
                                                                          				void* _t360;
                                                                          
                                                                          				_v20 = _v20 & 0x00000000;
                                                                          				_v8 = _v8 & 0x00000000;
                                                                          				_v24 = _v24 & 0x00000000;
                                                                          				_v12 = _v12 & 0x00000000;
                                                                          				_v28 = _v28 & 0x00000000;
                                                                          				_v16 = _v16 & 0x00000000;
                                                                          				_t351 = E000D3803(_a12, L"RollbackBoundary",  &_v20);
                                                                          				if(_t351 >= 0) {
                                                                          					_t208 = _v20;
                                                                          					_t321 =  *_t208;
                                                                          					_t351 =  *((intOrPtr*)( *_t208 + 0x20))(_t208,  &_v24);
                                                                          					if(_t351 >= 0) {
                                                                          						_t210 = _v24;
                                                                          						_push(__ebx);
                                                                          						_t318 = _a4;
                                                                          						if(_v24 == 0) {
                                                                          							L17:
                                                                          							_t322 = _v20;
                                                                          							if(_t322 != 0) {
                                                                          								 *((intOrPtr*)( *_t322 + 8))(_t322);
                                                                          								_v20 = _v20 & 0x00000000;
                                                                          							}
                                                                          							if(E000D3803(_a12, L"Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage",  &_v20) >= 0) {
                                                                          								_t213 = _v20;
                                                                          								_t340 =  &_v24;
                                                                          								_push( &_v24);
                                                                          								_push(_t213);
                                                                          								if( *((intOrPtr*)( *_t213 + 0x20))() >= 0) {
                                                                          									_t215 = _v24;
                                                                          									if(_v24 == 0) {
                                                                          										L123:
                                                                          										_t351 = 0;
                                                                          										goto L124;
                                                                          									}
                                                                          									_t223 = E000938D4(_t215 * 0xe0, 1);
                                                                          									 *((intOrPtr*)(_t318 + 8)) = _t223;
                                                                          									if(_t223 != 0) {
                                                                          										_t224 = _v24;
                                                                          										_v32 = _v32 & 0x00000000;
                                                                          										 *((intOrPtr*)(_t318 + 0xc)) = _t224;
                                                                          										if(_t224 == 0) {
                                                                          											L106:
                                                                          											_t351 = E0009D87E(_t318, _a12);
                                                                          											if(_t351 >= 0) {
                                                                          												goto L123;
                                                                          											}
                                                                          											_push("Failed to parse target product codes.");
                                                                          											goto L108;
                                                                          										}
                                                                          										_t328 = 0;
                                                                          										_v36 = 0;
                                                                          										while(1) {
                                                                          											_t346 =  *((intOrPtr*)(_t318 + 8)) + _t328;
                                                                          											_t351 = E000D3760(_t328, _v20,  &_v8,  &_v12);
                                                                          											if(_t351 < 0) {
                                                                          												break;
                                                                          											}
                                                                          											_t351 = E000D31C7(_v8, L"Id", _t346);
                                                                          											if(_t351 < 0) {
                                                                          												L121:
                                                                          												_push("Failed to get @Id.");
                                                                          												goto L108;
                                                                          											}
                                                                          											_t351 = E000D31C7(_v8, L"Cache",  &_v16);
                                                                          											if(_t351 < 0) {
                                                                          												_push("Failed to get @Cache.");
                                                                          												goto L108;
                                                                          											}
                                                                          											if(CompareStringW(0x7f, 0, _v16, 0xffffffff, L"no", 0xffffffff) != 2) {
                                                                          												if(CompareStringW(0x7f, 0, _v16, 0xffffffff, L"yes", 0xffffffff) != 2) {
                                                                          													_t235 = CompareStringW(0x7f, 0, _v16, 0xffffffff, L"always", 0xffffffff);
                                                                          													_t328 = 2;
                                                                          													if(_t235 != _t328) {
                                                                          														_push(_v16);
                                                                          														_t351 = 0x8000ffff;
                                                                          														_push("Invalid cache type: %ls");
                                                                          														L119:
                                                                          														_push(_t351);
                                                                          														E000D012F();
                                                                          														goto L124;
                                                                          													}
                                                                          													 *(_t346 + 0x20) = _t328;
                                                                          													L37:
                                                                          													_t351 = E000D31C7(_v8, L"CacheId", _t346 + 0x24);
                                                                          													if(_t351 < 0) {
                                                                          														_push("Failed to get @CacheId.");
                                                                          														goto L108;
                                                                          													}
                                                                          													_t351 = E000D329B(_v8, L"Size", _t346 + 0x30);
                                                                          													if(_t351 < 0) {
                                                                          														_push("Failed to get @Size.");
                                                                          														goto L108;
                                                                          													}
                                                                          													_t351 = E000D329B(_v8, L"InstallSize", _t346 + 0x28);
                                                                          													if(_t351 < 0) {
                                                                          														_push("Failed to get @InstallSize.");
                                                                          														goto L108;
                                                                          													}
                                                                          													_t351 = E000D33DB(_t328, _v8, L"PerMachine", _t346 + 0x14);
                                                                          													if(_t351 < 0) {
                                                                          														_push("Failed to get @PerMachine.");
                                                                          														goto L108;
                                                                          													}
                                                                          													_t351 = E000D33DB(_t328, _v8, L"Permanent", _t346 + 0x18);
                                                                          													if(_t351 < 0) {
                                                                          														_push("Failed to get @Permanent.");
                                                                          														goto L108;
                                                                          													}
                                                                          													 *(_t346 + 0x18) = 0 |  *(_t346 + 0x18) == 0x00000000;
                                                                          													_t351 = E000D33DB(_t328, _v8, L"Vital", _t346 + 0x1c);
                                                                          													if(_t351 < 0) {
                                                                          														L112:
                                                                          														_push("Failed to get @Vital.");
                                                                          														goto L108;
                                                                          													}
                                                                          													_t351 = E000D31C7(_v8, L"LogPathVariable", _t346 + 4);
                                                                          													if(_t351 == 0x80070490 || _t351 >= 0) {
                                                                          														_t351 = E000D31C7(_v8, L"RollbackLogPathVariable", _t346 + 8);
                                                                          														if(_t351 == 0x80070490 || _t351 >= 0) {
                                                                          															_t351 = E000D31C7(_v8, L"InstallCondition", _t346 + 0xc);
                                                                          															if(_t351 == 0x80070490 || _t351 >= 0) {
                                                                          																_t351 = E000D31C7(_v8, L"RollbackBoundaryForward",  &_v16);
                                                                          																if(_t351 == 0x80070490) {
                                                                          																	L52:
                                                                          																	_t351 = E000D31C7(_v8, L"RollbackBoundaryBackward",  &_v16);
                                                                          																	if(_t351 == 0x80070490) {
                                                                          																		L55:
                                                                          																		if(CompareStringW(0x7f, 0, _v12, 0xffffffff, L"ExePackage", 0xffffffff) != 2) {
                                                                          																			_t262 = CompareStringW(0x7f, 0, _v12, 0xffffffff, L"MsiPackage", 0xffffffff);
                                                                          																			_t329 = 2;
                                                                          																			if(_t262 != _t329) {
                                                                          																				if(CompareStringW(0x7f, 0, _v12, 0xffffffff, L"MspPackage", 0xffffffff) != 2) {
                                                                          																					if(CompareStringW(0x7f, 0, _v12, 0xffffffff, L"MsuPackage", 0xffffffff) != 2) {
                                                                          																						L66:
                                                                          																						_t351 = E0009D9EE(_t318, _t346, _a8, _v8);
                                                                          																						if(_t351 < 0) {
                                                                          																							_push("Failed to parse payload references.");
                                                                          																							goto L108;
                                                                          																						}
                                                                          																						_t351 = E000B7CD9(_t346, _v8);
                                                                          																						if(_t351 < 0) {
                                                                          																							_push("Failed to parse dependency providers.");
                                                                          																							goto L108;
                                                                          																						}
                                                                          																						_t330 = _v8;
                                                                          																						if(_t330 != 0) {
                                                                          																							 *((intOrPtr*)( *_t330 + 8))(_t330);
                                                                          																							_v8 = _v8 & 0x00000000;
                                                                          																						}
                                                                          																						if(_v12 != 0) {
                                                                          																							__imp__#6(_v12);
                                                                          																							_v12 = _v12 & 0x00000000;
                                                                          																						}
                                                                          																						_t268 = _v32 + 1;
                                                                          																						_t328 = _v36 + 0xe0;
                                                                          																						_v32 = _t268;
                                                                          																						_v36 = _t328;
                                                                          																						if(_t268 < _v24) {
                                                                          																							continue;
                                                                          																						} else {
                                                                          																							_t356 = _v28;
                                                                          																							if(_v28 == 0) {
                                                                          																								goto L106;
                                                                          																							}
                                                                          																							_t271 = E000938D4(_t356 << 4, 1);
                                                                          																							 *((intOrPtr*)(_t318 + 0x20)) = _t271;
                                                                          																							if(_t271 != 0) {
                                                                          																								 *((intOrPtr*)(_t318 + 0x24)) = E000938D4(_t356 << 2, 1);
                                                                          																								if( *((intOrPtr*)(_t318 + 0x20)) != 0) {
                                                                          																									_t275 = 0;
                                                                          																									_a8 = 0;
                                                                          																									if( *((intOrPtr*)(_t318 + 0xc)) <= 0) {
                                                                          																										goto L106;
                                                                          																									}
                                                                          																									_t347 = 0;
                                                                          																									_v28 = 0;
                                                                          																									do {
                                                                          																										_t358 =  *((intOrPtr*)(_t318 + 8)) + _t347;
                                                                          																										_v40 = _t358;
                                                                          																										if( *((intOrPtr*)(_t358 + 0x8c)) != 3) {
                                                                          																											goto L105;
                                                                          																										}
                                                                          																										 *((intOrPtr*)( *((intOrPtr*)(_t318 + 0x20)) + ( *(_t318 + 0x28) +  *(_t318 + 0x28)) * 8)) =  *((intOrPtr*)(_t358 + 0x94));
                                                                          																										 *((intOrPtr*)( *((intOrPtr*)(_t318 + 0x20)) + 4 + ( *(_t318 + 0x28) +  *(_t318 + 0x28)) * 8)) = 2;
                                                                          																										 *((intOrPtr*)( *((intOrPtr*)(_t318 + 0x24)) +  *(_t318 + 0x28) * 4)) = _t358;
                                                                          																										_t336 = 0;
                                                                          																										 *(_t318 + 0x28) =  *(_t318 + 0x28) + 1;
                                                                          																										_v36 = 0;
                                                                          																										if( *((intOrPtr*)(_t318 + 0xc)) <= 0) {
                                                                          																											L104:
                                                                          																											_t275 = _a8;
                                                                          																											goto L105;
                                                                          																										}
                                                                          																										_t279 = 0;
                                                                          																										_v32 = 0;
                                                                          																										do {
                                                                          																											_t360 =  *((intOrPtr*)(_t318 + 8)) + _t279;
                                                                          																											if( *((intOrPtr*)(_t360 + 0x8c)) != 2) {
                                                                          																												goto L102;
                                                                          																											}
                                                                          																											_t348 = 0;
                                                                          																											if( *((intOrPtr*)(_t360 + 0xd4)) <= 0) {
                                                                          																												goto L102;
                                                                          																											}
                                                                          																											_t320 = _v40;
                                                                          																											do {
                                                                          																												_t280 =  *((intOrPtr*)(_t360 + 0xd0));
                                                                          																												if( *(_t280 + _t348 * 4) != 0 && CompareStringW(0x7f, 0,  *_t320, 0xffffffff,  *(_t280 + _t348 * 4), 0xffffffff) == 2) {
                                                                          																													 *( *((intOrPtr*)(_t360 + 0xcc)) + _t348 * 4) = _t320;
                                                                          																													_t283 =  *((intOrPtr*)(_t360 + 0xd0));
                                                                          																													if( *( *((intOrPtr*)(_t360 + 0xd0)) + _t348 * 4) != 0) {
                                                                          																														E000D54EF( *((intOrPtr*)(_t283 + _t348 * 4)));
                                                                          																														 *( *((intOrPtr*)(_t360 + 0xd0)) + _t348 * 4) =  *( *((intOrPtr*)(_t360 + 0xd0)) + _t348 * 4) & 0x00000000;
                                                                          																													}
                                                                          																												}
                                                                          																												_t348 = _t348 + 1;
                                                                          																											} while (_t348 <  *((intOrPtr*)(_t360 + 0xd4)));
                                                                          																											_t318 = _a4;
                                                                          																											_t279 = _v32;
                                                                          																											_t336 = _v36;
                                                                          																											L102:
                                                                          																											_t336 = _t336 + 1;
                                                                          																											_t279 = _t279 + 0xe0;
                                                                          																											_v36 = _t336;
                                                                          																											_v32 = _t279;
                                                                          																										} while (_t336 <  *((intOrPtr*)(_t318 + 0xc)));
                                                                          																										_t347 = _v28;
                                                                          																										goto L104;
                                                                          																										L105:
                                                                          																										_t275 = _t275 + 1;
                                                                          																										_t347 = _t347 + 0xe0;
                                                                          																										_a8 = _t275;
                                                                          																										_v28 = _t347;
                                                                          																									} while (_t275 <  *((intOrPtr*)(_t318 + 0xc)));
                                                                          																									goto L106;
                                                                          																								}
                                                                          																								_t349 = 0x8007000e;
                                                                          																								_t351 = 0x8007000e;
                                                                          																								E000937D3(_t274, "package.cpp", 0x100, 0x8007000e);
                                                                          																								_push("Failed to allocate memory for patch sequence information to package lookup.");
                                                                          																								L87:
                                                                          																								_push(_t349);
                                                                          																								goto L109;
                                                                          																							}
                                                                          																							_t349 = 0x8007000e;
                                                                          																							_t351 = 0x8007000e;
                                                                          																							E000937D3(_t271, "package.cpp", 0xfd, 0x8007000e);
                                                                          																							_push("Failed to allocate memory for MSP patch sequence information.");
                                                                          																							goto L87;
                                                                          																						}
                                                                          																					}
                                                                          																					 *(_t346 + 0x8c) = 4;
                                                                          																					_t290 = E000B6F47(_v8, _t346); // executed
                                                                          																					_t351 = _t290;
                                                                          																					if(_t351 < 0) {
                                                                          																						_push("Failed to parse MSU package.");
                                                                          																						goto L108;
                                                                          																					}
                                                                          																					goto L66;
                                                                          																				}
                                                                          																				 *(_t346 + 0x8c) = 3;
                                                                          																				_t351 = E000B643A(_t318, _v8, _t346);
                                                                          																				if(_t351 < 0) {
                                                                          																					_push("Failed to parse MSP package.");
                                                                          																					goto L108;
                                                                          																				}
                                                                          																				_v28 = _v28 + 1;
                                                                          																				goto L66;
                                                                          																			}
                                                                          																			 *(_t346 + 0x8c) = _t329;
                                                                          																			_t292 = E000B4888(_t340, _v8, _t346); // executed
                                                                          																			_t351 = _t292;
                                                                          																			if(_t351 >= 0) {
                                                                          																				goto L66;
                                                                          																			}
                                                                          																			_push("Failed to parse MSI package.");
                                                                          																			goto L108;
                                                                          																		}
                                                                          																		 *(_t346 + 0x8c) = 1;
                                                                          																		_t351 = E000B25AF(_t328, _v8, _t346);
                                                                          																		if(_t351 >= 0) {
                                                                          																			goto L66;
                                                                          																		}
                                                                          																		_push("Failed to parse EXE package.");
                                                                          																		goto L108;
                                                                          																	}
                                                                          																	if(_t351 < 0) {
                                                                          																		_push("Failed to get @RollbackBoundaryBackward.");
                                                                          																		goto L108;
                                                                          																	}
                                                                          																	_t351 = E0009D82F(_t318, _v16, _t346 + 0x3c);
                                                                          																	if(_t351 < 0) {
                                                                          																		_push(_v16);
                                                                          																		_push("Failed to find backward transaction boundary: %ls");
                                                                          																		goto L119;
                                                                          																	}
                                                                          																	goto L55;
                                                                          																}
                                                                          																if(_t351 < 0) {
                                                                          																	_push("Failed to get @RollbackBoundaryForward.");
                                                                          																	goto L108;
                                                                          																}
                                                                          																_t351 = E0009D82F(_t318, _v16, _t346 + 0x38);
                                                                          																if(_t351 < 0) {
                                                                          																	_push(_v16);
                                                                          																	_push("Failed to find forward transaction boundary: %ls");
                                                                          																	goto L119;
                                                                          																}
                                                                          																goto L52;
                                                                          															} else {
                                                                          																_push("Failed to get @InstallCondition.");
                                                                          																goto L108;
                                                                          															}
                                                                          														} else {
                                                                          															_push("Failed to get @RollbackLogPathVariable.");
                                                                          															goto L108;
                                                                          														}
                                                                          													} else {
                                                                          														_push("Failed to get @LogPathVariable.");
                                                                          														goto L108;
                                                                          													}
                                                                          												}
                                                                          												 *(_t346 + 0x20) = 1;
                                                                          												goto L37;
                                                                          											}
                                                                          											 *(_t346 + 0x20) =  *(_t346 + 0x20) & 0x00000000;
                                                                          											goto L37;
                                                                          										}
                                                                          										L122:
                                                                          										_push("Failed to get next node.");
                                                                          										goto L108;
                                                                          									}
                                                                          									_t349 = 0x8007000e;
                                                                          									_t351 = 0x8007000e;
                                                                          									E000937D3(_t223, "package.cpp", 0x5f, 0x8007000e);
                                                                          									_push("Failed to allocate memory for package structs.");
                                                                          									goto L87;
                                                                          								}
                                                                          								_push("Failed to get package node count.");
                                                                          								goto L108;
                                                                          							} else {
                                                                          								_push("Failed to select package nodes.");
                                                                          								L108:
                                                                          								_push(_t351);
                                                                          								L109:
                                                                          								E000D012F();
                                                                          								L124:
                                                                          								L125:
                                                                          								_t324 = _v20;
                                                                          								if(_t324 != 0) {
                                                                          									 *((intOrPtr*)( *_t324 + 8))(_t324);
                                                                          								}
                                                                          								_t325 = _v8;
                                                                          								if(_t325 != 0) {
                                                                          									 *((intOrPtr*)( *_t325 + 8))(_t325);
                                                                          								}
                                                                          								if(_v12 != 0) {
                                                                          									__imp__#6(_v12);
                                                                          								}
                                                                          								if(_v16 != 0) {
                                                                          									E000D54EF(_v16);
                                                                          								}
                                                                          								return _t351;
                                                                          							}
                                                                          						}
                                                                          						_t302 = E000938D4(_t210 << 3, 1);
                                                                          						 *_t318 = _t302;
                                                                          						if(_t302 != 0) {
                                                                          							_t303 = _v24;
                                                                          							_t350 = 0;
                                                                          							 *((intOrPtr*)(_t318 + 4)) = _t303;
                                                                          							if(_t303 == 0) {
                                                                          								goto L17;
                                                                          							} else {
                                                                          								goto L9;
                                                                          							}
                                                                          							while(1) {
                                                                          								L9:
                                                                          								_v32 =  *_t318 + _t350 * 8;
                                                                          								_t351 = E000D3760(_t321, _v20,  &_v8,  &_v12);
                                                                          								if(_t351 < 0) {
                                                                          									goto L122;
                                                                          								}
                                                                          								_t351 = E000D31C7(_v8, L"Id", _v32);
                                                                          								if(_t351 < 0) {
                                                                          									goto L121;
                                                                          								}
                                                                          								_t351 = E000D33DB(_t321, _v8, L"Vital", _v32 + 4);
                                                                          								if(_t351 < 0) {
                                                                          									goto L112;
                                                                          								}
                                                                          								_t321 = _v8;
                                                                          								if(_t321 != 0) {
                                                                          									 *((intOrPtr*)( *_t321 + 8))(_t321);
                                                                          									_v8 = _v8 & 0x00000000;
                                                                          								}
                                                                          								if(_v12 != 0) {
                                                                          									__imp__#6(_v12);
                                                                          									_v12 = _v12 & 0x00000000;
                                                                          								}
                                                                          								_t350 = _t350 + 1;
                                                                          								if(_t350 < _v24) {
                                                                          									continue;
                                                                          								} else {
                                                                          									goto L17;
                                                                          								}
                                                                          							}
                                                                          							goto L122;
                                                                          						}
                                                                          						_t349 = 0x8007000e;
                                                                          						_t351 = 0x8007000e;
                                                                          						E000937D3(_t302, "package.cpp", 0x34, 0x8007000e);
                                                                          						_push("Failed to allocate memory for rollback boundary structs.");
                                                                          						goto L87;
                                                                          					}
                                                                          					_push("Failed to get rollback bundary node count.");
                                                                          					L2:
                                                                          					_push(_t351);
                                                                          					E000D012F();
                                                                          					goto L125;
                                                                          				}
                                                                          				_push("Failed to select rollback boundary nodes.");
                                                                          				goto L2;
                                                                          			}
                                                                          0x0009e5ba
                                                                          0x00000000
                                                                          0x0009e5ba
                                                                          0x0009e134
                                                                          0x0009e138
                                                                          0x0009e5b3
                                                                          0x00000000
                                                                          0x0009e5b3
                                                                          0x0009e146
                                                                          0x0009e15a
                                                                          0x0009e15e
                                                                          0x0009e5ac
                                                                          0x0009e5ac
                                                                          0x00000000
                                                                          0x0009e5ac
                                                                          0x0009e175
                                                                          0x0009e17d
                                                                          0x0009e198
                                                                          0x0009e1a0
                                                                          0x0009e1bb
                                                                          0x0009e1c3
                                                                          0x0009e1de
                                                                          0x0009e1e6
                                                                          0x0009e207
                                                                          0x0009e218
                                                                          0x0009e220
                                                                          0x0009e241
                                                                          0x0009e25c
                                                                          0x0009e295
                                                                          0x0009e299
                                                                          0x0009e29c
                                                                          0x0009e2d2
                                                                          0x0009e30b
                                                                          0x0009e32a
                                                                          0x0009e336
                                                                          0x0009e33a
                                                                          0x0009e5a5
                                                                          0x00000000
                                                                          0x0009e5a5
                                                                          0x0009e349
                                                                          0x0009e34d
                                                                          0x0009e59e
                                                                          0x00000000
                                                                          0x0009e59e
                                                                          0x0009e353
                                                                          0x0009e358
                                                                          0x0009e35d
                                                                          0x0009e360
                                                                          0x0009e360
                                                                          0x0009e368
                                                                          0x0009e36d
                                                                          0x0009e373
                                                                          0x0009e373
                                                                          0x0009e37d
                                                                          0x0009e37e
                                                                          0x0009e384
                                                                          0x0009e387
                                                                          0x0009e38d
                                                                          0x00000000
                                                                          0x0009e393
                                                                          0x0009e393
                                                                          0x0009e398
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0009e3a6
                                                                          0x0009e3ab
                                                                          0x0009e3b0
                                                                          0x0009e448
                                                                          0x0009e44b
                                                                          0x0009e46f
                                                                          0x0009e471
                                                                          0x0009e477
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0009e47d
                                                                          0x0009e47f
                                                                          0x0009e482
                                                                          0x0009e485
                                                                          0x0009e487
                                                                          0x0009e491
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0009e4a5
                                                                          0x0009e4b0
                                                                          0x0009e4be
                                                                          0x0009e4c1
                                                                          0x0009e4c3
                                                                          0x0009e4c6
                                                                          0x0009e4cc
                                                                          0x0009e567
                                                                          0x0009e567
                                                                          0x00000000
                                                                          0x0009e567
                                                                          0x0009e4d2
                                                                          0x0009e4d4
                                                                          0x0009e4d7
                                                                          0x0009e4da
                                                                          0x0009e4e3
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0009e4e5
                                                                          0x0009e4ed
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0009e4ef
                                                                          0x0009e4f2
                                                                          0x0009e4f2
                                                                          0x0009e4fc
                                                                          0x0009e51c
                                                                          0x0009e51f
                                                                          0x0009e529
                                                                          0x0009e52e
                                                                          0x0009e539
                                                                          0x0009e539
                                                                          0x0009e529
                                                                          0x0009e53d
                                                                          0x0009e53e
                                                                          0x0009e546
                                                                          0x0009e549
                                                                          0x0009e54c
                                                                          0x0009e54f
                                                                          0x0009e54f
                                                                          0x0009e550
                                                                          0x0009e555
                                                                          0x0009e558
                                                                          0x0009e55b
                                                                          0x0009e564
                                                                          0x00000000
                                                                          0x0009e56a
                                                                          0x0009e56a
                                                                          0x0009e56b
                                                                          0x0009e571
                                                                          0x0009e574
                                                                          0x0009e577
                                                                          0x00000000
                                                                          0x0009e482
                                                                          0x0009e44d
                                                                          0x0009e45d
                                                                          0x0009e45f
                                                                          0x0009e464
                                                                          0x0009e469
                                                                          0x0009e469
                                                                          0x00000000
                                                                          0x0009e469
                                                                          0x0009e3b6
                                                                          0x0009e3c6
                                                                          0x0009e3c8
                                                                          0x0009e3cd
                                                                          0x00000000
                                                                          0x0009e3cd
                                                                          0x0009e38d
                                                                          0x0009e30e
                                                                          0x0009e31b
                                                                          0x0009e320
                                                                          0x0009e324
                                                                          0x0009e42d
                                                                          0x00000000
                                                                          0x0009e42d
                                                                          0x00000000
                                                                          0x0009e324
                                                                          0x0009e2d5
                                                                          0x0009e2e7
                                                                          0x0009e2eb
                                                                          0x0009e423
                                                                          0x00000000
                                                                          0x0009e423
                                                                          0x0009e2f1
                                                                          0x00000000
                                                                          0x0009e2f1
                                                                          0x0009e29f
                                                                          0x0009e2a8
                                                                          0x0009e2ad
                                                                          0x0009e2b1
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0009e2b3
                                                                          0x00000000
                                                                          0x0009e2b3
                                                                          0x0009e25f
                                                                          0x0009e271
                                                                          0x0009e275
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0009e27b
                                                                          0x00000000
                                                                          0x0009e27b
                                                                          0x0009e224
                                                                          0x0009e419
                                                                          0x00000000
                                                                          0x0009e419
                                                                          0x0009e237
                                                                          0x0009e23b
                                                                          0x0009e40c
                                                                          0x0009e40f
                                                                          0x00000000
                                                                          0x0009e40f
                                                                          0x00000000
                                                                          0x0009e23b
                                                                          0x0009e1ea
                                                                          0x0009e402
                                                                          0x00000000
                                                                          0x0009e402
                                                                          0x0009e1fd
                                                                          0x0009e201
                                                                          0x0009e3f5
                                                                          0x0009e3f8
                                                                          0x00000000
                                                                          0x0009e3f8
                                                                          0x00000000
                                                                          0x0009e3eb
                                                                          0x0009e3eb
                                                                          0x00000000
                                                                          0x0009e3eb
                                                                          0x0009e3e1
                                                                          0x0009e3e1
                                                                          0x00000000
                                                                          0x0009e3e1
                                                                          0x0009e3d7
                                                                          0x0009e3d7
                                                                          0x00000000
                                                                          0x0009e3d7
                                                                          0x0009e17d
                                                                          0x0009e08e
                                                                          0x00000000
                                                                          0x0009e08e
                                                                          0x0009e071
                                                                          0x00000000
                                                                          0x0009e071
                                                                          0x0009e5fc
                                                                          0x0009e5fc
                                                                          0x00000000
                                                                          0x0009e5fc
                                                                          0x0009dfcd
                                                                          0x0009dfda
                                                                          0x0009dfdc
                                                                          0x0009dfe1
                                                                          0x00000000
                                                                          0x0009dfe1
                                                                          0x0009dfa3
                                                                          0x00000000
                                                                          0x0009df86
                                                                          0x0009df86
                                                                          0x0009e594
                                                                          0x0009e594
                                                                          0x0009e595
                                                                          0x0009e595
                                                                          0x0009e605
                                                                          0x0009e607
                                                                          0x0009e607
                                                                          0x0009e60c
                                                                          0x0009e611
                                                                          0x0009e611
                                                                          0x0009e614
                                                                          0x0009e619
                                                                          0x0009e61e
                                                                          0x0009e61e
                                                                          0x0009e625
                                                                          0x0009e62a
                                                                          0x0009e62a
                                                                          0x0009e634
                                                                          0x0009e639
                                                                          0x0009e639
                                                                          0x0009e644
                                                                          0x0009e644
                                                                          0x0009df84
                                                                          0x0009de9d
                                                                          0x0009dea2
                                                                          0x0009dea6
                                                                          0x0009dec6
                                                                          0x0009dec9
                                                                          0x0009decb
                                                                          0x0009ded0
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0009ded6
                                                                          0x0009ded6
                                                                          0x0009dedb
                                                                          0x0009deee
                                                                          0x0009def2
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0009df08
                                                                          0x0009df0c
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0009df26
                                                                          0x0009df2a
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0009df30
                                                                          0x0009df35
                                                                          0x0009df3a
                                                                          0x0009df3d
                                                                          0x0009df3d
                                                                          0x0009df45
                                                                          0x0009df4a
                                                                          0x0009df50
                                                                          0x0009df50
                                                                          0x0009df54
                                                                          0x0009df58
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0009df58
                                                                          0x00000000
                                                                          0x0009ded6
                                                                          0x0009dea8
                                                                          0x0009deb5
                                                                          0x0009deb7
                                                                          0x0009debc
                                                                          0x00000000
                                                                          0x0009debc
                                                                          0x0009de80
                                                                          0x0009de60
                                                                          0x0009de60
                                                                          0x0009de61
                                                                          0x00000000
                                                                          0x0009de67
                                                                          0x0009de5b
                                                                          0x00000000

                                                                          APIs
                                                                          • SysFreeString.OLEAUT32(00000000), ref: 0009DF4A
                                                                          • SysFreeString.OLEAUT32(00000000), ref: 0009E62A
                                                                            • Part of subcall function 000938D4: GetProcessHeap.KERNEL32(?,000001C7,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938E5
                                                                            • Part of subcall function 000938D4: RtlAllocateHeap.NTDLL(00000000,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938EC
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: FreeHeapString$AllocateProcess
                                                                          • String ID: =S$Cache$CacheId$Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage$ExePackage$Failed to allocate memory for MSP patch sequence information.$Failed to allocate memory for package structs.$Failed to allocate memory for patch sequence information to package lookup.$Failed to allocate memory for rollback boundary structs.$Failed to find backward transaction boundary: %ls$Failed to find forward transaction boundary: %ls$Failed to get @Cache.$Failed to get @CacheId.$Failed to get @Id.$Failed to get @InstallCondition.$Failed to get @InstallSize.$Failed to get @LogPathVariable.$Failed to get @PerMachine.$Failed to get @Permanent.$Failed to get @RollbackBoundaryBackward.$Failed to get @RollbackBoundaryForward.$Failed to get @RollbackLogPathVariable.$Failed to get @Size.$Failed to get @Vital.$Failed to get next node.$Failed to get package node count.$Failed to get rollback bundary node count.$Failed to parse EXE package.$Failed to parse MSI package.$Failed to parse MSP package.$Failed to parse MSU package.$Failed to parse dependency providers.$Failed to parse payload references.$Failed to parse target product codes.$Failed to select package nodes.$Failed to select rollback boundary nodes.$InstallCondition$InstallSize$Invalid cache type: %ls$LogPathVariable$MsiPackage$MspPackage$MsuPackage$PerMachine$Permanent$RollbackBoundary$RollbackBoundaryBackward$RollbackBoundaryForward$RollbackLogPathVariable$Size$Vital$always$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msi.dll$package.cpp$wininet.dll$yes
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 64%
                                                                          			E0009F86E(void* __edx, void* __edi, intOrPtr _a4, intOrPtr _a8) {
                                                                          				void* _v8;
                                                                          				void* _v12;
                                                                          				short* _v16;
                                                                          				void* _v20;
                                                                          				void* _t88;
                                                                          				void* _t112;
                                                                          				int _t158;
                                                                          				void* _t164;
                                                                          				signed int _t166;
                                                                          				intOrPtr* _t167;
                                                                          				intOrPtr* _t168;
                                                                          				intOrPtr* _t169;
                                                                          				void* _t174;
                                                                          				intOrPtr _t176;
                                                                          				void* _t179;
                                                                          				void* _t188;
                                                                          				void* _t190;
                                                                          
                                                                          				_t174 = __edx;
                                                                          				_v12 = 0;
                                                                          				_v8 = 0;
                                                                          				_v20 = 0;
                                                                          				_v16 = 0;
                                                                          				_t88 = E000D388A(_a8, L"Registration",  &_v12);
                                                                          				_t164 = 0x80070490;
                                                                          				_t179 =  ==  ? 0x80070490 : _t88;
                                                                          				if(_t179 >= 0) {
                                                                          					_push(__edi);
                                                                          					_t176 = _a4;
                                                                          					if(E000D31C7(_v12, L"Id", _t176 + 0x10) >= 0) {
                                                                          						if(E000D31C7(_v12, L"Tag", _t176 + 0x14) >= 0) {
                                                                          							if(E0009E936(_t176, _t176, _a8) >= 0) {
                                                                          								if(E000D31C7(_v12, L"Version",  &_v16) >= 0) {
                                                                          									if(E000D4B5A(_t174, _v16, 0, _t176 + 0x38) >= 0) {
                                                                          										if(E000D31C7(_v12, L"ProviderKey", _t176 + 0x44) >= 0) {
                                                                          											if(E000D31C7(_v12, L"ExecutableName", _t176 + 0x48) >= 0) {
                                                                          												if(E000D33DB(_t166, _v12, L"PerMachine", _t176) >= 0) {
                                                                          													_t188 = E000D388A(_v12, L"Arp",  &_v8);
                                                                          													if(_t188 == 1) {
                                                                          														L71:
                                                                          														if(E0009EBB2(_v12, _t176 + 0x94, _t176 + 0x98) >= 0) {
                                                                          															_t190 = E000D388A(_v12, L"Update",  &_v20);
                                                                          															if(_t190 == 1) {
                                                                          																L88:
                                                                          																_t112 = E0009EFE5(_t166, _t176); // executed
                                                                          																_t190 = _t112;
                                                                          																if(_t190 >= 0) {
                                                                          																	L91:
                                                                          																	L92:
                                                                          																	_t167 = _v12;
                                                                          																	if(_t167 != 0) {
                                                                          																		 *((intOrPtr*)( *_t167 + 8))(_t167);
                                                                          																	}
                                                                          																	_t168 = _v8;
                                                                          																	if(_t168 != 0) {
                                                                          																		 *((intOrPtr*)( *_t168 + 8))(_t168);
                                                                          																	}
                                                                          																	_t169 = _v20;
                                                                          																	if(_t169 != 0) {
                                                                          																		 *((intOrPtr*)( *_t169 + 8))(_t169);
                                                                          																	}
                                                                          																	if(_v16 != 0) {
                                                                          																		E000D54EF(_v16);
                                                                          																	}
                                                                          																	return _t190;
                                                                          																}
                                                                          																_push("Failed to set registration paths.");
                                                                          																L90:
                                                                          																_push(_t190);
                                                                          																E000D012F();
                                                                          																goto L91;
                                                                          															}
                                                                          															if(_t190 >= 0) {
                                                                          																 *((intOrPtr*)(_t176 + 0x9c)) = 1;
                                                                          																_t190 = E000D31C7(_v20, L"Manufacturer", _t176 + 0xa0);
                                                                          																if(_t190 >= 0) {
                                                                          																	_t190 = E000D31C7(_v20, L"Department", _t176 + 0xa4);
                                                                          																	if(_t190 == _t164 || _t190 >= 0) {
                                                                          																		_t190 = E000D31C7(_v20, L"ProductFamily", _t176 + 0xa8);
                                                                          																		if(_t190 == _t164 || _t190 >= 0) {
                                                                          																			_t190 = E000D31C7(_v20, L"Name", _t176 + 0xac);
                                                                          																			if(_t190 >= 0) {
                                                                          																				_t190 = E000D31C7(_v20, L"Classification", _t176 + 0xb0);
                                                                          																				if(_t190 >= 0) {
                                                                          																					goto L88;
                                                                          																				}
                                                                          																				_push("Failed to get @Classification.");
                                                                          																				goto L90;
                                                                          																			}
                                                                          																			_push("Failed to get @Name.");
                                                                          																		} else {
                                                                          																			_push("Failed to get @ProductFamily.");
                                                                          																		}
                                                                          																	} else {
                                                                          																		_push("Failed to get @Department.");
                                                                          																	}
                                                                          																	goto L90;
                                                                          																}
                                                                          																_push("Failed to get @Manufacturer.");
                                                                          																goto L90;
                                                                          															}
                                                                          															_push("Failed to select Update node.");
                                                                          															goto L90;
                                                                          														}
                                                                          														_push("Failed to parse software tag.");
                                                                          														goto L90;
                                                                          													}
                                                                          													if(_t188 >= 0) {
                                                                          														_t190 = E000D33DB(_t166, _v8, L"Register", _t176 + 4);
                                                                          														if(_t190 >= 0) {
                                                                          															_t190 = E000D31C7(_v8, L"DisplayName", _t176 + 0x60);
                                                                          															if(_t190 == 0x80070490 || _t190 >= 0) {
                                                                          																_t190 = E000D31C7(_v8, L"DisplayVersion", _t176 + 0x64);
                                                                          																if(_t190 == _t164 || _t190 >= 0) {
                                                                          																	_t190 = E000D31C7(_v8, L"Publisher", _t176 + 0x68);
                                                                          																	if(_t190 == _t164 || _t190 >= 0) {
                                                                          																		_t190 = E000D31C7(_v8, L"HelpLink", _t176 + 0x6c);
                                                                          																		if(_t190 == _t164 || _t190 >= 0) {
                                                                          																			_t190 = E000D31C7(_v8, L"HelpTelephone", _t176 + 0x70);
                                                                          																			if(_t190 == _t164 || _t190 >= 0) {
                                                                          																				_t190 = E000D31C7(_v8, L"AboutUrl", _t176 + 0x74);
                                                                          																				if(_t190 == _t164 || _t190 >= 0) {
                                                                          																					_t190 = E000D31C7(_v8, L"UpdateUrl", _t176 + 0x78);
                                                                          																					if(_t190 == _t164 || _t190 >= 0) {
                                                                          																						_t190 = E000D31C7(_v8, L"ParentDisplayName", _t176 + 0x7c);
                                                                          																						if(_t190 == _t164 || _t190 >= 0) {
                                                                          																							_t190 = E000D31C7(_v8, L"Comments", _t176 + 0x80);
                                                                          																							if(_t190 == _t164 || _t190 >= 0) {
                                                                          																								_t190 = E000D31C7(_v8, L"Contact", _t176 + 0x84);
                                                                          																								if(_t190 == _t164 || _t190 >= 0) {
                                                                          																									_t190 = E000D31C7(_v8, L"DisableModify",  &_v16);
                                                                          																									if(_t190 < 0) {
                                                                          																										if(_t190 == _t164) {
                                                                          																											 *(_t176 + 0x88) =  *(_t176 + 0x88) & 0x00000000;
                                                                          																											_t190 = 0;
                                                                          																										}
                                                                          																										L65:
                                                                          																										if(_t190 >= 0) {
                                                                          																											_t190 = E000D33DB(_t166, _v8, L"DisableRemove", _t176 + 0x90);
                                                                          																											if(_t190 == _t164) {
                                                                          																												goto L71;
                                                                          																											}
                                                                          																											if(_t190 >= 0) {
                                                                          																												 *(_t176 + 0x8c) = 1;
                                                                          																												goto L71;
                                                                          																											}
                                                                          																											_push("Failed to get @DisableRemove.");
                                                                          																											goto L90;
                                                                          																										}
                                                                          																										_push("Failed to get @DisableModify.");
                                                                          																										goto L90;
                                                                          																									}
                                                                          																									_t158 = CompareStringW(0x7f, 0, _v16, 0xffffffff, L"button", 0xffffffff);
                                                                          																									_t166 = 2;
                                                                          																									if(_t158 != _t166) {
                                                                          																										if(CompareStringW(0x7f, 0, _v16, 0xffffffff, L"yes", 0xffffffff) != 2) {
                                                                          																											if(CompareStringW(0x7f, 0, _v16, 0xffffffff, L"no", 0xffffffff) != 2) {
                                                                          																												_t190 = 0x8000ffff;
                                                                          																												E000937D3(_t160, "registration.cpp", 0xf6, 0x8000ffff);
                                                                          																												_push(_v16);
                                                                          																												_push("Invalid modify disabled type: %ls");
                                                                          																												L62:
                                                                          																												_push(_t190);
                                                                          																												E000D012F();
                                                                          																												goto L91;
                                                                          																											}
                                                                          																											 *(_t176 + 0x88) =  *(_t176 + 0x88) & 0x00000000;
                                                                          																											L60:
                                                                          																											_t164 = 0x80070490;
                                                                          																											goto L65;
                                                                          																										}
                                                                          																										 *(_t176 + 0x88) = 1;
                                                                          																										goto L60;
                                                                          																									}
                                                                          																									 *(_t176 + 0x88) = _t166;
                                                                          																									goto L60;
                                                                          																								} else {
                                                                          																									_push("Failed to get @Contact.");
                                                                          																									goto L90;
                                                                          																								}
                                                                          																							} else {
                                                                          																								_push("Failed to get @Comments.");
                                                                          																								goto L90;
                                                                          																							}
                                                                          																						} else {
                                                                          																							_push("Failed to get @ParentDisplayName.");
                                                                          																							goto L90;
                                                                          																						}
                                                                          																					} else {
                                                                          																						_push("Failed to get @UpdateUrl.");
                                                                          																						goto L90;
                                                                          																					}
                                                                          																				} else {
                                                                          																					_push("Failed to get @AboutUrl.");
                                                                          																					goto L90;
                                                                          																				}
                                                                          																			} else {
                                                                          																				_push("Failed to get @HelpTelephone.");
                                                                          																				goto L90;
                                                                          																			}
                                                                          																		} else {
                                                                          																			_push("Failed to get @HelpLink.");
                                                                          																			goto L90;
                                                                          																		}
                                                                          																	} else {
                                                                          																		_push("Failed to get @Publisher.");
                                                                          																		goto L90;
                                                                          																	}
                                                                          																} else {
                                                                          																	_push("Failed to get @DisplayVersion.");
                                                                          																	goto L90;
                                                                          																}
                                                                          															} else {
                                                                          																_push("Failed to get @DisplayName.");
                                                                          																goto L90;
                                                                          															}
                                                                          														}
                                                                          														_push("Failed to get @Register.");
                                                                          														goto L90;
                                                                          													}
                                                                          													_push("Failed to select ARP node.");
                                                                          													goto L90;
                                                                          												}
                                                                          												_push("Failed to get @PerMachine.");
                                                                          												goto L90;
                                                                          											}
                                                                          											_push("Failed to get @ExecutableName.");
                                                                          											goto L90;
                                                                          										}
                                                                          										_push("Failed to get @ProviderKey.");
                                                                          										goto L90;
                                                                          									}
                                                                          									_push(_v16);
                                                                          									_push("Failed to parse @Version: %ls");
                                                                          									goto L62;
                                                                          								}
                                                                          								_push("Failed to get @Version.");
                                                                          								goto L90;
                                                                          							}
                                                                          							_push("Failed to parse related bundles");
                                                                          							goto L90;
                                                                          						}
                                                                          						_push("Failed to get @Tag.");
                                                                          						goto L90;
                                                                          					}
                                                                          					_push("Failed to get @Id.");
                                                                          					goto L90;
                                                                          				}
                                                                          				_push("Failed to select registration node.");
                                                                          				_push(_t179);
                                                                          				E000D012F();
                                                                          				goto L92;
                                                                          			}





















                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: =S$AboutUrl$Arp$Classification$Comments$Contact$Department$DisableModify$DisableRemove$DisplayName$DisplayVersion$ExecutableName$Failed to get @AboutUrl.$Failed to get @Classification.$Failed to get @Comments.$Failed to get @Contact.$Failed to get @Department.$Failed to get @DisableModify.$Failed to get @DisableRemove.$Failed to get @DisplayName.$Failed to get @DisplayVersion.$Failed to get @ExecutableName.$Failed to get @HelpLink.$Failed to get @HelpTelephone.$Failed to get @Id.$Failed to get @Manufacturer.$Failed to get @Name.$Failed to get @ParentDisplayName.$Failed to get @PerMachine.$Failed to get @ProductFamily.$Failed to get @ProviderKey.$Failed to get @Publisher.$Failed to get @Register.$Failed to get @Tag.$Failed to get @UpdateUrl.$Failed to get @Version.$Failed to parse @Version: %ls$Failed to parse related bundles$Failed to parse software tag.$Failed to select ARP node.$Failed to select Update node.$Failed to select registration node.$Failed to set registration paths.$HelpLink$HelpTelephone$Invalid modify disabled type: %ls$Manufacturer$Name$ParentDisplayName$PerMachine$ProductFamily$ProviderKey$Publisher$Register$Registration$Tag$Update$UpdateUrl$Version$button$clbcatq.dll$msasn1.dll$registration.cpp$yes
                                                                          • API String ID: 0-2206336810
                                                                          • Opcode ID: fcafa8a1b6321bfaee8c2855135d1ce94fd61ce80fc558aae6207b04c67acc1b
                                                                          • Instruction ID: a458409e0f4673cde3a865a29a3d2cc98292c82dec7eaa5ad38a1b541e26690b
                                                                          • Opcode Fuzzy Hash: fcafa8a1b6321bfaee8c2855135d1ce94fd61ce80fc558aae6207b04c67acc1b
                                                                          • Instruction Fuzzy Hash: 39E1B872E817A7BFCF2196A1CC41EFDBA65AB00710F110275FE20FA291D7B15E50A791
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          [Control-flow graph for the function at 9b389 (legend: Executed / Not Executed); graph data not reproduced]
                                                                          C-Code - Quality: 67%
                                                                          			E0009B389(union _LARGE_INTEGER* __edx, void* _a4, void* _a8, intOrPtr _a12) {
                                                                          				signed int _v8;
                                                                          				union _LARGE_INTEGER _v12;
                                                                          				char _v72;
                                                                          				signed short _v300;
                                                                          				signed int _v314;
                                                                          				void _v320;
                                                                          				union _LARGE_INTEGER _v340;
                                                                          				long _v344;
                                                                          				void _v360;
                                                                          				long _v364;
                                                                          				union _LARGE_INTEGER* _v368;
                                                                          				intOrPtr _v372;
                                                                          				void _v376;
                                                                          				void _v380;
                                                                          				struct _OVERLAPPED* _v384;
                                                                          				intOrPtr _v388;
                                                                          				union _LARGE_INTEGER _v392;
                                                                          				intOrPtr _v396;
                                                                          				char _v400;
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				void* __ebp;
                                                                          				signed int _t98;
                                                                          				intOrPtr _t106;
                                                                          				int _t108;
                                                                          				int _t117;
                                                                          				int _t120;
                                                                          				union _LARGE_INTEGER _t123;
                                                                          				int _t124;
                                                                          				int _t133;
                                                                          				signed short _t137;
                                                                          				intOrPtr* _t142;
                                                                          				int _t151;
                                                                          				intOrPtr _t160;
                                                                          				signed short _t188;
                                                                          				signed short _t191;
                                                                          				signed short _t196;
                                                                          				signed short _t199;
                                                                          				signed short _t202;
                                                                          				signed short _t205;
                                                                          				signed short _t208;
                                                                          				signed short _t211;
                                                                          				signed short _t214;
                                                                          				signed short _t217;
                                                                          				signed short _t220;
                                                                          				signed int _t224;
                                                                          				void* _t226;
                                                                          				intOrPtr _t237;
                                                                          				void _t241;
                                                                          				intOrPtr _t242;
                                                                          				union _LARGE_INTEGER* _t243;
                                                                          				void* _t244;
                                                                          				void* _t247;
                                                                          				void* _t248;
                                                                          				void* _t252;
                                                                          				signed int _t290;
                                                                          
                                                                          				_t243 = __edx;
                                                                          				_t98 =  *0xfa008; // 0x90c8e23b
                                                                          				_v8 = _t98 ^ _t290;
                                                                          				_t223 = _a4;
                                                                          				_t3 =  &_v72; // 0x9435c
                                                                          				asm("xorps xmm0, xmm0");
                                                                          				_v364 = 0;
                                                                          				asm("movlpd [ebp-0x18c], xmm0");
                                                                          				E000BF670(_t244, _t3, 0, 0x40);
                                                                          				E000BF670(_t244,  &_v320, 0, 0xf8);
                                                                          				_v376 = 0;
                                                                          				_v380 = 0;
                                                                          				_v368 = 0;
                                                                          				_t224 = 0xa;
                                                                          				memset( &_v360, 0, _t224 << 2);
                                                                          				_t226 = _a8;
                                                                          				 *_t223 = _t226;
                                                                          				if(_t226 != 0xffffffff) {
                                                                          					_t106 = _a12;
                                                                          					_t247 = SetFilePointerEx;
                                                                          					_push(0);
                                                                          					_t107 =  ==  ? _t226 : _t106;
                                                                          					 *((intOrPtr*)(_t223 + 4)) =  ==  ? _t226 : _t106;
                                                                          					_t108 = SetFilePointerEx(_t226, 0, 0, 0); // executed
                                                                          					if(_t108 != 0) {
                                                                          						_t15 =  &_v72; // 0x9435c
                                                                          						_t111 = ReadFile( *_t223, _t15, 0x40,  &_v364, 0); // executed
                                                                          						if(_t111 != 0) {
                                                                          							if(_v364 < 0x40) {
                                                                          								L66:
                                                                          								_t247 = 0x8007000d;
                                                                          								_t252 = 0x8007000d;
                                                                          								E000937D3(_t111, "section.cpp", 0x4e, 0x8007000d);
                                                                          								_push("Failed to find valid DOS image header in buffer.");
                                                                          								L67:
                                                                          								_push(_t247);
                                                                          								goto L68;
                                                                          							}
                                                                          							_t111 = 0x5a4d;
                                                                          							_t17 =  &_v72; // 0x9435c
                                                                          							if(0x5a4d !=  *_t17) {
                                                                          								goto L66;
                                                                          							}
                                                                          							_push(0);
                                                                          							asm("cdq");
                                                                          							_t117 = SetFilePointerEx( *_t223, _v12.LowPart, _t243, 0); // executed
                                                                          							if(_t117 != 0) {
                                                                          								_t120 = ReadFile( *_t223,  &_v320, 0x18,  &_v364, 0); // executed
                                                                          								if(_t120 != 0) {
                                                                          									if(_v364 < 0x18 || _v320 != 0x4550) {
                                                                          										_t247 = 0x8007000d;
                                                                          										_t252 = 0x8007000d;
                                                                          										E000937D3(_t120, "section.cpp", 0x64, 0x8007000d);
                                                                          										_push("Failed to find valid NT image header in buffer.");
                                                                          										goto L67;
                                                                          									} else {
                                                                          										_t24 = _v12.LowPart + 0x58; // 0x58
                                                                          										_t123 = _v12.LowPart + 0x98;
                                                                          										_v388 = _t24;
                                                                          										_push(0);
                                                                          										_v392.LowPart = _t123;
                                                                          										_t124 = SetFilePointerEx( *_t223, _t123, 0, 0); // executed
                                                                          										if(_t124 != 0) {
                                                                          											if(ReadFile( *_t223,  &_v376, 4,  &_v364, 0) != 0) {
                                                                          												if(ReadFile( *_t223,  &_v380, 4,  &_v364, 0) != 0) {
                                                                          													_push(0);
                                                                          													_t133 = SetFilePointerEx( *_t223, _v12 + (_v300 & 0x0000ffff) + 0x18, 0, 0); // executed
                                                                          													if(_t133 != 0) {
                                                                          														_t247 = 0;
                                                                          														_v384 = 0;
                                                                          														if(ReadFile( *_t223,  &_v360, 0x28,  &_v364, 0) == 0) {
                                                                          															L63:
                                                                          															_t137 = GetLastError();
                                                                          															_t255 =  <=  ? _t137 : _t137 & 0x0000ffff | 0x80070000;
                                                                          															_t252 =  >=  ? 0x80004005 :  <=  ? _t137 : _t137 & 0x0000ffff | 0x80070000;
                                                                          															E000937D3(0x80004005, "section.cpp", 0x8d, _t252);
                                                                          															_push(_t247);
                                                                          															_push("Failed to read image section header, index: %u");
                                                                          															_push(_t252);
                                                                          															L64:
                                                                          															E000D012F();
                                                                          															goto L69;
                                                                          														}
                                                                          														_t237 = 1;
                                                                          														while(_v364 >= 0x28) {
                                                                          															_t142 =  &_v360;
                                                                          															if( *_t142 != 0x7869772e ||  *((intOrPtr*)(_t142 + 4)) != 0x6e727562) {
                                                                          																_t143 = _v314 & 0x0000ffff;
                                                                          																if(_t237 >= (_v314 & 0x0000ffff)) {
                                                                          																	_t248 = 0x8007000d;
                                                                          																	_t252 = 0x8007000d;
                                                                          																	E000937D3(_t143, "section.cpp", 0xa0, 0x8007000d);
                                                                          																	_push("Failed to find Burn section.");
                                                                          																	goto L57;
                                                                          																}
                                                                          																_t247 = _t247 + 1;
                                                                          																_v384 = _t247;
                                                                          																_v372 = _t237 + 1;
                                                                          																if(ReadFile( *_t223,  &_v360, 0x28,  &_v364, 0) == 0) {
                                                                          																	goto L63;
                                                                          																}
                                                                          																_t237 = _v372;
                                                                          																continue;
                                                                          															} else {
                                                                          																if(_v344 >= 0x34) {
                                                                          																	_t247 = E000938D4(_v344, 1);
                                                                          																	_v368 = _t247;
                                                                          																	if(_t247 != 0) {
                                                                          																		_push(0);
                                                                          																		_t151 = SetFilePointerEx( *_t223, _v340.LowPart, 0, 0); // executed
                                                                          																		if(_t151 != 0) {
                                                                          																			_v372 = _v340 + 0x1c;
                                                                          																			if(ReadFile( *_t223, _t247, _v344,  &_v364, 0) != 0) {
                                                                          																				_t156 = _v344;
                                                                          																				if(_v344 <= _v364) {
                                                                          																					if( *((intOrPtr*)(_t247 + 4)) == 2) {
                                                                          																						if(E000D48CB(_t237,  *((intOrPtr*)(_t223 + 4)),  &_v400) >= 0) {
                                                                          																							_t243 =  *(_t247 + 0x18);
                                                                          																							 *(_t223 + 8) = _t243;
                                                                          																							if( *((intOrPtr*)(_t247 + 0x20)) == 0) {
                                                                          																								_t241 = _v376;
                                                                          																								if(_t241 == 0) {
                                                                          																									_t160 =  *((intOrPtr*)(_t247 + 0x30)) + _t243;
                                                                          																								} else {
                                                                          																									_t160 = _v380 + _t241;
                                                                          																								}
                                                                          																							} else {
                                                                          																								_t160 =  *((intOrPtr*)(_t247 + 0x24)) +  *((intOrPtr*)(_t247 + 0x20));
                                                                          																							}
                                                                          																							 *((intOrPtr*)(_t223 + 0xc)) = _t160;
                                                                          																							 *((intOrPtr*)(_t223 + 0x10)) = _v400;
                                                                          																							 *((intOrPtr*)(_t223 + 0x14)) = _v396;
                                                                          																							 *((intOrPtr*)(_t223 + 0x18)) = _v388;
                                                                          																							 *(_t223 + 0x1c) = _v392;
                                                                          																							 *((intOrPtr*)(_t223 + 0x20)) = _v372;
                                                                          																							 *((intOrPtr*)(_t223 + 0x24)) =  *((intOrPtr*)(_t247 + 0x1c));
                                                                          																							 *((intOrPtr*)(_t223 + 0x28)) =  *((intOrPtr*)(_t247 + 0x20));
                                                                          																							 *((intOrPtr*)(_t223 + 0x2c)) =  *((intOrPtr*)(_t247 + 0x24));
                                                                          																							 *((intOrPtr*)(_t223 + 0x30)) =  *((intOrPtr*)(_t247 + 0x28));
                                                                          																							 *(_t223 + 0x34) =  *(_t247 + 0x2c);
                                                                          																							_t242 = E000938D4( *(_t247 + 0x2c) << 2, 1);
                                                                          																							 *((intOrPtr*)(_t223 + 0x38)) = _t242;
                                                                          																							if(_t242 != 0) {
                                                                          																								_t93 = _t247 + 0x30; // 0x30
                                                                          																								E000BF0F0(_t242, _t93,  *(_t223 + 0x34) << 2);
                                                                          																								_t94 = _t247 + 8; // 0x8
                                                                          																								_t252 = E0009B106(_t94);
                                                                          																								if(_t252 >= 0) {
                                                                          																									goto L59;
                                                                          																								}
                                                                          																								E000937D3(_t178, "section.cpp", 0xf5, _t252);
                                                                          																								_push("PE Header from file didn\'t match PE Header in memory.");
                                                                          																								L37:
                                                                          																								_push(_t252);
                                                                          																								goto L38;
                                                                          																							} else {
                                                                          																								_t223 = 0x8007000e;
                                                                          																								_t252 = 0x8007000e;
                                                                          																								E000937D3(_t172, "section.cpp", 0xef, 0x8007000e);
                                                                          																								_push("Failed to allocate memory for container sizes.");
                                                                          																								_push(0x8007000e);
                                                                          																								L38:
                                                                          																								E000D012F();
                                                                          																								L58:
                                                                          																								L59:
                                                                          																								if(_t247 != 0) {
                                                                          																									E00093999(_t247);
                                                                          																								}
                                                                          																								goto L69;
                                                                          																							}
                                                                          																						}
                                                                          																						_push("Failed to get total size of bundle.");
                                                                          																						goto L37;
                                                                          																					}
                                                                          																					_t252 = 0x8007000d;
                                                                          																					E000937D3(_t156, "section.cpp", 0xcc, 0x8007000d);
                                                                          																					E000D012F(0x8007000d, "Failed to read section info, unsupported version: %08x", _v368->LowPart.HighPart);
                                                                          																					_t247 = _v368;
                                                                          																					goto L59;
                                                                          																				}
                                                                          																				_t248 = 0x8007000d;
                                                                          																				_t252 = 0x8007000d;
                                                                          																				E000937D3(_t156, "section.cpp", 0xc5, 0x8007000d);
                                                                          																				_push("Failed to read complete section info.");
                                                                          																				L57:
                                                                          																				_push(_t248);
                                                                          																				E000D012F();
                                                                          																				_t247 = _v368;
                                                                          																				goto L58;
                                                                          																			}
                                                                          																			_t188 = GetLastError();
                                                                          																			_t259 =  <=  ? _t188 : _t188 & 0x0000ffff | 0x80070000;
                                                                          																			_t252 =  >=  ? 0x80004005 :  <=  ? _t188 : _t188 & 0x0000ffff | 0x80070000;
                                                                          																			E000937D3(0x80004005, "section.cpp", 0xc0, _t252);
                                                                          																			_push("Failed to read section info.");
                                                                          																			goto L37;
                                                                          																		}
                                                                          																		_t191 = GetLastError();
                                                                          																		_t262 =  <=  ? _t191 : _t191 & 0x0000ffff | 0x80070000;
                                                                          																		_t252 =  >=  ? 0x80004005 :  <=  ? _t191 : _t191 & 0x0000ffff | 0x80070000;
                                                                          																		E000937D3(0x80004005, "section.cpp", 0xb7, _t252);
                                                                          																		_push("Failed to seek to section info.");
                                                                          																		goto L37;
                                                                          																	}
                                                                          																	_t223 = 0x8007000e;
                                                                          																	_t252 = 0x8007000e;
                                                                          																	E000937D3(_t149, "section.cpp", 0xb1, 0x8007000e);
                                                                          																	_push("Failed to allocate buffer for section info.");
                                                                          																	_push(0x8007000e);
                                                                          																	goto L68;
                                                                          																}
                                                                          																_t247 = 0x8007000d;
                                                                          																_t252 = 0x8007000d;
                                                                          																E000937D3(_t142, "section.cpp", 0xac, 0x8007000d);
                                                                          																_push(_v344);
                                                                          																_push("Failed to read section info, data to short: %u");
                                                                          																L62:
                                                                          																_push(_t247);
                                                                          																goto L64;
                                                                          															}
                                                                          														}
                                                                          														_t247 = 0x8007000d;
                                                                          														_t252 = 0x8007000d;
                                                                          														E000937D3(_t136, "section.cpp", 0x92, 0x8007000d);
                                                                          														_push(_v384);
                                                                          														_push("Failed to read complete image section header, index: %u");
                                                                          														goto L62;
                                                                          													}
                                                                          													_t196 = GetLastError();
                                                                          													_t265 =  <=  ? _t196 : _t196 & 0x0000ffff | 0x80070000;
                                                                          													_t252 =  >=  ? 0x80004005 :  <=  ? _t196 : _t196 & 0x0000ffff | 0x80070000;
                                                                          													E000937D3(0x80004005, "section.cpp", 0x84, _t252);
                                                                          													_push("Failed to seek past optional headers.");
                                                                          													goto L2;
                                                                          												}
                                                                          												_t199 = GetLastError();
                                                                          												_t268 =  <=  ? _t199 : _t199 & 0x0000ffff | 0x80070000;
                                                                          												_t252 =  >=  ? 0x80004005 :  <=  ? _t199 : _t199 & 0x0000ffff | 0x80070000;
                                                                          												E000937D3(0x80004005, "section.cpp", 0x79, _t252);
                                                                          												_push("Failed to read signature size.");
                                                                          												goto L2;
                                                                          											}
                                                                          											_t202 = GetLastError();
                                                                          											_t271 =  <=  ? _t202 : _t202 & 0x0000ffff | 0x80070000;
                                                                          											_t252 =  >=  ? 0x80004005 :  <=  ? _t202 : _t202 & 0x0000ffff | 0x80070000;
                                                                          											E000937D3(0x80004005, "section.cpp", 0x74, _t252);
                                                                          											_push("Failed to read signature offset.");
                                                                          											goto L2;
                                                                          										}
                                                                          										_t205 = GetLastError();
                                                                          										_t274 =  <=  ? _t205 : _t205 & 0x0000ffff | 0x80070000;
                                                                          										_t252 =  >=  ? 0x80004005 :  <=  ? _t205 : _t205 & 0x0000ffff | 0x80070000;
                                                                          										E000937D3(0x80004005, "section.cpp", 0x6f, _t252);
                                                                          										_push("Failed to seek to section info.");
                                                                          										goto L2;
                                                                          									}
                                                                          								}
                                                                          								_t208 = GetLastError();
                                                                          								_t277 =  <=  ? _t208 : _t208 & 0x0000ffff | 0x80070000;
                                                                          								_t252 =  >=  ? 0x80004005 :  <=  ? _t208 : _t208 & 0x0000ffff | 0x80070000;
                                                                          								E000937D3(0x80004005, "section.cpp", 0x5f, _t252);
                                                                          								_push("Failed to read NT header.");
                                                                          								goto L2;
                                                                          							}
                                                                          							_t211 = GetLastError();
                                                                          							_t280 =  <=  ? _t211 : _t211 & 0x0000ffff | 0x80070000;
                                                                          							_t252 =  >=  ? 0x80004005 :  <=  ? _t211 : _t211 & 0x0000ffff | 0x80070000;
                                                                          							E000937D3(0x80004005, "section.cpp", 0x59, _t252);
                                                                          							_push("Failed to seek to NT header.");
                                                                          							goto L2;
                                                                          						}
                                                                          						_t214 = GetLastError();
                                                                          						_t283 =  <=  ? _t214 : _t214 & 0x0000ffff | 0x80070000;
                                                                          						_t252 =  >=  ? 0x80004005 :  <=  ? _t214 : _t214 & 0x0000ffff | 0x80070000;
                                                                          						E000937D3(0x80004005, "section.cpp", 0x49, _t252);
                                                                          						_push("Failed to read DOS header.");
                                                                          						goto L2;
                                                                          					}
                                                                          					_t217 = GetLastError();
                                                                          					_t286 =  <=  ? _t217 : _t217 & 0x0000ffff | 0x80070000;
                                                                          					_t252 =  >=  ? 0x80004005 :  <=  ? _t217 : _t217 & 0x0000ffff | 0x80070000;
                                                                          					E000937D3(0x80004005, "section.cpp", 0x43, _t252);
                                                                          					_push("Failed to seek to start of file.");
                                                                          					goto L2;
                                                                          				} else {
                                                                          					_t220 = GetLastError();
                                                                          					_t289 =  <=  ? _t220 : _t220 & 0x0000ffff | 0x80070000;
                                                                          					_t252 =  >=  ? 0x80004005 :  <=  ? _t220 : _t220 & 0x0000ffff | 0x80070000;
                                                                          					E000937D3(0x80004005, "section.cpp", 0x3a, _t252);
                                                                          					_push("Failed to open handle to engine process path.");
                                                                          					L2:
                                                                          					_push(_t252);
                                                                          					L68:
                                                                          					E000D012F();
                                                                          					L69:
                                                                          					return E000BDE36(_t223, _v8 ^ _t290, _t243, _t247, _t252);
                                                                          				}
                                                                          			}

                                                                          APIs
                                                                          • GetLastError.KERNEL32(?,?,?,00000000,77639EB0,00000000), ref: 0009B3FF
                                                                          • SetFilePointerEx.KERNELBASE(000000FF,00000000,00000000,00000000,00000000,?,?,?,00000000,77639EB0,00000000), ref: 0009B44C
                                                                          • GetLastError.KERNEL32(?,?,?,00000000,77639EB0,00000000), ref: 0009B452
                                                                          • ReadFile.KERNELBASE(00000000,\CH,00000040,?,00000000,?,?,?,00000000,77639EB0,00000000), ref: 0009B49A
                                                                          • GetLastError.KERNEL32(?,?,?,00000000,77639EB0,00000000), ref: 0009B4A0
                                                                          • SetFilePointerEx.KERNELBASE(00000000,00000000,?,00000000,00000000,?,?,?,00000000,77639EB0,00000000), ref: 0009B4FD
                                                                          • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,77639EB0,00000000), ref: 0009B503
                                                                          • ReadFile.KERNELBASE(00000000,?,00000018,00000040,00000000,?,00000000,00000000,?,?,?,00000000,77639EB0,00000000), ref: 0009B54C
                                                                          • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,77639EB0,00000000), ref: 0009B552
                                                                          • SetFilePointerEx.KERNELBASE(00000000,-00000098,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,77639EB0,00000000), ref: 0009B5C3
                                                                          • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,77639EB0,00000000), ref: 0009B5C9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast$File$Pointer$Read
                                                                          • String ID: ($.wix$4$@Mt$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get total size of bundle.$Failed to open handle to engine process path.$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$PE$PE Header from file didn't match PE Header in memory.$\CH$burn$section.cpp
                                                                          • API String ID: 2600052162-2735846750
                                                                          • Opcode ID: 67760ad8dc4e9205606c6c274a62880a313ba47440e8079cbf8a75f5dde4a224
                                                                          • Instruction ID: 905f1b4d7de62d0942ff6a9ee680b8eb82dd140ff0e160ca9d60a862d63f845d
                                                                          • Opcode Fuzzy Hash: 67760ad8dc4e9205606c6c274a62880a313ba47440e8079cbf8a75f5dde4a224
                                                                          • Instruction Fuzzy Hash: C112A271A40325ABEF30AA65DD45FAB76E9EF04710F014166FE09EB281DB748D40EBB1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 545 b0a77-b0a90 SetEvent 546 b0aca-b0ad6 WaitForSingleObject 545->546 547 b0a92-b0ac5 call 937d3 545->547 548 b0ad8-b0b0b call 937d3 546->548 549 b0b10-b0b1b ResetEvent 546->549 565 b0e25-b0e26 call d012f 547->565 548->565 551 b0b1d-b0b50 call 937d3 549->551 552 b0b55-b0b5b 549->552 551->565 553 b0b5d-b0b60 552->553 554 b0b96-b0baf call 921bc 552->554 558 b0b8c-b0b91 553->558 559 b0b62-b0b87 call 937d3 call d012f 553->559 573 b0bca-b0bd5 SetEvent 554->573 574 b0bb1-b0bc5 call d012f 554->574 566 b0e2d-b0e2f 558->566 579 b0e2b-b0e2c 559->579 565->579 572 b0e30-b0e40 566->572 576 b0c00-b0c0c WaitForSingleObject 573->576 577 b0bd7-b0bf6 573->577 574->566 581 b0c0e-b0c2d 576->581 582 b0c37-b0c42 ResetEvent 576->582 577->576 579->566 581->582 585 b0c6d-b0c74 582->585 586 b0c44-b0c63 582->586 587 b0ce3-b0d05 CreateFileW 585->587 588 b0c76-b0c79 585->588 586->585 590 b0d42-b0d57 SetFilePointerEx 587->590 591 b0d07-b0d38 call 937d3 587->591 592 b0c7b-b0c7e 588->592 593 b0ca0-b0ca7 call 938d4 588->593 597 b0d59-b0d8c call 937d3 590->597 598 b0d91-b0d9c SetEndOfFile 590->598 591->590 595 b0c99-b0c9b 592->595 596 b0c80-b0c83 592->596 602 b0cac-b0cb1 593->602 595->572 596->558 601 b0c89-b0c8f 596->601 597->565 603 b0d9e-b0dd1 call 937d3 598->603 604 b0dd3-b0df0 SetFilePointerEx 598->604 601->595 608 b0cb3-b0ccd call 937d3 602->608 609 b0cd2-b0cde 602->609 603->565 604->566 606 b0df2-b0e20 call 937d3 604->606 606->565 608->565 609->566
                                                                          C-Code - Quality: 54%
                                                                          			E000B0A77(void* __ecx, union _LARGE_INTEGER* __edx, intOrPtr _a4, union _LARGE_INTEGER* _a8) {
                                                                          				union _LARGE_INTEGER* _v8;
                                                                          				union _LARGE_INTEGER _v12;
                                                                          				int _t30;
                                                                          				void* _t34;
                                                                          				intOrPtr _t42;
                                                                          				void* _t50;
                                                                          				signed short _t52;
                                                                          				signed short _t56;
                                                                          				signed short _t59;
                                                                          				signed short _t62;
                                                                          				void* _t66;
                                                                          				intOrPtr _t68;
                                                                          				void* _t72;
                                                                          				signed short _t76;
                                                                          				void* _t77;
                                                                          				signed short _t79;
                                                                          				void* _t80;
                                                                          				signed short _t82;
                                                                          				void* _t83;
                                                                          				signed short _t86;
                                                                          				signed short _t87;
                                                                          				signed short _t88;
                                                                          				signed int _t89;
                                                                          				long _t90;
                                                                          				signed int _t93;
                                                                          				void* _t95;
                                                                          				union _LARGE_INTEGER* _t98;
                                                                          				intOrPtr _t100;
                                                                          				signed int _t103;
                                                                          
                                                                          				_t98 = __edx;
                                                                          				_push(_t89);
                                                                          				_t100 = _a4;
                                                                          				_t30 = SetEvent( *(_t100 + 0x28));
                                                                          				_t90 = _t89 | 0xffffffff;
                                                                          				if(_t30 != 0) {
                                                                          					if(WaitForSingleObject( *(_t100 + 0x24), _t90) != _t90) {
                                                                          						if(ResetEvent( *(_t100 + 0x24)) != 0) {
                                                                          							_t34 =  *((intOrPtr*)(_t100 + 0x2c)) - 1;
                                                                          							if(_t34 == 0) {
                                                                          								_t103 = E000921BC(_t98,  *((intOrPtr*)(_t100 + 0x34)), _a8->LowPart.HighPart, 0, 0xfde9);
                                                                          								if(_t103 >= 0) {
                                                                          									if(SetEvent( *(_t100 + 0x28)) != 0) {
                                                                          										if(WaitForSingleObject( *(_t100 + 0x24), _t90) != _t90) {
                                                                          											if(ResetEvent( *(_t100 + 0x24)) != 0) {
                                                                          												_t42 =  *((intOrPtr*)(_t100 + 0x2c));
                                                                          												if(_t42 == 0) {
                                                                          													_t95 = CreateFileW( *(_t100 + 0x38), 0x40000000, 1, 0, 2, 0x80, 0);
                                                                          													 *(_t100 + 0x3c) = _t95;
                                                                          													if(_t95 != _t90) {
                                                                          														_push(0);
                                                                          														asm("cdq");
                                                                          														if(SetFilePointerEx(_t95,  *_a8, _t98, 0) != 0) {
                                                                          															if(SetEndOfFile( *(_t100 + 0x3c)) != 0) {
                                                                          																_push(0);
                                                                          																asm("xorps xmm0, xmm0");
                                                                          																asm("movlpd [ebp-0x8], xmm0");
                                                                          																if(SetFilePointerEx( *(_t100 + 0x3c), _v12, _v8, 0) == 0) {
                                                                          																	_t52 = GetLastError();
                                                                          																	_t107 =  <=  ? _t52 : _t52 & 0x0000ffff | 0x80070000;
                                                                          																	_t103 =  >=  ? 0x80004005 :  <=  ? _t52 : _t52 & 0x0000ffff | 0x80070000;
                                                                          																	E000937D3(0x80004005, "cabextract.cpp", 0x24f, _t103);
                                                                          																	_push("Failed to set file pointer to beginning of file.");
                                                                          																	goto L40;
                                                                          																}
                                                                          															} else {
                                                                          																_t56 = GetLastError();
                                                                          																_t110 =  <=  ? _t56 : _t56 & 0x0000ffff | 0x80070000;
                                                                          																_t103 =  >=  ? 0x80004005 :  <=  ? _t56 : _t56 & 0x0000ffff | 0x80070000;
                                                                          																E000937D3(0x80004005, "cabextract.cpp", 0x249, _t103);
                                                                          																_push("Failed to set end of file.");
                                                                          																goto L40;
                                                                          															}
                                                                          														} else {
                                                                          															_t59 = GetLastError();
                                                                          															_t113 =  <=  ? _t59 : _t59 & 0x0000ffff | 0x80070000;
                                                                          															_t103 =  >=  ? 0x80004005 :  <=  ? _t59 : _t59 & 0x0000ffff | 0x80070000;
                                                                          															E000937D3(0x80004005, "cabextract.cpp", 0x244, _t103);
                                                                          															_push("Failed to set file pointer to end of file.");
                                                                          															goto L40;
                                                                          														}
                                                                          													} else {
                                                                          														_t62 = GetLastError();
                                                                          														_t116 =  <=  ? _t62 : _t62 & 0x0000ffff | 0x80070000;
                                                                          														_t103 =  >=  ? 0x80004005 :  <=  ? _t62 : _t62 & 0x0000ffff | 0x80070000;
                                                                          														E000937D3(0x80004005, "cabextract.cpp", 0x23d, _t103);
                                                                          														_push( *(_t100 + 0x38));
                                                                          														_push("Failed to create file: %ls");
                                                                          														goto L16;
                                                                          													}
                                                                          													goto L42;
                                                                          												} else {
                                                                          													_t66 = _t42 - 1;
                                                                          													if(_t66 == 0) {
                                                                          														_t68 = E000938D4( *_a8, 1); // executed
                                                                          														 *((intOrPtr*)(_t100 + 0x40)) = _t68;
                                                                          														if(_t68 != 0) {
                                                                          															 *(_t100 + 0x48) =  *(_t100 + 0x48) & 0x00000000;
                                                                          															 *(_t100 + 0x44) =  *_a8;
                                                                          														} else {
                                                                          															_t103 = 0x8007000e;
                                                                          															E000937D3(_t68, "cabextract.cpp", 0x257, 0x8007000e);
                                                                          															_push("Failed to allocate buffer for stream.");
                                                                          															goto L40;
                                                                          														}
                                                                          														goto L42;
                                                                          													} else {
                                                                          														_t72 = _t66 - 1;
                                                                          														if(_t72 == 0) {
                                                                          															_t50 = 0;
                                                                          														} else {
                                                                          															_t73 = _t72 == 1;
                                                                          															if(_t72 == 1) {
                                                                          																goto L13;
                                                                          															} else {
                                                                          																_t93 = 0x8007139f;
                                                                          																_push(0x8007139f);
                                                                          																_push(0x268);
                                                                          																goto L12;
                                                                          															}
                                                                          															goto L42;
                                                                          														}
                                                                          													}
                                                                          												}
                                                                          											} else {
                                                                          												_t76 = GetLastError();
                                                                          												_t119 =  <=  ? _t76 : _t76 & 0x0000ffff | 0x80070000;
                                                                          												_t77 = 0x80004005;
                                                                          												_t103 =  >=  ? 0x80004005 :  <=  ? _t76 : _t76 & 0x0000ffff | 0x80070000;
                                                                          												_push(_t103);
                                                                          												_push(0x232);
                                                                          												goto L8;
                                                                          											}
                                                                          										} else {
                                                                          											_t79 = GetLastError();
                                                                          											_t122 =  <=  ? _t79 : _t79 & 0x0000ffff | 0x80070000;
                                                                          											_t80 = 0x80004005;
                                                                          											_t103 =  >=  ? 0x80004005 :  <=  ? _t79 : _t79 & 0x0000ffff | 0x80070000;
                                                                          											_push(_t103);
                                                                          											_push(0x22d);
                                                                          											goto L5;
                                                                          										}
                                                                          									} else {
                                                                          										_t82 = GetLastError();
                                                                          										_t125 =  <=  ? _t82 : _t82 & 0x0000ffff | 0x80070000;
                                                                          										_t83 = 0x80004005;
                                                                          										_t103 =  >=  ? 0x80004005 :  <=  ? _t82 : _t82 & 0x0000ffff | 0x80070000;
                                                                          										_push(_t103);
                                                                          										_push(0x227);
                                                                          										goto L2;
                                                                          									}
                                                                          								} else {
                                                                          									_push(_a8->LowPart.HighPart);
                                                                          									_push("Failed to copy stream name: %ls");
                                                                          									L16:
                                                                          									_push(_t103);
                                                                          									E000D012F();
                                                                          									goto L42;
                                                                          								}
                                                                          							} else {
                                                                          								_t73 = _t34 == 4;
                                                                          								if(_t34 == 4) {
                                                                          									L13:
                                                                          									_t103 = 0x80004004;
                                                                          								} else {
                                                                          									_t93 = 0x8007139f;
                                                                          									_push(0x8007139f);
                                                                          									_push(0x21d);
                                                                          									L12:
                                                                          									_t103 = _t93;
                                                                          									E000937D3(_t73);
                                                                          									E000D012F(_t93, "Invalid operation for this state.", "cabextract.cpp");
                                                                          									_t90 = _t93 | 0xffffffff;
                                                                          									goto L41;
                                                                          								}
                                                                          								goto L42;
                                                                          							}
                                                                          						} else {
                                                                          							_t86 = GetLastError();
                                                                          							_t128 =  <=  ? _t86 : _t86 & 0x0000ffff | 0x80070000;
                                                                          							_t77 = 0x80004005;
                                                                          							_t103 =  >=  ? 0x80004005 :  <=  ? _t86 : _t86 & 0x0000ffff | 0x80070000;
                                                                          							_push(_t103);
                                                                          							_push(0x20f);
                                                                          							L8:
                                                                          							_push("cabextract.cpp");
                                                                          							E000937D3(_t77);
                                                                          							_push("Failed to reset begin operation event.");
                                                                          							goto L40;
                                                                          						}
                                                                          					} else {
                                                                          						_t87 = GetLastError();
                                                                          						_t131 =  <=  ? _t87 : _t87 & 0x0000ffff | 0x80070000;
                                                                          						_t80 = 0x80004005;
                                                                          						_t103 =  >=  ? 0x80004005 :  <=  ? _t87 : _t87 & 0x0000ffff | 0x80070000;
                                                                          						_push(_t103);
                                                                          						_push(0x20a);
                                                                          						L5:
                                                                          						_push("cabextract.cpp");
                                                                          						E000937D3(_t80);
                                                                          						_push("Failed to wait for begin operation event.");
                                                                          						goto L40;
                                                                          					}
                                                                          				} else {
                                                                          					_t88 = GetLastError();
                                                                          					_t134 =  <=  ? _t88 : _t88 & 0x0000ffff | 0x80070000;
                                                                          					_t83 = 0x80004005;
                                                                          					_t103 =  >=  ? 0x80004005 :  <=  ? _t88 : _t88 & 0x0000ffff | 0x80070000;
                                                                          					_push(_t103);
                                                                          					_push(0x204);
                                                                          					L2:
                                                                          					_push("cabextract.cpp");
                                                                          					E000937D3(_t83);
                                                                          					_push("Failed to set operation complete event.");
                                                                          					L40:
                                                                          					_push(_t103);
                                                                          					E000D012F();
                                                                          					L41:
                                                                          					L42:
                                                                          					_t50 = 1;
                                                                          				}
                                                                          				 *(_t100 + 0x30) = _t103;
                                                                          				_t91 =  >=  ? _t50 : _t90;
                                                                          				return  >=  ? _t50 : _t90;
                                                                          			}
































                                                                          0x000b0c76
                                                                          0x000b0c79
                                                                          0x000b0ca7
                                                                          0x000b0cac
                                                                          0x000b0cb1
                                                                          0x000b0cd7
                                                                          0x000b0cdb
                                                                          0x000b0cb3
                                                                          0x000b0cb3
                                                                          0x000b0cc3
                                                                          0x000b0cc8
                                                                          0x00000000
                                                                          0x000b0cc8
                                                                          0x00000000
                                                                          0x000b0c7b
                                                                          0x000b0c7b
                                                                          0x000b0c7e
                                                                          0x000b0c99
                                                                          0x000b0c80
                                                                          0x000b0c80
                                                                          0x000b0c83
                                                                          0x00000000
                                                                          0x000b0c89
                                                                          0x000b0c89
                                                                          0x000b0c8e
                                                                          0x000b0c8f
                                                                          0x00000000
                                                                          0x000b0c8f
                                                                          0x00000000
                                                                          0x000b0c83
                                                                          0x000b0c7e
                                                                          0x000b0c79
                                                                          0x000b0c44
                                                                          0x000b0c44
                                                                          0x000b0c55
                                                                          0x000b0c58
                                                                          0x000b0c5f
                                                                          0x000b0c62
                                                                          0x000b0c63
                                                                          0x00000000
                                                                          0x000b0c63
                                                                          0x000b0c0e
                                                                          0x000b0c0e
                                                                          0x000b0c1f
                                                                          0x000b0c22
                                                                          0x000b0c29
                                                                          0x000b0c2c
                                                                          0x000b0c2d
                                                                          0x00000000
                                                                          0x000b0c2d
                                                                          0x000b0bd7
                                                                          0x000b0bd7
                                                                          0x000b0be8
                                                                          0x000b0beb
                                                                          0x000b0bf2
                                                                          0x000b0bf5
                                                                          0x000b0bf6
                                                                          0x00000000
                                                                          0x000b0bf6
                                                                          0x000b0bb1
                                                                          0x000b0bb4
                                                                          0x000b0bb7
                                                                          0x000b0bbc
                                                                          0x000b0bbc
                                                                          0x000b0bbd
                                                                          0x00000000
                                                                          0x000b0bc2
                                                                          0x000b0b5d
                                                                          0x000b0b5d
                                                                          0x000b0b60
                                                                          0x000b0b8c
                                                                          0x000b0b8c
                                                                          0x000b0b62
                                                                          0x000b0b62
                                                                          0x000b0b67
                                                                          0x000b0b68
                                                                          0x000b0b6d
                                                                          0x000b0b72
                                                                          0x000b0b74
                                                                          0x000b0b7f
                                                                          0x000b0b84
                                                                          0x00000000
                                                                          0x000b0b84
                                                                          0x00000000
                                                                          0x000b0b60
                                                                          0x000b0b1d
                                                                          0x000b0b1d
                                                                          0x000b0b2e
                                                                          0x000b0b31
                                                                          0x000b0b38
                                                                          0x000b0b3b
                                                                          0x000b0b3c
                                                                          0x000b0b41
                                                                          0x000b0b41
                                                                          0x000b0b46
                                                                          0x000b0b4b
                                                                          0x00000000
                                                                          0x000b0b4b
                                                                          0x000b0ad8
                                                                          0x000b0ad8
                                                                          0x000b0ae9
                                                                          0x000b0aec
                                                                          0x000b0af3
                                                                          0x000b0af6
                                                                          0x000b0af7
                                                                          0x000b0afc
                                                                          0x000b0afc
                                                                          0x000b0b01
                                                                          0x000b0b06
                                                                          0x00000000
                                                                          0x000b0b06
                                                                          0x000b0a92
                                                                          0x000b0a92
                                                                          0x000b0aa3
                                                                          0x000b0aa6
                                                                          0x000b0aad
                                                                          0x000b0ab0
                                                                          0x000b0ab1
                                                                          0x000b0ab6
                                                                          0x000b0ab6
                                                                          0x000b0abb
                                                                          0x000b0ac0
                                                                          0x000b0e25
                                                                          0x000b0e25
                                                                          0x000b0e26
                                                                          0x000b0e2b
                                                                          0x000b0e2d
                                                                          0x000b0e2f
                                                                          0x000b0e2f
                                                                          0x000b0e32
                                                                          0x000b0e36
                                                                          0x000b0e40

                                                                          APIs
                                                                          • SetEvent.KERNEL32(?,?,?,?,00000000,00000000,?,000B0621,?,?), ref: 000B0A85
                                                                          • GetLastError.KERNEL32(?,?,?,00000000,00000000,?,000B0621,?,?), ref: 000B0A92
                                                                          • WaitForSingleObject.KERNEL32(?,?,?,?,?,00000000,00000000,?,000B0621,?,?), ref: 000B0ACE
                                                                          • GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,000B0621,?,?), ref: 000B0AD8
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast$EventObjectSingleWait
                                                                          • String ID: @Mt$Failed to allocate buffer for stream.$Failed to copy stream name: %ls$Failed to create file: %ls$Failed to reset begin operation event.$Failed to set end of file.$Failed to set file pointer to beginning of file.$Failed to set file pointer to end of file.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
                                                                          • API String ID: 3600396749-1373155927
                                                                          • Opcode ID: cbece43df3076afa560a78a2959e28ddc3e4d4f943fedb1b4f477bd1c29531a5
                                                                          • Instruction ID: e260e06ad77a592a9877557d10f169ec90e42d3e44fe8bd6d96bbc7a4b65a487
                                                                          • Opcode Fuzzy Hash: cbece43df3076afa560a78a2959e28ddc3e4d4f943fedb1b4f477bd1c29531a5
                                                                          • Instruction Fuzzy Hash: B8911272B80721FFF7205A7A8D49BAB7AD4EF08750F024226BE15FA5E0D765DC0086E1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          [Figure: control-flow graph of the function at 0009508D; legend: Executed / Not Executed]
                                                                          C-Code - Quality: 69%
                                                                          			E0009508D(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, signed short* _a20) {
                                                                          				signed int _v8;
                                                                          				signed short _v16;
                                                                          				struct _OSVERSIONINFOW _v292;
                                                                          				signed int _v296;
                                                                          				intOrPtr _v304;
                                                                          				signed short _v308;
                                                                          				intOrPtr _v312;
                                                                          				WCHAR* _v316;
                                                                          				WCHAR* _v320;
                                                                          				WCHAR* _v324;
                                                                          				WCHAR* _v328;
                                                                          				signed short* _v332;
                                                                          				char _v340;
                                                                          				char _v344;
                                                                          				signed short _v420;
                                                                          				intOrPtr _v576;
                                                                          				intOrPtr _v1316;
                                                                          				char _v1332;
                                                                          				signed short _v1340;
                                                                          				char _v1404;
                                                                          				intOrPtr _v1532;
                                                                          				intOrPtr _v1544;
                                                                          				signed short _v1564;
                                                                          				char _v1588;
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				void* __ebp;
                                                                          				signed int _t70;
                                                                          				void* _t83;
                                                                          				signed short _t85;
                                                                          				signed short _t87;
                                                                          				signed short _t88;
                                                                          				signed short _t89;
                                                                          				signed short _t90;
                                                                          				signed short _t91;
                                                                          				signed short _t93;
                                                                          				signed short _t99;
                                                                          				signed short _t101;
                                                                          				signed short _t103;
                                                                          				intOrPtr _t124;
                                                                          				signed short _t131;
                                                                          				signed short _t134;
                                                                          				signed short _t137;
                                                                          				signed short _t144;
                                                                          				signed short _t148;
                                                                          				void* _t149;
                                                                          				void* _t156;
                                                                          				signed short _t159;
                                                                          				signed short _t162;
                                                                          				signed short _t167;
                                                                          				signed short _t170;
                                                                          				signed int _t171;
                                                                          				void* _t172;
                                                                          				void* _t173;
                                                                          
                                                                          				_t156 = __edx;
                                                                          				_t149 = __ecx;
                                                                          				_t70 =  *0xfa008; // 0x90c8e23b
                                                                          				_v8 = _t70 ^ _t171;
                                                                          				_t148 = 0;
                                                                          				_t157 = _a8;
                                                                          				_v304 = _a4;
                                                                          				_v332 = _a20;
                                                                          				_v312 = _a12;
                                                                          				_v328 = 0;
                                                                          				_v324 = 0;
                                                                          				_v320 = 0;
                                                                          				_v316 = 0;
                                                                          				E000BF670(_a8,  &_v292, 0, 0x11c);
                                                                          				_v296 = 0;
                                                                          				_v308 = 0;
                                                                          				E000BF670(_a8,  &_v1588, 0, 0x4e8);
                                                                          				_t173 = _t172 + 0x18;
                                                                          				E000D03F0(GetModuleHandleW(0));
                                                                          				E000D05A2(3, 0);
                                                                          				_t83 = E00091209(_t149, _a12,  &_v344,  &_v340); // executed
                                                                          				if(_t83 >= 0) {
                                                                          					_t85 = E000941D2(_t149, _t156, __eflags,  &_v1588, _t157); // executed
                                                                          					_t162 = _t85;
                                                                          					__eflags = _t162;
                                                                          					if(_t162 >= 0) {
                                                                          						_v1544 = _a16;
                                                                          						_t87 = E00095525();
                                                                          						__imp__CoInitializeEx(0, 0); // executed
                                                                          						_t162 = _t87;
                                                                          						__eflags = _t162;
                                                                          						if(_t162 >= 0) {
                                                                          							_t159 = 1;
                                                                          							_t88 = E000CFBAD();
                                                                          							__eflags = _t88;
                                                                          							if(_t88 >= 0) {
                                                                          								_v328 = 1;
                                                                          								_t89 = E000D0CD1();
                                                                          								_t164 = _t89;
                                                                          								__eflags = _t89;
                                                                          								if(__eflags >= 0) {
                                                                          									_v324 = 1;
                                                                          									_t90 = E000D29B3(_t149, _t156, _t164, __eflags); // executed
                                                                          									__eflags = _t90;
                                                                          									if(_t90 >= 0) {
                                                                          										_v320 = 1;
                                                                          										_t91 = E000D343B(_t90);
                                                                          										__eflags = _t91;
                                                                          										if(_t91 >= 0) {
                                                                          											_v316 = 1;
                                                                          											_v292.dwOSVersionInfoSize = 0x11c;
                                                                          											_t93 = GetVersionExW( &_v292);
                                                                          											__eflags = _t93;
                                                                          											if(_t93 != 0) {
                                                                          												E000933D7( &_v296, 0);
                                                                          												_push(_v296);
                                                                          												_push(_v16 & 0x0000ffff);
                                                                          												_push(_v292.dwBuildNumber);
                                                                          												_push(_v292.dwMinorVersion);
                                                                          												_push(_v292.dwMajorVersion);
                                                                          												E0009550F(2, 0x20000001, "3.10.4.4718"); // executed
                                                                          												_t173 = _t173 + 0x20;
                                                                          												__eflags = _v296;
                                                                          												if(__eflags != 0) {
                                                                          													E000D54EF(_v296);
                                                                          													_t36 =  &_v296;
                                                                          													 *_t36 = _v296 & 0;
                                                                          													__eflags =  *_t36;
                                                                          												}
                                                                          												_t99 = E000A7337(_t156, __eflags,  &_v1588); // executed
                                                                          												_t167 = _t99;
                                                                          												__eflags = _t167;
                                                                          												if(_t167 >= 0) {
                                                                          													_t101 = _v420;
                                                                          													__eflags = _t101;
                                                                          													if(_t101 == 0) {
                                                                          														_t103 = E00094C33(_t156, _v312,  &_v1588); // executed
                                                                          														_t167 = _t103;
                                                                          														__eflags = _t167;
                                                                          														if(_t167 >= 0) {
                                                                          															L38:
                                                                          															_t150 = _v332;
                                                                          															_t148 = _v1564;
                                                                          															 *_v332 = _v1340;
                                                                          															goto L39;
                                                                          														}
                                                                          														_push("Failed to run untrusted mode.");
                                                                          														goto L9;
                                                                          													}
                                                                          													_t131 = _t101 - 1;
                                                                          													__eflags = _t131;
                                                                          													if(_t131 == 0) {
                                                                          														_v308 = _t159;
                                                                          														_t167 = E000949DF(_t149, _t156, _v304,  &_v1588);
                                                                          														__eflags = _t167;
                                                                          														if(_t167 >= 0) {
                                                                          															goto L38;
                                                                          														}
                                                                          														_push("Failed to run per-user mode.");
                                                                          														goto L9;
                                                                          													}
                                                                          													_t134 = _t131 - 1;
                                                                          													__eflags = _t134;
                                                                          													if(_t134 == 0) {
                                                                          														_t167 = E000947E9(_t149, _t156, _v304, _v312,  &_v1588);
                                                                          														__eflags = _t167;
                                                                          														if(_t167 >= 0) {
                                                                          															goto L38;
                                                                          														}
                                                                          														_push("Failed to run per-machine mode.");
                                                                          														goto L9;
                                                                          													}
                                                                          													_t137 = _t134 - 1;
                                                                          													__eflags = _t137;
                                                                          													if(_t137 == 0) {
                                                                          														_v308 = _t159;
                                                                          														_t167 = E00094982(_t149, _t156, _v304,  &_v1588);
                                                                          														__eflags = _t167;
                                                                          														if(_t167 >= 0) {
                                                                          															goto L38;
                                                                          														}
                                                                          														_push("Failed to run embedded mode.");
                                                                          														goto L9;
                                                                          													}
                                                                          													__eflags = _t137 == 1;
                                                                          													if(_t137 == 1) {
                                                                          														_t167 = E00094B80(_t149,  &_v1332, _a16);
                                                                          														__eflags = _t167;
                                                                          														if(_t167 >= 0) {
                                                                          															goto L38;
                                                                          														}
                                                                          														_push("Failed to run RunOnce mode.");
                                                                          														goto L9;
                                                                          													}
                                                                          													_t167 = 0x8000ffff;
                                                                          													_push("Invalid run mode.");
                                                                          													goto L9;
                                                                          												} else {
                                                                          													_push("Failed to initialize core.");
                                                                          													L9:
                                                                          													E000D012F();
                                                                          													_t150 = _t167;
                                                                          													goto L39;
                                                                          												}
                                                                          											}
                                                                          											_t144 = GetLastError();
                                                                          											__eflags = _t144;
                                                                          											_t170 =  <=  ? _t144 : _t144 & 0x0000ffff | 0x80070000;
                                                                          											__eflags = _t170;
                                                                          											_t167 =  >=  ? 0x80004005 : _t170;
                                                                          											E000937D3(0x80004005, "engine.cpp", 0x95, _t167);
                                                                          											_push("Failed to get OS info.");
                                                                          											goto L9;
                                                                          										}
                                                                          										_push("Failed to initialize XML util.");
                                                                          										goto L9;
                                                                          									}
                                                                          									_push("Failed to initialize Wiutil.");
                                                                          									goto L9;
                                                                          								}
                                                                          								_push("Failed to initialize Regutil.");
                                                                          								goto L9;
                                                                          							}
                                                                          							_push("Failed to initialize Cryputil.");
                                                                          							goto L9;
                                                                          						}
                                                                          						_push("Failed to initialize COM.");
                                                                          						goto L2;
                                                                          					}
                                                                          					_push("Failed to initialize engine state.");
                                                                          					goto L2;
                                                                          				} else {
                                                                          					_push("Failed to parse command line.");
                                                                          					L2:
                                                                          					E000D012F();
                                                                          					_t150 = _t162;
                                                                          					_t159 = _t148;
                                                                          					L39:
                                                                          					if(_v296 != 0) {
                                                                          						E000D54EF(_v296);
                                                                          					}
                                                                          					if(_t167 < 0 && _v576 == 0) {
                                                                          						E000D041B(_t150, _t156, _t159, 0, L"Setup", L"_Failed", L"txt", 0, 0, 0);
                                                                          					}
                                                                          					E0009D723( &_v1404);
                                                                          					E000AA6D0(_t150, _t156, _v1316); // executed
                                                                          					E000AA91E();
                                                                          					if(_t148 != 0) {
                                                                          						_t124 = _v1532;
                                                                          						if(_t124 != 0 && _t124 != 6) {
                                                                          							E0009550F(2, 0xa0000008, E000A416A(_t124));
                                                                          							_t173 = _t173 + 0xc;
                                                                          							_t167 = 0x80070bc2;
                                                                          							_t148 = 0;
                                                                          						}
                                                                          					}
                                                                          					E00094E9C(_t148, _t150, _t159,  &_v1588); // executed
                                                                          					if(_v316 != 0) {
                                                                          						E000D3911();
                                                                          					}
                                                                          					if(_v320 != 0) {
                                                                          						E000D2DD0();
                                                                          					}
                                                                          					if(_v324 != 0) {
                                                                          						E000D1317();
                                                                          					}
                                                                          					if(_v328 != 0) {
                                                                          						E000CFCBC();
                                                                          					}
                                                                          					if(_t159 != 0) {
                                                                          						__imp__CoUninitialize(); // executed
                                                                          					}
                                                                          					if(_v308 != 0) {
                                                                          						if(_t167 >= 0) {
                                                                          							_t159 =  *_v332;
                                                                          						} else {
                                                                          							_t159 = _t167;
                                                                          						}
                                                                          						_push(E000A3C30(_t148));
                                                                          						E0009550F(2, 0x20000007, _t159);
                                                                          						if(_t148 != 0) {
                                                                          							_push(0xa0000005);
                                                                          							E0009550F();
                                                                          							_t150 = 2;
                                                                          						}
                                                                          					}
                                                                          					E000D000B(_t150, _t159, 0);
                                                                          					_t193 = _t148;
                                                                          					if(_t148 != 0) {
                                                                          						E000944E9(_t156);
                                                                          					}
                                                                          					E000D06F5(_t150, _t159, _t193, 0);
                                                                          					return E000BDE36(_t148, _v8 ^ _t171, _t156, _t159, _t167);
                                                                          				}
                                                                          			}


























































                                                                          0x00095468
                                                                          0x00095468
                                                                          0x00095474
                                                                          0x00095476
                                                                          0x00095476
                                                                          0x00095482
                                                                          0x00095484
                                                                          0x00095484
                                                                          0x00095490
                                                                          0x00095492
                                                                          0x00095492
                                                                          0x00095499
                                                                          0x0009549b
                                                                          0x0009549b
                                                                          0x000954a8
                                                                          0x000954ac
                                                                          0x000954b8
                                                                          0x000954ae
                                                                          0x000954ae
                                                                          0x000954ae
                                                                          0x000954c0
                                                                          0x000954c9
                                                                          0x000954d3
                                                                          0x000954d5
                                                                          0x000954dc
                                                                          0x000954e2
                                                                          0x000954e2
                                                                          0x000954d3
                                                                          0x000954e5
                                                                          0x000954ea
                                                                          0x000954ec
                                                                          0x000954ee
                                                                          0x000954ee
                                                                          0x000954f5
                                                                          0x0009550c
                                                                          0x0009550c

                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?), ref: 0009510F
                                                                            • Part of subcall function 000D03F0: InitializeCriticalSection.KERNEL32(000FB60C,?,0009511B,00000000,?,?,?,?,?,?), ref: 000D0407
                                                                            • Part of subcall function 00091209: CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,00095137,00000000,?), ref: 00091247
                                                                            • Part of subcall function 00091209: GetLastError.KERNEL32(?,?,?,00095137,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00091251
                                                                          • CoInitializeEx.OLE32(00000000,00000000,?,?,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 0009517D
                                                                            • Part of subcall function 000D0CD1: GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 000D0CF2
                                                                          • GetVersionExW.KERNEL32(?,?,?,?,?,?,?), ref: 0009520F
                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00095219
                                                                          • CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0009549B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorInitializeLast$AddressArgvCommandCriticalHandleLineModuleProcSectionUninitializeVersion
                                                                          • String ID: 3.10.4.4718$@Mt$Failed to get OS info.$Failed to initialize COM.$Failed to initialize Cryputil.$Failed to initialize Regutil.$Failed to initialize Wiutil.$Failed to initialize XML util.$Failed to initialize core.$Failed to initialize engine state.$Failed to parse command line.$Failed to run RunOnce mode.$Failed to run embedded mode.$Failed to run per-machine mode.$Failed to run per-user mode.$Failed to run untrusted mode.$Invalid run mode.$Setup$_Failed$engine.cpp$txt
                                                                          • API String ID: 3262001429-3164437760
                                                                          • Opcode ID: 4ac87f2a28f61bbf786ff0779aef2511d8bbaff0f88decfaf44b10172558783d
                                                                          • Instruction ID: dae4acd56eb6a18c382c17f5dd298462e0b2d7832439db09be2a8cba966b7761
                                                                          • Opcode Fuzzy Hash: 4ac87f2a28f61bbf786ff0779aef2511d8bbaff0f88decfaf44b10172558783d
                                                                          • Instruction Fuzzy Hash: 09B1B671D41B299BDF73AF65CC46BED76A4AF04702F010196F908A6342DB719E80AFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          [Figure: control-flow graph; nodes are marked Executed or Not Executed]
                                                                          C-Code - Quality: 58%
                                                                          			E00094C33(void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                          				struct _SECURITY_ATTRIBUTES* _v8;
                                                                          				char _v12;
                                                                          				struct _SECURITY_ATTRIBUTES* _v16;
                                                                          				struct _SECURITY_ATTRIBUTES* _v20;
                                                                          				struct _SECURITY_ATTRIBUTES* _v24;
                                                                          				struct _SECURITY_ATTRIBUTES* _v28;
                                                                          				struct _SECURITY_ATTRIBUTES* _v32;
                                                                          				struct _PROCESS_INFORMATION _v48;
                                                                          				struct _STARTUPINFOW _v116;
                                                                          				void* __edi;
                                                                          				void* _t66;
                                                                          				void* _t70;
                                                                          				WCHAR* _t71;
                                                                          				void* _t73;
                                                                          				void* _t76;
                                                                          				void* _t79;
                                                                          				int _t87;
                                                                          				void* _t90;
                                                                          				signed short _t101;
                                                                          				void* _t107;
                                                                          				intOrPtr _t108;
                                                                          				void* _t109;
                                                                          				void* _t114;
                                                                          				void* _t115;
                                                                          				WCHAR* _t117;
                                                                          				void* _t120;
                                                                          				void* _t125;
                                                                          				void* _t130;
                                                                          				void* _t131;
                                                                          				void* _t132;
                                                                          				void* _t133;
                                                                          
                                                                          				_t114 = __edx;
                                                                          				_v16 = 0;
                                                                          				_v32 = 0;
                                                                          				_v12 = 0;
                                                                          				_v28 = 0;
                                                                          				E000BF670(_t115,  &_v116, 0, 0x44);
                                                                          				_v24 = 0;
                                                                          				_v20 = 0;
                                                                          				asm("stosd");
                                                                          				_t131 = _t130 + 0xc;
                                                                          				_t107 = 0;
                                                                          				_v8 = 0;
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				_t120 = E000933D7( &_v16, 0);
                                                                          				if(_t120 >= 0) {
                                                                          					_t66 = E000A96F2();
                                                                          					_t108 = _a8;
                                                                          					if(_t66 == 0) {
                                                                          						_t70 = E000A96F8(_t109, _t114, _t108 + 0xbc, _t108 + 0x48,  &_v32); // executed
                                                                          						if(_t70 >= 0) {
                                                                          							_t117 = _v32;
                                                                          							_t71 = _v16;
                                                                          							goto L8;
                                                                          						} else {
                                                                          							_push("Failed to cache to clean room.");
                                                                          							goto L6;
                                                                          						}
                                                                          					} else {
                                                                          						_t71 = _v16;
                                                                          						_t117 = _t71;
                                                                          						L8:
                                                                          						_push(_t71);
                                                                          						_t73 = E00091F20( &_v12, L"-%ls=\"%ls\"", L"burn.clean.room");
                                                                          						_t132 = _t131 + 0x10;
                                                                          						if(_t73 >= 0) {
                                                                          							_t76 = E000A6859(_t109,  *((intOrPtr*)(_t108 + 0x48)),  &_v24,  &_v12); // executed
                                                                          							if(_t76 >= 0) {
                                                                          								_t79 = E000A6915(_t117,  &_v20,  &_v12, 0); // executed
                                                                          								if(_t79 >= 0) {
                                                                          									_push(_a4);
                                                                          									_t125 = E00091F62( &_v12, L"%ls %ls", _v12);
                                                                          									_t133 = _t132 + 0x10;
                                                                          									if(_t125 >= 0) {
                                                                          										_push(_v12);
                                                                          										_t125 = E00091F62( &_v28, L"\"%ls\" %ls", _t117);
                                                                          										_t132 = _t133 + 0x10;
                                                                          										if(_t125 >= 0) {
                                                                          											_v116.wShowWindow =  *((intOrPtr*)(_t108 + 0x2c));
                                                                          											_v116.cb = 0x44;
                                                                          											_t87 = CreateProcessW(_t117, _v28, 0, 0, 1, 0, 0, 0,  &_v116,  &_v48); // executed
                                                                          											if(_t87 != 0) {
                                                                          												_v8 = _v48.hProcess;
                                                                          												_t107 = _v8;
                                                                          												_v48.hProcess = 0;
                                                                          												_t90 = E000D0917(_t109, _t107, 0xffffffff, _t108 + 0xf8); // executed
                                                                          												_t125 = _t90;
                                                                          												if(_t125 < 0) {
                                                                          													E000D012F(_t125, "Failed to wait for clean room process: %ls", _t117);
                                                                          													goto L24;
                                                                          												}
                                                                          											} else {
                                                                          												_t101 = GetLastError();
                                                                          												_t129 =  <=  ? _t101 : _t101 & 0x0000ffff | 0x80070000;
                                                                          												_t125 =  >=  ? 0x80004005 :  <=  ? _t101 : _t101 & 0x0000ffff | 0x80070000;
                                                                          												E000937D3(0x80004005, "engine.cpp", 0x1ce, _t125);
                                                                          												_push(_v28);
                                                                          												_push("Failed to launch clean room process: %ls");
                                                                          												goto L13;
                                                                          											}
                                                                          										} else {
                                                                          											_push("Failed to allocate full command-line.");
                                                                          											goto L6;
                                                                          										}
                                                                          									} else {
                                                                          										_push("Failed to append original command line.");
                                                                          										goto L6;
                                                                          									}
                                                                          								} else {
                                                                          									_push(L"burn.filehandle.self");
                                                                          									goto L12;
                                                                          								}
                                                                          							} else {
                                                                          								_push(L"burn.filehandle.attached");
                                                                          								L12:
                                                                          								_push("Failed to append %ls");
                                                                          								L13:
                                                                          								_push(_t125);
                                                                          								E000D012F();
                                                                          								_t107 = _v8;
                                                                          								L24:
                                                                          							}
                                                                          						} else {
                                                                          							_push("Failed to allocate parameters for unelevated process.");
                                                                          							L6:
                                                                          							_push(_t125);
                                                                          							E000D012F();
                                                                          							_t107 = _v8;
                                                                          						}
                                                                          					}
                                                                          				} else {
                                                                          					_push("Failed to get path for current process.");
                                                                          					_push(_t120);
                                                                          					E000D012F();
                                                                          				}
                                                                          				if(_v48.hThread != 0) {
                                                                          					CloseHandle(_v48.hThread);
                                                                          					_v48.hThread = _v48.hThread & 0x00000000;
                                                                          				}
                                                                          				if(_v20 != 0xffffffff) {
                                                                          					CloseHandle(_v20);
                                                                          					_v20 = _v20 | 0xffffffff;
                                                                          				}
                                                                          				if(_v24 != 0xffffffff) {
                                                                          					CloseHandle(_v24);
                                                                          					_v24 = _v24 | 0xffffffff;
                                                                          				}
                                                                          				if(_t107 != 0) {
                                                                          					CloseHandle(_t107);
                                                                          				}
                                                                          				E00092793(_v28);
                                                                          				E00092793(_v12);
                                                                          				if(_v32 != 0) {
                                                                          					E000D54EF(_v32);
                                                                          				}
                                                                          				if(_v16 != 0) {
                                                                          					E000D54EF(_v16);
                                                                          				}
                                                                          				return _t125;
                                                                          			}


































                                                                          0x00094df1
                                                                          0x00000000
                                                                          0x00094df1
                                                                          0x00094d88
                                                                          0x00094d88
                                                                          0x00000000
                                                                          0x00094d88
                                                                          0x00094d63
                                                                          0x00094d63
                                                                          0x00000000
                                                                          0x00094d63
                                                                          0x00094d3f
                                                                          0x00094d3f
                                                                          0x00000000
                                                                          0x00094d3f
                                                                          0x00094d11
                                                                          0x00094d11
                                                                          0x00094d16
                                                                          0x00094d16
                                                                          0x00094d1b
                                                                          0x00094d1b
                                                                          0x00094d1c
                                                                          0x00094d21
                                                                          0x00094e28
                                                                          0x00094e28
                                                                          0x00094cf4
                                                                          0x00094cf4
                                                                          0x00094cc1
                                                                          0x00094cc1
                                                                          0x00094cc2
                                                                          0x00094cc7
                                                                          0x00094ccb
                                                                          0x00094cf2
                                                                          0x00094c7d
                                                                          0x00094c7d
                                                                          0x00094c82
                                                                          0x00094c83
                                                                          0x00094c89
                                                                          0x00094e35
                                                                          0x00094e3a
                                                                          0x00094e3c
                                                                          0x00094e3c
                                                                          0x00094e44
                                                                          0x00094e49
                                                                          0x00094e4b
                                                                          0x00094e4b
                                                                          0x00094e53
                                                                          0x00094e58
                                                                          0x00094e5a
                                                                          0x00094e5a
                                                                          0x00094e60
                                                                          0x00094e63
                                                                          0x00094e63
                                                                          0x00094e68
                                                                          0x00094e70
                                                                          0x00094e79
                                                                          0x00094e7e
                                                                          0x00094e7e
                                                                          0x00094e87
                                                                          0x00094e8c
                                                                          0x00094e8c
                                                                          0x00094e99

                                                                          APIs
                                                                            • Part of subcall function 000933D7: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,000910DD,?,00000000), ref: 000933F8
                                                                          • CloseHandle.KERNEL32(00000000,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00094E3A
                                                                          • CloseHandle.KERNEL32(000000FF,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00094E49
                                                                          • CloseHandle.KERNEL32(000000FF,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00094E58
                                                                          • CloseHandle.KERNEL32(?,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00094E63
                                                                          Strings
                                                                          • -%ls="%ls", xrefs: 00094CE0
                                                                          • burn.clean.room, xrefs: 00094CD8
                                                                          • Failed to cache to clean room., xrefs: 00094CBC
                                                                          • Failed to allocate parameters for unelevated process., xrefs: 00094CF4
                                                                          • "%ls" %ls, xrefs: 00094D74
                                                                          • Failed to allocate full command-line., xrefs: 00094D88
                                                                          • Failed to launch clean room process: %ls, xrefs: 00094DF1
                                                                          • @Mt, xrefs: 00094DC0
                                                                          • Failed to wait for clean room process: %ls, xrefs: 00094E1D
                                                                          • engine.cpp, xrefs: 00094DE4
                                                                          • %ls %ls, xrefs: 00094D4F
                                                                          • burn.filehandle.self, xrefs: 00094D3F
                                                                          • Failed to get path for current process., xrefs: 00094C7D
                                                                          • D, xrefs: 00094DA3
                                                                          • Failed to append original command line., xrefs: 00094D63
                                                                          • Failed to append %ls, xrefs: 00094D16
                                                                          • burn.filehandle.attached, xrefs: 00094D11
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: CloseHandle$FileModuleName
                                                                          • String ID: "%ls" %ls$%ls %ls$-%ls="%ls"$@Mt$D$Failed to allocate full command-line.$Failed to allocate parameters for unelevated process.$Failed to append %ls$Failed to append original command line.$Failed to cache to clean room.$Failed to get path for current process.$Failed to launch clean room process: %ls$Failed to wait for clean room process: %ls$burn.clean.room$burn.filehandle.attached$burn.filehandle.self$engine.cpp
                                                                          • API String ID: 3884789274-1051482454
                                                                          • Opcode ID: 12d793b230a71577e1f13230b92166cb165070008cf90d3f47bed9775c87c688
                                                                          • Instruction ID: 948ff4f8e0a6068d01b680517d4000bdcc74da5975685e4b7f6422390a1abf26
                                                                          • Opcode Fuzzy Hash: 12d793b230a71577e1f13230b92166cb165070008cf90d3f47bed9775c87c688
                                                                          • Instruction Fuzzy Hash: 55718671D01329FBDF219BA4CC41EEFBBB8AF04720F114126FA14B7291DB745A429BA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 1183 a84c4-a8512 CreateFileW 1184 a8558-a8568 call d47d3 1183->1184 1185 a8514-a8553 call 937d3 call d012f 1183->1185 1190 a856a-a857b call d012f 1184->1190 1191 a8580-a8594 call d3db5 1184->1191 1204 a86fc-a870e call bde36 1185->1204 1198 a86f5-a86f6 FindCloseChangeNotification 1190->1198 1199 a85af-a85b4 1191->1199 1200 a8596-a85aa call d012f 1191->1200 1198->1204 1199->1198 1203 a85ba-a85c9 SetFilePointerEx 1199->1203 1200->1198 1206 a85cb-a85fe call 937d3 1203->1206 1207 a8603-a8613 call d4cee 1203->1207 1216 a86ed-a86f4 call d012f 1206->1216 1213 a861f-a8630 SetFilePointerEx 1207->1213 1214 a8615-a861a 1207->1214 1217 a866a-a867a call d4cee 1213->1217 1218 a8632-a8665 call 937d3 1213->1218 1214->1216 1216->1198 1217->1214 1226 a867c-a868c call d4cee 1217->1226 1218->1216 1226->1214 1230 a868e-a869f SetFilePointerEx 1226->1230 1231 a86a1-a86d4 call 937d3 1230->1231 1232 a86d6-a86dd call d4cee 1230->1232 1231->1216 1235 a86e2-a86e6 1232->1235 1235->1198 1237 a86e8 1235->1237 1237->1216
                                                                          C-Code - Quality: 73%
                                                                          			E000A84C4(void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12, intOrPtr _a16) {
                                                                          				signed int _v8;
                                                                          				char _v20;
                                                                          				WCHAR* _v24;
                                                                          				intOrPtr _v28;
                                                                          				intOrPtr _v32;
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				void* __ebp;
                                                                          				signed int _t25;
                                                                          				void* _t29;
                                                                          				void* _t31;
                                                                          				void* _t33;
                                                                          				int _t37;
                                                                          				void* _t39;
                                                                          				int _t41;
                                                                          				void* _t43;
                                                                          				void* _t46;
                                                                          				int _t48;
                                                                          				void* _t50;
                                                                          				signed short _t51;
                                                                          				signed short _t54;
                                                                          				signed short _t57;
                                                                          				signed short _t62;
                                                                          				intOrPtr _t66;
                                                                          				WCHAR* _t67;
                                                                          				void* _t73;
                                                                          				void* _t75;
                                                                          				signed int _t91;
                                                                          
                                                                          				_t73 = __edx;
                                                                          				_t25 =  *0xfa008; // 0x90c8e23b
                                                                          				_v8 = _t25 ^ _t91;
                                                                          				_t67 = _a12;
                                                                          				_t66 = _a16;
                                                                          				_t76 = _a4;
                                                                          				_v28 = _a8;
                                                                          				_v32 = _a4;
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				_v24 = _t67;
                                                                          				asm("stosd"); // executed
                                                                          				_t29 = CreateFileW(_t67, 0x40000000, 5, 0, 2, 0x8000080, 0); // executed
                                                                          				_t75 = _t29;
                                                                          				if(_t75 != 0xffffffff) {
                                                                          					_t31 = E000D47D3(_t67, _t76, 0, 0, 0, 0); // executed
                                                                          					_t77 = _t31;
                                                                          					if(_t31 >= 0) {
                                                                          						_t33 = E000D3DB5(_t73, _v32, _t75,  *((intOrPtr*)(_t66 + 0xc)), 0, 0); // executed
                                                                          						_t77 = _t33;
                                                                          						if(_t77 >= 0) {
                                                                          							if( *((intOrPtr*)(_t66 + 0x28)) != 0) {
                                                                          								_push(0);
                                                                          								_t37 = SetFilePointerEx(_t75,  *(_t66 + 0x18), 0, 0); // executed
                                                                          								if(_t37 != 0) {
                                                                          									_t39 = E000D4CEE(0, _t75, _t66 + 0x24, 4); // executed
                                                                          									if(_t39 >= 0) {
                                                                          										_push(0);
                                                                          										_t41 = SetFilePointerEx(_t75,  *(_t66 + 0x1c), 0, 0); // executed
                                                                          										if(_t41 != 0) {
                                                                          											_t43 = E000D4CEE(0, _t75, _t66 + 0x28, 4); // executed
                                                                          											_t77 = _t43;
                                                                          											if(_t77 < 0) {
                                                                          												goto L10;
                                                                          											} else {
                                                                          												_t46 = E000D4CEE(0, _t75, _t66 + 0x2c, 4); // executed
                                                                          												_t77 = _t46;
                                                                          												if(_t77 < 0) {
                                                                          													goto L10;
                                                                          												} else {
                                                                          													_push(0);
                                                                          													_t48 = SetFilePointerEx(_t75,  *(_t66 + 0x20), 0, 0); // executed
                                                                          													if(_t48 != 0) {
                                                                          														_t50 = E000D4CEE(0, _t75,  &_v20, 0xc); // executed
                                                                          														_t77 = _t50;
                                                                          														if(_t77 < 0) {
                                                                          															_push("Failed to zero out original data offset.");
                                                                          															goto L19;
                                                                          														}
                                                                          													} else {
                                                                          														_t51 = GetLastError();
                                                                          														_t81 =  <=  ? _t51 : _t51 & 0x0000ffff | 0x80070000;
                                                                          														_t77 =  >=  ? 0x80004005 :  <=  ? _t51 : _t51 & 0x0000ffff | 0x80070000;
                                                                          														E000937D3(0x80004005, "cache.cpp", 0x6d6, _t77);
                                                                          														_push("Failed to seek to original data in exe burn section header.");
                                                                          														goto L19;
                                                                          													}
                                                                          												}
                                                                          											}
                                                                          										} else {
                                                                          											_t54 = GetLastError();
                                                                          											_t84 =  <=  ? _t54 : _t54 & 0x0000ffff | 0x80070000;
                                                                          											_t77 =  >=  ? 0x80004005 :  <=  ? _t54 : _t54 & 0x0000ffff | 0x80070000;
                                                                          											E000937D3(0x80004005, "cache.cpp", 0x6c9, _t77);
                                                                          											_push("Failed to seek to signature table in exe header.");
                                                                          											goto L19;
                                                                          										}
                                                                          									} else {
                                                                          										L10:
                                                                          										_push("Failed to update signature offset.");
                                                                          										goto L19;
                                                                          									}
                                                                          								} else {
                                                                          									_t57 = GetLastError();
                                                                          									_t87 =  <=  ? _t57 : _t57 & 0x0000ffff | 0x80070000;
                                                                          									_t77 =  >=  ? 0x80004005 :  <=  ? _t57 : _t57 & 0x0000ffff | 0x80070000;
                                                                          									E000937D3(0x80004005, "cache.cpp", 0x6bf, _t77);
                                                                          									_push("Failed to seek to checksum in exe header.");
                                                                          									L19:
                                                                          									_push(_t77);
                                                                          									E000D012F();
                                                                          								}
                                                                          							}
                                                                          						} else {
                                                                          							_push(_v24);
                                                                          							E000D012F(_t77, "Failed to copy engine from: %ls to: %ls", _v28);
                                                                          						}
                                                                          					} else {
                                                                          						E000D012F(_t77, "Failed to seek to beginning of engine file: %ls", _v28);
                                                                          					}
                                                                          					FindCloseChangeNotification(_t75); // executed
                                                                          				} else {
                                                                          					_t62 = GetLastError();
                                                                          					_t90 =  <=  ? _t62 : _t62 & 0x0000ffff | 0x80070000;
                                                                          					_t77 =  >=  ? 0x80004005 :  <=  ? _t62 : _t62 & 0x0000ffff | 0x80070000;
                                                                          					E000937D3(0x80004005, "cache.cpp", 0x6af,  >=  ? 0x80004005 :  <=  ? _t62 : _t62 & 0x0000ffff | 0x80070000);
                                                                          					E000D012F( >=  ? 0x80004005 :  <=  ? _t62 : _t62 & 0x0000ffff | 0x80070000, "Failed to create engine file at path: %ls", _v24);
                                                                          				}
                                                                          				return E000BDE36(_t66, _v8 ^ _t91, _t73, _t75, _t77);
                                                                          			}
                                                                          0x000a865b
                                                                          0x000a8660
                                                                          0x00000000
                                                                          0x000a8660
                                                                          0x000a8615
                                                                          0x000a8615
                                                                          0x000a8615
                                                                          0x00000000
                                                                          0x000a8615
                                                                          0x000a85cb
                                                                          0x000a85cb
                                                                          0x000a85dc
                                                                          0x000a85e6
                                                                          0x000a85f4
                                                                          0x000a85f9
                                                                          0x000a86ed
                                                                          0x000a86ed
                                                                          0x000a86ee
                                                                          0x000a86f4
                                                                          0x000a85c9
                                                                          0x000a8596
                                                                          0x000a8596
                                                                          0x000a85a2
                                                                          0x000a85a7
                                                                          0x000a856a
                                                                          0x000a8573
                                                                          0x000a8578
                                                                          0x000a86f6
                                                                          0x000a8514
                                                                          0x000a8514
                                                                          0x000a8525
                                                                          0x000a852f
                                                                          0x000a853d
                                                                          0x000a854b
                                                                          0x000a8550
                                                                          0x000a870e

                                                                          APIs
                                                                          • CreateFileW.KERNELBASE(00000000,40000000,00000005,00000000,00000002,08000080,00000000,?,00000000,00000000,00094CB6,?,?,00000000,00094CB6,00000000), ref: 000A8507
                                                                          • GetLastError.KERNEL32 ref: 000A8514
                                                                          • FindCloseChangeNotification.KERNELBASE(00000000,?,00000000,000DB4F0,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 000A86F6
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ChangeCloseCreateErrorFileFindLastNotification
                                                                          • String ID: @Mt$Failed to copy engine from: %ls to: %ls$Failed to create engine file at path: %ls$Failed to seek to beginning of engine file: %ls$Failed to seek to checksum in exe header.$Failed to seek to original data in exe burn section header.$Failed to seek to signature table in exe header.$Failed to update signature offset.$Failed to zero out original data offset.$cabinet.dll$cache.cpp$msi.dll
                                                                          • API String ID: 4091947256-1642438763
                                                                          • Opcode ID: 6cd1e3b4b1d55718d825b6c7079ccff79ba48a7fea63bbfcf1f768fb6fe5700e
                                                                          • Instruction ID: d5315b99a7588607ed6c986a0c98e27a0279b3cdb67d6ecaad9db52fe76c4b5a
                                                                          • Opcode Fuzzy Hash: 6cd1e3b4b1d55718d825b6c7079ccff79ba48a7fea63bbfcf1f768fb6fe5700e
                                                                          • Instruction Fuzzy Hash: 0351E672A41721BFFB115AA99C4AFBB7698EF05750F014126FE05FB281EB648C0097F5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          [Figure: control_flow_graph 1239, starting at block a7337-a737c; nodes are marked Executed or Not Executed]
                                                                          C-Code - Quality: 83%
                                                                          			E000A7337(void* __edx, void* __eflags, intOrPtr _a4) {
                                                                          				char _v8;
                                                                          				char _v12;
                                                                          				char _v16;
                                                                          				char _v20;
                                                                          				char _v24;
                                                                          				char _v28;
                                                                          				char _v32;
                                                                          				char _v36;
                                                                          				char _v124;
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				void* _t70;
                                                                          				intOrPtr _t73;
                                                                          				intOrPtr _t76;
                                                                          				intOrPtr _t81;
                                                                          				intOrPtr _t96;
                                                                          				intOrPtr _t105;
                                                                          				intOrPtr _t106;
                                                                          				intOrPtr* _t107;
                                                                          				intOrPtr _t109;
                                                                          				intOrPtr _t110;
                                                                          				void* _t140;
                                                                          				void* _t141;
                                                                          				intOrPtr _t142;
                                                                          				intOrPtr _t149;
                                                                          				intOrPtr _t152;
                                                                          
                                                                          				_t140 = __edx;
                                                                          				_v12 = 0;
                                                                          				_v28 = 0;
                                                                          				_v20 = 0;
                                                                          				_v32 = 0;
                                                                          				E000BF670(_t141,  &_v124, 0, 0x58);
                                                                          				_t142 = _a4;
                                                                          				_v36 = 0;
                                                                          				_v8 = 0;
                                                                          				_v16 = 0;
                                                                          				_v24 = 0;
                                                                          				_t11 = _t142 + 0x88; // 0x9533d
                                                                          				_t135 = _t11;
                                                                          				_t70 = E00097503(_t11); // executed
                                                                          				if(_t70 >= 0) {
                                                                          					_t13 = _t142 + 0x48; // 0x952fd
                                                                          					_t73 = E0009C2A1(_t13,  &_v124); // executed
                                                                          					__eflags = _t73;
                                                                          					if(_t73 >= 0) {
                                                                          						_t76 = E0009C108( &_v124,  &_v28);
                                                                          						__eflags = _t76;
                                                                          						if(_t76 >= 0) {
                                                                          							__eflags = E0009C362( &_v124,  &_v20,  &_v32);
                                                                          							if(__eflags >= 0) {
                                                                          								_t81 = E000BBDC9(__eflags, _v20, _v32, _t142); // executed
                                                                          								__eflags = _t81;
                                                                          								if(_t81 >= 0) {
                                                                          									_t22 = _t142 + 0x1c0; // 0x95475
                                                                          									_t23 = _t142 + 0x4d8; // 0x9578d
                                                                          									_t24 = _t142 + 0x140; // 0x953f5
                                                                          									_t25 = _t142 + 0x400; // 0x956b5
                                                                          									_t26 = _t142 + 0x3fc; // 0x956b1
                                                                          									_t27 = _t142 + 0x4d4; // 0x95789
                                                                          									_t30 = _t142 + 0x3ec; // 0x956a1
                                                                          									_t31 = _t142 + 0x494; // 0x95749
                                                                          									_t32 = _t142 + 0x490; // 0x95745
                                                                          									_t136 = _t32;
                                                                          									_t33 = _t142 + 0x4b8; // 0x9576d
                                                                          									_t34 = _t142 + 0x4a0; // 0x95755
                                                                          									_t35 = _t142 + 0x1c; // 0x952d1
                                                                          									_t36 = _t142 + 0x4e0; // 0x485
                                                                          									_t37 = _t142 + 0x4dc; // 0x48d016a
                                                                          									_t96 = E000A5A35( *_t37,  *_t36, _t35, _t34, _t33, _t135, _t32, _t31, _t30,  &_v8,  &_v24, _t27, _t26, _t25, _t24, _t23, _t22,  &_v12);
                                                                          									__eflags = _t96;
                                                                          									if(_t96 >= 0) {
                                                                          										__eflags = _v12;
                                                                          										_t98 =  !=  ? _v12 : 0xdb524;
                                                                          										E0009550F(2, 0x20000009,  !=  ? _v12 : 0xdb524);
                                                                          										E000D076C(GetCurrentProcess(),  &_v36); // executed
                                                                          										asm("cdq");
                                                                          										_t149 = E00098152(_t135, L"WixBundleElevated", _v36, _t140, 1);
                                                                          										__eflags = _t149;
                                                                          										if(_t149 >= 0) {
                                                                          											_t105 = _v8;
                                                                          											__eflags = _t105;
                                                                          											if(_t105 == 0) {
                                                                          												L21:
                                                                          												_t106 = _v24;
                                                                          												__eflags = _t106;
                                                                          												if(_t106 == 0) {
                                                                          													L24:
                                                                          													_t47 = _t142 + 0x490; // 0x95745
                                                                          													_t107 = _t47;
                                                                          													__eflags =  *_t107;
                                                                          													if( *_t107 == 0) {
                                                                          														L27:
                                                                          														_t49 = _t142 + 0x100; // 0x953b5
                                                                          														_t109 = E000AA307(_t135, _t49, _t135, _v8);
                                                                          														__eflags = _t109;
                                                                          														if(_t109 >= 0) {
                                                                          															_t50 = _t142 + 0x490; // 0x95745
                                                                          															_t107 = _t50;
                                                                          															goto L30;
                                                                          														} else {
                                                                          															_push("Failed to initialize internal cache functionality.");
                                                                          															goto L38;
                                                                          														}
                                                                          													} else {
                                                                          														__eflags =  *_t107 - 1;
                                                                          														if( *_t107 == 1) {
                                                                          															goto L27;
                                                                          														} else {
                                                                          															__eflags =  *_t107 - 3;
                                                                          															if( *_t107 != 3) {
                                                                          																L30:
                                                                          																__eflags =  *_t107 - 1;
                                                                          																if(__eflags == 0) {
                                                                          																	L32:
                                                                          																	_t51 = _t142 + 0xcc; // 0x95381
                                                                          																	_t135 = _t51;
                                                                          																	_t52 = _t142 + 0x110; // 0xfff9e89d
                                                                          																	_t110 = E0009D497(_t136, _t140, _t142, __eflags,  *_t52, _t51);
                                                                          																	__eflags = _t110;
                                                                          																	if(_t110 >= 0) {
                                                                          																		_t54 = _t142 + 0xbc; // 0x95371
                                                                          																		_t152 = E0009CABE(_t54, 0,  &_v124,  *_t135);
                                                                          																		__eflags = _t152;
                                                                          																		if(_t152 >= 0) {
                                                                          																			_t55 = _t142 + 0xbc; // 0x95371
                                                                          																			_t56 = _t142 + 0x2b0; // 0x95565
                                                                          																			_t152 = E0009C7DF(_t140, _t56, _t55);
                                                                          																			__eflags = _t152;
                                                                          																			if(_t152 < 0) {
                                                                          																				_push("Failed to load catalog files.");
                                                                          																				goto L38;
                                                                          																			}
                                                                          																		} else {
                                                                          																			_push("Failed to extract bootstrapper application payloads.");
                                                                          																			goto L38;
                                                                          																		}
                                                                          																	} else {
                                                                          																		_push("Failed to get unique temporary folder for bootstrapper application.");
                                                                          																		goto L38;
                                                                          																	}
                                                                          																} else {
                                                                          																	__eflags =  *_t107 - 3;
                                                                          																	if(__eflags == 0) {
                                                                          																		goto L32;
                                                                          																	}
                                                                          																}
                                                                          															} else {
                                                                          																goto L27;
                                                                          															}
                                                                          														}
                                                                          													}
                                                                          												} else {
                                                                          													_t152 = E000980F6(_t135, L"WixBundleOriginalSource", _t106, 0);
                                                                          													__eflags = _t152;
                                                                          													if(_t152 >= 0) {
                                                                          														goto L24;
                                                                          													} else {
                                                                          														_push("Failed to set original source variable.");
                                                                          														goto L38;
                                                                          													}
                                                                          												}
                                                                          											} else {
                                                                          												_t152 = E000980F6(_t135, L"WixBundleSourceProcessPath", _t105, 1);
                                                                          												__eflags = _t152;
                                                                          												if(_t152 >= 0) {
                                                                          													_t152 = E00093446(_t136, _v8,  &_v16);
                                                                          													__eflags = _t152;
                                                                          													if(_t152 >= 0) {
                                                                          														_t152 = E000980F6(_t135, L"WixBundleSourceProcessFolder", _v16, 1);
                                                                          														__eflags = _t152;
                                                                          														if(_t152 >= 0) {
                                                                          															goto L21;
                                                                          														} else {
                                                                          															_push("Failed to set source process folder variable.");
                                                                          															goto L38;
                                                                          														}
                                                                          													} else {
                                                                          														_push("Failed to get source process folder from path.");
                                                                          														goto L38;
                                                                          													}
                                                                          												} else {
                                                                          													_push("Failed to set source process path variable.");
                                                                          													goto L38;
                                                                          												}
                                                                          											}
                                                                          										} else {
                                                                          											E000D012F(_t149, "Failed to overwrite the %ls built-in variable.", L"WixBundleElevated");
                                                                          										}
                                                                          									} else {
                                                                          										_push("Failed to parse command line.");
                                                                          										goto L38;
                                                                          									}
                                                                          								} else {
                                                                          									_push("Failed to load manifest.");
                                                                          									goto L38;
                                                                          								}
                                                                          							} else {
                                                                          								_push("Failed to get manifest stream from container.");
                                                                          								goto L38;
                                                                          							}
                                                                          						} else {
                                                                          							_push("Failed to open manifest stream.");
                                                                          							goto L38;
                                                                          						}
                                                                          					} else {
                                                                          						_push("Failed to open attached UX container.");
                                                                          						goto L38;
                                                                          					}
                                                                          				} else {
                                                                          					_push("Failed to initialize variables.");
                                                                          					L38:
                                                                          					_push(_t152);
                                                                          					E000D012F();
                                                                          				}
                                                                          				_t116 = _v24;
                                                                          				if(_v24 != 0) {
                                                                          					E000D54EF(_t116);
                                                                          				}
                                                                          				if(_v16 != 0) {
                                                                          					E000D54EF(_v16);
                                                                          				}
                                                                          				_t117 = _v8;
                                                                          				if(_v8 != 0) {
                                                                          					E000D54EF(_t117);
                                                                          				}
                                                                          				E0009C055(_t135,  &_v124);
                                                                          				if(_v28 != 0) {
                                                                          					E000D54EF(_v28);
                                                                          				}
                                                                          				if(_v12 != 0) {
                                                                          					E000D54EF(_v12);
                                                                          				}
                                                                          				if(_v20 != 0) {
                                                                          					E00093999(_v20); // executed
                                                                          				}
                                                                          				return _t152;
                                                                          			}






























                                                                          Strings
                                                                          • WixBundleOriginalSource, xrefs: 000A7547
                                                                          • Failed to parse command line., xrefs: 000A7474
                                                                          • Failed to set source process path variable., xrefs: 000A74F7
                                                                          • Failed to load manifest., xrefs: 000A73F5
                                                                          • WixBundleSourceProcessPath, xrefs: 000A74E6
                                                                          • WixBundleSourceProcessFolder, xrefs: 000A7522
                                                                          • Failed to get manifest stream from container., xrefs: 000A73D9
                                                                          • Failed to overwrite the %ls built-in variable., xrefs: 000A74C9
                                                                          • Failed to initialize variables., xrefs: 000A737E
                                                                          • Failed to load catalog files., xrefs: 000A75FD
                                                                          • Failed to get source process folder from path., xrefs: 000A7513
                                                                          • WixBundleElevated, xrefs: 000A74B3, 000A74C4
                                                                          • Failed to open manifest stream., xrefs: 000A73B8
                                                                          • Failed to extract bootstrapper application payloads., xrefs: 000A75DD
                                                                          • Failed to set source process folder variable., xrefs: 000A7533
                                                                          • Failed to initialize internal cache functionality., xrefs: 000A758D
                                                                          • Failed to set original source variable., xrefs: 000A7558
                                                                          • Failed to get unique temporary folder for bootstrapper application., xrefs: 000A75BC
                                                                          • Failed to open attached UX container., xrefs: 000A739B
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalInitializeSection
                                                                          • String ID: Failed to extract bootstrapper application payloads.$Failed to get manifest stream from container.$Failed to get source process folder from path.$Failed to get unique temporary folder for bootstrapper application.$Failed to initialize internal cache functionality.$Failed to initialize variables.$Failed to load catalog files.$Failed to load manifest.$Failed to open attached UX container.$Failed to open manifest stream.$Failed to overwrite the %ls built-in variable.$Failed to parse command line.$Failed to set original source variable.$Failed to set source process folder variable.$Failed to set source process path variable.$WixBundleElevated$WixBundleOriginalSource$WixBundleSourceProcessFolder$WixBundleSourceProcessPath
                                                                          • API String ID: 32694325-252221001
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          [Control-flow graph of function E000A80AE (nodes marked executed / not executed); API calls shown in the graph: GetCurrentProcess, GetWindowsDirectoryW, GetTempPathW, UuidCreate, StringFromGUID2]
                                                                          C-Code - Quality: 52%
                                                                          			E000A80AE(void* __edx, intOrPtr _a8) {
                                                                          				signed int _v8;
                                                                          				char _v88;
                                                                          				short _v608;
                                                                          				char _v624;
                                                                          				signed int _v628;
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				void* __ebp;
                                                                          				signed int _t18;
                                                                          				intOrPtr _t23;
                                                                          				signed int _t32;
                                                                          				signed int _t33;
                                                                          				signed int _t35;
                                                                          				signed short _t40;
                                                                          				signed short _t48;
                                                                          				intOrPtr _t51;
                                                                          				void* _t52;
                                                                          				void* _t57;
                                                                          				void* _t58;
                                                                          				signed int _t60;
                                                                          				signed int _t64;
                                                                          				signed int _t68;
                                                                          
                                                                          				_t57 = __edx;
                                                                          				_t18 =  *0xfa008; // 0x90c8e23b
                                                                          				_v8 = _t18 ^ _t68;
                                                                          				_v628 = _v628 & 0x00000000;
                                                                          				_t51 = _a8;
                                                                          				E000BF670(_t58,  &_v608, 0, 0x208);
                                                                          				_t59 =  &_v624;
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				_t23 =  *0xfaa94; // 0x0
                                                                          				if(_t23 != 0) {
                                                                          					L17:
                                                                          					_t60 = E000921A5(_t51, _t23, 0);
                                                                          					__eflags = _t60;
                                                                          					if(_t60 < 0) {
                                                                          						_push("Failed to copy working folder path.");
                                                                          						goto L19;
                                                                          					}
                                                                          				} else {
                                                                          					E000D076C(GetCurrentProcess(),  &_v628); // executed
                                                                          					if(_v628 == 0) {
                                                                          						_t32 = GetTempPathW(0x104,  &_v608);
                                                                          						__eflags = _t32;
                                                                          						if(_t32 != 0) {
                                                                          							goto L10;
                                                                          						} else {
                                                                          							_t40 = GetLastError();
                                                                          							__eflags = _t40;
                                                                          							_t64 =  <=  ? _t40 : _t40 & 0x0000ffff | 0x80070000;
                                                                          							__eflags = _t64;
                                                                          							_t60 =  >=  ? 0x80004005 : _t64;
                                                                          							E000937D3(0x80004005, "cache.cpp", 0x46b, _t60);
                                                                          							_push("Failed to get temp path for working folder.");
                                                                          							goto L19;
                                                                          						}
                                                                          					} else {
                                                                          						_t59 = 0x104;
                                                                          						if(GetWindowsDirectoryW( &_v608, 0x104) != 0) {
                                                                          							_t60 = E0009338F(_t52, __eflags,  &_v608, 0x104);
                                                                          							__eflags = _t60;
                                                                          							if(_t60 >= 0) {
                                                                          								_t60 = E000936B4(_t52,  &_v608, 0x104, L"Temp\\");
                                                                          								__eflags = _t60;
                                                                          								if(_t60 >= 0) {
                                                                          									L10:
                                                                          									_t33 =  &_v624;
                                                                          									__imp__UuidCreate(_t33);
                                                                          									_t60 = _t33 | 0x00000001;
                                                                          									__eflags = _t60;
                                                                          									if(_t60 >= 0) {
                                                                          										_t35 =  &_v624;
                                                                          										__imp__StringFromGUID2(_t35,  &_v88, 0x27);
                                                                          										__eflags = _t35;
                                                                          										if(_t35 != 0) {
                                                                          											_push( &_v88);
                                                                          											_t60 = E00091F20(0xfaa94, L"%ls%ls\\",  &_v608);
                                                                          											__eflags = _t60;
                                                                          											if(_t60 >= 0) {
                                                                          												_t23 =  *0xfaa94; // 0x0
                                                                          												goto L17;
                                                                          											} else {
                                                                          												_push("Failed to append bundle id on to temp path for working folder.");
                                                                          												goto L19;
                                                                          											}
                                                                          										} else {
                                                                          											_t60 = 0x8007000e;
                                                                          											E000937D3(_t35, "cache.cpp", 0x475, 0x8007000e);
                                                                          											_push("Failed to convert working folder guid into string.");
                                                                          											goto L19;
                                                                          										}
                                                                          									} else {
                                                                          										_push("Failed to create working folder guid.");
                                                                          										goto L19;
                                                                          									}
                                                                          								} else {
                                                                          									_push("Failed to concat Temp directory on windows path for working folder.");
                                                                          									goto L19;
                                                                          								}
                                                                          							} else {
                                                                          								_push("Failed to ensure windows path for working folder ended in backslash.");
                                                                          								goto L19;
                                                                          							}
                                                                          						} else {
                                                                          							_t48 = GetLastError();
                                                                          							_t67 =  <=  ? _t48 : _t48 & 0x0000ffff | 0x80070000;
                                                                          							_t60 =  >=  ? 0x80004005 :  <=  ? _t48 : _t48 & 0x0000ffff | 0x80070000;
                                                                          							E000937D3(0x80004005, "cache.cpp", 0x460, _t60);
                                                                          							_push("Failed to get windows path for working folder.");
                                                                          							L19:
                                                                          							_push(_t60);
                                                                          							E000D012F();
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          				return E000BDE36(_t51, _v8 ^ _t68, _t57, _t59, _t60);
                                                                          			}


                                                                          APIs
                                                                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00095381), ref: 000A8104
                                                                            • Part of subcall function 000D076C: OpenProcessToken.ADVAPI32(?,00000008,?,000952B5,00000000,?,?,?,?,?,?,?,000A74AB,00000000), ref: 000D078A
                                                                            • Part of subcall function 000D076C: GetLastError.KERNEL32(?,?,?,?,?,?,?,000A74AB,00000000), ref: 000D0794
                                                                            • Part of subcall function 000D076C: FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,000A74AB,00000000), ref: 000D081D
                                                                          • GetWindowsDirectoryW.KERNEL32(?,00000104,00000000), ref: 000A812A
                                                                          • GetLastError.KERNEL32 ref: 000A8134
                                                                          • GetTempPathW.KERNEL32(00000104,?,00000000), ref: 000A81B1
                                                                          • GetLastError.KERNEL32 ref: 000A81BB
                                                                          Strings
                                                                          • Failed to create working folder guid., xrefs: 000A8207
                                                                          • cache.cpp, xrefs: 000A8158, 000A81DF, 000A8230
                                                                          • Failed to get windows path for working folder., xrefs: 000A8162
                                                                          • Temp\, xrefs: 000A8189
                                                                          • @Mt, xrefs: 000A8134, 000A81BB
                                                                          • Failed to ensure windows path for working folder ended in backslash., xrefs: 000A817F
                                                                          • Failed to get temp path for working folder., xrefs: 000A81E9
                                                                          • Failed to convert working folder guid into string., xrefs: 000A823A
                                                                          • Failed to concat Temp directory on windows path for working folder., xrefs: 000A81A1
                                                                          • Failed to copy working folder path., xrefs: 000A827F
                                                                          • %ls%ls\, xrefs: 000A824C
                                                                          • Failed to append bundle id on to temp path for working folder., xrefs: 000A8264
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast$Process$ChangeCloseCurrentDirectoryFindNotificationOpenPathTempTokenWindows
                                                                          • String ID: %ls%ls\$@Mt$Failed to append bundle id on to temp path for working folder.$Failed to concat Temp directory on windows path for working folder.$Failed to convert working folder guid into string.$Failed to copy working folder path.$Failed to create working folder guid.$Failed to ensure windows path for working folder ended in backslash.$Failed to get temp path for working folder.$Failed to get windows path for working folder.$Temp\$cache.cpp
                                                                          • API String ID: 58964441-2583515731
                                                                          • Opcode ID: 37fdaffe0722d086016e8e18659cb1dab4aa638753f3eef184809deb007c1ca6
                                                                          • Instruction ID: b952d17442ed540e6870f9ff057dd34ad9e2e42bad676ecfb25b247f6ba18e93
                                                                          • Opcode Fuzzy Hash: 37fdaffe0722d086016e8e18659cb1dab4aa638753f3eef184809deb007c1ca6
                                                                          • Instruction Fuzzy Hash: 25410872F45724ABEB60A6F59C49FBB73ACAB05750F004162FE05FB140EA759D048BA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          control_flow_graph 1384 97503-97dc0 InitializeCriticalSection 1385 97dc3-97de0 call 95530 1384->1385 1388 97ded-97dfb call d012f 1385->1388 1389 97de2-97de9 1385->1389 1392 97dfe-97e10 call bde36 1388->1392 1389->1385 1390 97deb 1389->1390 1390->1392
                                                                          C-Code - Quality: 100%
                                                                          			E00097503(struct _CRITICAL_SECTION* _a4) {
                                                                          				signed int _v8;
                                                                          				intOrPtr _v12;
                                                                          				char _v16;
                                                                          				char _v20;
                                                                          				intOrPtr _v24;
                                                                          				char* _v28;
                                                                          				intOrPtr _v32;
                                                                          				char _v36;
                                                                          				intOrPtr _v40;
                                                                          				intOrPtr _v44;
                                                                          				char* _v48;
                                                                          				intOrPtr _v52;
                                                                          				char _v56;
                                                                          				char _v60;
                                                                          				intOrPtr _v64;
                                                                          				char* _v68;
                                                                          				intOrPtr _v72;
                                                                          				char _v76;
                                                                          				char _v80;
                                                                          				intOrPtr _v84;
                                                                          				char* _v88;
                                                                          				intOrPtr _v92;
                                                                          				char _v96;
                                                                          				intOrPtr _v100;
                                                                          				intOrPtr _v104;
                                                                          				char* _v108;
                                                                          				intOrPtr _v112;
                                                                          				char _v116;
                                                                          				char _v120;
                                                                          				intOrPtr _v124;
                                                                          				char* _v128;
                                                                          				intOrPtr _v132;
                                                                          				char _v136;
                                                                          				char _v140;
                                                                          				intOrPtr _v144;
                                                                          				char* _v148;
                                                                          				intOrPtr _v152;
                                                                          				char _v156;
                                                                          				char _v160;
                                                                          				intOrPtr _v164;
                                                                          				char* _v168;
                                                                          				intOrPtr _v172;
                                                                          				intOrPtr _v176;
                                                                          				char _v180;
                                                                          				intOrPtr _v184;
                                                                          				char* _v188;
                                                                          				intOrPtr _v192;
                                                                          				char _v196;
                                                                          				char _v200;
                                                                          				intOrPtr _v204;
                                                                          				char* _v208;
                                                                          				intOrPtr _v212;
                                                                          				char _v216;
                                                                          				char _v220;
                                                                          				intOrPtr _v224;
                                                                          				char* _v228;
                                                                          				intOrPtr _v232;
                                                                          				char _v236;
                                                                          				char _v240;
                                                                          				intOrPtr _v244;
                                                                          				char* _v248;
                                                                          				char _v252;
                                                                          				char _v256;
                                                                          				char _v260;
                                                                          				intOrPtr _v264;
                                                                          				char* _v268;
                                                                          				char _v272;
                                                                          				char _v276;
                                                                          				intOrPtr _v280;
                                                                          				intOrPtr _v284;
                                                                          				char* _v288;
                                                                          				char _v292;
                                                                          				char _v296;
                                                                          				intOrPtr _v300;
                                                                          				intOrPtr _v304;
                                                                          				char* _v308;
                                                                          				char _v312;
                                                                          				char _v316;
                                                                          				intOrPtr _v320;
                                                                          				intOrPtr _v324;
                                                                          				char* _v328;
                                                                          				char _v332;
                                                                          				char _v336;
                                                                          				char _v340;
                                                                          				intOrPtr _v344;
                                                                          				char* _v348;
                                                                          				char _v352;
                                                                          				char _v356;
                                                                          				char _v360;
                                                                          				intOrPtr _v364;
                                                                          				char* _v368;
                                                                          				char _v372;
                                                                          				char _v376;
                                                                          				intOrPtr _v380;
                                                                          				intOrPtr _v384;
                                                                          				char* _v388;
                                                                          				char _v392;
                                                                          				char _v396;
                                                                          				intOrPtr _v400;
                                                                          				intOrPtr _v404;
                                                                          				char* _v408;
                                                                          				char _v412;
                                                                          				char _v416;
                                                                          				char _v420;
                                                                          				intOrPtr _v424;
                                                                          				char* _v428;
                                                                          				char _v432;
                                                                          				char _v436;
                                                                          				char _v440;
                                                                          				intOrPtr _v444;
                                                                          				char* _v448;
                                                                          				char _v452;
                                                                          				char _v456;
                                                                          				intOrPtr _v460;
                                                                          				intOrPtr _v464;
                                                                          				char* _v468;
                                                                          				char _v472;
                                                                          				char _v476;
                                                                          				char _v480;
                                                                          				intOrPtr _v484;
                                                                          				char* _v488;
                                                                          				char _v492;
                                                                          				char _v496;
                                                                          				intOrPtr _v500;
                                                                          				intOrPtr _v504;
                                                                          				char* _v508;
                                                                          				char _v512;
                                                                          				char _v516;
                                                                          				intOrPtr _v520;
                                                                          				intOrPtr _v524;
                                                                          				char* _v528;
                                                                          				char _v532;
                                                                          				char _v536;
                                                                          				intOrPtr _v540;
                                                                          				intOrPtr _v544;
                                                                          				char* _v548;
                                                                          				char _v552;
                                                                          				char _v556;
                                                                          				intOrPtr _v560;
                                                                          				intOrPtr _v564;
                                                                          				char* _v568;
                                                                          				char _v572;
                                                                          				char _v576;
                                                                          				char _v580;
                                                                          				intOrPtr _v584;
                                                                          				char* _v588;
                                                                          				char _v592;
                                                                          				char _v596;
                                                                          				intOrPtr _v600;
                                                                          				intOrPtr _v604;
                                                                          				char* _v608;
                                                                          				char _v612;
                                                                          				char _v616;
                                                                          				intOrPtr _v620;
                                                                          				intOrPtr _v624;
                                                                          				char* _v628;
                                                                          				char _v632;
                                                                          				char _v636;
                                                                          				intOrPtr _v640;
                                                                          				intOrPtr _v644;
                                                                          				char* _v648;
                                                                          				char _v652;
                                                                          				char _v656;
                                                                          				intOrPtr _v660;
                                                                          				intOrPtr _v664;
                                                                          				char* _v668;
                                                                          				char _v672;
                                                                          				char _v676;
                                                                          				intOrPtr _v680;
                                                                          				intOrPtr _v684;
                                                                          				char* _v688;
                                                                          				char _v692;
                                                                          				char _v696;
                                                                          				char _v700;
                                                                          				intOrPtr _v704;
                                                                          				char* _v708;
                                                                          				char _v712;
                                                                          				char _v716;
                                                                          				intOrPtr _v720;
                                                                          				intOrPtr _v724;
                                                                          				char* _v728;
                                                                          				char _v732;
                                                                          				char _v736;
                                                                          				intOrPtr _v740;
                                                                          				intOrPtr _v744;
                                                                          				char* _v748;
                                                                          				char _v752;
                                                                          				char _v756;
                                                                          				intOrPtr _v760;
                                                                          				intOrPtr _v764;
                                                                          				char* _v768;
                                                                          				char _v772;
                                                                          				char _v776;
                                                                          				intOrPtr _v780;
                                                                          				intOrPtr _v784;
                                                                          				char* _v788;
                                                                          				char _v792;
                                                                          				char _v796;
                                                                          				intOrPtr _v800;
                                                                          				intOrPtr _v804;
                                                                          				char* _v808;
                                                                          				char _v812;
                                                                          				char _v816;
                                                                          				intOrPtr _v820;
                                                                          				intOrPtr _v824;
                                                                          				char* _v828;
                                                                          				char _v832;
                                                                          				char _v836;
                                                                          				intOrPtr _v840;
                                                                          				intOrPtr _v844;
                                                                          				char* _v848;
                                                                          				char _v852;
                                                                          				char _v856;
                                                                          				intOrPtr _v860;
                                                                          				intOrPtr _v864;
                                                                          				char* _v868;
                                                                          				char _v872;
                                                                          				char _v876;
                                                                          				intOrPtr _v880;
                                                                          				intOrPtr _v884;
                                                                          				char* _v888;
                                                                          				char _v892;
                                                                          				char _v896;
                                                                          				intOrPtr _v900;
                                                                          				intOrPtr _v904;
                                                                          				char* _v908;
                                                                          				char _v912;
                                                                          				char _v916;
                                                                          				char _v920;
                                                                          				intOrPtr _v924;
                                                                          				char* _v928;
                                                                          				char _v932;
                                                                          				char _v936;
                                                                          				intOrPtr _v940;
                                                                          				intOrPtr _v944;
                                                                          				char* _v948;
                                                                          				char _v952;
                                                                          				char _v956;
                                                                          				char _v960;
                                                                          				intOrPtr _v964;
                                                                          				char* _v968;
                                                                          				char _v972;
                                                                          				char _v976;
                                                                          				char _v980;
                                                                          				intOrPtr _v984;
                                                                          				char* _v988;
                                                                          				char _v992;
                                                                          				char _v996;
                                                                          				intOrPtr _v1000;
                                                                          				intOrPtr _v1004;
                                                                          				char* _v1008;
                                                                          				char _v1012;
                                                                          				char _v1016;
                                                                          				intOrPtr _v1020;
                                                                          				intOrPtr _v1024;
                                                                          				char* _v1028;
                                                                          				char _v1032;
                                                                          				char _v1036;
                                                                          				char _v1040;
                                                                          				intOrPtr _v1044;
                                                                          				char* _v1048;
                                                                          				char _v1052;
                                                                          				char _v1056;
                                                                          				char _v1060;
                                                                          				intOrPtr _v1064;
                                                                          				char* _v1068;
                                                                          				char _v1072;
                                                                          				char _v1076;
                                                                          				char _v1080;
                                                                          				intOrPtr _v1084;
                                                                          				char* _v1088;
                                                                          				char _v1092;
                                                                          				char _v1096;
                                                                          				intOrPtr _v1100;
                                                                          				intOrPtr _v1104;
                                                                          				char* _v1108;
                                                                          				char _v1112;
                                                                          				char _v1116;
                                                                          				intOrPtr _v1120;
                                                                          				intOrPtr _v1124;
                                                                          				char* _v1128;
                                                                          				char _v1132;
                                                                          				char _v1136;
                                                                          				intOrPtr _v1140;
                                                                          				intOrPtr _v1144;
                                                                          				char* _v1148;
                                                                          				char _v1152;
                                                                          				char _v1156;
                                                                          				intOrPtr _v1160;
                                                                          				intOrPtr _v1164;
                                                                          				char* _v1168;
                                                                          				char _v1172;
                                                                          				char _v1176;
                                                                          				intOrPtr _v1180;
                                                                          				intOrPtr _v1184;
                                                                          				char* _v1188;
                                                                          				char _v1192;
                                                                          				char _v1196;
                                                                          				intOrPtr _v1200;
                                                                          				intOrPtr _v1204;
                                                                          				char* _v1208;
                                                                          				char _v1212;
                                                                          				char _v1216;
                                                                          				intOrPtr _v1220;
                                                                          				intOrPtr _v1224;
                                                                          				char* _v1228;
                                                                          				struct _CRITICAL_SECTION* _v1232;
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				void* __ebp;
                                                                          				signed int _t317;
                                                                          				struct _CRITICAL_SECTION* _t319;
                                                                          				intOrPtr _t320;
                                                                          				intOrPtr _t321;
                                                                          				intOrPtr _t322;
                                                                          				void* _t328;
                                                                          				intOrPtr _t333;
                                                                          				intOrPtr _t335;
                                                                          				intOrPtr _t336;
                                                                          				intOrPtr _t338;
                                                                          				intOrPtr _t342;
                                                                          				intOrPtr _t346;
                                                                          				intOrPtr* _t347;
                                                                          				char _t348;
                                                                          				signed int _t349;
                                                                          
                                                                          				_t317 =  *0xfa008; // 0x90c8e23b
                                                                          				_v8 = _t317 ^ _t349;
                                                                          				_t319 = _a4;
                                                                          				_v1232 = _t319;
                                                                          				InitializeCriticalSection(_t319);
                                                                          				_t348 = 0;
                                                                          				_v1228 = L"AdminToolsFolder";
                                                                          				_t320 = 0x2b;
                                                                          				_v1220 = 0x30;
                                                                          				_v1224 = E00095EAB;
                                                                          				_v1216 = 0;
                                                                          				_t335 = 6;
                                                                          				_v1212 = 0;
                                                                          				_v1208 = L"AppDataFolder";
                                                                          				_v1204 = E00095EAB;
                                                                          				_v1200 = 0x1a;
                                                                          				_v1196 = 0;
                                                                          				_v1192 = 0;
                                                                          				_v1188 = L"CommonAppDataFolder";
                                                                          				_v1184 = E00095EAB;
                                                                          				_v1180 = 0x23;
                                                                          				_v1176 = 0;
                                                                          				_v1172 = 0;
                                                                          				_v1168 = L"CommonFiles64Folder";
                                                                          				_v1164 = E00096418;
                                                                          				_v1160 = _t320;
                                                                          				_v1156 = 0;
                                                                          				_v1152 = 0;
                                                                          				_v1148 = L"CommonFilesFolder";
                                                                          				_v1144 = E00095EAB;
                                                                          				_v1140 = _t320;
                                                                          				_v1136 = 0;
                                                                          				_v1132 = 0;
                                                                          				_v1128 = L"CommonFiles6432Folder";
                                                                          				_v1124 = E00095D71;
                                                                          				_v1120 = _t320;
                                                                          				_v1116 = 0;
                                                                          				_v1112 = 0;
                                                                          				_v1108 = L"CompatibilityMode";
                                                                          				_v1104 = E00096184;
                                                                          				_v1100 = 0xc;
                                                                          				_v1096 = 0;
                                                                          				_v1092 = 0;
                                                                          				_v1088 = L"Date";
                                                                          				_v1084 = E00095F14;
                                                                          				_v1080 = 0;
                                                                          				_v1076 = 0;
                                                                          				_v1072 = 0;
                                                                          				_v1068 = L"ComputerName";
                                                                          				_v1064 = E00095E0B;
                                                                          				_v1060 = 0;
                                                                          				_v1056 = 0;
                                                                          				_v1052 = 0;
                                                                          				_v1048 = L"DesktopFolder";
                                                                          				_v1044 = E00095EAB;
                                                                          				_v1040 = 0;
                                                                          				_v1036 = 0;
                                                                          				_v1032 = 0;
                                                                          				_v1028 = L"FavoritesFolder";
                                                                          				_v1024 = E00095EAB;
                                                                          				_v1020 = _t335;
                                                                          				_v1016 = 0;
                                                                          				_v1012 = 0;
                                                                          				_v1008 = L"FontsFolder";
                                                                          				_v1004 = E00095EAB;
                                                                          				_v1000 = 0x14;
                                                                          				_v996 = 0;
                                                                          				_v992 = 0;
                                                                          				_v988 = L"InstallerName";
                                                                          				_v984 = E0009602F;
                                                                          				_v980 = 0;
                                                                          				_v976 = 0;
                                                                          				_v972 = 0;
                                                                          				_v968 = L"InstallerVersion";
                                                                          				_t321 = 5;
                                                                          				_v944 = E00095EAB;
                                                                          				_v904 = E00095EAB;
                                                                          				_t333 = 7;
                                                                          				_v840 = _t335;
                                                                          				_t336 = 9;
                                                                          				_v884 = E00096184;
                                                                          				_v864 = E00096184;
                                                                          				_v844 = E00096184;
                                                                          				_v824 = E00096184;
                                                                          				_v804 = E00096184;
                                                                          				_v784 = E00096184;
                                                                          				_v764 = E00096184;
                                                                          				_v744 = E00096184;
                                                                          				_t342 = 0xb;
                                                                          				_v964 = E0009605C;
                                                                          				_v960 = 0;
                                                                          				_v956 = 0;
                                                                          				_v952 = 0;
                                                                          				_v948 = L"LocalAppDataFolder";
                                                                          				_v940 = 0x1c;
                                                                          				_v936 = 0;
                                                                          				_v932 = 0;
                                                                          				_v928 = L"LogonUser";
                                                                          				_v924 = E000960BA;
                                                                          				_v920 = 0;
                                                                          				_v916 = 0;
                                                                          				_v912 = 0;
                                                                          				_v908 = L"MyPicturesFolder";
                                                                          				_v900 = 0x27;
                                                                          				_v896 = 0;
                                                                          				_v892 = 0;
                                                                          				_v888 = L"NTProductType";
                                                                          				_v880 = 4;
                                                                          				_v876 = 0;
                                                                          				_v872 = 0;
                                                                          				_v868 = L"NTSuiteBackOffice";
                                                                          				_v860 = _t321;
                                                                          				_v856 = 0;
                                                                          				_v852 = 0;
                                                                          				_v848 = L"NTSuiteDataCenter";
                                                                          				_v836 = 0;
                                                                          				_v832 = 0;
                                                                          				_v828 = L"NTSuiteEnterprise";
                                                                          				_v820 = E00095EAB;
                                                                          				_v816 = 0;
                                                                          				_v812 = 0;
                                                                          				_v808 = L"NTSuitePersonal";
                                                                          				_v800 = 8;
                                                                          				_v796 = 0;
                                                                          				_v792 = 0;
                                                                          				_v788 = L"NTSuiteSmallBusiness";
                                                                          				_v780 = _t336;
                                                                          				_v776 = 0;
                                                                          				_v772 = 0;
                                                                          				_v768 = L"NTSuiteSmallBusinessRestricted";
                                                                          				_v760 = 0xa;
                                                                          				_v756 = 0;
                                                                          				_v752 = 0;
                                                                          				_v748 = L"NTSuiteWebServer";
                                                                          				_v740 = E00096184;
                                                                          				_v736 = 0;
                                                                          				_v732 = 0;
                                                                          				_v728 = L"PersonalFolder";
                                                                          				_v724 = E00095EAB;
                                                                          				_v720 = _t321;
                                                                          				_v716 = 0;
                                                                          				_v712 = 0;
                                                                          				_v708 = L"Privileged";
                                                                          				_v704 = E00096360;
                                                                          				_v700 = 0;
                                                                          				_v696 = 0;
                                                                          				_v692 = 0;
                                                                          				_v688 = L"ProcessorArchitecture";
                                                                          				_v684 = E000965DF;
                                                                          				_v680 = 0xe;
                                                                          				_v676 = 0;
                                                                          				_t322 = 0x26;
                                                                          				_v660 = _t322;
                                                                          				_v640 = _t322;
                                                                          				_v620 = _t322;
                                                                          				_v604 = E00095EAB;
                                                                          				_v564 = E00095EAB;
                                                                          				_v524 = E00095EAB;
                                                                          				_v504 = E00095EAB;
                                                                          				_v520 = _t342;
                                                                          				_v624 = E00095D71;
                                                                          				_v560 = _t336;
                                                                          				_v484 = E000964B6;
                                                                          				_v464 = E000964B6;
                                                                          				_t346 = 2;
                                                                          				_v672 = 0;
                                                                          				_v668 = L"ProgramFiles64Folder";
                                                                          				_v664 = E00096418;
                                                                          				_v656 = 0;
                                                                          				_v652 = 0;
                                                                          				_v648 = L"ProgramFilesFolder";
                                                                          				_v644 = E00095EAB;
                                                                          				_v636 = 0;
                                                                          				_v632 = 0;
                                                                          				_v628 = L"ProgramFiles6432Folder";
                                                                          				_v616 = 0;
                                                                          				_v612 = 0;
                                                                          				_v608 = L"ProgramMenuFolder";
                                                                          				_v600 = E00095D71;
                                                                          				_v596 = 0;
                                                                          				_v592 = 0;
                                                                          				_v588 = L"RebootPending";
                                                                          				_v584 = E000963A9;
                                                                          				_v580 = 0;
                                                                          				_v576 = 0;
                                                                          				_v572 = 0;
                                                                          				_v568 = L"SendToFolder";
                                                                          				_v556 = 0;
                                                                          				_v552 = 0;
                                                                          				_v548 = L"ServicePackLevel";
                                                                          				_v544 = E000967E5;
                                                                          				_v540 = 3;
                                                                          				_v536 = 0;
                                                                          				_v532 = 0;
                                                                          				_v528 = L"StartMenuFolder";
                                                                          				_v516 = 0;
                                                                          				_v512 = 0;
                                                                          				_v508 = L"StartupFolder";
                                                                          				_v500 = _t333;
                                                                          				_v496 = 0;
                                                                          				_v492 = 0;
                                                                          				_v488 = L"SystemFolder";
                                                                          				_v480 = 0;
                                                                          				_v476 = 0;
                                                                          				_v472 = 0;
                                                                          				_v468 = L"System64Folder";
                                                                          				_v460 = 1;
                                                                          				_v456 = 0;
                                                                          				_v452 = 0;
                                                                          				_v448 = L"SystemLanguageID";
                                                                          				_v444 = E00095D0D;
                                                                          				_v440 = 0;
                                                                          				_v436 = 0;
                                                                          				_v432 = 0;
                                                                          				_v428 = L"TempFolder";
                                                                          				_v424 = E00096644;
                                                                          				_v420 = 0;
                                                                          				_v416 = 0;
                                                                          				_v412 = 0;
                                                                          				_v408 = L"TemplateFolder";
                                                                          				_v404 = E00095EAB;
                                                                          				_v400 = 0x15;
                                                                          				_v396 = 0;
                                                                          				_v392 = 0;
                                                                          				_v284 = E00095EAB;
                                                                          				_v324 = E000967E5;
                                                                          				_v304 = E000967E5;
                                                                          				_t338 = E0009648B;
                                                                          				_v244 = E00096159;
                                                                          				_v164 = E00096159;
                                                                          				_v144 = E00096159;
                                                                          				_v388 = L"TerminalServer";
                                                                          				_v384 = E00096184;
                                                                          				_v380 = 0xd;
                                                                          				_v376 = 0;
                                                                          				_v372 = 0;
                                                                          				_v368 = L"UserLanguageID";
                                                                          				_v364 = E00095D3F;
                                                                          				_v360 = 0;
                                                                          				_v356 = 0;
                                                                          				_v352 = 0;
                                                                          				_v348 = L"VersionMsi";
                                                                          				_v344 = E0009671C;
                                                                          				_v340 = 0;
                                                                          				_v336 = 0;
                                                                          				_v332 = 0;
                                                                          				_v328 = L"VersionNT";
                                                                          				_v320 = 1;
                                                                          				_v316 = 0;
                                                                          				_v312 = 0;
                                                                          				_v308 = L"VersionNT64";
                                                                          				_v300 = _t346;
                                                                          				_v296 = 0;
                                                                          				_v292 = 0;
                                                                          				_v288 = L"WindowsFolder";
                                                                          				_v280 = 0x24;
                                                                          				_v276 = 0;
                                                                          				_v272 = 0;
                                                                          				_v268 = L"WindowsVolume";
                                                                          				_v264 = E000969B8;
                                                                          				_v260 = 0;
                                                                          				_v256 = 0;
                                                                          				_v252 = 0;
                                                                          				_v248 = L"WixBundleAction";
                                                                          				_v240 = 0;
                                                                          				_v236 = 0;
                                                                          				_v232 = 1;
                                                                          				_v228 = L"WixBundleExecutePackageCacheFolder";
                                                                          				_v224 = E0009648B;
                                                                          				_v220 = 0;
                                                                          				_v216 = 0;
                                                                          				_v212 = 1;
                                                                          				_v208 = L"WixBundleExecutePackageAction";
                                                                          				_v204 = E0009648B;
                                                                          				_v200 = 0;
                                                                          				_v196 = 0;
                                                                          				_v192 = 1;
                                                                          				_v188 = L"WixBundleForcedRestartPackage";
                                                                          				_v184 = E0009648B;
                                                                          				_v180 = 0;
                                                                          				_v176 = 1;
                                                                          				_v172 = 1;
                                                                          				_v168 = L"WixBundleInstalled";
                                                                          				_v160 = 0;
                                                                          				_v156 = 0;
                                                                          				_v152 = 1;
                                                                          				_v148 = L"WixBundleElevated";
                                                                          				_v140 = 0;
                                                                          				_v136 = 0;
                                                                          				_v132 = 1;
                                                                          				_v128 = L"WixBundleActiveParent";
                                                                          				_v124 = E0009648B;
                                                                          				_v120 = 0;
                                                                          				_v116 = 0;
                                                                          				_v112 = 1;
                                                                          				_v108 = L"WixBundleProviderKey";
                                                                          				_v104 = E0009648B;
                                                                          				_v100 = 0xdb524;
                                                                          				_v96 = 0;
                                                                          				_v92 = 1;
                                                                          				_v88 = L"WixBundleSourceProcessPath";
                                                                          				_v84 = E0009648B;
                                                                          				_v80 = 0;
                                                                          				_v76 = 0;
                                                                          				_t347 =  &_v1216;
                                                                          				_v72 = 1;
                                                                          				_v68 = L"WixBundleSourceProcessFolder";
                                                                          				_v64 = E0009648B;
                                                                          				_v60 = 0;
                                                                          				_v56 = 0;
                                                                          				_v52 = 1;
                                                                          				_v48 = L"WixBundleTag";
                                                                          				_v44 = E0009648B;
                                                                          				_v40 = 0xdb524;
                                                                          				_v36 = 0;
                                                                          				_v32 = 1;
                                                                          				_v28 = L"WixBundleVersion";
                                                                          				_v24 = E000966F1;
                                                                          				_v20 = 0;
                                                                          				_v16 = 0;
                                                                          				_v12 = 1;
                                                                          				while(1) {
                                                                          					_t328 = E00095530(_t338, _v1232,  *((intOrPtr*)(_t347 - 0xc)),  *((intOrPtr*)(_t347 - 8)),  *((intOrPtr*)(_t347 - 4)),  *_t347,  *((intOrPtr*)(_t347 + 4))); // executed
                                                                          					_t334 = _t328;
                                                                          					if(_t328 < 0) {
                                                                          						break;
                                                                          					}
                                                                          					_t348 = _t348 + 1;
                                                                          					_t347 = _t347 + 0x14;
                                                                          					if(_t348 < 0x3d) {
                                                                          						continue;
                                                                          					} else {
                                                                          					}
                                                                          					L5:
                                                                          					return E000BDE36(_t334, _v8 ^ _t349, 1, _t347, _t348);
                                                                          				}
                                                                          				E000D012F(_t334, "Failed to add built-in variable: %ls.",  *((intOrPtr*)(_t347 - 0xc)));
                                                                          				goto L5;
                                                                          			}
                                                                          0x000978ac
                                                                          0x000978b6
                                                                          0x000978bc
                                                                          0x000978c2
                                                                          0x000978cc
                                                                          0x000978d2
                                                                          0x000978d8
                                                                          0x000978de
                                                                          0x000978e8
                                                                          0x000978f2
                                                                          0x000978f8
                                                                          0x000978fe
                                                                          0x00097904
                                                                          0x0009790e
                                                                          0x00097918
                                                                          0x0009791e
                                                                          0x00097924
                                                                          0x0009792a
                                                                          0x00097934
                                                                          0x0009793e
                                                                          0x00097948
                                                                          0x00097950
                                                                          0x00097951
                                                                          0x00097957
                                                                          0x0009795d
                                                                          0x00097968
                                                                          0x0009796e
                                                                          0x00097974
                                                                          0x0009797a
                                                                          0x00097985
                                                                          0x0009798f
                                                                          0x00097996
                                                                          0x000979a1
                                                                          0x000979a7
                                                                          0x000979b2
                                                                          0x000979b3
                                                                          0x000979b9
                                                                          0x000979c3
                                                                          0x000979cd
                                                                          0x000979d3
                                                                          0x000979d9
                                                                          0x000979e3
                                                                          0x000979ed
                                                                          0x000979f3
                                                                          0x000979f9
                                                                          0x00097a03
                                                                          0x00097a09
                                                                          0x00097a0f
                                                                          0x00097a19
                                                                          0x00097a1f
                                                                          0x00097a25
                                                                          0x00097a2b
                                                                          0x00097a35
                                                                          0x00097a3f
                                                                          0x00097a45
                                                                          0x00097a4b
                                                                          0x00097a51
                                                                          0x00097a5b
                                                                          0x00097a61
                                                                          0x00097a67
                                                                          0x00097a71
                                                                          0x00097a77
                                                                          0x00097a81
                                                                          0x00097a87
                                                                          0x00097a8d
                                                                          0x00097a97
                                                                          0x00097a9d
                                                                          0x00097aa3
                                                                          0x00097aad
                                                                          0x00097ab3
                                                                          0x00097ab9
                                                                          0x00097abf
                                                                          0x00097ac9
                                                                          0x00097acf
                                                                          0x00097ad5
                                                                          0x00097adb
                                                                          0x00097ae5
                                                                          0x00097aeb
                                                                          0x00097af1
                                                                          0x00097af7
                                                                          0x00097b01
                                                                          0x00097b0b
                                                                          0x00097b11
                                                                          0x00097b17
                                                                          0x00097b1d
                                                                          0x00097b27
                                                                          0x00097b31
                                                                          0x00097b37
                                                                          0x00097b3d
                                                                          0x00097b43
                                                                          0x00097b4d
                                                                          0x00097b53
                                                                          0x00097b5d
                                                                          0x00097b63
                                                                          0x00097b69
                                                                          0x00097b74
                                                                          0x00097b7a
                                                                          0x00097b80
                                                                          0x00097b85
                                                                          0x00097b8b
                                                                          0x00097b91
                                                                          0x00097b9c
                                                                          0x00097ba6
                                                                          0x00097bb0
                                                                          0x00097bba
                                                                          0x00097bc0
                                                                          0x00097bc6
                                                                          0x00097bd0
                                                                          0x00097bda
                                                                          0x00097be0
                                                                          0x00097be6
                                                                          0x00097bec
                                                                          0x00097bf6
                                                                          0x00097c00
                                                                          0x00097c06
                                                                          0x00097c0c
                                                                          0x00097c12
                                                                          0x00097c1c
                                                                          0x00097c22
                                                                          0x00097c28
                                                                          0x00097c2e
                                                                          0x00097c38
                                                                          0x00097c3e
                                                                          0x00097c44
                                                                          0x00097c4a
                                                                          0x00097c54
                                                                          0x00097c5e
                                                                          0x00097c64
                                                                          0x00097c6a
                                                                          0x00097c74
                                                                          0x00097c7e
                                                                          0x00097c84
                                                                          0x00097c8a
                                                                          0x00097c90
                                                                          0x00097c9a
                                                                          0x00097ca0
                                                                          0x00097ca6
                                                                          0x00097cac
                                                                          0x00097cb6
                                                                          0x00097cbc
                                                                          0x00097cc2
                                                                          0x00097cc8
                                                                          0x00097cce
                                                                          0x00097cd8
                                                                          0x00097cde
                                                                          0x00097ce4
                                                                          0x00097cea
                                                                          0x00097cf0
                                                                          0x00097cfa
                                                                          0x00097d00
                                                                          0x00097d06
                                                                          0x00097d0c
                                                                          0x00097d12
                                                                          0x00097d1c
                                                                          0x00097d22
                                                                          0x00097d28
                                                                          0x00097d2e
                                                                          0x00097d38
                                                                          0x00097d3e
                                                                          0x00097d44
                                                                          0x00097d47
                                                                          0x00097d4e
                                                                          0x00097d51
                                                                          0x00097d54
                                                                          0x00097d57
                                                                          0x00097d5a
                                                                          0x00097d61
                                                                          0x00097d64
                                                                          0x00097d67
                                                                          0x00097d6a
                                                                          0x00097d6d
                                                                          0x00097d74
                                                                          0x00097d77
                                                                          0x00097d7a
                                                                          0x00097d7d
                                                                          0x00097d83
                                                                          0x00097d86
                                                                          0x00097d8d
                                                                          0x00097d90
                                                                          0x00097d93
                                                                          0x00097d96
                                                                          0x00097d99
                                                                          0x00097da0
                                                                          0x00097da3
                                                                          0x00097da6
                                                                          0x00097da9
                                                                          0x00097dac
                                                                          0x00097db3
                                                                          0x00097dba
                                                                          0x00097dbd
                                                                          0x00097dc0
                                                                          0x00097dc3
                                                                          0x00097dd7
                                                                          0x00097ddc
                                                                          0x00097de0
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00097de2
                                                                          0x00097de3
                                                                          0x00097de9
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00097deb
                                                                          0x00097dfe
                                                                          0x00097e10
                                                                          0x00097e10
                                                                          0x00097df6
                                                                          0x00000000

                                                                          APIs
                                                                          • InitializeCriticalSection.KERNEL32(000A7378,000952B5,00000000,0009533D), ref: 00097523
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalInitializeSection
                                                                          • String ID: #$$$'$0$Date$Failed to add built-in variable: %ls.$InstallerName$InstallerVersion$LogonUser$WixBundleAction$WixBundleActiveParent$WixBundleElevated$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$WixBundleForcedRestartPackage$WixBundleInstalled$WixBundleProviderKey$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleTag$WixBundleVersion
                                                                          • API String ID: 32694325-826827252
                                                                          • Opcode ID: 271409593653e2e651b074dbd2bd7fed9cbc0a14f2db5b413c884d9eb9a70364
                                                                          • Instruction ID: 34e1d25ba5166d330d742a35805512940b61c20da245830f2fae98fed1c42f38
                                                                          • Opcode Fuzzy Hash: 271409593653e2e651b074dbd2bd7fed9cbc0a14f2db5b413c884d9eb9a70364
                                                                          • Instruction Fuzzy Hash: FF3226B0C263798BDB65CF59C98878DBAB8BB49B04F5081DBE10CA6311D7B50B84DF94
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • CoInitializeEx.OLE32(00000000,00000000), ref: 000B0E65
                                                                          • CoUninitialize.OLE32 ref: 000B10D9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: InitializeUninitialize
                                                                          • String ID: <the>.cab$@Mt$Failed to extract all files from container, erf: %d:%X:%d$Failed to initialize COM.$Failed to initialize cabinet.dll.$Failed to reset begin operation event.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
                                                                          • API String ID: 3442037557-233467505
                                                                          • Opcode ID: a159e96c7cce8b2ad130255f405842416d3cadcc6ebc7d8968db9e3c5335b38f
                                                                          • Instruction ID: e7d0e97de098dafbb3dd738d0e2b5a34b7242233e1d49e8d4587112a212eb1d2
                                                                          • Opcode Fuzzy Hash: a159e96c7cce8b2ad130255f405842416d3cadcc6ebc7d8968db9e3c5335b38f
                                                                          • Instruction Fuzzy Hash: 2351B032B54362EBD7302665CD45EFFB690DB45760F12023AFD02BF780D6A98D009AE2
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 66%
                                                                          			E000941D2(void* __ecx, union _LARGE_INTEGER* __edx, void* __eflags, struct _CRITICAL_SECTION* _a4, signed int _a8) {
                                                                          				char _v8;
                                                                          				void* _t50;
                                                                          				int _t55;
                                                                          				WCHAR* _t56;
                                                                          				int _t62;
                                                                          				WCHAR* _t63;
                                                                          				signed int _t69;
                                                                          				intOrPtr* _t72;
                                                                          				signed int _t76;
                                                                          				struct _CRITICAL_SECTION* _t79;
                                                                          				signed int _t83;
                                                                          				void* _t89;
                                                                          				void* _t93;
                                                                          				union _LARGE_INTEGER* _t96;
                                                                          				struct _CRITICAL_SECTION* _t98;
                                                                          				void* _t100;
                                                                          				void* _t103;
                                                                          
                                                                          				_t96 = __edx;
                                                                          				_push(__ecx);
                                                                          				_a8 = _a8 | 0xffffffff;
                                                                          				_t98 = _a4;
                                                                          				_v8 = _a8;
                                                                          				 *(_t98 + 0x498) =  *(_t98 + 0x498) | 0xffffffff;
                                                                          				 *(_t98 + 0x494) = 1;
                                                                          				InitializeCriticalSection(_t98);
                                                                          				_t9 = _t98 + 0xd0; // 0xd0
                                                                          				InitializeCriticalSection(_t9);
                                                                          				_t10 = _t98 + 0x4a0; // 0x4a0
                                                                          				E000A4B0E(_t10);
                                                                          				_t11 = _t98 + 0x4b8; // 0x4b8
                                                                          				E000A4B0E(_t11);
                                                                          				_t83 = 0;
                                                                          				if( *((intOrPtr*)(_t98 + 0x4dc)) <= 0) {
                                                                          					L14:
                                                                          					_t40 = _t98 + 0x48; // 0x48
                                                                          					_t50 = E0009B389(_t96, _t40, _v8, _a8); // executed
                                                                          					_t103 = _t50;
                                                                          					if(_t103 < 0) {
                                                                          						_push("Failed to initialize engine section.");
                                                                          						_push(_t103);
                                                                          						E000D012F();
                                                                          					}
                                                                          					L16:
                                                                          					return _t103;
                                                                          				}
                                                                          				do {
                                                                          					if( *((short*)( *((intOrPtr*)( *((intOrPtr*)(_t98 + 0x4e0)) + _t83 * 4)))) != 0x2d) {
                                                                          						goto L13;
                                                                          					}
                                                                          					_t55 = lstrlenW(L"burn.filehandle.attached");
                                                                          					_t56 = L"burn.filehandle.attached";
                                                                          					if(CompareStringW(0x7f, 1,  *((intOrPtr*)( *((intOrPtr*)(_t98 + 0x4e0)) + _t83 * 4)) + 2, lstrlenW(_t56), _t56, _t55) != 2) {
                                                                          						L8:
                                                                          						_t62 = lstrlenW(L"burn.filehandle.self");
                                                                          						_t63 = L"burn.filehandle.self";
                                                                          						if(CompareStringW(0x7f, 1,  *((intOrPtr*)( *((intOrPtr*)(_t98 + 0x4e0)) + _t83 * 4)) + 2, lstrlenW(_t63), _t63, _t62) != 2) {
                                                                          							goto L13;
                                                                          						}
                                                                          						_t69 = lstrlenW(L"burn.filehandle.self");
                                                                          						_t72 =  *((intOrPtr*)( *((intOrPtr*)(_t98 + 0x4e0)) + _t83 * 4)) + 4 + _t69 * 2;
                                                                          						_t89 = 0x3d;
                                                                          						_a4 = _t72;
                                                                          						if(_t89 !=  *((intOrPtr*)(_t72 - 2)) || 0 ==  *_t72) {
                                                                          							_t100 = 0x80070057;
                                                                          							E000937D3(_t72, "engine.cpp", 0x140, 0x80070057);
                                                                          							_push(L"burn.filehandle.self");
                                                                          							L19:
                                                                          							_push("Missing required parameter for switch: %ls");
                                                                          							_t103 = _t100;
                                                                          							_push(_t100);
                                                                          							goto L20;
                                                                          						} else {
                                                                          							_t103 = E000929DC( &_v8, _t96, _t72, 0,  &_v8);
                                                                          							if(_t103 < 0) {
                                                                          								L17:
                                                                          								_push(_a4);
                                                                          								_push("Failed to parse file handle: \'%ls\'");
                                                                          								_push(_t103);
                                                                          								L20:
                                                                          								E000D012F();
                                                                          								goto L16;
                                                                          							}
                                                                          							goto L13;
                                                                          						}
                                                                          					}
                                                                          					_t76 = lstrlenW(L"burn.filehandle.attached");
                                                                          					_t79 =  *((intOrPtr*)( *((intOrPtr*)(_t98 + 0x4e0)) + _t83 * 4)) + 4 + _t76 * 2;
                                                                          					_t93 = 0x3d;
                                                                          					_a4 = _t79;
                                                                          					if(_t93 !=  *((intOrPtr*)(_t79 - 2)) || 0 ==  *_t79) {
                                                                          						_t100 = 0x80070057;
                                                                          						E000937D3(_t79, "engine.cpp", 0x135, 0x80070057);
                                                                          						_push(L"burn.filehandle.attached");
                                                                          						goto L19;
                                                                          					} else {
                                                                          						_t103 = E000929DC( &_a8, _t96, _t79, 0,  &_a8);
                                                                          						if(_t103 < 0) {
                                                                          							goto L17;
                                                                          						}
                                                                          						goto L8;
                                                                          					}
                                                                          					L13:
                                                                          					_t83 = _t83 + 1;
                                                                          				} while (_t83 <  *((intOrPtr*)(_t98 + 0x4dc)));
                                                                          				goto L14;
                                                                          			}





















                                                                          APIs
                                                                          • InitializeCriticalSection.KERNEL32(00000000,?,00000000,00000000,?,?,0009515E,?,?,00000000,?,?), ref: 000941FE
                                                                          • InitializeCriticalSection.KERNEL32(000000D0,?,?,0009515E,?,?,00000000,?,?), ref: 00094207
                                                                          • lstrlenW.KERNEL32(burn.filehandle.attached,000004B8,000004A0,?,?,0009515E,?,?,00000000,?,?), ref: 0009424D
                                                                          • lstrlenW.KERNEL32(burn.filehandle.attached,burn.filehandle.attached,00000000,?,?,0009515E,?,?,00000000,?,?), ref: 00094257
                                                                          • CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,0009515E,?,?,00000000,?,?), ref: 0009426B
                                                                          • lstrlenW.KERNEL32(burn.filehandle.attached,?,?,0009515E,?,?,00000000,?,?), ref: 0009427B
                                                                          • lstrlenW.KERNEL32(burn.filehandle.self,?,?,0009515E,?,?,00000000,?,?), ref: 000942CB
                                                                          • lstrlenW.KERNEL32(burn.filehandle.self,burn.filehandle.self,00000000,?,?,0009515E,?,?,00000000,?,?), ref: 000942D5
                                                                          • CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,0009515E,?,?,00000000,?,?), ref: 000942E9
                                                                          • lstrlenW.KERNEL32(burn.filehandle.self,?,?,0009515E,?,?,00000000,?,?), ref: 000942F9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: lstrlen$CompareCriticalInitializeSectionString
                                                                          • String ID: Failed to initialize engine section.$Failed to parse file handle: '%ls'$Missing required parameter for switch: %ls$burn.filehandle.attached$burn.filehandle.self$engine.cpp
                                                                          • API String ID: 3039292287-3209860532
                                                                          • Opcode ID: 497bfd50ce057908e14e7f048ded146c63f33ab1001fe1dc64842e4a778f758a
                                                                          • Instruction ID: 5692e4bced61b3cc29fad07ad44924e82c59c7fbd0da3c440a4f379c87b6a493
                                                                          • Opcode Fuzzy Hash: 497bfd50ce057908e14e7f048ded146c63f33ab1001fe1dc64842e4a778f758a
                                                                          • Instruction Fuzzy Hash: 9A51C471A40315FFDB249B69DC86FAAB7A8EF04720F014116F618DB290DB70AA51DBB4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 1506 9c129-9c15b 1507 9c15d-9c17b CreateFileW 1506->1507 1508 9c1c5-9c1e1 GetCurrentProcess * 2 DuplicateHandle 1506->1508 1511 9c21d-9c223 1507->1511 1512 9c181-9c1b2 call 937d3 1507->1512 1509 9c21b 1508->1509 1510 9c1e3-9c219 call 937d3 1508->1510 1509->1511 1527 9c1b7-9c1c0 call d012f 1510->1527 1513 9c22d 1511->1513 1514 9c225-9c22b 1511->1514 1512->1527 1516 9c22f-9c23d SetFilePointerEx 1513->1516 1514->1516 1519 9c23f-9c272 call 937d3 1516->1519 1520 9c274-9c27a 1516->1520 1535 9c290-9c297 call d012f 1519->1535 1522 9c298-9c29e 1520->1522 1523 9c27c-9c280 call b1484 1520->1523 1529 9c285-9c289 1523->1529 1527->1522 1529->1522 1534 9c28b 1529->1534 1534->1535 1535->1522
                                                                          C-Code - Quality: 54%
                                                                          			E0009C129(HANDLE* _a4, intOrPtr _a8, void* _a12, WCHAR* _a16) {
                                                                          				void* _t29;
                                                                          				int _t31;
                                                                          				union _LARGE_INTEGER* _t33;
                                                                          				int _t34;
                                                                          				long _t38;
                                                                          				signed short _t40;
                                                                          				signed short _t43;
                                                                          				void* _t47;
                                                                          				signed short _t48;
                                                                          				HANDLE* _t51;
                                                                          				intOrPtr _t52;
                                                                          				long _t55;
                                                                          				union _LARGE_INTEGER _t65;
                                                                          
                                                                          				_t52 = _a8;
                                                                          				_t51 = _a4;
                                                                          				_t51[6] =  *(_t52 + 4);
                                                                          				_t55 = 0;
                                                                          				_t65 = 0;
                                                                          				_t51[4] =  *(_t52 + 0x18);
                                                                          				_t51[5] =  *(_t52 + 0x1c);
                                                                          				_t51[2] =  *(_t52 + 0x40);
                                                                          				_t51[3] =  *(_t52 + 0x44);
                                                                          				if(_a12 != 0xffffffff) {
                                                                          					_t29 = GetCurrentProcess();
                                                                          					_t31 = DuplicateHandle(GetCurrentProcess(), _a12, _t29, _t51, 0, 0, 2); // executed
                                                                          					if(_t31 != 0) {
                                                                          						_t65 = 0;
                                                                          						goto L7;
                                                                          					} else {
                                                                          						_t43 = GetLastError();
                                                                          						_t61 =  <=  ? _t43 : _t43 & 0x0000ffff | 0x80070000;
                                                                          						_t55 =  >=  ? 0x80004005 :  <=  ? _t43 : _t43 & 0x0000ffff | 0x80070000;
                                                                          						E000937D3(0x80004005, "container.cpp", 0xec, _t55);
                                                                          						_push(_a16);
                                                                          						_push("Failed to duplicate handle to container: %ls");
                                                                          						goto L3;
                                                                          					}
                                                                          				} else {
                                                                          					_t47 = CreateFileW(_a16, 0x80000000, 1, 0, 3, 0x8000080, 0);
                                                                          					 *_t51 = _t47;
                                                                          					if(_t47 != 0xffffffff) {
                                                                          						L7:
                                                                          						if( *((intOrPtr*)(_a8 + 0xc)) == _t55) {
                                                                          							_t33 = _t55;
                                                                          						} else {
                                                                          							_t65 = _t51[2];
                                                                          							_t33 = _t51[3];
                                                                          						}
                                                                          						_push(_t55);
                                                                          						_t34 = SetFilePointerEx( *_t51, _t65, _t33, _t55); // executed
                                                                          						if(_t34 != 0) {
                                                                          							if(_t51[6] == 1) {
                                                                          								_t38 = E000B1484(_t51, _a16); // executed
                                                                          								_t55 = _t38;
                                                                          								if(_t55 < 0) {
                                                                          									_push("Failed to open container.");
                                                                          									goto L15;
                                                                          								}
                                                                          							}
                                                                          						} else {
                                                                          							_t40 = GetLastError();
                                                                          							_t58 =  <=  ? _t40 : _t40 & 0x0000ffff | 0x80070000;
                                                                          							_t55 =  >=  ? 0x80004005 :  <=  ? _t40 : _t40 & 0x0000ffff | 0x80070000;
                                                                          							E000937D3(0x80004005, "container.cpp", 0xf8, _t55);
                                                                          							_push("Failed to move file pointer to container offset.");
                                                                          							L15:
                                                                          							_push(_t55);
                                                                          							E000D012F();
                                                                          						}
                                                                          					} else {
                                                                          						_t48 = GetLastError();
                                                                          						_t64 =  <=  ? _t48 : _t48 & 0x0000ffff | 0x80070000;
                                                                          						_t55 =  >=  ? 0x80004005 :  <=  ? _t48 : _t48 & 0x0000ffff | 0x80070000;
                                                                          						E000937D3(0x80004005, "container.cpp", 0xe6, _t55);
                                                                          						_push(_a16);
                                                                          						_push("Failed to open file: %ls");
                                                                          						L3:
                                                                          						_push(_t55);
                                                                          						E000D012F();
                                                                          					}
                                                                          				}
                                                                          				return _t55;
                                                                          			}

















                                                                          APIs
                                                                          • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000,?,00000000,00000000,?,0009C319,000952FD,?,?,0009533D), ref: 0009C170
                                                                          • GetLastError.KERNEL32(?,0009C319,000952FD,?,?,0009533D,0009533D,00000000,?,00000000), ref: 0009C181
                                                                          • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,?,00000000,00000000,?,0009C319,000952FD,?,?,0009533D,0009533D,00000000,?), ref: 0009C1D0
                                                                          • GetCurrentProcess.KERNEL32(000000FF,00000000,?,0009C319,000952FD,?,?,0009533D,0009533D,00000000,?,00000000), ref: 0009C1D6
                                                                          • DuplicateHandle.KERNELBASE(00000000,?,0009C319,000952FD,?,?,0009533D,0009533D,00000000,?,00000000), ref: 0009C1D9
                                                                          • GetLastError.KERNEL32(?,0009C319,000952FD,?,?,0009533D,0009533D,00000000,?,00000000), ref: 0009C1E3
                                                                          • SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000000,?,0009C319,000952FD,?,?,0009533D,0009533D,00000000,?,00000000), ref: 0009C235
                                                                          • GetLastError.KERNEL32(?,0009C319,000952FD,?,?,0009533D,0009533D,00000000,?,00000000), ref: 0009C23F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast$CurrentFileProcess$CreateDuplicateHandlePointer
                                                                          • String ID: @Mt$Failed to duplicate handle to container: %ls$Failed to move file pointer to container offset.$Failed to open container.$Failed to open file: %ls$container.cpp$crypt32.dll$feclient.dll
                                                                          • API String ID: 2619879409-1185302370
                                                                          • Opcode ID: 64f9e8e6dfd91cf78bdc99738771a7f4f43dced8a7af53419f540d31ca838d9d
                                                                          • Instruction ID: 476d2fccedf2372c28151b43abb881a7e158fad58e91d6f9e03615a7cb2e0f08
                                                                          • Opcode Fuzzy Hash: 64f9e8e6dfd91cf78bdc99738771a7f4f43dced8a7af53419f540d31ca838d9d
                                                                          • Instruction Fuzzy Hash: 6B41B036640301ABEB209F6A9C45F673BE9AF85750F11812AFD19DB291DA31C801EB70
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 62%
                                                                          			E000D2F23(signed int _a4, intOrPtr* _a8, signed int _a12) {
                                                                          				signed int _v8;
                                                                          				signed int _v12;
                                                                          				char _v16;
                                                                          				_Unknown_base(*)()* _v20;
                                                                          				signed int _t38;
                                                                          				signed int _t46;
                                                                          				signed int _t53;
                                                                          				signed int _t58;
                                                                          				signed short _t61;
                                                                          				signed int _t64;
                                                                          				signed int _t65;
                                                                          				intOrPtr* _t66;
                                                                          				intOrPtr* _t67;
                                                                          				signed int _t68;
                                                                          				signed int _t69;
                                                                          				signed int _t71;
                                                                          				signed int _t74;
                                                                          				signed int _t79;
                                                                          				struct HINSTANCE__* _t81;
                                                                          				signed int _t82;
                                                                          
                                                                          				_t64 = 0;
                                                                          				_v16 = 0;
                                                                          				_v12 = 0;
                                                                          				_v8 = 0;
                                                                          				_t81 = GetModuleHandleA("kernel32.dll");
                                                                          				if(_t81 != 0) {
                                                                          					_t38 = GetProcAddress(_t81, "IsWow64Process");
                                                                          					__eflags = _t38;
                                                                          					if(_t38 == 0) {
                                                                          						_t79 = 0;
                                                                          						L9:
                                                                          						__imp__CoCreateInstance(0xfb6c8, 0, 1, 0xdb808,  &_v8); // executed
                                                                          						_t82 = 0xfb6c8;
                                                                          						__eflags = 0xfb6c8;
                                                                          						if(0xfb6c8 < 0) {
                                                                          							L23:
                                                                          							__eflags = _t64;
                                                                          							if(_t64 == 0) {
                                                                          								L26:
                                                                          								L27:
                                                                          								_t66 = _v12;
                                                                          								if(_t66 != 0) {
                                                                          									 *((intOrPtr*)( *_t66 + 8))(_t66);
                                                                          								}
                                                                          								_t67 = _v8;
                                                                          								if(_t67 != 0) {
                                                                          									 *((intOrPtr*)( *_t67 + 8))(_t67);
                                                                          								}
                                                                          								return _t82;
                                                                          							}
                                                                          							_t46 =  *_t79(_v16);
                                                                          							__eflags = _t46;
                                                                          							if(_t46 != 0) {
                                                                          								goto L26;
                                                                          							}
                                                                          							ExitProcess(1);
                                                                          						}
                                                                          						_t68 = 0;
                                                                          						__eflags = 0;
                                                                          						_t74 = 0xfb6c8;
                                                                          						while(1) {
                                                                          							__eflags =  *((intOrPtr*)(_t74 + _t68 * 4)) -  *((intOrPtr*)(0xdb7f8 + _t68 * 4));
                                                                          							_t74 = 0xfb6c8;
                                                                          							if(__eflags != 0) {
                                                                          								break;
                                                                          							}
                                                                          							_t68 = _t68 + 1;
                                                                          							__eflags = _t68 - 4;
                                                                          							if(_t68 != 4) {
                                                                          								continue;
                                                                          							}
                                                                          							L17:
                                                                          							 *0xfb6dc = 1;
                                                                          							L18:
                                                                          							__eflags = _a4;
                                                                          							if(_a4 == 0) {
                                                                          								L21:
                                                                          								_v8 = _v8 & 0x00000000;
                                                                          								 *_a8 = _v8;
                                                                          								_t71 = _a12;
                                                                          								__eflags = _t71;
                                                                          								if(_t71 != 0) {
                                                                          									_t29 =  &_v12;
                                                                          									 *_t29 = _v12 & 0x00000000;
                                                                          									__eflags =  *_t29;
                                                                          									 *_t71 = _v12;
                                                                          								}
                                                                          								goto L23;
                                                                          							}
                                                                          							_t82 = E000D30BF( &_v12, _v8, _a4,  &_v12);
                                                                          							__eflags = _t82;
                                                                          							if(_t82 < 0) {
                                                                          								goto L23;
                                                                          							}
                                                                          							_t53 = _v8;
                                                                          							_t82 =  *((intOrPtr*)( *_t53 + 0x54))(_t53, _v12, 0);
                                                                          							__eflags = _t82;
                                                                          							if(_t82 < 0) {
                                                                          								goto L23;
                                                                          							}
                                                                          							goto L21;
                                                                          						}
                                                                          						_t69 = 0;
                                                                          						__eflags = 0;
                                                                          						while(1) {
                                                                          							__eflags =  *((intOrPtr*)(_t74 + _t69 * 4)) -  *((intOrPtr*)(0xdb7e8 + _t69 * 4));
                                                                          							_t74 = 0xfb6c8;
                                                                          							if(__eflags != 0) {
                                                                          								goto L18;
                                                                          							}
                                                                          							_t69 = _t69 + 1;
                                                                          							__eflags = _t69 - 4;
                                                                          							if(_t69 != 4) {
                                                                          								continue;
                                                                          							}
                                                                          							goto L17;
                                                                          						}
                                                                          						goto L18;
                                                                          					}
                                                                          					_v20 = GetProcAddress(_t81, "Wow64DisableWow64FsRedirection");
                                                                          					_t65 = GetProcAddress(_t81, "Wow64EnableWow64FsRedirection");
                                                                          					_t79 = GetProcAddress(_t81, "Wow64RevertWow64FsRedirection");
                                                                          					_t58 = _v20;
                                                                          					__eflags = _t58;
                                                                          					if(_t58 == 0) {
                                                                          						L7:
                                                                          						_t64 = 0;
                                                                          						goto L9;
                                                                          					}
                                                                          					__eflags = _t65;
                                                                          					if(_t65 == 0) {
                                                                          						goto L7;
                                                                          					}
                                                                          					__eflags = _t79;
                                                                          					if(_t79 == 0) {
                                                                          						goto L7;
                                                                          					}
                                                                          					 *_t58( &_v16);
                                                                          					_t64 =  *_t65(1) & 0x000000ff;
                                                                          					goto L9;
                                                                          				}
                                                                          				_t61 = GetLastError();
                                                                          				_t85 =  <=  ? _t61 : _t61 & 0x0000ffff | 0x80070000;
                                                                          				_t82 =  >=  ? 0x80004005 :  <=  ? _t61 : _t61 & 0x0000ffff | 0x80070000;
                                                                          				E000937D3(0x80004005, "xmlutil.cpp", 0x85, _t82);
                                                                          				goto L27;
                                                                          			}
























                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,000D34DF,00000000,?,00000000), ref: 000D2F3D
                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,000BBDED,?,000952FD,?,00000000,?), ref: 000D2F49
                                                                          • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 000D2F89
                                                                          • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 000D2F95
                                                                          • GetProcAddress.KERNEL32(00000000,Wow64EnableWow64FsRedirection), ref: 000D2FA0
                                                                          • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 000D2FAA
                                                                          • CoCreateInstance.OLE32(000FB6C8,00000000,00000001,000DB808,?,?,?,?,?,?,?,?,?,?,?,000BBDED), ref: 000D2FE5
                                                                          • ExitProcess.KERNEL32 ref: 000D3094
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$CreateErrorExitHandleInstanceLastModuleProcess
                                                                          • String ID: @Mt$IsWow64Process$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$xmlutil.cpp
                                                                          • API String ID: 2124981135-2065807636
                                                                          • Opcode ID: 690d72d1a1ad6fe50b0ed6f16c80a47ab8ba5f1cded1d0afb62ba0cc93ebebcc
                                                                          • Instruction ID: 376b489214b3fb7b62bde4d05d359a50f13fd30650b561aa1e6200e4c8c2e78f
                                                                          • Opcode Fuzzy Hash: 690d72d1a1ad6fe50b0ed6f16c80a47ab8ba5f1cded1d0afb62ba0cc93ebebcc
                                                                          • Instruction Fuzzy Hash: 3E41A331A01319ABDB209FA8C854BAEBBE4EF44711F11406AEA01EB751DB75DE409BB1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E000D29B3(void* __ecx, void* __edx, void* __esi, void* __eflags) {
                                                                          				signed int _v8;
                                                                          				void* _t8;
                                                                          				_Unknown_base(*)()* _t12;
                                                                          				_Unknown_base(*)()* _t13;
                                                                          				_Unknown_base(*)()* _t14;
                                                                          				_Unknown_base(*)()* _t15;
                                                                          				_Unknown_base(*)()* _t16;
                                                                          				_Unknown_base(*)()* _t17;
                                                                          				_Unknown_base(*)()* _t18;
                                                                          				intOrPtr _t20;
                                                                          				intOrPtr _t22;
                                                                          				intOrPtr _t24;
                                                                          				intOrPtr _t26;
                                                                          				intOrPtr _t28;
                                                                          				intOrPtr _t30;
                                                                          				intOrPtr _t32;
                                                                          				void* _t36;
                                                                          
                                                                          				_v8 = _v8 & 0x00000000;
                                                                          				_t8 = E000937EA(__edx, L"Msi.dll", 0xfb680,  &_v8); // executed
                                                                          				_t36 = _t8;
                                                                          				if(_t36 >= 0) {
                                                                          					E000D4932(_v8, 0xfb684, 0xfb688); // executed
                                                                          					_t12 = GetProcAddress( *0xfb680, "MsiDeterminePatchSequenceW");
                                                                          					_t20 =  *0xfb68c; // 0x6e53be10
                                                                          					_t21 =  ==  ? _t12 : _t20;
                                                                          					 *0xfb6a8 = _t12;
                                                                          					 *0xfb68c =  ==  ? _t12 : _t20;
                                                                          					_t13 = GetProcAddress( *0xfb680, "MsiDetermineApplicablePatchesW");
                                                                          					_t22 =  *0xfb690; // 0x6e53a130
                                                                          					_t23 =  ==  ? _t13 : _t22;
                                                                          					 *0xfb6ac = _t13;
                                                                          					 *0xfb690 =  ==  ? _t13 : _t22;
                                                                          					_t14 = GetProcAddress( *0xfb680, "MsiEnumProductsExW");
                                                                          					_t24 =  *0xfb694; // 0x6e5403d0
                                                                          					_t25 =  ==  ? _t14 : _t24;
                                                                          					 *0xfb6b0 = _t14;
                                                                          					 *0xfb694 =  ==  ? _t14 : _t24;
                                                                          					_t15 = GetProcAddress( *0xfb680, "MsiGetPatchInfoExW");
                                                                          					_t26 =  *0xfb698; // 0x6e543560
                                                                          					_t27 =  ==  ? _t15 : _t26;
                                                                          					 *0xfb6b4 = _t15;
                                                                          					 *0xfb698 =  ==  ? _t15 : _t26;
                                                                          					_t16 = GetProcAddress( *0xfb680, "MsiGetProductInfoExW");
                                                                          					_t28 =  *0xfb69c; // 0x6e46ac90
                                                                          					_t29 =  ==  ? _t16 : _t28;
                                                                          					 *0xfb6b8 = _t16;
                                                                          					 *0xfb69c =  ==  ? _t16 : _t28;
                                                                          					_t17 = GetProcAddress( *0xfb680, "MsiSetExternalUIRecord");
                                                                          					_t30 =  *0xfb6a0; // 0x6e5471b0
                                                                          					_t31 =  ==  ? _t17 : _t30;
                                                                          					 *0xfb6bc = _t17;
                                                                          					 *0xfb6a0 =  ==  ? _t17 : _t30;
                                                                          					_t18 = GetProcAddress( *0xfb680, "MsiSourceListAddSourceExW");
                                                                          					_t32 =  *0xfb6a4; // 0x6e547ec0
                                                                          					 *0xfb6c0 = _t18;
                                                                          					_t33 =  ==  ? _t18 : _t32;
                                                                          					 *0xfb6c4 = 1;
                                                                          					 *0xfb6a4 =  ==  ? _t18 : _t32;
                                                                          				}
                                                                          				if(_v8 != 0) {
                                                                          					E000D54EF(_v8);
                                                                          				}
                                                                          				return _t36;
                                                                          			}




















                                                                          APIs
                                                                            • Part of subcall function 000937EA: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00093829
                                                                            • Part of subcall function 000937EA: GetLastError.KERNEL32 ref: 00093833
                                                                            • Part of subcall function 000D4932: GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 000D495A
                                                                          • GetProcAddress.KERNEL32(MsiDeterminePatchSequenceW,00000000), ref: 000D29FD
                                                                          • GetProcAddress.KERNEL32(MsiDetermineApplicablePatchesW), ref: 000D2A20
                                                                          • GetProcAddress.KERNEL32(MsiEnumProductsExW), ref: 000D2A43
                                                                          • GetProcAddress.KERNEL32(MsiGetPatchInfoExW), ref: 000D2A66
                                                                          • GetProcAddress.KERNEL32(MsiGetProductInfoExW), ref: 000D2A89
                                                                          • GetProcAddress.KERNEL32(MsiSetExternalUIRecord), ref: 000D2AAC
                                                                          • GetProcAddress.KERNEL32(MsiSourceListAddSourceExW), ref: 000D2ACF
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$ErrorLast$DirectorySystem
                                                                          • String ID: Msi.dll$MsiDetermineApplicablePatchesW$MsiDeterminePatchSequenceW$MsiEnumProductsExW$MsiGetPatchInfoExW$MsiGetProductInfoExW$MsiSetExternalUIRecord$MsiSourceListAddSourceExW
                                                                          • API String ID: 2510051996-1735120554
                                                                          • Opcode ID: f792221256ee2b5765ca031ac9e0c80d42076cda49aad5bf6bcbd8b229df5953
                                                                          • Instruction ID: 7dfb3212366b5b8ba7b263d3102b9427362009f46859572b2932704513e7a452
                                                                          • Opcode Fuzzy Hash: f792221256ee2b5765ca031ac9e0c80d42076cda49aad5bf6bcbd8b229df5953
                                                                          • Instruction Fuzzy Hash: 7631EAB0641208AFFB58DF25EC52A793BB5FB44700741452EE506D6EA0D7BEA900FF40
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 64%
                                                                          			E000B1484(void* _a4, intOrPtr _a8) {
                                                                          				void* _t11;
                                                                          				void* _t12;
                                                                          				void* _t13;
                                                                          				void* _t29;
                                                                          				void* _t30;
                                                                          
                                                                          				_t29 = _a4;
                                                                          				 *(_t29 + 0x3c) =  *(_t29 + 0x3c) | 0xffffffff;
                                                                          				_t30 = E000921A5(_t29 + 0x1c, _a8, 0);
                                                                          				if(_t30 >= 0) {
                                                                          					_t11 = CreateEventW(0, 1, 0, 0);
                                                                          					 *(_t29 + 0x24) = _t11;
                                                                          					if(_t11 != 0) {
                                                                          						_t12 = CreateEventW(0, 1, 0, 0);
                                                                          						 *(_t29 + 0x28) = _t12;
                                                                          						if(_t12 != 0) {
                                                                          							_t13 = CreateThread(0, 0, E000B0E43, _t29, 0, 0); // executed
                                                                          							 *(_t29 + 0x20) = _t13;
                                                                          							if(_t13 != 0) {
                                                                          								_t30 = E000B1224(_t29);
                                                                          								if(_t30 < 0) {
                                                                          									_push("Failed to wait for operation complete.");
                                                                          									goto L10;
                                                                          								}
                                                                          							} else {
                                                                          								_t34 =  <=  ? GetLastError() : _t17 & 0x0000ffff | 0x80070000;
                                                                          								_t30 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t17 & 0x0000ffff | 0x80070000;
                                                                          								E000937D3(0x80004005, "cabextract.cpp", 0x93, _t30);
                                                                          								_push("Failed to create extraction thread.");
                                                                          								goto L10;
                                                                          							}
                                                                          						} else {
                                                                          							_t37 =  <=  ? GetLastError() : _t20 & 0x0000ffff | 0x80070000;
                                                                          							_t30 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t20 & 0x0000ffff | 0x80070000;
                                                                          							E000937D3(0x80004005, "cabextract.cpp", 0x8f, _t30);
                                                                          							_push("Failed to create operation complete event.");
                                                                          							goto L10;
                                                                          						}
                                                                          					} else {
                                                                          						_t40 =  <=  ? GetLastError() : _t23 & 0x0000ffff | 0x80070000;
                                                                          						_t30 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t23 & 0x0000ffff | 0x80070000;
                                                                          						E000937D3(0x80004005, "cabextract.cpp", 0x8c, _t30);
                                                                          						_push("Failed to create begin operation event.");
                                                                          						goto L10;
                                                                          					}
                                                                          				} else {
                                                                          					_push("Failed to copy file name.");
                                                                          					L10:
                                                                          					_push(_t30);
                                                                          					E000D012F();
                                                                          				}
                                                                          				return _t30;
                                                                          			}








                                                                          APIs
                                                                          • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,wininet.dll,?,00000000,00000000,00000000,?,?,0009C285,?,00000000,?,0009C319), ref: 000B14BB
                                                                          • GetLastError.KERNEL32(?,0009C285,?,00000000,?,0009C319,000952FD,?,?,0009533D,0009533D,00000000,?,00000000), ref: 000B14C4
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: CreateErrorEventLast
                                                                          • String ID: @Mt$Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$cabextract.cpp$wininet.dll
                                                                          • API String ID: 545576003-4160517777
                                                                          • Opcode ID: 9b6e0be8351d3cee3e2b6c338dd25339de71e54611525ffb11a6c5b742555ec1
                                                                          • Instruction ID: b20cdb938b985c6965cc48eca8c3ea0a14b4395caaf2f3dee35b9e9e93f74b48
                                                                          • Opcode Fuzzy Hash: 9b6e0be8351d3cee3e2b6c338dd25339de71e54611525ffb11a6c5b742555ec1
                                                                          • Instruction Fuzzy Hash: E121B1B2B44B25BEF731667A5C41BE77ADCEF487A0B020226BD05FA581E664EC0085F5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 72%
                                                                          			E000B0627(void* __ecx, CHAR* _a4) {
                                                                          				void* _v8;
                                                                          				long _t18;
                                                                          				void* _t19;
                                                                          				signed short _t22;
                                                                          				void* _t27;
                                                                          				int _t29;
                                                                          				signed short _t33;
                                                                          				signed int _t36;
                                                                          				int _t37;
                                                                          				signed int _t40;
                                                                          				void** _t44;
                                                                          				void* _t47;
                                                                          
                                                                          				_push(__ecx);
                                                                          				_t40 =  *0xfaac0; // 0x0
                                                                          				_push(_t36);
                                                                          				_t37 = _t36 | 0xffffffff;
                                                                          				_t47 = 0;
                                                                          				_v8 = _t37;
                                                                          				_t44 =  *( *((intOrPtr*)( *[fs:0x2c] + _t40 * 4)) + 4);
                                                                          				_t18 = CompareStringA(0, 0, "<the>.cab", _t37, _a4, _t37); // executed
                                                                          				if(_t18 != 2) {
                                                                          					_t19 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0x8000080, 0);
                                                                          					_v8 = _t19;
                                                                          					if(_t19 == _t37) {
                                                                          						_t22 = GetLastError();
                                                                          						_t51 =  <=  ? _t22 : _t22 & 0x0000ffff | 0x80070000;
                                                                          						_t47 =  >=  ? 0x80004005 :  <=  ? _t22 : _t22 & 0x0000ffff | 0x80070000;
                                                                          						E000937D3(0x80004005, "cabextract.cpp", 0x2d5, _t47);
                                                                          						E000D012F(_t47, "Failed to open cabinet file: %hs", _a4);
                                                                          					}
                                                                          					L8:
                                                                          					_t44[0xc] = _t47;
                                                                          					_t21 =  <  ? _t37 : _v8;
                                                                          					return  <  ? _t37 : _v8;
                                                                          				}
                                                                          				_t27 = GetCurrentProcess();
                                                                          				_t29 = DuplicateHandle(GetCurrentProcess(),  *_t44, _t27,  &_v8, 0, 0, _t18); // executed
                                                                          				if(_t29 != 0) {
                                                                          					_t47 = E000B04BE(_t40,  &(_t44[7]), _v8, _t44[2], _t44[3]);
                                                                          					if(_t47 >= 0) {
                                                                          						goto L8;
                                                                          					}
                                                                          					_push("Failed to add virtual file pointer for cab container.");
                                                                          					L3:
                                                                          					_push(_t47);
                                                                          					E000D012F();
                                                                          					goto L8;
                                                                          				}
                                                                          				_t33 = GetLastError();
                                                                          				_t55 =  <=  ? _t33 : _t33 & 0x0000ffff | 0x80070000;
                                                                          				_t47 =  >=  ? 0x80004005 :  <=  ? _t33 : _t33 & 0x0000ffff | 0x80070000;
                                                                          				E000937D3(0x80004005, "cabextract.cpp", 0x2ca, _t47);
                                                                          				_push("Failed to duplicate handle to cab container.");
                                                                          				goto L3;
                                                                          			}
















                                                                          APIs
                                                                          • CompareStringA.KERNELBASE(00000000,00000000,<the>.cab,?,?), ref: 000B0657
                                                                          • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 000B066F
                                                                          • GetCurrentProcess.KERNEL32(?,00000000,?,?), ref: 000B0674
                                                                          • DuplicateHandle.KERNELBASE(00000000,?,?), ref: 000B0677
                                                                          • GetLastError.KERNEL32(?,?), ref: 000B0681
                                                                          • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000,?,?), ref: 000B06F0
                                                                          • GetLastError.KERNEL32(?,?), ref: 000B06FD
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
                                                                          • String ID: <the>.cab$@Mt$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$cabextract.cpp
                                                                          • API String ID: 3030546534-2854731662
                                                                          • Opcode ID: 5ac89e4ff6641a971573e98b81392282880a37dad48b4bffe9a0d140b5eab3e0
                                                                          • Instruction ID: 10c4e687994bd1199547ed7cd6b6a3d836b7d4ad67f2f36a90bb80818e70f80d
                                                                          • Opcode Fuzzy Hash: 5ac89e4ff6641a971573e98b81392282880a37dad48b4bffe9a0d140b5eab3e0
                                                                          • Instruction Fuzzy Hash: 8031E172A41225FFEB209BA68C49EDB7BA8EF09760F010126FD08F7150D7249D108AF4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 52%
                                                                          			E000A6859(void* __ecx, void* _a4, signed int* _a8, intOrPtr* _a12) {
                                                                          				void* _v8;
                                                                          				void* _t12;
                                                                          				int _t14;
                                                                          				signed int _t17;
                                                                          				void* _t18;
                                                                          				signed int* _t29;
                                                                          				void* _t33;
                                                                          
                                                                          				_v8 = _v8 | 0xffffffff;
                                                                          				_t29 = _a8;
                                                                          				 *_t29 =  *_t29 | 0xffffffff;
                                                                          				_t12 = GetCurrentProcess();
                                                                          				_t14 = DuplicateHandle(GetCurrentProcess(), _a4, _t12,  &_v8, 0, 1, 2); // executed
                                                                          				if(_t14 != 0) {
                                                                          					_push(_v8);
                                                                          					_t15 = _a12;
                                                                          					_push(L"burn.filehandle.attached");
                                                                          					_t33 = E00091F62(_a12, L"%ls -%ls=%u",  *_t15);
                                                                          					if(_t33 >= 0) {
                                                                          						_t17 = _v8;
                                                                          						 *_t29 = _t17;
                                                                          						_t18 = _t17 | 0xffffffff;
                                                                          						_v8 = _t18;
                                                                          					} else {
                                                                          						_push("Failed to append the file handle to the command line.");
                                                                          						goto L2;
                                                                          					}
                                                                          				} else {
                                                                          					_t37 =  <=  ? GetLastError() : _t22 & 0x0000ffff | 0x80070000;
                                                                          					_t33 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t22 & 0x0000ffff | 0x80070000;
                                                                          					E000937D3(0x80004005, "core.cpp", 0x3da, _t33);
                                                                          					_push("Failed to duplicate file handle for attached container.");
                                                                          					L2:
                                                                          					_push(_t33);
                                                                          					E000D012F();
                                                                          					_t18 = _v8;
                                                                          				}
                                                                          				if(_t18 != 0xffffffff) {
                                                                          					CloseHandle(_t18);
                                                                          				}
                                                                          				return _t33;
                                                                          			}











                                                                          APIs
                                                                          • GetCurrentProcess.KERNEL32(000000FF,00000000,00000001,00000002,?,00000000,?,?,00094D0B,?,?), ref: 000A6879
                                                                          • GetCurrentProcess.KERNEL32(?,00000000,?,?,00094D0B,?,?), ref: 000A687F
                                                                          • DuplicateHandle.KERNELBASE(00000000,?,?,00094D0B,?,?), ref: 000A6882
                                                                          • GetLastError.KERNEL32(?,?,00094D0B,?,?), ref: 000A688C
                                                                          • CloseHandle.KERNEL32(000000FF,?,00094D0B,?,?), ref: 000A6905
                                                                          Strings
                                                                          • Failed to append the file handle to the command line., xrefs: 000A68ED
                                                                          • @Mt, xrefs: 000A688C
                                                                          • %ls -%ls=%u, xrefs: 000A68D9
                                                                          • core.cpp, xrefs: 000A68B0
                                                                          • Failed to duplicate file handle for attached container., xrefs: 000A68BA
                                                                          • burn.filehandle.attached, xrefs: 000A68D2
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentHandleProcess$CloseDuplicateErrorLast
                                                                          • String ID: %ls -%ls=%u$@Mt$Failed to append the file handle to the command line.$Failed to duplicate file handle for attached container.$burn.filehandle.attached$core.cpp
                                                                          • API String ID: 4224961946-3016681858
                                                                          • Opcode ID: dc5b59b07e562b1916a5366bfdb1353f0668a4d420b7785efddc77bf92e2850d
                                                                          • Instruction ID: 60ff0a804d04ca9d23e73c510531f7669a86456260466aae62fd79ad34b0fa5a
                                                                          • Opcode Fuzzy Hash: dc5b59b07e562b1916a5366bfdb1353f0668a4d420b7785efddc77bf92e2850d
                                                                          • Instruction Fuzzy Hash: E1118431A41719FBDB10ABB99D05A9E7BACAF05B70F110326FD20F72D0DB758D1196A0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 76%
                                                                          			E000D076C(void* _a4, signed int* _a8) {
                                                                          				void* _v8;
                                                                          				void _v12;
                                                                          				long _v16;
                                                                          				int _t20;
                                                                          				signed short _t27;
                                                                          				long _t31;
                                                                          
                                                                          				_t31 = 0;
                                                                          				_v8 = 0;
                                                                          				_v12 = 0;
                                                                          				_v16 = 0;
                                                                          				if(OpenProcessToken(_a4, 8,  &_v8) != 0) {
                                                                          					_t20 = GetTokenInformation(_v8, 0x14,  &_v12, 4,  &_v16); // executed
                                                                          					if(_t20 == 0) {
                                                                          						_t31 =  <=  ? GetLastError() : 0x80004005 & 0x0000ffff | 0x80070000;
                                                                          						if(_t31 != 0x80070057) {
                                                                          							if(_t31 < 0) {
                                                                          								_push(_t31);
                                                                          								_push(0x35);
                                                                          								goto L8;
                                                                          							}
                                                                          						} else {
                                                                          							_t31 = 0;
                                                                          							 *_a8 = 0;
                                                                          						}
                                                                          					} else {
                                                                          						 *_a8 = 0 | _v12 != 0x00000000;
                                                                          					}
                                                                          				} else {
                                                                          					_t27 = GetLastError();
                                                                          					_t36 =  <=  ? _t27 : _t27 & 0x0000ffff | 0x80070000;
                                                                          					_t31 =  >=  ? 0x80004005 :  <=  ? _t27 : _t27 & 0x0000ffff | 0x80070000;
                                                                          					_push(_t31);
                                                                          					_push(0x21);
                                                                          					L8:
                                                                          					_push("procutil.cpp");
                                                                          					E000937D3(0x80004005);
                                                                          				}
                                                                          				if(_v8 != 0) {
                                                                          					FindCloseChangeNotification(_v8); // executed
                                                                          				}
                                                                          				return _t31;
                                                                          			}










                                                                          APIs
                                                                          • OpenProcessToken.ADVAPI32(?,00000008,?,000952B5,00000000,?,?,?,?,?,?,?,000A74AB,00000000), ref: 000D078A
                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,000A74AB,00000000), ref: 000D0794
                                                                          • GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,?,?,?,000A74AB,00000000), ref: 000D07C6
                                                                          • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,000A74AB,00000000), ref: 000D081D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: Token$ChangeCloseErrorFindInformationLastNotificationOpenProcess
                                                                          • String ID: @Mt$procutil.cpp
                                                                          • API String ID: 2387526074-822494847
                                                                          • Opcode ID: 03b5fd4f7430305fd129c1d6083fe93df01ca6b1dfa92320ffc658425e407a11
                                                                          • Instruction ID: c70a149ac9b2c46f8cbbaf7a0b5193fac10c7184ba1c3f04c6003a9828745e52
                                                                          • Opcode Fuzzy Hash: 03b5fd4f7430305fd129c1d6083fe93df01ca6b1dfa92320ffc658425e407a11
                                                                          • Instruction Fuzzy Hash: B4215071D41328EBEB209B958C44B9EBBE8EF54710F114167AD19EB250D6708E04EBF0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 27%
                                                                          			E00092436(signed int __edx, intOrPtr* _a4, short* _a8, signed int _a12, int _a16) {
                                                                          				signed int _t16;
                                                                          				int _t17;
                                                                          				signed int _t18;
                                                                          				signed short _t22;
                                                                          				intOrPtr _t23;
                                                                          				intOrPtr* _t25;
                                                                          				signed short _t28;
                                                                          				int _t31;
                                                                          				short* _t40;
                                                                          				void* _t41;
                                                                          				intOrPtr _t43;
                                                                          				int _t45;
                                                                          				signed int _t48;
                                                                          				int _t50;
                                                                          				int _t52;
                                                                          				intOrPtr* _t53;
                                                                          
                                                                          				_t39 = _a4;
                                                                          				_t45 = __edx | 0xffffffff;
                                                                          				_t16 = _a12;
                                                                          				_t31 = 0;
                                                                          				_t52 = 0;
                                                                          				_t48 = _t16;
                                                                          				if( *_a4 == 0) {
                                                                          					L4:
                                                                          					_t40 = _a8;
                                                                          					if(_t16 != 0) {
                                                                          						if(0 == _t40[_t16]) {
                                                                          							_t48 = _t16 - 1;
                                                                          						}
                                                                          						L11:
                                                                          						_t17 = _t48 + 1;
                                                                          						if(_t52 >= _t17) {
                                                                          							L20:
                                                                          							_t18 = _a12;
                                                                          							_push(_t31);
                                                                          							_push(_t31);
                                                                          							_push(_t52);
                                                                          							_t53 = _a4;
                                                                          							_push( *_t53);
                                                                          							_t41 = 0xffffffff;
                                                                          							_t19 =  ==  ? _t41 : _t18;
                                                                          							if(WideCharToMultiByte(_a16, _t31, _a8,  ==  ? _t41 : _t18, ??, ??, ??, ??) != 0) {
                                                                          								 *(_t48 +  *_t53) = _t31;
                                                                          								L23:
                                                                          								return _t31;
                                                                          							}
                                                                          							_t22 = GetLastError();
                                                                          							_t35 =  <=  ? _t22 : _t22 & 0x0000ffff | 0x80070000;
                                                                          							_t23 = 0x80004005;
                                                                          							_t31 =  >=  ? 0x80004005 :  <=  ? _t22 : _t22 & 0x0000ffff | 0x80070000;
                                                                          							_push(_t31);
                                                                          							_push(0x1de);
                                                                          							L7:
                                                                          							_push("strutil.cpp");
                                                                          							E000937D3(_t23);
                                                                          							goto L23;
                                                                          						}
                                                                          						_t52 = _t17;
                                                                          						if(_t52 < 0x7fffffff) {
                                                                          							_t25 = _a4;
                                                                          							_push(1);
                                                                          							_push(_t52);
                                                                          							if( *_t25 == _t31) {
                                                                          								_t23 = E000938D4(); // executed
                                                                          							} else {
                                                                          								_push( *_t25);
                                                                          								_t23 = E00093A72();
                                                                          							}
                                                                          							_t43 = _t23;
                                                                          							if(_t43 != 0) {
                                                                          								 *_a4 = _t43;
                                                                          								goto L20;
                                                                          							} else {
                                                                          								_t31 = 0x8007000e;
                                                                          								_push(0x8007000e);
                                                                          								_push(0x1d7);
                                                                          								goto L7;
                                                                          							}
                                                                          						}
                                                                          						_t31 = 0x8007000e;
                                                                          						goto L23;
                                                                          					}
                                                                          					_t50 = WideCharToMultiByte(_a16, _t31, _t40, _t45, _t31, _t31, _t31, _t31);
                                                                          					if(_t50 != 0) {
                                                                          						_t48 = _t50 - 1;
                                                                          						goto L11;
                                                                          					}
                                                                          					_t28 = GetLastError();
                                                                          					_t38 =  <=  ? _t28 : _t28 & 0x0000ffff | 0x80070000;
                                                                          					_t23 = 0x80004005;
                                                                          					_t31 =  >=  ? 0x80004005 :  <=  ? _t28 : _t28 & 0x0000ffff | 0x80070000;
                                                                          					_push(_t31);
                                                                          					_push(0x1bc);
                                                                          					goto L7;
                                                                          				}
                                                                          				_t52 = E00093B51( *_t39);
                                                                          				_t45 = _t45 | 0xffffffff;
                                                                          				if(_t52 != _t45) {
                                                                          					_t16 = _t48;
                                                                          					goto L4;
                                                                          				}
                                                                          				_t31 = 0x80070057;
                                                                          				goto L23;
                                                                          			}

                                                                          APIs
                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,000CFEE7,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,000CFEE7,?,00000000,00000000), ref: 0009247C
                                                                          • GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,000CFEE7,?,00000000,00000000,0000FDE9), ref: 00092488
                                                                            • Part of subcall function 00093B51: GetProcessHeap.KERNEL32(00000000,000001C7,?,000921DC,000001C7,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 00093B59
                                                                            • Part of subcall function 00093B51: HeapSize.KERNEL32(00000000,?,000921DC,000001C7,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 00093B60
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
                                                                          • String ID: @Mt$strutil.cpp
                                                                          • API String ID: 3662877508-3983159554
                                                                          • Opcode ID: 14fe424ea8b6f3d6f6ff538fe27e0a2c3436310fc41323bb778a59e81a98a434
                                                                          • Instruction ID: 4100dc0864d492de16ef398a8a628c5e10385aa0d5134dd2b29b0bc0250a33c6
                                                                          • Opcode Fuzzy Hash: 14fe424ea8b6f3d6f6ff538fe27e0a2c3436310fc41323bb778a59e81a98a434
                                                                          • Instruction Fuzzy Hash: 0731C071240719FFFF109E688C84ABA72DDEB44364B11422AFD25DB1A0EB75CC40AB70
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 59%
                                                                          			E000B07E4(signed int __edx, void* _a4, union _LARGE_INTEGER _a8, intOrPtr _a12) {
                                                                          				union _LARGE_INTEGER* _v8;
                                                                          				intOrPtr _v12;
                                                                          				void* _v16;
                                                                          				intOrPtr _t32;
                                                                          				signed short _t36;
                                                                          				signed short _t41;
                                                                          				signed short _t42;
                                                                          				void* _t46;
                                                                          				union _LARGE_INTEGER _t52;
                                                                          				signed int _t55;
                                                                          				signed int _t56;
                                                                          				intOrPtr _t60;
                                                                          				intOrPtr _t61;
                                                                          				signed short _t64;
                                                                          
                                                                          				_t55 =  *0xfaac0; // 0x0
                                                                          				_t61 = 0;
                                                                          				_v16 = 0;
                                                                          				_v12 = 0;
                                                                          				_t60 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x2c] + _t55 * 4)) + 4));
                                                                          				_t32 = _a12;
                                                                          				if(_t32 == 0) {
                                                                          					asm("cdq");
                                                                          					_t56 = __edx;
                                                                          					_t52 = _a8.LowPart +  *((intOrPtr*)(_t60 + 8));
                                                                          					asm("adc ecx, [edi+0xc]");
                                                                          					goto L7;
                                                                          				} else {
                                                                          					_t46 = _t32 - 1;
                                                                          					if(_t46 == 0) {
                                                                          						asm("cdq");
                                                                          						_t52 = _a8.LowPart;
                                                                          						_t56 = __edx;
                                                                          						goto L7;
                                                                          					} else {
                                                                          						if(_t46 == 1) {
                                                                          							_t56 =  *(_t60 + 0x14);
                                                                          							asm("adc ecx, [edi+0xc]");
                                                                          							asm("cdq");
                                                                          							_t52 =  *((intOrPtr*)(_t60 + 0x10)) +  *((intOrPtr*)(_t60 + 8)) + _a8.LowPart;
                                                                          							asm("adc ecx, edx");
                                                                          							L7:
                                                                          							_v8 = _t56;
                                                                          							_t36 = E000B11CF(__eflags, _t60 + 0x1c, _a4, _t52, _t56,  &_v16, _a12);
                                                                          							__eflags = _t36;
                                                                          							if(_t36 == 0) {
                                                                          								L10:
                                                                          								_t25 =  &_v16;
                                                                          								 *_t25 = _v16 -  *((intOrPtr*)(_t60 + 8));
                                                                          								__eflags =  *_t25;
                                                                          							} else {
                                                                          								_push(_a12);
                                                                          								_t41 = SetFilePointerEx(_a4, _t52, _v8,  &_v16); // executed
                                                                          								__eflags = _t41;
                                                                          								if(_t41 != 0) {
                                                                          									goto L10;
                                                                          								} else {
                                                                          									_t42 = GetLastError();
                                                                          									__eflags = _t42;
                                                                          									_t64 =  <=  ? _t42 : _t42 & 0x0000ffff | 0x80070000;
                                                                          									__eflags = _t64;
                                                                          									_t61 =  >=  ? 0x80004005 : _t64;
                                                                          									E000937D3(0x80004005, "cabextract.cpp", 0x345, _t61);
                                                                          									E000D012F(_t61, "Failed to move file pointer 0x%x bytes.", _a8);
                                                                          								}
                                                                          							}
                                                                          						} else {
                                                                          							_t61 = 0x80070057;
                                                                          							_push("Invalid seek type.");
                                                                          							E000D012F();
                                                                          							_t56 = 0x80070057;
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          				 *((intOrPtr*)(_t60 + 0x30)) = _t61;
                                                                          				_t39 =  <  ? _t56 | 0xffffffff : _v16;
                                                                          				return  <  ? _t56 | 0xffffffff : _v16;
                                                                          			}


















                                                                          APIs
                                                                          • SetFilePointerEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 000B088A
                                                                          • GetLastError.KERNEL32(?,?,?), ref: 000B0894
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLastPointer
                                                                          • String ID: @Mt$Failed to move file pointer 0x%x bytes.$Invalid seek type.$cabextract.cpp
                                                                          • API String ID: 2976181284-609547513
                                                                          • Opcode ID: 48be79b96fd09b295c05ce5e9ce5fcc244025b3fd4ac2b0e02b1f4baf97cf5c0
                                                                          • Instruction ID: 83b4ce3f35d9cdfbbc5411574fdc1bbc1ac4652359ae27b57e8d65511bae2d70
                                                                          • Opcode Fuzzy Hash: 48be79b96fd09b295c05ce5e9ce5fcc244025b3fd4ac2b0e02b1f4baf97cf5c0
                                                                          • Instruction Fuzzy Hash: BE318371A0061AFFDB14DF69CC859AAB7A9FF08710B10822AF919A7651D730EE10CBD0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 58%
                                                                          			E000D4932(intOrPtr _a4, intOrPtr* _a8, intOrPtr* _a12) {
                                                                          				void* _v8;
                                                                          				char _v12;
                                                                          				char _v16;
                                                                          				long _t15;
                                                                          				char* _t18;
                                                                          				long _t25;
                                                                          				intOrPtr _t28;
                                                                          				void* _t31;
                                                                          				int _t32;
                                                                          
                                                                          				_t15 =  &_v8;
                                                                          				_push(_t15);
                                                                          				_push(_a4);
                                                                          				_t32 = 0;
                                                                          				_v8 = 0;
                                                                          				_v12 = 0;
                                                                          				_v16 = 0;
                                                                          				L000D94F0(); // executed
                                                                          				_t25 = _t15;
                                                                          				if(_t25 != 0) {
                                                                          					L4:
                                                                          					_t16 = GlobalAlloc(0, _t25); // executed
                                                                          					_t31 = _t16;
                                                                          					if(_t31 != 0) {
                                                                          						_push(_t31);
                                                                          						_push(_t25);
                                                                          						_push(_v8);
                                                                          						_push(_a4);
                                                                          						L000D9500(); // executed
                                                                          						if(_t16 != 0) {
                                                                          							L10:
                                                                          							_push( &_v16);
                                                                          							_t18 =  &_v12;
                                                                          							_push(_t18);
                                                                          							_push("\\");
                                                                          							_push(_t31);
                                                                          							L000D9510();
                                                                          							if(_t18 != 0) {
                                                                          								L13:
                                                                          								_t28 = _v12;
                                                                          								 *_a8 =  *((intOrPtr*)(_t28 + 8));
                                                                          								 *_a12 =  *((intOrPtr*)(_t28 + 0xc));
                                                                          							} else {
                                                                          								_t32 =  <=  ? GetLastError() : _t22 & 0x0000ffff | 0x80070000;
                                                                          								if(_t32 >= 0) {
                                                                          									goto L13;
                                                                          								} else {
                                                                          									_push(_t32);
                                                                          									_push(0x122);
                                                                          									goto L9;
                                                                          								}
                                                                          							}
                                                                          						} else {
                                                                          							_t32 =  <=  ? GetLastError() : _t22 & 0x0000ffff | 0x80070000;
                                                                          							if(_t32 >= 0) {
                                                                          								goto L10;
                                                                          							} else {
                                                                          								_push(_t32);
                                                                          								_push(0x11d);
                                                                          								L9:
                                                                          								_push("fileutil.cpp");
                                                                          								E000937D3(_t22);
                                                                          							}
                                                                          						}
                                                                          						GlobalFree(_t31);
                                                                          					} else {
                                                                          						_t32 = 0x8007000e;
                                                                          						_push(0x8007000e);
                                                                          						_push(0x119);
                                                                          						goto L3;
                                                                          					}
                                                                          				} else {
                                                                          					_t32 =  <=  ? GetLastError() : _t16 & 0x0000ffff | 0x80070000;
                                                                          					if(_t32 >= 0) {
                                                                          						goto L4;
                                                                          					} else {
                                                                          						_push(_t32);
                                                                          						_push(0x115);
                                                                          						L3:
                                                                          						_push("fileutil.cpp");
                                                                          						E000937D3(_t16);
                                                                          					}
                                                                          				}
                                                                          				return _t32;
                                                                          			}













                                                                          APIs
                                                                          • GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 000D495A
                                                                          • GlobalAlloc.KERNELBASE(00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 000D4989
                                                                          • GetLastError.KERNEL32(?,00000000,00000000,00000000), ref: 000D49B3
                                                                          • GetLastError.KERNEL32(00000000,000DB790,?,?,?,00000000,00000000,00000000), ref: 000D49F4
                                                                          • GlobalFree.KERNEL32 ref: 000D4A28
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast$Global$AllocFree
                                                                          • String ID: @Mt$fileutil.cpp
                                                                          • API String ID: 1145190524-3352924005
                                                                          • Opcode ID: 3e73e2c285485c37c89258f684c7dd2bfe86790aedef99d780064ea41cf4f6b7
                                                                          • Instruction ID: ef4a264c113826af87de4a8acf82eaf1b16782e785da131dbedaa0b37a0ab982
                                                                          • Opcode Fuzzy Hash: 3e73e2c285485c37c89258f684c7dd2bfe86790aedef99d780064ea41cf4f6b7
                                                                          • Instruction Fuzzy Hash: F3219535A40329ABDB219BAA8C45AEFFBA8EF84360F114117FD05E7351D735CD0096B1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 96%
                                                                          			E00094013(WCHAR* _a4, struct _SECURITY_ATTRIBUTES* _a8) {
                                                                          				int _t5;
                                                                          				long _t7;
                                                                          				short _t12;
                                                                          				signed short _t14;
                                                                          				short* _t17;
                                                                          				WCHAR* _t19;
                                                                          				WCHAR* _t21;
                                                                          				short _t22;
                                                                          
                                                                          				_t21 = _a4;
                                                                          				_t22 = 0;
                                                                          				_t5 = CreateDirectoryW(_t21, _a8); // executed
                                                                          				if(_t5 != 0) {
                                                                          					L17:
                                                                          					return _t22;
                                                                          				}
                                                                          				_t7 = GetLastError();
                                                                          				if(_t7 != 0xb7) {
                                                                          					if(_t7 == 3 || E000940E2(_t21, 0) == 0) {
                                                                          						_t8 =  *_t21 & 0x0000ffff;
                                                                          						_t19 = _t21;
                                                                          						_t17 = 0;
                                                                          						if(( *_t21 & 0x0000ffff) == 0) {
                                                                          							L15:
                                                                          							_t22 = 0x80070003;
                                                                          							E000937D3(_t8, "dirutil.cpp", 0x72, 0x80070003);
                                                                          							goto L16;
                                                                          						} else {
                                                                          							_push(0x5c);
                                                                          							do {
                                                                          								_t17 =  ==  ? _t19 : _t17;
                                                                          								_t19 =  &(_t19[1]);
                                                                          								_t8 =  *_t19 & 0x0000ffff;
                                                                          							} while (( *_t19 & 0x0000ffff) != 0);
                                                                          							if(_t17 == 0) {
                                                                          								goto L15;
                                                                          							} else {
                                                                          								 *_t17 = 0;
                                                                          								_t22 = E00094013(_t21, _a8);
                                                                          								_t12 = 0x5c;
                                                                          								 *_t17 = _t12;
                                                                          								if(_t22 >= 0) {
                                                                          									if(CreateDirectoryW(_t21, _a8) != 0) {
                                                                          										_t22 = 0;
                                                                          									} else {
                                                                          										_t14 = GetLastError();
                                                                          										if(_t14 != 0xb7) {
                                                                          											_t22 =  <=  ? _t14 : _t14 & 0x0000ffff | 0x80070000;
                                                                          										} else {
                                                                          											_t22 = 1;
                                                                          										}
                                                                          									}
                                                                          								}
                                                                          								L16:
                                                                          								goto L17;
                                                                          							}
                                                                          						}
                                                                          					} else {
                                                                          						goto L2;
                                                                          					}
                                                                          				}
                                                                          				L2:
                                                                          				_t22 = 0;
                                                                          				goto L17;
                                                                          			}












                                                                          APIs
                                                                          • CreateDirectoryW.KERNELBASE(0009533D,000953B5,00000000,00000000,?,000A9EE4,00000000,00000000,0009533D,00000000,000952B5,00000000,?,=S,0009D4AC,=S), ref: 00094021
                                                                          • GetLastError.KERNEL32(?,000A9EE4,00000000,00000000,0009533D,00000000,000952B5,00000000,?,=S,0009D4AC,=S,00000000,00000000), ref: 0009402F
                                                                          • CreateDirectoryW.KERNEL32(0009533D,000953B5,00095381,?,000A9EE4,00000000,00000000,0009533D,00000000,000952B5,00000000,?,=S,0009D4AC,=S,00000000), ref: 00094097
                                                                          • GetLastError.KERNEL32(?,000A9EE4,00000000,00000000,0009533D,00000000,000952B5,00000000,?,=S,0009D4AC,=S,00000000,00000000), ref: 000940A1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: CreateDirectoryErrorLast
                                                                          • String ID: @Mt$dirutil.cpp
                                                                          • API String ID: 1375471231-3103255058
                                                                          • Opcode ID: f7acdd24c67d09efd4f25da469eab8d8250dbca3632e0c7a153bac10d6e84935
                                                                          • Instruction ID: dc64365859036aed3c4a1f30fb9d7d9f891edb32f84b4c541df1a92ae5095b87
                                                                          • Opcode Fuzzy Hash: f7acdd24c67d09efd4f25da469eab8d8250dbca3632e0c7a153bac10d6e84935
                                                                          • Instruction Fuzzy Hash: 0D11D236A04321E6EF311AA14C44F7FB698EFD4B60F114226FF45EB190E7758C12B2A1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 44%
                                                                          			E000A6915(WCHAR* _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16) {
                                                                          				struct _SECURITY_ATTRIBUTES _v16;
                                                                          				void* _t10;
                                                                          				void** _t18;
                                                                          				void* _t22;
                                                                          				void* _t23;
                                                                          
                                                                          				_t18 = _a8;
                                                                          				_t23 = 0;
                                                                          				 *_t18 =  *_t18 | 0xffffffff;
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				_v16.bInheritHandle = 1;
                                                                          				_t10 = CreateFileW(_a4, 0x80000000, 5,  &_v16, 3, 0x80, 0); // executed
                                                                          				_t22 = _t10;
                                                                          				if(_t22 == 0xffffffff) {
                                                                          					L10:
                                                                          					return _t23;
                                                                          				}
                                                                          				_push(_t22);
                                                                          				_push(L"burn.filehandle.self");
                                                                          				_t23 = E00091F62(_a12, L"%ls -%ls=%u",  *_a12);
                                                                          				if(_t23 >= 0) {
                                                                          					_t14 = _a16;
                                                                          					if(_a16 == 0) {
                                                                          						L7:
                                                                          						 *_t18 = _t22;
                                                                          						_t22 = _t22 | 0xffffffff;
                                                                          						L8:
                                                                          						if(_t22 != 0xffffffff) {
                                                                          							CloseHandle(_t22);
                                                                          						}
                                                                          						goto L10;
                                                                          					}
                                                                          					_push(_t22);
                                                                          					_push(L"burn.filehandle.self");
                                                                          					_t23 = E00091F20(_t14, L"%ls -%ls=%u",  *_t14);
                                                                          					if(_t23 >= 0) {
                                                                          						goto L7;
                                                                          					}
                                                                          					_push("Failed to append the file handle to the obfuscated command line.");
                                                                          					L3:
                                                                          					_push(_t23);
                                                                          					E000D012F();
                                                                          					goto L8;
                                                                          				}
                                                                          				_push("Failed to append the file handle to the command line.");
                                                                          				goto L3;
                                                                          			}









                                                                          APIs
                                                                          • CreateFileW.KERNELBASE(?,80000000,00000005,?,00000003,00000080,00000000,?,00000000,?,?,?), ref: 000A694B
                                                                          • CloseHandle.KERNEL32(00000000), ref: 000A69BB
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: CloseCreateFileHandle
                                                                          • String ID: %ls -%ls=%u$Failed to append the file handle to the command line.$Failed to append the file handle to the obfuscated command line.$burn.filehandle.self
                                                                          • API String ID: 3498533004-3263533295
                                                                          • Opcode ID: beb4bb345c183671060652c4b9e5e06d7a501b404d4db1ec0862a26d0b7913f0
                                                                          • Instruction ID: 7432df762c221faa0699fffacb3b0abb01b8f4798a63d36d0b218b1f9f8be01b
                                                                          • Opcode Fuzzy Hash: beb4bb345c183671060652c4b9e5e06d7a501b404d4db1ec0862a26d0b7913f0
                                                                          • Instruction Fuzzy Hash: 26110832601714BFDB205AA99C05F9F7BACDB46B30F050361FE24BB2E1DB71581186A1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 75%
                                                                          			E000D0917(void* __ecx, void* _a4, long _a8, intOrPtr* _a12) {
                                                                          				long _v8;
                                                                          				long _t9;
                                                                          				int _t11;
                                                                          				void* _t14;
                                                                          				long _t21;
                                                                          
                                                                          				_t21 = 0;
                                                                          				_v8 = 0;
                                                                          				_t9 = WaitForSingleObject(_a4, _a8);
                                                                          				_v8 = _t9;
                                                                          				if(_t9 != 0xffffffff) {
                                                                          					if(_t9 != 0x102) {
                                                                          						_t11 = GetExitCodeProcess(_a4,  &_v8); // executed
                                                                          						if(_t11 != 0) {
                                                                          							 *_a12 = _v8;
                                                                          						} else {
                                                                          							_t25 =  <=  ? GetLastError() : _t13 & 0x0000ffff | 0x80070000;
                                                                          							_t14 = 0x80004005;
                                                                          							_t21 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t13 & 0x0000ffff | 0x80070000;
                                                                          							_push(_t21);
                                                                          							_push(0x12a);
                                                                          							goto L2;
                                                                          						}
                                                                          					} else {
                                                                          						_t21 = 0x80070102;
                                                                          					}
                                                                          				} else {
                                                                          					_t28 =  <=  ? GetLastError() : _t16 & 0x0000ffff | 0x80070000;
                                                                          					_t14 = 0x80004005;
                                                                          					_t21 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t16 & 0x0000ffff | 0x80070000;
                                                                          					_push(_t21);
                                                                          					_push(0x121);
                                                                          					L2:
                                                                          					_push("procutil.cpp");
                                                                          					E000937D3(_t14);
                                                                          				}
                                                                          				return _t21;
                                                                          			}









                                                                          APIs
                                                                          • WaitForSingleObject.KERNEL32(000000FF,?,00000000,?,?,00094E16,?,000000FF,?,?,?,?,?,00000000,?,?), ref: 000D0927
                                                                          • GetLastError.KERNEL32(?,?,00094E16,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?), ref: 000D0935
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLastObjectSingleWait
                                                                          • String ID: @Mt$procutil.cpp
                                                                          • API String ID: 1211598281-822494847
                                                                          • Opcode ID: e49b43f9a75f68e7d7affe709f25071abca7ae3047902411e48b1e7dbb4489e2
                                                                          • Instruction ID: 634346c2d676b3d88f102c148868a478f347e36c50583457387783b87e709a24
                                                                          • Opcode Fuzzy Hash: e49b43f9a75f68e7d7affe709f25071abca7ae3047902411e48b1e7dbb4489e2
                                                                          • Instruction Fuzzy Hash: 7E118E32E01325EBFB209BA59C087ABBBE4EF04360F124217FD19EB291D2358D0096F5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • CoInitialize.OLE32(00000000), ref: 000D344A
                                                                          • InterlockedIncrement.KERNEL32(000FB6D8), ref: 000D3467
                                                                          • CLSIDFromProgID.OLE32(Msxml2.DOMDocument,000FB6C8,?,?,?,?,?,?), ref: 000D3482
                                                                          • CLSIDFromProgID.OLE32(MSXML.DOMDocument,000FB6C8,?,?,?,?,?,?), ref: 000D348E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: FromProg$IncrementInitializeInterlocked
                                                                          • String ID: MSXML.DOMDocument$Msxml2.DOMDocument
                                                                          • API String ID: 2109125048-2356320334
                                                                          • Opcode ID: 6a0522a834ba7fca60d0b61f54343c39e59bcabe75a420ba7033b9727314742f
                                                                          • Instruction ID: 9673313070089f342edb86b04eaf4aa1a0f49a7063e4aa35a25c43a61c14b450
                                                                          • Opcode Fuzzy Hash: 6a0522a834ba7fca60d0b61f54343c39e59bcabe75a420ba7033b9727314742f
                                                                          • Instruction Fuzzy Hash: 0AF0A02174133997E7224BA5EC0DB273EA4AB81F65F01002FEE00E5794D36CA941DEB2
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 54%
                                                                          			E000D31C7(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                          				signed int _v8;
                                                                          				signed int _v12;
                                                                          				intOrPtr _v20;
                                                                          				char _v28;
                                                                          				intOrPtr* _t23;
                                                                          				void* _t24;
                                                                          				signed int _t33;
                                                                          				void* _t35;
                                                                          				intOrPtr* _t38;
                                                                          				intOrPtr* _t39;
                                                                          				void* _t43;
                                                                          				void* _t44;
                                                                          
                                                                          				_v8 = _v8 & 0x00000000;
                                                                          				_v12 = _v12 & 0x00000000;
                                                                          				_t43 = 0;
                                                                          				__imp__#8( &_v28);
                                                                          				_t23 = _a4;
                                                                          				_t24 =  *((intOrPtr*)( *_t23 + 0x44))(_t23,  &_v8);
                                                                          				_t44 = _t24;
                                                                          				if(_t44 < 0) {
                                                                          					L9:
                                                                          					_t38 = _v8;
                                                                          					if(_t38 != 0) {
                                                                          						 *((intOrPtr*)( *_t38 + 8))(_t38);
                                                                          					}
                                                                          					_t39 = _v12;
                                                                          					if(_t39 != 0) {
                                                                          						 *((intOrPtr*)( *_t39 + 8))(_t39);
                                                                          					}
                                                                          					__imp__#9( &_v28);
                                                                          					if(_t43 != 0) {
                                                                          						__imp__#6(_t43);
                                                                          					}
                                                                          					return _t44;
                                                                          				}
                                                                          				__imp__#2(_a8);
                                                                          				_t43 = _t24;
                                                                          				if(_t43 != 0) {
                                                                          					_t44 = E000D336E( &_v12, _v8, _t43,  &_v12);
                                                                          					if(_t44 != 1) {
                                                                          						if(_t44 < 0) {
                                                                          							goto L9;
                                                                          						}
                                                                          						_t33 = _v12;
                                                                          						_t44 =  *((intOrPtr*)( *_t33 + 0x20))(_t33,  &_v28);
                                                                          						if(_t44 == 1) {
                                                                          							goto L4;
                                                                          						}
                                                                          						if(_t44 >= 0) {
                                                                          							_t35 = E000921A5(_a12, _v20, 0); // executed
                                                                          							_t44 = _t35;
                                                                          						}
                                                                          						goto L9;
                                                                          					}
                                                                          					L4:
                                                                          					_t44 = 0x80070490;
                                                                          					goto L9;
                                                                          				}
                                                                          				_t44 = 0x8007000e;
                                                                          				E000937D3(_t24, "xmlutil.cpp", 0x2a6, 0x8007000e);
                                                                          				goto L9;
                                                                          			}
















                                                                          APIs
                                                                          • VariantInit.OLEAUT32(?), ref: 000D31DD
                                                                          • SysAllocString.OLEAUT32(?), ref: 000D31F9
                                                                          • VariantClear.OLEAUT32(?), ref: 000D3280
                                                                          • SysFreeString.OLEAUT32(00000000), ref: 000D328B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: StringVariant$AllocClearFreeInit
                                                                          • String ID: xmlutil.cpp
                                                                          • API String ID: 760788290-1270936966
                                                                          • Opcode ID: a4a594b73e330addc783f4c54a1df2b810ab386b7fde2cbe2bee9a8542bb3660
                                                                          • Instruction ID: 64a111c68522130cfa33a34275517da428a0e042f21d52bfb95b70c143bf8dc2
                                                                          • Opcode Fuzzy Hash: a4a594b73e330addc783f4c54a1df2b810ab386b7fde2cbe2bee9a8542bb3660
                                                                          • Instruction Fuzzy Hash: 3B218032D01319EBDB20DBA8C849EBEBBB8AF44750F154159F905AB210CB359E009BA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E000CFD20(void* __ecx, void* __edi, intOrPtr _a4, void* _a8, long _a12, char* _a16, intOrPtr _a20) {
                                                                          				short _v8;
                                                                          				short _t25;
                                                                          				signed int _t32;
                                                                          				void* _t33;
                                                                          				void* _t34;
                                                                          				void* _t36;
                                                                          				long _t38;
                                                                          
                                                                          				_t36 = __edi;
                                                                          				_t38 = 0;
                                                                          				_v8 = 0;
                                                                          				_t32 = FormatMessageW(0x900, _a8, _a12, 0,  &_v8, 0,  &_a16);
                                                                          				if(_t32 != 0) {
                                                                          					if(_t32 < 2) {
                                                                          						goto L7;
                                                                          					} else {
                                                                          						_t25 = _v8;
                                                                          						_t33 = 0xd;
                                                                          						if(_t33 ==  *((intOrPtr*)(_t25 + _t32 * 2 - 4))) {
                                                                          							_t34 = 0xa;
                                                                          							if(_t34 ==  *((intOrPtr*)(_t25 + _t32 * 2 - 2))) {
                                                                          								 *((short*)(_t25 + _t32 * 2 - 4)) = 0;
                                                                          								goto L7;
                                                                          							}
                                                                          						}
                                                                          					}
                                                                          					goto L8;
                                                                          				} else {
                                                                          					_t38 =  <=  ? GetLastError() : _t29 & 0x0000ffff | 0x80070000;
                                                                          					if(_t38 >= 0) {
                                                                          						L7:
                                                                          						_t25 = _v8;
                                                                          						L8:
                                                                          						E000CFDC2(_t36, _a4, _a12, _t25, _a20); // executed
                                                                          					} else {
                                                                          						E000937D3(_t29, "logutil.cpp", 0x333, _t38);
                                                                          					}
                                                                          				}
                                                                          				if(_v8 != 0) {
                                                                          					LocalFree(_v8);
                                                                          				}
                                                                          				return _t38;
                                                                          			}











                                                                          APIs
                                                                          • FormatMessageW.KERNEL32(00000900,?,00000000,00000000,00000000,00000000,?,00000000,?,?,000D03EC,?,00000000,?,?,00000001), ref: 000CFD3F
                                                                          • GetLastError.KERNEL32(?,000D03EC,?,00000000,?,?,00000001,?,00095523,?,?,00000000,?,?,0009528D,00000002), ref: 000CFD4B
                                                                          • LocalFree.KERNEL32(00000000,?,00000000,00000000,?,?,000D03EC,?,00000000,?,?,00000001,?,00095523,?,?), ref: 000CFDB3
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp Download File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFormatFreeLastLocalMessage
                                                                          • String ID: @Mt$logutil.cpp
                                                                          • API String ID: 1365068426-3917315118
                                                                          • Opcode ID: 23a065da075d79d201f7ddc9280c90fde6edac34b32bf42b71c31bd04119183e
                                                                          • Instruction ID: 3b7ac3d98c5eb39f8b409325b166e8afc15430ae56743afdb9aef172aa25c8ba
                                                                          • Opcode Fuzzy Hash: 23a065da075d79d201f7ddc9280c90fde6edac34b32bf42b71c31bd04119183e
                                                                          • Instruction Fuzzy Hash: 7F116D3160121AEBDB21AF94CD05FFF7B6AEF54710F01402EFD0696160D7718A60E6A2
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 63%
                                                                          			E000B074E(void* __ecx, void* __eflags, void* _a4, void* _a8, long _a12) {
                                                                          				long _v8;
                                                                          				int _t19;
                                                                          				signed short _t22;
                                                                          				signed int _t27;
                                                                          				intOrPtr _t31;
                                                                          				struct _OVERLAPPED* _t34;
                                                                          
                                                                          				_t27 =  *0xfaac0; // 0x0
                                                                          				_t34 = 0;
                                                                          				_v8 = 0;
                                                                          				_t31 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x2c] + _t27 * 4)) + 4));
                                                                          				E000B114F(__eflags, _t31 + 0x1c, _a4, _a12); // executed
                                                                          				_t19 = ReadFile(_a4, _a8, _a12,  &_v8, 0); // executed
                                                                          				if(_t19 == 0) {
                                                                          					_t22 = GetLastError();
                                                                          					_t38 =  <=  ? _t22 : _t22 & 0x0000ffff | 0x80070000;
                                                                          					_t34 =  >=  ? 0x80004005 :  <=  ? _t22 : _t22 & 0x0000ffff | 0x80070000;
                                                                          					E000937D3(0x80004005, "cabextract.cpp", 0x2ec, _t34);
                                                                          					_push("Failed to read during cabinet extraction.");
                                                                          					E000D012F();
                                                                          					_t27 = _t34;
                                                                          				}
                                                                          				 *((intOrPtr*)(_t31 + 0x30)) = _t34;
                                                                          				_t21 =  <  ? _t27 | 0xffffffff : _v8;
                                                                          				return  <  ? _t27 | 0xffffffff : _v8;
                                                                          			}










                                                                          APIs
                                                                            • Part of subcall function 000B114F: SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,000B077D,?,?,?), ref: 000B1177
                                                                            • Part of subcall function 000B114F: GetLastError.KERNEL32(?,000B077D,?,?,?), ref: 000B1181
                                                                          • ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,?), ref: 000B078B
                                                                          • GetLastError.KERNEL32 ref: 000B0795
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLast$PointerRead
                                                                          • String ID: @Mt$Failed to read during cabinet extraction.$cabextract.cpp
                                                                          • API String ID: 2170121939-1028880800
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 31%
                                                                          			E000B114F(void* __eflags, intOrPtr _a4, void* _a8, intOrPtr _a12) {
                                                                          				int _t11;
                                                                          				void* _t19;
                                                                          				long _t20;
                                                                          
                                                                          				_t20 = 0x80070490;
                                                                          				_t19 = E000B1127(_a4, _a8);
                                                                          				if(_t19 != 0) {
                                                                          					_t20 = 0;
                                                                          					_push(0);
                                                                          					_t11 = SetFilePointerEx(_a8,  *(_t19 + 8),  *(_t19 + 0xc), 0); // executed
                                                                          					if(_t11 != 0) {
                                                                          						 *(_t19 + 8) =  *(_t19 + 8) + _a12;
                                                                          						asm("adc [edi+0xc], esi");
                                                                          					} else {
                                                                          						_t23 =  <=  ? GetLastError() : _t12 & 0x0000ffff | 0x80070000;
                                                                          						_t20 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t12 & 0x0000ffff | 0x80070000;
                                                                          						E000937D3(0x80004005, "cabextract.cpp", 0x37e, _t20);
                                                                          						_push("Failed to move to virtual file pointer.");
                                                                          						_push(_t20);
                                                                          						E000D012F();
                                                                          					}
                                                                          				}
                                                                          				return _t20;
                                                                          			}






                                                                          APIs
                                                                          • SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,000B077D,?,?,?), ref: 000B1177
                                                                          • GetLastError.KERNEL32(?,000B077D,?,?,?), ref: 000B1181
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLastPointer
                                                                          • String ID: @Mt$Failed to move to virtual file pointer.$cabextract.cpp
                                                                          • API String ID: 2976181284-1344848017
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 86%
                                                                          			E000D3DB5(signed short __edx, void* _a4, intOrPtr _a8, intOrPtr _a12, signed short _a16, intOrPtr* _a20) {
                                                                          				signed int _v8;
                                                                          				void _v4104;
                                                                          				long _v4108;
                                                                          				intOrPtr _v4112;
                                                                          				long _v4116;
                                                                          				void* _v4120;
                                                                          				intOrPtr _v4124;
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				void* __ebp;
                                                                          				signed int _t32;
                                                                          				long _t37;
                                                                          				int _t39;
                                                                          				signed short _t40;
                                                                          				long _t45;
                                                                          				void* _t47;
                                                                          				intOrPtr* _t49;
                                                                          				void* _t50;
                                                                          				intOrPtr _t55;
                                                                          				signed short _t56;
                                                                          				intOrPtr _t58;
                                                                          				void* _t59;
                                                                          				signed short _t64;
                                                                          				void* _t65;
                                                                          				signed int _t66;
                                                                          				void* _t73;
                                                                          
                                                                          				_t56 = __edx;
                                                                          				E000D9F00();
                                                                          				_t32 =  *0xfa008; // 0x90c8e23b
                                                                          				_v8 = _t32 ^ _t66;
                                                                          				asm("xorps xmm0, xmm0");
                                                                          				_t49 = _a20;
                                                                          				asm("movlpd [ebp-0x100c], xmm0");
                                                                          				_v4120 = _a4;
                                                                          				_t58 = _v4112;
                                                                          				_v4124 = _a8;
                                                                          				_v4116 = _v4108;
                                                                          				do {
                                                                          					if(_a12 != 0 || _a16 != 0) {
                                                                          						_t56 = _a16;
                                                                          						_t37 = _a12 - _t58;
                                                                          						asm("sbb edx, ecx");
                                                                          						__eflags = _t56;
                                                                          						if(__eflags < 0) {
                                                                          							L8:
                                                                          							_v4108 = _t56;
                                                                          							goto L9;
                                                                          						}
                                                                          						if(__eflags > 0) {
                                                                          							L7:
                                                                          							_v4108 = _v4108 & 0x00000000;
                                                                          							_t37 = 0x1000;
                                                                          							goto L9;
                                                                          						}
                                                                          						__eflags = _t37 - 0x1000;
                                                                          						if(_t37 <= 0x1000) {
                                                                          							goto L8;
                                                                          						}
                                                                          						goto L7;
                                                                          					} else {
                                                                          						_t37 = 0x1000;
                                                                          						L9:
                                                                          						_v4108 = _t37;
                                                                          						_t39 = ReadFile(_v4120,  &_v4104, _t37,  &_v4108, 0); // executed
                                                                          						if(_t39 == 0) {
                                                                          							_t40 = GetLastError();
                                                                          							__eflags = _t40;
                                                                          							_t64 =  <=  ? _t40 : _t40 & 0x0000ffff | 0x80070000;
                                                                          							__eflags = _t64;
                                                                          							_t61 =  >=  ? 0x80004005 : _t64;
                                                                          							E000937D3(0x80004005, "fileutil.cpp", 0x407,  >=  ? 0x80004005 : _t64);
                                                                          							L20:
                                                                          							_pop(_t59);
                                                                          							_pop(_t65);
                                                                          							_pop(_t50);
                                                                          							return E000BDE36(_t50, _v8 ^ _t66, _t56, _t59, _t65);
                                                                          						}
                                                                          						_t45 = _v4108;
                                                                          						if(_t45 == 0) {
                                                                          							goto L13;
                                                                          						}
                                                                          						_t47 = E000D4CEE( &_v4108, _v4124,  &_v4104, _t45); // executed
                                                                          						if(_t47 < 0) {
                                                                          							goto L20;
                                                                          						}
                                                                          						_t45 = _v4108;
                                                                          					}
                                                                          					L13:
                                                                          					_t55 = _v4116;
                                                                          					_t58 = _t58 + _t45;
                                                                          					asm("adc ecx, 0x0");
                                                                          					_v4116 = _t55;
                                                                          					_t73 = _t55 - _a16;
                                                                          				} while (_t73 <= 0 && (_t73 < 0 || _t58 < _a12) && _t45 != 0);
                                                                          				if(_t49 != 0) {
                                                                          					 *_t49 = _t58;
                                                                          					 *((intOrPtr*)(_t49 + 4)) = _t55;
                                                                          				}
                                                                          				goto L20;
                                                                          			}






























                                                                          APIs
                                                                          • ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 000D3E5E
                                                                          • GetLastError.KERNEL32 ref: 000D3EC1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLastRead
                                                                          • String ID: @Mt$fileutil.cpp
                                                                          • API String ID: 1948546556-3352924005
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E000937EA(void* __edx, intOrPtr _a4, struct HINSTANCE__** _a8, intOrPtr _a12) {
                                                                          				signed int _v8;
                                                                          				short _v528;
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				void* __ebp;
                                                                          				signed int _t15;
                                                                          				signed int _t20;
                                                                          				void* _t22;
                                                                          				struct HINSTANCE__* _t26;
                                                                          				signed short _t27;
                                                                          				void* _t31;
                                                                          				struct HINSTANCE__** _t32;
                                                                          				void* _t33;
                                                                          				void* _t36;
                                                                          				intOrPtr _t37;
                                                                          				signed int _t42;
                                                                          
                                                                          				_t36 = __edx;
                                                                          				_t15 =  *0xfa008; // 0x90c8e23b
                                                                          				_v8 = _t15 ^ _t42;
                                                                          				_t32 = _a8;
                                                                          				_t37 = _a12;
                                                                          				E000BF670(_t37,  &_v528, 0, 0x208);
                                                                          				_t38 = 0x104;
                                                                          				_t20 = GetSystemDirectoryW( &_v528, 0x104);
                                                                          				if(_t20 != 0) {
                                                                          					_t33 = 0x5c;
                                                                          					if(_t33 ==  *((intOrPtr*)(_t42 + _t20 * 2 - 0x20e))) {
                                                                          						L6:
                                                                          						_t22 = E000936B4(_t33,  &_v528, _t38, _a4);
                                                                          						_t39 = _t22;
                                                                          						if(_t22 < 0) {
                                                                          							L10:
                                                                          							return E000BDE36(_t32, _v8 ^ _t42, _t36, _t37, _t39);
                                                                          						}
                                                                          						_t26 = LoadLibraryW( &_v528); // executed
                                                                          						 *_t32 = _t26;
                                                                          						if(_t26 == 0) {
                                                                          							goto L1;
                                                                          						}
                                                                          						if(_t37 != 0) {
                                                                          							_t39 = E000921A5(_t37,  &_v528, 0x104);
                                                                          						}
                                                                          						goto L10;
                                                                          					}
                                                                          					_t31 = E00093665(_t33,  &_v528, 0x104, "\\", 1);
                                                                          					_t39 = _t31;
                                                                          					if(_t31 < 0) {
                                                                          						goto L10;
                                                                          					} else {
                                                                          						_t38 = 0x104;
                                                                          						goto L6;
                                                                          					}
                                                                          				}
                                                                          				L1:
                                                                          				_t27 = GetLastError();
                                                                          				_t39 =  <=  ? _t27 : _t27 & 0x0000ffff | 0x80070000;
                                                                          				if(( <=  ? _t27 : _t27 & 0x0000ffff | 0x80070000) >= 0) {
                                                                          					_t39 = 0x80004005;
                                                                          				}
                                                                          				goto L10;
                                                                          			}





















                                                                          APIs
                                                                          • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00093829
                                                                          • GetLastError.KERNEL32 ref: 00093833
                                                                          • LoadLibraryW.KERNELBASE(?,?,00000104,?), ref: 0009389B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: DirectoryErrorLastLibraryLoadSystem
                                                                          • String ID: @Mt
                                                                          • API String ID: 1230559179-1491384996
                                                                          • Opcode ID: cd057fcd30c0d3e6de179def7ea2bf275d4b8a82de8e3ce047cb97f5776ed320
                                                                          • Instruction ID: 6507ea1699abcaf283e00d9bd17cc0266583483a2f8113534f5f272edcd920bc
                                                                          • Opcode Fuzzy Hash: cd057fcd30c0d3e6de179def7ea2bf275d4b8a82de8e3ce047cb97f5776ed320
                                                                          • Instruction Fuzzy Hash: 642198B6D01329A7EF209B649C49FEBB7BCDB04710F114165BD14E7241EA34DE449FA0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E000D4CEE(void* __ecx, void* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                          				long _v8;
                                                                          				int _t14;
                                                                          				intOrPtr _t19;
                                                                          				void* _t23;
                                                                          				void* _t26;
                                                                          
                                                                          				_t19 = _a8;
                                                                          				_t26 = 0;
                                                                          				_v8 = _v8 & 0;
                                                                          				_t23 = 0;
                                                                          				do {
                                                                          					_t14 = WriteFile(_a4, _t23 + _t19, _a12 - _t23,  &_v8, 0); // executed
                                                                          					if(_t14 != 0) {
                                                                          						goto L3;
                                                                          					} else {
                                                                          						_t26 =  <=  ? GetLastError() : _t16 & 0x0000ffff | 0x80070000;
                                                                          						if(_t26 < 0) {
                                                                          							E000937D3(_t16, "fileutil.cpp", 0x3e7, _t26);
                                                                          						} else {
                                                                          							goto L3;
                                                                          						}
                                                                          					}
                                                                          					L6:
                                                                          					return _t26;
                                                                          					L3:
                                                                          					_t23 = _t23 + _v8;
                                                                          				} while (_t23 < _a12);
                                                                          				goto L6;
                                                                          			}









                                                                          APIs
                                                                          • WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,000D3E85,?,?,?), ref: 000D4D12
                                                                          • GetLastError.KERNEL32(?,?,000D3E85,?,?,?), ref: 000D4D1C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLastWrite
                                                                          • String ID: @Mt$fileutil.cpp
                                                                          • API String ID: 442123175-3352924005
                                                                          • Opcode ID: 8571797e90605480c1885bd62ca0924bc43be4236bc203934ad2a0da5e7df032
                                                                          • Instruction ID: 61f563ac681d17d49088513430e0fdb33c409d3bea45cc22d2c6bb0bd46715e4
                                                                          • Opcode Fuzzy Hash: 8571797e90605480c1885bd62ca0924bc43be4236bc203934ad2a0da5e7df032
                                                                          • Instruction Fuzzy Hash: F7F08172601229BBD7109E9ACC48E9FBBAEFB44761F010117FD04D7140D631AD0096F1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 89%
                                                                          			E000D47D3(void* __ecx, void* _a4, union _LARGE_INTEGER _a8, union _LARGE_INTEGER* _a12, intOrPtr* _a16, intOrPtr _a20) {
                                                                          				intOrPtr _v8;
                                                                          				void* _v12;
                                                                          				int _t11;
                                                                          				intOrPtr* _t12;
                                                                          				void* _t21;
                                                                          
                                                                          				_push(_a20);
                                                                          				_t21 = 0;
                                                                          				_t11 = SetFilePointerEx(_a4, _a8, _a12,  &_v12); // executed
                                                                          				if(_t11 != 0) {
                                                                          					_t12 = _a16;
                                                                          					if(_t12 != 0) {
                                                                          						 *_t12 = _v12;
                                                                          						 *((intOrPtr*)(_t12 + 4)) = _v8;
                                                                          					}
                                                                          				} else {
                                                                          					_t25 =  <=  ? GetLastError() : _t14 & 0x0000ffff | 0x80070000;
                                                                          					_t21 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t14 & 0x0000ffff | 0x80070000;
                                                                          					E000937D3(0x80004005, "fileutil.cpp", 0x20a, _t21);
                                                                          				}
                                                                          				return _t21;
                                                                          			}









                                                                          APIs
                                                                          • SetFilePointerEx.KERNELBASE(?,?,?,?,?,00000000,?,?,?,000A8564,00000000,00000000,00000000,00000000,00000000), ref: 000D47EB
                                                                          • GetLastError.KERNEL32(?,?,?,000A8564,00000000,00000000,00000000,00000000,00000000), ref: 000D47F5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLastPointer
                                                                          • String ID: @Mt$fileutil.cpp
                                                                          • API String ID: 2976181284-3352924005
                                                                          • Opcode ID: 7dbceb4cd53e159c0c87b9dae12a6cd1529d03347a6ba0bde13252a64dcb6ef6
                                                                          • Instruction ID: 94c28a8898ca98c0472b3af17018edcb098e1fefd39f50d213adec4356e30313
                                                                          • Opcode Fuzzy Hash: 7dbceb4cd53e159c0c87b9dae12a6cd1529d03347a6ba0bde13252a64dcb6ef6
                                                                          • Instruction Fuzzy Hash: 48F01D71A00359ABAB209F959C09DAB7BE8EF08790B01411ABD05D7250D631DD10EBF4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00093999(void* _a4) {
                                                                          				char _t3;
                                                                          				long _t6;
                                                                          
                                                                          				_t6 = 0;
                                                                          				_t3 = RtlFreeHeap(GetProcessHeap(), 0, _a4); // executed
                                                                          				if(_t3 == 0) {
                                                                          					_t6 =  <=  ? GetLastError() : _t5 & 0x0000ffff | 0x80070000;
                                                                          				}
                                                                          				return _t6;
                                                                          			}






                                                                          APIs
                                                                          • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00093B34,00000000,?,00091472,00000000,80004005,00000000,80004005,00000000,000001C7,?,000913B7), ref: 000939A3
                                                                          • RtlFreeHeap.NTDLL(00000000,?,00093B34,00000000,?,00091472,00000000,80004005,00000000,80004005,00000000,000001C7,?,000913B7,000001C7,00000100), ref: 000939AA
                                                                          • GetLastError.KERNEL32(?,00093B34,00000000,?,00091472,00000000,80004005,00000000,80004005,00000000,000001C7,?,000913B7,000001C7,00000100,?), ref: 000939B4
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$ErrorFreeLastProcess
                                                                          • String ID: @Mt
                                                                          • API String ID: 406640338-1491384996
                                                                          • Opcode ID: f3facd98a0105b490e7ff639104b7b3c890b7550c9b33d70aa7a5f10123da143
                                                                          • Instruction ID: 832bac31970496a527dd9bb40edea5ebaca67f5e54abf1641f61830c32b87a6a
                                                                          • Opcode Fuzzy Hash: f3facd98a0105b490e7ff639104b7b3c890b7550c9b33d70aa7a5f10123da143
                                                                          • Instruction Fuzzy Hash: 3FD01236601234A797202BFA5C0C697BFDCEF456A17424022FD09D2110D729881096F4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00094E9C(void* __ebx, void* __ecx, void* __edi, struct _CRITICAL_SECTION* _a4) {
                                                                          				void* __esi;
                                                                          				void* _t38;
                                                                          				long _t66;
                                                                          				void* _t79;
                                                                          				void* _t80;
                                                                          				void* _t81;
                                                                          				struct _CRITICAL_SECTION* _t82;
                                                                          
                                                                          				_t81 = __edi;
                                                                          				_t80 = __ecx;
                                                                          				_t79 = __ebx;
                                                                          				_t82 = _a4;
                                                                          				_t31 =  *((intOrPtr*)(_t82 + 0x4e0));
                                                                          				if( *((intOrPtr*)(_t82 + 0x4e0)) != 0) {
                                                                          					E00091160(_t31);
                                                                          				}
                                                                          				_t32 =  *((intOrPtr*)(_t82 + 0x4d8));
                                                                          				if( *((intOrPtr*)(_t82 + 0x4d8)) != 0) {
                                                                          					E000D54EF(_t32);
                                                                          				}
                                                                          				E000A4B2B(_t82 + 0x4b8);
                                                                          				E000A4B2B(_t82 + 0x4a0);
                                                                          				_t37 =  *((intOrPtr*)(_t82 + 0x49c));
                                                                          				if( *((intOrPtr*)(_t82 + 0x49c)) != 0) {
                                                                          					E000D54EF(_t37);
                                                                          				}
                                                                          				_t38 =  *(_t82 + 0x3e4);
                                                                          				if(_t38 != 0) {
                                                                          					CloseHandle(_t38);
                                                                          					 *(_t82 + 0x3e4) =  *(_t82 + 0x3e4) & 0x00000000;
                                                                          				}
                                                                          				DeleteCriticalSection(_t82 + 0xd0);
                                                                          				E0009D79F(_t81, _t82 + 0xb8);
                                                                          				E0009BEFA(_t79, _t82 + 0x3d8);
                                                                          				E0009E79A(_t79, _t80, _t81, _t82 + 0x2f0);
                                                                          				E0009872B(_t79, _t82 + 0x88);
                                                                          				E0009B037(_t82, _t82 + 0xb0);
                                                                          				E000A0704(_t80, _t82 + 0x100);
                                                                          				E0009D133(_t82, _t82 + 0x2b8);
                                                                          				E0009E647(_t80, _t82 + 0x2c0);
                                                                          				E0009C8F1(_t81, _t82 + 0x2b0);
                                                                          				E0009BB09(_t81, _t82 + 0x48);
                                                                          				E0009C6C4(_t81, _t82 + 0x2a8); // executed
                                                                          				if( *((intOrPtr*)(_t82 + 0x40)) != 0) {
                                                                          					E000D54EF( *((intOrPtr*)(_t82 + 0x40)));
                                                                          				}
                                                                          				if( *((intOrPtr*)(_t82 + 0x28)) != 0) {
                                                                          					E000D54EF( *((intOrPtr*)(_t82 + 0x28)));
                                                                          				}
                                                                          				_t62 =  *((intOrPtr*)(_t82 + 0x408));
                                                                          				if( *((intOrPtr*)(_t82 + 0x408)) != 0) {
                                                                          					E000D54EF(_t62);
                                                                          				}
                                                                          				_t63 =  *((intOrPtr*)(_t82 + 0x404));
                                                                          				if( *((intOrPtr*)(_t82 + 0x404)) != 0) {
                                                                          					E000D54EF(_t63);
                                                                          				}
                                                                          				_t64 =  *((intOrPtr*)(_t82 + 0x400));
                                                                          				if( *((intOrPtr*)(_t82 + 0x400)) != 0) {
                                                                          					E000D54EF(_t64);
                                                                          				}
                                                                          				_t65 =  *((intOrPtr*)(_t82 + 0x3f8));
                                                                          				if( *((intOrPtr*)(_t82 + 0x3f8)) != 0) {
                                                                          					E000D54EF(_t65);
                                                                          				}
                                                                          				_t66 =  *(_t82 + 0x498);
                                                                          				if(_t66 != 0xffffffff) {
                                                                          					TlsFree(_t66);
                                                                          				}
                                                                          				DeleteCriticalSection(_t82);
                                                                          				return E000BF670(_t81, _t82, 0, 0x4e8);
                                                                          			}











                                                                          APIs
                                                                          • CloseHandle.KERNEL32(?,?,?,00000000,?,0009545F,?,?,?,?,?,?), ref: 00094EF6
                                                                          • DeleteCriticalSection.KERNEL32(?,?,?,00000000,?,0009545F,?,?,?,?,?,?), ref: 00094F0A
                                                                          • TlsFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0009545F,?,?), ref: 00094FF9
                                                                          • DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0009545F,?,?), ref: 00095000
                                                                            • Part of subcall function 00091160: LocalFree.KERNEL32(?,?,00094EB3,?,00000000,?,0009545F,?,?,?,?,?,?), ref: 0009116A
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalDeleteFreeSection$CloseHandleLocal
                                                                          • String ID:
                                                                          • API String ID: 3671900028-0
                                                                          • Opcode ID: a8835b27ea0551f2b69a22e4398b7223ccff4aac8f1d98472ef7d5597d6e129e
                                                                          • Instruction ID: f0351a84e090723a7f6cbc54e6654e0076879d4eb3b610277520c785d3bfd7cb
                                                                          • Opcode Fuzzy Hash: a8835b27ea0551f2b69a22e4398b7223ccff4aac8f1d98472ef7d5597d6e129e
                                                                          • Instruction Fuzzy Hash: 0C41A8B1500B05ABDE60FBB4C88AFDBB3ECAF04345F44082AB69AD3152EB34E5459725
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 83%
                                                                          			E000C60E2(void* __ecx) {
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				intOrPtr _t2;
                                                                          				void* _t3;
                                                                          				void* _t4;
                                                                          				void* _t10;
                                                                          				void* _t11;
                                                                          				void* _t13;
                                                                          				void* _t15;
                                                                          				void* _t16;
                                                                          				long _t17;
                                                                          
                                                                          				_t11 = __ecx;
                                                                          				_t17 = GetLastError();
                                                                          				_t10 = 0;
                                                                          				_t2 =  *0xfa05c; // 0x6
                                                                          				_t20 = _t2 - 0xffffffff;
                                                                          				if(_t2 == 0xffffffff) {
                                                                          					L2:
                                                                          					_t3 = E000C523F(_t11, 1, 0x364); // executed
                                                                          					_t16 = _t3;
                                                                          					_pop(_t13);
                                                                          					if(_t16 != 0) {
                                                                          						_t4 = E000C88AE(_t10, _t13, _t16, __eflags,  *0xfa05c, _t16);
                                                                          						__eflags = _t4;
                                                                          						if(_t4 != 0) {
                                                                          							E000C5ED0(_t13, _t16, 0xfb13c);
                                                                          							E000C511A(_t10);
                                                                          							__eflags = _t16;
                                                                          							if(_t16 != 0) {
                                                                          								goto L9;
                                                                          							} else {
                                                                          								goto L8;
                                                                          							}
                                                                          						} else {
                                                                          							_push(_t16);
                                                                          							goto L4;
                                                                          						}
                                                                          					} else {
                                                                          						_push(_t10);
                                                                          						L4:
                                                                          						E000C511A();
                                                                          						L8:
                                                                          						SetLastError(_t17);
                                                                          					}
                                                                          				} else {
                                                                          					_t16 = E000C8858(0, _t11, _t15, _t20, _t2);
                                                                          					if(_t16 != 0) {
                                                                          						L9:
                                                                          						SetLastError(_t17);
                                                                          						_t10 = _t16;
                                                                          					} else {
                                                                          						goto L2;
                                                                          					}
                                                                          				}
                                                                          				return _t10;
                                                                          			}















                                                                          APIs
                                                                          • GetLastError.KERNEL32(?,00000100,00000000,000C3E3B,000B16CE,80004005,00000000,?,cabextract.cpp,000001C7), ref: 000C60E7
                                                                          • SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 000C6150
                                                                          • SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 000C6159
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast
                                                                          • String ID: @Mt
                                                                          • API String ID: 1452528299-1491384996
                                                                          • Opcode ID: 359257ca547f025147bb8edd6f042b183f798a886e2241f03411e103d3e06063
                                                                          • Instruction ID: 5c0ab2104db41ef98d5ad3695a60c8b2d88a26cabd40464e7dee95473ce0d12c
                                                                          • Opcode Fuzzy Hash: 359257ca547f025147bb8edd6f042b183f798a886e2241f03411e103d3e06063
                                                                          • Instruction Fuzzy Hash: B901F97A200A006A923227346C4AF6F3BDDDBD2773B2D002DFD19A2253EF2A8C055531
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0009501B(signed short* _a4) {
                                                                          				signed int _t8;
                                                                          				int _t9;
                                                                          				int _t12;
                                                                          				signed int _t13;
                                                                          				short* _t15;
                                                                          				signed int _t16;
                                                                          				signed short* _t17;
                                                                          				int _t19;
                                                                          
                                                                          				_t8 =  *0xfaa50; // 0x1
                                                                          				_t15 = L"burn.clean.room";
                                                                          				_t19 = 1;
                                                                          				if((_t8 & 0x00000001) != 0) {
                                                                          					_t9 =  *0xfaa4c; // 0xf
                                                                          				} else {
                                                                          					 *0xfaa50 = _t8 | 1;
                                                                          					_t9 = lstrlenW(_t15);
                                                                          					 *0xfaa4c = _t9;
                                                                          				}
                                                                          				_t17 = _a4;
                                                                          				if(_t17 == 0) {
                                                                          					L8:
                                                                          					_t19 = 0;
                                                                          				} else {
                                                                          					_t16 =  *_t17 & 0x0000ffff;
                                                                          					if(_t16 == 0x2d || _t16 == 0x2f) {
                                                                          						_t12 = CompareStringW(0x7f, _t19,  &(_t17[1]), _t9, _t15, _t9); // executed
                                                                          						if(_t12 != 2) {
                                                                          							goto L8;
                                                                          						} else {
                                                                          							_t13 =  *0xfaa4c; // 0xf
                                                                          							if( *((short*)(_t17 + 2 + _t13 * 2)) != 0x3d) {
                                                                          								goto L8;
                                                                          							}
                                                                          						}
                                                                          					} else {
                                                                          						goto L8;
                                                                          					}
                                                                          				}
                                                                          				return _t19;
                                                                          			}












                                                                          APIs
                                                                          • lstrlenW.KERNEL32(burn.clean.room,?,?,?,?,00091104,?,?,00000000), ref: 0009503A
                                                                          • CompareStringW.KERNELBASE(0000007F,00000001,?,0000000F,burn.clean.room,0000000F,?,?,?,?,00091104,?,?,00000000), ref: 0009506A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: CompareStringlstrlen
                                                                          • String ID: burn.clean.room
                                                                          • API String ID: 1433953587-3055529264
                                                                          • Opcode ID: c188dd86245bbcb0487986808653b73b043fcfca8fb120960c943aac4f86bf35
                                                                          • Instruction ID: af756cee48282cee036ceca80445df7ddfa3c5508b5a994ad379264be305d6c7
                                                                          • Opcode Fuzzy Hash: c188dd86245bbcb0487986808653b73b043fcfca8fb120960c943aac4f86bf35
                                                                          • Instruction Fuzzy Hash: 2801F9B2600625AE97318F5ADC84D77B7ACFB497517104117FA0DC3A20D3759C50E7E2
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 87%
                                                                          			E000D33DB(void* __ecx, intOrPtr* _a4, intOrPtr _a8, intOrPtr* _a12) {
                                                                          				signed int _v8;
                                                                          				void* _t11;
                                                                          				int _t14;
                                                                          				void* _t21;
                                                                          
                                                                          				_v8 = _v8 & 0x00000000;
                                                                          				_t11 = E000D31C7(_a4, _a8,  &_v8); // executed
                                                                          				_t21 = _t11;
                                                                          				if(_t21 != 0x80070490 && _t21 >= 0) {
                                                                          					_t14 = CompareStringW(0x7f, 0, _v8, 0xffffffff, L"yes", 0xffffffff);
                                                                          					asm("sbb eax, eax");
                                                                          					 *_a12 =  ~(_t14 - 2) + 1;
                                                                          				}
                                                                          				if(_v8 != 0) {
                                                                          					E000D54EF(_v8);
                                                                          				}
                                                                          				return _t21;
                                                                          			}

                                                                          APIs
                                                                            • Part of subcall function 000D31C7: VariantInit.OLEAUT32(?), ref: 000D31DD
                                                                            • Part of subcall function 000D31C7: SysAllocString.OLEAUT32(?), ref: 000D31F9
                                                                            • Part of subcall function 000D31C7: VariantClear.OLEAUT32(?), ref: 000D3280
                                                                            • Part of subcall function 000D31C7: SysFreeString.OLEAUT32(00000000), ref: 000D328B
                                                                          • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,yes,000000FF,?,?,00000000,00000000,?,?,00098413,?,Hidden,?), ref: 000D3411
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: String$Variant$AllocClearCompareFreeInit
                                                                          • String ID: yes
                                                                          • API String ID: 1027225580-1978086825
                                                                          • Opcode ID: cf8457285787896a679de6d09c946ce23a3735e0b93ad794a58c0c248df16095
                                                                          • Instruction ID: 86ae17cb851806c3abf1ae4f665e1b122539cf9f05cb0300a2c2e490ecda63ee
                                                                          • Opcode Fuzzy Hash: cf8457285787896a679de6d09c946ce23a3735e0b93ad794a58c0c248df16095
                                                                          • Instruction Fuzzy Hash: 3AF0C235591229FFCB119BA8CC06FEEBBA8DB05335F104365B920A62D1C6755E00D7A1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E000D0E3F(void* _a4, short* _a8, int _a12, void** _a16) {
                                                                          				signed short _t5;
                                                                          				void* _t8;
                                                                          				signed short _t12;
                                                                          				int _t14;
                                                                          
                                                                          				_t14 = 0;
                                                                          				_t5 = RegOpenKeyExW(_a4, _a8, 0, _a12, _a16); // executed
                                                                          				_t12 = _t5;
                                                                          				_t8 =  <=  ? _t12 : _t12 & 0x0000ffff | 0x80070000;
                                                                          				if(_t8 != 0x80070002) {
                                                                          					if(_t12 != 0) {
                                                                          						_t14 =  >=  ? 0x80004005 : _t8;
                                                                          						E000937D3(0x80004005, "regutil.cpp", 0xa7, _t14);
                                                                          					}
                                                                          				} else {
                                                                          					_t14 = 0x80070002;
                                                                          				}
                                                                          				return _t14;
                                                                          			}

                                                                          APIs
                                                                          • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,000D5699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 000D0E52
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: Open
                                                                          • String ID: regutil.cpp
                                                                          • API String ID: 71445658-955085611
                                                                          • Opcode ID: bed32bd6902233985b15bf539c7806fc1414bf7b284ad317050a99a131b1157b
                                                                          • Instruction ID: dd3b6380a1c740c8b22d82e8d21da5bdf9c7f78f35ae02313d72b3828878291a
                                                                          • Opcode Fuzzy Hash: bed32bd6902233985b15bf539c7806fc1414bf7b284ad317050a99a131b1157b
                                                                          • Instruction Fuzzy Hash: 88F0A772701235ABEF245A569C00BBB7EC5DF446A0F118625BD4DDA651D236CC10E7E0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 37%
                                                                          			E000CF349() {
                                                                          				void* _t3;
                                                                          				void* _t5;
                                                                          				void* _t7;
                                                                          
                                                                          				_push(_t3);
                                                                          				_push(_t5);
                                                                          				E000D9814(_t3, _t5, _t7, 0xf8024, 0xfa94c); // executed
                                                                          				goto __eax;
                                                                          			}

                                                                          APIs
                                                                          • ___delayLoadHelper2@8.DELAYIMP ref: 000CF35B
                                                                            • Part of subcall function 000D9814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000D9891
                                                                            • Part of subcall function 000D9814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000D98A2
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                          • String ID: px<n
                                                                          • API String ID: 1269201914-3378541512
                                                                          • Opcode ID: b28dc67e3cfe02471bd59049a05bf120ef34896e89ad85692c0a72e9dbfab660
                                                                          • Instruction ID: aedfdadd3a70101230ce2c84195881d00c47715178db197ec592d99d83fe1cfa
                                                                          • Opcode Fuzzy Hash: b28dc67e3cfe02471bd59049a05bf120ef34896e89ad85692c0a72e9dbfab660
                                                                          • Instruction Fuzzy Hash: 60B0929225860A7C22445310A806C7A0209C3C2F24334C03BBB0098441AC840A062032
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 37%
                                                                          			E000CF36A() {
                                                                          				void* _t3;
                                                                          				void* _t5;
                                                                          				void* _t7;
                                                                          
                                                                          				_push(_t3);
                                                                          				_push(_t5);
                                                                          				E000D9814(_t3, _t5, _t7, 0xf8024, 0xfa944); // executed
                                                                          				goto __eax;
                                                                          			}

                                                                          APIs
                                                                          • ___delayLoadHelper2@8.DELAYIMP ref: 000CF35B
                                                                            • Part of subcall function 000D9814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000D9891
                                                                            • Part of subcall function 000D9814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000D98A2
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                          • String ID: px<n
                                                                          • API String ID: 1269201914-3378541512
                                                                          • Opcode ID: 233916b6db23d6f5ece622f846264148a72ea09b9e00e3a49f3e1cc462d2c321
                                                                          • Instruction ID: 25e27c19ab28d251a7bd78162de25c15738ecdadd54f01968304f9d6296d342a
                                                                          • Opcode Fuzzy Hash: 233916b6db23d6f5ece622f846264148a72ea09b9e00e3a49f3e1cc462d2c321
                                                                          • Instruction Fuzzy Hash: 4AB0929125860A6D228493145906D7A0149C3C6F20334C03AB604C9545EC8409062132
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 37%
                                                                          			E000CF37A() {
                                                                          				void* _t3;
                                                                          				void* _t5;
                                                                          				void* _t7;
                                                                          
                                                                          				_push(_t3);
                                                                          				_push(_t5);
                                                                          				E000D9814(_t3, _t5, _t7, 0xf8024, 0xfa948); // executed
                                                                          				goto __eax;
                                                                          			}

                                                                          APIs
                                                                          • ___delayLoadHelper2@8.DELAYIMP ref: 000CF35B
                                                                            • Part of subcall function 000D9814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000D9891
                                                                            • Part of subcall function 000D9814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000D98A2
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                          • String ID: px<n
                                                                          • API String ID: 1269201914-3378541512
                                                                          • Opcode ID: 3fe0a03680e9387868a1b99cf1417bbee0f7b9e83a865fc2c6fcbd1df3082b54
                                                                          • Instruction ID: 80f7b4ca953477b1dd0e8274917f1741d46aece19095d791f06d6cf69b0e92d8
                                                                          • Opcode Fuzzy Hash: 3fe0a03680e9387868a1b99cf1417bbee0f7b9e83a865fc2c6fcbd1df3082b54
                                                                          • Instruction Fuzzy Hash: 34B0929125860A6C228493145806D7A0149C3C6F20334C13AB604C9541EC8019462132
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E000C85A5(void* __ecx) {
                                                                          				void* _t6;
                                                                          				void* _t14;
                                                                          				void* _t18;
                                                                          				WCHAR* _t19;
                                                                          
                                                                          				_t14 = __ecx;
                                                                          				_t19 = GetEnvironmentStringsW();
                                                                          				if(_t19 != 0) {
                                                                          					_t12 = (E000C856E(_t19) - _t19 >> 1) + (E000C856E(_t19) - _t19 >> 1);
                                                                          					_t6 = E000C5154(_t14, (E000C856E(_t19) - _t19 >> 1) + (E000C856E(_t19) - _t19 >> 1)); // executed
                                                                          					_t18 = _t6;
                                                                          					if(_t18 != 0) {
                                                                          						E000BF0F0(_t18, _t19, _t12);
                                                                          					}
                                                                          					E000C511A(0);
                                                                          					FreeEnvironmentStringsW(_t19);
                                                                          				} else {
                                                                          					_t18 = 0;
                                                                          				}
                                                                          				return _t18;
                                                                          			}








                                                                          APIs
                                                                          • GetEnvironmentStringsW.KERNEL32 ref: 000C85A9
                                                                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 000C85E9
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: EnvironmentStrings$Free
                                                                          • String ID:
                                                                          • API String ID: 3328510275-0
                                                                          • Opcode ID: 9acf896a1741656098fd5ffe3c6bf684f2027451aa81afd3004eac39b3d19c34
                                                                          • Instruction ID: 29ad422281876ee1b4e609793310735c69168b57629d33acc20546b1f3836638
                                                                          • Opcode Fuzzy Hash: 9acf896a1741656098fd5ffe3c6bf684f2027451aa81afd3004eac39b3d19c34
                                                                          • Instruction Fuzzy Hash: 10E06537505D216BE52223297C4AFBF2B58DFC1BB172A0119F91886242FE649D0541B9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 58%
                                                                          			E00093A72(void* _a4, long _a8, signed int _a12) {
                                                                          				void* _t8;
                                                                          
                                                                          				asm("sbb eax, eax");
                                                                          				_t8 = RtlReAllocateHeap(GetProcessHeap(),  ~_a12 & 0x00000008, _a4, _a8); // executed
                                                                          				return _t8;
                                                                          			}




                                                                          0x00093a80
                                                                          0x00093a8d
                                                                          0x00093a94

                                                                          APIs
                                                                          • GetProcessHeap.KERNEL32(?,000001C7,?,?,0009227D,?,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000), ref: 00093A86
                                                                          • RtlReAllocateHeap.NTDLL(00000000,?,0009227D,?,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 00093A8D
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$AllocateProcess
                                                                          • String ID:
                                                                          • API String ID: 1357844191-0
                                                                          • Opcode ID: da0f4f00d9e7ba970af8c401a52cc95a9f7eccde8f777a7fb3a8147263912f54
                                                                          • Instruction ID: 4fdaafca2147b8e82d0c6b8fcd63224081934b17716abf2bae2122795638f6d1
                                                                          • Opcode Fuzzy Hash: da0f4f00d9e7ba970af8c401a52cc95a9f7eccde8f777a7fb3a8147263912f54
                                                                          • Instruction Fuzzy Hash: 3ED0C932150209EB9F005FE8DC09DAE3BACEB586127408406FD15C2110C73DE4609A60
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 72%
                                                                          			E000D3499(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                                                          				signed int _v8;
                                                                          				intOrPtr _v16;
                                                                          				intOrPtr _v20;
                                                                          				intOrPtr _v28;
                                                                          				short _v30;
                                                                          				void _v32;
                                                                          				void* _v36;
                                                                          				intOrPtr _v40;
                                                                          				char _v44;
                                                                          				intOrPtr* _v48;
                                                                          				void* _v56;
                                                                          				short _v64;
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				void* __ebp;
                                                                          				signed int _t31;
                                                                          				void* _t39;
                                                                          				void* _t46;
                                                                          				void* _t48;
                                                                          				short _t49;
                                                                          				void* _t55;
                                                                          				intOrPtr* _t59;
                                                                          				signed int _t60;
                                                                          				void* _t65;
                                                                          				signed int _t74;
                                                                          				void* _t75;
                                                                          				void* _t76;
                                                                          
                                                                          				_t31 =  *0xfa008; // 0x90c8e23b
                                                                          				_v8 = _t31 ^ _t74;
                                                                          				_v40 = _a4;
                                                                          				_v48 = _a12;
                                                                          				_t60 = 6;
                                                                          				memset( &_v32, 0, _t60 << 2);
                                                                          				_t76 = _t75 + 0xc;
                                                                          				_v36 = 0;
                                                                          				_v44 = 0;
                                                                          				__imp__#8( &_v64);
                                                                          				_t39 = E000D2F23(0,  &_v36, 0); // executed
                                                                          				_t59 = _v36;
                                                                          				_t69 = 1;
                                                                          				_t71 =  ==  ? 0x80004005 : _t39;
                                                                          				if(( ==  ? 0x80004005 : _t39) >= 0) {
                                                                          					_t46 =  *((intOrPtr*)( *_t59 + 0x110))(_t59, 0);
                                                                          					_t71 = _t46;
                                                                          					if(_t46 >= 0) {
                                                                          						_t48 =  *((intOrPtr*)( *_t59 + 0x118))(_t59, 0);
                                                                          						_t71 = _t48;
                                                                          						if(_t48 >= 0) {
                                                                          							_t49 = 0x12;
                                                                          							_v30 = _t49;
                                                                          							_v20 = _v40;
                                                                          							_v32 = 1;
                                                                          							_v28 = 1;
                                                                          							_v16 = _a8;
                                                                          							_t69 = _t76 - 0x10;
                                                                          							_v64 = 0x2011;
                                                                          							_v56 =  &_v32;
                                                                          							asm("movsd");
                                                                          							asm("movsd");
                                                                          							asm("movsd");
                                                                          							asm("movsd"); // executed
                                                                          							_t55 =  *((intOrPtr*)( *_t59 + 0xe8))(_t59,  &_v44);
                                                                          							_t71 =  ==  ? 0x8007006e : _t55;
                                                                          							if(( ==  ? 0x8007006e : _t55) >= 0) {
                                                                          								 *_v48 = _t59;
                                                                          								_t59 = 0;
                                                                          							}
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          				if(_t59 != 0) {
                                                                          					 *((intOrPtr*)( *_t59 + 8))(_t59);
                                                                          				}
                                                                          				return E000BDE36(_t59, _v8 ^ _t74, _t65, _t69, _t71);
                                                                          			}
































                                                                          APIs
                                                                          • VariantInit.OLEAUT32(?), ref: 000D34CE
                                                                            • Part of subcall function 000D2F23: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,000D34DF,00000000,?,00000000), ref: 000D2F3D
                                                                            • Part of subcall function 000D2F23: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,000BBDED,?,000952FD,?,00000000,?), ref: 000D2F49
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorHandleInitLastModuleVariant
                                                                          • String ID:
                                                                          • API String ID: 52713655-0
                                                                          • Opcode ID: a26a04bc0e2b8b00aab9f705039fdee06e71e01079fde6a28c9d50fcf13d0dd9
                                                                          • Instruction ID: 6be39442f3e09f5db6b4769d0c5f4cf097a09e2ec57e0ca610275097cbae1ca6
                                                                          • Opcode Fuzzy Hash: a26a04bc0e2b8b00aab9f705039fdee06e71e01079fde6a28c9d50fcf13d0dd9
                                                                          • Instruction Fuzzy Hash: 6A313BB6E007199BCB11DFA8D884ADEB7F8EF08710F01456AED15EB311D6719E008BA5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 95%
                                                                          			E000D5728(void* __ecx, intOrPtr _a4, short* _a8, intOrPtr _a12, char** _a16) {
                                                                          				void* _v8;
                                                                          				void* _t13;
                                                                          				char** _t24;
                                                                          				void* _t27;
                                                                          
                                                                          				_push(__ecx);
                                                                          				_v8 = 0;
                                                                          				_t13 = E000D5664(__ecx, _a4,  &_v8); // executed
                                                                          				_t24 = _a16;
                                                                          				_t27 = _t13;
                                                                          				if(_t27 == 0x80070002 || _t27 == 0x80070003) {
                                                                          					L5:
                                                                          					_t27 = 1;
                                                                          					goto L6;
                                                                          				} else {
                                                                          					if(_t27 < 0) {
                                                                          						L6:
                                                                          						if(_v8 != 0) {
                                                                          							RegCloseKey(_v8);
                                                                          							_v8 = 0;
                                                                          						}
                                                                          						if(_t27 == 1 || _t27 < 0) {
                                                                          							if(_a12 != 0) {
                                                                          								_t27 = E000921A5(_t24, _a12, 0);
                                                                          							} else {
                                                                          								if( *_t24 != 0) {
                                                                          									E000D54EF( *_t24);
                                                                          									 *_t24 = 0;
                                                                          								}
                                                                          							}
                                                                          						}
                                                                          						return _t27;
                                                                          					}
                                                                          					_t27 = E000D0F6E(_v8, _a8, _t24);
                                                                          					if(_t27 == 0x80070002 || _t27 == 0x80070003) {
                                                                          						goto L5;
                                                                          					} else {
                                                                          						goto L6;
                                                                          					}
                                                                          				}
                                                                          			}








                                                                          APIs
                                                                          • RegCloseKey.ADVAPI32(80070490,00000000,80070490,000FAAA0,00000000,80070490,00000000,?,000A890E,WiX\Burn,PackageCache,00000000,000FAAA0,00000000,00000000,80070490), ref: 000D5782
                                                                            • Part of subcall function 000D0F6E: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 000D0FE4
                                                                            • Part of subcall function 000D0F6E: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 000D101F
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: QueryValue$Close
                                                                          • String ID:
                                                                          • API String ID: 1979452859-0
                                                                          • Opcode ID: 6fefc293a01d1d736ae46fc92e967cf00609b142b5e8ca38b23ba2ca7aeebf87
                                                                          • Instruction ID: f3fff6648520b739abcc2ec13ba86af47e714203f3ef9a21f0244bfaac7f7fd4
                                                                          • Opcode Fuzzy Hash: 6fefc293a01d1d736ae46fc92e967cf00609b142b5e8ca38b23ba2ca7aeebf87
                                                                          • Instruction Fuzzy Hash: DE11A336C05729EBCF216EA4AC81AAEBAA5EB04322B25423BED0167311C3314D50DAF0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 95%
                                                                          			E000C523F(void* __ecx, signed int _a4, signed int _a8) {
                                                                          				void* _t8;
                                                                          				void* _t12;
                                                                          				signed int _t13;
                                                                          				void* _t15;
                                                                          				signed int _t16;
                                                                          				signed int _t18;
                                                                          				long _t19;
                                                                          
                                                                          				_t15 = __ecx;
                                                                          				_t18 = _a4;
                                                                          				if(_t18 == 0) {
                                                                          					L2:
                                                                          					_t19 = _t18 * _a8;
                                                                          					if(_t19 == 0) {
                                                                          						_t19 = _t19 + 1;
                                                                          					}
                                                                          					while(1) {
                                                                          						_t8 = RtlAllocateHeap( *0xfb5b8, 8, _t19); // executed
                                                                          						if(_t8 != 0) {
                                                                          							break;
                                                                          						}
                                                                          						__eflags = E000C4A8E();
                                                                          						if(__eflags == 0) {
                                                                          							L8:
                                                                          							 *((intOrPtr*)(E000C3E36())) = 0xc;
                                                                          							__eflags = 0;
                                                                          							return 0;
                                                                          						}
                                                                          						_t12 = E000C4ADD(_t15, _t16, __eflags, _t19);
                                                                          						_pop(_t15);
                                                                          						__eflags = _t12;
                                                                          						if(_t12 == 0) {
                                                                          							goto L8;
                                                                          						}
                                                                          					}
                                                                          					return _t8;
                                                                          				}
                                                                          				_t13 = 0xffffffe0;
                                                                          				_t16 = _t13 % _t18;
                                                                          				if(_t13 / _t18 < _a8) {
                                                                          					goto L8;
                                                                          				}
                                                                          				goto L2;
                                                                          			}











                                                                          APIs
                                                                          • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,000C6113,00000001,00000364), ref: 000C5280
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: AllocateHeap
                                                                          • String ID:
                                                                          • API String ID: 1279760036-0
                                                                          • Opcode ID: 11b08ec726407ffde9ec00e15ce62e79c3caef1f135c3f8fad0c37a80cba73ca
                                                                          • Instruction ID: 85163fb4e7accf535cef664bba5162177c9261316bbacc4bdfedc46f5a4bc47a
                                                                          • Opcode Fuzzy Hash: 11b08ec726407ffde9ec00e15ce62e79c3caef1f135c3f8fad0c37a80cba73ca
                                                                          • Instruction Fuzzy Hash: C0F0BB3E544924569BB15B618C05F5F37C8DF53771B194119EC04AB1D1DB20FC4046E1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 94%
                                                                          			E000C5154(void* __ecx, long _a4) {
                                                                          				void* _t4;
                                                                          				void* _t6;
                                                                          				void* _t7;
                                                                          				void* _t8;
                                                                          				long _t9;
                                                                          
                                                                          				_t7 = __ecx;
                                                                          				_t9 = _a4;
                                                                          				if(_t9 > 0xffffffe0) {
                                                                          					L7:
                                                                          					 *((intOrPtr*)(E000C3E36())) = 0xc;
                                                                          					__eflags = 0;
                                                                          					return 0;
                                                                          				}
                                                                          				if(_t9 == 0) {
                                                                          					_t9 = _t9 + 1;
                                                                          				}
                                                                          				while(1) {
                                                                          					_t4 = RtlAllocateHeap( *0xfb5b8, 0, _t9); // executed
                                                                          					if(_t4 != 0) {
                                                                          						break;
                                                                          					}
                                                                          					__eflags = E000C4A8E();
                                                                          					if(__eflags == 0) {
                                                                          						goto L7;
                                                                          					}
                                                                          					_t6 = E000C4ADD(_t7, _t8, __eflags, _t9);
                                                                          					_pop(_t7);
                                                                          					__eflags = _t6;
                                                                          					if(_t6 == 0) {
                                                                          						goto L7;
                                                                          					}
                                                                          				}
                                                                          				return _t4;
                                                                          			}









                                                                          APIs
                                                                          • RtlAllocateHeap.NTDLL(00000000,?,?,?,000C1E90,?,0000015D,?,?,?,?,000C32E9,000000FF,00000000,?,?), ref: 000C5186
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: AllocateHeap
                                                                          • String ID:
                                                                          • API String ID: 1279760036-0
                                                                          • Opcode ID: b6a1b8c55408fd75ba3320b61cb62f25169e48535fa0a9f567cb01b64f70b158
                                                                          • Instruction ID: eadb72dda43499b9ff7f442c2ad56a7180ba3001f432291cb93d692c4eb39656
                                                                          • Opcode Fuzzy Hash: b6a1b8c55408fd75ba3320b61cb62f25169e48535fa0a9f567cb01b64f70b158
                                                                          • Instruction Fuzzy Hash: 1AE0E52D240A2497E67127258C28F9F36C8DB417F2F0D4118AC25960D1DB20EC8082A1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,00000104,00000000,?,000A89CA,0000001C,80070490,00000000,00000000,80070490), ref: 000934E5
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: FolderPath
                                                                          • String ID:
                                                                          • API String ID: 1514166925-0
                                                                          • Opcode ID: 460ba6022f28611f9a8313422373dead8e01b363ad481b1c355eb6ba0594e55c
                                                                          • Instruction ID: 771d964d7806b65257394e3c49ee9283034e925ec03a74561c6fbdfa63d31224
                                                                          • Opcode Fuzzy Hash: 460ba6022f28611f9a8313422373dead8e01b363ad481b1c355eb6ba0594e55c
                                                                          • Instruction Fuzzy Hash: 6FE012763012257BAE022E666D05DEB7B9CDF157507018051BE40D6101EB65EA10A6B0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E000D2DD0() {
                                                                          				struct HINSTANCE__* _t1;
                                                                          
                                                                          				_t1 =  *0xfb680; // 0x0
                                                                          				if(_t1 != 0) {
                                                                          					_t1 = FreeLibrary(_t1); // executed
                                                                          					 *0xfb680 = 0;
                                                                          					 *0xfb6bc = 0;
                                                                          					 *0xfb6b8 = 0;
                                                                          					 *0xfb6b4 = 0;
                                                                          					 *0xfb6b0 = 0;
                                                                          					 *0xfb6ac = 0;
                                                                          					 *0xfb6a8 = 0;
                                                                          					 *0xfb6c0 = 0;
                                                                          				}
                                                                          				 *0xfb6c4 = 0;
                                                                          				return _t1;
                                                                          			}





                                                                          APIs
                                                                          • FreeLibrary.KERNELBASE(00000000,00000000,0009547B,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000D2DDD
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: FreeLibrary
                                                                          • String ID:
                                                                          • API String ID: 3664257935-0
                                                                          • Opcode ID: 3e4fac2fbf7835c08a5a7a85b503d453670eb4575ebafa92fc05614e59688335
                                                                          • Instruction ID: 5a56330a83e632cd5ef7c0850c9f0461148a27582e8f67c22ce9ced6309cd326
                                                                          • Opcode Fuzzy Hash: 3e4fac2fbf7835c08a5a7a85b503d453670eb4575ebafa92fc05614e59688335
                                                                          • Instruction Fuzzy Hash: 1AE0F6F59263299AAB508F59FD445627FBCBB58B41311865FF400D2A60C3BC8440EFA0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 96%
                                                                          			E000914B2(unsigned int _a4, WCHAR* _a8, unsigned int _a12, intOrPtr _a16) {
                                                                          				unsigned int _t9;
                                                                          				signed int _t10;
                                                                          				signed int _t13;
                                                                          				signed int _t14;
                                                                          				unsigned int _t15;
                                                                          				void* _t16;
                                                                          				unsigned int _t18;
                                                                          				unsigned int _t20;
                                                                          				unsigned int _t21;
                                                                          
                                                                          				_t9 = _a4;
                                                                          				_t20 = 0;
                                                                          				_t14 = _t13 | 0xffffffff;
                                                                          				if( *_t9 == 0) {
                                                                          					L4:
                                                                          					_t18 = _a12;
                                                                          					if(_t18 == 0) {
                                                                          						_t9 = lstrlenW(_a8);
                                                                          						_t18 = _t9;
                                                                          					}
                                                                          					_t4 = _t18 + 1; // 0x1
                                                                          					_t16 = _t4;
                                                                          					_t15 =  >=  ? _t16 : _t14;
                                                                          					asm("sbb eax, eax");
                                                                          					_t10 = _t9 & 0x80070216;
                                                                          					if(_t16 < _t18) {
                                                                          						L10:
                                                                          						return _t10;
                                                                          					} else {
                                                                          						if(_t20 >= _t15) {
                                                                          							L9:
                                                                          							_t10 = E00091A6E(_t16,  *_a4, _t20, _a8, _t18, 0, 0, 0x200);
                                                                          							goto L10;
                                                                          						}
                                                                          						_t20 = _t15;
                                                                          						_t10 = E0009143C(_a4, _t15, _a16); // executed
                                                                          						if(_t10 < 0) {
                                                                          							goto L10;
                                                                          						}
                                                                          						goto L9;
                                                                          					}
                                                                          				}
                                                                          				_t9 = E00093B51( *_t9);
                                                                          				_t21 = _t9;
                                                                          				if(_t21 != _t14) {
                                                                          					_t20 = _t21 >> 1;
                                                                          					goto L4;
                                                                          				}
                                                                          				return 0x80070057;
                                                                          			}












                                                                          APIs
                                                                          • lstrlenW.KERNEL32(00000000,00000000,00000000,?,?,000921B8,?,00000000,?,00000000,?,000938BD,00000000,?,00000104), ref: 000914E4
                                                                            • Part of subcall function 00093B51: GetProcessHeap.KERNEL32(00000000,000001C7,?,000921DC,000001C7,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 00093B59
                                                                            • Part of subcall function 00093B51: HeapSize.KERNEL32(00000000,?,000921DC,000001C7,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 00093B60
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$ProcessSizelstrlen
                                                                          • String ID:
                                                                          • API String ID: 3492610842-0
                                                                          • Opcode ID: 0a639a7fd76ef0b78ac3bc540e55898e809bb1d3858be98dfc15c7fc78317822
                                                                          • Instruction ID: c1bb0f322d59a0d6cce86200aee5f9e00ce8409879512a9672bb784d49f68545
                                                                          • Opcode Fuzzy Hash: 0a639a7fd76ef0b78ac3bc540e55898e809bb1d3858be98dfc15c7fc78317822
                                                                          • Instruction Fuzzy Hash: 9201283734021AEFCF215E54DC44FDE7795AF45760F228225FA359B1A1D731EC10A690
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Non-executed Functions

                                                                          C-Code - Quality: 82%
                                                                          			E000BC0FA(void* __ebx, void* __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr* _a56, intOrPtr* _a60, intOrPtr* _a64, intOrPtr* _a68, intOrPtr* _a72, intOrPtr _a76) {
                                                                          				void* _v8;
                                                                          				intOrPtr _t83;
                                                                          				intOrPtr* _t85;
                                                                          				intOrPtr _t88;
                                                                          				intOrPtr* _t90;
                                                                          				intOrPtr* _t94;
                                                                          				intOrPtr* _t99;
                                                                          				intOrPtr* _t100;
                                                                          				intOrPtr _t105;
                                                                          				intOrPtr _t106;
                                                                          				intOrPtr* _t108;
                                                                          				intOrPtr* _t111;
                                                                          				intOrPtr* _t113;
                                                                          				intOrPtr _t134;
                                                                          				intOrPtr _t138;
                                                                          				intOrPtr _t146;
                                                                          				void* _t159;
                                                                          				intOrPtr _t162;
                                                                          				intOrPtr* _t164;
                                                                          				intOrPtr* _t172;
                                                                          				intOrPtr _t173;
                                                                          				void* _t175;
                                                                          				intOrPtr _t176;
                                                                          				intOrPtr _t185;
                                                                          				void* _t186;
                                                                          				intOrPtr _t187;
                                                                          				intOrPtr* _t189;
                                                                          				intOrPtr* _t195;
                                                                          				intOrPtr* _t197;
                                                                          				intOrPtr _t199;
                                                                          				void* _t200;
                                                                          
                                                                          				_t186 = __edi;
                                                                          				_t159 = __ebx;
                                                                          				_v8 = 0;
                                                                          				if(E000A7EF7(_a24) != 0) {
                                                                          					E00091F20( &_v8, L" -%ls", _t82);
                                                                          					_t200 = _t200 + 0xc;
                                                                          				}
                                                                          				_push(_t159);
                                                                          				_push(_t186);
                                                                          				_t83 = E000938D4(8, 1);
                                                                          				_t187 = _a12;
                                                                          				 *((intOrPtr*)(_t187 + 0x7c)) = _t83;
                                                                          				if(_t83 != 0) {
                                                                          					 *((intOrPtr*)(_t187 + 0x80)) = 1;
                                                                          					 *((intOrPtr*)( *((intOrPtr*)(_t187 + 0x7c)))) = E000938D4(0x58, 1);
                                                                          					_t85 =  *((intOrPtr*)(_t187 + 0x7c));
                                                                          					__eflags = _t85;
                                                                          					if(_t85 != 0) {
                                                                          						_t162 = _a44;
                                                                          						 *((intOrPtr*)( *_t85 + 4)) = 3;
                                                                          						_t88 =  *((intOrPtr*)( *((intOrPtr*)(_t187 + 0x7c))));
                                                                          						 *((intOrPtr*)(_t88 + 0x10)) = _t162;
                                                                          						 *((intOrPtr*)(_t88 + 0x14)) = _a48;
                                                                          						_t90 = E000921A5( *((intOrPtr*)( *((intOrPtr*)(_t187 + 0x7c)))), _a20, 0);
                                                                          						__eflags = _t90;
                                                                          						if(_t90 >= 0) {
                                                                          							_t94 = E000921A5( *((intOrPtr*)( *((intOrPtr*)(_t187 + 0x7c)))) + 0x18, _a32, 0);
                                                                          							__eflags = _t94;
                                                                          							if(_t94 >= 0) {
                                                                          								_t99 = E000921A5( *((intOrPtr*)( *((intOrPtr*)(_t187 + 0x7c)))) + 0x38, _a36, 0);
                                                                          								__eflags = _t99;
                                                                          								if(_t99 >= 0) {
                                                                          									_t100 = _a40;
                                                                          									_t172 = 0;
                                                                          									__eflags = _t100;
                                                                          									if(_t100 == 0) {
                                                                          										L18:
                                                                          										__eflags = _a72;
                                                                          										if(_a72 == 0) {
                                                                          											L22:
                                                                          											_t173 = _a28;
                                                                          											__eflags = _t173 - 4;
                                                                          											if(_t173 == 4) {
                                                                          												L25:
                                                                          												_t185 = 1;
                                                                          												_t195 = 0;
                                                                          												__eflags = 0;
                                                                          											} else {
                                                                          												__eflags = _t173 - 3;
                                                                          												if(_t173 == 3) {
                                                                          													goto L25;
                                                                          												} else {
                                                                          													_t195 = 0;
                                                                          													_t185 = 0;
                                                                          												}
                                                                          											}
                                                                          											 *((intOrPtr*)( *((intOrPtr*)(_t187 + 0x7c)) + 4)) = _t185;
                                                                          											 *((intOrPtr*)(_t187 + 0x40)) = _t173;
                                                                          											 *((intOrPtr*)(_t187 + 0xa8)) = 1;
                                                                          											 *((intOrPtr*)(_t187 + 0x8c)) = 1;
                                                                          											 *((intOrPtr*)(_t187 + 0x14)) = _a16;
                                                                          											__eflags = _t173 - 4;
                                                                          											if(_t173 == 4) {
                                                                          												L29:
                                                                          												_t105 = 2;
                                                                          											} else {
                                                                          												__eflags = _t173 - 3;
                                                                          												if(_t173 == 3) {
                                                                          													goto L29;
                                                                          												} else {
                                                                          													_t105 = _t195;
                                                                          												}
                                                                          											}
                                                                          											 *((intOrPtr*)(_t187 + 0x28)) = _t162;
                                                                          											 *((intOrPtr*)(_t187 + 0x30)) = _t162;
                                                                          											 *((intOrPtr*)(_t187 + 0x44)) = _t105;
                                                                          											_t106 = _a48;
                                                                          											 *((intOrPtr*)(_t187 + 0x2c)) = _t106;
                                                                          											 *((intOrPtr*)(_t187 + 0x34)) = _t106;
                                                                          											 *((intOrPtr*)(_t187 + 0x1c)) = _a52;
                                                                          											_t108 = E000921A5(_t187, _a20, 0);
                                                                          											__eflags = _t108;
                                                                          											if(_t108 >= 0) {
                                                                          												_t52 = _t187 + 0x24; // 0x2e4
                                                                          												_t197 = E000921A5(_t52, _a20, 0);
                                                                          												__eflags = _t197;
                                                                          												if(_t197 >= 0) {
                                                                          													__eflags = _a56;
                                                                          													if(_a56 == 0) {
                                                                          														L37:
                                                                          														_t111 = _v8;
                                                                          														__eflags = _t111;
                                                                          														if(_t111 == 0) {
                                                                          															L40:
                                                                          															__eflags = _a60;
                                                                          															if(_a60 == 0) {
                                                                          																L47:
                                                                          																__eflags = _a64;
                                                                          																if(_a64 == 0) {
                                                                          																	L54:
                                                                          																	_t175 = _a4 + 0xf7530000;
                                                                          																	asm("adc eax, 0xfffcfff9");
                                                                          																	__eflags = _a8 - 4;
                                                                          																	if(__eflags > 0) {
                                                                          																		L58:
                                                                          																		_t113 = 0;
                                                                          																		__eflags = 0;
                                                                          																	} else {
                                                                          																		if(__eflags < 0) {
                                                                          																			L57:
                                                                          																			_t113 = 1;
                                                                          																		} else {
                                                                          																			__eflags = _t175 - 0x9c10000;
                                                                          																			if(_t175 > 0x9c10000) {
                                                                          																				goto L58;
                                                                          																			} else {
                                                                          																				goto L57;
                                                                          																			}
                                                                          																		}
                                                                          																	}
                                                                          																	_t164 = _a68;
                                                                          																	 *((intOrPtr*)(_t187 + 0xb0)) = _t113;
                                                                          																	__eflags = _t164;
                                                                          																	if(_t164 != 0) {
                                                                          																		_t176 = E000938D4(0x10, 1);
                                                                          																		 *((intOrPtr*)(_t187 + 0x84)) = _t176;
                                                                          																		__eflags = _t176;
                                                                          																		if(_t176 != 0) {
                                                                          																			 *((intOrPtr*)(_t187 + 0x88)) = 1;
                                                                          																			 *((intOrPtr*)(_t176 + 0xc)) =  *((intOrPtr*)(_t164 + 0xc));
                                                                          																			_t197 = E000921A5( *((intOrPtr*)(_t187 + 0x84)),  *_t164, 0);
                                                                          																			__eflags = _t197;
                                                                          																			if(_t197 < 0) {
                                                                          																				goto L31;
                                                                          																			} else {
                                                                          																				_t197 = E000921A5( *((intOrPtr*)(_t187 + 0x84)) + 4,  *((intOrPtr*)(_t164 + 4)), 0);
                                                                          																				__eflags = _t197;
                                                                          																				if(_t197 >= 0) {
                                                                          																					_t197 = E000921A5( *((intOrPtr*)(_t187 + 0x84)) + 8,  *((intOrPtr*)(_t164 + 8)), 0);
                                                                          																					__eflags = _t197;
                                                                          																					if(_t197 < 0) {
                                                                          																						_push("Failed to copy display name for pseudo bundle.");
                                                                          																						goto L67;
                                                                          																					}
                                                                          																				} else {
                                                                          																					_push("Failed to copy version for pseudo bundle.");
                                                                          																					goto L67;
                                                                          																				}
                                                                          																			}
                                                                          																		} else {
                                                                          																			_t189 = 0x8007000e;
                                                                          																			_t197 = 0x8007000e;
                                                                          																			E000937D3(_t117, "pseudobundle.cpp", 0x86, 0x8007000e);
                                                                          																			_push("Failed to allocate memory for dependency providers.");
                                                                          																			goto L4;
                                                                          																		}
                                                                          																	}
                                                                          																} else {
                                                                          																	_t64 = _t187 + 0x9c; // 0x35c
                                                                          																	_t166 = _t64;
                                                                          																	_t197 = E000921A5(_t64, _a64, 0);
                                                                          																	__eflags = _t197;
                                                                          																	if(_t197 >= 0) {
                                                                          																		_t134 = _v8;
                                                                          																		__eflags = _t134;
                                                                          																		if(_t134 == 0) {
                                                                          																			L53:
                                                                          																			 *((intOrPtr*)(_t187 + 0x18)) = 1;
                                                                          																			goto L54;
                                                                          																		} else {
                                                                          																			_t197 = E00091EF2(_t166, _t134, 0);
                                                                          																			__eflags = _t197;
                                                                          																			if(_t197 >= 0) {
                                                                          																				goto L53;
                                                                          																			} else {
                                                                          																				_push("Failed to append relation type to uninstall arguments for related bundle package");
                                                                          																				goto L67;
                                                                          																			}
                                                                          																		}
                                                                          																	} else {
                                                                          																		_push("Failed to copy uninstall arguments for related bundle package");
                                                                          																		goto L67;
                                                                          																	}
                                                                          																}
                                                                          															} else {
                                                                          																_t59 = _t187 + 0x98; // 0x358
                                                                          																_t167 = _t59;
                                                                          																_t197 = E000921A5(_t59, _a60, 0);
                                                                          																__eflags = _t197;
                                                                          																if(_t197 >= 0) {
                                                                          																	_t138 = _v8;
                                                                          																	__eflags = _t138;
                                                                          																	if(_t138 == 0) {
                                                                          																		L46:
                                                                          																		 *((intOrPtr*)(_t187 + 0xac)) = 1;
                                                                          																		goto L47;
                                                                          																	} else {
                                                                          																		_t197 = E00091EF2(_t167, _t138, 0);
                                                                          																		__eflags = _t197;
                                                                          																		if(_t197 >= 0) {
                                                                          																			goto L46;
                                                                          																		} else {
                                                                          																			_push("Failed to append relation type to repair arguments for related bundle package");
                                                                          																			goto L67;
                                                                          																		}
                                                                          																	}
                                                                          																} else {
                                                                          																	_push("Failed to copy repair arguments for related bundle package");
                                                                          																	goto L67;
                                                                          																}
                                                                          															}
                                                                          														} else {
                                                                          															_t57 = _t187 + 0x94; // 0x354
                                                                          															_t197 = E00091EF2(_t57, _t111, 0);
                                                                          															__eflags = _t197;
                                                                          															if(_t197 >= 0) {
                                                                          																goto L40;
                                                                          															} else {
                                                                          																_push("Failed to append relation type to install arguments for related bundle package");
                                                                          																goto L67;
                                                                          															}
                                                                          														}
                                                                          													} else {
                                                                          														_t55 = _t187 + 0x94; // 0x354
                                                                          														_t197 = E000921A5(_t55, _a56, 0);
                                                                          														__eflags = _t197;
                                                                          														if(_t197 >= 0) {
                                                                          															goto L37;
                                                                          														} else {
                                                                          															_push("Failed to copy install arguments for related bundle package");
                                                                          															goto L67;
                                                                          														}
                                                                          													}
                                                                          												} else {
                                                                          													_push("Failed to copy cache id for pseudo bundle.");
                                                                          													goto L67;
                                                                          												}
                                                                          											} else {
                                                                          												L31:
                                                                          												_push("Failed to copy key for pseudo bundle.");
                                                                          												goto L67;
                                                                          											}
                                                                          										} else {
                                                                          											_t199 = _a76;
                                                                          											 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t187 + 0x7c)))) + 0x30)) = E000938D4(_t199, _t172);
                                                                          											_t146 =  *((intOrPtr*)( *((intOrPtr*)(_t187 + 0x7c))));
                                                                          											__eflags =  *((intOrPtr*)(_t146 + 0x30));
                                                                          											if( *((intOrPtr*)(_t146 + 0x30)) != 0) {
                                                                          												 *((intOrPtr*)(_t146 + 0x34)) = _t199;
                                                                          												E000B1664( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t187 + 0x7c)))) + 0x30)),  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t187 + 0x7c)))) + 0x34)), _a72, _t199);
                                                                          												goto L22;
                                                                          											} else {
                                                                          												_t189 = 0x8007000e;
                                                                          												_t197 = 0x8007000e;
                                                                          												E000937D3(_t146, "pseudobundle.cpp", 0x3f, 0x8007000e);
                                                                          												_push("Failed to allocate memory for pseudo bundle payload hash.");
                                                                          												goto L4;
                                                                          											}
                                                                          										}
                                                                          									} else {
                                                                          										__eflags =  *_t100;
                                                                          										if( *_t100 == 0) {
                                                                          											goto L18;
                                                                          										} else {
                                                                          											_t197 = E000921A5( *((intOrPtr*)( *((intOrPtr*)(_t187 + 0x7c)))) + 0x40, _t100, 0);
                                                                          											__eflags = _t197;
                                                                          											if(_t197 >= 0) {
                                                                          												_t172 = 0;
                                                                          												__eflags = 0;
                                                                          												goto L18;
                                                                          											} else {
                                                                          												_push("Failed to copy download source for pseudo bundle.");
                                                                          												goto L67;
                                                                          											}
                                                                          										}
                                                                          									}
                                                                          								} else {
                                                                          									_push("Failed to copy local source path for pseudo bundle.");
                                                                          									goto L67;
                                                                          								}
                                                                          							} else {
                                                                          								_push("Failed to copy filename for pseudo bundle.");
                                                                          								goto L67;
                                                                          							}
                                                                          						} else {
                                                                          							_push("Failed to copy key for pseudo bundle payload.");
                                                                          							L67:
                                                                          							_push(_t197);
                                                                          							goto L68;
                                                                          						}
                                                                          					} else {
                                                                          						_t189 = 0x8007000e;
                                                                          						_t197 = 0x8007000e;
                                                                          						E000937D3(_t85, "pseudobundle.cpp", 0x29, 0x8007000e);
                                                                          						_push("Failed to allocate space for burn payload inside of related bundle struct");
                                                                          						goto L4;
                                                                          					}
                                                                          				} else {
                                                                          					_t189 = 0x8007000e;
                                                                          					_t197 = 0x8007000e;
                                                                          					E000937D3(_t83, "pseudobundle.cpp", 0x25, 0x8007000e);
                                                                          					_push("Failed to allocate space for burn package payload inside of related bundle struct");
                                                                          					L4:
                                                                          					_push(_t189);
                                                                          					L68:
                                                                          					E000D012F();
                                                                          				}
                                                                          				_t114 = _v8;
                                                                          				if(_v8 != 0) {
                                                                          					E000D54EF(_t114);
                                                                          				}
                                                                          				return _t197;
                                                                          			}


































                                                                          0x000bc25f
                                                                          0x000bc27f
                                                                          0x000bc291
                                                                          0x00000000
                                                                          0x000bc261
                                                                          0x000bc261
                                                                          0x000bc26e
                                                                          0x000bc270
                                                                          0x000bc275
                                                                          0x00000000
                                                                          0x000bc275
                                                                          0x000bc25f
                                                                          0x000bc216
                                                                          0x000bc216
                                                                          0x000bc219
                                                                          0x00000000
                                                                          0x000bc21b
                                                                          0x000bc22b
                                                                          0x000bc22d
                                                                          0x000bc22f
                                                                          0x000bc23b
                                                                          0x000bc23b
                                                                          0x00000000
                                                                          0x000bc231
                                                                          0x000bc231
                                                                          0x00000000
                                                                          0x000bc231
                                                                          0x000bc22f
                                                                          0x000bc219
                                                                          0x000bc203
                                                                          0x000bc203
                                                                          0x00000000
                                                                          0x000bc203
                                                                          0x000bc1df
                                                                          0x000bc1df
                                                                          0x00000000
                                                                          0x000bc1df
                                                                          0x000bc1bb
                                                                          0x000bc1bb
                                                                          0x000bc4f7
                                                                          0x000bc4f7
                                                                          0x00000000
                                                                          0x000bc4f7
                                                                          0x000bc172
                                                                          0x000bc172
                                                                          0x000bc17f
                                                                          0x000bc181
                                                                          0x000bc186
                                                                          0x00000000
                                                                          0x000bc186
                                                                          0x000bc139
                                                                          0x000bc139
                                                                          0x000bc146
                                                                          0x000bc148
                                                                          0x000bc14d
                                                                          0x000bc152
                                                                          0x000bc152
                                                                          0x000bc4f8
                                                                          0x000bc4f8
                                                                          0x000bc4fe
                                                                          0x000bc4ff
                                                                          0x000bc506
                                                                          0x000bc509
                                                                          0x000bc509
                                                                          0x000bc514

                                                                          Strings
                                                                          • Failed to copy filename for pseudo bundle., xrefs: 000BC1DF
                                                                          • Failed to append relation type to repair arguments for related bundle package, xrefs: 000BC3B9
                                                                          • Failed to copy key for pseudo bundle., xrefs: 000BC30A
                                                                          • Failed to copy local source path for pseudo bundle., xrefs: 000BC203
                                                                          • Failed to allocate space for burn package payload inside of related bundle struct, xrefs: 000BC14D
                                                                          • Failed to append relation type to uninstall arguments for related bundle package, xrefs: 000BC40C
                                                                          • Failed to allocate memory for pseudo bundle payload hash., xrefs: 000BC275
                                                                          • Failed to copy repair arguments for related bundle package, xrefs: 000BC398
                                                                          • -%ls, xrefs: 000BC114
                                                                          • Failed to copy download source for pseudo bundle., xrefs: 000BC231
                                                                          • Failed to copy key for pseudo bundle payload., xrefs: 000BC1BB
                                                                          • Failed to allocate memory for dependency providers., xrefs: 000BC481
                                                                          • Failed to copy install arguments for related bundle package, xrefs: 000BC34C
                                                                          • pseudobundle.cpp, xrefs: 000BC141, 000BC17A, 000BC269, 000BC475
                                                                          • Failed to allocate space for burn payload inside of related bundle struct, xrefs: 000BC186
                                                                          • Failed to copy version for pseudo bundle., xrefs: 000BC4D0
                                                                          • Failed to copy display name for pseudo bundle., xrefs: 000BC4F2
                                                                          • Failed to copy cache id for pseudo bundle., xrefs: 000BC327
                                                                          • Failed to append relation type to install arguments for related bundle package, xrefs: 000BC371
                                                                          • Failed to copy uninstall arguments for related bundle package, xrefs: 000BC3EB
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$AllocateProcess
                                                                          • String ID: -%ls$Failed to allocate memory for dependency providers.$Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of related bundle struct$Failed to allocate space for burn payload inside of related bundle struct$Failed to append relation type to install arguments for related bundle package$Failed to append relation type to repair arguments for related bundle package$Failed to append relation type to uninstall arguments for related bundle package$Failed to copy cache id for pseudo bundle.$Failed to copy display name for pseudo bundle.$Failed to copy download source for pseudo bundle.$Failed to copy filename for pseudo bundle.$Failed to copy install arguments for related bundle package$Failed to copy key for pseudo bundle payload.$Failed to copy key for pseudo bundle.$Failed to copy local source path for pseudo bundle.$Failed to copy repair arguments for related bundle package$Failed to copy uninstall arguments for related bundle package$Failed to copy version for pseudo bundle.$pseudobundle.cpp
                                                                          • API String ID: 1357844191-2832335422
                                                                          • Opcode ID: 6835bf6f1789e43249f30d06052a78340ca345d44b5838e96e38f199d96aae73
                                                                          • Instruction ID: 21e46ba769dbbb38d8c6529c2e2b11440b55a6967b8e247d5d0b01972c1b26a6
                                                                          • Opcode Fuzzy Hash: 6835bf6f1789e43249f30d06052a78340ca345d44b5838e96e38f199d96aae73
                                                                          • Instruction Fuzzy Hash: 67C1BF72A00656BFEB259F68C851EFA76E8BF08710B044129FD15EB352DB71ED109B90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 43%
                                                                          			E000944E9(void* __edx) {
                                                                          				signed int _v8;
                                                                          				intOrPtr _v12;
                                                                          				struct _TOKEN_PRIVILEGES _v24;
                                                                          				void* _v28;
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				void* __ebp;
                                                                          				signed int _t13;
                                                                          				int _t24;
                                                                          				signed short _t31;
                                                                          				signed short _t34;
                                                                          				signed short _t37;
                                                                          				void* _t45;
                                                                          				int _t47;
                                                                          				int _t48;
                                                                          				signed int _t60;
                                                                          
                                                                          				_t45 = __edx;
                                                                          				_t13 =  *0xfa008; // 0x90c8e23b
                                                                          				_v8 = _t13 ^ _t60;
                                                                          				asm("stosd");
                                                                          				_v28 = 0;
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				_t47 = 0;
                                                                          				if(OpenProcessToken(GetCurrentProcess(), 0x20,  &_v28) != 0) {
                                                                          					_v24.PrivilegeCount = 1;
                                                                          					_v12 = 2;
                                                                          					if(LookupPrivilegeValueW(0, L"SeShutdownPrivilege",  &(_v24.Privileges)) != 0) {
                                                                          						if(AdjustTokenPrivileges(_v28, 0,  &_v24, 0x10, 0, 0) != 0) {
                                                                          							do {
                                                                          								_t48 = 0;
                                                                          								Sleep(0x3e8);
                                                                          								_push(0x80040002);
                                                                          								_push(1);
                                                                          								_push(0);
                                                                          								_push(0);
                                                                          								_push(0);
                                                                          								_push(0);
                                                                          								if( *0xfaa5c() == 0) {
                                                                          									_t48 =  <=  ? GetLastError() : _t30 & 0x0000ffff | 0x80070000;
                                                                          								}
                                                                          								_t24 = _t47;
                                                                          								_t47 = _t47 + 1;
                                                                          							} while (_t24 < 0xa && (_t48 == 0x800704f7 || _t48 == 0x80070015));
                                                                          							if(_t48 < 0) {
                                                                          								E000937D3(_t24, "engine.cpp", 0x376, _t48);
                                                                          								_push("Failed to schedule restart.");
                                                                          								goto L13;
                                                                          							}
                                                                          						} else {
                                                                          							_t31 = GetLastError();
                                                                          							_t53 =  <=  ? _t31 : _t31 & 0x0000ffff | 0x80070000;
                                                                          							_t48 =  >=  ? 0x80004005 :  <=  ? _t31 : _t31 & 0x0000ffff | 0x80070000;
                                                                          							E000937D3(0x80004005, "engine.cpp", 0x362, _t48);
                                                                          							_push("Failed to adjust token to add shutdown privileges.");
                                                                          							goto L13;
                                                                          						}
                                                                          					} else {
                                                                          						_t34 = GetLastError();
                                                                          						_t56 =  <=  ? _t34 : _t34 & 0x0000ffff | 0x80070000;
                                                                          						_t48 =  >=  ? 0x80004005 :  <=  ? _t34 : _t34 & 0x0000ffff | 0x80070000;
                                                                          						E000937D3(0x80004005, "engine.cpp", 0x35d, _t48);
                                                                          						_push("Failed to get shutdown privilege LUID.");
                                                                          						goto L13;
                                                                          					}
                                                                          				} else {
                                                                          					_t37 = GetLastError();
                                                                          					_t59 =  <=  ? _t37 : _t37 & 0x0000ffff | 0x80070000;
                                                                          					_t48 =  >=  ? 0x80004005 :  <=  ? _t37 : _t37 & 0x0000ffff | 0x80070000;
                                                                          					E000937D3(0x80004005, "engine.cpp", 0x356, _t48);
                                                                          					_push("Failed to get process token.");
                                                                          					L13:
                                                                          					_push(_t48);
                                                                          					E000D012F();
                                                                          				}
                                                                          				if(_v28 != 0) {
                                                                          					CloseHandle(_v28);
                                                                          				}
                                                                          				return E000BDE36(0, _v8 ^ _t60, _t45, _t47, _t48);
                                                                          			}





















                                                                          APIs
                                                                          • GetCurrentProcess.KERNEL32(00000020,?,00000001,00000000,?,?,?,?,?,?,?), ref: 00094512
                                                                          • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00094519
                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00094523
                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00094573
                                                                          • GetLastError.KERNEL32 ref: 0009457D
                                                                          • CloseHandle.KERNEL32(?), ref: 00094677
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLastProcess$CloseCurrentHandleLookupOpenPrivilegeTokenValue
                                                                          • String ID: @Mt$Failed to adjust token to add shutdown privileges.$Failed to get process token.$Failed to get shutdown privilege LUID.$Failed to schedule restart.$SeShutdownPrivilege$engine.cpp
                                                                          • API String ID: 4232854991-1984516673
                                                                          • Opcode ID: 3253593b894a7c6776450f7bb10d09710e30d64a7281311936a34bf2ea9c7129
                                                                          • Instruction ID: 6c24eeff9344b315f2f5195abaf339429e27a1d4b19a742c931e7b342069a5a1
                                                                          • Opcode Fuzzy Hash: 3253593b894a7c6776450f7bb10d09710e30d64a7281311936a34bf2ea9c7129
                                                                          • Instruction Fuzzy Hash: 3F41CAB2A40325EBFB205BB59C45FBBBBD8EB01751F020126FE05F6291D7648D0196F6
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 19%
                                                                          			E00096184(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                          				signed int _v8;
                                                                          				struct _OSVERSIONINFOEXW _v292;
                                                                          				intOrPtr _v300;
                                                                          				intOrPtr _v312;
                                                                          				signed int _v316;
                                                                          				intOrPtr _v320;
                                                                          				signed int _v324;
                                                                          				void* __ebx;
                                                                          				signed int __edi;
                                                                          				intOrPtr* __esi;
                                                                          				void* __ebp;
                                                                          				signed int _t33;
                                                                          				signed int _t42;
                                                                          				signed short _t49;
                                                                          				intOrPtr _t52;
                                                                          				signed int _t53;
                                                                          				intOrPtr _t59;
                                                                          				void* _t60;
                                                                          				void* _t61;
                                                                          				void* _t62;
                                                                          				void* _t64;
                                                                          				signed int _t68;
                                                                          
                                                                          				_t59 = __edx;
                                                                          				_t33 =  *0xfa008; // 0x90c8e23b
                                                                          				_v8 = _t33 ^ _t68;
                                                                          				_t52 = _a8;
                                                                          				E000BF670(_t60,  &_v292, 0, 0x11c);
                                                                          				_v292.dwOSVersionInfoSize = 0x11c;
                                                                          				_t61 =  &_v316;
                                                                          				_t53 = 6;
                                                                          				memset(_t61, 0, _t53 << 2);
                                                                          				_t62 = _t61 + _t53;
                                                                          				if(GetVersionExW( &_v292) != 0) {
                                                                          					_t42 = _a4 + 0xfffffffc;
                                                                          					if(_t42 <= 9) {
                                                                          						switch( *((intOrPtr*)(_t42 * 4 +  &M00096338))) {
                                                                          							case 0:
                                                                          								_t48 = _v292.wProductType & 0x000000ff;
                                                                          								asm("cdq");
                                                                          								_v312 = _t59;
                                                                          								_v300 = 1;
                                                                          								goto L21;
                                                                          							case 1:
                                                                          								__eax = _v292.wSuiteMask;
                                                                          								__eax = _v292.wSuiteMask >> 2;
                                                                          								goto L6;
                                                                          							case 2:
                                                                          								__eax = _v292.wSuiteMask;
                                                                          								__eax = _v292.wSuiteMask >> 7;
                                                                          								goto L6;
                                                                          							case 3:
                                                                          								__eax = _v292.wSuiteMask;
                                                                          								__eax = _v292.wSuiteMask >> 1;
                                                                          								goto L6;
                                                                          							case 4:
                                                                          								__eax = _v292.wSuiteMask;
                                                                          								__eax = _v292.wSuiteMask >> 9;
                                                                          								goto L6;
                                                                          							case 5:
                                                                          								__eax = _v292.wSuiteMask;
                                                                          								goto L6;
                                                                          							case 6:
                                                                          								__eax = _v292.wSuiteMask;
                                                                          								__eax = _v292.wSuiteMask >> 5;
                                                                          								goto L6;
                                                                          							case 7:
                                                                          								__eax = _v292.wSuiteMask;
                                                                          								__eax = _v292.wSuiteMask >> 0xa;
                                                                          								L6:
                                                                          								__edi = 0;
                                                                          								__edi = 1;
                                                                          								__eax = __eax & 1;
                                                                          								goto L7;
                                                                          							case 8:
                                                                          								__edi = 0;
                                                                          								__edi = 1;
                                                                          								_push(1);
                                                                          								_push(2);
                                                                          								_push(0);
                                                                          								_push(0);
                                                                          								__esi = __imp__VerSetConditionMask;
                                                                          								__eax =  *__esi();
                                                                          								_push(1);
                                                                          								_push(1);
                                                                          								_push(__edx);
                                                                          								_push(__eax);
                                                                          								__eax =  *__esi();
                                                                          								_push(1);
                                                                          								_push(0x20);
                                                                          								_push(__edx);
                                                                          								_push(__eax);
                                                                          								__eax =  *__esi();
                                                                          								_push(1);
                                                                          								_push(0x10);
                                                                          								_push(__edx);
                                                                          								_push(__eax);
                                                                          								__eax =  *__esi();
                                                                          								_push(__edx);
                                                                          								 &_v292 = VerifyVersionInfoW( &_v292, 0x33,  &_v292);
                                                                          								L7:
                                                                          								asm("cdq");
                                                                          								_v312 = __edx;
                                                                          								goto L20;
                                                                          							case 9:
                                                                          								__eax = _v292.wSuiteMask;
                                                                          								__edi = 0;
                                                                          								__edi = 1;
                                                                          								if((__al & 0x00000010) == 0) {
                                                                          									L18:
                                                                          									asm("xorps xmm0, xmm0");
                                                                          									asm("movlpd [ebp-0x140], xmm0");
                                                                          									__esi = _v320;
                                                                          									__eax = _v324;
                                                                          								} else {
                                                                          									__eax = __eax & 0x00000100;
                                                                          									__ecx = 0;
                                                                          									if(__cx != __ax) {
                                                                          										goto L18;
                                                                          									} else {
                                                                          										__eax = 1;
                                                                          									}
                                                                          								}
                                                                          								_v312 = __esi;
                                                                          								L20:
                                                                          								_v300 = __edi;
                                                                          								L21:
                                                                          								_v316 = _t48;
                                                                          								goto L22;
                                                                          						}
                                                                          					}
                                                                          					L22:
                                                                          					_t64 = E000AFF73(_t59,  &_v316, _t52);
                                                                          					if(_t64 < 0) {
                                                                          						_push("Failed to set variant value.");
                                                                          						goto L24;
                                                                          					}
                                                                          				} else {
                                                                          					_t49 = GetLastError();
                                                                          					_t67 =  <=  ? _t49 : _t49 & 0x0000ffff | 0x80070000;
                                                                          					_t64 =  >=  ? 0x80004005 :  <=  ? _t49 : _t49 & 0x0000ffff | 0x80070000;
                                                                          					E000937D3(0x80004005, "variable.cpp", 0x6a1, _t64);
                                                                          					_push("Failed to get OS info.");
                                                                          					L24:
                                                                          					_push(_t64);
                                                                          					E000D012F();
                                                                          				}
                                                                          				return E000BDE36(_t52, _v8 ^ _t68, _t59, _t62, _t64);
                                                                          			}

                                                                          APIs
                                                                          • GetVersionExW.KERNEL32(0000011C), ref: 000961D2
                                                                          • GetLastError.KERNEL32 ref: 000961DC
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLastVersion
                                                                          • String ID: @Mt$Failed to get OS info.$Failed to set variant value.$variable.cpp
                                                                          • API String ID: 305913169-4142700709
                                                                          • Opcode ID: d70a3663c5fb1677f00c56c2eaa1a41f6852c247bbc472ece34e397d99c42d62
                                                                          • Instruction ID: 62e2d6479719be65aa73ae5ec844fe1638ce9e2b2baa7716330d285d2194c20c
                                                                          • Opcode Fuzzy Hash: d70a3663c5fb1677f00c56c2eaa1a41f6852c247bbc472ece34e397d99c42d62
                                                                          • Instruction Fuzzy Hash: D7419471E05228ABDF309BA9CC45EEE7BB8EB89710F01419AF509E7150DA359E81DB60
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 71%
                                                                          			E0009834D(struct _CRITICAL_SECTION* _a4, intOrPtr _a8) {
                                                                          				char _v8;
                                                                          				signed int _v12;
                                                                          				signed int _v16;
                                                                          				char _v20;
                                                                          				void* _v24;
                                                                          				int _v28;
                                                                          				char _v32;
                                                                          				char _v36;
                                                                          				void _v60;
                                                                          				intOrPtr* _t97;
                                                                          				int _t148;
                                                                          				struct _CRITICAL_SECTION* _t154;
                                                                          				signed int _t155;
                                                                          				intOrPtr* _t158;
                                                                          				signed int _t159;
                                                                          				int _t169;
                                                                          				signed int _t170;
                                                                          				void* _t171;
                                                                          				signed int _t172;
                                                                          				struct _CRITICAL_SECTION* _t174;
                                                                          				void* _t176;
                                                                          				int _t177;
                                                                          				void* _t179;
                                                                          				void* _t180;
                                                                          
                                                                          				_t154 = _a4;
                                                                          				_t155 = 6;
                                                                          				_v24 = 0;
                                                                          				_v16 = 0;
                                                                          				memset( &_v60, 0, _t155 << 2);
                                                                          				_t180 = _t179 + 0xc;
                                                                          				_v32 = 0;
                                                                          				_v8 = 0;
                                                                          				_v12 = 0;
                                                                          				_v20 = 0;
                                                                          				_v36 = 0;
                                                                          				_v28 = 0;
                                                                          				EnterCriticalSection(_t154);
                                                                          				if(E000D3803(_a8, L"Variable",  &_v24) >= 0) {
                                                                          					_t97 = _v24;
                                                                          					_t166 =  &_v32;
                                                                          					_t157 =  *_t97;
                                                                          					_t176 =  *((intOrPtr*)( *_t97 + 0x20))(_t97,  &_v32);
                                                                          					if(_t176 >= 0) {
                                                                          						_t169 = 0;
                                                                          						_a4 = 0;
                                                                          						if(_v32 > 0) {
                                                                          							while(1) {
                                                                          								_t176 = E000D3760(_t157, _v24,  &_v16, _t169);
                                                                          								if(_t176 < 0) {
                                                                          									break;
                                                                          								}
                                                                          								_t176 = E000D31C7(_v16, L"Id",  &_v8);
                                                                          								if(_t176 < 0) {
                                                                          									_push("Failed to get @Id.");
                                                                          									goto L57;
                                                                          								} else {
                                                                          									_t176 = E000D33DB(_t157, _v16, L"Hidden",  &_v20);
                                                                          									if(_t176 < 0) {
                                                                          										_push("Failed to get @Hidden.");
                                                                          										goto L57;
                                                                          									} else {
                                                                          										_t176 = E000D33DB(_t157, _v16, L"Persisted",  &_v36);
                                                                          										if(_t176 < 0) {
                                                                          											_push("Failed to get @Persisted.");
                                                                          											goto L57;
                                                                          										} else {
                                                                          											_t176 = E000D31C7(_v16, L"Value",  &_v12);
                                                                          											if(_t176 == 0x80070490) {
                                                                          												_t177 = _t169;
                                                                          												goto L25;
                                                                          											} else {
                                                                          												if(_t176 < 0) {
                                                                          													_push("Failed to get @Value.");
                                                                          													goto L57;
                                                                          												} else {
                                                                          													_t176 = E000B02F4( &_v60, _v12, _t169);
                                                                          													if(_t176 < 0) {
                                                                          														_push("Failed to set variant value.");
                                                                          														goto L57;
                                                                          													} else {
                                                                          														_t176 = E000D31C7(_v16, L"Type",  &_v12);
                                                                          														if(_t176 < 0) {
                                                                          															_push("Failed to get @Type.");
                                                                          															goto L57;
                                                                          														} else {
                                                                          															_t148 = CompareStringW(0x7f, _t169, _v12, 0xffffffff, L"numeric", 0xffffffff);
                                                                          															_t177 = 2;
                                                                          															if(_t148 != _t177) {
                                                                          																if(CompareStringW(0x7f, _t169, _v12, 0xffffffff, L"string", 0xffffffff) != _t177) {
                                                                          																	if(CompareStringW(0x7f, _t169, _v12, 0xffffffff, L"version", 0xffffffff) != _t177) {
                                                                          																		_push(_v12);
                                                                          																		_t171 = 0x80070057;
                                                                          																		_t176 = 0x80070057;
                                                                          																		_push("Invalid value for @Type: %ls");
                                                                          																		goto L42;
                                                                          																	} else {
                                                                          																		if(_v20 == 0) {
                                                                          																			_push(_v60);
                                                                          																			E000D061A(_t177, "Initializing version variable \'%ls\' to value \'%ls\'", _v8);
                                                                          																			_t180 = _t180 + 0x10;
                                                                          																		}
                                                                          																		_t177 = 3;
                                                                          																		goto L25;
                                                                          																	}
                                                                          																} else {
                                                                          																	if(_v20 != 0) {
                                                                          																		goto L26;
                                                                          																	} else {
                                                                          																		_push(_v60);
                                                                          																		E000D061A(_t177, "Initializing string variable \'%ls\' to value \'%ls\'", _v8);
                                                                          																		_t180 = _t180 + 0x10;
                                                                          																		goto L25;
                                                                          																	}
                                                                          																	goto L27;
                                                                          																}
                                                                          															} else {
                                                                          																if(_v20 == 0) {
                                                                          																	_push(_v60);
                                                                          																	E000D061A(_t177, "Initializing numeric variable \'%ls\' to value \'%ls\'", _v8);
                                                                          																	_t180 = _t180 + 0x10;
                                                                          																}
                                                                          																_t177 = 1;
                                                                          																L25:
                                                                          																if(_v20 != 0) {
                                                                          																	L26:
                                                                          																	E000D061A(2, "Initializing hidden variable \'%ls\'", _v8);
                                                                          																	_t180 = _t180 + 0xc;
                                                                          																}
                                                                          																L27:
                                                                          																_t176 = E000AFEB7(_t166,  &_v60, _t177);
                                                                          																if(_t176 < 0) {
                                                                          																	_push("Failed to change variant type.");
                                                                          																	goto L57;
                                                                          																} else {
                                                                          																	_t176 = E000955B6(_t157, _t154, _v8,  &_v28);
                                                                          																	if(_t176 < 0) {
                                                                          																		_push(_v8);
                                                                          																		_push("Failed to find variable value \'%ls\'.");
                                                                          																		goto L51;
                                                                          																	} else {
                                                                          																		_t170 = _v28;
                                                                          																		if(_t176 != 1) {
                                                                          																			_t124 =  *((intOrPtr*)(_t154 + 0x20));
                                                                          																			if( *((intOrPtr*)(_t170 * 0x38 +  *((intOrPtr*)(_t154 + 0x20)) + 0x2c)) > 0) {
                                                                          																				_t171 = 0x80070057;
                                                                          																				_t176 = 0x80070057;
                                                                          																				E000937D3(_t124, "variable.cpp", 0x18a, 0x80070057);
                                                                          																				_push(_v8);
                                                                          																				_push("Attempt to set built-in variable value: %ls");
                                                                          																				L42:
                                                                          																				_push(_t171);
                                                                          																				goto L43;
                                                                          																			} else {
                                                                          																				goto L33;
                                                                          																			}
                                                                          																		} else {
                                                                          																			_t176 = E00096AC6(_t122, _t157, _t154, _v8, _t170);
                                                                          																			if(_t176 >= 0) {
                                                                          																				L33:
                                                                          																				_t172 = _t170 * 0x38;
                                                                          																				 *((intOrPtr*)(_t172 +  *((intOrPtr*)(_t154 + 0x20)) + 0x20)) = _v20;
                                                                          																				 *((intOrPtr*)(_t172 +  *((intOrPtr*)(_t154 + 0x20)) + 0x28)) = _v36;
                                                                          																				_t176 = E000B035B(_t166,  *((intOrPtr*)(_t154 + 0x20)) + 8 + _t172,  &_v60);
                                                                          																				if(_t176 < 0) {
                                                                          																					_push(_v8);
                                                                          																					_push("Failed to set value of variable: %ls");
                                                                          																					goto L51;
                                                                          																				} else {
                                                                          																					_t176 = E000B0246( *((intOrPtr*)(_t154 + 0x20)) + 8 + _t172, _v20);
                                                                          																					if(_t176 < 0) {
                                                                          																						_push("Failed to set variant encryption");
                                                                          																						goto L57;
                                                                          																					} else {
                                                                          																						_t157 = _v16;
                                                                          																						if(_t157 != 0) {
                                                                          																							 *((intOrPtr*)( *_t157 + 8))(_t157);
                                                                          																							_v16 = _v16 & 0x00000000;
                                                                          																						}
                                                                          																						E000B0499( &_v60);
                                                                          																						if(_v12 != 0) {
                                                                          																							E00092793(_v12);
                                                                          																							_v12 = _v12 & 0x00000000;
                                                                          																						}
                                                                          																						_t174 = _a4 + 1;
                                                                          																						_a4 = _t174;
                                                                          																						if(_t174 < _v32) {
                                                                          																							_t169 = 0;
                                                                          																							continue;
                                                                          																						}
                                                                          																					}
                                                                          																				}
                                                                          																			} else {
                                                                          																				_push(_v8);
                                                                          																				_push("Failed to insert variable \'%ls\'.");
                                                                          																				L51:
                                                                          																				_push(_t176);
                                                                          																				L43:
                                                                          																				E000D012F();
                                                                          																			}
                                                                          																		}
                                                                          																	}
                                                                          																}
                                                                          															}
                                                                          														}
                                                                          													}
                                                                          												}
                                                                          											}
                                                                          										}
                                                                          									}
                                                                          								}
                                                                          								goto L58;
                                                                          							}
                                                                          							_push("Failed to get next node.");
                                                                          							goto L57;
                                                                          						}
                                                                          					} else {
                                                                          						_push("Failed to get variable node count.");
                                                                          						goto L57;
                                                                          					}
                                                                          				} else {
                                                                          					_push("Failed to select variable nodes.");
                                                                          					L57:
                                                                          					_push(_t176);
                                                                          					E000D012F();
                                                                          				}
                                                                          				L58:
                                                                          				LeaveCriticalSection(_t154);
                                                                          				_t158 = _v24;
                                                                          				if(_t158 != 0) {
                                                                          					 *((intOrPtr*)( *_t158 + 8))(_t158);
                                                                          				}
                                                                          				_t159 = _v16;
                                                                          				if(_t159 != 0) {
                                                                          					 *((intOrPtr*)( *_t159 + 8))(_t159);
                                                                          				}
                                                                          				if(_v12 != 0) {
                                                                          					E000D54EF(_v12);
                                                                          				}
                                                                          				if(_v8 != 0) {
                                                                          					E000D54EF(_v8);
                                                                          				}
                                                                          				E000B0499( &_v60);
                                                                          				return _t176;
                                                                          			}



























                                                                          0x0009867b
                                                                          0x0009867e
                                                                          0x00000000
                                                                          0x000985eb
                                                                          0x000985fc
                                                                          0x00098600
                                                                          0x00098674
                                                                          0x00000000
                                                                          0x00098602
                                                                          0x00098602
                                                                          0x00098607
                                                                          0x0009860c
                                                                          0x0009860f
                                                                          0x0009860f
                                                                          0x00098617
                                                                          0x00098620
                                                                          0x00098625
                                                                          0x0009862a
                                                                          0x0009862a
                                                                          0x00098631
                                                                          0x00098632
                                                                          0x00098638
                                                                          0x0009863e
                                                                          0x00000000
                                                                          0x0009863e
                                                                          0x00098638
                                                                          0x00098600
                                                                          0x0009859a
                                                                          0x0009859a
                                                                          0x0009859d
                                                                          0x000986ae
                                                                          0x000986ae
                                                                          0x00098655
                                                                          0x00098655
                                                                          0x0009865a
                                                                          0x00098598
                                                                          0x00098588
                                                                          0x0009857c
                                                                          0x00098565
                                                                          0x000984ab
                                                                          0x0009848b
                                                                          0x00098470
                                                                          0x00098459
                                                                          0x00098451
                                                                          0x00098432
                                                                          0x00098417
                                                                          0x00000000
                                                                          0x000983fc
                                                                          0x000986cd
                                                                          0x00000000
                                                                          0x000986cd
                                                                          0x000983b8
                                                                          0x000983b8
                                                                          0x00000000
                                                                          0x000983b8
                                                                          0x0009839b
                                                                          0x0009839b
                                                                          0x000986d2
                                                                          0x000986d2
                                                                          0x000986d3
                                                                          0x000986d9
                                                                          0x000986da
                                                                          0x000986db
                                                                          0x000986e1
                                                                          0x000986e6
                                                                          0x000986eb
                                                                          0x000986eb
                                                                          0x000986ee
                                                                          0x000986f3
                                                                          0x000986f8
                                                                          0x000986f8
                                                                          0x000986ff
                                                                          0x00098704
                                                                          0x00098704
                                                                          0x0009870d
                                                                          0x00098712
                                                                          0x00098712
                                                                          0x0009871b
                                                                          0x00098728

                                                                          APIs
                                                                          • EnterCriticalSection.KERNEL32(?,?,00000000,80070490,?,?,?,?,?,?,?,=S,000BBF87,?,?,?), ref: 0009837E
                                                                          • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,=S,000BBF87,?,?,?,?,=S,Chain), ref: 000986DB
                                                                          Strings
                                                                          • Failed to get variable node count., xrefs: 000983B8
                                                                          • Invalid value for @Type: %ls, xrefs: 0009864F
                                                                          • Initializing hidden variable '%ls', xrefs: 00098548
                                                                          • version, xrefs: 00098503
                                                                          • Attempt to set built-in variable value: %ls, xrefs: 0009869F
                                                                          • numeric, xrefs: 00098493
                                                                          • Initializing numeric variable '%ls' to value '%ls', xrefs: 000984B9
                                                                          • Failed to find variable value '%ls'., xrefs: 000986A9
                                                                          • Failed to get @Value., xrefs: 0009866D
                                                                          • Failed to set variant value., xrefs: 00098666
                                                                          • Hidden, xrefs: 00098406
                                                                          • Variable, xrefs: 00098388
                                                                          • Initializing string variable '%ls' to value '%ls', xrefs: 000984F1
                                                                          • Initializing version variable '%ls' to value '%ls', xrefs: 0009852A
                                                                          • Failed to select variable nodes., xrefs: 0009839B
                                                                          • Failed to get @Hidden., xrefs: 000986BF
                                                                          • Failed to get @Type., xrefs: 0009865F
                                                                          • Failed to set variant encryption, xrefs: 00098674
                                                                          • Failed to get @Persisted., xrefs: 000986B8
                                                                          • Failed to change variant type., xrefs: 000986B1
                                                                          • Value, xrefs: 0009843C
                                                                          • Failed to get next node., xrefs: 000986CD
                                                                          • Failed to get @Id., xrefs: 000986C6
                                                                          • =S, xrefs: 0009834D
                                                                          • Persisted, xrefs: 00098421
                                                                          • variable.cpp, xrefs: 00098690
                                                                          • Failed to insert variable '%ls'., xrefs: 0009859D
                                                                          • Failed to set value of variable: %ls, xrefs: 0009867E
                                                                          • string, xrefs: 000984CE
                                                                          • Type, xrefs: 0009847A
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$EnterLeave
                                                                          • String ID: =S$Attempt to set built-in variable value: %ls$Failed to change variant type.$Failed to find variable value '%ls'.$Failed to get @Hidden.$Failed to get @Id.$Failed to get @Persisted.$Failed to get @Type.$Failed to get @Value.$Failed to get next node.$Failed to get variable node count.$Failed to insert variable '%ls'.$Failed to select variable nodes.$Failed to set value of variable: %ls$Failed to set variant encryption$Failed to set variant value.$Hidden$Initializing hidden variable '%ls'$Initializing numeric variable '%ls' to value '%ls'$Initializing string variable '%ls' to value '%ls'$Initializing version variable '%ls' to value '%ls'$Invalid value for @Type: %ls$Persisted$Type$Value$Variable$numeric$string$variable.cpp$version
                                                                          • API String ID: 3168844106-1768023205
                                                                          • Opcode ID: 0ccaac171e36ae1848e64f7e1b9cf26cb6c7a0b15b1d1370558fb65d4dbe6162
                                                                          • Instruction ID: d48a49cbf146627be196faa4b44cc3cd8436765ff4a4ff42a542ca1498a157cd
                                                                          • Opcode Fuzzy Hash: 0ccaac171e36ae1848e64f7e1b9cf26cb6c7a0b15b1d1370558fb65d4dbe6162
                                                                          • Instruction Fuzzy Hash: D6B1D472D4031ABBDF219B94CC05EEEBB75AF45710F118256FA04BB391CB719A00EBA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 81%
                                                                          			E000A52E3(long _a4) {
                                                                          				long _v8;
                                                                          				signed int _v12;
                                                                          				void _v16;
                                                                          				signed int _v20;
                                                                          				WCHAR* _v24;
                                                                          				void _v28;
                                                                          				void _v32;
                                                                          				intOrPtr _v36;
                                                                          				intOrPtr _v40;
                                                                          				WCHAR* _t40;
                                                                          				long _t43;
                                                                          				signed int _t44;
                                                                          				signed short _t48;
                                                                          				signed short _t56;
                                                                          				signed short _t62;
                                                                          				signed short _t67;
                                                                          				signed short _t73;
                                                                          				signed short _t79;
                                                                          				void* _t83;
                                                                          				long _t84;
                                                                          				signed int _t88;
                                                                          				void* _t109;
                                                                          
                                                                          				_t84 = _a4;
                                                                          				_t88 = 0;
                                                                          				_v40 =  *((intOrPtr*)(_t84 + 0x10));
                                                                          				_v36 =  *((intOrPtr*)(_t84 + 0x14));
                                                                          				_t40 =  *(_t84 + 4);
                                                                          				_v24 = _t40;
                                                                          				_v16 = lstrlenW(_t40) + _t41;
                                                                          				_t43 = GetCurrentProcessId();
                                                                          				_v32 = _v32 & 0;
                                                                          				_a4 = _a4 & 0;
                                                                          				_v28 = _t43;
                                                                          				_t44 = 0;
                                                                          				_v20 = 0;
                                                                          				while(1) {
                                                                          					L1:
                                                                          					_t83 =  *(_t109 + _t44 * 4 - 0x24);
                                                                          					if(_t83 == 0xffffffff) {
                                                                          						break;
                                                                          					}
                                                                          					_v8 = 1;
                                                                          					if(SetNamedPipeHandleState(_t83,  &_v8, 0, 0) == 0) {
                                                                          						_t48 = GetLastError();
                                                                          						_t91 =  <=  ? _t48 : _t48 & 0x0000ffff | 0x80070000;
                                                                          						_t88 =  >=  ? 0x80004005 :  <=  ? _t48 : _t48 & 0x0000ffff | 0x80070000;
                                                                          						E000937D3(0x80004005, "pipe.cpp", 0x1ce, _t88);
                                                                          						_push("Failed to set pipe to non-blocking.");
                                                                          						goto L28;
                                                                          					} else {
                                                                          						_v12 = _v12 & 0x00000000;
                                                                          						do {
                                                                          							if(ConnectNamedPipe(_t83, 0) != 0) {
                                                                          								goto L9;
                                                                          							} else {
                                                                          								_t52 = GetLastError();
                                                                          								if(_t52 == 0x217) {
                                                                          									_t88 = 0;
                                                                          									L11:
                                                                          									_v8 = _v8 & 0x00000000;
                                                                          									if(SetNamedPipeHandleState(_t83,  &_v8, 0, 0) == 0) {
                                                                          										_t56 = GetLastError();
                                                                          										_t94 =  <=  ? _t56 : _t56 & 0x0000ffff | 0x80070000;
                                                                          										_t88 =  >=  ? 0x80004005 :  <=  ? _t56 : _t56 & 0x0000ffff | 0x80070000;
                                                                          										E000937D3(0x80004005, "pipe.cpp", 0x1f9, _t88);
                                                                          										_push("Failed to reset pipe to blocking.");
                                                                          										goto L28;
                                                                          									} else {
                                                                          										if(WriteFile(_t83,  &_v16, 4,  &_a4, 0) == 0) {
                                                                          											_t62 = GetLastError();
                                                                          											_t97 =  <=  ? _t62 : _t62 & 0x0000ffff | 0x80070000;
                                                                          											_t88 =  >=  ? 0x80004005 :  <=  ? _t62 : _t62 & 0x0000ffff | 0x80070000;
                                                                          											E000937D3(0x80004005, "pipe.cpp", 0x1ff, _t88);
                                                                          											_push("Failed to write secret length to pipe.");
                                                                          											goto L28;
                                                                          										} else {
                                                                          											_t31 =  &_v24; // 0x9442a
                                                                          											if(WriteFile(_t83,  *_t31, _v16,  &_a4, 0) == 0) {
                                                                          												_t67 = GetLastError();
                                                                          												_t100 =  <=  ? _t67 : _t67 & 0x0000ffff | 0x80070000;
                                                                          												_t88 =  >=  ? 0x80004005 :  <=  ? _t67 : _t67 & 0x0000ffff | 0x80070000;
                                                                          												E000937D3(0x80004005, "pipe.cpp", 0x204, _t88);
                                                                          												_push("Failed to write secret to pipe.");
                                                                          												goto L28;
                                                                          											} else {
                                                                          												if(WriteFile(_t83,  &_v28, 4,  &_a4, 0) == 0) {
                                                                          													_t73 = GetLastError();
                                                                          													_t103 =  <=  ? _t73 : _t73 & 0x0000ffff | 0x80070000;
                                                                          													_t88 =  >=  ? 0x80004005 :  <=  ? _t73 : _t73 & 0x0000ffff | 0x80070000;
                                                                          													E000937D3(0x80004005, "pipe.cpp", 0x209, _t88);
                                                                          													_push("Failed to write our process id to pipe.");
                                                                          													goto L28;
                                                                          												} else {
                                                                          													if(ReadFile(_t83,  &_v32, 4,  &_a4, 0) == 0) {
                                                                          														_t79 = GetLastError();
                                                                          														_t106 =  <=  ? _t79 : _t79 & 0x0000ffff | 0x80070000;
                                                                          														_t88 =  >=  ? 0x80004005 :  <=  ? _t79 : _t79 & 0x0000ffff | 0x80070000;
                                                                          														E000937D3(0x80004005, "pipe.cpp", 0x20f, _t88);
                                                                          														_push("Failed to read ACK from pipe.");
                                                                          														goto L28;
                                                                          													} else {
                                                                          														_t44 = _v20 + 1;
                                                                          														_v20 = _t44;
                                                                          														if(_t44 < 2) {
                                                                          															goto L1;
                                                                          														} else {
                                                                          														}
                                                                          													}
                                                                          												}
                                                                          											}
                                                                          										}
                                                                          									}
                                                                          								} else {
                                                                          									if(_t52 != 0x218) {
                                                                          										_t88 =  <=  ? _t52 : _t52 & 0x0000ffff | 0x80070000;
                                                                          										break;
                                                                          									} else {
                                                                          										_t52 = _v12;
                                                                          										if(_t52 >= 0x708) {
                                                                          											_t88 = 0x800705b4;
                                                                          											L21:
                                                                          											E000937D3(_t52, "pipe.cpp", 0x1f3, _t88);
                                                                          											_push("Failed to wait for child to connect to pipe.");
                                                                          											L28:
                                                                          											_push(_t88);
                                                                          											E000D012F();
                                                                          										} else {
                                                                          											_t52 = _t52 + 1;
                                                                          											_t88 = 0x80070218;
                                                                          											_v12 = _t52;
                                                                          											Sleep(0x64);
                                                                          											goto L9;
                                                                          										}
                                                                          									}
                                                                          								}
                                                                          							}
                                                                          							goto L29;
                                                                          							L9:
                                                                          						} while (_t88 == 0x80070218);
                                                                          						if(_t88 < 0) {
                                                                          							goto L21;
                                                                          						} else {
                                                                          							goto L11;
                                                                          						}
                                                                          					}
                                                                          					break;
                                                                          				}
                                                                          				L29:
                                                                          				return _t88;
                                                                          			}


                                                                          APIs
                                                                          • lstrlenW.KERNEL32(?,?,00000000,?,000DB4F0,?,00000000,?,0009442A,?,000DB4F0), ref: 000A5304
                                                                          • GetCurrentProcessId.KERNEL32(?,0009442A,?,000DB4F0), ref: 000A530F
                                                                          • SetNamedPipeHandleState.KERNEL32(?,000000FF,00000000,00000000,?,0009442A,?,000DB4F0), ref: 000A5346
                                                                          • ConnectNamedPipe.KERNEL32(?,00000000,?,0009442A,?,000DB4F0), ref: 000A535B
                                                                          • GetLastError.KERNEL32(?,0009442A,?,000DB4F0), ref: 000A5365
                                                                          • Sleep.KERNEL32(00000064,?,0009442A,?,000DB4F0), ref: 000A5396
                                                                          • SetNamedPipeHandleState.KERNEL32(?,00000000,00000000,00000000,?,0009442A,?,000DB4F0), ref: 000A53B9
                                                                          • WriteFile.KERNEL32(?,crypt32.dll,00000004,00000000,00000000,?,0009442A,?,000DB4F0), ref: 000A53D4
                                                                          • WriteFile.KERNEL32(?,*D,000DB4F0,00000000,00000000,?,0009442A,?,000DB4F0), ref: 000A53EF
                                                                          • WriteFile.KERNEL32(?,comres.dll,00000004,feclient.dll,00000000,?,0009442A,?,000DB4F0), ref: 000A540A
                                                                          • ReadFile.KERNEL32(?,wininet.dll,00000004,feclient.dll,00000000,?,0009442A,?,000DB4F0), ref: 000A5425
                                                                          • GetLastError.KERNEL32(?,0009442A,?,000DB4F0), ref: 000A547D
                                                                          • GetLastError.KERNEL32(?,0009442A,?,000DB4F0), ref: 000A54B1
                                                                          • GetLastError.KERNEL32(?,0009442A,?,000DB4F0), ref: 000A54E5
                                                                          • GetLastError.KERNEL32(?,0009442A,?,000DB4F0), ref: 000A557B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast$File$NamedPipeWrite$HandleState$ConnectCurrentProcessReadSleeplstrlen
                                                                          • String ID: *D$Failed to read ACK from pipe.$Failed to reset pipe to blocking.$Failed to set pipe to non-blocking.$Failed to wait for child to connect to pipe.$Failed to write our process id to pipe.$Failed to write secret length to pipe.$Failed to write secret to pipe.$comres.dll$crypt32.dll$feclient.dll$pipe.cpp$wininet.dll
                                                                          • API String ID: 2944378912-3473256259
                                                                          • Opcode ID: de6e8c1f2992a95f305cf23c55a41b3de9e29c1831e829291f7ddfa68d87cec5
                                                                          • Instruction ID: ca3cca7b6fed5d26f99b0fb9f0fbc21d8050d631fac21587cca2cec979c195a3
                                                                          • Opcode Fuzzy Hash: de6e8c1f2992a95f305cf23c55a41b3de9e29c1831e829291f7ddfa68d87cec5
                                                                          • Instruction Fuzzy Hash: 4261A9B2E40725AAFB209AF5CC49BEEB6E8AF04741F114125FE05FB190D764CE4086F5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 83%
                                                                          			E000D72F4(void* __ebx, void* __eflags, int _a4, intOrPtr* _a8) {
                                                                          				signed int _v8;
                                                                          				signed int _v12;
                                                                          				void* _v16;
                                                                          				int _v20;
                                                                          				int _v24;
                                                                          				int _v28;
                                                                          				void* __edi;
                                                                          				int _t110;
                                                                          				int _t111;
                                                                          				int _t112;
                                                                          				int _t114;
                                                                          				int _t116;
                                                                          				int _t117;
                                                                          				int _t118;
                                                                          				int _t119;
                                                                          				int _t120;
                                                                          				int _t121;
                                                                          				int _t122;
                                                                          				int _t123;
                                                                          				int _t124;
                                                                          				int _t125;
                                                                          				int _t128;
                                                                          				void* _t147;
                                                                          				intOrPtr* _t150;
                                                                          				void* _t151;
                                                                          				signed int _t153;
                                                                          				intOrPtr* _t154;
                                                                          				intOrPtr _t160;
                                                                          				int _t161;
                                                                          
                                                                          				_t149 = __ebx;
                                                                          				_v16 = 0;
                                                                          				_v12 = 0;
                                                                          				_v8 = 0;
                                                                          				_t160 = E000938D4(0x48, 1);
                                                                          				if(_t160 != 0) {
                                                                          					_t150 = _a4;
                                                                          					 *((intOrPtr*)(_t160 + 0x40)) = _t150;
                                                                          					 *((intOrPtr*)( *_t150 + 4))(_t150, __ebx);
                                                                          					_t7 = _t160 + 0x20; // 0x20
                                                                          					_t8 = _t160 + 0x24; // 0x24
                                                                          					_t161 = E000D64F4(_t8, _t150, L"author", _t8, _t7);
                                                                          					__eflags = _t161;
                                                                          					if(_t161 >= 0) {
                                                                          						_t9 = _t160 + 0x28; // 0x28
                                                                          						_t10 = _t160 + 0x2c; // 0x2c
                                                                          						_t161 = E000D658C(_t10, _t150, L"category", _t10, _t9);
                                                                          						__eflags = _t161;
                                                                          						if(_t161 >= 0) {
                                                                          							_t11 = _t160 + 0x30; // 0x30
                                                                          							_t12 = _t160 + 0x34; // 0x34
                                                                          							_t161 = E000D6624(_t12, _t150, L"entry", _t12, _t11);
                                                                          							__eflags = _t161;
                                                                          							if(_t161 >= 0) {
                                                                          								_t13 = _t160 + 0x38; // 0x38
                                                                          								_t14 = _t160 + 0x3c; // 0x3c
                                                                          								_t161 = E000D66BC(_t14, _t150, L"link", _t14, _t13);
                                                                          								__eflags = _t161;
                                                                          								if(_t161 >= 0) {
                                                                          									_t158 =  &_v16;
                                                                          									_t161 =  *((intOrPtr*)( *_t150 + 0x30))(_t150,  &_v16);
                                                                          									__eflags = _t161;
                                                                          									if(_t161 >= 0) {
                                                                          										_t110 = E000D3760( &_v16, _v16,  &_v12,  &_v8);
                                                                          										_t161 = _t110;
                                                                          										__eflags = _t161;
                                                                          										if(_t161 != 0) {
                                                                          											L45:
                                                                          											_t111 =  *(_t160 + 8);
                                                                          											__eflags = _t111;
                                                                          											if(_t111 == 0) {
                                                                          												L54:
                                                                          												_t112 = 0x8007000d;
                                                                          												_push(0x8007000d);
                                                                          												_push(0x197);
                                                                          												goto L55;
                                                                          											} else {
                                                                          												__eflags =  *_t111;
                                                                          												if( *_t111 == 0) {
                                                                          													goto L54;
                                                                          												} else {
                                                                          													_t114 =  *(_t160 + 0x14);
                                                                          													__eflags = _t114;
                                                                          													if(_t114 == 0) {
                                                                          														L53:
                                                                          														_t112 = 0x8007000d;
                                                                          														_push(0x8007000d);
                                                                          														_push(0x19c);
                                                                          														goto L55;
                                                                          													} else {
                                                                          														__eflags =  *_t114;
                                                                          														if( *_t114 == 0) {
                                                                          															goto L53;
                                                                          														} else {
                                                                          															__eflags =  *(_t160 + 0x1c);
                                                                          															if( *(_t160 + 0x1c) != 0) {
                                                                          																L52:
                                                                          																 *_a8 = _t160;
                                                                          																_t160 = 0;
                                                                          															} else {
                                                                          																__eflags =  *(_t160 + 0x18);
                                                                          																if( *(_t160 + 0x18) != 0) {
                                                                          																	goto L52;
                                                                          																} else {
                                                                          																	_t112 = 0x8007000d;
                                                                          																	_push(0x8007000d);
                                                                          																	_push(0x1a1);
                                                                          																	L55:
                                                                          																	_push("atomutil.cpp");
                                                                          																	_t161 = _t112;
                                                                          																	E000937D3(_t112);
                                                                          																}
                                                                          															}
                                                                          														}
                                                                          													}
                                                                          												}
                                                                          											}
                                                                          										} else {
                                                                          											_t151 = CompareStringW;
                                                                          											_v28 = _t161;
                                                                          											_v24 = _t110;
                                                                          											_v20 = _t110;
                                                                          											_a4 = _t110;
                                                                          											while(1) {
                                                                          												_t116 = CompareStringW(0x7f, _t110, _v8, 0xffffffff, L"generator", 0xffffffff);
                                                                          												__eflags = _t116 - 2;
                                                                          												if(_t116 != 2) {
                                                                          													goto L13;
                                                                          												}
                                                                          												_push(_v12);
                                                                          												_push(_t160);
                                                                          												L12:
                                                                          												_t128 = E000D67C4(_t158);
                                                                          												L39:
                                                                          												_t161 = _t128;
                                                                          												__eflags = _t161;
                                                                          												if(_t161 >= 0) {
                                                                          													L40:
                                                                          													__eflags = _v8;
                                                                          													if(_v8 != 0) {
                                                                          														__imp__#6(_v8);
                                                                          														_t68 =  &_v8;
                                                                          														 *_t68 = _v8 & 0x00000000;
                                                                          														__eflags =  *_t68;
                                                                          													}
                                                                          													_t158 = _v12;
                                                                          													__eflags = _t158;
                                                                          													if(_t158 != 0) {
                                                                          														 *((intOrPtr*)( *_t158 + 8))(_t158);
                                                                          														_t72 =  &_v12;
                                                                          														 *_t72 = _v12 & 0x00000000;
                                                                          														__eflags =  *_t72;
                                                                          													}
                                                                          													_t161 = E000D3760(_t158, _v16,  &_v12,  &_v8);
                                                                          													__eflags = _t161;
                                                                          													if(_t161 == 0) {
                                                                          														_t161 = _v28;
                                                                          														_t110 = 0;
                                                                          														__eflags = 0;
                                                                          														continue;
                                                                          													} else {
                                                                          														goto L45;
                                                                          													}
                                                                          												}
                                                                          												goto L56;
                                                                          												L13:
                                                                          												_t117 = CompareStringW(0x7f, 0, _v8, 0xffffffff, L"icon", 0xffffffff);
                                                                          												__eflags = _t117 - 2;
                                                                          												if(_t117 != 2) {
                                                                          													_t118 = CompareStringW(0x7f, 0, _v8, 0xffffffff, 0xf3c78, 0xffffffff);
                                                                          													__eflags = _t118 - 2;
                                                                          													if(_t118 != 2) {
                                                                          														_t119 = CompareStringW(0x7f, 0, _v8, 0xffffffff, L"logo", 0xffffffff);
                                                                          														__eflags = _t119 - 2;
                                                                          														if(_t119 != 2) {
                                                                          															_t120 = CompareStringW(0x7f, 0, _v8, 0xffffffff, L"subtitle", 0xffffffff);
                                                                          															__eflags = _t120 - 2;
                                                                          															if(_t120 != 2) {
                                                                          																_t121 = CompareStringW(0x7f, 0, _v8, 0xffffffff, L"title", 0xffffffff);
                                                                          																__eflags = _t121 - 2;
                                                                          																if(_t121 != 2) {
                                                                          																	_t122 = CompareStringW(0x7f, 0, _v8, 0xffffffff, L"updated", 0xffffffff);
                                                                          																	__eflags = _t122 - 2;
                                                                          																	if(_t122 != 2) {
                                                                          																		_t123 = CompareStringW(0x7f, 0, _v8, 0xffffffff, L"author", 0xffffffff);
                                                                          																		__eflags = _t123 - 2;
                                                                          																		if(_t123 != 2) {
                                                                          																			_t124 = CompareStringW(0x7f, 0, _v8, 0xffffffff, L"category", 0xffffffff);
                                                                          																			__eflags = _t124 - 2;
                                                                          																			if(_t124 != 2) {
                                                                          																				_t125 = CompareStringW(0x7f, 0, _v8, 0xffffffff, L"entry", 0xffffffff);
                                                                          																				__eflags = _t125 - 2;
                                                                          																				if(_t125 != 2) {
                                                                          																					__eflags = CompareStringW(0x7f, 0, _v8, 0xffffffff, L"link", 0xffffffff) - 2;
                                                                          																					if(__eflags != 0) {
                                                                          																						_t64 = _t160 + 0x44; // 0x44
                                                                          																						_t128 = E000D79CC(_t151, __eflags, _v12, _t64);
                                                                          																						goto L39;
                                                                          																					} else {
                                                                          																						_t161 = E000D76A1(_v12,  *((intOrPtr*)(_t160 + 0x3c)) + _t161);
                                                                          																						__eflags = _t161;
                                                                          																						if(_t161 >= 0) {
                                                                          																							_v28 = _v28 + 0x28;
                                                                          																							goto L40;
                                                                          																						}
                                                                          																					}
                                                                          																				} else {
                                                                          																					_t161 = E000D6FB7(_v12,  *((intOrPtr*)(_t160 + 0x34)) + _v24);
                                                                          																					__eflags = _t161;
                                                                          																					if(_t161 >= 0) {
                                                                          																						_v24 = _v24 + 0x40;
                                                                          																						goto L40;
                                                                          																					}
                                                                          																				}
                                                                          																			} else {
                                                                          																				_t161 = E000D6BF6(_v12,  *((intOrPtr*)(_t160 + 0x2c)) + _v20);
                                                                          																				__eflags = _t161;
                                                                          																				if(_t161 >= 0) {
                                                                          																					_v20 = _v20 + 0x10;
                                                                          																					goto L40;
                                                                          																				}
                                                                          																			}
                                                                          																		} else {
                                                                          																			_t161 = E000D6ACD(_v12,  *((intOrPtr*)(_t160 + 0x24)) + _a4);
                                                                          																			__eflags = _t161;
                                                                          																			if(_t161 >= 0) {
                                                                          																				_a4 = _a4 + 0xc;
                                                                          																				goto L40;
                                                                          																			}
                                                                          																		}
                                                                          																	} else {
                                                                          																		_t40 = _t160 + 0x18; // 0x18
                                                                          																		_t128 = E000D6754(_t158, _t40, _v12);
                                                                          																		goto L39;
                                                                          																	}
                                                                          																} else {
                                                                          																	_t37 = _t160 + 0x14; // 0x14
                                                                          																	_t147 = _t37;
                                                                          																	goto L15;
                                                                          																}
                                                                          															} else {
                                                                          																_t35 = _t160 + 0x10; // 0x10
                                                                          																_t147 = _t35;
                                                                          																goto L15;
                                                                          															}
                                                                          														} else {
                                                                          															_t33 = _t160 + 0xc; // 0xc
                                                                          															_t147 = _t33;
                                                                          															goto L15;
                                                                          														}
                                                                          													} else {
                                                                          														_t31 = _t160 + 8; // 0x8
                                                                          														_t147 = _t31;
                                                                          														goto L15;
                                                                          													}
                                                                          												} else {
                                                                          													_t28 = _t160 + 4; // 0x4
                                                                          													_t147 = _t28;
                                                                          													L15:
                                                                          													_push(_v12);
                                                                          													_push(_t147);
                                                                          													goto L12;
                                                                          												}
                                                                          												goto L56;
                                                                          											}
                                                                          										}
                                                                          									}
                                                                          								}
                                                                          							}
                                                                          						}
                                                                          					}
                                                                          					L56:
                                                                          					_pop(_t149);
                                                                          				} else {
                                                                          					_t161 = 0x8007000e;
                                                                          					E000937D3(_t89, "atomutil.cpp", 0x134, 0x8007000e);
                                                                          				}
                                                                          				if(_v8 != 0) {
                                                                          					__imp__#6(_v8);
                                                                          				}
                                                                          				_t153 = _v12;
                                                                          				if(_t153 != 0) {
                                                                          					 *((intOrPtr*)( *_t153 + 8))(_t153);
                                                                          				}
                                                                          				_t154 = _v16;
                                                                          				if(_t154 != 0) {
                                                                          					 *((intOrPtr*)( *_t154 + 8))(_t154);
                                                                          				}
                                                                          				if(_t160 != 0) {
                                                                          					E000D7B68(_t149, _t160, _t160);
                                                                          				}
                                                                          				return _t161;
                                                                          			}
































                                                                          0x000d7436
                                                                          0x000d7436
                                                                          0x000d7439
                                                                          0x00000000
                                                                          0x000d7439
                                                                          0x00000000
                                                                          0x000d7431
                                                                          0x000d73f8
                                                                          0x000d73d9
                                                                          0x000d73bf
                                                                          0x000d73ab
                                                                          0x000d738e
                                                                          0x000d7371
                                                                          0x000d7663
                                                                          0x000d7663
                                                                          0x000d7316
                                                                          0x000d7316
                                                                          0x000d7326
                                                                          0x000d7326
                                                                          0x000d7668
                                                                          0x000d766d
                                                                          0x000d766d
                                                                          0x000d7673
                                                                          0x000d7678
                                                                          0x000d767d
                                                                          0x000d767d
                                                                          0x000d7680
                                                                          0x000d7685
                                                                          0x000d768a
                                                                          0x000d768a
                                                                          0x000d768f
                                                                          0x000d7692
                                                                          0x000d7692
                                                                          0x000d769e

                                                                          APIs
                                                                            • Part of subcall function 000938D4: GetProcessHeap.KERNEL32(?,000001C7,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938E5
                                                                            • Part of subcall function 000938D4: RtlAllocateHeap.NTDLL(00000000,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938EC
                                                                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,generator,000000FF,?,?,?), ref: 000D7407
                                                                          • SysFreeString.OLEAUT32(00000000), ref: 000D75D0
                                                                          • SysFreeString.OLEAUT32(00000000), ref: 000D766D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: String$FreeHeap$AllocateCompareProcess
                                                                          • String ID: ($@$atomutil.cpp$author$category$entry$generator$icon$link$logo$subtitle$title$updated
                                                                          • API String ID: 1555028553-2592408802
                                                                          • Opcode ID: cd0ce9c93f902ccd17b66be0f889130526b12f6b4fdcdd07190526fa2ef754fb
                                                                          • Instruction ID: 57aa4c6945ed51824984a76b0259655133e815e314af911d647bb2d6ae2f96b1
                                                                          • Opcode Fuzzy Hash: cd0ce9c93f902ccd17b66be0f889130526b12f6b4fdcdd07190526fa2ef754fb
                                                                          • Instruction Fuzzy Hash: B7B18431948716BBCB219B58CC41FAE76B4AF04720F600356F629AA7D1E771EE40DBA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 66%
                                                                          			E0009A311(long _a4, intOrPtr _a8) {
                                                                          				int _v8;
                                                                          				char _v12;
                                                                          				int _v16;
                                                                          				int _v20;
                                                                          				int _v24;
                                                                          				intOrPtr _v32;
                                                                          				void _v48;
                                                                          				signed short _t79;
                                                                          				signed short _t85;
                                                                          				void* _t87;
                                                                          				void* _t89;
                                                                          				void* _t103;
                                                                          				long _t106;
                                                                          				signed short _t110;
                                                                          				void* _t114;
                                                                          				WCHAR* _t131;
                                                                          				signed int _t132;
                                                                          				long _t143;
                                                                          				void* _t145;
                                                                          				void* _t147;
                                                                          				void* _t148;
                                                                          				void* _t158;
                                                                          				void* _t159;
                                                                          
                                                                          				_t132 = 6;
                                                                          				memset( &_v48, 0, _t132 << 2);
                                                                          				_t159 = _t158 + 0xc;
                                                                          				_t143 = _a4;
                                                                          				_v12 = 0;
                                                                          				_v20 = 0;
                                                                          				_v16 = 0;
                                                                          				_t131 = 0;
                                                                          				_t72 =  ==  ? 1 : 0x101;
                                                                          				_v24 = 0;
                                                                          				_a4 =  ==  ? 1 : 0x101;
                                                                          				_v8 = 0;
                                                                          				if(E000971CF(_a8,  *((intOrPtr*)(_t143 + 0x1c)),  &_v12, 0) >= 0) {
                                                                          					if( *((intOrPtr*)(_t143 + 0x20)) == 0) {
                                                                          						L5:
                                                                          						_t145 = E000D0E3F( *((intOrPtr*)(_t143 + 0x18)), _v12, _a4,  &_v16);
                                                                          						if(_t145 != 0x80070002) {
                                                                          							if(_t145 >= 0) {
                                                                          								_t79 = RegQueryValueExW(_v16, _v20, 0,  &_v24, 0,  &_v8);
                                                                          								if(_t79 != 2) {
                                                                          									if(_t79 == 0) {
                                                                          										_t131 = E000938D4(_v8 + 2, 1);
                                                                          										if(_t131 != 0) {
                                                                          											_t85 = RegQueryValueExW(_v16, _v20, 0,  &_v24, _t131,  &_v8);
                                                                          											if(_t85 == 0) {
                                                                          												_t87 = _v24 - 1;
                                                                          												if(_t87 == 0) {
                                                                          													L38:
                                                                          													_t89 = E000B02F4( &_v48, _t131, 0);
                                                                          													goto L39;
                                                                          												} else {
                                                                          													_t103 = _t87 - 1;
                                                                          													if(_t103 == 0) {
                                                                          														if( *((intOrPtr*)(_t143 + 0x28)) == 0) {
                                                                          															goto L38;
                                                                          														} else {
                                                                          															_t147 = E00091EDE( &_v48, _v8);
                                                                          															if(_t147 >= 0) {
                                                                          																_v32 = 2;
                                                                          																_t106 = ExpandEnvironmentStringsW(_t131, _v48, _v8);
                                                                          																_a4 = _t106;
                                                                          																if(_t106 <= _v8) {
                                                                          																	goto L40;
                                                                          																} else {
                                                                          																	_t148 = E00091EDE( &_v48, _t106);
                                                                          																	if(_t148 < 0) {
                                                                          																		goto L33;
                                                                          																	} else {
                                                                          																		if(_a4 == ExpandEnvironmentStringsW(_t131, _v48, _a4)) {
                                                                          																			goto L40;
                                                                          																		} else {
                                                                          																			_t110 = GetLastError();
                                                                          																			_t151 =  <=  ? _t110 : _t110 & 0x0000ffff | 0x80070000;
                                                                          																			_t148 =  >=  ? 0x80004005 :  <=  ? _t110 : _t110 & 0x0000ffff | 0x80070000;
                                                                          																			E000937D3(0x80004005, "search.cpp", 0x396, _t148);
                                                                          																			_push("Failed to get expand environment string.");
                                                                          																			goto L46;
                                                                          																		}
                                                                          																	}
                                                                          																}
                                                                          															} else {
                                                                          																L33:
                                                                          																_push("Failed to allocate string buffer.");
                                                                          																goto L46;
                                                                          															}
                                                                          														}
                                                                          													} else {
                                                                          														_t114 = _t103;
                                                                          														if(_t114 == 0) {
                                                                          															if(_v8 != 4) {
                                                                          																goto L26;
                                                                          															} else {
                                                                          																asm("cdq");
                                                                          																_push(0);
                                                                          																_push( *_t131);
                                                                          																goto L28;
                                                                          															}
                                                                          														} else {
                                                                          															if(_t114 == 7) {
                                                                          																if(_v8 == 8) {
                                                                          																	_push(_t131[2]);
                                                                          																	_push( *_t131);
                                                                          																	L28:
                                                                          																	_push( &_v48);
                                                                          																	_t89 = E000B02B0();
                                                                          																	L39:
                                                                          																	_t147 = _t89;
                                                                          																	L40:
                                                                          																	if(_t147 >= 0) {
                                                                          																		_t148 = E000AFEB7(0,  &_v48,  *((intOrPtr*)(_t143 + 0x14)));
                                                                          																		if(_t148 >= 0) {
                                                                          																			_t148 = E00098137(_a8,  *((intOrPtr*)(_t143 + 4)),  &_v48);
                                                                          																			if(_t148 < 0) {
                                                                          																				_push("Failed to set variable.");
                                                                          																				goto L46;
                                                                          																			}
                                                                          																		} else {
                                                                          																			_push("Failed to change value type.");
                                                                          																			goto L46;
                                                                          																		}
                                                                          																	} else {
                                                                          																		_push("Failed to read registry value.");
                                                                          																		goto L46;
                                                                          																	}
                                                                          																} else {
                                                                          																	L26:
                                                                          																	_t148 = 0x8000ffff;
                                                                          																	goto L47;
                                                                          																}
                                                                          															} else {
                                                                          																_t148 = 0x80004001;
                                                                          																E000D012F(0x80004001, "Unsupported registry key value type. Type = \'%u\'", _v24);
                                                                          																_t159 = _t159 + 0xc;
                                                                          																goto L47;
                                                                          															}
                                                                          														}
                                                                          													}
                                                                          												}
                                                                          											} else {
                                                                          												_t154 =  <=  ? _t85 : _t85 & 0x0000ffff | 0x80070000;
                                                                          												_t148 =  >=  ? 0x80004005 :  <=  ? _t85 : _t85 & 0x0000ffff | 0x80070000;
                                                                          												E000937D3(0x80004005, "search.cpp", 0x375, _t148);
                                                                          												_push("Failed to query registry key value.");
                                                                          												goto L46;
                                                                          											}
                                                                          										} else {
                                                                          											_t148 = 0x8007000e;
                                                                          											E000937D3(_t82, "search.cpp", 0x372, 0x8007000e);
                                                                          											_push("Failed to allocate memory registry value.");
                                                                          											_push(0x8007000e);
                                                                          											E000D012F();
                                                                          											goto L47;
                                                                          										}
                                                                          									} else {
                                                                          										_t157 =  <=  ? _t79 : _t79 & 0x0000ffff | 0x80070000;
                                                                          										_t148 =  >=  ? 0x80004005 :  <=  ? _t79 : _t79 & 0x0000ffff | 0x80070000;
                                                                          										E000937D3(0x80004005, "search.cpp", 0x36f, _t148);
                                                                          										_push("Failed to query registry key value size.");
                                                                          										goto L46;
                                                                          									}
                                                                          								} else {
                                                                          									_push(_v20);
                                                                          									E000D061A(_t79, "Registry value not found. Key = \'%ls\', Value = \'%ls\'", _v12);
                                                                          									_t159 = _t159 + 0x10;
                                                                          									goto L7;
                                                                          								}
                                                                          							} else {
                                                                          								_push("Failed to open registry key.");
                                                                          								goto L46;
                                                                          							}
                                                                          						} else {
                                                                          							E000D061A(2, "Registry key not found. Key = \'%ls\'", _v12);
                                                                          							_t159 = _t159 + 0xc;
                                                                          							L7:
                                                                          							_t148 = E00098137(_a8,  *((intOrPtr*)(_t143 + 4)),  &_v48);
                                                                          							if(_t148 >= 0) {
                                                                          								_t148 = 0;
                                                                          							} else {
                                                                          								_push("Failed to clear variable.");
                                                                          								goto L46;
                                                                          							}
                                                                          						}
                                                                          					} else {
                                                                          						_t148 = E000971CF(_a8,  *((intOrPtr*)(_t143 + 0x20)),  &_v20, 0);
                                                                          						if(_t148 >= 0) {
                                                                          							goto L5;
                                                                          						} else {
                                                                          							_push("Failed to format value string.");
                                                                          							goto L46;
                                                                          						}
                                                                          					}
                                                                          				} else {
                                                                          					_push("Failed to format key string.");
                                                                          					L46:
                                                                          					_push(_t148);
                                                                          					E000D012F();
                                                                          					if(_t148 < 0) {
                                                                          						L47:
                                                                          						_push(_t148);
                                                                          						E000D061A(2, "RegistrySearchValue failed: ID \'%ls\', HRESULT 0x%x", _v12);
                                                                          					}
                                                                          				}
                                                                          				E00092793(_v12);
                                                                          				E00092793(_v20);
                                                                          				if(_v16 != 0) {
                                                                          					RegCloseKey(_v16);
                                                                          					_v16 = _v16 & 0x00000000;
                                                                          				}
                                                                          				if(_t131 != 0) {
                                                                          					E00093999(_t131);
                                                                          				}
                                                                          				E000B0499( &_v48);
                                                                          				return _t148;
                                                                          			}


























                                                                          APIs
                                                                          • _MREFOpen@16.MSPDB140-MSVCRT ref: 0009A356
                                                                          • _MREFOpen@16.MSPDB140-MSVCRT ref: 0009A37C
                                                                          • RegCloseKey.ADVAPI32(00000000,?,00000000,?,?,?,?,?), ref: 0009A666
                                                                          Strings
                                                                          • Registry key not found. Key = '%ls', xrefs: 0009A3B0
                                                                          • Failed to query registry key value., xrefs: 0009A4D8
                                                                          • search.cpp, xrefs: 0009A44A, 0009A47D, 0009A4CE, 0009A5D1
                                                                          • Unsupported registry key value type. Type = '%u', xrefs: 0009A506
                                                                          • Failed to format key string., xrefs: 0009A361
                                                                          • Failed to set variable., xrefs: 0009A629
                                                                          • Failed to format value string., xrefs: 0009A387
                                                                          • Registry value not found. Key = '%ls', Value = '%ls', xrefs: 0009A418
                                                                          • Failed to change value type., xrefs: 0009A60D
                                                                          • Failed to allocate string buffer., xrefs: 0009A565
                                                                          • RegistrySearchValue failed: ID '%ls', HRESULT 0x%x, xrefs: 0009A63E
                                                                          • Failed to query registry key value size., xrefs: 0009A454
                                                                          • @Mt, xrefs: 0009A5AD
                                                                          • Failed to open registry key., xrefs: 0009A3E9
                                                                          • Failed to read registry value., xrefs: 0009A5F4
                                                                          • Failed to get expand environment string., xrefs: 0009A5DB
                                                                          • Failed to allocate memory registry value., xrefs: 0009A487
                                                                          • Failed to clear variable., xrefs: 0009A3D4
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp Download File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: Open@16$Close
                                                                          • String ID: @Mt$Failed to allocate memory registry value.$Failed to allocate string buffer.$Failed to change value type.$Failed to clear variable.$Failed to format key string.$Failed to format value string.$Failed to get expand environment string.$Failed to open registry key.$Failed to query registry key value size.$Failed to query registry key value.$Failed to read registry value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchValue failed: ID '%ls', HRESULT 0x%x$Unsupported registry key value type. Type = '%u'$search.cpp
                                                                          • API String ID: 2348241696-2701756978
                                                                          • Opcode ID: ff80a6fd1307eb688a89a1c50adafb6f2d9d03f77fa060e39eacdc953c5e8047
                                                                          • Instruction ID: 1e1ab522a591742cfd3dbfbe4bc1efc8dc007df5732a0824e34555fe23b1db63
                                                                          • Opcode Fuzzy Hash: ff80a6fd1307eb688a89a1c50adafb6f2d9d03f77fa060e39eacdc953c5e8047
                                                                          • Instruction Fuzzy Hash: 7EA1DB72F40715FBDF21AAA4CC45BEE7AA9AF05310F158122FD14BA251D771DE00A7E2
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 56%
                                                                          			E000BD22C(void* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, DWORD* _a20) {
                                                                          				signed int _v8;
                                                                          				char _v88;
                                                                          				char _v104;
                                                                          				char _v108;
                                                                          				char _v112;
                                                                          				char _v116;
                                                                          				struct _SECURITY_ATTRIBUTES* _v120;
                                                                          				signed short _v124;
                                                                          				intOrPtr _v128;
                                                                          				intOrPtr _v132;
                                                                          				struct _PROCESS_INFORMATION _v148;
                                                                          				intOrPtr _v152;
                                                                          				WCHAR* _v156;
                                                                          				DWORD* _v160;
                                                                          				intOrPtr _v164;
                                                                          				void* _v168;
                                                                          				signed int _v172;
                                                                          				signed short _v176;
                                                                          				signed int _v180;
                                                                          				char _v184;
                                                                          				struct _STARTUPINFOW _v252;
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				void* __ebp;
                                                                          				signed int _t73;
                                                                          				signed int _t84;
                                                                          				signed short _t86;
                                                                          				signed short _t89;
                                                                          				signed short _t100;
                                                                          				signed short _t104;
                                                                          				signed short _t105;
                                                                          				long _t119;
                                                                          				signed short _t123;
                                                                          				signed short _t124;
                                                                          				signed short _t127;
                                                                          				void* _t134;
                                                                          				DWORD* _t139;
                                                                          				signed short _t140;
                                                                          				void* _t143;
                                                                          				void* _t147;
                                                                          				signed short _t156;
                                                                          				signed short _t159;
                                                                          				signed short _t162;
                                                                          				signed int _t163;
                                                                          
                                                                          				_t143 = __edx;
                                                                          				_t73 =  *0xfa008; // 0x90c8e23b
                                                                          				_v8 = _t73 ^ _t163;
                                                                          				_v156 = _a4;
                                                                          				_v152 = _a8;
                                                                          				_v132 = _a12;
                                                                          				_v128 = _a16;
                                                                          				_v160 = _a20;
                                                                          				asm("stosd");
                                                                          				_t133 = 0;
                                                                          				_v116 = 0;
                                                                          				asm("stosd");
                                                                          				_v112 = 0;
                                                                          				_v120 = 0;
                                                                          				_v108 = 0;
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				E000BF670( &_v104,  &_v252, 0, 0x44);
                                                                          				_v124 = 0;
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				_t84 =  &_v104;
                                                                          				__imp__UuidCreate(_t84);
                                                                          				if((_t84 | 0x00000001) >= 0) {
                                                                          					_t86 =  &_v104;
                                                                          					__imp__StringFromGUID2(_t86,  &_v88, 0x27);
                                                                          					__eflags = _t86;
                                                                          					if(_t86 != 0) {
                                                                          						_t89 = E00091F20( &_v112, L"NetFxSection.%ls",  &_v88);
                                                                          						__eflags = _t89;
                                                                          						if(_t89 >= 0) {
                                                                          							__eflags = E00091F20( &_v116, L"NetFxEvent.%ls",  &_v88);
                                                                          							if(__eflags >= 0) {
                                                                          								_t153 = E000BCC24(0, _t134, __eflags, _v112, _v116,  &_v108);
                                                                          								__eflags = _t153;
                                                                          								if(_t153 >= 0) {
                                                                          									_push(_v112);
                                                                          									_t153 = E00091F62( &_v120, L"%ls /pipe %ls", _v152);
                                                                          									__eflags = _t153;
                                                                          									if(_t153 >= 0) {
                                                                          										_t146 = _v156;
                                                                          										_v252.cb = 0x44;
                                                                          										_t100 = CreateProcessW(_v156, _v120, 0, 0, 0, 0x8000000, 0, 0,  &_v252,  &_v148);
                                                                          										__eflags = _t100;
                                                                          										if(_t100 != 0) {
                                                                          											_t133 = _v108;
                                                                          											_t146 = WaitForMultipleObjects;
                                                                          											_v168 = _v148.hProcess;
                                                                          											_v164 =  *((intOrPtr*)(_v108 + 4));
                                                                          											while(1) {
                                                                          												_t104 = WaitForMultipleObjects(2,  &_v168, 0, 0x64);
                                                                          												__eflags = _t104;
                                                                          												if(_t104 == 0) {
                                                                          													break;
                                                                          												}
                                                                          												__eflags = _t104 - 1;
                                                                          												if(_t104 != 1) {
                                                                          													__eflags = _t104 - 0xffffffff;
                                                                          													if(_t104 == 0xffffffff) {
                                                                          														_t105 = GetLastError();
                                                                          														__eflags = _t105;
                                                                          														_t156 =  <=  ? _t105 : _t105 & 0x0000ffff | 0x80070000;
                                                                          														__eflags = _t156;
                                                                          														_t153 =  >=  ? 0x80004005 : _t156;
                                                                          														E000937D3(0x80004005, "NetFxChainer.cpp", 0x19e, _t153);
                                                                          														_push("Failed to wait for netfx chainer process to complete");
                                                                          														L2:
                                                                          														_push(_t153);
                                                                          														E000D012F();
                                                                          														L29:
                                                                          														if(_v112 != 0) {
                                                                          															E000D54EF(_v112);
                                                                          														}
                                                                          														if(_v116 != 0) {
                                                                          															E000D54EF(_v116);
                                                                          														}
                                                                          														E00092793(_v120);
                                                                          														E000BCEF5(_t133, _t146, _t133);
                                                                          														_t147 = CloseHandle;
                                                                          														if(_v148.hThread != 0) {
                                                                          															CloseHandle(_v148.hThread);
                                                                          															_v148.hThread = _v148.hThread & 0x00000000;
                                                                          														}
                                                                          														if(_v148.hProcess != 0) {
                                                                          															CloseHandle(_v148.hProcess);
                                                                          														}
                                                                          														return E000BDE36(_t133, _v8 ^ _t163, _t143, _t147, _t153);
                                                                          													}
                                                                          													continue;
                                                                          												}
                                                                          												_t153 = E000BD12C(_t133, _v132, _v128);
                                                                          												__eflags = _t153;
                                                                          												if(_t153 >= 0) {
                                                                          													continue;
                                                                          												}
                                                                          												_push("Failed to process netfx chainer message.");
                                                                          												goto L2;
                                                                          											}
                                                                          											_t119 = E000BCFFC(_t133,  &_v124);
                                                                          											_t139 = _v160;
                                                                          											 *_t139 = _t119;
                                                                          											__eflags = _t119 - 0x8000000a;
                                                                          											if(_t119 != 0x8000000a) {
                                                                          												_t140 = _v124;
                                                                          												__eflags = _t140;
                                                                          												if(_t140 < 0) {
                                                                          													_t146 =  &_v184;
                                                                          													asm("stosd");
                                                                          													asm("stosd");
                                                                          													asm("stosd");
                                                                          													asm("stosd");
                                                                          													_v180 = _v180 & 0x00000000;
                                                                          													_t56 =  &_v172;
                                                                          													 *_t56 = _v172 & 0x00000000;
                                                                          													__eflags =  *_t56;
                                                                          													_v184 = 1;
                                                                          													_v176 = _t140;
                                                                          													_v132( &_v184, _v128);
                                                                          												}
                                                                          												goto L29;
                                                                          											}
                                                                          											_t123 = GetExitCodeProcess(_v148, _t139);
                                                                          											__eflags = _t123;
                                                                          											if(_t123 != 0) {
                                                                          												goto L29;
                                                                          											}
                                                                          											_t124 = GetLastError();
                                                                          											__eflags = _t124;
                                                                          											_t159 =  <=  ? _t124 : _t124 & 0x0000ffff | 0x80070000;
                                                                          											__eflags = _t159;
                                                                          											_t153 =  >=  ? 0x80004005 : _t159;
                                                                          											E000937D3(0x80004005, "NetFxChainer.cpp", 0x18a, _t153);
                                                                          											_push("Failed to get netfx return code.");
                                                                          											goto L2;
                                                                          										}
                                                                          										_t127 = GetLastError();
                                                                          										__eflags = _t127;
                                                                          										_t162 =  <=  ? _t127 : _t127 & 0x0000ffff | 0x80070000;
                                                                          										__eflags = _t162;
                                                                          										_t153 =  >=  ? 0x80004005 : _t162;
                                                                          										E000937D3(0x80004005, "NetFxChainer.cpp", 0x17a,  >=  ? 0x80004005 : _t162);
                                                                          										E000D012F( >=  ? 0x80004005 : _t162, "Failed to CreateProcess on path: %ls", _t146);
                                                                          										L12:
                                                                          										_t133 = _v108;
                                                                          										goto L29;
                                                                          									}
                                                                          									_push("Failed to allocate netfx chainer arguments.");
                                                                          									L11:
                                                                          									_push(_t153);
                                                                          									E000D012F();
                                                                          									goto L12;
                                                                          								}
                                                                          								_push("Failed to create netfx chainer.");
                                                                          								goto L11;
                                                                          							}
                                                                          							_push("Failed to allocate event name.");
                                                                          							goto L2;
                                                                          						}
                                                                          						_push("Failed to allocate section name.");
                                                                          						goto L2;
                                                                          					}
                                                                          					_t153 = 0x8007000e;
                                                                          					E000937D3(_t86, "NetFxChainer.cpp", 0x168, 0x8007000e);
                                                                          					_push("Failed to convert netfx chainer guid into string.");
                                                                          					goto L2;
                                                                          				}
                                                                          				_push("Failed to create netfx chainer guid.");
                                                                          				goto L2;
                                                                          			}

                                                                          APIs
                                                                          • UuidCreate.RPCRT4(?), ref: 000BD2A7
                                                                          • StringFromGUID2.OLE32(?,?,00000027), ref: 000BD2D0
                                                                          • CreateProcessW.KERNEL32 ref: 000BD3BC
                                                                          • GetLastError.KERNEL32(?,?,?,?), ref: 000BD3C6
                                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00000064,?,?,?,?), ref: 000BD45B
                                                                          • GetExitCodeProcess.KERNEL32 ref: 000BD485
                                                                          • GetLastError.KERNEL32(?,?,?,?), ref: 000BD493
                                                                          • GetLastError.KERNEL32(?,?,?,?), ref: 000BD4CB
                                                                            • Part of subcall function 000BD12C: WaitForSingleObject.KERNEL32(?,000000FF,74E5F730,00000000,?,?,?,?,000BD439,?), ref: 000BD145
                                                                            • Part of subcall function 000BD12C: ReleaseMutex.KERNEL32(?,?,?,?,000BD439,?), ref: 000BD161
                                                                            • Part of subcall function 000BD12C: WaitForSingleObject.KERNEL32(?,000000FF), ref: 000BD1A4
                                                                            • Part of subcall function 000BD12C: ReleaseMutex.KERNEL32(?), ref: 000BD1BB
                                                                            • Part of subcall function 000BD12C: SetEvent.KERNEL32(?), ref: 000BD1C4
                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 000BD580
                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 000BD598
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLastWait$CloseCreateHandleMutexObjectProcessReleaseSingle$CodeEventExitFromMultipleObjectsStringUuid
                                                                          • String ID: %ls /pipe %ls$@Mt$D$Failed to CreateProcess on path: %ls$Failed to allocate event name.$Failed to allocate netfx chainer arguments.$Failed to allocate section name.$Failed to convert netfx chainer guid into string.$Failed to create netfx chainer guid.$Failed to create netfx chainer.$Failed to get netfx return code.$Failed to process netfx chainer message.$Failed to wait for netfx chainer process to complete$NetFxChainer.cpp$NetFxEvent.%ls$NetFxSection.%ls
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 63%
                                                                          			E0009567D(struct _CRITICAL_SECTION* _a4, WCHAR* _a8, intOrPtr _a12, intOrPtr* _a16, intOrPtr _a20) {
                                                                          				signed int _v8;
                                                                          				char _v12;
                                                                          				char _v16;
                                                                          				char _v20;
                                                                          				signed int _v24;
                                                                          				signed int _v28;
                                                                          				signed int _v32;
                                                                          				char _v36;
                                                                          				intOrPtr _v40;
                                                                          				intOrPtr _t138;
                                                                          				WCHAR* _t141;
                                                                          				intOrPtr _t143;
                                                                          				WCHAR* _t144;
                                                                          				signed short _t156;
                                                                          				signed short _t162;
                                                                          				intOrPtr _t168;
                                                                          				signed short _t169;
                                                                          				WCHAR* _t190;
                                                                          				intOrPtr _t199;
                                                                          				signed int _t215;
                                                                          				void* _t216;
                                                                          				char _t219;
                                                                          				void* _t221;
                                                                          				char _t227;
                                                                          				intOrPtr* _t228;
                                                                          				signed int _t229;
                                                                          				intOrPtr* _t237;
                                                                          				WCHAR* _t238;
                                                                          				signed int _t239;
                                                                          				WCHAR* _t240;
                                                                          				signed int _t241;
                                                                          				signed int _t242;
                                                                          				WCHAR* _t243;
                                                                          				intOrPtr _t244;
                                                                          				WCHAR* _t248;
                                                                          				WCHAR* _t249;
                                                                          				intOrPtr _t250;
                                                                          				void* _t265;
                                                                          
                                                                          				_t215 = 0;
                                                                          				_v16 = 0;
                                                                          				_v12 = 0;
                                                                          				_v24 = 0;
                                                                          				_v8 = 0;
                                                                          				_v20 = 0;
                                                                          				_v36 = 0;
                                                                          				_v32 = 0;
                                                                          				EnterCriticalSection(_a4);
                                                                          				_t238 = _a8;
                                                                          				_t248 = E00091EDE( &_v16, lstrlenW(_t238) + 1);
                                                                          				_a8 = _t248;
                                                                          				if(_t248 >= 0) {
                                                                          					while(1) {
                                                                          						_push(0x5b);
                                                                          						_t216 = E000BF7CA(_t219);
                                                                          						_t221 = _t238;
                                                                          						if(_t216 == 0) {
                                                                          							break;
                                                                          						}
                                                                          						_t12 = _t216 + 2; // 0x2
                                                                          						_push(0x5d);
                                                                          						_t138 = E000BF7CA(_t221);
                                                                          						_v40 = _t138;
                                                                          						if(_t138 == 0) {
                                                                          							break;
                                                                          						}
                                                                          						_t219 = (_t138 - _t216 >> 1) - 1;
                                                                          						_v20 = _t219;
                                                                          						if(_t219 != 0) {
                                                                          							if(_t216 <= _t238) {
                                                                          								L12:
                                                                          								_t26 = _t216 + 2; // 0x2
                                                                          								_v28 = 0 | _a20 == 0x00000000;
                                                                          								_t249 = E00098281(_a20 == 0,  &_v12, _t26, _t219);
                                                                          								_a8 = _t249;
                                                                          								if(_t249 < 0) {
                                                                          									_push("Failed to get variable name.");
                                                                          									L7:
                                                                          									_push(_t249);
                                                                          									L8:
                                                                          									E000D012F();
                                                                          									L66:
                                                                          									_t215 = _v8;
                                                                          									goto L67;
                                                                          								}
                                                                          								_t219 = _v24;
                                                                          								_push(1);
                                                                          								_push(4 + _v8 * 4);
                                                                          								if(_t219 == 0) {
                                                                          									_t244 = E000938D4();
                                                                          									_v24 = _t244;
                                                                          									if(_t244 == 0) {
                                                                          										_t243 = 0x8007000e;
                                                                          										_t249 = 0x8007000e;
                                                                          										_a8 = 0x8007000e;
                                                                          										E000937D3(_t180, "variable.cpp", 0x4b6, 0x8007000e);
                                                                          										_push("Failed to allocate variable array.");
                                                                          										L37:
                                                                          										_push(_t243);
                                                                          										goto L8;
                                                                          									}
                                                                          									L17:
                                                                          									if(_v20 < 2) {
                                                                          										L20:
                                                                          										if(_a20 == 0) {
                                                                          											L22:
                                                                          											_t215 = _v8;
                                                                          											if(_v36 == 0) {
                                                                          												_t245 = _t244 + _t215 * 4;
                                                                          												_t249 = E00097203(_t219, _a4, _v12, _t244 + _t215 * 4);
                                                                          												_a8 = _t249;
                                                                          												if(_t249 != 0x80070490) {
                                                                          													L27:
                                                                          													_t246 = _v28;
                                                                          													L28:
                                                                          													if(_t249 < 0) {
                                                                          														_push("Failed to set variable value.");
                                                                          														goto L2;
                                                                          													}
                                                                          													_t215 = _t215 + 1;
                                                                          													_v8 = _t215;
                                                                          													_t249 = E00098260(_t246,  &_v12, L"[%d]", _t215);
                                                                          													_t265 = _t265 + 0x10;
                                                                          													_a8 = _t249;
                                                                          													if(_t249 < 0) {
                                                                          														_push("Failed to format placeholder string.");
                                                                          														goto L2;
                                                                          													}
                                                                          													_t249 = E0009823E(_t246,  &_v16, _v12, 0);
                                                                          													_a8 = _t249;
                                                                          													if(_t249 < 0) {
                                                                          														_push("Failed to append placeholder.");
                                                                          														goto L2;
                                                                          													}
                                                                          													L31:
                                                                          													_t238 = _v40 + 2;
                                                                          													continue;
                                                                          												}
                                                                          												_t190 = E000922F9(_t245, 0xdb524, 0);
                                                                          												L26:
                                                                          												_t249 = _t190;
                                                                          												_a8 = _t249;
                                                                          												goto L27;
                                                                          											}
                                                                          											_t190 = E000921A5(_t244 + _t215 * 4, L"*****", 0);
                                                                          											goto L26;
                                                                          										}
                                                                          										_t249 = E00097E13(_t219, _a4, _v12,  &_v36);
                                                                          										_a8 = _t249;
                                                                          										if(_t249 < 0) {
                                                                          											E000D012F(_t249, "Failed to determine variable visibility: \'%ls\'.", _v12);
                                                                          											goto L66;
                                                                          										}
                                                                          										goto L22;
                                                                          									}
                                                                          									_t219 = 0x5c;
                                                                          									if(_t219 !=  *((intOrPtr*)(_t216 + 2))) {
                                                                          										goto L20;
                                                                          									}
                                                                          									_t41 = _t216 + 4; // 0x4
                                                                          									_t215 = _v8;
                                                                          									_t246 = _v28;
                                                                          									_t249 = E00098281(_v28, _t244 + _t215 * 4, _t41, 1);
                                                                          									_a8 = _t249;
                                                                          									goto L28;
                                                                          								}
                                                                          								_push(_t219);
                                                                          								_t199 = E00093A72();
                                                                          								if(_t199 == 0) {
                                                                          									_t243 = 0x8007000e;
                                                                          									_t249 = 0x8007000e;
                                                                          									_a8 = 0x8007000e;
                                                                          									E000937D3(_t199, "variable.cpp", 0x4b0, 0x8007000e);
                                                                          									_push("Failed to reallocate variable array.");
                                                                          									goto L37;
                                                                          								}
                                                                          								_t244 = _t199;
                                                                          								_v24 = _t244;
                                                                          								goto L17;
                                                                          							}
                                                                          							_t249 = E0009823E(0 | _a20 == 0x00000000,  &_v16, _t238, _t216 - _t238 >> 1);
                                                                          							_a8 = _t249;
                                                                          							if(_t249 < 0) {
                                                                          								L6:
                                                                          								_push("Failed to append string.");
                                                                          								goto L7;
                                                                          							} else {
                                                                          								_t219 = _v20;
                                                                          								goto L12;
                                                                          							}
                                                                          						}
                                                                          						_t249 = E0009823E(0 | _a20 == 0x00000000,  &_v16, _t238, (_t138 - _t238 >> 1) + 1);
                                                                          						_a8 = _t249;
                                                                          						if(_t249 >= 0) {
                                                                          							goto L31;
                                                                          						}
                                                                          						goto L6;
                                                                          					}
                                                                          					_t218 = 0 | _a20 == 0x00000000;
                                                                          					_t141 = E0009823E(_a20 == 0,  &_v16, _t238, 0);
                                                                          					_t249 = _t141;
                                                                          					_a8 = _t249;
                                                                          					if(_t249 < 0) {
                                                                          						goto L6;
                                                                          					}
                                                                          					_push(_v8);
                                                                          					L000CF3D0();
                                                                          					_t240 = _t141;
                                                                          					_v32 = _t240;
                                                                          					if(_t240 != 0) {
                                                                          						_push(_v16);
                                                                          						_push(0);
                                                                          						_push(_t240);
                                                                          						L000CF3E0();
                                                                          						if(0 == 0) {
                                                                          							_t227 = 0;
                                                                          							_t241 = 0;
                                                                          							if(_v8 <= 0) {
                                                                          								L53:
                                                                          								_t242 = _v32;
                                                                          								_t156 =  &_v20;
                                                                          								_push(_t156);
                                                                          								_push(0xdb524);
                                                                          								_push(_t242);
                                                                          								_push(_t227);
                                                                          								_v20 = _t227;
                                                                          								L000CF3F0();
                                                                          								if(_t156 == 0xea || _t156 == 0) {
                                                                          									if(_a12 == 0) {
                                                                          										L64:
                                                                          										_t228 = _a16;
                                                                          										if(_t228 != 0) {
                                                                          											 *_t228 = _v20;
                                                                          										}
                                                                          										goto L66;
                                                                          									}
                                                                          									_v20 = _v20 + 1;
                                                                          									_t249 = E0009821F(_t218,  &_v12, _v20 + 1);
                                                                          									_a8 = _t249;
                                                                          									if(_t249 >= 0) {
                                                                          										_t162 =  &_v20;
                                                                          										_push(_t162);
                                                                          										_push(_v12);
                                                                          										_push(_t242);
                                                                          										_push(0);
                                                                          										L000CF3F0();
                                                                          										if(_t162 == 0) {
                                                                          											_t249 = E00098281(_t218, _a12, _v12, 0);
                                                                          											_a8 = _t249;
                                                                          											if(_t249 >= 0) {
                                                                          												goto L64;
                                                                          											}
                                                                          											_push("Failed to copy string.");
                                                                          											goto L7;
                                                                          										}
                                                                          										_t254 =  <=  ? _t162 : _t162 & 0x0000ffff | 0x80070000;
                                                                          										_t249 =  >=  ? 0x80004005 :  <=  ? _t162 : _t162 & 0x0000ffff | 0x80070000;
                                                                          										_a8 = _t249;
                                                                          										E000937D3(0x80004005, "variable.cpp", 0x508, _t249);
                                                                          										_push("Failed to format record.");
                                                                          										goto L7;
                                                                          									}
                                                                          									_push("Failed to allocate string.");
                                                                          								} else {
                                                                          									_t257 =  <=  ? _t156 : _t156 & 0x0000ffff | 0x80070000;
                                                                          									_t249 =  >=  ? 0x80004005 :  <=  ? _t156 : _t156 & 0x0000ffff | 0x80070000;
                                                                          									_a8 = _t249;
                                                                          									E000937D3(0x80004005, "variable.cpp", 0x4fe, _t249);
                                                                          									_push("Failed to get formatted length.");
                                                                          								}
                                                                          								goto L7;
                                                                          							}
                                                                          							_t168 = _v24;
                                                                          							_t229 = _v8;
                                                                          							do {
                                                                          								_t237 =  *((intOrPtr*)(_t168 + _t241 * 4));
                                                                          								_t249 = _a8;
                                                                          								if( *_t237 == 0) {
                                                                          									goto L51;
                                                                          								}
                                                                          								_push(_t237);
                                                                          								_t89 = _t241 + 1; // 0x1
                                                                          								_t169 = _t89;
                                                                          								_push(_t169);
                                                                          								_push(_v32);
                                                                          								L000CF3E0();
                                                                          								if(_t169 != 0) {
                                                                          									_t261 =  <=  ? _t169 : _t169 & 0x0000ffff | 0x80070000;
                                                                          									_t249 =  >=  ? 0x80004005 :  <=  ? _t169 : _t169 & 0x0000ffff | 0x80070000;
                                                                          									_a8 = _t249;
                                                                          									E000937D3(0x80004005, "variable.cpp", 0x4f2, _t249);
                                                                          									_push("Failed to set record string.");
                                                                          									goto L7;
                                                                          								}
                                                                          								_t168 = _v24;
                                                                          								_t229 = _v8;
                                                                          								L51:
                                                                          								_t241 = _t241 + 1;
                                                                          							} while (_t241 < _t229);
                                                                          							_t227 = 0;
                                                                          							goto L53;
                                                                          						}
                                                                          						_t264 =  <=  ? 0 : 0xffffffff80070000;
                                                                          						_t249 =  >=  ? 0x80004005 :  <=  ? 0 : 0xffffffff80070000;
                                                                          						_a8 = _t249;
                                                                          						E000937D3(0x80004005, "variable.cpp", 0x4ea, _t249);
                                                                          						_push("Failed to set record format string.");
                                                                          						goto L7;
                                                                          					}
                                                                          					_t243 = 0x8007000e;
                                                                          					_t249 = 0x8007000e;
                                                                          					_a8 = 0x8007000e;
                                                                          					E000937D3(_t141, "variable.cpp", 0x4e6, 0x8007000e);
                                                                          					_push("Failed to allocate record.");
                                                                          					goto L37;
                                                                          				} else {
                                                                          					_push("Failed to allocate buffer for format string.");
                                                                          					L2:
                                                                          					_push(_t249);
                                                                          					E000D012F();
                                                                          					L67:
                                                                          					LeaveCriticalSection(_a4);
                                                                          					_t143 = _v24;
                                                                          					if(_t143 == 0) {
                                                                          						L77:
                                                                          						_t144 = _v32;
                                                                          						if(_t144 != 0) {
                                                                          							_push(_t144);
                                                                          							L000CF3C0();
                                                                          						}
                                                                          						if(_a20 == 0) {
                                                                          							E00092793(0);
                                                                          							E00092793(_v16);
                                                                          							E00092793(_v12);
                                                                          						} else {
                                                                          							if(_v16 != 0) {
                                                                          								E000D54EF(_v16);
                                                                          							}
                                                                          							if(_v12 != 0) {
                                                                          								E000D54EF(_v12);
                                                                          							}
                                                                          						}
                                                                          						return _t249;
                                                                          					}
                                                                          					_t239 = 0;
                                                                          					if(_t215 == 0) {
                                                                          						L76:
                                                                          						E00093999(_t143);
                                                                          						goto L77;
                                                                          					}
                                                                          					_t250 = _t143;
                                                                          					do {
                                                                          						if(_a20 == 0) {
                                                                          							E00092793( *((intOrPtr*)(_t250 + _t239 * 4)));
                                                                          						} else {
                                                                          							if( *((intOrPtr*)(_t250 + _t239 * 4)) != 0) {
                                                                          								E000D54EF( *((intOrPtr*)(_t250 + _t239 * 4)));
                                                                          							}
                                                                          						}
                                                                          						_t239 = _t239 + 1;
                                                                          					} while (_t239 < _t215);
                                                                          					_t249 = _a8;
                                                                          					_t143 = _v24;
                                                                          					goto L76;
                                                                          				}
                                                                          			}

                                                                          APIs
                                                                          • EnterCriticalSection.KERNEL32(000002C0,00000100,00000100,00000000,00000000,?,000999BB,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,00000100), ref: 000956A2
                                                                          • lstrlenW.KERNEL32(00000000,?,000999BB,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,00000100), ref: 000956AC
                                                                          • _wcschr.LIBVCRUNTIME ref: 000958B4
                                                                          • LeaveCriticalSection.KERNEL32(000002C0,00000000,00000000,00000000,00000000,00000000,00000001,?,000999BB,000002C0,?,00000000,00000000,000002C0,00000100,000002C0), ref: 00095B56
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$EnterLeave_wcschrlstrlen
                                                                          • String ID: *****$Failed to allocate buffer for format string.$Failed to allocate record.$Failed to allocate string.$Failed to allocate variable array.$Failed to append placeholder.$Failed to append string.$Failed to copy string.$Failed to determine variable visibility: '%ls'.$Failed to format placeholder string.$Failed to format record.$Failed to get formatted length.$Failed to get variable name.$Failed to reallocate variable array.$Failed to set record format string.$Failed to set record string.$Failed to set variable value.$[%d]$variable.cpp
                                                                          • API String ID: 1026845265-2050445661
                                                                          • Opcode ID: 2304fbde55200e5ba664b9b874d8127caa3b23ef735dfe47caa0266177143375
                                                                          • Instruction ID: e2f2de3b3d92c2d51bc103974d5a43db3c38584989e50715c41f973780b62d8e
                                                                          • Opcode Fuzzy Hash: 2304fbde55200e5ba664b9b874d8127caa3b23ef735dfe47caa0266177143375
                                                                          • Instruction Fuzzy Hash: 43F1B071D00729EBDF229FA58C41AEFBBA9EF04751F11412AFD14AB241D7349E01EBA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 26%
                                                                          			E000D15CB(void* __edx) {
                                                                          				signed int _v8;
                                                                          				char* _v12;
                                                                          				int _v32;
                                                                          				intOrPtr _v36;
                                                                          				intOrPtr _v40;
                                                                          				char* _v44;
                                                                          				int _v64;
                                                                          				intOrPtr _v68;
                                                                          				intOrPtr _v72;
                                                                          				char* _v76;
                                                                          				int _v96;
                                                                          				intOrPtr _v100;
                                                                          				intOrPtr _v104;
                                                                          				char* _v108;
                                                                          				int _v128;
                                                                          				intOrPtr _v132;
                                                                          				intOrPtr _v136;
                                                                          				void* _v140;
                                                                          				int _v160;
                                                                          				intOrPtr _v164;
                                                                          				char _v168;
                                                                          				void _v240;
                                                                          				char _v312;
                                                                          				char _v384;
                                                                          				char _v456;
                                                                          				char _v528;
                                                                          				char _v532;
                                                                          				int _v536;
                                                                          				struct _SECURITY_DESCRIPTOR _v556;
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				void* __ebp;
                                                                          				signed int _t65;
                                                                          				signed short _t103;
                                                                          				struct _SECURITY_DESCRIPTOR* _t112;
                                                                          				signed short _t116;
                                                                          				void* _t117;
                                                                          				signed short _t119;
                                                                          				signed short _t120;
                                                                          				signed short _t121;
                                                                          				signed short _t122;
                                                                          				signed short _t123;
                                                                          				signed short _t124;
                                                                          				signed short _t125;
                                                                          				signed short _t126;
                                                                          				intOrPtr _t128;
                                                                          				void* _t131;
                                                                          				char _t133;
                                                                          				intOrPtr* _t134;
                                                                          				intOrPtr _t135;
                                                                          				signed int _t167;
                                                                          
                                                                          				_t131 = __edx;
                                                                          				_t65 =  *0xfa008; // 0x90c8e23b
                                                                          				_v8 = _t65 ^ _t167;
                                                                          				_v556.Revision = 0;
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				asm("stosw");
                                                                          				asm("stosb");
                                                                          				E000BF670( &(_v556.Sbz1),  &_v168, 0, 0xa0);
                                                                          				_t133 = 0x48;
                                                                          				_v536 = 0;
                                                                          				E000BF670(_t133,  &_v240, 0, _t133);
                                                                          				E000BF670(_t133,  &_v312, 0, _t133);
                                                                          				E000BF670(_t133,  &_v384, 0, _t133);
                                                                          				E000BF670(_t133,  &_v456, 0, _t133);
                                                                          				E000BF670(_t133,  &_v528, 0, _t133);
                                                                          				_v532 = 0;
                                                                          				if(InitializeSecurityDescriptor( &_v556, 1) != 0) {
                                                                          					_t134 = __imp__CreateWellKnownSid;
                                                                          					_push( &_v532);
                                                                          					_v532 = _t133;
                                                                          					_push( &_v240);
                                                                          					_push(0);
                                                                          					_push(0x1a);
                                                                          					if( *_t134() != 0) {
                                                                          						_v532 = _t133;
                                                                          						_push( &_v532);
                                                                          						_push( &_v312);
                                                                          						_push(0);
                                                                          						_push(0x17);
                                                                          						if( *_t134() != 0) {
                                                                          							_v532 = _t133;
                                                                          							_push( &_v532);
                                                                          							_push( &_v384);
                                                                          							_push(0);
                                                                          							_push(0x18);
                                                                          							if( *_t134() != 0) {
                                                                          								_v532 = _t133;
                                                                          								_push( &_v532);
                                                                          								_push( &_v456);
                                                                          								_push(0);
                                                                          								_push(0x10);
                                                                          								if( *_t134() != 0) {
                                                                          									_v532 = _t133;
                                                                          									_push( &_v532);
                                                                          									_push( &_v528);
                                                                          									_push(0);
                                                                          									_push(0x16);
                                                                          									if( *_t134() != 0) {
                                                                          										asm("movaps xmm0, [0xf6480]");
                                                                          										_v140 =  &_v240;
                                                                          										_v108 =  &_v312;
                                                                          										_t128 = 3;
                                                                          										_v76 =  &_v384;
                                                                          										_t135 = 2;
                                                                          										asm("movups [ebp-0x98], xmm0");
                                                                          										_v44 =  &_v456;
                                                                          										asm("movaps xmm0, [0xf6480]");
                                                                          										asm("movups [ebp-0x78], xmm0");
                                                                          										_v12 =  &_v528;
                                                                          										asm("movaps xmm0, [0xf6480]");
                                                                          										asm("movups [ebp-0x58], xmm0");
                                                                          										_t103 =  &_v168;
                                                                          										_v168 = _t128;
                                                                          										asm("movaps xmm0, [0xf6480]");
                                                                          										asm("movups [ebp-0x38], xmm0");
                                                                          										asm("movaps xmm0, [0xf6480]");
                                                                          										_v164 = _t135;
                                                                          										_v160 = 0;
                                                                          										_v136 = _t128;
                                                                          										_v132 = _t135;
                                                                          										_v128 = 0;
                                                                          										_v104 = _t128;
                                                                          										_v100 = _t135;
                                                                          										_v96 = 0;
                                                                          										_v72 = _t128;
                                                                          										_v68 = _t135;
                                                                          										_v64 = 0;
                                                                          										_v40 = _t128;
                                                                          										_v36 = _t135;
                                                                          										_v32 = 0;
                                                                          										asm("movups [ebp-0x18], xmm0");
                                                                          										__imp__SetEntriesInAclA(5, _t103, 0,  &_v536);
                                                                          										if(_t103 == 0) {
                                                                          											if(SetSecurityDescriptorOwner( &_v556,  &_v240, 0) != 0) {
                                                                          												if(SetSecurityDescriptorGroup( &_v556,  &_v240, 0) != 0) {
                                                                          													if(SetSecurityDescriptorDacl( &_v556, 1, _v536, 0) != 0) {
                                                                          														_t112 =  &_v556;
                                                                          														__imp__CoInitializeSecurity(_t112, 0xffffffff, 0, 0, 6, _t135, 0, 0x3000, 0);
                                                                          														_t136 = _t112;
                                                                          													} else {
                                                                          														_t116 = GetLastError();
                                                                          														_t139 =  <=  ? _t116 : _t116 & 0x0000ffff | 0x80070000;
                                                                          														_t117 = 0x80004005;
                                                                          														_t136 =  >=  ? 0x80004005 :  <=  ? _t116 : _t116 & 0x0000ffff | 0x80070000;
                                                                          														_push( >=  ? 0x80004005 :  <=  ? _t116 : _t116 & 0x0000ffff | 0x80070000);
                                                                          														_push(0xdf);
                                                                          														goto L2;
                                                                          													}
                                                                          												} else {
                                                                          													_t119 = GetLastError();
                                                                          													_t142 =  <=  ? _t119 : _t119 & 0x0000ffff | 0x80070000;
                                                                          													_t117 = 0x80004005;
                                                                          													_t136 =  >=  ? 0x80004005 :  <=  ? _t119 : _t119 & 0x0000ffff | 0x80070000;
                                                                          													_push( >=  ? 0x80004005 :  <=  ? _t119 : _t119 & 0x0000ffff | 0x80070000);
                                                                          													_push(0xd9);
                                                                          													goto L2;
                                                                          												}
                                                                          											} else {
                                                                          												_t120 = GetLastError();
                                                                          												_t145 =  <=  ? _t120 : _t120 & 0x0000ffff | 0x80070000;
                                                                          												_t117 = 0x80004005;
                                                                          												_t136 =  >=  ? 0x80004005 :  <=  ? _t120 : _t120 & 0x0000ffff | 0x80070000;
                                                                          												_push( >=  ? 0x80004005 :  <=  ? _t120 : _t120 & 0x0000ffff | 0x80070000);
                                                                          												_push(0xd3);
                                                                          												goto L2;
                                                                          											}
                                                                          										} else {
                                                                          											_t148 =  <=  ? _t103 : _t103 & 0x0000ffff | 0x80070000;
                                                                          											_t117 = 0x80004005;
                                                                          											_t136 =  >=  ? 0x80004005 :  <=  ? _t103 : _t103 & 0x0000ffff | 0x80070000;
                                                                          											_push( >=  ? 0x80004005 :  <=  ? _t103 : _t103 & 0x0000ffff | 0x80070000);
                                                                          											_push(0xce);
                                                                          											goto L2;
                                                                          										}
                                                                          									} else {
                                                                          										_t121 = GetLastError();
                                                                          										_t151 =  <=  ? _t121 : _t121 & 0x0000ffff | 0x80070000;
                                                                          										_t117 = 0x80004005;
                                                                          										_t136 =  >=  ? 0x80004005 :  <=  ? _t121 : _t121 & 0x0000ffff | 0x80070000;
                                                                          										_push( >=  ? 0x80004005 :  <=  ? _t121 : _t121 & 0x0000ffff | 0x80070000);
                                                                          										_push(0x9a);
                                                                          										goto L2;
                                                                          									}
                                                                          								} else {
                                                                          									_t122 = GetLastError();
                                                                          									_t154 =  <=  ? _t122 : _t122 & 0x0000ffff | 0x80070000;
                                                                          									_t117 = 0x80004005;
                                                                          									_t136 =  >=  ? 0x80004005 :  <=  ? _t122 : _t122 & 0x0000ffff | 0x80070000;
                                                                          									_push( >=  ? 0x80004005 :  <=  ? _t122 : _t122 & 0x0000ffff | 0x80070000);
                                                                          									_push(0x93);
                                                                          									goto L2;
                                                                          								}
                                                                          							} else {
                                                                          								_t123 = GetLastError();
                                                                          								_t157 =  <=  ? _t123 : _t123 & 0x0000ffff | 0x80070000;
                                                                          								_t117 = 0x80004005;
                                                                          								_t136 =  >=  ? 0x80004005 :  <=  ? _t123 : _t123 & 0x0000ffff | 0x80070000;
                                                                          								_push( >=  ? 0x80004005 :  <=  ? _t123 : _t123 & 0x0000ffff | 0x80070000);
                                                                          								_push(0x8c);
                                                                          								goto L2;
                                                                          							}
                                                                          						} else {
                                                                          							_t124 = GetLastError();
                                                                          							_t160 =  <=  ? _t124 : _t124 & 0x0000ffff | 0x80070000;
                                                                          							_t117 = 0x80004005;
                                                                          							_t136 =  >=  ? 0x80004005 :  <=  ? _t124 : _t124 & 0x0000ffff | 0x80070000;
                                                                          							_push( >=  ? 0x80004005 :  <=  ? _t124 : _t124 & 0x0000ffff | 0x80070000);
                                                                          							_push(0x85);
                                                                          							goto L2;
                                                                          						}
                                                                          					} else {
                                                                          						_t125 = GetLastError();
                                                                          						_t163 =  <=  ? _t125 : _t125 & 0x0000ffff | 0x80070000;
                                                                          						_t117 = 0x80004005;
                                                                          						_t136 =  >=  ? 0x80004005 :  <=  ? _t125 : _t125 & 0x0000ffff | 0x80070000;
                                                                          						_push( >=  ? 0x80004005 :  <=  ? _t125 : _t125 & 0x0000ffff | 0x80070000);
                                                                          						_push(0x7e);
                                                                          						goto L2;
                                                                          					}
                                                                          				} else {
                                                                          					_t126 = GetLastError();
                                                                          					_t166 =  <=  ? _t126 : _t126 & 0x0000ffff | 0x80070000;
                                                                          					_t117 = 0x80004005;
                                                                          					_t136 =  >=  ? 0x80004005 :  <=  ? _t126 : _t126 & 0x0000ffff | 0x80070000;
                                                                          					_push( >=  ? 0x80004005 :  <=  ? _t126 : _t126 & 0x0000ffff | 0x80070000);
                                                                          					_push(0x77);
                                                                          					L2:
                                                                          					_push("srputil.cpp");
                                                                          					E000937D3(_t117);
                                                                          				}
                                                                          				if(_v536 != 0) {
                                                                          					LocalFree(_v536);
                                                                          				}
                                                                          				return E000BDE36(0, _v8 ^ _t167, _t131, _t133, _t136);
                                                                          			}
                                                                          0x000d1803
                                                                          0x000d1810
                                                                          0x000d181c
                                                                          0x000d1827
                                                                          0x000d1828
                                                                          0x000d1833
                                                                          0x000d1834
                                                                          0x000d183b
                                                                          0x000d1844
                                                                          0x000d184b
                                                                          0x000d184f
                                                                          0x000d1858
                                                                          0x000d1860
                                                                          0x000d1864
                                                                          0x000d186a
                                                                          0x000d1870
                                                                          0x000d1878
                                                                          0x000d187d
                                                                          0x000d1886
                                                                          0x000d188c
                                                                          0x000d1892
                                                                          0x000d1898
                                                                          0x000d189b
                                                                          0x000d189e
                                                                          0x000d18a1
                                                                          0x000d18a4
                                                                          0x000d18a7
                                                                          0x000d18aa
                                                                          0x000d18ad
                                                                          0x000d18b0
                                                                          0x000d18b3
                                                                          0x000d18b6
                                                                          0x000d18b9
                                                                          0x000d18bd
                                                                          0x000d18c5
                                                                          0x000d1901
                                                                          0x000d1943
                                                                          0x000d1986
                                                                          0x000d19bf
                                                                          0x000d19c6
                                                                          0x000d19cc
                                                                          0x000d1988
                                                                          0x000d1988
                                                                          0x000d1999
                                                                          0x000d199c
                                                                          0x000d19a3
                                                                          0x000d19a6
                                                                          0x000d19a7
                                                                          0x00000000
                                                                          0x000d19a7
                                                                          0x000d1945
                                                                          0x000d1945
                                                                          0x000d1956
                                                                          0x000d1959
                                                                          0x000d1960
                                                                          0x000d1963
                                                                          0x000d1964
                                                                          0x00000000
                                                                          0x000d1964
                                                                          0x000d1903
                                                                          0x000d1903
                                                                          0x000d1914
                                                                          0x000d1917
                                                                          0x000d191e
                                                                          0x000d1921
                                                                          0x000d1922
                                                                          0x00000000
                                                                          0x000d1922
                                                                          0x000d18c7
                                                                          0x000d18d2
                                                                          0x000d18d5
                                                                          0x000d18dc
                                                                          0x000d18df
                                                                          0x000d18e0
                                                                          0x00000000
                                                                          0x000d18e0
                                                                          0x000d17da
                                                                          0x000d17da
                                                                          0x000d17eb
                                                                          0x000d17ee
                                                                          0x000d17f5
                                                                          0x000d17f8
                                                                          0x000d17f9
                                                                          0x00000000
                                                                          0x000d17f9
                                                                          0x000d1794
                                                                          0x000d1794
                                                                          0x000d17a5
                                                                          0x000d17a8
                                                                          0x000d17af
                                                                          0x000d17b2
                                                                          0x000d17b3
                                                                          0x00000000
                                                                          0x000d17b3
                                                                          0x000d174e
                                                                          0x000d174e
                                                                          0x000d175f
                                                                          0x000d1762
                                                                          0x000d1769
                                                                          0x000d176c
                                                                          0x000d176d
                                                                          0x00000000
                                                                          0x000d176d
                                                                          0x000d1708
                                                                          0x000d1708
                                                                          0x000d1719
                                                                          0x000d171c
                                                                          0x000d1723
                                                                          0x000d1726
                                                                          0x000d1727
                                                                          0x00000000
                                                                          0x000d1727
                                                                          0x000d16c8
                                                                          0x000d16c8
                                                                          0x000d16d9
                                                                          0x000d16dc
                                                                          0x000d16e3
                                                                          0x000d16e6
                                                                          0x000d16e7
                                                                          0x00000000
                                                                          0x000d16e7
                                                                          0x000d1675
                                                                          0x000d1675
                                                                          0x000d1686
                                                                          0x000d1689
                                                                          0x000d1690
                                                                          0x000d1693
                                                                          0x000d1694
                                                                          0x000d1696
                                                                          0x000d1696
                                                                          0x000d169b
                                                                          0x000d169b
                                                                          0x000d19d4
                                                                          0x000d19dc
                                                                          0x000d19dc
                                                                          0x000d19f4

                                                                          APIs
                                                                          • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 000D166B
                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000D1675
                                                                          • CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?), ref: 000D16C2
                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000D16C8
                                                                          • CreateWellKnownSid.ADVAPI32(00000017,00000000,?,?), ref: 000D1702
                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000D1708
                                                                          • CreateWellKnownSid.ADVAPI32(00000018,00000000,?,?), ref: 000D1748
                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000D174E
                                                                          • CreateWellKnownSid.ADVAPI32(00000010,00000000,?,?), ref: 000D178E
                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000D1794
                                                                          • CreateWellKnownSid.ADVAPI32(00000016,00000000,?,?), ref: 000D17D4
                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000D17DA
                                                                          • SetEntriesInAclA.ADVAPI32(00000005,?,00000000,?), ref: 000D18BD
                                                                          • LocalFree.KERNEL32(?), ref: 000D19DC
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast$CreateKnownWell$DescriptorEntriesFreeInitializeLocalSecurity
                                                                          • String ID: @Mt$srputil.cpp
                                                                          • API String ID: 3627156773-3464653251
                                                                          • Opcode ID: e6cbf8cf441f9c5f0c3916874976204f71526809211b47d6cb9eb1f5fb37f7da
                                                                          • Instruction ID: b0d88c71a63959a90115839dc8371758807251d63ba297303ceb48764e87cb8a
                                                                          • Opcode Fuzzy Hash: e6cbf8cf441f9c5f0c3916874976204f71526809211b47d6cb9eb1f5fb37f7da
                                                                          • Instruction Fuzzy Hash: DEB11372D41329AAEB209BA58D44BEBBBFCEB08740F014167FD09F7150E7749D848AB4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 72%
                                                                          			E000A44E7(void* _a4, short* _a8, intOrPtr* _a12) {
                                                                          				struct _OVERLAPPED* _v8;
                                                                          				void _v12;
                                                                          				long _v16;
                                                                          				void _v20;
                                                                          				long _v24;
                                                                          				void _v28;
                                                                          				long _t26;
                                                                          				intOrPtr _t41;
                                                                          				intOrPtr* _t66;
                                                                          				void* _t69;
                                                                          				void* _t70;
                                                                          				void* _t71;
                                                                          
                                                                          				_v8 = 0;
                                                                          				_v12 = 0;
                                                                          				_v20 = 0;
                                                                          				_v16 = 0;
                                                                          				_t26 = GetCurrentProcessId();
                                                                          				_t69 = _a4;
                                                                          				_v28 = _t26;
                                                                          				_v24 = 0;
                                                                          				if(ReadFile(_t69,  &_v12, 4,  &_v16, 0) != 0) {
                                                                          					_t31 = _v12 >> 1;
                                                                          					if(_v12 >> 1 <= 0xff) {
                                                                          						_t71 = E00091EDE( &_v8, _t31 + 1);
                                                                          						if(_t71 >= 0) {
                                                                          							if(ReadFile(_t69, _v8, _v12,  &_v16, 0) != 0) {
                                                                          								if(CompareStringW(0, 0, _v8, 0xffffffff, _a8, 0xffffffff) == 2) {
                                                                          									if(ReadFile(_t69,  &_v20, 4,  &_v16, 0) != 0) {
                                                                          										_t66 = _a12;
                                                                          										_t41 =  *_t66;
                                                                          										if(_t41 != 0) {
                                                                          											if(_t41 == _v20) {
                                                                          												goto L15;
                                                                          											} else {
                                                                          												_t70 = 0x8007000d;
                                                                          												_t71 = 0x8007000d;
                                                                          												E000937D3(_t41, "pipe.cpp", 0x36d, 0x8007000d);
                                                                          												_push("Verification process id from parent does not match.");
                                                                          												goto L4;
                                                                          											}
                                                                          										} else {
                                                                          											 *_t66 = _v20;
                                                                          											L15:
                                                                          											if(WriteFile(_t69,  &_v28, 4,  &_v24, 0) == 0) {
                                                                          												_t74 =  <=  ? GetLastError() : _t47 & 0x0000ffff | 0x80070000;
                                                                          												_t71 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t47 & 0x0000ffff | 0x80070000;
                                                                          												E000937D3(0x80004005, "pipe.cpp", 0x373, _t71);
                                                                          												_push("Failed to inform parent process that child is running.");
                                                                          												goto L17;
                                                                          											}
                                                                          										}
                                                                          									} else {
                                                                          										_t77 =  <=  ? GetLastError() : _t53 & 0x0000ffff | 0x80070000;
                                                                          										_t71 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t53 & 0x0000ffff | 0x80070000;
                                                                          										E000937D3(0x80004005, "pipe.cpp", 0x362, _t71);
                                                                          										_push("Failed to read verification process id from parent pipe.");
                                                                          										goto L17;
                                                                          									}
                                                                          								} else {
                                                                          									_t70 = 0x8007000d;
                                                                          									_t71 = 0x8007000d;
                                                                          									E000937D3(_t37, "pipe.cpp", 0x35c, 0x8007000d);
                                                                          									_push("Verification secret from parent does not match.");
                                                                          									goto L4;
                                                                          								}
                                                                          							} else {
                                                                          								_t80 =  <=  ? GetLastError() : _t57 & 0x0000ffff | 0x80070000;
                                                                          								_t71 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t57 & 0x0000ffff | 0x80070000;
                                                                          								E000937D3(0x80004005, "pipe.cpp", 0x355, _t71);
                                                                          								_push("Failed to read verification secret from parent pipe.");
                                                                          								goto L17;
                                                                          							}
                                                                          						} else {
                                                                          							_push("Failed to allocate buffer for verification secret.");
                                                                          							goto L17;
                                                                          						}
                                                                          					} else {
                                                                          						_t70 = 0x8007000d;
                                                                          						_t71 = 0x8007000d;
                                                                          						E000937D3(_t31, "pipe.cpp", 0x34d, 0x8007000d);
                                                                          						_push("Verification secret from parent is too big.");
                                                                          						L4:
                                                                          						_push(_t70);
                                                                          						goto L18;
                                                                          					}
                                                                          				} else {
                                                                          					_t83 =  <=  ? GetLastError() : _t61 & 0x0000ffff | 0x80070000;
                                                                          					_t71 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t61 & 0x0000ffff | 0x80070000;
                                                                          					E000937D3(0x80004005, "pipe.cpp", 0x347, _t71);
                                                                          					_push("Failed to read size of verification secret from parent pipe.");
                                                                          					L17:
                                                                          					_push(_t71);
                                                                          					L18:
                                                                          					E000D012F();
                                                                          				}
                                                                          				if(_v8 != 0) {
                                                                          					E000D54EF(_v8);
                                                                          				}
                                                                          				return _t71;
                                                                          			}















                                                                          0x00000000
                                                                          0x000a45e7
                                                                          0x000a459c
                                                                          0x000a459c
                                                                          0x00000000
                                                                          0x000a459c
                                                                          0x000a4569
                                                                          0x000a4569
                                                                          0x000a4579
                                                                          0x000a457b
                                                                          0x000a4580
                                                                          0x000a4585
                                                                          0x000a4585
                                                                          0x00000000
                                                                          0x000a4585
                                                                          0x000a4525
                                                                          0x000a4536
                                                                          0x000a4540
                                                                          0x000a454e
                                                                          0x000a4553
                                                                          0x000a46cb
                                                                          0x000a46cb
                                                                          0x000a46cc
                                                                          0x000a46cc
                                                                          0x000a46d2
                                                                          0x000a46d7
                                                                          0x000a46dc
                                                                          0x000a46dc
                                                                          0x000a46e9

                                                                          APIs
                                                                          • GetCurrentProcessId.KERNEL32(?,8000FFFF,feclient.dll,?,000A49FE,000DB4D8,?,feclient.dll,00000000,?,?), ref: 000A44FE
                                                                          • ReadFile.KERNEL32(feclient.dll,feclient.dll,00000004,?,00000000,?,000A49FE,000DB4D8,?,feclient.dll,00000000,?,?), ref: 000A451F
                                                                          • GetLastError.KERNEL32(?,000A49FE,000DB4D8,?,feclient.dll,00000000,?,?), ref: 000A4525
                                                                          • WriteFile.KERNEL32(feclient.dll,?,00000004,000A49FE,00000000,?,000A49FE,000DB4D8,?,feclient.dll,00000000,?,?), ref: 000A468E
                                                                          • GetLastError.KERNEL32(?,000A49FE,000DB4D8,?,feclient.dll,00000000,?,?), ref: 000A4698
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLast$CurrentProcessReadWrite
                                                                          • String ID: @Mt$Failed to allocate buffer for verification secret.$Failed to inform parent process that child is running.$Failed to read size of verification secret from parent pipe.$Failed to read verification process id from parent pipe.$Failed to read verification secret from parent pipe.$Verification process id from parent does not match.$Verification secret from parent does not match.$Verification secret from parent is too big.$feclient.dll$msasn1.dll$pipe.cpp
                                                                          • API String ID: 3008747291-2498692050
                                                                          • Opcode ID: b71c4a760cefa575c1837a12e43c3989e9ab31a0f3e27d1792ec42b7be312e50
                                                                          • Instruction ID: abe6200a0d8ddbb5bb5ea1a61b8709b5610b75dca693c704407bece9de74171b
                                                                          • Opcode Fuzzy Hash: b71c4a760cefa575c1837a12e43c3989e9ab31a0f3e27d1792ec42b7be312e50
                                                                          • Instruction Fuzzy Hash: AE51D476E40315BBEB219AE68C85FAFB6E8AF46710F110126FE11FB190D7748E0096E1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 68%
                                                                          			E000B25AF(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
                                                                          				signed int _v8;
                                                                          				void* __ebx;
                                                                          				int _t39;
                                                                          				signed int _t48;
                                                                          				intOrPtr _t50;
                                                                          				void* _t57;
                                                                          				void* _t58;
                                                                          				void* _t59;
                                                                          
                                                                          				_t45 = __ecx;
                                                                          				_push(__ecx);
                                                                          				_v8 = _v8 & 0x00000000;
                                                                          				_t43 = _a4;
                                                                          				_t50 = _a8;
                                                                          				if(E000D31C7(_a4, L"DetectCondition", _t50 + 0x90) >= 0) {
                                                                          					if(E000D31C7(_t43, L"InstallArguments", _t50 + 0x94) >= 0) {
                                                                          						if(E000D31C7(_t43, L"UninstallArguments", _t50 + 0x9c) >= 0) {
                                                                          							if(E000D31C7(_t43, L"RepairArguments", _t50 + 0x98) >= 0) {
                                                                          								_t57 = E000D33DB(_t45, _t43, L"Repairable", _t50 + 0xac);
                                                                          								if(_t57 == 0x80070490 || _t57 >= 0) {
                                                                          									_t58 = E000D31C7(_t43, L"Protocol",  &_v8);
                                                                          									if(_t58 < 0) {
                                                                          										if(_t58 == 0x80070490) {
                                                                          											goto L14;
                                                                          										} else {
                                                                          											_push("Failed to get @Protocol.");
                                                                          											goto L25;
                                                                          										}
                                                                          									} else {
                                                                          										if(CompareStringW(0x7f, 0, _v8, 0xffffffff, L"burn", 0xffffffff) != 2) {
                                                                          											_t39 = CompareStringW(0x7f, 0, _v8, 0xffffffff, L"netfx4", 0xffffffff);
                                                                          											_t48 = 2;
                                                                          											if(_t39 != _t48) {
                                                                          												if(CompareStringW(0x7f, 0, _v8, 0xffffffff, L"none", 0xffffffff) != 2) {
                                                                          													_t59 = 0x8000ffff;
                                                                          													E000D012F(0x8000ffff, "Invalid protocol type: %ls", _v8);
                                                                          												} else {
                                                                          													 *(_t50 + 0xb0) =  *(_t50 + 0xb0) & 0x00000000;
                                                                          													goto L14;
                                                                          												}
                                                                          											} else {
                                                                          												 *(_t50 + 0xb0) = _t48;
                                                                          												goto L14;
                                                                          											}
                                                                          										} else {
                                                                          											 *(_t50 + 0xb0) = 1;
                                                                          											L14:
                                                                          											_t59 = E000B1970(_t43, _t43, _t50);
                                                                          											if(_t59 >= 0) {
                                                                          												_t59 = E000B17C4(_t43, _t50);
                                                                          												if(_t59 < 0) {
                                                                          													_push("Failed to parse command lines.");
                                                                          													goto L25;
                                                                          												}
                                                                          											} else {
                                                                          												_push("Failed to parse exit codes.");
                                                                          												goto L25;
                                                                          											}
                                                                          										}
                                                                          									}
                                                                          								} else {
                                                                          									_push("Failed to get @Repairable.");
                                                                          									goto L25;
                                                                          								}
                                                                          							} else {
                                                                          								_push("Failed to get @RepairArguments.");
                                                                          								goto L25;
                                                                          							}
                                                                          						} else {
                                                                          							_push("Failed to get @UninstallArguments.");
                                                                          							goto L25;
                                                                          						}
                                                                          					} else {
                                                                          						_push("Failed to get @InstallArguments.");
                                                                          						goto L25;
                                                                          					}
                                                                          				} else {
                                                                          					_push("Failed to get @DetectCondition.");
                                                                          					L25:
                                                                          					_push(_t59);
                                                                          					E000D012F();
                                                                          				}
                                                                          				if(_v8 != 0) {
                                                                          					E000D54EF(_v8);
                                                                          				}
                                                                          				return _t59;
                                                                          			}












                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: StringVariant$AllocClearFreeInit
                                                                          • String ID: DetectCondition$Failed to get @DetectCondition.$Failed to get @InstallArguments.$Failed to get @Protocol.$Failed to get @RepairArguments.$Failed to get @Repairable.$Failed to get @UninstallArguments.$Failed to parse command lines.$Failed to parse exit codes.$InstallArguments$Invalid protocol type: %ls$Protocol$RepairArguments$Repairable$UninstallArguments$burn$netfx4$none
                                                                          • API String ID: 760788290-1911311241
                                                                          • Opcode ID: 694f5efe196734223ca929f0be4301b453bf551b145132438727d23b28a71bb7
                                                                          • Instruction ID: cf864630a9094b4d798ed8f0035d17bb7ac95f797698638ef97cedfd25f20c03
                                                                          • Opcode Fuzzy Hash: 694f5efe196734223ca929f0be4301b453bf551b145132438727d23b28a71bb7
                                                                          • Instruction Fuzzy Hash: 1B41ED32BC87A6BAC72561618C42FEEB65C5B15730F210311FE21BA3D1CB64BD0052E6
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 71%
                                                                          			E0009F09D(void* __edx, void* __eflags, intOrPtr _a4, void* _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                          				void* _v8;
                                                                          				char _v12;
                                                                          				char _v16;
                                                                          				char _v20;
                                                                          				signed short _t54;
                                                                          				signed short _t59;
                                                                          				void* _t70;
                                                                          				void* _t71;
                                                                          				void* _t76;
                                                                          				intOrPtr _t77;
                                                                          				void* _t79;
                                                                          
                                                                          				_t76 = __edx;
                                                                          				_t77 = _a4;
                                                                          				_v8 = 0;
                                                                          				_v12 = 0;
                                                                          				_v16 = 0;
                                                                          				_v20 = 0;
                                                                          				_push(E000A3C30( *((intOrPtr*)(_t77 + 8))));
                                                                          				_push(E000A3C30(_a16));
                                                                          				_push(E000A4257(_a12));
                                                                          				E0009550F(2, 0x20000173,  *((intOrPtr*)(_t77 + 0x50)));
                                                                          				E000D39CD( &_v16,  &_v20);
                                                                          				_t70 = _a8;
                                                                          				_t47 =  >=  ? L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce" : L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run";
                                                                          				_a4 =  >=  ? L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce" : L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run";
                                                                          				if(_t70 == 0) {
                                                                          					L6:
                                                                          					if(_a12 == 1) {
                                                                          						goto L8;
                                                                          					} else {
                                                                          						goto L7;
                                                                          					}
                                                                          				} else {
                                                                          					_t79 = E000D1344(_t70, L"Resume", _a12);
                                                                          					if(_t79 >= 0) {
                                                                          						if(_a12 != 3) {
                                                                          							goto L6;
                                                                          						} else {
                                                                          							_t79 = E000D1344(_t70, L"Installed", 1);
                                                                          							if(_t79 >= 0) {
                                                                          								L7:
                                                                          								if(_a16 == 0) {
                                                                          									L17:
                                                                          									_t79 = E000D0E3F( *((intOrPtr*)(_t77 + 0x4c)), _a4, 0x20006,  &_v8);
                                                                          									if(_t79 == 0x80070002 || _t79 == 0x80070003) {
                                                                          										_t79 = 0;
                                                                          										goto L22;
                                                                          									} else {
                                                                          										_t59 =  ==  ? 0 : RegDeleteValueW(_v8,  *(_t77 + 0x10));
                                                                          										if(_t59 == 0) {
                                                                          											L22:
                                                                          											if(_t70 != 0) {
                                                                          												_t54 =  ==  ? 0 : RegDeleteValueW(_t70, L"BundleResumeCommandLine");
                                                                          												if(_t54 != 0) {
                                                                          													_t82 =  <=  ? _t54 : _t54 & 0x0000ffff | 0x80070000;
                                                                          													_t79 =  >=  ? 0x80004005 :  <=  ? _t54 : _t54 & 0x0000ffff | 0x80070000;
                                                                          													E000937D3(0x80004005, "registration.cpp", 0x4e1, _t79);
                                                                          													_push("Failed to delete resume command line value.");
                                                                          													goto L25;
                                                                          												}
                                                                          											}
                                                                          										} else {
                                                                          											_t85 =  <=  ? _t59 : _t59 & 0x0000ffff | 0x80070000;
                                                                          											_t79 =  >=  ? 0x80004005 :  <=  ? _t59 : _t59 & 0x0000ffff | 0x80070000;
                                                                          											E000937D3(0x80004005, "registration.cpp", 0x4d7, _t79);
                                                                          											_push("Failed to delete run key value.");
                                                                          											goto L25;
                                                                          										}
                                                                          									}
                                                                          								} else {
                                                                          									L8:
                                                                          									if( *((intOrPtr*)(_t77 + 8)) != 0) {
                                                                          										goto L17;
                                                                          									} else {
                                                                          										_push(L"burn.runonce");
                                                                          										_t79 = E00091F20( &_v12, L"\"%ls\" /%ls",  *((intOrPtr*)(_t77 + 0x54)));
                                                                          										if(_t79 >= 0) {
                                                                          											_t79 = E000D0A88( *((intOrPtr*)(_t77 + 0x4c)), _a4, 0x20006,  &_v8);
                                                                          											if(_t79 >= 0) {
                                                                          												_t79 = E000D1392(_t71, _t76, _v8,  *(_t77 + 0x10), _v12);
                                                                          												if(_t79 >= 0) {
                                                                          													_t79 = E000D1392(_t71, _t76, _t70, L"BundleResumeCommandLine",  *((intOrPtr*)(_t77 + 0x58)));
                                                                          													if(_t79 < 0) {
                                                                          														_push("Failed to write resume command line value.");
                                                                          														goto L25;
                                                                          													}
                                                                          												} else {
                                                                          													_push("Failed to write run key value.");
                                                                          													goto L25;
                                                                          												}
                                                                          											} else {
                                                                          												_push("Failed to create run key.");
                                                                          												goto L25;
                                                                          											}
                                                                          										} else {
                                                                          											_push("Failed to format resume command line for RunOnce.");
                                                                          											goto L25;
                                                                          										}
                                                                          									}
                                                                          								}
                                                                          							} else {
                                                                          								_push("Failed to write Installed value.");
                                                                          								goto L25;
                                                                          							}
                                                                          						}
                                                                          					} else {
                                                                          						_push("Failed to write Resume value.");
                                                                          						L25:
                                                                          						_push(_t79);
                                                                          						E000D012F();
                                                                          					}
                                                                          				}
                                                                          				if(_v12 != 0) {
                                                                          					E000D54EF(_v12);
                                                                          				}
                                                                          				if(_v8 != 0) {
                                                                          					RegCloseKey(_v8);
                                                                          				}
                                                                          				return _t79;
                                                                          			}















                                                                          APIs
                                                                            • Part of subcall function 000D39CD: GetVersionExW.KERNEL32(?,?,00000000,?), ref: 000D3A1A
                                                                          • RegCloseKey.ADVAPI32(00000000,?,00020006,00020006,00000000,?,?,00000002,00000000,?,00000000,00000001,00000002), ref: 0009F2CB
                                                                            • Part of subcall function 000D1344: RegSetValueExW.ADVAPI32(?,?,00000000,00000004,?,00000004,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,?,0009F11A,00000005,Resume,?,?,?,00000002,00000000), ref: 000D1359
                                                                          Strings
                                                                          • registration.cpp, xrefs: 0009F250, 0009F29D
                                                                          • Failed to delete resume command line value., xrefs: 0009F2A7
                                                                          • burn.runonce, xrefs: 0009F167
                                                                          • Failed to format resume command line for RunOnce., xrefs: 0009F186
                                                                          • Installed, xrefs: 0009F132
                                                                          • Resume, xrefs: 0009F10F
                                                                          • SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 0009F0AE
                                                                          • BundleResumeCommandLine, xrefs: 0009F1D5, 0009F267
                                                                          • Failed to write resume command line value., xrefs: 0009F1EA
                                                                          • "%ls" /%ls, xrefs: 0009F172
                                                                          • SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 0009F0FA
                                                                          • Failed to write Installed value., xrefs: 0009F143
                                                                          • Failed to create run key., xrefs: 0009F1AA
                                                                          • Failed to write Resume value., xrefs: 0009F120
                                                                          • Failed to write run key value., xrefs: 0009F1C8
                                                                          • Failed to delete run key value., xrefs: 0009F25A
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: CloseValueVersion
                                                                          • String ID: "%ls" /%ls$BundleResumeCommandLine$Failed to create run key.$Failed to delete resume command line value.$Failed to delete run key value.$Failed to format resume command line for RunOnce.$Failed to write Installed value.$Failed to write Resume value.$Failed to write resume command line value.$Failed to write run key value.$Installed$Resume$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce$burn.runonce$registration.cpp
                                                                          • API String ID: 2348918689-3140388177
                                                                          • Opcode ID: ea5a1ab80b34cee70ff72cdb108c7b6dfee38f3b09deefdfd40afa24771d21b7
                                                                          • Instruction ID: 4b91c4fdf235a3056249d92d18844206c3d44ee9c85db1bfedb741941bf6d9c0
                                                                          • Opcode Fuzzy Hash: ea5a1ab80b34cee70ff72cdb108c7b6dfee38f3b09deefdfd40afa24771d21b7
                                                                          • Instruction Fuzzy Hash: 8551D336A40766FADF216BA5CC42BFEBAA4AF04750F114136FE00FA191D771DE50A6D0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 55%
                                                                          			E000AE177(void* __eflags, void** _a4) {
                                                                          				int _v8;
                                                                          				int _v12;
                                                                          				int _v16;
                                                                          				int _v20;
                                                                          				void _v24;
                                                                          				struct tagMSG _v52;
                                                                          				struct _WNDCLASSW _v92;
                                                                          				int _t47;
                                                                          				signed short _t58;
                                                                          				signed short _t61;
                                                                          				struct HWND__* _t67;
                                                                          				signed int _t69;
                                                                          				void** _t82;
                                                                          				void* _t83;
                                                                          
                                                                          				asm("stosd");
                                                                          				_t69 = 0xa;
                                                                          				_push(7);
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				memset( &_v52, memset( &_v92, 0, _t69 << 2), 0 << 2);
                                                                          				_t82 = _a4;
                                                                          				_t83 = E000AE05E(_t82[1],  &_v24);
                                                                          				if(_t83 >= 0) {
                                                                          					_v92.lpfnWndProc = E000AE31B;
                                                                          					_v92.hInstance = _t82[1];
                                                                          					_v92.hCursor = LoadCursorW(0, 0x7f00);
                                                                          					_v92.lpszClassName = L"WixBurnSplashScreen";
                                                                          					if(RegisterClassW( &_v92) != 0) {
                                                                          						_t67 = CreateWindowExW(0x80, _v92.lpszClassName, _t82[2], 0x90000000, _v20, _v16, _v12, _v8, 0, 0, _t82[1],  &_v24);
                                                                          						if(_t67 != 0) {
                                                                          							 *(_t82[3]) = _t67;
                                                                          							SetEvent( *_t82);
                                                                          							while(1) {
                                                                          								_t47 = GetMessageW( &_v52, 0, 0, 0);
                                                                          								if(_t47 == 0) {
                                                                          									break;
                                                                          								}
                                                                          								if(_t47 == 0xffffffff) {
                                                                          									_t83 = 0x8000ffff;
                                                                          									_push("Unexpected return value from message pump.");
                                                                          									L13:
                                                                          									_push(_t83);
                                                                          									E000D012F();
                                                                          									L14:
                                                                          									L15:
                                                                          									UnregisterClassW(L"WixBurnSplashScreen", _t82[1]);
                                                                          									if(_v24 != 0) {
                                                                          										DeleteObject(_v24);
                                                                          									}
                                                                          									return _t83;
                                                                          								}
                                                                          								if(IsDialogMessageW(_t67,  &_v52) == 0) {
                                                                          									TranslateMessage( &_v52);
                                                                          									DispatchMessageW( &_v52);
                                                                          								}
                                                                          							}
                                                                          							goto L14;
                                                                          						}
                                                                          						_t58 = GetLastError();
                                                                          						_t86 =  <=  ? _t58 : _t58 & 0x0000ffff | 0x80070000;
                                                                          						_t83 =  >=  ? 0x80004005 :  <=  ? _t58 : _t58 & 0x0000ffff | 0x80070000;
                                                                          						E000937D3(0x80004005, "splashscreen.cpp", 0x8b, _t83);
                                                                          						_push("Failed to create window.");
                                                                          						goto L13;
                                                                          					}
                                                                          					_t61 = GetLastError();
                                                                          					_t89 =  <=  ? _t61 : _t61 & 0x0000ffff | 0x80070000;
                                                                          					_t83 =  >=  ? 0x80004005 :  <=  ? _t61 : _t61 & 0x0000ffff | 0x80070000;
                                                                          					E000937D3(0x80004005, "splashscreen.cpp", 0x85, _t83);
                                                                          					_push("Failed to register window.");
                                                                          					goto L13;
                                                                          				}
                                                                          				_push("Failed to load splash screen.");
                                                                          				_push(_t83);
                                                                          				E000D012F();
                                                                          				goto L15;
                                                                          			}

                                                                          APIs
                                                                            • Part of subcall function 000AE05E: LoadBitmapW.USER32(?,00000001), ref: 000AE094
                                                                            • Part of subcall function 000AE05E: GetLastError.KERNEL32 ref: 000AE0A0
                                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 000AE1D8
                                                                          • RegisterClassW.USER32 ref: 000AE1EC
                                                                          • GetLastError.KERNEL32 ref: 000AE1F7
                                                                          • UnregisterClassW.USER32 ref: 000AE2FC
                                                                          • DeleteObject.GDI32(00000000), ref: 000AE30B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ClassErrorLastLoad$BitmapCursorDeleteObjectRegisterUnregister
                                                                          • String ID: @Mt$Failed to create window.$Failed to load splash screen.$Failed to register window.$Unexpected return value from message pump.$WixBurnSplashScreen$splashscreen.cpp
                                                                          • API String ID: 164797020-398884887
                                                                          • Opcode ID: 070dc2be336717a5de6b5cbb9f50149d5615f79973ec94f09d07adcf075ec1d0
                                                                          • Instruction ID: 3f99260e08162166731dab4dee642598446ca143a09e46c053117d7f943bbf47
                                                                          • Opcode Fuzzy Hash: 070dc2be336717a5de6b5cbb9f50149d5615f79973ec94f09d07adcf075ec1d0
                                                                          • Instruction Fuzzy Hash: 1641AF72A00659FFEB119BE5DD49EAEBBB9FF04300F110126FA05E6160D7749D10DBA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 78%
                                                                          			E000AE563(signed int _a4) {
                                                                          				int _v8;
                                                                          				void _v12;
                                                                          				struct tagMSG _v40;
                                                                          				struct _WNDCLASSW _v80;
                                                                          				int _t35;
                                                                          				intOrPtr _t37;
                                                                          				struct HWND__* _t44;
                                                                          				int _t47;
                                                                          				signed short _t57;
                                                                          				signed short _t60;
                                                                          				void** _t64;
                                                                          				signed int _t65;
                                                                          				void* _t77;
                                                                          				struct HWND__* _t79;
                                                                          
                                                                          				_t64 = _a4;
                                                                          				_t65 = 0xa;
                                                                          				_t79 = 0;
                                                                          				_t35 = memset( &_v80, 0, _t65 << 2);
                                                                          				_push(7);
                                                                          				_v12 = 0;
                                                                          				memset( &_v40, _t35, 0 << 2);
                                                                          				_t77 = _t64[2];
                                                                          				_v8 = 0;
                                                                          				_t37 =  *((intOrPtr*)(_t77 + 0x490));
                                                                          				_a4 = 0 | _t37 == 0x00000002;
                                                                          				if(_t37 != 2 || TlsSetValue( *(_t77 + 0x498),  *(_t77 + 0x4b0)) != 0) {
                                                                          					_v80.hInstance = _t64[1];
                                                                          					_v80.lpfnWndProc = E000AE705;
                                                                          					_v80.lpszClassName = L"WixBurnMessageWindow";
                                                                          					if(RegisterClassW( &_v80) != 0) {
                                                                          						_v12 = _a4;
                                                                          						_v8 = _t77 + 0xb8;
                                                                          						_t44 = CreateWindowExW(0x80, _v80.lpszClassName, _t79, 0x90000000, 0x80000000, 8, _t79, _t79, _t79, _t79, _t64[1],  &_v12);
                                                                          						if(_t44 != 0) {
                                                                          							 *(_t77 + 0x3e0) = _t44;
                                                                          							SetEvent( *_t64);
                                                                          							while(1) {
                                                                          								_t47 = GetMessageW( &_v40, _t79, _t79, _t79);
                                                                          								if(_t47 == 0) {
                                                                          									break;
                                                                          								}
                                                                          								if(_t47 == 0xffffffff) {
                                                                          									_t79 = 0x8000ffff;
                                                                          									_push("Unexpected return value from message pump.");
                                                                          									L14:
                                                                          									_push(_t79);
                                                                          									E000D012F();
                                                                          									goto L15;
                                                                          								}
                                                                          								if(IsDialogMessageW(_v40,  &_v40) == 0) {
                                                                          									TranslateMessage( &_v40);
                                                                          									DispatchMessageW( &_v40);
                                                                          								}
                                                                          							}
                                                                          							goto L15;
                                                                          						}
                                                                          						_t57 = GetLastError();
                                                                          						_t82 =  <=  ? _t57 : _t57 & 0x0000ffff | 0x80070000;
                                                                          						_t79 =  >=  ? 0x80004005 :  <=  ? _t57 : _t57 & 0x0000ffff | 0x80070000;
                                                                          						E000937D3(0x80004005, "uithread.cpp", 0x8a, _t79);
                                                                          						_push("Failed to create window.");
                                                                          						goto L14;
                                                                          					}
                                                                          					_t60 = GetLastError();
                                                                          					_t85 =  <=  ? _t60 : _t60 & 0x0000ffff | 0x80070000;
                                                                          					_t79 =  >=  ? 0x80004005 :  <=  ? _t60 : _t60 & 0x0000ffff | 0x80070000;
                                                                          					E000937D3(0x80004005, "uithread.cpp", 0x80, _t79);
                                                                          					_push("Failed to register window.");
                                                                          					goto L14;
                                                                          				} else {
                                                                          					_t79 = 0x8007139f;
                                                                          					L15:
                                                                          					UnregisterClassW(L"WixBurnMessageWindow", _t64[1]);
                                                                          					return _t79;
                                                                          				}
                                                                          			}

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ClassErrorLast$CreateRegisterUnregisterValueWindow
                                                                          • String ID: @Mt$Failed to create window.$Failed to register window.$Unexpected return value from message pump.$WixBurnMessageWindow$uithread.cpp
                                                                          • API String ID: 213125376-1740149921
                                                                          • Opcode ID: 28685af1e48aaa8d6901fc4ca4a53b6e968a7c12b5b030101f30b242928b180d
                                                                          • Instruction ID: 0c8404c6db70280b3b4349e499c497c0febf623b3c2badc0615b9e3168b85fe1
                                                                          • Opcode Fuzzy Hash: 28685af1e48aaa8d6901fc4ca4a53b6e968a7c12b5b030101f30b242928b180d
                                                                          • Instruction Fuzzy Hash: D1418076A01254EFEB209BE5DC44ADEBFE8FF09750F214126FD09EA290D7349900DBA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 56%
                                                                          			E0009F410(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                          				signed int _v8;
                                                                          				signed int _v12;
                                                                          				intOrPtr _t59;
                                                                          				char* _t60;
                                                                          				void* _t64;
                                                                          				void* _t72;
                                                                          
                                                                          				_t57 = __edx;
                                                                          				_t54 = __ecx;
                                                                          				_push(__ecx);
                                                                          				_push(__ecx);
                                                                          				_v12 = _v12 & 0x00000000;
                                                                          				_v8 = _v8 & 0x00000000;
                                                                          				_t59 = _a4;
                                                                          				_t64 = E0009E7CD(__ecx, _t59,  &_v12);
                                                                          				if(_t64 >= 0) {
                                                                          					_t64 = E000D0A88( *((intOrPtr*)(_t59 + 0x4c)), _v12, 0x20006,  &_v8);
                                                                          					if(_t64 >= 0) {
                                                                          						if(E000D1392(__ecx, __edx, _v8, L"ThisVersionInstalled", "Y") >= 0) {
                                                                          							if(E000D1392(__ecx, __edx, _v8, L"PackageName",  *((intOrPtr*)(_t59 + 0x60))) >= 0) {
                                                                          								if(E000D1392(_t54, __edx, _v8, L"PackageVersion",  *((intOrPtr*)(_t59 + 0x64))) >= 0) {
                                                                          									if(E000D1392(_t54, __edx, _v8, L"Publisher",  *((intOrPtr*)(_t59 + 0x68))) >= 0) {
                                                                          										_t40 =  *((intOrPtr*)(_t59 + 0xa4));
                                                                          										if( *((intOrPtr*)(_t59 + 0xa4)) == 0) {
                                                                          											L16:
                                                                          											_t60 = L"ReleaseType";
                                                                          											if(E000D1392(_t54, _t57, _v8, _t60,  *((intOrPtr*)(_t59 + 0xb0))) >= 0) {
                                                                          												_t61 = _a8;
                                                                          												if(E0009EDB1(_t54, _t57, _v8, _a8, L"LogonUser", L"InstalledBy") >= 0) {
                                                                          													if(E0009EDB1(_t54, _t57, _v8, _t61, L"Date", L"InstalledDate") >= 0) {
                                                                          														_t72 = E0009EDB1(_t54, _t57, _v8, _t61, L"InstallerName", L"InstallerName");
                                                                          														if(_t72 >= 0) {
                                                                          															_t72 = E0009EDB1(_t54, _t57, _v8, _t61, L"InstallerVersion", L"InstallerVersion");
                                                                          															if(_t72 < 0) {
                                                                          																_push(L"InstallerVersion");
                                                                          																goto L26;
                                                                          															}
                                                                          														} else {
                                                                          															_push(L"InstallerName");
                                                                          															goto L26;
                                                                          														}
                                                                          													} else {
                                                                          														_push(L"InstalledDate");
                                                                          														goto L26;
                                                                          													}
                                                                          												} else {
                                                                          													_push(L"InstalledBy");
                                                                          													goto L26;
                                                                          												}
                                                                          											} else {
                                                                          												_push(_t60);
                                                                          												goto L26;
                                                                          											}
                                                                          										} else {
                                                                          											_t72 = E000D1392(_t54, _t57, _v8, L"PublishingGroup", _t40);
                                                                          											if(_t72 >= 0) {
                                                                          												goto L16;
                                                                          											} else {
                                                                          												_push(L"PublishingGroup");
                                                                          												goto L26;
                                                                          											}
                                                                          										}
                                                                          									} else {
                                                                          										_push(L"Publisher");
                                                                          										goto L26;
                                                                          									}
                                                                          								} else {
                                                                          									_push(L"PackageVersion");
                                                                          									goto L26;
                                                                          								}
                                                                          							} else {
                                                                          								_push(L"PackageName");
                                                                          								goto L26;
                                                                          							}
                                                                          						} else {
                                                                          							_push(L"ThisVersionInstalled");
                                                                          							L26:
                                                                          							_push("Failed to write %ls value.");
                                                                          							_push(_t72);
                                                                          							E000D012F();
                                                                          						}
                                                                          					} else {
                                                                          						_push("Failed to create the key for update registration.");
                                                                          						goto L2;
                                                                          					}
                                                                          				} else {
                                                                          					_push("Failed to get the formatted key path for update registration.");
                                                                          					L2:
                                                                          					_push(_t64);
                                                                          					E000D012F();
                                                                          				}
                                                                          				if(_v8 != 0) {
                                                                          					RegCloseKey(_v8);
                                                                          					_v8 = _v8 & 0x00000000;
                                                                          				}
                                                                          				if(_v12 != 0) {
                                                                          					E000D54EF(_v12);
                                                                          				}
                                                                          				return _t72;
                                                                          			}










                                                                          APIs
                                                                          • RegCloseKey.ADVAPI32(00000000,00000000,000A0348,InstallerVersion,InstallerVersion,00000000,000A0348,InstallerName,InstallerName,00000000,000A0348,Date,InstalledDate,00000000,000A0348,LogonUser), ref: 0009F5BE
                                                                            • Part of subcall function 000D1392: RegSetValueExW.ADVAPI32(00020006,00020006,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,0009F1C2,00000000,?,00020006), ref: 000D13C5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: CloseValue
                                                                          • String ID: Date$Failed to create the key for update registration.$Failed to get the formatted key path for update registration.$Failed to write %ls value.$InstalledBy$InstalledDate$InstallerName$InstallerVersion$LogonUser$PackageName$PackageVersion$Publisher$PublishingGroup$ReleaseType$ThisVersionInstalled
                                                                          • API String ID: 3132538880-2703781546
                                                                          • Opcode ID: 22f8821337e7d660a47cfee8be670c4ec1f4fa47af7861d695f9833cc8aa551c
                                                                          • Instruction ID: 7e54a9119dc9b9bab2d7302e638c16ee903d74f59635fd3e4ce3b0bbea25b0ee
                                                                          • Opcode Fuzzy Hash: 22f8821337e7d660a47cfee8be670c4ec1f4fa47af7861d695f9833cc8aa551c
                                                                          • Instruction Fuzzy Hash: 8E417831A41BA7BFDF225A51CC02EBE7A699B50710F164261FA00FA392D7619E10F790
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 78%
                                                                          			E000BC517(intOrPtr __ecx, void* __eflags, signed int _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr* _a24) {
                                                                          				signed int _v8;
                                                                          				intOrPtr _t121;
                                                                          				intOrPtr _t176;
                                                                          				intOrPtr* _t190;
                                                                          				intOrPtr* _t197;
                                                                          				intOrPtr _t198;
                                                                          				intOrPtr _t203;
                                                                          				signed int _t206;
                                                                          				intOrPtr _t207;
                                                                          				intOrPtr _t208;
                                                                          				signed int _t209;
                                                                          				signed int _t210;
                                                                          				signed int _t212;
                                                                          				void* _t214;
                                                                          				void* _t220;
                                                                          				signed int _t223;
                                                                          				intOrPtr* _t224;
                                                                          				void* _t225;
                                                                          
                                                                          				_t193 = __ecx;
                                                                          				_push(__ecx);
                                                                          				_v8 = _v8 & 0x00000000;
                                                                          				_t190 = _a24;
                                                                          				_t121 = E000938D4( *(_t190 + 0x80) << 3, 1);
                                                                          				_t212 = _a4;
                                                                          				 *((intOrPtr*)(_t212 + 0x7c)) = _t121;
                                                                          				if(_t121 != 0) {
                                                                          					_t206 = 0;
                                                                          					 *(_t212 + 0x80) =  *(_t190 + 0x80);
                                                                          					_a4 = 0;
                                                                          					if( *(_t190 + 0x80) <= 0) {
                                                                          						L16:
                                                                          						 *(_t212 + 0x14) =  *(_t212 + 0x14) & 0x00000000;
                                                                          						 *((intOrPtr*)(_t212 + 0xa8)) = 1;
                                                                          						 *((intOrPtr*)(_t212 + 0x8c)) =  *((intOrPtr*)(_t190 + 0x8c));
                                                                          						 *((intOrPtr*)(_t212 + 0x40)) =  *((intOrPtr*)(_t190 + 0x40));
                                                                          						 *((intOrPtr*)(_t212 + 0x44)) =  *((intOrPtr*)(_t190 + 0x44));
                                                                          						 *((intOrPtr*)(_t212 + 0x28)) =  *((intOrPtr*)(_t190 + 0x28));
                                                                          						 *((intOrPtr*)(_t212 + 0x2c)) =  *((intOrPtr*)(_t190 + 0x2c));
                                                                          						 *((intOrPtr*)(_t212 + 0x30)) =  *((intOrPtr*)(_t190 + 0x30));
                                                                          						 *((intOrPtr*)(_t212 + 0x34)) =  *((intOrPtr*)(_t190 + 0x34));
                                                                          						 *((intOrPtr*)(_t212 + 0x1c)) =  *((intOrPtr*)(_t190 + 0x1c));
                                                                          						if(E000921A5(_t212,  *_t190, 0) >= 0) {
                                                                          							_t97 = _t212 + 0x24; // 0x124
                                                                          							if(E000921A5(_t97,  *((intOrPtr*)(_t190 + 0x24)), 0) >= 0) {
                                                                          								 *((intOrPtr*)(_t212 + 0xb0)) =  *((intOrPtr*)(_t190 + 0xb0));
                                                                          								if(E000A7C29(_t193,  &_v8,  *_a8,  *((intOrPtr*)(_a8 + 4)),  *((intOrPtr*)(_a8 + 8)),  *((intOrPtr*)(_a8 + 0x1c)), 1, _a16, _a20, _a12,  *((intOrPtr*)(_t135 + 0xc))) >= 0) {
                                                                          									_t109 = _t212 + 0x94; // 0x194
                                                                          									if(E000921A5(_t109, _v8, 0) >= 0) {
                                                                          										_t112 = _t212 + 0x98; // 0x198
                                                                          										_t220 = E000921A5(_t112, _v8, 0);
                                                                          										if(_t220 >= 0) {
                                                                          											_t114 = _t212 + 0x9c; // 0x19c
                                                                          											 *((intOrPtr*)(_t212 + 0xac)) = 1;
                                                                          											_t220 = E000921A5(_t114, _v8, 0);
                                                                          											if(_t220 >= 0) {
                                                                          												 *((intOrPtr*)(_t212 + 0x18)) = 1;
                                                                          											} else {
                                                                          												_push("Failed to copy uninstall arguments for passthrough bundle package");
                                                                          												goto L23;
                                                                          											}
                                                                          										} else {
                                                                          											_push("Failed to copy related arguments for passthrough bundle package");
                                                                          											goto L23;
                                                                          										}
                                                                          									} else {
                                                                          										_push("Failed to copy install arguments for passthrough bundle package");
                                                                          										goto L23;
                                                                          									}
                                                                          								} else {
                                                                          									_push("Failed to recreate command-line arguments.");
                                                                          									goto L23;
                                                                          								}
                                                                          							} else {
                                                                          								_push("Failed to copy cache id for passthrough pseudo bundle.");
                                                                          								goto L23;
                                                                          							}
                                                                          						} else {
                                                                          							_push("Failed to copy key for passthrough pseudo bundle.");
                                                                          							goto L23;
                                                                          						}
                                                                          					} else {
                                                                          						while(1) {
                                                                          							_t223 = _t206 << 3;
                                                                          							_a24 =  *((intOrPtr*)(_t190 + 0x7c)) + _t223;
                                                                          							 *((intOrPtr*)(_t223 +  *((intOrPtr*)(_t212 + 0x7c)))) = E000938D4(0x58, 1);
                                                                          							_t150 =  *((intOrPtr*)(_t212 + 0x7c));
                                                                          							_t207 =  *((intOrPtr*)(_t223 +  *((intOrPtr*)(_t212 + 0x7c))));
                                                                          							if(_t207 == 0) {
                                                                          								break;
                                                                          							}
                                                                          							_t197 = _a24;
                                                                          							 *((intOrPtr*)(_t207 + 4)) =  *((intOrPtr*)( *_t197 + 4));
                                                                          							_t198 =  *_t197;
                                                                          							_t208 =  *((intOrPtr*)(_t223 +  *((intOrPtr*)(_t212 + 0x7c))));
                                                                          							 *((intOrPtr*)(_t208 + 0x10)) =  *((intOrPtr*)(_t198 + 0x10));
                                                                          							 *((intOrPtr*)(_t208 + 0x14)) =  *((intOrPtr*)(_t198 + 0x14));
                                                                          							_t220 = E000921A5( *((intOrPtr*)(_t223 +  *((intOrPtr*)(_t212 + 0x7c)))),  *((intOrPtr*)( *_a24)), 0);
                                                                          							if(_t220 < 0) {
                                                                          								_push("Failed to copy key for passthrough pseudo bundle payload.");
                                                                          								goto L23;
                                                                          							} else {
                                                                          								_t220 = E000921A5( *((intOrPtr*)( *((intOrPtr*)(_t212 + 0x7c)) + _a4 * 8)) + 0x18,  *((intOrPtr*)( *_a24 + 0x18)), 0);
                                                                          								if(_t220 < 0) {
                                                                          									_push("Failed to copy filename for passthrough pseudo bundle.");
                                                                          									goto L23;
                                                                          								} else {
                                                                          									_t220 = E000921A5( *((intOrPtr*)( *((intOrPtr*)(_t212 + 0x7c)) + _a4 * 8)) + 0x38,  *((intOrPtr*)( *_a24 + 0x38)), 0);
                                                                          									if(_t220 < 0) {
                                                                          										_push("Failed to copy local source path for passthrough pseudo bundle.");
                                                                          										goto L23;
                                                                          									} else {
                                                                          										_t224 = _a24;
                                                                          										_t173 =  *_t224;
                                                                          										if( *((intOrPtr*)( *_t224 + 0x40)) == 0) {
                                                                          											L12:
                                                                          											_t174 =  *_t224;
                                                                          											if( *((intOrPtr*)( *_t224 + 0x30)) == 0) {
                                                                          												L15:
                                                                          												_t209 = _a4;
                                                                          												_t193 =  *((intOrPtr*)(_t212 + 0x7c));
                                                                          												 *((intOrPtr*)( *((intOrPtr*)(_t212 + 0x7c)) + 4 + _t209 * 8)) =  *((intOrPtr*)(_t224 + 4));
                                                                          												_t206 = _t209 + 1;
                                                                          												_a4 = _t206;
                                                                          												if(_t206 <  *(_t190 + 0x80)) {
                                                                          													continue;
                                                                          												} else {
                                                                          													goto L16;
                                                                          												}
                                                                          											} else {
                                                                          												_t176 = E000938D4( *((intOrPtr*)(_t174 + 0x34)), 0);
                                                                          												_t210 = _a4;
                                                                          												 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t212 + 0x7c)) + _t210 * 8)) + 0x30)) = _t176;
                                                                          												_t177 =  *((intOrPtr*)(_t212 + 0x7c));
                                                                          												_t203 =  *((intOrPtr*)( *((intOrPtr*)(_t212 + 0x7c)) + _t210 * 8));
                                                                          												if( *((intOrPtr*)(_t203 + 0x30)) == 0) {
                                                                          													_t214 = 0x8007000e;
                                                                          													_t220 = 0x8007000e;
                                                                          													E000937D3(_t177, "pseudobundle.cpp", 0xc9, 0x8007000e);
                                                                          													_push("Failed to allocate memory for pseudo bundle payload hash.");
                                                                          													goto L2;
                                                                          												} else {
                                                                          													 *((intOrPtr*)(_t203 + 0x34)) =  *((intOrPtr*)( *_t224 + 0x34));
                                                                          													E000B1664( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t212 + 0x7c)) + _t210 * 8)) + 0x30)),  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t212 + 0x7c)) + _t210 * 8)) + 0x34)),  *((intOrPtr*)( *_t224 + 0x30)),  *((intOrPtr*)( *_t224 + 0x34)));
                                                                          													_t225 = _t225 + 0x10;
                                                                          													goto L15;
                                                                          												}
                                                                          											}
                                                                          										} else {
                                                                          											_t220 = E000921A5( *((intOrPtr*)( *((intOrPtr*)(_t212 + 0x7c)) + _a4 * 8)) + 0x40,  *((intOrPtr*)(_t173 + 0x40)), 0);
                                                                          											if(_t220 < 0) {
                                                                          												_push("Failed to copy download source for passthrough pseudo bundle.");
                                                                          												L23:
                                                                          												_push(_t220);
                                                                          												goto L3;
                                                                          											} else {
                                                                          												_t224 = _a24;
                                                                          												goto L12;
                                                                          											}
                                                                          										}
                                                                          									}
                                                                          								}
                                                                          							}
                                                                          							goto L36;
                                                                          						}
                                                                          						_t214 = 0x8007000e;
                                                                          						_t220 = 0x8007000e;
                                                                          						E000937D3(_t150, "pseudobundle.cpp", 0xb3, 0x8007000e);
                                                                          						_push("Failed to allocate space for burn payload inside of related bundle struct");
                                                                          						goto L2;
                                                                          					}
                                                                          				} else {
                                                                          					_t214 = 0x8007000e;
                                                                          					_t220 = 0x8007000e;
                                                                          					E000937D3(_t121, "pseudobundle.cpp", 0xab, 0x8007000e);
                                                                          					_push("Failed to allocate space for burn package payload inside of passthrough bundle.");
                                                                          					L2:
                                                                          					_push(_t214);
                                                                          					L3:
                                                                          					E000D012F();
                                                                          				}
                                                                          				L36:
                                                                          				if(_v8 != 0) {
                                                                          					E000D54EF(_v8);
                                                                          				}
                                                                          				return _t220;
                                                                          			}






















                                                                          Strings
                                                                          • Failed to copy filename for passthrough pseudo bundle., xrefs: 000BC761
                                                                          • Failed to copy uninstall arguments for passthrough bundle package, xrefs: 000BC84F
                                                                          • Failed to copy related arguments for passthrough bundle package, xrefs: 000BC825
                                                                          • Failed to recreate command-line arguments., xrefs: 000BC7E6
                                                                          • Failed to allocate space for burn package payload inside of passthrough bundle., xrefs: 000BC557
                                                                          • Failed to allocate memory for pseudo bundle payload hash., xrefs: 000BC750
                                                                          • Failed to copy download source for passthrough pseudo bundle., xrefs: 000BC732
                                                                          • pseudobundle.cpp, xrefs: 000BC54B, 000BC744, 000BC77E
                                                                          • Failed to allocate space for burn payload inside of related bundle struct, xrefs: 000BC78A
                                                                          • Failed to copy key for passthrough pseudo bundle payload., xrefs: 000BC768
                                                                          • Failed to copy local source path for passthrough pseudo bundle., xrefs: 000BC75A
                                                                          • Failed to copy cache id for passthrough pseudo bundle., xrefs: 000BC7A8
                                                                          • Failed to copy install arguments for passthrough bundle package, xrefs: 000BC805
                                                                          • Failed to copy key for passthrough pseudo bundle., xrefs: 000BC72B
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$AllocateProcess
                                                                          • String ID: Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of passthrough bundle.$Failed to allocate space for burn payload inside of related bundle struct$Failed to copy cache id for passthrough pseudo bundle.$Failed to copy download source for passthrough pseudo bundle.$Failed to copy filename for passthrough pseudo bundle.$Failed to copy install arguments for passthrough bundle package$Failed to copy key for passthrough pseudo bundle payload.$Failed to copy key for passthrough pseudo bundle.$Failed to copy local source path for passthrough pseudo bundle.$Failed to copy related arguments for passthrough bundle package$Failed to copy uninstall arguments for passthrough bundle package$Failed to recreate command-line arguments.$pseudobundle.cpp
                                                                          • API String ID: 1357844191-115096447
                                                                          • Opcode ID: 260a1133e8a3df63cc976a5c4ad81a091da69d9c1a131fb223d952d3beaa849c
                                                                          • Instruction ID: 84b7ed5a55a18cff8d729550701fa188a5b91e92ca2029545743f2dc92562bdc
                                                                          • Opcode Fuzzy Hash: 260a1133e8a3df63cc976a5c4ad81a091da69d9c1a131fb223d952d3beaa849c
                                                                          • Instruction Fuzzy Hash: 39B15A75A40616EFEB21DF24C881F99BBA1BF48710F114169FD14AB352CB31E921EF90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 23%
                                                                          			E0009B106(intOrPtr _a4) {
                                                                          				void* _t35;
                                                                          				signed short _t40;
                                                                          				intOrPtr* _t45;
                                                                          				void* _t47;
                                                                          				intOrPtr _t49;
                                                                          				signed int _t50;
                                                                          				signed int _t53;
                                                                          				intOrPtr _t56;
                                                                          				signed int _t57;
                                                                          				intOrPtr* _t61;
                                                                          				signed int _t62;
                                                                          				signed int _t63;
                                                                          				signed int _t64;
                                                                          
                                                                          				_t57 = 0;
                                                                          				_t61 = GetModuleHandleW(0);
                                                                          				if(_t61 != 0) {
                                                                          					if(0x5a4d ==  *_t61) {
                                                                          						_t49 =  *((intOrPtr*)(_t61 + 0x3c));
                                                                          						if( *((intOrPtr*)(_t49 + _t61)) == 0x4550) {
                                                                          							_t5 = _t61 + 0x18; // 0x18
                                                                          							_t45 = _t5 + ( *(_t49 + _t61 + 0x14) & 0x0000ffff) + _t49;
                                                                          							if(E000BF919(_t45, ".wixburn", 8) == 0) {
                                                                          								L13:
                                                                          								if( *((intOrPtr*)(_t45 + 0x10)) >= 0x34) {
                                                                          									_t47 =  *((intOrPtr*)(_t45 + 0xc)) + _t61;
                                                                          									if( *((intOrPtr*)(_t47 + 4)) == 2) {
                                                                          										_t56 = _a4;
                                                                          										_t50 = _t57;
                                                                          										while(1) {
                                                                          											_t26 =  *((intOrPtr*)(_t56 + _t50 * 4));
                                                                          											if( *((intOrPtr*)(_t56 + _t50 * 4)) !=  *((intOrPtr*)(_t47 + 8 + _t50 * 4))) {
                                                                          												break;
                                                                          											}
                                                                          											_t50 = _t50 + 1;
                                                                          											if(_t50 != 4) {
                                                                          												continue;
                                                                          											} else {
                                                                          											}
                                                                          											goto L25;
                                                                          										}
                                                                          										_t62 = 0x8007000d;
                                                                          										_t57 = 0x8007000d;
                                                                          										E000937D3(_t26, "section.cpp", 0x18a, 0x8007000d);
                                                                          										_push("Bundle guid didn\'t match the guid in the PE Header in memory.");
                                                                          										goto L24;
                                                                          									} else {
                                                                          										_t63 = 0x8007000d;
                                                                          										_t57 = 0x8007000d;
                                                                          										E000937D3(_t25, "section.cpp", 0x184, 0x8007000d);
                                                                          										_push( *((intOrPtr*)(_t47 + 4)));
                                                                          										_push("Failed to read section info, unsupported version: %08x");
                                                                          										goto L18;
                                                                          									}
                                                                          								} else {
                                                                          									_t63 = 0x8007000d;
                                                                          									_t57 = 0x8007000d;
                                                                          									E000937D3(_t25, "section.cpp", 0x17a, 0x8007000d);
                                                                          									_push( *((intOrPtr*)(_t45 + 0x10)));
                                                                          									_push("Failed to read section info, data to short: %u");
                                                                          									L18:
                                                                          									_push(_t63);
                                                                          									E000D012F();
                                                                          								}
                                                                          							} else {
                                                                          								_t53 =  *( *((intOrPtr*)(_t61 + 0x3c)) + _t61 + 6) & 0x0000ffff;
                                                                          								_t35 = 1;
                                                                          								while(_t35 < _t53) {
                                                                          									_t45 = _t45 + 0x28;
                                                                          									_t35 = _t35 + 1;
                                                                          									if( *_t45 != 0x7869772e ||  *((intOrPtr*)(_t45 + 4)) != 0x6e727562) {
                                                                          										continue;
                                                                          									} else {
                                                                          										goto L13;
                                                                          									}
                                                                          									goto L25;
                                                                          								}
                                                                          								_t62 = 0x8007000d;
                                                                          								_t57 = 0x8007000d;
                                                                          								E000937D3(_t35, "section.cpp", 0x16e, 0x8007000d);
                                                                          								_push("Failed to find Burn section.");
                                                                          								L24:
                                                                          								_push(_t62);
                                                                          								E000D012F();
                                                                          							}
                                                                          							L25:
                                                                          						} else {
                                                                          							_t64 = 0x8007000d;
                                                                          							_t57 = 0x8007000d;
                                                                          							E000937D3(0x5a4d, "section.cpp", 0x155, 0x8007000d);
                                                                          							_push("Failed to find valid NT image header in buffer.");
                                                                          							goto L5;
                                                                          						}
                                                                          					} else {
                                                                          						_t64 = 0x8007000d;
                                                                          						_t57 = 0x8007000d;
                                                                          						E000937D3(0x5a4d, "section.cpp", 0x14a, 0x8007000d);
                                                                          						_push("Failed to find valid DOS image header in buffer.");
                                                                          						L5:
                                                                          						_push(_t64);
                                                                          						goto L2;
                                                                          					}
                                                                          				} else {
                                                                          					_t40 = GetLastError();
                                                                          					_t60 =  <=  ? _t40 : _t40 & 0x0000ffff | 0x80070000;
                                                                          					_t57 =  >=  ? 0x80004005 :  <=  ? _t40 : _t40 & 0x0000ffff | 0x80070000;
                                                                          					E000937D3(0x80004005, "section.cpp", 0x140, _t57);
                                                                          					_push("Failed to get module handle to process.");
                                                                          					_push(_t57);
                                                                          					L2:
                                                                          					E000D012F();
                                                                          				}
                                                                          				return _t57;
                                                                          			}

















                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(00000000,00000000,00000000,?,0009B9F7,00000008,?,00000000,00000000,?,?,?,00000000,77639EB0,00000000), ref: 0009B10E
                                                                          • GetLastError.KERNEL32(?,0009B9F7,00000008,?,00000000,00000000,?,?,?,00000000,77639EB0,00000000), ref: 0009B11A
                                                                          • _memcmp.LIBVCRUNTIME ref: 0009B1C2
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorHandleLastModule_memcmp
                                                                          • String ID: .wix$.wixburn$@Mt$Bundle guid didn't match the guid in the PE Header in memory.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get module handle to process.$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$burn$section.cpp
                                                                          • API String ID: 3888311042-1519075653
                                                                          • Opcode ID: daa4a6bfeb5658875fb29d4ced13007dd2a7677f7b79ff33822125731b77d851
                                                                          • Instruction ID: fbd6a66927f9ca73e8ad9a3b8bb9f0d7e7f8f06cd0c2ad6e5eb733fae8a3dd77
                                                                          • Opcode Fuzzy Hash: daa4a6bfeb5658875fb29d4ced13007dd2a7677f7b79ff33822125731b77d851
                                                                          • Instruction Fuzzy Hash: 88411772384311B7DF306651ED82F6A7696EF80B30F25402BFA065F6C2DB64C901A7B6
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 50%
                                                                          			E0009A17D(intOrPtr _a4, intOrPtr _a8) {
                                                                          				char _v8;
                                                                          				int _v12;
                                                                          				int _v16;
                                                                          				int _v20;
                                                                          				signed short _t51;
                                                                          				intOrPtr _t55;
                                                                          				signed short _t60;
                                                                          				void* _t64;
                                                                          				void* _t66;
                                                                          				void* _t70;
                                                                          
                                                                          				_t55 = _a4;
                                                                          				_a4 =  *((intOrPtr*)(_t55 + 0x24));
                                                                          				_v8 = 0;
                                                                          				_v12 = 0;
                                                                          				_v16 = 0;
                                                                          				_v20 = 0;
                                                                          				if(E000971CF(_a8,  *((intOrPtr*)(_t55 + 0x1c)),  &_v8, 0) >= 0) {
                                                                          					_t64 = 1;
                                                                          					_t37 =  ==  ? 1 : 0x101;
                                                                          					_t66 = E000D0E3F( *((intOrPtr*)(_t55 + 0x18)), _v8,  ==  ? 1 : 0x101,  &_v16);
                                                                          					if(_t66 < 0) {
                                                                          						_push(_v8);
                                                                          						if(_t66 != 0x80070002) {
                                                                          							_push("Failed to open registry key. Key = \'%ls\'");
                                                                          							_push(_t66);
                                                                          							E000D012F();
                                                                          							_t70 = _t70 + 0xc;
                                                                          							L18:
                                                                          							if(_t66 < 0) {
                                                                          								_push(_t66);
                                                                          								E000D061A(2, "RegistrySearchExists failed: ID \'%ls\', HRESULT 0x%x", _v8);
                                                                          							}
                                                                          							L20:
                                                                          							E00092793(_v8);
                                                                          							E00092793(_v12);
                                                                          							if(_v16 != 0) {
                                                                          								RegCloseKey(_v16);
                                                                          							}
                                                                          							return _t66;
                                                                          						}
                                                                          						_push("Registry key not found. Key = \'%ls\'");
                                                                          						_push(2);
                                                                          						E000D061A();
                                                                          						_t70 = _t70 + 0xc;
                                                                          						L14:
                                                                          						_t64 = 0;
                                                                          						L15:
                                                                          						_t66 = E00098152(_a8,  *((intOrPtr*)(_t55 + 4)), _t64, 0, 0);
                                                                          						if(_t66 >= 0) {
                                                                          							goto L20;
                                                                          						}
                                                                          						_push("Failed to set variable.");
                                                                          						L2:
                                                                          						_push(_t66);
                                                                          						E000D012F();
                                                                          						goto L18;
                                                                          					}
                                                                          					if( *((intOrPtr*)(_t55 + 0x20)) == 0) {
                                                                          						goto L15;
                                                                          					}
                                                                          					_t66 = E000971CF(_a8,  *((intOrPtr*)(_t55 + 0x20)),  &_v12, 0);
                                                                          					if(_t66 >= 0) {
                                                                          						_t51 = RegQueryValueExW(_v16, _v12, 0,  &_v20, 0, 0);
                                                                          						_t60 = _t51;
                                                                          						if(_t60 == 0) {
                                                                          							goto L15;
                                                                          						}
                                                                          						if(_t60 == 0) {
                                                                          							_push(_v12);
                                                                          							E000D061A(2, "Registry value not found. Key = \'%ls\', Value = \'%ls\'", _v8);
                                                                          							_t70 = _t70 + 0x10;
                                                                          							goto L14;
                                                                          						}
                                                                          						if(_t51 == 0) {
                                                                          							goto L15;
                                                                          						}
                                                                          						_t69 =  <=  ? _t51 : _t51 & 0x0000ffff | 0x80070000;
                                                                          						_t66 =  >=  ? 0x80004005 :  <=  ? _t51 : _t51 & 0x0000ffff | 0x80070000;
                                                                          						E000937D3(0x80004005, "search.cpp", 0x322, _t66);
                                                                          						_push("Failed to query registry key value.");
                                                                          						goto L2;
                                                                          					}
                                                                          					_push("Failed to format value string.");
                                                                          					goto L2;
                                                                          				}
                                                                          				_push("Failed to format key string.");
                                                                          				goto L2;
                                                                          			}














                                                                          APIs
                                                                          • _MREFOpen@16.MSPDB140-MSVCRT ref: 0009A1A8
                                                                          • _MREFOpen@16.MSPDB140-MSVCRT ref: 0009A204
                                                                          • RegQueryValueExW.ADVAPI32(000002C0,00000000,00000000,000002C0,00000000,00000000,000002C0,?,00000000,00000000,?,00000000,00000101,000002C0,000002C0,?), ref: 0009A226
                                                                          • RegCloseKey.ADVAPI32(00000000,00000000,00000000,000002C0,00000100,00000000,000002C0), ref: 0009A300
                                                                          Strings
                                                                          • Registry key not found. Key = '%ls', xrefs: 0009A291
                                                                          • Failed to query registry key value., xrefs: 0009A265
                                                                          • search.cpp, xrefs: 0009A25B
                                                                          • Failed to set variable., xrefs: 0009A2B8
                                                                          • Failed to format key string., xrefs: 0009A1B3
                                                                          • Failed to open registry key. Key = '%ls', xrefs: 0009A2C2
                                                                          • RegistrySearchExists failed: ID '%ls', HRESULT 0x%x, xrefs: 0009A2D8
                                                                          • Failed to format value string., xrefs: 0009A20F
                                                                          • Registry value not found. Key = '%ls', Value = '%ls', xrefs: 0009A275
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: Open@16$CloseQueryValue
                                                                          • String ID: Failed to format key string.$Failed to format value string.$Failed to open registry key. Key = '%ls'$Failed to query registry key value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchExists failed: ID '%ls', HRESULT 0x%x$search.cpp
                                                                          • API String ID: 2702208347-46557908
                                                                          • Opcode ID: 5460683f27acd76a1cf03b58dd2084e53ca7d3017fb8702e90eb629b5ead7b38
                                                                          • Instruction ID: 102c4ad8dc3ae556d1ca1a74f0feba7cfb88a1bc41aed405c645ee7203b49d13
                                                                          • Opcode Fuzzy Hash: 5460683f27acd76a1cf03b58dd2084e53ca7d3017fb8702e90eb629b5ead7b38
                                                                          • Instruction Fuzzy Hash: 87419772E40314BBDF216F99CD06FEDBB65EF05710F114166FD08A9292D7728E10A6E2
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 16%
                                                                          			E000A95AC(void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12, intOrPtr _a16) {
                                                                          				intOrPtr _t15;
                                                                          				intOrPtr _t26;
                                                                          				signed short _t27;
                                                                          				intOrPtr _t32;
                                                                          				void* _t34;
                                                                          				void* _t36;
                                                                          				WCHAR* _t37;
                                                                          				intOrPtr _t39;
                                                                          				intOrPtr _t40;
                                                                          
                                                                          				_t36 = __edx;
                                                                          				_t37 = _a12;
                                                                          				_t34 = CreateFileW(_t37, 0x80000000, 5, 0, 3, 0x8000000, 0);
                                                                          				_a12 = _t34;
                                                                          				if(_t34 != 0xffffffff) {
                                                                          					_t15 = _a4;
                                                                          					__eflags =  *((intOrPtr*)(_t15 + 0x20));
                                                                          					if( *((intOrPtr*)(_t15 + 0x20)) == 0) {
                                                                          						__eflags =  *((intOrPtr*)(_t15 + 0x1c));
                                                                          						if( *((intOrPtr*)(_t15 + 0x1c)) == 0) {
                                                                          							__eflags =  *((intOrPtr*)(_t15 + 0x30));
                                                                          							if(__eflags == 0) {
                                                                          								goto L12;
                                                                          							} else {
                                                                          								_t40 = E000A8F8E(_t36, __eflags,  *((intOrPtr*)(_t15 + 0x30)),  *((intOrPtr*)(_t15 + 0x34)), _t37, _t34);
                                                                          								__eflags = _t40;
                                                                          								if(_t40 >= 0) {
                                                                          									goto L12;
                                                                          								} else {
                                                                          									_push(_a8);
                                                                          									_push("Failed to verify payload hash: %ls");
                                                                          									goto L6;
                                                                          								}
                                                                          							}
                                                                          						} else {
                                                                          							_t26 = E000A91F7(_t36, _t15, _t37, _t34);
                                                                          							goto L4;
                                                                          						}
                                                                          					} else {
                                                                          						_t26 = E000AA998(_t36, _t15, _t37, _t34);
                                                                          						L4:
                                                                          						_t40 = _t26;
                                                                          						__eflags = _t40;
                                                                          						if(_t40 >= 0) {
                                                                          							L12:
                                                                          							_t39 = _a16;
                                                                          							_t32 = _a8;
                                                                          							__eflags = _t39;
                                                                          							_push(_t32);
                                                                          							_push(_t37);
                                                                          							_t17 =  ==  ? L"Copying" : L"Moving";
                                                                          							E000D061A(2, "%ls payload from working path \'%ls\' to path \'%ls\'",  ==  ? L"Copying" : L"Moving");
                                                                          							_push(0x7d0);
                                                                          							_push(3);
                                                                          							_push(1);
                                                                          							__eflags = _t39;
                                                                          							if(_t39 == 0) {
                                                                          								_push(_t32);
                                                                          								_push(_t37);
                                                                          								_t40 = E000D3FE7();
                                                                          								__eflags = _t40;
                                                                          								if(_t40 < 0) {
                                                                          									_push(_t32);
                                                                          									_push(_t37);
                                                                          									_push("Failed to copy %ls to %ls");
                                                                          									goto L17;
                                                                          								}
                                                                          							} else {
                                                                          								_push(1);
                                                                          								_push(_t32);
                                                                          								_push(_t37);
                                                                          								_t40 = E000D41D1();
                                                                          								__eflags = _t40;
                                                                          								if(_t40 < 0) {
                                                                          									_push(_t32);
                                                                          									_push(_t37);
                                                                          									_push("Failed to move %ls to %ls");
                                                                          									L17:
                                                                          									_push(_t40);
                                                                          									E000D012F();
                                                                          								}
                                                                          							}
                                                                          						} else {
                                                                          							_push(_a8);
                                                                          							_push("Failed to verify payload signature: %ls");
                                                                          							L6:
                                                                          							_push(_t40);
                                                                          							E000D012F();
                                                                          						}
                                                                          					}
                                                                          					CloseHandle(_a12);
                                                                          				} else {
                                                                          					_t27 = GetLastError();
                                                                          					_t43 =  <=  ? _t27 : _t27 & 0x0000ffff | 0x80070000;
                                                                          					_t40 =  >=  ? 0x80004005 :  <=  ? _t27 : _t27 & 0x0000ffff | 0x80070000;
                                                                          					E000937D3(0x80004005, "cache.cpp", 0x56b, _t40);
                                                                          					E000D012F(_t40, "Failed to open payload in working path: %ls", _t37);
                                                                          				}
                                                                          				return _t40;
                                                                          			}

                                                                          APIs
                                                                          • CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,08000000,00000000,?,00000000,?,000AA63D,?,00000000,?,?,000BB049), ref: 000A95C7
                                                                          • GetLastError.KERNEL32(?,000AA63D,?,00000000,?,?,000BB049,?,00000000,?,00000000,?,?,000BB049,?), ref: 000A95D7
                                                                          • CloseHandle.KERNEL32(?,000BB049,00000001,00000003,000007D0,?,?,000BB049,?), ref: 000A96E4
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: CloseCreateErrorFileHandleLast
                                                                          • String ID: %ls payload from working path '%ls' to path '%ls'$@Mt$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open payload in working path: %ls$Failed to verify payload hash: %ls$Failed to verify payload signature: %ls$Moving$cache.cpp
                                                                          • API String ID: 2528220319-494904194
                                                                          • Opcode ID: d2b5318bbc4bc61bb2b43ef11fc6fe8a2d65033b8dbf97e7a6ad3b0658a2fceb
                                                                          • Instruction ID: ef2e0adcfa4e13aa3cc10a47ada596239268a876bc5c5e8ba709f43a38345df9
                                                                          • Opcode Fuzzy Hash: d2b5318bbc4bc61bb2b43ef11fc6fe8a2d65033b8dbf97e7a6ad3b0658a2fceb
                                                                          • Instruction Fuzzy Hash: F931D471F40764BFEB312AA68C06FAF3A5CDF42B50F01015AFE09BB292D6619D0086F5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 57%
                                                                          			E000B1341(void* __ebx, char _a4) {
                                                                          				signed short _t30;
                                                                          				signed short _t34;
                                                                          				void* _t37;
                                                                          				void* _t42;
                                                                          				intOrPtr _t49;
                                                                          
                                                                          				_t37 = __ebx;
                                                                          				_t1 =  &_a4; // 0x9533d
                                                                          				_t49 =  *_t1;
                                                                          				_t42 = 0;
                                                                          				if( *(_t49 + 0x20) != 0) {
                                                                          					 *((intOrPtr*)(_t49 + 0x2c)) = 5;
                                                                          					if(SetEvent( *(_t49 + 0x24)) != 0) {
                                                                          						if(WaitForSingleObject( *(_t49 + 0x20), 0xffffffff) != 0) {
                                                                          							_t30 = GetLastError();
                                                                          							_t45 =  <=  ? _t30 : _t30 & 0x0000ffff | 0x80070000;
                                                                          							_t42 =  >=  ? 0x80004005 :  <=  ? _t30 : _t30 & 0x0000ffff | 0x80070000;
                                                                          							E000937D3(0x80004005, "cabextract.cpp", 0x10b, _t42);
                                                                          							_push("Failed to wait for thread to terminate.");
                                                                          							goto L5;
                                                                          						}
                                                                          					} else {
                                                                          						_t34 = GetLastError();
                                                                          						_t48 =  <=  ? _t34 : _t34 & 0x0000ffff | 0x80070000;
                                                                          						_t42 =  >=  ? 0x80004005 :  <=  ? _t34 : _t34 & 0x0000ffff | 0x80070000;
                                                                          						E000937D3(0x80004005, "cabextract.cpp", 0x105, _t42);
                                                                          						_push("Failed to set begin operation event.");
                                                                          						L5:
                                                                          						_push(_t42);
                                                                          						E000D012F();
                                                                          					}
                                                                          				}
                                                                          				_push(_t37);
                                                                          				if( *(_t49 + 0x20) != 0) {
                                                                          					CloseHandle( *(_t49 + 0x20));
                                                                          					 *(_t49 + 0x20) =  *(_t49 + 0x20) & 0x00000000;
                                                                          				}
                                                                          				if( *(_t49 + 0x24) != 0) {
                                                                          					CloseHandle( *(_t49 + 0x24));
                                                                          					 *(_t49 + 0x24) =  *(_t49 + 0x24) & 0x00000000;
                                                                          				}
                                                                          				if( *(_t49 + 0x28) != 0) {
                                                                          					CloseHandle( *(_t49 + 0x28));
                                                                          					 *(_t49 + 0x28) =  *(_t49 + 0x28) & 0x00000000;
                                                                          				}
                                                                          				if( *((intOrPtr*)(_t49 + 0x4c)) != 0) {
                                                                          					E00093999( *((intOrPtr*)(_t49 + 0x4c)));
                                                                          				}
                                                                          				if( *((intOrPtr*)(_t49 + 0x1c)) != 0) {
                                                                          					E000D54EF( *((intOrPtr*)(_t49 + 0x1c)));
                                                                          				}
                                                                          				return _t42;
                                                                          			}

                                                                          APIs
                                                                          • SetEvent.KERNEL32(000DB468,=S,00000000,?,0009C06D,=S,000952B5,00000000,?,000A763B,?,00095565,00095371,00095371,00000000,?), ref: 000B135E
                                                                          • GetLastError.KERNEL32(?,0009C06D,=S,000952B5,00000000,?,000A763B,?,00095565,00095371,00095371,00000000,?,00095381,FFF9E89D,00095381), ref: 000B1368
                                                                          • WaitForSingleObject.KERNEL32(000DB478,000000FF,?,0009C06D,=S,000952B5,00000000,?,000A763B,?,00095565,00095371,00095371,00000000,?,00095381), ref: 000B13A2
                                                                          • GetLastError.KERNEL32(?,0009C06D,=S,000952B5,00000000,?,000A763B,?,00095565,00095371,00095371,00000000,?,00095381,FFF9E89D,00095381), ref: 000B13AC
                                                                          • CloseHandle.KERNEL32(00000000,00095381,=S,00000000,?,0009C06D,=S,000952B5,00000000,?,000A763B,?,00095565,00095371,00095371,00000000), ref: 000B13F7
                                                                          • CloseHandle.KERNEL32(00000000,00095381,=S,00000000,?,0009C06D,=S,000952B5,00000000,?,000A763B,?,00095565,00095371,00095371,00000000), ref: 000B1406
                                                                          • CloseHandle.KERNEL32(00000000,00095381,=S,00000000,?,0009C06D,=S,000952B5,00000000,?,000A763B,?,00095565,00095371,00095371,00000000), ref: 000B1415
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: CloseHandle$ErrorLast$EventObjectSingleWait
                                                                          • String ID: =S$=S$@Mt$Failed to set begin operation event.$Failed to wait for thread to terminate.$cabextract.cpp
                                                                          • API String ID: 1206859064-3556682624
                                                                          • Opcode ID: 1bf8e9a85219a8446fff98166bda30838cea0328a2e1536328ca4e1194bb2ffc
                                                                          • Instruction ID: 76788f07bff9c466d7c4e21a15c84229a5981cd91ce99dee3b3f65303618d307
                                                                          • Opcode Fuzzy Hash: 1bf8e9a85219a8446fff98166bda30838cea0328a2e1536328ca4e1194bb2ffc
                                                                          • Instruction Fuzzy Hash: BB219132200700DBE7315B26DC49BE777F6FF88712F01062EE99A919A0EB79E441DA35
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,08000000,00000000,?,00000000,?,000AA5CE,?,00000000,?,?,000BB041), ref: 000A94B1
                                                                          • GetLastError.KERNEL32(?,000AA5CE,?,00000000,?,?,000BB041,?,00000000,?,00000000,?,?,000BB041,?), ref: 000A94BF
                                                                          • CloseHandle.KERNEL32(?,000BB041,00000001,00000003,000007D0,?,?,000BB041,?), ref: 000A959E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: CloseCreateErrorFileHandleLast
                                                                          • String ID: %ls container from working path '%ls' to path '%ls'$@Mt$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open container in working path: %ls$Failed to verify container hash: %ls$Moving$cache.cpp
                                                                          • API String ID: 2528220319-3178167427
                                                                          • Opcode ID: 564d805d07690bf22e5ac6b85a9699bd099c2970f16729d5a70e29c0b203b54a
                                                                          • Instruction ID: 9e94df199c78477cf65d9358b2833e3fdf64ef7cdda1a4ce946b0bf51b341d1f
                                                                          • Opcode Fuzzy Hash: 564d805d07690bf22e5ac6b85a9699bd099c2970f16729d5a70e29c0b203b54a
                                                                          • Instruction Fuzzy Hash: 5A21E671F80764BFE72219BA9C47FAB3658DF52B50F010159FE09BE2C1D2A19D1086F5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 78%
                                                                          			E000D43A6(signed short _a4, signed short* _a8, long _a12, long _a16, long _a20, signed short _a24, signed short _a28) {
                                                                          				void* _v8;
                                                                          				signed short _v12;
                                                                          				char _v16;
                                                                          				WCHAR* _t36;
                                                                          				signed short _t38;
                                                                          				void* _t41;
                                                                          				signed short _t45;
                                                                          				signed short _t49;
                                                                          				signed short _t50;
                                                                          				long _t60;
                                                                          				signed short _t61;
                                                                          				signed short _t65;
                                                                          				signed short _t68;
                                                                          				signed short _t73;
                                                                          				intOrPtr _t76;
                                                                          				void* _t77;
                                                                          				long _t78;
                                                                          				signed short _t82;
                                                                          				long _t83;
                                                                          				signed short _t85;
                                                                          				void* _t86;
                                                                          				signed short* _t87;
                                                                          				signed short _t88;
                                                                          				signed short _t91;
                                                                          				signed short _t96;
                                                                          				signed short _t97;
                                                                          
                                                                          				_t83 = 0;
                                                                          				_v16 = 0;
                                                                          				_v12 = 0;
                                                                          				if(_a8 != 0) {
                                                                          					__eflags = _a4;
                                                                          					if(_a4 != 0) {
                                                                          						_t36 = _a12;
                                                                          						__eflags = _t36;
                                                                          						if(_t36 != 0) {
                                                                          							__eflags = 0 -  *_t36;
                                                                          							if(0 !=  *_t36) {
                                                                          								_t86 = CreateFileW(_t36, 0x80000000, 5, 0, 3, 0x8000080, 0);
                                                                          								_v8 = _t86;
                                                                          								__eflags = _t86 - 0xffffffff;
                                                                          								if(_t86 != 0xffffffff) {
                                                                          									L14:
                                                                          									_t38 =  &_v16;
                                                                          									__imp__GetFileSizeEx(_t86, _t38);
                                                                          									__eflags = _t38;
                                                                          									if(_t38 != 0) {
                                                                          										__eflags = _a16 - _t83;
                                                                          										if(_a16 == _t83) {
                                                                          											L25:
                                                                          											__eflags = _a28;
                                                                          											if(_a28 == 0) {
                                                                          												_t76 = _v16;
                                                                          												_t39 = _v12;
                                                                          												_t73 = _t76 - _t83;
                                                                          												_t77 = _t76 - _t83;
                                                                          												_push(0);
                                                                          												_pop(0);
                                                                          												asm("sbb eax, edi");
                                                                          												__eflags = 0 - _v12;
                                                                          												if(__eflags > 0) {
                                                                          													L27:
                                                                          													_t87 = _a4;
                                                                          													__eflags =  *_t87;
                                                                          													if( *_t87 == 0) {
                                                                          														__eflags = _t73;
                                                                          														if(_t73 == 0) {
                                                                          															L30:
                                                                          															_t88 = 0;
                                                                          															 *_a8 = 0;
                                                                          															L51:
                                                                          															_t41 = _v8;
                                                                          															__eflags = _t41 - 0xffffffff;
                                                                          															if(_t41 != 0xffffffff) {
                                                                          																CloseHandle(_t41);
                                                                          															}
                                                                          															L53:
                                                                          															goto L54;
                                                                          														}
                                                                          														_t85 = E000938D4(_t73, 1);
                                                                          														__eflags = _t85;
                                                                          														if(_t85 != 0) {
                                                                          															L40:
                                                                          															_t78 = 0;
                                                                          															_t45 = 0;
                                                                          															_a12 = 0;
                                                                          															_a24 = 0;
                                                                          															while(1) {
                                                                          																_a16 = _t78;
                                                                          																_t88 = E000D3D92(_t73, _t45,  &_a16);
                                                                          																__eflags = _t88;
                                                                          																if(_t88 < 0) {
                                                                          																	break;
                                                                          																}
                                                                          																_t49 = ReadFile(_v8, _a24 + _t85, _a16,  &_a12, 0);
                                                                          																__eflags = _t49;
                                                                          																if(_t49 == 0) {
                                                                          																	_t50 = GetLastError();
                                                                          																	__eflags = _t50;
                                                                          																	_t91 =  <=  ? _t50 : _t50 & 0x0000ffff | 0x80070000;
                                                                          																	__eflags = _t91;
                                                                          																	_t88 =  >=  ? 0x80004005 : _t91;
                                                                          																	E000937D3(0x80004005, "fileutil.cpp", 0x399, _t88);
                                                                          																	break;
                                                                          																}
                                                                          																_t45 = _a24 + _a12;
                                                                          																__eflags = _a12;
                                                                          																_a24 = _t45;
                                                                          																if(_a12 != 0) {
                                                                          																	_t78 = 0;
                                                                          																	__eflags = 0;
                                                                          																	continue;
                                                                          																}
                                                                          																__eflags = _t45 - _t73;
                                                                          																if(_t45 == _t73) {
                                                                          																	 *_a4 = _t85;
                                                                          																	_t85 = 0;
                                                                          																	 *_a8 = _t73;
                                                                          																} else {
                                                                          																	_t88 = 0x8000ffff;
                                                                          																}
                                                                          																break;
                                                                          															}
                                                                          															__eflags = _t85;
                                                                          															if(_t85 != 0) {
                                                                          																E00093999(_t85);
                                                                          															}
                                                                          															goto L51;
                                                                          														}
                                                                          														_t39 = 0x8007000e;
                                                                          														_push(0x8007000e);
                                                                          														_t88 = 0x8007000e;
                                                                          														_push(0x38c);
                                                                          														L16:
                                                                          														_push("fileutil.cpp");
                                                                          														E000937D3(_t39);
                                                                          														goto L51;
                                                                          													}
                                                                          													__eflags = _t73;
                                                                          													if(_t73 != 0) {
                                                                          														_t85 = E00093A72( *_t87, _t73, 1);
                                                                          														__eflags = _t85;
                                                                          														if(_t85 != 0) {
                                                                          															goto L40;
                                                                          														}
                                                                          														_t39 = 0x8007000e;
                                                                          														_push(0x8007000e);
                                                                          														_t88 = 0x8007000e;
                                                                          														_push(0x37f);
                                                                          														goto L16;
                                                                          													}
                                                                          													E00093999( *_t87);
                                                                          													 *_t87 = 0;
                                                                          													goto L30;
                                                                          												}
                                                                          												if(__eflags < 0) {
                                                                          													L34:
                                                                          													_t88 = 0x8007007a;
                                                                          													_push(0x8007007a);
                                                                          													_push(0x371);
                                                                          													goto L16;
                                                                          												}
                                                                          												__eflags = _a24 - _t77;
                                                                          												if(_a24 >= _t77) {
                                                                          													goto L27;
                                                                          												}
                                                                          												goto L34;
                                                                          											}
                                                                          											_t73 = _a24;
                                                                          											__eflags = 0;
                                                                          											goto L27;
                                                                          										}
                                                                          										_t83 = _a20;
                                                                          										__eflags = 0 - _v12;
                                                                          										if(__eflags < 0) {
                                                                          											L22:
                                                                          											_t60 = SetFilePointer(_t86, _t83, 0, 1);
                                                                          											__eflags = _t60 - 0xffffffff;
                                                                          											if(_t60 != 0xffffffff) {
                                                                          												goto L25;
                                                                          											}
                                                                          											_t39 = GetLastError();
                                                                          											__eflags = _t39;
                                                                          											_t88 =  <=  ? _t39 : _t39 & 0x0000ffff | 0x80070000;
                                                                          											__eflags = _t88;
                                                                          											if(_t88 >= 0) {
                                                                          												goto L25;
                                                                          											}
                                                                          											_push(_t88);
                                                                          											_push(0x35f);
                                                                          											goto L16;
                                                                          										}
                                                                          										if(__eflags > 0) {
                                                                          											L21:
                                                                          											_t88 = 0x80070057;
                                                                          											goto L51;
                                                                          										}
                                                                          										__eflags = _t83 - _v16;
                                                                          										if(_t83 <= _v16) {
                                                                          											goto L22;
                                                                          										}
                                                                          										goto L21;
                                                                          									}
                                                                          									_t61 = GetLastError();
                                                                          									__eflags = _t61;
                                                                          									_t96 =  <=  ? _t61 : _t61 & 0x0000ffff | 0x80070000;
                                                                          									_t39 = 0x80004005;
                                                                          									__eflags = _t96;
                                                                          									_t88 =  >=  ? 0x80004005 : _t96;
                                                                          									_push(_t88);
                                                                          									_push(0x351);
                                                                          									goto L16;
                                                                          								}
                                                                          								_t82 = GetLastError();
                                                                          								_t88 = 0x80070002;
                                                                          								__eflags = _t82;
                                                                          								_t65 =  <=  ? _t82 : _t82 & 0x0000ffff | 0x80070000;
                                                                          								__eflags = _t65 - 0x80070002;
                                                                          								if(_t65 == 0x80070002) {
                                                                          									goto L53;
                                                                          								}
                                                                          								__eflags = _t82;
                                                                          								if(_t82 == 0) {
                                                                          									_t86 = _v8;
                                                                          									goto L14;
                                                                          								}
                                                                          								_t97 = _t65;
                                                                          								__eflags = _t97;
                                                                          								_t88 =  >=  ? 0x80004005 : _t97;
                                                                          								E000937D3(0x80004005, "fileutil.cpp", 0x34c, _t88);
                                                                          								goto L53;
                                                                          							}
                                                                          							_t68 = 0x80070057;
                                                                          							_push(0x80070057);
                                                                          							_push(0x342);
                                                                          							goto L2;
                                                                          						}
                                                                          						_t68 = 0x80070057;
                                                                          						_push(0x80070057);
                                                                          						_push(0x341);
                                                                          					} else {
                                                                          						_t68 = 0x80070057;
                                                                          						_push(0x80070057);
                                                                          						_push(0x340);
                                                                          					}
                                                                          					goto L2;
                                                                          				} else {
                                                                          					_t68 = 0x80070057;
                                                                          					_push(0x80070057);
                                                                          					_push(0x33f);
                                                                          					L2:
                                                                          					_push("fileutil.cpp");
                                                                          					_t88 = _t68;
                                                                          					E000937D3(_t68);
                                                                          					L54:
                                                                          					return _t88;
                                                                          				}
                                                                          			}






























                                                                          APIs
                                                                          • CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000080,00000000,?,?,00000000,?,00000000,?,?,?), ref: 000D4425
                                                                          • GetLastError.KERNEL32 ref: 000D443B
                                                                          • GetFileSizeEx.KERNEL32(00000000,?), ref: 000D4486
                                                                          • GetLastError.KERNEL32 ref: 000D4490
                                                                          • CloseHandle.KERNEL32(?), ref: 000D4650
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLast$CloseCreateHandleSize
                                                                          • String ID: @Mt$fileutil.cpp
                                                                          • API String ID: 3555958901-3352924005
                                                                          • Opcode ID: 553ff599fb0d0ccd12ec7c1afccce719a218de0989fcbb0d169805b02eca292e
                                                                          • Instruction ID: a0c6ce99892fb9681b3e19d958cd5a33467d2413078ff3453fdd189042a6a0b5
                                                                          • Opcode Fuzzy Hash: 553ff599fb0d0ccd12ec7c1afccce719a218de0989fcbb0d169805b02eca292e
                                                                          • Instruction Fuzzy Hash: DD71CF71A00715ABEF319E699C44BAF76E8EF40760F15412BFD1AEB380D675CE009AB1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 57%
                                                                          			E000AE3F4(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                          				long _v8;
                                                                          				int _v12;
                                                                          				void* _v16;
                                                                          				intOrPtr _v20;
                                                                          				intOrPtr _v24;
                                                                          				intOrPtr _v28;
                                                                          				void _v32;
                                                                          				void* _t23;
                                                                          				void* _t29;
                                                                          				int _t31;
                                                                          				void* _t47;
                                                                          
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				_v16 = 0;
                                                                          				_v12 = 0;
                                                                          				_v8 = 0;
                                                                          				_t23 = CreateEventW(0, 1, 0, 0);
                                                                          				_v16 = _t23;
                                                                          				if(_t23 != 0) {
                                                                          					_v32 = _t23;
                                                                          					_v28 = _a4;
                                                                          					_v24 = _a8;
                                                                          					_v20 = _a12;
                                                                          					_t29 = CreateThread(0, 0, E000AE177,  &_v32, 0,  &_v8);
                                                                          					_v12 = _t29;
                                                                          					if(_t29 != 0) {
                                                                          						_t31 = WaitForMultipleObjects(2,  &_v16, 0, 0xffffffff);
                                                                          					} else {
                                                                          						_t46 =  <=  ? GetLastError() : _t33 & 0x0000ffff | 0x80070000;
                                                                          						_t47 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t33 & 0x0000ffff | 0x80070000;
                                                                          						E000937D3(0x80004005, "splashscreen.cpp", 0x42, _t47);
                                                                          						_push("Failed to create UI thread.");
                                                                          						goto L2;
                                                                          					}
                                                                          				} else {
                                                                          					_t50 =  <=  ? GetLastError() : _t36 & 0x0000ffff | 0x80070000;
                                                                          					_t47 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t36 & 0x0000ffff | 0x80070000;
                                                                          					E000937D3(0x80004005, "splashscreen.cpp", 0x39, _t47);
                                                                          					_push("Failed to create modal event.");
                                                                          					L2:
                                                                          					_push(_t47);
                                                                          					_t31 = E000D012F();
                                                                          				}
                                                                          				if(_v12 != 0) {
                                                                          					_t31 = CloseHandle(_v12);
                                                                          					_v12 = 0;
                                                                          				}
                                                                          				if(_v16 != 0) {
                                                                          					return CloseHandle(_v16);
                                                                          				}
                                                                          				return _t31;
                                                                          			}















                                                                          APIs
                                                                          • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,00000000,?,?,00095386,?,?), ref: 000AE415
                                                                          • GetLastError.KERNEL32(?,?,00095386,?,?), ref: 000AE422
                                                                          • CreateThread.KERNEL32 ref: 000AE481
                                                                          • GetLastError.KERNEL32(?,?,00095386,?,?), ref: 000AE48E
                                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00095386,?,?), ref: 000AE4C9
                                                                          • CloseHandle.KERNEL32(?,?,?,00095386,?,?), ref: 000AE4DD
                                                                          • CloseHandle.KERNEL32(?,?,?,00095386,?,?), ref: 000AE4EA
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
                                                                          • String ID: @Mt$Failed to create UI thread.$Failed to create modal event.$splashscreen.cpp
                                                                          • API String ID: 2351989216-3303989277
                                                                          • Opcode ID: a31e3d0d5b0a3db58c27901950033b64f204b6cb76e68ef83594aae7608cac59
                                                                          • Instruction ID: 6d94f0a2dc244f1efe2ecfa4d8126e7d14cfb3c62c1dd0eaa85224a05e13a537
                                                                          • Opcode Fuzzy Hash: a31e3d0d5b0a3db58c27901950033b64f204b6cb76e68ef83594aae7608cac59
                                                                          • Instruction Fuzzy Hash: 90317075D01259BFEB109BA9DC05AAFBBF8EB49710F11412AFD14F6250D7344A008AA0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 55%
                                                                          			E000B1224(intOrPtr _a4) {
                                                                          				long _v8;
                                                                          				void* _v12;
                                                                          				void* _v16;
                                                                          				long _t20;
                                                                          				intOrPtr _t50;
                                                                          
                                                                          				_t50 = _a4;
                                                                          				_v16 =  *(_t50 + 0x28);
                                                                          				_v12 =  *(_t50 + 0x20);
                                                                          				_v8 = 0;
                                                                          				_t20 = WaitForMultipleObjects(2,  &_v16, 0, 0xffffffff);
                                                                          				if(_t20 == 0) {
                                                                          					if(ResetEvent( *(_t50 + 0x28)) != 0) {
                                                                          						 *((intOrPtr*)(_t50 + 0x2c)) = 0;
                                                                          					} else {
                                                                          						_t37 =  <=  ? GetLastError() : _t23 & 0x0000ffff | 0x80070000;
                                                                          						_t38 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t23 & 0x0000ffff | 0x80070000;
                                                                          						_v8 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t23 & 0x0000ffff | 0x80070000;
                                                                          						E000937D3(0x80004005, "cabextract.cpp", 0x13e, _t38);
                                                                          						_push("Failed to reset operation complete event.");
                                                                          						goto L7;
                                                                          					}
                                                                          				} else {
                                                                          					if(_t20 == 1) {
                                                                          						if(GetExitCodeThread( *(_t50 + 0x20),  &_v8) == 0) {
                                                                          							_t43 =  <=  ? GetLastError() : _t29 & 0x0000ffff | 0x80070000;
                                                                          							_t44 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t29 & 0x0000ffff | 0x80070000;
                                                                          							_v8 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t29 & 0x0000ffff | 0x80070000;
                                                                          							E000937D3(0x80004005, "cabextract.cpp", 0x145, _t44);
                                                                          							_push("Failed to get extraction thread exit code.");
                                                                          							goto L7;
                                                                          						}
                                                                          					} else {
                                                                          						_t47 =  <=  ? GetLastError() : _t32 & 0x0000ffff | 0x80070000;
                                                                          						_t48 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t32 & 0x0000ffff | 0x80070000;
                                                                          						_v8 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t32 & 0x0000ffff | 0x80070000;
                                                                          						E000937D3(0x80004005, "cabextract.cpp", 0x14b, _t48);
                                                                          						_push("Failed to wait for operation complete event.");
                                                                          						L7:
                                                                          						_push(_v8);
                                                                          						E000D012F();
                                                                          					}
                                                                          				}
                                                                          				return _v8;
                                                                          			}









                                                                          APIs
                                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,74E5F5E0,?,?,000952FD,000952B5,00000000,0009533D), ref: 000B1249
                                                                          • GetLastError.KERNEL32 ref: 000B125C
                                                                          • GetExitCodeThread.KERNEL32(000DB478,?), ref: 000B129E
                                                                          • GetLastError.KERNEL32 ref: 000B12AC
                                                                          • ResetEvent.KERNEL32(000DB450), ref: 000B12E7
                                                                          • GetLastError.KERNEL32 ref: 000B12F1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
                                                                          • String ID: @Mt$Failed to get extraction thread exit code.$Failed to reset operation complete event.$Failed to wait for operation complete event.$cabextract.cpp
                                                                          • API String ID: 2979751695-3863148819
                                                                          • Opcode ID: 3b40c8346b5c2faf6a0a9f9b955f0acc338cf91a36d56844996f0ca6b010891a
                                                                          • Instruction ID: f53686bf4ddc5db24c92e0e8672d6be22965dfc42c4d4951764b6c555765c0bc
                                                                          • Opcode Fuzzy Hash: 3b40c8346b5c2faf6a0a9f9b955f0acc338cf91a36d56844996f0ca6b010891a
                                                                          • Instruction Fuzzy Hash: 5421C171700304EFEB149B7A9D56AFEBBE8EF09710F40412FB956E61A0E734DA009A24
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 18%
                                                                          			E0009D5C0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                          				struct HINSTANCE__* _t9;
                                                                          				signed short _t15;
                                                                          				signed short _t18;
                                                                          				intOrPtr* _t21;
                                                                          				intOrPtr _t24;
                                                                          				void* _t25;
                                                                          
                                                                          				_t24 = _a4;
                                                                          				_t2 = _t24 + 4; // 0x69006e
                                                                          				_t9 = LoadLibraryW( *( *_t2 + 0x50));
                                                                          				 *(_t24 + 0xc) = _t9;
                                                                          				if(_t9 != 0) {
                                                                          					_t21 = GetProcAddress(_t9, "BootstrapperApplicationCreate");
                                                                          					if(_t21 != 0) {
                                                                          						_t5 = _t24 + 0x10; // 0xdb4a0
                                                                          						_t25 =  *_t21(_a8, _a12, _t5);
                                                                          						if(_t25 < 0) {
                                                                          							_push("Failed to create UX.");
                                                                          							goto L6;
                                                                          						}
                                                                          					} else {
                                                                          						_t15 = GetLastError();
                                                                          						_t28 =  <=  ? _t15 : _t15 & 0x0000ffff | 0x80070000;
                                                                          						_t25 =  >=  ? 0x80004005 :  <=  ? _t15 : _t15 & 0x0000ffff | 0x80070000;
                                                                          						E000937D3(0x80004005, "userexperience.cpp", 0x5d, _t25);
                                                                          						_push("Failed to get BootstrapperApplicationCreate entry-point");
                                                                          						goto L6;
                                                                          					}
                                                                          				} else {
                                                                          					_t18 = GetLastError();
                                                                          					_t31 =  <=  ? _t18 : _t18 & 0x0000ffff | 0x80070000;
                                                                          					_t25 =  >=  ? 0x80004005 :  <=  ? _t18 : _t18 & 0x0000ffff | 0x80070000;
                                                                          					E000937D3(0x80004005, "userexperience.cpp", 0x59, _t25);
                                                                          					_push("Failed to load UX DLL.");
                                                                          					L6:
                                                                          					_push(_t25);
                                                                          					E000D012F();
                                                                          				}
                                                                          				return _t25;
                                                                          			}










                                                                          APIs
                                                                          • LoadLibraryW.KERNEL32(?,00000000,?,000946F8,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00095386,?,?), ref: 0009D5CD
                                                                          • GetLastError.KERNEL32(?,000946F8,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00095386,?,?), ref: 0009D5DA
                                                                          • GetProcAddress.KERNEL32(00000000,BootstrapperApplicationCreate), ref: 0009D612
                                                                          • GetLastError.KERNEL32(?,000946F8,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00095386,?,?), ref: 0009D61E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast$AddressLibraryLoadProc
                                                                          • String ID: @Mt$BootstrapperApplicationCreate$Failed to create UX.$Failed to get BootstrapperApplicationCreate entry-point$Failed to load UX DLL.$userexperience.cpp$wininet.dll
                                                                          • API String ID: 1866314245-1212135836
                                                                          • Opcode ID: 51f5f73665564e35fc6c08ddc87cc42a92ed93f87fabe80e68d882296b6e4295
                                                                          • Instruction ID: 289c8c92459dad57aeb8b9cfa770bdb509f1301efd68394c63b68d67c6d1aa49
                                                                          • Opcode Fuzzy Hash: 51f5f73665564e35fc6c08ddc87cc42a92ed93f87fabe80e68d882296b6e4295
                                                                          • Instruction Fuzzy Hash: 4911C636A81722ABEB215BA99C05F6777D4DF05750F02813BFE0AE7690DB25CC009AF4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 60%
                                                                          			E000A91F7(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                          				signed int _v8;
                                                                          				intOrPtr _v12;
                                                                          				intOrPtr _v16;
                                                                          				intOrPtr _v20;
                                                                          				char _v24;
                                                                          				signed int _v28;
                                                                          				void* _v32;
                                                                          				char _v36;
                                                                          				intOrPtr _v40;
                                                                          				intOrPtr _v44;
                                                                          				signed int _v52;
                                                                          				intOrPtr _v64;
                                                                          				void* _v68;
                                                                          				intOrPtr _v72;
                                                                          				intOrPtr _v80;
                                                                          				char _v92;
                                                                          				signed int _v100;
                                                                          				void* _v104;
                                                                          				intOrPtr _v108;
                                                                          				intOrPtr _v112;
                                                                          				intOrPtr _v116;
                                                                          				intOrPtr _v120;
                                                                          				void _v128;
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				void* __ebp;
                                                                          				signed int _t64;
                                                                          				void* _t69;
                                                                          				short* _t72;
                                                                          				signed short _t74;
                                                                          				char* _t88;
                                                                          				signed short _t90;
                                                                          				signed short _t100;
                                                                          				void* _t104;
                                                                          				void* _t106;
                                                                          				signed int* _t107;
                                                                          				signed short _t108;
                                                                          				intOrPtr _t109;
                                                                          				signed int _t111;
                                                                          				void* _t118;
                                                                          				void* _t119;
                                                                          				void* _t122;
                                                                          				signed int _t141;
                                                                          
                                                                          				_t118 = __edx;
                                                                          				_t64 =  *0xfa008; // 0x90c8e23b
                                                                          				_v8 = _t64 ^ _t141;
                                                                          				_t109 = _a12;
                                                                          				_v44 = _a8;
                                                                          				_v40 = _t109;
                                                                          				E000BF670(_t119,  &_v92, 0, 0x30);
                                                                          				_v24 = 0xaac56b;
                                                                          				_v20 = 0x11d0cd44;
                                                                          				_v32 = 0;
                                                                          				_v36 = 0;
                                                                          				_t111 = 9;
                                                                          				_t69 = memset( &_v128, 0, _t111 << 2);
                                                                          				_v28 = _t69;
                                                                          				_t122 = _t69;
                                                                          				_v16 = 0xc000c28c;
                                                                          				_v12 = 0xee95c24f;
                                                                          				if(E000921A5( &_v32, _a8, _t69) >= 0) {
                                                                          					_t72 = _v32;
                                                                          					while(0 !=  *_t72) {
                                                                          						 *_t72 =  *_t72 + 0x20;
                                                                          						_t72 = _t72 + 2;
                                                                          					}
                                                                          					_push(0);
                                                                          					_push(0);
                                                                          					_push( &_v28);
                                                                          					_push(_t109);
                                                                          					L000CF45C();
                                                                          					_t74 = GetLastError();
                                                                          					if(_t74 != 0x7a) {
                                                                          						if(_t74 == 0) {
                                                                          							goto L11;
                                                                          						} else {
                                                                          							_t137 =  <=  ? _t74 : _t74 & 0x0000ffff | 0x80070000;
                                                                          							_t104 = 0x80004005;
                                                                          							_t128 =  >=  ? 0x80004005 :  <=  ? _t74 : _t74 & 0x0000ffff | 0x80070000;
                                                                          							_push(_t128);
                                                                          							_push(0x778);
                                                                          							goto L8;
                                                                          						}
                                                                          					} else {
                                                                          						_t106 = E000938D4(_v28, 1);
                                                                          						_push(0);
                                                                          						_t122 = _t106;
                                                                          						_t107 =  &_v28;
                                                                          						_push(_t122);
                                                                          						_push(_t107);
                                                                          						_push(_t109);
                                                                          						L000CF45C();
                                                                          						if(_t107 != 0) {
                                                                          							L11:
                                                                          							_t110 = 1 + _v28 * 2;
                                                                          							if(E00091EDE( &_v36, 1 + _v28 * 2) >= 0) {
                                                                          								if(E000926EE(0, _t122, _v28, _v36, _t110) >= 0) {
                                                                          									_v92 = 0x30;
                                                                          									_v68 =  &_v128;
                                                                          									_v100 = _v28;
                                                                          									_v108 = _v40;
                                                                          									_v116 = _v36;
                                                                          									_v112 = _v32;
                                                                          									_t110 = 2;
                                                                          									_v80 = _t110;
                                                                          									_v72 = _t110;
                                                                          									_v64 = 1;
                                                                          									_v52 = 0x80;
                                                                          									_v128 = 0x24;
                                                                          									_v104 = _t122;
                                                                          									_v120 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x1c)) + 8));
                                                                          									_push( &_v92);
                                                                          									_t88 =  &_v24;
                                                                          									_push(_t88);
                                                                          									_push(0xffffffff);
                                                                          									L000CF42C();
                                                                          									_t128 = _t88;
                                                                          									if(_t88 == 0) {
                                                                          										L18:
                                                                          										_v64 = _t110;
                                                                          										_push( &_v92);
                                                                          										_t90 =  &_v24;
                                                                          										_push(_t90);
                                                                          										_push(0xffffffff);
                                                                          										L000CF42C();
                                                                          										if(_t90 != 0) {
                                                                          											_t131 =  <=  ? _t90 : _t90 & 0x0000ffff | 0x80070000;
                                                                          											_t128 =  >=  ? 0x80004005 :  <=  ? _t90 : _t90 & 0x0000ffff | 0x80070000;
                                                                          											E000937D3(0x80004005, "cache.cpp", 0x7a3, _t128);
                                                                          											_push("Could not close verify handle.");
                                                                          											goto L20;
                                                                          										}
                                                                          									} else {
                                                                          										_v52 = _v52 | 0x00001000;
                                                                          										_push( &_v92);
                                                                          										_t100 =  &_v24;
                                                                          										_push(_t100);
                                                                          										_push(0xffffffff);
                                                                          										L000CF42C();
                                                                          										if(_t100 == 0) {
                                                                          											goto L18;
                                                                          										} else {
                                                                          											_t134 =  <=  ? _t100 : _t100 & 0x0000ffff | 0x80070000;
                                                                          											_t128 =  >=  ? 0x80004005 :  <=  ? _t100 : _t100 & 0x0000ffff | 0x80070000;
                                                                          											E000937D3(0x80004005, "cache.cpp", 0x79d,  >=  ? 0x80004005 :  <=  ? _t100 : _t100 & 0x0000ffff | 0x80070000);
                                                                          											E000D012F( >=  ? 0x80004005 :  <=  ? _t100 : _t100 & 0x0000ffff | 0x80070000, "Could not verify file %ls.", _v44);
                                                                          										}
                                                                          									}
                                                                          								} else {
                                                                          									_push("Failed to encode file hash.");
                                                                          									goto L20;
                                                                          								}
                                                                          							} else {
                                                                          								_push("Failed to allocate string.");
                                                                          								goto L20;
                                                                          							}
                                                                          						} else {
                                                                          							_t108 = GetLastError();
                                                                          							_t140 =  <=  ? _t108 : _t108 & 0x0000ffff | 0x80070000;
                                                                          							_t104 = 0x80004005;
                                                                          							_t128 =  >=  ? 0x80004005 :  <=  ? _t108 : _t108 & 0x0000ffff | 0x80070000;
                                                                          							_push(_t128);
                                                                          							_push(0x773);
                                                                          							L8:
                                                                          							_push("cache.cpp");
                                                                          							E000937D3(_t104);
                                                                          							_push("Failed to get file hash.");
                                                                          							goto L20;
                                                                          						}
                                                                          					}
                                                                          				} else {
                                                                          					_push("Failed to allocate memory");
                                                                          					L20:
                                                                          					_push(_t128);
                                                                          					E000D012F();
                                                                          				}
                                                                          				if(_v32 != 0) {
                                                                          					E000D54EF(_v32);
                                                                          				}
                                                                          				if(_v36 != 0) {
                                                                          					E000D54EF(_v36);
                                                                          				}
                                                                          				if(_t122 != 0) {
                                                                          					E00093999(_t122);
                                                                          				}
                                                                          				return E000BDE36(_t110, _v8 ^ _t141, _t118, _t122, _t128);
                                                                          			}


                                                                          APIs
                                                                          • GetLastError.KERNEL32(000007D0,000007D0,00000000,00000000,?,00000000,00000000,00000003,00000000,00000000), ref: 000A9297
                                                                          • GetLastError.KERNEL32(000007D0,000007D0,00000000,00000000,000007D0,00000001), ref: 000A92BB
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast
                                                                          • String ID: $$0$@Mt$Could not close verify handle.$Could not verify file %ls.$Failed to allocate memory$Failed to allocate string.$Failed to encode file hash.$Failed to get file hash.$cache.cpp
                                                                          • API String ID: 1452528299-2643272629
                                                                          • Opcode ID: 3542c660610c0403cface61c2ea014276f67eb5ef9f3d5a528c3f8933534a67b
                                                                          • Instruction ID: a1544b85d71b8586fa7e19b5dfacfb6c17f18f4a7e7665bf31002600a29d1234
                                                                          • Opcode Fuzzy Hash: 3542c660610c0403cface61c2ea014276f67eb5ef9f3d5a528c3f8933534a67b
                                                                          • Instruction Fuzzy Hash: 84714072E00229ABDB11DBE9C841BEEB7F8AF09710F110126E915FB291E7749D418BA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 85%
                                                                          			E00093083(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12) {
                                                                          				signed int _v8;
                                                                          				signed int _v12;
                                                                          				long _v16;
                                                                          				signed int _t49;
                                                                          				long _t57;
                                                                          				void* _t63;
                                                                          				signed short _t65;
                                                                          				signed short _t66;
                                                                          				long _t69;
                                                                          				signed short _t77;
                                                                          				signed short _t78;
                                                                          				WCHAR* _t79;
                                                                          				long _t81;
                                                                          				long _t84;
                                                                          				long _t85;
                                                                          				long _t87;
                                                                          				void* _t88;
                                                                          
                                                                          				_t79 = _a8;
                                                                          				_t49 = 0;
                                                                          				_v12 = _v12 & 0;
                                                                          				_t81 = 0;
                                                                          				_v8 = 0;
                                                                          				_v16 = 0;
                                                                          				_t84 = 0x40;
                                                                          				if((_a12 & 0x00000001) == 0) {
                                                                          					L16:
                                                                          					if((_a12 & 0x00000002) == 0) {
                                                                          						_v8 = _v8 & 0x00000000;
                                                                          						_v12 = _t49;
                                                                          						goto L30;
                                                                          					} else {
                                                                          						_a12 = _a12 & 0x00000000;
                                                                          						_t83 =  !=  ? _t49 : _t79;
                                                                          						_a8 =  !=  ? _t49 : _t79;
                                                                          						_t85 =  >  ? _t81 : _t84;
                                                                          						_t88 = E00091EDE( &_v12, _t85);
                                                                          						if(_t88 >= 0) {
                                                                          							_t57 = GetFullPathNameW(_a8, _t85, _v12,  &_a12);
                                                                          							if(_t57 != 0) {
                                                                          								if(_t85 >= _t57) {
                                                                          									L26:
                                                                          									if(_t57 <= 0x104) {
                                                                          										L28:
                                                                          										_t49 = _v12;
                                                                          										L30:
                                                                          										_t80 =  !=  ? _t49 : _t79;
                                                                          										_t88 = E000921A5(_a4,  !=  ? _t49 : _t79, 0);
                                                                          									} else {
                                                                          										_t88 = E00093593( &_v12);
                                                                          										if(_t88 >= 0) {
                                                                          											goto L28;
                                                                          										}
                                                                          									}
                                                                          								} else {
                                                                          									_t34 = _t57 + 7; // 0x7
                                                                          									_t87 =  <  ? _t57 : _t34;
                                                                          									_t88 = E00091EDE( &_v12, _t87);
                                                                          									if(_t88 >= 0) {
                                                                          										_t57 = GetFullPathNameW(_a8, _t87, _v12,  &_a12);
                                                                          										if(_t57 != 0) {
                                                                          											if(_t87 >= _t57) {
                                                                          												goto L26;
                                                                          											} else {
                                                                          												_t63 = 0x8007007a;
                                                                          												_push(0x8007007a);
                                                                          												_t88 = 0x8007007a;
                                                                          												_push(0x149);
                                                                          												goto L4;
                                                                          											}
                                                                          										} else {
                                                                          											_t65 = GetLastError();
                                                                          											_t91 =  <=  ? _t65 : _t65 & 0x0000ffff | 0x80070000;
                                                                          											_t63 = 0x80004005;
                                                                          											_t88 =  >=  ? 0x80004005 :  <=  ? _t65 : _t65 & 0x0000ffff | 0x80070000;
                                                                          											_push(_t88);
                                                                          											_push(0x144);
                                                                          											goto L4;
                                                                          										}
                                                                          									}
                                                                          								}
                                                                          							} else {
                                                                          								_t66 = GetLastError();
                                                                          								_t94 =  <=  ? _t66 : _t66 & 0x0000ffff | 0x80070000;
                                                                          								_t63 = 0x80004005;
                                                                          								_t88 =  >=  ? 0x80004005 :  <=  ? _t66 : _t66 & 0x0000ffff | 0x80070000;
                                                                          								_push(_t88);
                                                                          								_push(0x139);
                                                                          								goto L4;
                                                                          							}
                                                                          						}
                                                                          					}
                                                                          				} else {
                                                                          					_v16 = _t84;
                                                                          					_t88 = E00091EDE( &_v8, _t84);
                                                                          					if(_t88 >= 0) {
                                                                          						_t69 = ExpandEnvironmentStringsW(_t79, _v8, _v16);
                                                                          						if(_t69 != 0) {
                                                                          							_t81 = _v16;
                                                                          							if(_t81 >= _t69) {
                                                                          								L11:
                                                                          								if(_t69 <= 0x104) {
                                                                          									L15:
                                                                          									_t49 = _v8;
                                                                          									goto L16;
                                                                          								} else {
                                                                          									_t88 =  ==  ? 0 : E00093593( &_v8);
                                                                          									if(_t88 >= 0) {
                                                                          										_t88 = E0009275D(_v8,  &_v16);
                                                                          										if(_t88 >= 0) {
                                                                          											_t81 = _v16;
                                                                          											goto L15;
                                                                          										}
                                                                          									}
                                                                          								}
                                                                          							} else {
                                                                          								_v16 = _t69;
                                                                          								_t88 = E00091EDE( &_v8, _t69);
                                                                          								if(_t88 >= 0) {
                                                                          									_t69 = ExpandEnvironmentStringsW(_t79, _v8, _v16);
                                                                          									if(_t69 != 0) {
                                                                          										_t81 = _v16;
                                                                          										if(_t81 >= _t69) {
                                                                          											goto L11;
                                                                          										} else {
                                                                          											_t63 = 0x8007007a;
                                                                          											_push(0x8007007a);
                                                                          											_t88 = 0x8007007a;
                                                                          											_push(0x118);
                                                                          											goto L4;
                                                                          										}
                                                                          									} else {
                                                                          										_t77 = GetLastError();
                                                                          										_t98 =  <=  ? _t77 : _t77 & 0x0000ffff | 0x80070000;
                                                                          										_t63 = 0x80004005;
                                                                          										_t88 =  >=  ? 0x80004005 :  <=  ? _t77 : _t77 & 0x0000ffff | 0x80070000;
                                                                          										_push(_t88);
                                                                          										_push(0x113);
                                                                          										goto L4;
                                                                          									}
                                                                          								}
                                                                          							}
                                                                          						} else {
                                                                          							_t78 = GetLastError();
                                                                          							_t101 =  <=  ? _t78 : _t78 & 0x0000ffff | 0x80070000;
                                                                          							_t63 = 0x80004005;
                                                                          							_t88 =  >=  ? 0x80004005 :  <=  ? _t78 : _t78 & 0x0000ffff | 0x80070000;
                                                                          							_push(_t88);
                                                                          							_push(0x108);
                                                                          							L4:
                                                                          							_push("pathutil.cpp");
                                                                          							E000937D3(_t63);
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          				if(_v12 != 0) {
                                                                          					E000D54EF(_v12);
                                                                          				}
                                                                          				if(_v8 != 0) {
                                                                          					E000D54EF(_v8);
                                                                          				}
                                                                          				return _t88;
                                                                          			}





















                                                                          APIs
                                                                          • ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,00000000,00000040,00000000,00000000), ref: 000930C7
                                                                          • GetLastError.KERNEL32 ref: 000930D1
                                                                          • ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00093129
                                                                          • GetLastError.KERNEL32 ref: 00093133
                                                                          • GetFullPathNameW.KERNEL32(00000000,00000040,00000000,00000000,00000000,00000040,00000000,00000000), ref: 000931EC
                                                                          • GetLastError.KERNEL32 ref: 000931F6
                                                                          • GetFullPathNameW.KERNEL32(00000000,00000007,00000000,00000000,00000000,00000007), ref: 0009324D
                                                                          • GetLastError.KERNEL32 ref: 00093257
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast$EnvironmentExpandFullNamePathStrings
                                                                          • String ID: @Mt$pathutil.cpp
                                                                          • API String ID: 1547313835-1527316599
                                                                          • Opcode ID: f95a640af04f23a487c675c2d6cdf1d115ca144537c4d561678c94114cf1b82b
                                                                          • Instruction ID: bf5c912a37944cdf28db083dbbba14e2d78823fb8eab51ea8c3e7b9e2ec167fd
                                                                          • Opcode Fuzzy Hash: f95a640af04f23a487c675c2d6cdf1d115ca144537c4d561678c94114cf1b82b
                                                                          • Instruction Fuzzy Hash: 77618332E00225ABEF219BA58C49BEE7BE8EF44750F124166FD15E7150E735CE00ABA0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 59%
                                                                          			E000AE05E(struct HINSTANCE__* _a4, void** _a8) {
                                                                          				signed int _v8;
                                                                          				intOrPtr _v16;
                                                                          				intOrPtr _v20;
                                                                          				intOrPtr _v24;
                                                                          				struct tagMONITORINFO _v48;
                                                                          				struct tagPOINT _v56;
                                                                          				void* _v72;
                                                                          				void* _v76;
                                                                          				void _v80;
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				void* __ebp;
                                                                          				signed int _t33;
                                                                          				int _t36;
                                                                          				void* _t38;
                                                                          				struct HMONITOR__* _t44;
                                                                          				signed short _t60;
                                                                          				void** _t64;
                                                                          				signed int _t65;
                                                                          				void* _t67;
                                                                          				struct HINSTANCE__* _t75;
                                                                          				void* _t78;
                                                                          				void* _t79;
                                                                          				int _t80;
                                                                          				signed int _t84;
                                                                          
                                                                          				_t33 =  *0xfa008; // 0x90c8e23b
                                                                          				_v8 = _t33 ^ _t84;
                                                                          				_t75 = _a4;
                                                                          				_t64 = _a8;
                                                                          				_t65 = 6;
                                                                          				_t80 = 0;
                                                                          				_t36 = memset( &_v80, 0, _t65 << 2);
                                                                          				_t67 = 0xa;
                                                                          				_t78 =  &_v48;
                                                                          				_v56.x = 0;
                                                                          				memset(_t78, _t36, 0 << 2);
                                                                          				_t79 = _t78 + _t67;
                                                                          				_v56.y = 0;
                                                                          				_t38 = LoadBitmapW(_t75, 1);
                                                                          				 *_t64 = _t38;
                                                                          				if(_t38 != 0) {
                                                                          					GetObjectW(_t38, 0x18,  &_v80);
                                                                          					_t64[1] = 0x80000000;
                                                                          					_t64[2] = 0x80000000;
                                                                          					_t64[3] = _v76;
                                                                          					_t64[4] = _v72;
                                                                          					_t44 = GetCursorPos( &_v56);
                                                                          					if(_t44 != 0) {
                                                                          						__imp__MonitorFromPoint(_v56.x, _v56.y, 2);
                                                                          						if(_t44 != 0) {
                                                                          							_v48.cbSize = 0x28;
                                                                          							if(GetMonitorInfoW(_t44,  &_v48) != 0) {
                                                                          								asm("cdq");
                                                                          								_t64[1] = (_v20 - _t64[3] - _v48.rcWork - _t75 >> 1) + _v48.rcWork;
                                                                          								asm("cdq");
                                                                          								_t64[2] = (_v16 - _v24 - _t64[4] - _t75 >> 1) + _v24;
                                                                          							}
                                                                          						}
                                                                          					}
                                                                          				} else {
                                                                          					_t60 = GetLastError();
                                                                          					_t83 =  <=  ? _t60 : _t60 & 0x0000ffff | 0x80070000;
                                                                          					_t80 =  >=  ? 0x80004005 :  <=  ? _t60 : _t60 & 0x0000ffff | 0x80070000;
                                                                          					E000937D3(0x80004005, "splashscreen.cpp", 0xe8, _t80);
                                                                          					_push("Failed to load splash screen bitmap.");
                                                                          					_push(_t80);
                                                                          					E000D012F();
                                                                          				}
                                                                          				return E000BDE36(_t64, _v8 ^ _t84, _t75, _t79, _t80);
                                                                          			}


                                                                          APIs
                                                                          • LoadBitmapW.USER32(?,00000001), ref: 000AE094
                                                                          • GetLastError.KERNEL32 ref: 000AE0A0
                                                                          • GetObjectW.GDI32(00000000,00000018,?), ref: 000AE0E7
                                                                          • GetCursorPos.USER32(?), ref: 000AE108
                                                                          • MonitorFromPoint.USER32(?,?,00000002), ref: 000AE11A
                                                                          • GetMonitorInfoW.USER32 ref: 000AE130
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: Monitor$BitmapCursorErrorFromInfoLastLoadObjectPoint
                                                                          • String ID: ($@Mt$Failed to load splash screen bitmap.$splashscreen.cpp
                                                                          • API String ID: 2342928100-3075711378
                                                                          • Opcode ID: 758ea92b6c1077c149bebac3c0abb8292170b6aacec94c2799f3bef1c89151a2
                                                                          • Instruction ID: 4276c4bf3705ecfb0231c7b364a7a40dfb36aed48216089fd4e43143f02cc1e2
                                                                          • Opcode Fuzzy Hash: 758ea92b6c1077c149bebac3c0abb8292170b6aacec94c2799f3bef1c89151a2
                                                                          • Instruction Fuzzy Hash: 2A313F71A01215EFDB50DFB9D945A9EBBF5EB08710F14811AFD14EB241EB74D901CB60
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 43%
                                                                          			E000964B6(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                          				signed int _v8;
                                                                          				char _v528;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				void* __ebp;
                                                                          				signed int _t10;
                                                                          				char* _t14;
                                                                          				signed short _t15;
                                                                          				signed short _t23;
                                                                          				signed short _t27;
                                                                          				void* _t30;
                                                                          				void* _t36;
                                                                          				signed short _t39;
                                                                          				signed short _t42;
                                                                          				signed int _t46;
                                                                          
                                                                          				_t36 = __edx;
                                                                          				_t30 = __ebx;
                                                                          				_t10 =  *0xfa008; // 0x90c8e23b
                                                                          				_v8 = _t10 ^ _t46;
                                                                          				_t37 = _a8;
                                                                          				E000BF670(_a8,  &_v528, 0, 0x208);
                                                                          				_t14 =  &_v528;
                                                                          				_push(0x104);
                                                                          				_push(_t14);
                                                                          				if(_a4 == 0) {
                                                                          					_t15 = GetSystemDirectoryW();
                                                                          					__eflags = _t15;
                                                                          					if(_t15 != 0) {
                                                                          						goto L6;
                                                                          					} else {
                                                                          						_t23 = GetLastError();
                                                                          						__eflags = _t23;
                                                                          						_t42 =  <=  ? _t23 : _t23 & 0x0000ffff | 0x80070000;
                                                                          						__eflags = _t42;
                                                                          						_t39 =  >=  ? 0x80004005 : _t42;
                                                                          						E000937D3(0x80004005, "variable.cpp", 0x77e, _t39);
                                                                          						_push("Failed to get 64-bit system folder.");
                                                                          						goto L11;
                                                                          					}
                                                                          				} else {
                                                                          					__imp__GetSystemWow64DirectoryW();
                                                                          					if(_t14 != 0) {
                                                                          						L6:
                                                                          						__eflags = _v528;
                                                                          						if(__eflags == 0) {
                                                                          							L9:
                                                                          							_t39 = E000B02F4(_t37,  &_v528, 0);
                                                                          							__eflags = _t39;
                                                                          							if(_t39 < 0) {
                                                                          								_push("Failed to set system folder variant value.");
                                                                          								goto L11;
                                                                          							}
                                                                          						} else {
                                                                          							_t39 = E0009338F(0, __eflags,  &_v528, 0x104);
                                                                          							__eflags = _t39;
                                                                          							if(_t39 >= 0) {
                                                                          								goto L9;
                                                                          							} else {
                                                                          								_push("Failed to backslash terminate system folder.");
                                                                          								goto L11;
                                                                          							}
                                                                          						}
                                                                          					} else {
                                                                          						_t27 =  !=  ? 0 : GetLastError();
                                                                          						if(_t27 == 0) {
                                                                          							goto L6;
                                                                          						} else {
                                                                          							_t45 =  <=  ? _t27 : _t27 & 0x0000ffff | 0x80070000;
                                                                          							_t39 =  >=  ? 0x80004005 :  <=  ? _t27 : _t27 & 0x0000ffff | 0x80070000;
                                                                          							E000937D3(0x80004005, "variable.cpp", 0x777, _t39);
                                                                          							_push("Failed to get 32-bit system folder.");
                                                                          							L11:
                                                                          							_push(_t39);
                                                                          							E000D012F();
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          				return E000BDE36(_t30, _v8 ^ _t46, _t36, _t37, _t39);
                                                                          			}


                                                                          APIs
                                                                          • GetSystemWow64DirectoryW.KERNEL32(?,00000104), ref: 000964F7
                                                                          • GetLastError.KERNEL32 ref: 00096505
                                                                          • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00096546
                                                                          • GetLastError.KERNEL32 ref: 00096550
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: DirectoryErrorLastSystem$Wow64
                                                                          • String ID: @Mt$Failed to backslash terminate system folder.$Failed to get 32-bit system folder.$Failed to get 64-bit system folder.$Failed to set system folder variant value.$variable.cpp
                                                                          • API String ID: 2634638900-950553170
                                                                          • Opcode ID: f25fe423b61a88df34a33872c81bbb9c5802d8d7f7b32b73fe4c984ad7a72dd4
                                                                          • Instruction ID: cb1639dfe824e24b64c376d42a89fad552a8e7dd1bdd9640d2cc792b5f5c1b2d
                                                                          • Opcode Fuzzy Hash: f25fe423b61a88df34a33872c81bbb9c5802d8d7f7b32b73fe4c984ad7a72dd4
                                                                          • Instruction Fuzzy Hash: 9421FBB1A41735A6EF2067B59C06BAB77E89F00750F124167FD08EB281EA65CE04D5F1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 58%
                                                                          			E00091174(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
                                                                          				char _v8;
                                                                          				_Unknown_base(*)()* _t9;
                                                                          				_Unknown_base(*)()* _t10;
                                                                          				long _t11;
                                                                          				void* _t14;
                                                                          				struct HINSTANCE__* _t15;
                                                                          				void* _t18;
                                                                          				intOrPtr _t21;
                                                                          				void* _t22;
                                                                          				signed int _t23;
                                                                          
                                                                          				_t23 = 0;
                                                                          				_v8 = 0;
                                                                          				__imp__HeapSetInformation(0, 1, 0, 0, _t18, _t22, _t14, __ecx);
                                                                          				_t15 = GetModuleHandleW(L"kernel32");
                                                                          				_t9 = GetProcAddress(_t15, "SetDefaultDllDirectories");
                                                                          				if(_t9 == 0) {
                                                                          					L3:
                                                                          					_t10 = GetProcAddress(_t15, "SetDllDirectoryW");
                                                                          					if(_t10 == 0) {
                                                                          						L5:
                                                                          						_t11 = GetLastError();
                                                                          					} else {
                                                                          						_t11 =  *_t10(0xdb524);
                                                                          						if(_t11 == 0) {
                                                                          							goto L5;
                                                                          						}
                                                                          					}
                                                                          					if(_a8 > _t23) {
                                                                          						_t21 = _a4;
                                                                          						do {
                                                                          							_t11 = E000937D6( *((intOrPtr*)(_t21 + _t23 * 4)),  &_v8);
                                                                          							_t23 = _t23 + 1;
                                                                          						} while (_t23 < _a8);
                                                                          					}
                                                                          				} else {
                                                                          					_t11 =  *_t9(0x800);
                                                                          					if(_t11 == 0) {
                                                                          						GetLastError();
                                                                          						goto L3;
                                                                          					}
                                                                          				}
                                                                          				return _t11;
                                                                          			}














                                                                          APIs
                                                                          • HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,0009111A,cabinet.dll,00000009,?,?,00000000), ref: 00091185
                                                                          • GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,0009111A,cabinet.dll,00000009,?,?,00000000), ref: 00091190
                                                                          • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0009119E
                                                                          • GetLastError.KERNEL32(?,?,?,?,0009111A,cabinet.dll,00000009,?,?,00000000), ref: 000911B9
                                                                          • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 000911C1
                                                                          • GetLastError.KERNEL32(?,?,?,?,0009111A,cabinet.dll,00000009,?,?,00000000), ref: 000911D6
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: AddressErrorLastProc$HandleHeapInformationModule
                                                                          • String ID: @Mt$SetDefaultDllDirectories$SetDllDirectoryW$kernel32
                                                                          • API String ID: 3104334766-2581781056
                                                                          • Opcode ID: 08480cf923c708250aa0dd77f042eb11bccc3c13847d7cc0c71801747df84235
                                                                          • Instruction ID: f7c5dc04753922a55fde4cc81863150e8db7adfa58206fbaa5731ea9c2abbce2
                                                                          • Opcode Fuzzy Hash: 08480cf923c708250aa0dd77f042eb11bccc3c13847d7cc0c71801747df84235
                                                                          • Instruction Fuzzy Hash: E5017171741616FB9B206BA6AC09EAF7FACFF40791B018013FE1596240DB74DA019BB1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E000AE31B(void** _a4, int _a8, int _a12, long _a16) {
                                                                          				void* _t16;
                                                                          				void* _t19;
                                                                          				long _t28;
                                                                          				struct HDC__* _t32;
                                                                          				void* _t35;
                                                                          				void* _t36;
                                                                          				void* _t38;
                                                                          				void* _t39;
                                                                          				struct HWND__* _t41;
                                                                          				void** _t43;
                                                                          				long _t45;
                                                                          
                                                                          				_t41 = _a4;
                                                                          				_t43 = GetWindowLongW(_t41, 0xffffffeb);
                                                                          				_t16 = 2;
                                                                          				_a4 = _t43;
                                                                          				_t35 = _a8 - _t16;
                                                                          				if(_t35 == 0) {
                                                                          					PostQuitMessage(0);
                                                                          					return 0;
                                                                          				}
                                                                          				_t36 = _t35 - 0x12;
                                                                          				if(_t36 == 0) {
                                                                          					_t32 = CreateCompatibleDC(_a12);
                                                                          					_t19 = SelectObject(_t32,  *_t43);
                                                                          					StretchBlt(_a12, 0, 0, _a4[3], _a4[4], _t32, 0, 0,  *(_t20 + 0xc),  *(_t20 + 0x10), 0xcc0020);
                                                                          					SelectObject(_t32, _t19);
                                                                          					DeleteDC(_t32);
                                                                          					return 1;
                                                                          				}
                                                                          				_t45 = _a16;
                                                                          				_t38 = _t36 - 0x6d;
                                                                          				if(_t38 == 0) {
                                                                          					SetWindowLongW(_t41, 0xffffffeb,  *_t45);
                                                                          					L8:
                                                                          					return DefWindowProcW(_t41, _a8, _a12, _t45);
                                                                          				}
                                                                          				_t39 = _t38 - 1;
                                                                          				if(_t39 == 0) {
                                                                          					_t28 = DefWindowProcW(_t41, 0x82, _a12, _t45);
                                                                          					SetWindowLongW(_t41, 0xffffffeb, 0);
                                                                          					return _t28;
                                                                          				}
                                                                          				if(_t39 != _t16) {
                                                                          					goto L8;
                                                                          				}
                                                                          				return _t16;
                                                                          			}















                                                                          APIs
                                                                          • GetWindowLongW.USER32(?,000000EB), ref: 000AE326
                                                                          • DefWindowProcW.USER32(?,00000082,?,?), ref: 000AE364
                                                                          • SetWindowLongW.USER32 ref: 000AE371
                                                                          • SetWindowLongW.USER32 ref: 000AE380
                                                                          • DefWindowProcW.USER32(?,?,?,?), ref: 000AE38E
                                                                          • CreateCompatibleDC.GDI32(?), ref: 000AE39A
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 000AE3AB
                                                                          • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 000AE3CD
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 000AE3D5
                                                                          • DeleteDC.GDI32(00000000), ref: 000AE3D8
                                                                          • PostQuitMessage.USER32(00000000), ref: 000AE3E6
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Long$ObjectProcSelect$CompatibleCreateDeleteMessagePostQuitStretch
                                                                          • String ID:
                                                                          • API String ID: 409979828-0
                                                                          • Opcode ID: 98857430f797d0ba814e44ca54a8bb95633afc55311b619b90e32d5ee5e6b84f
                                                                          • Instruction ID: a8ca6fe86f082254e75f8c09089a2b64eb6e63de903fc063ac5efcf129d44d08
                                                                          • Opcode Fuzzy Hash: 98857430f797d0ba814e44ca54a8bb95633afc55311b619b90e32d5ee5e6b84f
                                                                          • Instruction Fuzzy Hash: 0A218C33100108FFEF255FA9DC4CE7B3FA9EF4A321B164519FA16971A0D7758A10AB61
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 62%
                                                                          			E000AD01A(char _a4, intOrPtr _a8, intOrPtr _a12, char _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, char _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr* _a52, intOrPtr* _a56) {
                                                                          				struct _SECURITY_ATTRIBUTES* _v8;
                                                                          				char _v12;
                                                                          				intOrPtr _v16;
                                                                          				intOrPtr _v20;
                                                                          				intOrPtr _v24;
                                                                          				intOrPtr _v28;
                                                                          				intOrPtr _v32;
                                                                          				intOrPtr _v36;
                                                                          				intOrPtr _v40;
                                                                          				intOrPtr _v44;
                                                                          				intOrPtr _v48;
                                                                          				intOrPtr _v52;
                                                                          				char _v56;
                                                                          				intOrPtr _v60;
                                                                          				intOrPtr _v64;
                                                                          				intOrPtr _v68;
                                                                          				intOrPtr _v72;
                                                                          				intOrPtr _v76;
                                                                          				intOrPtr _v80;
                                                                          				intOrPtr _v96;
                                                                          				void _v100;
                                                                          				void* __edi;
                                                                          				intOrPtr _t76;
                                                                          				char _t77;
                                                                          				intOrPtr _t85;
                                                                          				void* _t86;
                                                                          				intOrPtr _t87;
                                                                          				void* _t88;
                                                                          				intOrPtr _t89;
                                                                          				void* _t90;
                                                                          
                                                                          				E000BF670(_t86,  &_v100, 0, 0x2c);
                                                                          				E000BF670(_t86,  &_v56, 0, 0x2c);
                                                                          				_t77 = _a4;
                                                                          				_v96 = _a12;
                                                                          				_t85 = _a40;
                                                                          				_t87 = _a32;
                                                                          				_t9 =  &_a36; // 0x9444c
                                                                          				_t89 =  *_t9;
                                                                          				_v80 = _a20;
                                                                          				_v76 = _a24;
                                                                          				_v52 = _a8;
                                                                          				_v48 = _a44;
                                                                          				_v44 = _a48;
                                                                          				_t19 =  &_a16; // 0x9535e
                                                                          				_v40 =  *_t19;
                                                                          				_v100 = _t77;
                                                                          				_v56 = _t77;
                                                                          				_v36 = _a20;
                                                                          				_v32 = _a24;
                                                                          				_v12 = 0;
                                                                          				_v8 = 0;
                                                                          				_t76 = _a28;
                                                                          				_v72 = _t76;
                                                                          				_v68 = _t87;
                                                                          				_v64 = _t89;
                                                                          				_v60 = _t85;
                                                                          				_v28 = _t76;
                                                                          				_v24 = _t87;
                                                                          				_v20 = _t89;
                                                                          				_v16 = _t85;
                                                                          				_t88 = CreateThread(0, 0, E000AAB3C,  &_v100, 0, 0);
                                                                          				if(_t88 != 0) {
                                                                          					_t90 = E000A4FB3(0, _t85, _a8, E000AC59C,  &_v56,  &_v12);
                                                                          					if(_t90 >= 0) {
                                                                          						_push(_v12);
                                                                          						E000ACCF4(0, _t88);
                                                                          						 *_a52 = _v12;
                                                                          						 *_a56 = _v8;
                                                                          					} else {
                                                                          						_push("Failed to pump messages in child process.");
                                                                          						_push(_t90);
                                                                          						E000D012F();
                                                                          					}
                                                                          					CloseHandle(_t88);
                                                                          				} else {
                                                                          					_t93 =  <=  ? GetLastError() : _t71 & 0x0000ffff | 0x80070000;
                                                                          					_t90 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t71 & 0x0000ffff | 0x80070000;
                                                                          					E000937D3(0x80004005, "elevation.cpp", 0x45c, _t90);
                                                                          					_push("Failed to create elevated cache thread.");
                                                                          					_push(_t90);
                                                                          					E000D012F();
                                                                          				}
                                                                          				return _t90;
                                                                          			}


































                                                                          APIs
                                                                          • CreateThread.KERNEL32 ref: 000AD0B8
                                                                          • GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 000AD0C4
                                                                          • CloseHandle.KERNEL32(00000000,00000000,?,?,000AC59C,00000001,?,?,?,?,?,00000000,00000000,?,?,?), ref: 000AD145
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: CloseCreateErrorHandleLastThread
                                                                          • String ID: @Mt$Failed to create elevated cache thread.$Failed to pump messages in child process.$LD$^S$elevation.cpp
                                                                          • API String ID: 747004058-4059000166
                                                                          • Opcode ID: 45e2974ed6e557e80127c184a7f51454d2db26b6a71561f2fd72ad9236ccf992
                                                                          • Instruction ID: 5268dc8dfc623b7828693e64aa046d62c1a9f6c84a132ab2983fe28916829ec0
                                                                          • Opcode Fuzzy Hash: 45e2974ed6e557e80127c184a7f51454d2db26b6a71561f2fd72ad9236ccf992
                                                                          • Instruction Fuzzy Hash: 2C41D1B5E01219AFDB01DFA9D8859EEBBF8EF49310F10412AFD09E7341D774A9418BA4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 38%
                                                                          			E000A51E9(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                          				signed int _v8;
                                                                          				signed int _v12;
                                                                          				intOrPtr _t45;
                                                                          				void* _t48;
                                                                          
                                                                          				_t39 = __ecx;
                                                                          				_push(__ecx);
                                                                          				_push(__ecx);
                                                                          				_v12 = _v12 & 0x00000000;
                                                                          				_v8 = _v8 & 0x00000000;
                                                                          				_t48 = E000CF7B2( &_v12,  &_v8, _a8);
                                                                          				if(_t48 >= 0) {
                                                                          					_t48 = E000CF7B2( &_v12,  &_v8, _a12);
                                                                          					if(_t48 >= 0) {
                                                                          						_t45 = _a4;
                                                                          						if( *((intOrPtr*)(_t45 + 0x14)) == 0xffffffff) {
                                                                          							L8:
                                                                          							_t48 = E000A4880(_t39,  *((intOrPtr*)(_t45 + 0x10)), 0xf0000003, _v12, _v8);
                                                                          							if(_t48 >= 0) {
                                                                          								if( *(_t45 + 0xc) != 0 && WaitForSingleObject( *(_t45 + 0xc), 0x2bf20) == 0xffffffff) {
                                                                          									_t52 =  <=  ? GetLastError() : _t30 & 0x0000ffff | 0x80070000;
                                                                          									_t48 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t30 & 0x0000ffff | 0x80070000;
                                                                          									E000937D3(0x80004005, "pipe.cpp", 0x242, _t48);
                                                                          									_push("Failed to wait for child process exit.");
                                                                          									goto L13;
                                                                          								}
                                                                          							} else {
                                                                          								_push("Failed to post terminate message to child process.");
                                                                          								goto L13;
                                                                          							}
                                                                          						} else {
                                                                          							_t48 = E000A4880(_t39,  *((intOrPtr*)(_t45 + 0x14)), 0xf0000003, _v12, _v8);
                                                                          							if(_t48 >= 0) {
                                                                          								goto L8;
                                                                          							} else {
                                                                          								_push("Failed to post terminate message to child process cache thread.");
                                                                          								L13:
                                                                          								_push(_t48);
                                                                          								E000D012F();
                                                                          							}
                                                                          						}
                                                                          					} else {
                                                                          						_push("Failed to write restart to message buffer.");
                                                                          						goto L2;
                                                                          					}
                                                                          				} else {
                                                                          					_push("Failed to write exit code to message buffer.");
                                                                          					L2:
                                                                          					_push(_t48);
                                                                          					E000D012F();
                                                                          				}
                                                                          				return _t48;
                                                                          			}








                                                                          APIs
                                                                          • WaitForSingleObject.KERNEL32(?,0002BF20,?,F0000003,00000000,00000000,?,00000000,00000000,00000000,00095386,00000000,00000000,?,00000000), ref: 000A5292
                                                                          • GetLastError.KERNEL32(?,?,?,00094B5B,?,?,00000000,?,?,?,?,?,?,000DB490,?,?), ref: 000A529D
                                                                          Strings
                                                                          • Failed to write restart to message buffer., xrefs: 000A5235
                                                                          • @Mt, xrefs: 000A529D
                                                                          • Failed to write exit code to message buffer., xrefs: 000A520D
                                                                          • Failed to post terminate message to child process cache thread., xrefs: 000A5261
                                                                          • Failed to post terminate message to child process., xrefs: 000A527D
                                                                          • Failed to wait for child process exit., xrefs: 000A52CB
                                                                          • pipe.cpp, xrefs: 000A52C1
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLastObjectSingleWait
                                                                          • String ID: @Mt$Failed to post terminate message to child process cache thread.$Failed to post terminate message to child process.$Failed to wait for child process exit.$Failed to write exit code to message buffer.$Failed to write restart to message buffer.$pipe.cpp
                                                                          • API String ID: 1211598281-29363476
                                                                          • Opcode ID: a916a023db1c942948612483b9aabad6e07b14cee9db7294d6233cf8c955effe
                                                                          • Instruction ID: c4a41902434f243b835a7ad02b5133d3867db30dee82d6febc2b0348eea49819
                                                                          • Opcode Fuzzy Hash: a916a023db1c942948612483b9aabad6e07b14cee9db7294d6233cf8c955effe
                                                                          • Instruction Fuzzy Hash: F821C133941B29BBDB125AE59C01BDEBBA8FB02322F110316F900B6191D7359E5097E0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 40%
                                                                          			E000AF3E6(void* __ecx, intOrPtr _a4, intOrPtr* _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr* _a24) {
                                                                          				char _v8;
                                                                          				char _v12;
                                                                          				intOrPtr* _t41;
                                                                          				intOrPtr* _t46;
                                                                          				intOrPtr* _t49;
                                                                          				intOrPtr _t57;
                                                                          				intOrPtr _t60;
                                                                          				intOrPtr* _t71;
                                                                          				intOrPtr* _t72;
                                                                          				signed int* _t75;
                                                                          				void* _t77;
                                                                          
                                                                          				_t62 = __ecx;
                                                                          				_push(__ecx);
                                                                          				_push(__ecx);
                                                                          				_t60 = _a4;
                                                                          				_v12 = 0;
                                                                          				_v8 = 0;
                                                                          				EnterCriticalSection( *(_t60 + 0xc));
                                                                          				_t77 = E0009D459( *(_t60 + 0xc) + 0xb8);
                                                                          				if(_t77 >= 0) {
                                                                          					_t71 = _a12;
                                                                          					if(_t71 == 0 ||  *_t71 == 0) {
                                                                          						_t72 = _a8;
                                                                          						if(_t72 == 0 ||  *_t72 == 0) {
                                                                          							_t77 = 0x80070057;
                                                                          							_push("UX did not provide container or payload id.");
                                                                          							goto L34;
                                                                          						} else {
                                                                          							_t77 = E0009C0A9(_t62,  *(_t60 + 0xc) + 0x2a8, _t72,  &_v12);
                                                                          							if(_t77 >= 0) {
                                                                          								_t75 = _v12 + 0x2c;
                                                                          								goto L15;
                                                                          							}
                                                                          							_push(_t72);
                                                                          							_push("UX requested unknown container with id: %ls");
                                                                          							goto L13;
                                                                          						}
                                                                          					} else {
                                                                          						_t77 = E0009CC57(_t62,  *(_t60 + 0xc) + 0x2b8, _t71,  &_v8);
                                                                          						if(_t77 >= 0) {
                                                                          							_t57 = _v8;
                                                                          							if( *((intOrPtr*)(_t57 + 4)) != 2) {
                                                                          								_t75 = _t57 + 0x40;
                                                                          								L15:
                                                                          								_t41 = _a16;
                                                                          								if(_t41 == 0 ||  *_t41 == 0) {
                                                                          									if( *_t75 != 0) {
                                                                          										E000D54EF( *_t75);
                                                                          										 *_t75 =  *_t75 & 0x00000000;
                                                                          									}
                                                                          									goto L29;
                                                                          								} else {
                                                                          									_t77 = E000921A5(_t75, _t41, 0);
                                                                          									if(_t77 >= 0) {
                                                                          										_t46 = _a20;
                                                                          										if(_t46 == 0 ||  *_t46 == 0) {
                                                                          											L29:
                                                                          											if(_t75[1] != 0) {
                                                                          												E000D54EF(_t75[1]);
                                                                          												_t75[1] = _t75[1] & 0x00000000;
                                                                          											}
                                                                          											goto L31;
                                                                          										} else {
                                                                          											_t77 = E000921A5( &(_t75[1]), _t46, 0);
                                                                          											if(_t77 >= 0) {
                                                                          												_t49 = _a24;
                                                                          												if(_t49 == 0 ||  *_t49 == 0) {
                                                                          													L31:
                                                                          													if(_t75[2] != 0) {
                                                                          														E000D54EF(_t75[2]);
                                                                          														_t75[2] = _t75[2] & 0x00000000;
                                                                          													}
                                                                          												} else {
                                                                          													_t77 = E000921A5( &(_t75[2]), _t49, 0);
                                                                          													if(_t77 >= 0) {
                                                                          														goto L35;
                                                                          													}
                                                                          													_push("Failed to set download password.");
                                                                          													L34:
                                                                          													_push(_t77);
                                                                          													E000D012F();
                                                                          												}
                                                                          												goto L35;
                                                                          											}
                                                                          											_push("Failed to set download user.");
                                                                          											goto L34;
                                                                          										}
                                                                          									}
                                                                          									_push("Failed to set download URL.");
                                                                          									goto L34;
                                                                          								}
                                                                          							}
                                                                          							_push(_t71);
                                                                          							_t77 = 0x800710dd;
                                                                          							_push("UX denied while trying to set download URL on embedded payload: %ls");
                                                                          							goto L13;
                                                                          						} else {
                                                                          							_push(_t71);
                                                                          							_push("UX requested unknown payload with id: %ls");
                                                                          							L13:
                                                                          							_push(_t77);
                                                                          							E000D012F();
                                                                          							L35:
                                                                          							goto L36;
                                                                          						}
                                                                          					}
                                                                          				} else {
                                                                          					_push("Engine is active, cannot change engine state.");
                                                                          					_push(_t77);
                                                                          					E000D012F();
                                                                          					L36:
                                                                          					LeaveCriticalSection( *(_t60 + 0xc));
                                                                          					return _t77;
                                                                          				}
                                                                          			}















                                                                          APIs
                                                                          • EnterCriticalSection.KERNEL32(?), ref: 000AF3FB
                                                                          • LeaveCriticalSection.KERNEL32(?), ref: 000AF576
                                                                          Strings
                                                                          • UX denied while trying to set download URL on embedded payload: %ls, xrefs: 000AF466
                                                                          • Failed to set download URL., xrefs: 000AF4D5
                                                                          • UX requested unknown container with id: %ls, xrefs: 000AF4A0
                                                                          • UX did not provide container or payload id., xrefs: 000AF565
                                                                          • UX requested unknown payload with id: %ls, xrefs: 000AF450
                                                                          • Engine is active, cannot change engine state., xrefs: 000AF415
                                                                          • Failed to set download user., xrefs: 000AF4FE
                                                                          • Failed to set download password., xrefs: 000AF524
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$EnterLeave
                                                                          • String ID: Engine is active, cannot change engine state.$Failed to set download URL.$Failed to set download password.$Failed to set download user.$UX denied while trying to set download URL on embedded payload: %ls$UX did not provide container or payload id.$UX requested unknown container with id: %ls$UX requested unknown payload with id: %ls
                                                                          • API String ID: 3168844106-2615595102
                                                                          • Opcode ID: b80e1b9ce4358629225fc7d7087612003180fb155a282a1ab3ec3f1300bc1289
                                                                          • Instruction ID: 57d51f4690374a3d298aff86f25f05404882496e4c4bf1678371ee62e7d6c50e
                                                                          • Opcode Fuzzy Hash: b80e1b9ce4358629225fc7d7087612003180fb155a282a1ab3ec3f1300bc1289
                                                                          • Instruction Fuzzy Hash: 3941D371E00A13ABDB61AEF5C805ABA77A8EF06711F158176FA04EB241DB34ED40C7A1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 87%
                                                                          			E000BA024(intOrPtr* _a4, WCHAR* _a8) {
                                                                          				signed int _v8;
                                                                          				intOrPtr _v12;
                                                                          				intOrPtr _v16;
                                                                          				intOrPtr _v20;
                                                                          				signed int _v24;
                                                                          				signed int _v28;
                                                                          				intOrPtr* _v32;
                                                                          				signed int _v36;
                                                                          				char _v40;
                                                                          				intOrPtr _v44;
                                                                          				intOrPtr _v48;
                                                                          				char _v52;
                                                                          				intOrPtr _t62;
                                                                          				intOrPtr _t64;
                                                                          				void* _t68;
                                                                          				intOrPtr* _t72;
                                                                          				void* _t79;
                                                                          				signed int _t83;
                                                                          				long _t84;
                                                                          				signed short _t86;
                                                                          				intOrPtr* _t94;
                                                                          				intOrPtr* _t95;
                                                                          				intOrPtr* _t98;
                                                                          				intOrPtr* _t99;
                                                                          				void* _t100;
                                                                          				WCHAR* _t103;
                                                                          				intOrPtr* _t104;
                                                                          				void* _t105;
                                                                          
                                                                          				_v8 = _v8 & 0x00000000;
                                                                          				_t62 = 0xdb524;
                                                                          				_t104 = _a4;
                                                                          				_v12 = 0xdb524;
                                                                          				_t5 = _t104 + 4; // 0x75c08524
                                                                          				_t95 =  *_t5;
                                                                          				if(_t95 == 0) {
                                                                          					_t6 = _t104 + 8; // 0x2c453905
                                                                          					_t98 =  *_t6;
                                                                          					if(_t98 != 0) {
                                                                          						_t62 =  *_t98;
                                                                          					}
                                                                          				} else {
                                                                          					_t62 =  *_t95;
                                                                          				}
                                                                          				_t7 = _t104 + 0xc; // 0x458b3e74
                                                                          				_t99 =  *_t7;
                                                                          				_a4 = _t62;
                                                                          				if(_t99 != 0) {
                                                                          					_v12 =  *_t99;
                                                                          				}
                                                                          				_t10 = _t95 + 0x2c; // 0x75c08550
                                                                          				_t94 = _t10;
                                                                          				if(_t95 != 0) {
                                                                          					_v20 =  *((intOrPtr*)(_t95 + 0x18));
                                                                          					_t64 =  *((intOrPtr*)(_t95 + 0x1c));
                                                                          				} else {
                                                                          					_t12 = _t99 + 0x40; // 0x458b3eb4
                                                                          					_t94 = _t12;
                                                                          					_v20 =  *((intOrPtr*)(_t99 + 0x10));
                                                                          					_t64 =  *((intOrPtr*)(_t99 + 0x14));
                                                                          				}
                                                                          				_v28 = _v28 & 0x00000000;
                                                                          				_v24 = _v24 & 0x00000000;
                                                                          				_v16 = _t64;
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				if(_t95 == 0) {
                                                                          					_t68 =  !=  ? 0x20000152 : 0x2000014f;
                                                                          				} else {
                                                                          					_t68 = (0 | _t99 != 0x00000000) + 0x20000150;
                                                                          				}
                                                                          				_push( *_t94);
                                                                          				_push("download");
                                                                          				_push(_v12);
                                                                          				E0009550F(2, _t68, _a4);
                                                                          				_t103 = _a8;
                                                                          				if(E000D4315(_t103,  &_v8) == 0) {
                                                                          					L16:
                                                                          					_v36 = _v36 & 0x00000000;
                                                                          					_v40 = E000B993C;
                                                                          					_v32 = _t104;
                                                                          					_t72 =  *_t94;
                                                                          					_t97 = 0x62;
                                                                          					if(_t97 !=  *_t72) {
                                                                          						L24:
                                                                          						_v52 =  *_t104;
                                                                          						_v48 = _a4;
                                                                          						_v44 = _v12;
                                                                          						_v24 =  &_v52;
                                                                          						_v28 = E000B9855;
                                                                          						_t79 = E000D635A(_t97, _t94, _v20, _v16, _t103,  &_v40,  &_v28);
                                                                          						L25:
                                                                          						_t105 = _t79;
                                                                          						if(_t105 < 0) {
                                                                          							_push(_t103);
                                                                          							E000D012F(_t105, "Failed attempt to download URL: \'%ls\' to: \'%ls\'",  *_t94);
                                                                          						}
                                                                          						goto L27;
                                                                          					}
                                                                          					_t97 = 0x69;
                                                                          					if(_t97 !=  *((intOrPtr*)(_t72 + 2))) {
                                                                          						goto L24;
                                                                          					}
                                                                          					_t97 = 0x74;
                                                                          					if(_t97 !=  *((intOrPtr*)(_t72 + 4))) {
                                                                          						goto L24;
                                                                          					}
                                                                          					_t100 = 0x73;
                                                                          					if(_t100 !=  *((intOrPtr*)(_t72 + 6))) {
                                                                          						goto L24;
                                                                          					}
                                                                          					_t97 =  *(_t72 + 8) & 0x0000ffff;
                                                                          					_a8 = 0x3a;
                                                                          					if(_a8 == _t97) {
                                                                          						L23:
                                                                          						_t79 = E000BDC0D(_t100,  &_v40, _t94, _t103);
                                                                          						goto L25;
                                                                          					}
                                                                          					if(_t100 != _t97) {
                                                                          						goto L24;
                                                                          					}
                                                                          					_t97 = _a8;
                                                                          					if(_a8 !=  *((intOrPtr*)(_t72 + 0xa))) {
                                                                          						goto L24;
                                                                          					}
                                                                          					goto L23;
                                                                          				} else {
                                                                          					_t83 = _v8;
                                                                          					if((_t83 & 0x00000001) == 0) {
                                                                          						goto L16;
                                                                          					}
                                                                          					_t84 = _t83 & 0xfffffffe;
                                                                          					_v8 = _t84;
                                                                          					if(SetFileAttributesW(_t103, _t84) != 0) {
                                                                          						goto L16;
                                                                          					}
                                                                          					_t86 = GetLastError();
                                                                          					_t108 =  <=  ? _t86 : _t86 & 0x0000ffff | 0x80070000;
                                                                          					_t105 =  >=  ? 0x80004005 :  <=  ? _t86 : _t86 & 0x0000ffff | 0x80070000;
                                                                          					E000937D3(0x80004005, "apply.cpp", 0x568, _t105);
                                                                          					E000D012F(_t105, "Failed to clear readonly bit on payload destination path: %ls", _t103);
                                                                          					L27:
                                                                          					return _t105;
                                                                          				}
                                                                          			}































                                                                          0x000ba160
                                                                          0x000ba165
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x000ba169
                                                                          0x000ba16e
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x000ba170
                                                                          0x000ba174
                                                                          0x000ba17f
                                                                          0x000ba18f
                                                                          0x000ba195
                                                                          0x00000000
                                                                          0x000ba195
                                                                          0x000ba184
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x000ba186
                                                                          0x000ba18d
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x000ba0e2
                                                                          0x000ba0e2
                                                                          0x000ba0e7
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x000ba0e9
                                                                          0x000ba0ee
                                                                          0x000ba0f9
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x000ba0fb
                                                                          0x000ba10c
                                                                          0x000ba116
                                                                          0x000ba124
                                                                          0x000ba130
                                                                          0x000ba1e7
                                                                          0x000ba1ee
                                                                          0x000ba1ee

                                                                          APIs
                                                                          • SetFileAttributesW.KERNEL32(?,00000000,?,00000000,?,?,?,00000001,00000000,?), ref: 000BA0F1
                                                                          • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 000BA0FB
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: AttributesErrorFileLast
                                                                          • String ID: :$@Mt$Failed attempt to download URL: '%ls' to: '%ls'$Failed to clear readonly bit on payload destination path: %ls$apply.cpp$download
                                                                          • API String ID: 1799206407-2545347765
                                                                          • Opcode ID: 426d2b5fb83aa5ab7b41826f25f5c1183eb900b81cdb474a2544cce2a4f44e5c
                                                                          • Instruction ID: e9416ab0304c17780835574176f161b9859b6895924622fb631046b4953ed826
                                                                          • Opcode Fuzzy Hash: 426d2b5fb83aa5ab7b41826f25f5c1183eb900b81cdb474a2544cce2a4f44e5c
                                                                          • Instruction Fuzzy Hash: 4251AE71A00209AFDB51EFA9C840AEFB7F5EF05710F10845AE905EB251E335EE41CBA2
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 40%
                                                                          			E000D635A(void* __ecx, intOrPtr* _a4, signed short _a8, WCHAR* _a12, WCHAR* _a16, intOrPtr _a20, intOrPtr _a24) {
                                                                          				signed int _v8;
                                                                          				char _v12;
                                                                          				signed int _v16;
                                                                          				WCHAR* _v20;
                                                                          				intOrPtr _v24;
                                                                          				char _v28;
                                                                          				signed short _v32;
                                                                          				void* _v36;
                                                                          				WCHAR* _v40;
                                                                          				char _v44;
                                                                          				signed int _t57;
                                                                          				WCHAR* _t69;
                                                                          				signed short _t78;
                                                                          				WCHAR* _t85;
                                                                          				void* _t88;
                                                                          				intOrPtr* _t90;
                                                                          
                                                                          				_t82 = __ecx;
                                                                          				_v16 = _v16 | 0xffffffff;
                                                                          				_t81 = _a4;
                                                                          				asm("xorps xmm0, xmm0");
                                                                          				_v12 = 0;
                                                                          				_t85 = 0;
                                                                          				_v8 = 0;
                                                                          				_v20 = 0;
                                                                          				_v44 = 0;
                                                                          				_v40 = 0;
                                                                          				asm("movlpd [ebp-0x18], xmm0");
                                                                          				asm("movlpd [ebp-0x20], xmm0");
                                                                          				_t88 = E000921A5( &_v12,  *_a4, 0);
                                                                          				if(_t88 < 0) {
                                                                          					L12:
                                                                          					_t48 = _v20;
                                                                          					if(_v20 != 0) {
                                                                          						E000D54EF(_t48);
                                                                          					}
                                                                          					if(_t85 != 0) {
                                                                          						 *0xfa96c(_t85);
                                                                          					}
                                                                          					if(_v12 != 0) {
                                                                          						E000D54EF(_v12);
                                                                          					}
                                                                          					return _t88;
                                                                          				}
                                                                          				 *0xfa98c(L"Burn", 0, 0, 0, 0);
                                                                          				_t85 = 0;
                                                                          				if(0 != 0) {
                                                                          					E000D56B2(__ecx, L"WiX\\Burn", L"DownloadTimeout", 0x78,  &_v8);
                                                                          					_t57 = _v8;
                                                                          					if(_t57 != 0) {
                                                                          						_t90 =  *0xfa970; // 0xda79b
                                                                          						_v8 = _t57 * 0x3e8;
                                                                          						 *_t90(0, 2,  &_v8, 4);
                                                                          						 *_t90(0, 6,  &_v8, 4);
                                                                          						 *_t90(0, 5,  &_v8, 4);
                                                                          					}
                                                                          					_t88 = E000D5BBF(_t82, _t85,  &_v12,  *((intOrPtr*)(_t81 + 4)),  *((intOrPtr*)(_t81 + 8)), _a24,  &_v36,  &_v44);
                                                                          					if(_t88 >= 0) {
                                                                          						E000D5C68(_t82, _a16,  &_v20,  &_v16,  &_v28);
                                                                          						_t88 = E000D5916(_t85,  &_v12,  *((intOrPtr*)(_t81 + 4)),  *((intOrPtr*)(_t81 + 8)), _a16, _a8, _a12, _v36, _v32, _v28, _v24, _v16, _a20, _a24);
                                                                          						if(_t88 >= 0) {
                                                                          							_t69 = _v20;
                                                                          							if(_t69 != 0 &&  *_t69 != 0) {
                                                                          								DeleteFileW(_t69);
                                                                          							}
                                                                          						}
                                                                          						if(_v16 != 0xffffffff) {
                                                                          							CloseHandle(_v16);
                                                                          						}
                                                                          					}
                                                                          				} else {
                                                                          					_t78 = GetLastError();
                                                                          					_t93 =  <=  ? _t78 : _t78 & 0x0000ffff | 0x80070000;
                                                                          					_t88 =  >=  ? 0x80004005 :  <=  ? _t78 : _t78 & 0x0000ffff | 0x80070000;
                                                                          					E000937D3(0x80004005, "dlutil.cpp", 0x84, _t88);
                                                                          				}
                                                                          			}


                                                                          APIs
                                                                          • GetLastError.KERNEL32 ref: 000D63B7
                                                                          • DeleteFileW.KERNEL32(00000000,00000000,00000000,?,?,00000078,000000FF,00000000,?,?,?,00000078,000000FF,?,?,00000078), ref: 000D64AE
                                                                          • CloseHandle.KERNEL32(000000FF,00000000,00000000,?,?,00000078,000000FF,00000000,?,?,?,00000078,000000FF,?,?,00000078), ref: 000D64BD
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: CloseDeleteErrorFileHandleLast
                                                                          • String ID: @Mt$Burn$DownloadTimeout$WiX\Burn$dlutil.cpp
                                                                          • API String ID: 3522763407-476958414
                                                                          • Opcode ID: 024740055229327738ad7885d932555297b74861f18dffde61e975052faa6097
                                                                          • Instruction ID: b24d15a725e2f51ea2de4b30dbdaedb626722b4de3ccbd78616acc76e08d90fa
                                                                          • Opcode Fuzzy Hash: 024740055229327738ad7885d932555297b74861f18dffde61e975052faa6097
                                                                          • Instruction Fuzzy Hash: 39514D72D00619BBDF129FA4CC41EEEBBB9EF08710F014156FA14E6290E7368A51DBB0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 45%
                                                                          			E000A9080(intOrPtr _a4, intOrPtr _a8) {
                                                                          				signed int _v8;
                                                                          				char _v28;
                                                                          				signed int _v32;
                                                                          				char _v36;
                                                                          				char _v40;
                                                                          				signed int _v44;
                                                                          				intOrPtr _v48;
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				void* __ebp;
                                                                          				signed int _t40;
                                                                          				intOrPtr _t44;
                                                                          				signed short _t57;
                                                                          				void* _t64;
                                                                          				void* _t71;
                                                                          				void* _t72;
                                                                          				signed int _t73;
                                                                          				intOrPtr _t79;
                                                                          				char* _t80;
                                                                          				void* _t82;
                                                                          				signed int _t87;
                                                                          				void* _t88;
                                                                          
                                                                          				_t40 =  *0xfa008; // 0x90c8e23b
                                                                          				_v8 = _t40 ^ _t87;
                                                                          				_t79 = _a8;
                                                                          				_t80 =  &_v28;
                                                                          				_v36 = 0x14;
                                                                          				asm("stosd");
                                                                          				_v32 = 0;
                                                                          				_t72 = 0x80070490;
                                                                          				_v40 = 0;
                                                                          				_t73 = 0;
                                                                          				_v48 = _t79;
                                                                          				asm("stosd");
                                                                          				_v44 = 0;
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				_t44 =  *((intOrPtr*)( *((intOrPtr*)(_t79 + 0x10))));
                                                                          				if( *((intOrPtr*)(_t44 + 0xc)) <= 0) {
                                                                          					L12:
                                                                          					_t82 = _t72;
                                                                          					if(_t72 >= 0) {
                                                                          						L15:
                                                                          						_t45 = _v32;
                                                                          						if(_v32 != 0) {
                                                                          							E00093999(_t45);
                                                                          						}
                                                                          						return E000BDE36(_t72, _v8 ^ _t87, _t79, _t80, _t82);
                                                                          					}
                                                                          					_push("Failed to find expected public key in certificate chain.");
                                                                          					_push(_t72);
                                                                          					L14:
                                                                          					E000D012F();
                                                                          					goto L15;
                                                                          				}
                                                                          				_t80 = _a4;
                                                                          				while(1) {
                                                                          					_t83 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x10)) + _t73 * 4)) + 4));
                                                                          					_push( &_v36);
                                                                          					_push( &_v28);
                                                                          					_push( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x10)) + _t73 * 4)) + 4)) + 0xc)) + 0x38);
                                                                          					_push(1);
                                                                          					_push(0);
                                                                          					_push(0x8004);
                                                                          					_push(0);
                                                                          					if( *0xfa93c() == 0) {
                                                                          						break;
                                                                          					}
                                                                          					_t60 = _v36;
                                                                          					if( *((intOrPtr*)(_t80 + 0x24)) != _v36) {
                                                                          						L11:
                                                                          						_t73 = _v44 + 1;
                                                                          						_v44 = _t73;
                                                                          						_t44 =  *((intOrPtr*)( *((intOrPtr*)(_v48 + 0x10))));
                                                                          						if(_t73 <  *((intOrPtr*)(_t44 + 0xc))) {
                                                                          							continue;
                                                                          						}
                                                                          						goto L12;
                                                                          					}
                                                                          					_t64 = E000BF919( *((intOrPtr*)(_t80 + 0x20)),  &_v28, _t60);
                                                                          					_t88 = _t88 + 0xc;
                                                                          					if(_t64 != 0) {
                                                                          						goto L11;
                                                                          					}
                                                                          					if( *((intOrPtr*)(_t80 + 0x28)) == _t64) {
                                                                          						_t72 = 0;
                                                                          						goto L12;
                                                                          					}
                                                                          					_t82 = E000D5587(_t73, _t83, 3,  &_v32,  &_v40);
                                                                          					if(_t82 < 0) {
                                                                          						_push("Failed to read certificate thumbprint.");
                                                                          						L20:
                                                                          						_push(_t82);
                                                                          						goto L14;
                                                                          					}
                                                                          					_t68 = _v40;
                                                                          					if( *((intOrPtr*)(_t80 + 0x2c)) != _v40) {
                                                                          						L9:
                                                                          						_t69 = _v32;
                                                                          						if(_v32 != 0) {
                                                                          							E00093999(_t69);
                                                                          							_v32 = _v32 & 0x00000000;
                                                                          						}
                                                                          						goto L11;
                                                                          					}
                                                                          					_t71 = E000BF919( *((intOrPtr*)(_t80 + 0x28)), _v32, _t68);
                                                                          					_t88 = _t88 + 0xc;
                                                                          					if(_t71 == 0) {
                                                                          						_t82 = 0;
                                                                          						goto L15;
                                                                          					}
                                                                          					goto L9;
                                                                          				}
                                                                          				_t57 = GetLastError();
                                                                          				_t86 =  <=  ? _t57 : _t57 & 0x0000ffff | 0x80070000;
                                                                          				_t82 =  >=  ? 0x80004005 :  <=  ? _t57 : _t57 & 0x0000ffff | 0x80070000;
                                                                          				E000937D3(0x80004005, "cache.cpp", 0x7c4, _t82);
                                                                          				_push("Failed to get certificate public key identifier.");
                                                                          				goto L20;
                                                                          			}

                                                                          APIs
                                                                          • _memcmp.LIBVCRUNTIME ref: 000A910E
                                                                            • Part of subcall function 000D5587: GetLastError.KERNEL32(?,?,000A9133,?,00000003,00000000,?), ref: 000D55A6
                                                                          • _memcmp.LIBVCRUNTIME ref: 000A9148
                                                                          • GetLastError.KERNEL32 ref: 000A91C2
                                                                          Strings
                                                                          • Failed to read certificate thumbprint., xrefs: 000A91B6
                                                                          • cache.cpp, xrefs: 000A91E6
                                                                          • Failed to get certificate public key identifier., xrefs: 000A91F0
                                                                          • @Mt, xrefs: 000A91C2
                                                                          • Failed to find expected public key in certificate chain., xrefs: 000A9183
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast_memcmp
                                                                          • String ID: @Mt$Failed to find expected public key in certificate chain.$Failed to get certificate public key identifier.$Failed to read certificate thumbprint.$cache.cpp
                                                                          • API String ID: 3428363238-1254166371
                                                                          • Opcode ID: 6dff167b2c370599af2451650f3a99526c1c6e6ce2c23723bbb588300634ba59
                                                                          • Instruction ID: a112259926f0f8c1567fa50ffe426a39b244c410f3bd90e4aca4267b17565133
                                                                          • Opcode Fuzzy Hash: 6dff167b2c370599af2451650f3a99526c1c6e6ce2c23723bbb588300634ba59
                                                                          • Instruction Fuzzy Hash: B2415C71F00216AFDB50DBE9D845AAEB7F9AF09750F014129FA05FB251D674ED00CBA4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 51%
                                                                          			E0009F2DC(void* __ebx, intOrPtr _a4, void* _a8) {
                                                                          				char _v8;
                                                                          				char _v12;
                                                                          				char _v16;
                                                                          				char _v20;
                                                                          				intOrPtr _t49;
                                                                          				intOrPtr* _t52;
                                                                          				char _t54;
                                                                          				intOrPtr* _t58;
                                                                          				char _t59;
                                                                          
                                                                          				_t58 = _a8;
                                                                          				_t59 = 0;
                                                                          				_v16 = 0;
                                                                          				_v8 = 0;
                                                                          				_v12 = 0;
                                                                          				_v20 = 0;
                                                                          				if( *((intOrPtr*)(_t58 + 4)) <= 0) {
                                                                          					L22:
                                                                          					return _t59;
                                                                          				}
                                                                          				_t54 = 0;
                                                                          				_a8 = 0;
                                                                          				while(1) {
                                                                          					_t52 =  *_t58 + _t54;
                                                                          					_t59 = E000971CF(_a4,  *((intOrPtr*)(_t52 + 8)),  &_v16, 0);
                                                                          					if(_t59 < 0) {
                                                                          						break;
                                                                          					}
                                                                          					_t59 = E00092D79(_t54, _v16, L"swidtag",  &_v8);
                                                                          					if(_t59 < 0) {
                                                                          						_push("Failed to allocate regid folder path.");
                                                                          						L15:
                                                                          						_push(_t59);
                                                                          						E000D012F();
                                                                          						L16:
                                                                          						if(_v12 != 0) {
                                                                          							E000D54EF(_v12);
                                                                          						}
                                                                          						if(_v8 != 0) {
                                                                          							E000D54EF(_v8);
                                                                          						}
                                                                          						if(_v16 != 0) {
                                                                          							E000D54EF(_v16);
                                                                          						}
                                                                          						goto L22;
                                                                          					}
                                                                          					_t59 = E00092D79(_t54, _v8,  *_t52,  &_v12);
                                                                          					if(_t59 < 0) {
                                                                          						_push("Failed to allocate regid file path.");
                                                                          						goto L15;
                                                                          					}
                                                                          					_t59 = E00094013(_v8, 0);
                                                                          					if(_t59 < 0) {
                                                                          						_push(_v8);
                                                                          						_push("Failed to create regid folder: %ls");
                                                                          						L11:
                                                                          						_push(_t59);
                                                                          						E000D012F();
                                                                          						goto L16;
                                                                          					}
                                                                          					_t59 = E000D4C67(_t54, _v12, 0x80,  *(_t52 + 0xc), lstrlenA( *(_t52 + 0xc)), 0);
                                                                          					if(_t59 < 0) {
                                                                          						_push(_v12);
                                                                          						_push("Failed to write tag xml to file: %ls");
                                                                          						goto L11;
                                                                          					}
                                                                          					_t49 = _v20 + 1;
                                                                          					_t54 = _a8 + 0x10;
                                                                          					_v20 = _t49;
                                                                          					_t22 = _t58 + 4; // 0x8680a79
                                                                          					_push(0);
                                                                          					_a8 = _t54;
                                                                          					_pop(0);
                                                                          					if(_t49 <  *_t22) {
                                                                          						continue;
                                                                          					}
                                                                          					goto L16;
                                                                          				}
                                                                          				_push("Failed to format tag folder path.");
                                                                          				goto L15;
                                                                          			}

                                                                          APIs
                                                                          • _MREFOpen@16.MSPDB140-MSVCRT ref: 0009F315
                                                                            • Part of subcall function 00094013: CreateDirectoryW.KERNELBASE(0009533D,000953B5,00000000,00000000,?,000A9EE4,00000000,00000000,0009533D,00000000,000952B5,00000000,?,=S,0009D4AC,=S), ref: 00094021
                                                                            • Part of subcall function 00094013: GetLastError.KERNEL32(?,000A9EE4,00000000,00000000,0009533D,00000000,000952B5,00000000,?,=S,0009D4AC,=S,00000000,00000000), ref: 0009402F
                                                                          • lstrlenA.KERNEL32(000DB4F0,00000000,00000094,00000000,00000094,?,?,000A0328,swidtag,00000094,?,000DB508,000A0328,00000000,?,00000000), ref: 0009F368
                                                                            • Part of subcall function 000D4C67: CreateFileW.KERNEL32(000DB4F0,40000000,00000001,00000000,00000002,00000080,00000000,000A0328,00000000,?,0009F37F,?,00000080,000DB4F0,00000000), ref: 000D4C7F
                                                                            • Part of subcall function 000D4C67: GetLastError.KERNEL32(?,0009F37F,?,00000080,000DB4F0,00000000,?,000A0328,?,00000094,?,?,?,?,?,00000000), ref: 000D4C8C
                                                                          Strings
                                                                          • Failed to allocate regid folder path., xrefs: 0009F3C7
                                                                          • swidtag, xrefs: 0009F328
                                                                          • Failed to format tag folder path., xrefs: 0009F3CE
                                                                          • Failed to write tag xml to file: %ls, xrefs: 0009F3A6
                                                                          • Failed to create regid folder: %ls, xrefs: 0009F3B0
                                                                          • Failed to allocate regid file path., xrefs: 0009F3C0
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: CreateErrorLast$DirectoryFileOpen@16lstrlen
                                                                          • String ID: Failed to allocate regid file path.$Failed to allocate regid folder path.$Failed to create regid folder: %ls$Failed to format tag folder path.$Failed to write tag xml to file: %ls$swidtag
                                                                          • API String ID: 904508749-1201533908
                                                                          • Opcode ID: 09935c03add726dafb011d3482201540f14e8a5ce3a7a529c38feff55474f95a
                                                                          • Instruction ID: 06e5fbf04146f279c8944a668440645962695bc66c4fffb33adf68f678d7b837
                                                                          • Opcode Fuzzy Hash: 09935c03add726dafb011d3482201540f14e8a5ce3a7a529c38feff55474f95a
                                                                          • Instruction Fuzzy Hash: 56316C32D0121ABFCF219AA5DC42BEDBBB5AF04710F108176FA14FA251D7799E50AB90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 92%
                                                                          			E000D837F(void* __ecx, void* __eflags, signed int _a4, intOrPtr* _a8) {
                                                                          				short* _v8;
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				signed int _t45;
                                                                          				signed int _t51;
                                                                          				short* _t52;
                                                                          				signed int _t55;
                                                                          				signed int _t64;
                                                                          				short* _t67;
                                                                          				short** _t75;
                                                                          				short* _t81;
                                                                          				intOrPtr* _t84;
                                                                          
                                                                          				_t81 = 0;
                                                                          				_t84 = E000938D4(0x10, 1);
                                                                          				_t75 =  *(_a4 + 0x44);
                                                                          				while(_t75 != 0) {
                                                                          					if(CompareStringW(0x7f, 0,  *_t75, 0xffffffff, L"http://appsyndication.org/2006/appsyn", 0xffffffff) != 2 || CompareStringW(0x7f, 0, _t75[1], 0xffffffff, L"application", 0xffffffff) != 2) {
                                                                          						L9:
                                                                          						_t75 = _t75[4];
                                                                          						continue;
                                                                          					} else {
                                                                          						_t81 = E000921A5(_t84, _t75[2], 0);
                                                                          						if(_t81 < 0) {
                                                                          							L29:
                                                                          							if(_t84 != 0) {
                                                                          								E000D8530(_t75, _t81, _t84);
                                                                          							}
                                                                          							return _t81;
                                                                          						}
                                                                          						_t67 = _t75[3];
                                                                          						while(1) {
                                                                          							_v8 = _t67;
                                                                          							if(_t67 == 0) {
                                                                          								goto L9;
                                                                          							}
                                                                          							_t6 =  &(_t67[2]); // 0x700079
                                                                          							if(CompareStringW(0x7f, 0,  *_t6, 0xffffffff, L"type", 0xffffffff) != 2) {
                                                                          								L7:
                                                                          								_t67 = _v8[6];
                                                                          								continue;
                                                                          							}
                                                                          							_t9 = _t84 + 4; // 0x4
                                                                          							_t81 = E000921A5(_t9, _v8[4], 0);
                                                                          							if(_t81 < 0) {
                                                                          								goto L29;
                                                                          							}
                                                                          							goto L7;
                                                                          						}
                                                                          						goto L9;
                                                                          					}
                                                                          				}
                                                                          				_t75 = _a4;
                                                                          				_t44 = _t75[0xc];
                                                                          				if(_t75[0xc] == 0) {
                                                                          					L22:
                                                                          					_t45 =  *(_t84 + 8);
                                                                          					if(_t45 == _t75[0xc]) {
                                                                          						L28:
                                                                          						 *_a8 = _t84;
                                                                          						_t84 = 0;
                                                                          						goto L29;
                                                                          					}
                                                                          					if(_t45 == 0) {
                                                                          						if( *(_t84 + 0xc) != 0) {
                                                                          							E00093999( *(_t84 + 0xc));
                                                                          							 *(_t84 + 0xc) =  *(_t84 + 0xc) & 0x00000000;
                                                                          						}
                                                                          						goto L28;
                                                                          					}
                                                                          					_t51 = E00093A72( *(_t84 + 0xc), _t45 << 6, 0);
                                                                          					 *(_t84 + 0xc) = _t51;
                                                                          					if(_t51 != 0) {
                                                                          						goto L28;
                                                                          					}
                                                                          					_t52 = 0x8007000e;
                                                                          					_push(0x8007000e);
                                                                          					_push(0x6c);
                                                                          					L14:
                                                                          					_push("apuputil.cpp");
                                                                          					_t81 = _t52;
                                                                          					E000937D3(_t52);
                                                                          					goto L29;
                                                                          				}
                                                                          				_t55 = E000938D4(_t44 << 6, 1);
                                                                          				 *(_t84 + 0xc) = _t55;
                                                                          				if(_t55 != 0) {
                                                                          					_a4 = _a4 & 0x00000000;
                                                                          					if(_t75[0xc] <= 0) {
                                                                          						L21:
                                                                          						E000DA280( *(_t84 + 0xc),  *(_t84 + 8), 0x40, E000D7D0A, 0);
                                                                          						goto L22;
                                                                          					}
                                                                          					_t78 = 0;
                                                                          					_v8 = 0;
                                                                          					while(1) {
                                                                          						_t81 = E000D7FEC(_t75[0xd] + _t78,  *_t84, ( *(_t84 + 8) << 6) +  *(_t84 + 0xc));
                                                                          						if(_t81 < 0) {
                                                                          							goto L29;
                                                                          						}
                                                                          						if(_t81 != 1) {
                                                                          							 *(_t84 + 8) =  *(_t84 + 8) + 1;
                                                                          						}
                                                                          						_t64 = _a4 + 1;
                                                                          						_t78 =  &(_v8[0x20]);
                                                                          						_a4 = _t64;
                                                                          						_v8 =  &(_v8[0x20]);
                                                                          						if(_t64 < _t75[0xc]) {
                                                                          							continue;
                                                                          						} else {
                                                                          							goto L21;
                                                                          						}
                                                                          					}
                                                                          					goto L29;
                                                                          				}
                                                                          				_t52 = 0x8007000e;
                                                                          				_push(0x8007000e);
                                                                          				_push(0x54);
                                                                          				goto L14;
                                                                          			}

                                                                          APIs
                                                                            • Part of subcall function 000938D4: GetProcessHeap.KERNEL32(?,000001C7,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938E5
                                                                            • Part of subcall function 000938D4: RtlAllocateHeap.NTDLL(00000000,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938EC
                                                                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000010,00000001,00000000,00000000,00000000,?,?,000B8E1F,000002C0,00000100), ref: 000D83AD
                                                                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF,?,?,000B8E1F,000002C0,00000100,000002C0,000002C0,00000100,000002C0,00000410), ref: 000D83C8
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: CompareHeapString$AllocateProcess
                                                                          • String ID: application$apuputil.cpp$http://appsyndication.org/2006/appsyn$type
                                                                          • API String ID: 2664528157-4206478990
                                                                          • Opcode ID: bcc60fe8eb33471e917ddc5fea8a4341dd96505767f40493e43642db49d52607
                                                                          • Instruction ID: 870ca767cc06d69b14c1191cbea14951b54edea9044406786934034cf75e77f4
                                                                          • Opcode Fuzzy Hash: bcc60fe8eb33471e917ddc5fea8a4341dd96505767f40493e43642db49d52607
                                                                          • Instruction Fuzzy Hash: 7951C031644702ABEF619F14CC86F6A77E5EF04760F20C216FA699B3D6DB71E9409B20
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 70%
                                                                          			E000A0419(void* __ecx, void* __edx, void* __eflags, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                          				void* _v8;
                                                                          				void* _v12;
                                                                          				char _v16;
                                                                          				void* _t65;
                                                                          				void* _t68;
                                                                          				void* _t72;
                                                                          				void* _t74;
                                                                          				intOrPtr* _t75;
                                                                          				void* _t77;
                                                                          				void* _t78;
                                                                          
                                                                          				_t72 = __edx;
                                                                          				_t68 = __ecx;
                                                                          				_t75 = _a4;
                                                                          				_v16 = 0;
                                                                          				_v12 = 0;
                                                                          				_v8 = 0;
                                                                          				_push(E000A3C30( *((intOrPtr*)(_t75 + 8))));
                                                                          				_push(E000A4224(_a16));
                                                                          				_push(E000A4257(_a12));
                                                                          				E0009550F(2, 0x20000174,  *((intOrPtr*)(_t75 + 0x50)));
                                                                          				_t78 = _t77 + 0x18;
                                                                          				if(_a16 != 0) {
                                                                          					_t65 = E00091F20( &_v16, L"%ls.RebootRequired",  *((intOrPtr*)(_t75 + 0x50)));
                                                                          					_t78 = _t78 + 0xc;
                                                                          					if(_t65 < 0) {
                                                                          						L3:
                                                                          						_push("Failed to write volatile reboot required registry key.");
                                                                          						E000D012F();
                                                                          						_t68 = _t65;
                                                                          					} else {
                                                                          						_t65 = E000D0AD5(_t68,  *((intOrPtr*)(_t75 + 0x4c)), _v16, 0x20006, 1, 0,  &_v12, 0);
                                                                          						if(_t65 < 0) {
                                                                          							goto L3;
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          				if(_a12 != 0) {
                                                                          					_t74 = E000D0E3F( *((intOrPtr*)(_t75 + 0x4c)),  *((intOrPtr*)(_t75 + 0x50)), 0x20006,  &_v8);
                                                                          					__eflags = _t74;
                                                                          					if(_t74 >= 0) {
                                                                          						goto L14;
                                                                          					} else {
                                                                          						_push("Failed to open registration key.");
                                                                          						goto L16;
                                                                          					}
                                                                          				} else {
                                                                          					if(_a20 == 1 || _a20 == 2) {
                                                                          						E000B840F(_t68, _t75);
                                                                          					}
                                                                          					if( *((intOrPtr*)(_t75 + 0x9c)) != 0) {
                                                                          						E0009EEF9(_t68, _t75);
                                                                          					}
                                                                          					_t19 = _t75 + 0x94; // 0x95
                                                                          					E0009EE0F(_a8, _t19);
                                                                          					_t74 = E000D0B49(_t68,  *((intOrPtr*)(_t75 + 0x4c)),  *((intOrPtr*)(_t75 + 0x50)), 0, 0);
                                                                          					if(_t74 == 0x80070002 || _t74 >= 0) {
                                                                          						E000AA66C(_t68, _t72,  *_t75,  *((intOrPtr*)(_t75 + 0x10)));
                                                                          						L14:
                                                                          						__eflags = _a16 - 2;
                                                                          						_t74 = E0009F09D(_t72, _a16 - 2, _t75, _v8, _a12, 0 | _a16 == 0x00000002);
                                                                          						__eflags = _t74;
                                                                          						if(_t74 < 0) {
                                                                          							_push("Failed to update resume mode.");
                                                                          							L16:
                                                                          							_push(_t74);
                                                                          							E000D012F();
                                                                          						}
                                                                          					} else {
                                                                          						E000D012F(_t74, "Failed to delete registration key: %ls",  *((intOrPtr*)(_t75 + 0x50)));
                                                                          					}
                                                                          				}
                                                                          				if(_v8 != 0) {
                                                                          					RegCloseKey(_v8);
                                                                          					_v8 = _v8 & 0x00000000;
                                                                          				}
                                                                          				if(_v12 != 0) {
                                                                          					RegCloseKey(_v12);
                                                                          					_v12 = _v12 & 0x00000000;
                                                                          				}
                                                                          				if(_v16 != 0) {
                                                                          					E000D54EF(_v16);
                                                                          				}
                                                                          				return _t74;
                                                                          			}














                                                                          APIs
                                                                          • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,?,?,00000000,?), ref: 000A054A
                                                                          • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,?,?,00000000,?), ref: 000A0559
                                                                            • Part of subcall function 000D0AD5: RegCreateKeyExW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,00000001,?,?,000A0491,?,00000000,00020006), ref: 000D0AFA
                                                                          Strings
                                                                          • %ls.RebootRequired, xrefs: 000A0467
                                                                          • Failed to write volatile reboot required registry key., xrefs: 000A0495
                                                                          • Failed to open registration key., xrefs: 000A0591
                                                                          • Failed to update resume mode., xrefs: 000A052E
                                                                          • Failed to delete registration key: %ls, xrefs: 000A04F8
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: Close$Create
                                                                          • String ID: %ls.RebootRequired$Failed to delete registration key: %ls$Failed to open registration key.$Failed to update resume mode.$Failed to write volatile reboot required registry key.
                                                                          • API String ID: 359002179-2517785395
                                                                          • Opcode ID: a3ed8e93db985b37a37520a7366e5e0d3ef6ab232b1126103fdcadc2a6bc5895
                                                                          • Instruction ID: cac0947bb03d13297f0193eed5b25f6200e436f3b264dba896673226bd895ddf
                                                                          • Opcode Fuzzy Hash: a3ed8e93db985b37a37520a7366e5e0d3ef6ab232b1126103fdcadc2a6bc5895
                                                                          • Instruction Fuzzy Hash: B7418032900718FFDF22AEB1DC02EEF7BB9AF45310F14442AFA4561152D7729A50DB61
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 87%
                                                                          			E000D041B(void* __ecx, void* __edx, void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                                                                          				char _v8;
                                                                          				void* __ebx;
                                                                          				void* __esi;
                                                                          				intOrPtr* _t17;
                                                                          				void* _t24;
                                                                          				void* _t26;
                                                                          				intOrPtr _t27;
                                                                          				intOrPtr _t30;
                                                                          				void* _t41;
                                                                          				void* _t42;
                                                                          				void* _t44;
                                                                          
                                                                          				_t42 = __edi;
                                                                          				_t41 = __edx;
                                                                          				_t40 = __ecx;
                                                                          				_push(__ecx);
                                                                          				_v8 = 0;
                                                                          				EnterCriticalSection(0xfb60c);
                                                                          				_t17 = _a16;
                                                                          				if(_t17 == 0 ||  *_t17 == 0) {
                                                                          					_t44 = E00092D79(_t40, _a4, _a8, 0xfb604);
                                                                          					if(_t44 < 0) {
                                                                          						goto L21;
                                                                          					}
                                                                          					_t44 = E00093446(_t40,  *0xfb604,  &_v8);
                                                                          					if(_t44 < 0) {
                                                                          						goto L21;
                                                                          					}
                                                                          					_t44 = E00094013(_v8, 0);
                                                                          					if(_t44 < 0) {
                                                                          						goto L21;
                                                                          					}
                                                                          					_push(0);
                                                                          					_push(0x80);
                                                                          					_t24 = 2;
                                                                          					_t40 = 4;
                                                                          					_t25 =  !=  ? _t40 : _t24;
                                                                          					_t26 = CreateFileW( *0xfb604, 0x40000000, 1, 0,  !=  ? _t40 : _t24, ??, ??);
                                                                          					 *0xfa774 = _t26;
                                                                          					if(_t26 != 0xffffffff) {
                                                                          						L11:
                                                                          						if(_a20 != 0) {
                                                                          							SetFilePointer(_t26, 0, 0, 2);
                                                                          						}
                                                                          						goto L13;
                                                                          					}
                                                                          					_t44 =  <=  ? GetLastError() : _t34 & 0x0000ffff | 0x80070000;
                                                                          					if(_t44 >= 0) {
                                                                          						_t26 =  *0xfa774; // 0xffffffff
                                                                          						goto L11;
                                                                          					}
                                                                          					E000937D3(_t34, "logutil.cpp", 0x81, _t44);
                                                                          					goto L21;
                                                                          				} else {
                                                                          					_t44 = E00092DE0(_t40, _a4, _a8, _a12, _t17, 0xfb604, 0xfa774);
                                                                          					if(_t44 < 0) {
                                                                          						L21:
                                                                          						LeaveCriticalSection(0xfb60c);
                                                                          						if(_v8 != 0) {
                                                                          							E000D54EF(_v8);
                                                                          						}
                                                                          						return _t44;
                                                                          					} else {
                                                                          						L13:
                                                                          						if(_a24 != 0) {
                                                                          							E000D01F0(0, _t41, _t42, _t44);
                                                                          						}
                                                                          						_t27 =  *0xfb608; // 0x0
                                                                          						if(_t27 != 0) {
                                                                          							E000D0658(_t40, _t41, _t27);
                                                                          							_t30 =  *0xfb608; // 0x0
                                                                          							if(_t30 != 0) {
                                                                          								E000D54EF(_t30);
                                                                          								 *0xfb608 = 0;
                                                                          							}
                                                                          						}
                                                                          						if(_a28 == 0) {
                                                                          							L20:
                                                                          							 *0xfb634 = 0;
                                                                          							goto L21;
                                                                          						} else {
                                                                          							_t44 = E000921A5(_a28,  *0xfb604, 0);
                                                                          							if(_t44 < 0) {
                                                                          								goto L21;
                                                                          							}
                                                                          							goto L20;
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          			}















                                                                          APIs
                                                                          • EnterCriticalSection.KERNEL32(000FB60C,00000000,?,?,?,00095407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 000D042B
                                                                          • CreateFileW.KERNEL32(40000000,00000001,00000000,00000002,00000080,00000000,?,00000000,?,?,?,000FB604,?,00095407,00000000,Setup), ref: 000D04CC
                                                                          • GetLastError.KERNEL32(?,00095407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 000D04DC
                                                                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00095407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 000D0515
                                                                            • Part of subcall function 00092DE0: GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 00092F1F
                                                                          • LeaveCriticalSection.KERNEL32(000FB60C,?,?,000FB604,?,00095407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 000D056E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalFileSection$CreateEnterErrorLastLeaveLocalPointerTime
                                                                          • String ID: @Mt$logutil.cpp
                                                                          • API String ID: 4111229724-3917315118
                                                                          • Opcode ID: e05253c11496444ca53229c138cd50057bf43015e5849c8853e9bb5734a80590
                                                                          • Instruction ID: d26070519b56a89d8e99bc8a7d5a6fc9e0f2fa3398b83b5aa0de509417fec3e0
                                                                          • Opcode Fuzzy Hash: e05253c11496444ca53229c138cd50057bf43015e5849c8853e9bb5734a80590
                                                                          • Instruction Fuzzy Hash: DA317571A01719AFEB21AF61EC45FAB36A8EB01790F410126FE04EA251D779CD40EFB0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 39%
                                                                          			E000BD12C(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                          				signed int _v8;
                                                                          				signed int _v12;
                                                                          				char _v16;
                                                                          				signed int _v24;
                                                                          				char _v28;
                                                                          				char _v32;
                                                                          				void* _t50;
                                                                          				char _t69;
                                                                          				signed int _t70;
                                                                          				intOrPtr _t71;
                                                                          				void* _t72;
                                                                          
                                                                          				_v12 = _v12 & 0x00000000;
                                                                          				_v8 = _v8 & 0x00000000;
                                                                          				_t71 = _a4;
                                                                          				WaitForSingleObject( *(_t71 + 0xc), 0xffffffff);
                                                                          				ReleaseMutex( *(_t71 + 0xc));
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				_t69 = 2;
                                                                          				_push(_a12);
                                                                          				_v32 = _t69;
                                                                          				_v28 = 1;
                                                                          				_v24 = (( *( *((intOrPtr*)(_t71 + 0x10)) + 0x219) & 0x000000ff) + ( *( *((intOrPtr*)(_t71 + 0x10)) + 0x218) & 0x000000ff) >> 0x00000001 & 0x000000ff) * 0x64 / 0xff;
                                                                          				_push( &_v32);
                                                                          				if(_a8() == _t69) {
                                                                          					WaitForSingleObject( *(_t71 + 0xc), 0xffffffff);
                                                                          					 *((char*)( *((intOrPtr*)(_t71 + 0x10)) + 2)) = 1;
                                                                          					 *((char*)( *((intOrPtr*)(_t71 + 0x10)) + 3)) = 1;
                                                                          					ReleaseMutex( *(_t71 + 0xc));
                                                                          					SetEvent( *(_t71 + 8));
                                                                          				}
                                                                          				_t50 = E000BCF56(_t71,  &_v12,  &_v8,  &_v16);
                                                                          				_t70 = _v8;
                                                                          				_t72 = _t50;
                                                                          				if(_t72 >= 0) {
                                                                          					__eflags = _v12 - 0x1070001;
                                                                          					if(__eflags == 0) {
                                                                          						_t72 = E000BD047(__eflags, _a4, _t70, _a8, _a12);
                                                                          						__eflags = _t72;
                                                                          						if(_t72 < 0) {
                                                                          							_push("Failed to send files in use message from netfx chainer.");
                                                                          							goto L7;
                                                                          						}
                                                                          					}
                                                                          				} else {
                                                                          					_push("Failed to get message from netfx chainer.");
                                                                          					L7:
                                                                          					_push(_t72);
                                                                          					E000D012F();
                                                                          				}
                                                                          				if(_t70 != 0) {
                                                                          					E00093999(_t70);
                                                                          				}
                                                                          				return _t72;
                                                                          			}















                                                                          APIs
                                                                          • WaitForSingleObject.KERNEL32(?,000000FF,74E5F730,00000000,?,?,?,?,000BD439,?), ref: 000BD145
                                                                          • ReleaseMutex.KERNEL32(?,?,?,?,000BD439,?), ref: 000BD161
                                                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 000BD1A4
                                                                          • ReleaseMutex.KERNEL32(?), ref: 000BD1BB
                                                                          • SetEvent.KERNEL32(?), ref: 000BD1C4
                                                                          Strings
                                                                          • Failed to get message from netfx chainer., xrefs: 000BD1E5
                                                                          • Failed to send files in use message from netfx chainer., xrefs: 000BD20A
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: MutexObjectReleaseSingleWait$Event
                                                                          • String ID: Failed to get message from netfx chainer.$Failed to send files in use message from netfx chainer.
                                                                          • API String ID: 2608678126-3424578679
                                                                          • Opcode ID: 1a30549ae20a85472f93b9fc680797e8a70666d5a26f713160387395112c16b4
                                                                          • Instruction ID: f8e7ca8a950bbeefd85af0c53770304b9f6549c8ccad68eaf6e8909a2e33ef76
                                                                          • Opcode Fuzzy Hash: 1a30549ae20a85472f93b9fc680797e8a70666d5a26f713160387395112c16b4
                                                                          • Instruction Fuzzy Hash: 6B31C831900649AFDB119F94CC08EEEBBF5EF54320F10866AF915A6261D735D9009B90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 82%
                                                                          			E0009410D(void* __ecx, WCHAR** _a4) {
                                                                          				long _v8;
                                                                          				long _t6;
                                                                          				void* _t12;
                                                                          				WCHAR* _t18;
                                                                          				long _t19;
                                                                          				WCHAR** _t23;
                                                                          				long _t26;
                                                                          
                                                                          				_t18 = 0;
                                                                          				_t23 = _a4;
                                                                          				_t6 = 0;
                                                                          				_v8 = 0;
                                                                          				_t26 = 0;
                                                                          				if(_t23 == 0 ||  *_t23 == 0) {
                                                                          					L5:
                                                                          					_t19 = GetCurrentDirectoryW(_t6, _t18);
                                                                          					if(_t19 != 0) {
                                                                          						if(_v8 >= _t19) {
                                                                          							goto L12;
                                                                          						}
                                                                          						_t26 = E00091EDE(_t23, _t19);
                                                                          						if(_t26 >= 0 && GetCurrentDirectoryW(_t19,  *_t23) == 0) {
                                                                          							_t30 =  <=  ? GetLastError() : _t11 & 0x0000ffff | 0x80070000;
                                                                          							_t12 = 0x80004005;
                                                                          							_t26 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t11 & 0x0000ffff | 0x80070000;
                                                                          							_push(_t26);
                                                                          							_push(0x190);
                                                                          							L11:
                                                                          							_push("dirutil.cpp");
                                                                          							E000937D3(_t12);
                                                                          						}
                                                                          						goto L12;
                                                                          					}
                                                                          					_t33 =  <=  ? GetLastError() : _t14 & 0x0000ffff | 0x80070000;
                                                                          					_t12 = 0x80004005;
                                                                          					_t26 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t14 & 0x0000ffff | 0x80070000;
                                                                          					_push(_t26);
                                                                          					_push(0x187);
                                                                          					goto L11;
                                                                          				} else {
                                                                          					_t26 = E0009275D( *_t23,  &_v8);
                                                                          					if(_t26 < 0) {
                                                                          						L12:
                                                                          						return _t26;
                                                                          					}
                                                                          					_t6 = _v8;
                                                                          					if(_t6 != 0) {
                                                                          						_t18 =  *_t23;
                                                                          					}
                                                                          					goto L5;
                                                                          				}
                                                                          			}











                                                                          APIs
                                                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000,?,00000000,crypt32.dll,?,?,000A3ED4,00000001,feclient.dll,?,00000000,?,?,?,00094A0C), ref: 00094148
                                                                          • GetLastError.KERNEL32(?,?,000A3ED4,00000001,feclient.dll,?,00000000,?,?,?,00094A0C,?,?,000DB478,?,00000001), ref: 00094154
                                                                          • GetCurrentDirectoryW.KERNEL32(00000000,?,?,00000000,?,?,000A3ED4,00000001,feclient.dll,?,00000000,?,?,?,00094A0C,?), ref: 0009418F
                                                                          • GetLastError.KERNEL32(?,?,000A3ED4,00000001,feclient.dll,?,00000000,?,?,?,00094A0C,?,?,000DB478,?,00000001), ref: 00094199
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentDirectoryErrorLast
                                                                          • String ID: @Mt$crypt32.dll$dirutil.cpp
                                                                          • API String ID: 152501406-4081394309
                                                                          • Opcode ID: a564adf7d3e973add63ac0cc60c89948cd42e55e2e5cc40a8a71cb1d938b203d
                                                                          • Instruction ID: 62a3d66bb85ce7414151c009bcef269e8e61be1487caee9d04552342d60468bb
                                                                          • Opcode Fuzzy Hash: a564adf7d3e973add63ac0cc60c89948cd42e55e2e5cc40a8a71cb1d938b203d
                                                                          • Instruction Fuzzy Hash: D5119A76A01727EBEB219AA94CC4EABB7DCDF14751B120136FD04E7250E765CC41A6F0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 67%
                                                                          			E000A444C(char _a4, intOrPtr _a8, char _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                                                          				char _t17;
                                                                          				intOrPtr _t31;
                                                                          				intOrPtr _t37;
                                                                          				void* _t38;
                                                                          
                                                                          				_t38 = 0;
                                                                          				_t17 =  ==  ? 0 : _a12;
                                                                          				_a12 = _t17;
                                                                          				_t37 = _t17 + 8;
                                                                          				_t31 = E000938D4(_t37, 0);
                                                                          				if(_t31 != 0) {
                                                                          					E000B1664(_t31, _t37,  &_a4, 4);
                                                                          					_t7 = _t37 - 4; // 0xdb504
                                                                          					_t8 = _t31 + 4; // 0x4
                                                                          					E000B1664(_t8, _t7,  &_a12, 4);
                                                                          					if(_a12 != 0) {
                                                                          						_t11 = _t37 - 8; // 0xdb500
                                                                          						_t13 = _t31 + 8; // 0x8
                                                                          						E000B1664(_t13, _t11, _a8, _a12);
                                                                          					}
                                                                          					 *_a20 = _t37;
                                                                          					 *_a16 = _t31;
                                                                          				} else {
                                                                          					_t38 = 0x8007000e;
                                                                          					E000937D3(_t18, "pipe.cpp", 0x2be, 0x8007000e);
                                                                          					_push("Failed to allocate memory for message.");
                                                                          					_push(0x8007000e);
                                                                          					E000D012F();
                                                                          				}
                                                                          				return _t38;
                                                                          			}








                                                                          APIs
                                                                            • Part of subcall function 000938D4: GetProcessHeap.KERNEL32(?,000001C7,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938E5
                                                                            • Part of subcall function 000938D4: RtlAllocateHeap.NTDLL(00000000,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938EC
                                                                          • _memcpy_s.LIBCMT ref: 000A449E
                                                                          • _memcpy_s.LIBCMT ref: 000A44B1
                                                                          • _memcpy_s.LIBCMT ref: 000A44CC
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: _memcpy_s$Heap$AllocateProcess
                                                                          • String ID: @G$Failed to allocate memory for message.$feclient.dll$pipe.cpp
                                                                          • API String ID: 886498622-2658273809
                                                                          • Opcode ID: f8c39e5f86359903d9d99e7e6a4eec469f394e71418070d4b52c3ab828d82a8c
                                                                          • Instruction ID: 0938258a6ff697a26d6f15ef159ba03898df1d85afb8f41a50b1c44cdbef617b
                                                                          • Opcode Fuzzy Hash: f8c39e5f86359903d9d99e7e6a4eec469f394e71418070d4b52c3ab828d82a8c
                                                                          • Instruction Fuzzy Hash: 501151B660031DABDB119E91CC86DDBB7ACEF49710F00452AFA159B142EBB0DA10CBE1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 21%
                                                                          			E000AF586(void* __ecx, intOrPtr _a4, intOrPtr* _a8, intOrPtr* _a12, intOrPtr* _a16) {
                                                                          				char _v8;
                                                                          				char _v12;
                                                                          				intOrPtr* _t46;
                                                                          				intOrPtr* _t58;
                                                                          				intOrPtr* _t59;
                                                                          				void* _t62;
                                                                          
                                                                          				_t48 = __ecx;
                                                                          				_push(__ecx);
                                                                          				_push(__ecx);
                                                                          				_v12 = 0;
                                                                          				_v8 = 0;
                                                                          				EnterCriticalSection( *(_a4 + 0xc));
                                                                          				_t62 = E0009D459( *(_a4 + 0xc) + 0xb8);
                                                                          				if(_t62 >= 0) {
                                                                          					_t46 = _a16;
                                                                          					if(_t46 == 0 ||  *_t46 == 0) {
                                                                          						L20:
                                                                          						_t62 = 0x80070057;
                                                                          					} else {
                                                                          						_t58 = _a12;
                                                                          						if(_t58 == 0 ||  *_t58 == 0) {
                                                                          							_t59 = _a8;
                                                                          							if(_t59 == 0 ||  *_t59 == 0) {
                                                                          								goto L20;
                                                                          							} else {
                                                                          								_t62 = E0009C0A9(_t48,  *(_a4 + 0xc) + 0x2a8, _t59,  &_v12);
                                                                          								if(_t62 >= 0) {
                                                                          									_t62 = E000921A5(_v12 + 0x28, _t46, 0);
                                                                          									if(_t62 < 0) {
                                                                          										_push("Failed to set source path for container.");
                                                                          										goto L19;
                                                                          									}
                                                                          								} else {
                                                                          									_push(_t59);
                                                                          									_push("UX requested unknown container with id: %ls");
                                                                          									goto L16;
                                                                          								}
                                                                          							}
                                                                          						} else {
                                                                          							_t62 = E0009CC57(_t48,  *(_a4 + 0xc) + 0x2b8, _t58,  &_v8);
                                                                          							if(_t62 >= 0) {
                                                                          								_t41 = _v8;
                                                                          								if( *((intOrPtr*)(_v8 + 4)) != 2) {
                                                                          									_t62 = E000921A5(_t41 + 0x38, _t46, 0);
                                                                          									if(_t62 < 0) {
                                                                          										_push("Failed to set source path for payload.");
                                                                          										L19:
                                                                          										_push(_t62);
                                                                          										E000D012F();
                                                                          									}
                                                                          								} else {
                                                                          									_push(_t58);
                                                                          									_t62 = 0x800710dd;
                                                                          									_push("UX denied while trying to set source on embedded payload: %ls");
                                                                          									goto L16;
                                                                          								}
                                                                          							} else {
                                                                          								_push(_t58);
                                                                          								_push("UX requested unknown payload with id: %ls");
                                                                          								L16:
                                                                          								_push(_t62);
                                                                          								E000D012F();
                                                                          							}
                                                                          						}
                                                                          					}
                                                                          				} else {
                                                                          					_push("Engine is active, cannot change engine state.");
                                                                          					_push(_t62);
                                                                          					E000D012F();
                                                                          				}
                                                                          				LeaveCriticalSection( *(_a4 + 0xc));
                                                                          				return _t62;
                                                                          			}










                                                                          APIs
                                                                          • EnterCriticalSection.KERNEL32(?), ref: 000AF59B
                                                                          • LeaveCriticalSection.KERNEL32(?), ref: 000AF6A8
                                                                          Strings
                                                                          • UX denied while trying to set source on embedded payload: %ls, xrefs: 000AF61D
                                                                          • UX requested unknown container with id: %ls, xrefs: 000AF667
                                                                          • Failed to set source path for payload., xrefs: 000AF637
                                                                          • UX requested unknown payload with id: %ls, xrefs: 000AF607
                                                                          • Failed to set source path for container., xrefs: 000AF68D
                                                                          • Engine is active, cannot change engine state., xrefs: 000AF5B5
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$EnterLeave
                                                                          • String ID: Engine is active, cannot change engine state.$Failed to set source path for container.$Failed to set source path for payload.$UX denied while trying to set source on embedded payload: %ls$UX requested unknown container with id: %ls$UX requested unknown payload with id: %ls
                                                                          • API String ID: 3168844106-4121889706
                                                                          • Opcode ID: ac9dd9e5ec05857c2a4b6e3c46b4738b7b55246fa297d6c111fa62dc4c8a2841
                                                                          • Instruction ID: 4e2cf6265e8b028b03e9e8f95104e6cf24ac6b55041a2362e0d666e651a37a08
                                                                          • Opcode Fuzzy Hash: ac9dd9e5ec05857c2a4b6e3c46b4738b7b55246fa297d6c111fa62dc4c8a2841
                                                                          • Instruction Fuzzy Hash: DD310672A40612AF8B219FD5CC46EBEB3ECDF56720B158126F804FB251DB74ED0087A4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 49%
                                                                          			E000970D4(void* __ebx, void* __ecx, WCHAR* _a4, intOrPtr _a8) {
                                                                          				signed int _v8;
                                                                          				signed int _v12;
                                                                          				signed int _t38;
                                                                          				WCHAR* _t48;
                                                                          				WCHAR* _t49;
                                                                          				void* _t52;
                                                                          				void* _t54;
                                                                          
                                                                          				_t40 = __ecx;
                                                                          				_push(__ecx);
                                                                          				_push(__ecx);
                                                                          				_v8 = _v8 & 0x00000000;
                                                                          				_v12 = _v12 & 0x00000000;
                                                                          				_t48 = _a4;
                                                                          				_t52 = E00091EDE( &_v8, lstrlenW(_t48) + 1);
                                                                          				if(_t52 >= 0) {
                                                                          					while(1) {
                                                                          						_t38 = E000C3E49(_t40, _t48, L"[]{}");
                                                                          						if(_t38 == 0) {
                                                                          							goto L5;
                                                                          						}
                                                                          						_t52 = E00091EF2( &_v8, _t48, _t38);
                                                                          						if(_t52 < 0) {
                                                                          							_push("Failed to append characters.");
                                                                          							L14:
                                                                          							_push(_t52);
                                                                          							E000D012F();
                                                                          						} else {
                                                                          							goto L5;
                                                                          						}
                                                                          						L15:
                                                                          						goto L16;
                                                                          						L5:
                                                                          						_t49 =  &(_t48[_t38]);
                                                                          						_t40 = 0;
                                                                          						_t24 =  *_t49 & 0x0000ffff;
                                                                          						if(0 == ( *_t49 & 0x0000ffff)) {
                                                                          							_t52 = E000921A5(_a8, _v8, 0);
                                                                          							if(_t52 < 0) {
                                                                          								_push("Failed to copy string.");
                                                                          								goto L14;
                                                                          							}
                                                                          						} else {
                                                                          							_t52 = E00091F20( &_v12, L"[\\%c]", _t24);
                                                                          							_t54 = _t54 + 0xc;
                                                                          							if(_t52 < 0) {
                                                                          								_push("Failed to format escape sequence.");
                                                                          								goto L14;
                                                                          							} else {
                                                                          								_t52 = E00091EF2( &_v8, _v12, 0);
                                                                          								if(_t52 < 0) {
                                                                          									_push("Failed to append escape sequence.");
                                                                          									goto L14;
                                                                          								} else {
                                                                          									_t48 =  &(_t49[1]);
                                                                          									continue;
                                                                          								}
                                                                          							}
                                                                          						}
                                                                          						goto L15;
                                                                          					}
                                                                          				} else {
                                                                          					_push("Failed to allocate buffer for escaped string.");
                                                                          					_push(_t52);
                                                                          					E000D012F();
                                                                          				}
                                                                          				L16:
                                                                          				if(_v8 != 0) {
                                                                          					E000D54EF(_v8);
                                                                          				}
                                                                          				if(_v12 != 0) {
                                                                          					E000D54EF(_v12);
                                                                          				}
                                                                          				return _t52;
                                                                          			}










                                                                          0x000970fe
                                                                          0x000970fe
                                                                          0x00097103
                                                                          0x00097104
                                                                          0x0009710a
                                                                          0x000971a9
                                                                          0x000971ad
                                                                          0x000971b2
                                                                          0x000971b2
                                                                          0x000971bb
                                                                          0x000971c0
                                                                          0x000971c0
                                                                          0x000971cc

                                                                          APIs
                                                                          • lstrlenW.KERNEL32(00000000), ref: 000970E7
                                                                          Strings
                                                                          • [\%c], xrefs: 00097146
                                                                          • Failed to copy string., xrefs: 0009719B
                                                                          • Failed to allocate buffer for escaped string., xrefs: 000970FE
                                                                          • Failed to append characters., xrefs: 00097173
                                                                          • Failed to format escape sequence., xrefs: 00097181
                                                                          • Failed to append escape sequence., xrefs: 0009717A
                                                                          • []{}, xrefs: 00097111
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: lstrlen
                                                                          • String ID: Failed to allocate buffer for escaped string.$Failed to append characters.$Failed to append escape sequence.$Failed to copy string.$Failed to format escape sequence.$[\%c]$[]{}
                                                                          • API String ID: 1659193697-3250950999
                                                                          • Opcode ID: 05e111c1185961c26f25602257b5e3233c9ab9a8b93d5e9e64e395bbddf8f9dc
                                                                          • Instruction ID: 9f4a8f661f941882de48084d2f4a64ea587946da6c24a5ea7f919d9f1b4de420
                                                                          • Opcode Fuzzy Hash: 05e111c1185961c26f25602257b5e3233c9ab9a8b93d5e9e64e395bbddf8f9dc
                                                                          • Instruction Fuzzy Hash: 3821D833959316BBEF255698DC02FEE77A99F00711F200157F908B6291DB75AE40B2A4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 75%
                                                                          			E000B9039(void* __ecx, intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12) {
                                                                          				int _v8;
                                                                          				intOrPtr _v12;
                                                                          				short* _t46;
                                                                          				intOrPtr* _t51;
                                                                          				void* _t80;
                                                                          				intOrPtr* _t87;
                                                                          				intOrPtr _t88;
                                                                          				intOrPtr _t91;
                                                                          				intOrPtr* _t92;
                                                                          				intOrPtr* _t96;
                                                                          				intOrPtr _t97;
                                                                          				intOrPtr _t99;
                                                                          				int _t102;
                                                                          				void* _t114;
                                                                          
                                                                          				_push(__ecx);
                                                                          				_push(__ecx);
                                                                          				_t99 = _a12;
                                                                          				_t102 = 0;
                                                                          				_v8 = 0;
                                                                          				_t46 =  *(_t99 + 0xbc);
                                                                          				if(_t46 != 0 && CompareStringW(0, 1, _t46, 0xffffffff,  *(_t99 + 0x10), 0xffffffff) != 2) {
                                                                          					_t51 =  *((intOrPtr*)(_t99 + 0x40));
                                                                          					if(_t51 != 0 &&  *_t51 != 0) {
                                                                          						_t96 = _a8;
                                                                          						if( *_t96 != 5) {
                                                                          							__eflags =  *_t96 - 3;
                                                                          							if( *_t96 == 3) {
                                                                          								L9:
                                                                          								__eflags = E000B7B00(_t96, _t99, _t51);
                                                                          								_t80 = 1;
                                                                          								_t88 =  !=  ? _t80 : 0;
                                                                          								__eflags = _t88;
                                                                          								_v8 = _t88;
                                                                          							} else {
                                                                          								__eflags =  *_t96 - 6;
                                                                          								if( *_t96 == 6) {
                                                                          									goto L9;
                                                                          								} else {
                                                                          									__eflags =  *_t96 - 7;
                                                                          									if( *_t96 == 7) {
                                                                          										goto L9;
                                                                          									}
                                                                          								}
                                                                          							}
                                                                          						} else {
                                                                          							_v8 = 1;
                                                                          						}
                                                                          					}
                                                                          					_t91 = 0;
                                                                          					_a12 = 0;
                                                                          					if( *((intOrPtr*)(_t99 + 0xb8)) > 0) {
                                                                          						_t97 = 0;
                                                                          						_v12 = 0;
                                                                          						do {
                                                                          							_t87 =  *((intOrPtr*)(_t99 + 0xb4)) + _t97;
                                                                          							if( *_t87 != 2) {
                                                                          								goto L18;
                                                                          							} else {
                                                                          								_t114 =  *((intOrPtr*)(_t99 + 0x3c)) -  *((intOrPtr*)(_t87 + 0xc));
                                                                          								if(_t114 > 0 || _t114 >= 0 &&  *((intOrPtr*)(_t99 + 0x38)) >  *((intOrPtr*)(_t87 + 8))) {
                                                                          									goto L18;
                                                                          								} else {
                                                                          									if(CompareStringW(0, 1,  *(_t99 + 0xbc), 0xffffffff,  *(_t87 + 0x18), 0xffffffff) == 2) {
                                                                          										_t92 =  *((intOrPtr*)(_a4 + 0x10));
                                                                          										_a12 =  *((intOrPtr*)( *_t92 + 0x1c))(_t92,  *(_t87 + 0x18),  *_t87,  *((intOrPtr*)(_t87 + 0x10)),  *((intOrPtr*)(_t87 + 0x2c)),  *((intOrPtr*)(_t87 + 8)),  *((intOrPtr*)(_t87 + 0xc)), _v8);
                                                                          										_t102 = E0009D58B(_a4, 1, _t59);
                                                                          										__eflags = _t102;
                                                                          										if(_t102 >= 0) {
                                                                          											__eflags = _a12 - 1;
                                                                          											if(__eflags != 0) {
                                                                          												L27:
                                                                          												_push(E000A3C30( *((intOrPtr*)(_t99 + 0xc4))));
                                                                          												_push(E000A43FA( *((intOrPtr*)(_t87 + 8)),  *((intOrPtr*)(_t87 + 0xc))));
                                                                          												_push(E000A40EF( *((intOrPtr*)(_t87 + 0x2c))));
                                                                          												_push(E000A416A( *_t87));
                                                                          												E0009550F(2, 0x2000006b,  *(_t87 + 0x18));
                                                                          											} else {
                                                                          												_t39 = _t99 + 0xc8; // 0x4d8
                                                                          												_t102 = E000BC517(_t92, __eflags, _t39, _a8, 0,  *((intOrPtr*)(_t99 + 0x40)),  *((intOrPtr*)(_t99 + 0xc0)), _t87 + 0x18);
                                                                          												__eflags = _t102;
                                                                          												if(_t102 >= 0) {
                                                                          													__eflags = 1;
                                                                          													 *((intOrPtr*)(_t99 + 0xc4)) = 1;
                                                                          													goto L27;
                                                                          												} else {
                                                                          													_push("Failed to initialize update bundle.");
                                                                          													goto L22;
                                                                          												}
                                                                          											}
                                                                          										} else {
                                                                          											E000937D3(_t62, "detect.cpp", 0x7e, _t102);
                                                                          											_push("BA aborted detect forward compatible bundle.");
                                                                          											L22:
                                                                          											_push(_t102);
                                                                          											E000D012F();
                                                                          										}
                                                                          									} else {
                                                                          										_t91 = _a12;
                                                                          										_t97 = _v12;
                                                                          										goto L18;
                                                                          									}
                                                                          								}
                                                                          							}
                                                                          							goto L28;
                                                                          							L18:
                                                                          							_t91 = _t91 + 1;
                                                                          							_t97 = _t97 + 0xf8;
                                                                          							_a12 = _t91;
                                                                          							_v12 = _t97;
                                                                          						} while (_t91 <  *((intOrPtr*)(_t99 + 0xb8)));
                                                                          					}
                                                                          				}
                                                                          				L28:
                                                                          				return _t102;
                                                                          			}


















                                                                          APIs
                                                                          • CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,00000000,00000100,00000000,?,?,?,000A6F20,000000B8,0000001C,00000100), ref: 000B9068
                                                                          • CompareStringW.KERNEL32(00000000,00000001,?,000000FF,000DB4A8,000000FF,?,?,?,000A6F20,000000B8,0000001C,00000100,00000100,00000100,000000B0), ref: 000B9101
                                                                          Strings
                                                                          • comres.dll, xrefs: 000B9187
                                                                          • detect.cpp, xrefs: 000B9163
                                                                          • BA aborted detect forward compatible bundle., xrefs: 000B916D
                                                                          • Failed to initialize update bundle., xrefs: 000B91A9
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: CompareString
                                                                          • String ID: BA aborted detect forward compatible bundle.$Failed to initialize update bundle.$comres.dll$detect.cpp
                                                                          • API String ID: 1825529933-439563586
                                                                          • Opcode ID: 391307df022ae06bbb893c2c1869eea5cdde4f96064810073134862deb354a56
                                                                          • Instruction ID: b5e8f4a802b6310d00de86d9938f6ba1dfa9742f056addab9ed4fdd2361aef6f
                                                                          • Opcode Fuzzy Hash: 391307df022ae06bbb893c2c1869eea5cdde4f96064810073134862deb354a56
                                                                          • Instruction Fuzzy Hash: 3E51E271600216BFDF55AF78CC85EAAB7AAFF05320B104664FA15DA291D731DC60EBA0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 50%
                                                                          			E000D61FA(void* __ecx, intOrPtr _a4, void* _a8, long _a12, void* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr* _a36) {
                                                                          				signed int _v8;
                                                                          				signed int _v12;
                                                                          				signed short _t39;
                                                                          				void* _t40;
                                                                          				signed short _t48;
                                                                          				signed int _t49;
                                                                          				intOrPtr* _t50;
                                                                          				void* _t54;
                                                                          				void* _t60;
                                                                          				signed int _t61;
                                                                          				intOrPtr* _t64;
                                                                          				void* _t67;
                                                                          
                                                                          				_t62 = __ecx;
                                                                          				_push(__ecx);
                                                                          				_push(__ecx);
                                                                          				_v8 = _v8 & 0x00000000;
                                                                          				_t64 = _a12;
                                                                          				_t67 = E000D47D3(__ecx, _a8,  *_t64,  *((intOrPtr*)(_t64 + 4)), 0, 0);
                                                                          				if(_t67 >= 0) {
                                                                          					while(1) {
                                                                          						L2:
                                                                          						_push( &_v8);
                                                                          						_push(_a32);
                                                                          						_push(_a28);
                                                                          						_push(_a4);
                                                                          						if( *0xfa974() == 0) {
                                                                          							break;
                                                                          						}
                                                                          						if(_v8 != 0) {
                                                                          							_t60 = 0;
                                                                          							_a12 = _a12 & 0;
                                                                          							while(WriteFile(_a8, _a28 + _t60, _v8 - _t60,  &_a12, 0) != 0) {
                                                                          								_t60 = _t60 + _a12;
                                                                          								if(_a12 == 0 || _t60 >= _v8) {
                                                                          									 *_t64 =  *_t64 + _t60;
                                                                          									_t49 = 0;
                                                                          									asm("adc [edi+0x4], eax");
                                                                          									if(_a16 != 0xffffffff) {
                                                                          										_t61 = _t49;
                                                                          										_v12 = _t49;
                                                                          										if(E000D47D3(_t62, _a16, _t49, _t49, _t49, _t49) >= 0) {
                                                                          											do {
                                                                          												_push(0);
                                                                          												_push( &_v12);
                                                                          												_t54 = 8;
                                                                          												WriteFile(_a16, _t64 + _t61 * 8, _t54 - _t61, ??, ??);
                                                                          												_t61 = _t61 + _v12;
                                                                          											} while (_v12 != 0 && _t61 < 8);
                                                                          										}
                                                                          									}
                                                                          									_t50 = _a36;
                                                                          									if(_t50 == 0 ||  *_t50 == 0) {
                                                                          										L15:
                                                                          										if(_v8 != 0) {
                                                                          											goto L2;
                                                                          										} else {
                                                                          										}
                                                                          									} else {
                                                                          										_t67 = E000D5B46(_t50,  *_t64,  *((intOrPtr*)(_t64 + 4)), _a20, _a24, _a8);
                                                                          										if(_t67 >= 0) {
                                                                          											goto L15;
                                                                          										}
                                                                          									}
                                                                          								} else {
                                                                          									continue;
                                                                          								}
                                                                          								goto L20;
                                                                          							}
                                                                          							_t48 = GetLastError();
                                                                          							_t74 =  <=  ? _t48 : _t48 & 0x0000ffff | 0x80070000;
                                                                          							_t40 = 0x80004005;
                                                                          							_t67 =  >=  ? 0x80004005 :  <=  ? _t48 : _t48 & 0x0000ffff | 0x80070000;
                                                                          							_push(_t67);
                                                                          							_push(0x1a6);
                                                                          							L19:
                                                                          							_push("dlutil.cpp");
                                                                          							E000937D3(_t40);
                                                                          						}
                                                                          						L20:
                                                                          						goto L21;
                                                                          					}
                                                                          					_t39 = GetLastError();
                                                                          					_t71 =  <=  ? _t39 : _t39 & 0x0000ffff | 0x80070000;
                                                                          					_t40 = 0x80004005;
                                                                          					_t67 =  >=  ? 0x80004005 :  <=  ? _t39 : _t39 & 0x0000ffff | 0x80070000;
                                                                          					_push(_t67);
                                                                          					_push(0x19a);
                                                                          					goto L19;
                                                                          				}
                                                                          				L21:
                                                                          				return _t67;
                                                                          			}
















                                                                          APIs
                                                                            • Part of subcall function 000D47D3: SetFilePointerEx.KERNELBASE(?,?,?,?,?,00000000,?,?,?,000A8564,00000000,00000000,00000000,00000000,00000000), ref: 000D47EB
                                                                            • Part of subcall function 000D47D3: GetLastError.KERNEL32(?,?,?,000A8564,00000000,00000000,00000000,00000000,00000000), ref: 000D47F5
                                                                          • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,000D5AC5,?,?,?,?,?,?,?,00010000,?), ref: 000D6263
                                                                          • WriteFile.KERNEL32(000000FF,00000008,00000008,?,00000000,000000FF,00000000,00000000,00000000,00000000,?,000D5AC5,?,?,?,?), ref: 000D62B5
                                                                          • GetLastError.KERNEL32(?,000D5AC5,?,?,?,?,?,?,?,00010000,?,00000001,?,GET,?,?), ref: 000D62FB
                                                                          • GetLastError.KERNEL32(?,000D5AC5,?,?,?,?,?,?,?,00010000,?,00000001,?,GET,?,?), ref: 000D6321
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLast$Write$Pointer
                                                                          • String ID: @Mt$dlutil.cpp
                                                                          • API String ID: 133221148-4229462785
                                                                          • Opcode ID: a7ab974a9c45f0ebfbbedbe9bae1d5bc5f2466dc4da79ff23708391695936e0c
                                                                          • Instruction ID: 5180f9f0886f46cbbbca55c01e22e8241f33915f9331bcc405f4be35b1ba90db
                                                                          • Opcode Fuzzy Hash: a7ab974a9c45f0ebfbbedbe9bae1d5bc5f2466dc4da79ff23708391695936e0c
                                                                          • Instruction Fuzzy Hash: 20415E72900719EFEB118E94CD44BEA7BA8EF04351F15012ABD04E6290D776DD60DAB0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 63%
                                                                          			E000D01F0(void* __ebx, void* __edx, void* __edi, void* __esi) {
                                                                          				signed int _v8;
                                                                          				short _v528;
                                                                          				short _v1048;
                                                                          				char _v1052;
                                                                          				struct HINSTANCE__* _v1056;
                                                                          				struct HINSTANCE__* _v1060;
                                                                          				long _v1064;
                                                                          				void* __ebp;
                                                                          				signed int _t25;
                                                                          				long _t29;
                                                                          				intOrPtr _t46;
                                                                          				intOrPtr _t47;
                                                                          				void* _t52;
                                                                          				void* _t53;
                                                                          				void* _t54;
                                                                          				char* _t56;
                                                                          				void* _t61;
                                                                          				unsigned int _t62;
                                                                          				unsigned int _t64;
                                                                          				void* _t68;
                                                                          				void* _t70;
                                                                          				void* _t71;
                                                                          				void* _t72;
                                                                          				intOrPtr _t74;
                                                                          				void* _t75;
                                                                          				signed int _t76;
                                                                          				void* _t77;
                                                                          
                                                                          				_t68 = __edx;
                                                                          				_t25 =  *0xfa008; // 0x90c8e23b
                                                                          				_v8 = _t25 ^ _t76;
                                                                          				_push(__ebx);
                                                                          				_push(__esi);
                                                                          				_t74 =  *0xfa77c; // 0xf6238
                                                                          				_push(__edi);
                                                                          				_v1064 = 0x104;
                                                                          				_v1060 = 0;
                                                                          				_v1056 = 0;
                                                                          				_v1052 = 0;
                                                                          				_t29 = GetModuleFileNameW(0,  &_v528, 0x104);
                                                                          				_t70 = 0x208;
                                                                          				if(_t29 == 0) {
                                                                          					E000BF670(0x208,  &_v528, 0, 0x208);
                                                                          					_t77 = _t77 + 0xc;
                                                                          				}
                                                                          				if(E000D4932( &_v528,  &_v1060,  &_v1056) < 0) {
                                                                          					_v1060 = 0;
                                                                          					_v1056 = 0;
                                                                          				}
                                                                          				if(GetComputerNameW( &_v1048,  &_v1064) != 0) {
                                                                          					L7:
                                                                          					E000D858F(_t70, _t83,  &_v1052, 0);
                                                                          					_push(_v1052);
                                                                          					_push("=== Logging started: %ls ===");
                                                                          					_t71 = 2;
                                                                          					_push(_t71);
                                                                          					E000D061A();
                                                                          					_t62 = _v1056;
                                                                          					_push(_t62 & 0x0000ffff);
                                                                          					_push(_t62 >> 0x10);
                                                                          					_t64 = _v1060;
                                                                          					_push(_t64 & 0x0000ffff);
                                                                          					_push(_t64 >> 0x10);
                                                                          					E000D061A(_t71, "Executable: %ls v%d.%d.%d.%d",  &_v528);
                                                                          					E000D061A(_t71, "Computer  : %ls",  &_v1048);
                                                                          					_t46 =  *0xfa778; // 0x3
                                                                          					_t47 = _t46;
                                                                          					if(_t47 == 0) {
                                                                          						_t74 =  *0xfa790; // 0xf6264
                                                                          					} else {
                                                                          						_t52 = _t47 - 1;
                                                                          						if(_t52 == 0) {
                                                                          							_t74 =  *0xfa780; // 0xf6240
                                                                          						} else {
                                                                          							_t53 = _t52 - 1;
                                                                          							if(_t53 == 0) {
                                                                          								_t74 =  *0xfa784; // 0xf6248
                                                                          							} else {
                                                                          								_t54 = _t53 - 1;
                                                                          								if(_t54 == 0) {
                                                                          									_t74 =  *0xfa788; // 0xf6254
                                                                          								} else {
                                                                          									if(_t54 == 1) {
                                                                          										_t74 =  *0xfa78c; // 0xf625c
                                                                          									}
                                                                          								}
                                                                          							}
                                                                          						}
                                                                          					}
                                                                          					E000D061A(_t71, "--- logging level: %hs ---", _t74);
                                                                          					_pop(_t72);
                                                                          					_pop(_t75);
                                                                          					_pop(_t61);
                                                                          					if(_v1052 != 0) {
                                                                          						E000D54EF(_v1052);
                                                                          					}
                                                                          					return E000BDE36(_t61, _v8 ^ _t76, _t68, _t72, _t75);
                                                                          				} else {
                                                                          					_t56 =  &_v1048;
                                                                          					do {
                                                                          						 *_t56 = 0;
                                                                          						_t56 = _t56 + 1;
                                                                          						_t70 = _t70 - 1;
                                                                          						_t83 = _t70;
                                                                          					} while (_t70 != 0);
                                                                          					goto L7;
                                                                          				}
                                                                          			}






























                                                                          0x000d031e
                                                                          0x000d032d
                                                                          0x000d0320
                                                                          0x000d0323
                                                                          0x000d0325
                                                                          0x000d0325
                                                                          0x000d0323
                                                                          0x000d031e
                                                                          0x000d0319
                                                                          0x000d0314
                                                                          0x000d0352
                                                                          0x000d0361
                                                                          0x000d0362
                                                                          0x000d0363
                                                                          0x000d0364
                                                                          0x000d036c
                                                                          0x000d036c
                                                                          0x000d0380
                                                                          0x000d0296
                                                                          0x000d0296
                                                                          0x000d029c
                                                                          0x000d029c
                                                                          0x000d029e
                                                                          0x000d029f
                                                                          0x000d029f
                                                                          0x000d029f
                                                                          0x00000000
                                                                          0x000d029c

                                                                          APIs
                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000001,00000000,00000000), ref: 000D0234
                                                                          • GetComputerNameW.KERNEL32 ref: 000D028C
                                                                          Strings
                                                                          • === Logging started: %ls ===, xrefs: 000D02B7
                                                                          • Computer : %ls, xrefs: 000D02FA
                                                                          • --- logging level: %hs ---, xrefs: 000D034C
                                                                          • Executable: %ls v%d.%d.%d.%d, xrefs: 000D02E8
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: Name$ComputerFileModule
                                                                          • String ID: --- logging level: %hs ---$=== Logging started: %ls ===$Computer : %ls$Executable: %ls v%d.%d.%d.%d
                                                                          • API String ID: 2577110986-3153207428
                                                                          • Opcode ID: e15784dadb84a224298927fe3593c6d50971ec51d67c60d9f5678d3ece00d240
                                                                          • Instruction ID: 13a388750cbc4ced7d4454b4cc90686032c85328f4337667a590cbe0f923f354
                                                                          • Opcode Fuzzy Hash: e15784dadb84a224298927fe3593c6d50971ec51d67c60d9f5678d3ece00d240
                                                                          • Instruction Fuzzy Hash: 994165F1A0031C9BDB609F649C89EFA77BCEB45300F4041AAFA0DA7602D6349E859F75
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 73%
                                                                          			E000D143C(void* _a4, short* _a8, intOrPtr _a12, signed int _a16) {
                                                                          				char* _v8;
                                                                          				signed int _v12;
                                                                          				signed int _v16;
                                                                          				signed int _t43;
                                                                          				signed int _t45;
                                                                          				signed short _t52;
                                                                          				signed int _t62;
                                                                          				signed int _t64;
                                                                          				char* _t65;
                                                                          				signed int _t66;
                                                                          				signed int _t68;
                                                                          				void* _t70;
                                                                          				char* _t74;
                                                                          				signed int _t76;
                                                                          				signed int _t77;
                                                                          				signed int _t78;
                                                                          				signed int _t82;
                                                                          				signed int _t83;
                                                                          
                                                                          				_t64 = _a16;
                                                                          				_t43 = 0;
                                                                          				_v16 = _v16 & 0;
                                                                          				_t74 = 0;
                                                                          				_v8 = 0;
                                                                          				if(_t64 != 0) {
                                                                          					_t66 = 0;
                                                                          					_t45 = 1;
                                                                          					_v12 = 0;
                                                                          					_a16 = 1;
                                                                          					if(_t64 == 0) {
                                                                          						L5:
                                                                          						_t77 = E00091EDE( &_v8, _t45);
                                                                          						if(_t77 < 0) {
                                                                          							L14:
                                                                          							_t74 = _v8;
                                                                          							L15:
                                                                          							if(_t74 != 0) {
                                                                          								E000D54EF(_t74);
                                                                          							}
                                                                          							return _t77;
                                                                          						}
                                                                          						_t74 = _v8;
                                                                          						_t78 = 0;
                                                                          						_v12 = 0;
                                                                          						if(_t64 == 0) {
                                                                          							L10:
                                                                          							_t43 = _a16;
                                                                          							_t65 = _t74;
                                                                          							L11:
                                                                          							_push( &_v16);
                                                                          							_t68 = 2;
                                                                          							_push(_t43 * _t68 >> 0x20);
                                                                          							_push(_t43 * _t68);
                                                                          							_t77 = E00096E2E();
                                                                          							if(_t77 < 0) {
                                                                          								goto L15;
                                                                          							}
                                                                          							_t52 = RegSetValueExW(_a4, _a8, 0, 7, _t65, _v16);
                                                                          							if(_t52 != 0) {
                                                                          								_t81 =  <=  ? _t52 : _t52 & 0x0000ffff | 0x80070000;
                                                                          								_t77 =  >=  ? 0x80004005 :  <=  ? _t52 : _t52 & 0x0000ffff | 0x80070000;
                                                                          								E000937D3(0x80004005, "regutil.cpp", 0x35c, _t77);
                                                                          							}
                                                                          							goto L14;
                                                                          						} else {
                                                                          							goto L7;
                                                                          						}
                                                                          						while(1) {
                                                                          							L7:
                                                                          							_t77 = E00091BEA(_t74, _a16,  *((intOrPtr*)(_a12 + _t78 * 4)));
                                                                          							if(_t77 < 0) {
                                                                          								goto L14;
                                                                          							}
                                                                          							_t82 = _v12;
                                                                          							lstrlenW( *(_a12 + _t82 * 4));
                                                                          							_t74 = _t74 + lstrlenW( *(_a12 + _t82 * 4)) * 2 + 2;
                                                                          							_t78 = _t82 + 1;
                                                                          							_v12 = _t78;
                                                                          							if(_t78 < _t64) {
                                                                          								continue;
                                                                          							}
                                                                          							_t74 = _v8;
                                                                          							goto L10;
                                                                          						}
                                                                          						goto L14;
                                                                          					} else {
                                                                          						goto L3;
                                                                          					}
                                                                          					while(1) {
                                                                          						L3:
                                                                          						_t76 = _t45;
                                                                          						_t83 = _t45;
                                                                          						_t62 = lstrlenW( *(_a12 + _t66 * 4));
                                                                          						_t70 = _a16 + 1 + _t62;
                                                                          						_t45 =  >=  ? _t70 : _t62 | 0xffffffff;
                                                                          						_a16 = _t45;
                                                                          						asm("sbb esi, esi");
                                                                          						_t77 = _t83 & 0x80070216;
                                                                          						if(_t70 < _t76) {
                                                                          							goto L14;
                                                                          						}
                                                                          						_t66 = _v12 + 1;
                                                                          						_v12 = _t66;
                                                                          						if(_t66 < _t64) {
                                                                          							continue;
                                                                          						}
                                                                          						goto L5;
                                                                          					}
                                                                          					goto L14;
                                                                          				}
                                                                          				_t65 = 0xf6440;
                                                                          				goto L11;
                                                                          			}

                                                                          APIs
                                                                          • lstrlenW.KERNEL32(?,00000000,00000000,BundleUpgradeCode,?,00020006,00000000,?,?,?,00000001), ref: 000D1479
                                                                          • lstrlenW.KERNEL32(?,00000000,00000000,?,00000000,00000001,00000000,00000000,BundleUpgradeCode,?,00020006,00000000,?,?,?,00000001), ref: 000D14F1
                                                                          • lstrlenW.KERNEL32(?,?,?,?,00000001), ref: 000D14FD
                                                                          • RegSetValueExW.ADVAPI32(00020006,?,00000000,00000007,00000000,?,00000000,?,?,00000000,00000001,00000000,00000000,BundleUpgradeCode,?,00020006), ref: 000D153D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: lstrlen$Value
                                                                          • String ID: BundleUpgradeCode$regutil.cpp
                                                                          • API String ID: 198323757-1648651458
                                                                          • Opcode ID: 4ce049ce531f54190e76fc9bc555c99c61ce9cc2077ca0b43cb9044178aa01df
                                                                          • Instruction ID: 68133f2a3d7cb0cc66b001f353b729adacd2398ac7617f528701c2cbd3001dc6
                                                                          • Opcode Fuzzy Hash: 4ce049ce531f54190e76fc9bc555c99c61ce9cc2077ca0b43cb9044178aa01df
                                                                          • Instruction Fuzzy Hash: EC41A632A00726EFCF21DFA8D845AEE7BAAAF44710F11416AFD05A7251DA34DD119BA0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 21%
                                                                          			E000AD206(void* __ebx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                          				signed int _v8;
                                                                          				void* __ecx;
                                                                          				intOrPtr* _t18;
                                                                          				void* _t43;
                                                                          				void* _t57;
                                                                          				intOrPtr _t58;
                                                                          				void* _t60;
                                                                          				void* _t61;
                                                                          				void* _t64;
                                                                          
                                                                          				_v8 = _v8 | 0xffffffff;
                                                                          				_t58 = _a4;
                                                                          				_t18 =  *((intOrPtr*)(_t58 + 0xc8));
                                                                          				_t61 = E0009D58B(_t58 + 0xb8, 1,  *((intOrPtr*)( *_t18 + 0x74))(_t18, _t57, _t60, _t43));
                                                                          				if(_t61 >= 0) {
                                                                          					_push(__ebx);
                                                                          					_t41 = _t58 + 0x4a0;
                                                                          					if(E000A4B96(_t58 + 0x4a0, __edx, _t58 + 0x4a0, _t58 + 0x4a4) >= 0) {
                                                                          						if(E000A4CE8(_t41, 1,  &_v8) >= 0) {
                                                                          							_push(0x2000000a);
                                                                          							_push(2);
                                                                          							E0009550F();
                                                                          							while(1) {
                                                                          								_t64 = E000A4ED2( *((intOrPtr*)(_t58 + 0x49c)), _t41, 1, _a8);
                                                                          								if(_t64 >= 0) {
                                                                          									break;
                                                                          								}
                                                                          								if(_t64 != 0x800704c7) {
                                                                          									L13:
                                                                          									if(_t64 < 0) {
                                                                          										goto L14;
                                                                          									}
                                                                          								} else {
                                                                          									_t64 = 0x80070642;
                                                                          									if(E0009D742(0x80070642,  *((intOrPtr*)(_t58 + 0xc8)), 0, 0, 0x80070642, 0, 0x15, 0) == 4) {
                                                                          										continue;
                                                                          									} else {
                                                                          										L14:
                                                                          										_push("Failed to elevate.");
                                                                          										goto L16;
                                                                          									}
                                                                          								}
                                                                          								goto L17;
                                                                          							}
                                                                          							_push(0x2000000b);
                                                                          							_push(2);
                                                                          							E0009550F();
                                                                          							_t64 = E000A52E3(_t41);
                                                                          							if(_t64 < 0) {
                                                                          								_push("Failed to connect to elevated child process.");
                                                                          								goto L16;
                                                                          							} else {
                                                                          								_push(0x2000000c);
                                                                          								_push(2);
                                                                          								E0009550F();
                                                                          								goto L13;
                                                                          							}
                                                                          						} else {
                                                                          							_push("Failed to create pipe and cache pipe.");
                                                                          							goto L16;
                                                                          						}
                                                                          					} else {
                                                                          						_push("Failed to create pipe name and client token.");
                                                                          						L16:
                                                                          						_push(_t64);
                                                                          						E000D012F();
                                                                          					}
                                                                          					L17:
                                                                          				} else {
                                                                          					E000937D3(_t21, "elevation.cpp", 0x100, _t61);
                                                                          					_push("UX aborted elevation requirement.");
                                                                          					_push(_t61);
                                                                          					E000D012F();
                                                                          				}
                                                                          				if(_v8 != 0) {
                                                                          					CloseHandle(_v8);
                                                                          					_v8 = _v8 & 0x00000000;
                                                                          				}
                                                                          				if(_t64 < 0) {
                                                                          					E000A4B2B(_t58 + 0x4a0);
                                                                          				}
                                                                          				return _t64;
                                                                          			}













                                                                          APIs
                                                                          • CloseHandle.KERNEL32(00000000,?,?,00000001,000DB4F0,?,00000001,000000FF,?,?,7692A770,00000000,00000001,00000000,?,000A72F3), ref: 000AD32F
                                                                          Strings
                                                                          • Failed to elevate., xrefs: 000AD311
                                                                          • Failed to create pipe name and client token., xrefs: 000AD270
                                                                          • Failed to connect to elevated child process., xrefs: 000AD318
                                                                          • Failed to create pipe and cache pipe., xrefs: 000AD28C
                                                                          • UX aborted elevation requirement., xrefs: 000AD244
                                                                          • elevation.cpp, xrefs: 000AD23A
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: CloseHandle
                                                                          • String ID: Failed to connect to elevated child process.$Failed to create pipe and cache pipe.$Failed to create pipe name and client token.$Failed to elevate.$UX aborted elevation requirement.$elevation.cpp
                                                                          • API String ID: 2962429428-3003415917
                                                                          • Opcode ID: 4d6ada41d24e9b48b6a7ae0a2ef93905c22fcd8e536acefba8c9727f3c592df7
                                                                          • Instruction ID: 2d6afe05beb6e5519a5a7a418f504e07392342417cffb57373dca69ff6297d25
                                                                          • Opcode Fuzzy Hash: 4d6ada41d24e9b48b6a7ae0a2ef93905c22fcd8e536acefba8c9727f3c592df7
                                                                          • Instruction Fuzzy Hash: C9310D73A45711BEEF2556E09C46FEF775C9F02720F100217FA0ABA182DA51AE0083A6
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 97%
                                                                          			E000D40C8(WCHAR* _a4, WCHAR* _a8, intOrPtr _a12, long _a16) {
                                                                          				short _t20;
                                                                          				WCHAR* _t25;
                                                                          				long _t28;
                                                                          				WCHAR* _t29;
                                                                          				signed short _t32;
                                                                          				short* _t34;
                                                                          				short* _t35;
                                                                          
                                                                          				_t25 = _a8;
                                                                          				_t35 = 0;
                                                                          				_t28 =  ==  ? 0 | _a12 != 0x00000000 : 0 | _a12 != 0x00000000 | 0x00000002;
                                                                          				_a16 = _t28;
                                                                          				if(MoveFileExW(_a4, _t25, _t28) != 0) {
                                                                          					L20:
                                                                          					return _t35;
                                                                          				}
                                                                          				_t32 = GetLastError();
                                                                          				if(_a12 != 0 || _t32 != 0x50 && _t32 != 0xb7) {
                                                                          					if(_t32 != 2) {
                                                                          						L8:
                                                                          						if(_t32 != 3) {
                                                                          							L18:
                                                                          							_t35 =  <=  ? _t32 : _t32 & 0x0000ffff | 0x80070000;
                                                                          							goto L19;
                                                                          						}
                                                                          						_t34 = _t35;
                                                                          						_t29 = _t25;
                                                                          						if(( *_t25 & 0x0000ffff) == 0) {
                                                                          							L17:
                                                                          							_t35 = 0x80070003;
                                                                          							goto L19;
                                                                          						}
                                                                          						_push(0x5c);
                                                                          						do {
                                                                          							_t34 =  ==  ? _t29 : _t34;
                                                                          							_t29 =  &(_t29[1]);
                                                                          						} while (( *_t29 & 0x0000ffff) != 0);
                                                                          						if(_t34 == 0) {
                                                                          							goto L17;
                                                                          						}
                                                                          						 *_t34 = 0;
                                                                          						_t35 = E00094013(_t25, _t35);
                                                                          						_t20 = 0x5c;
                                                                          						 *_t34 = _t20;
                                                                          						if(_t35 >= 0 && MoveFileExW(_a4, _t25, _a16) == 0) {
                                                                          							_t35 =  <=  ? GetLastError() : _t22 & 0x0000ffff | 0x80070000;
                                                                          							if(_t35 < 0) {
                                                                          								E000937D3(_t22, "fileutil.cpp", 0x4cc, _t35);
                                                                          							}
                                                                          						}
                                                                          						goto L19;
                                                                          					}
                                                                          					if(E000D4315(_a4, _t35) == 0) {
                                                                          						goto L18;
                                                                          					}
                                                                          					_t32 = 3;
                                                                          					goto L8;
                                                                          				} else {
                                                                          					_t35 = 1;
                                                                          					L19:
                                                                          					goto L20;
                                                                          				}
                                                                          			}











                                                                          APIs
                                                                          • MoveFileExW.KERNEL32(00000003,00000001,00000000,00000000,00000101,?,000D4203,00000003,00000001,00000001,000007D0,00000003,00000000,?,000A9E5F,00000000), ref: 000D40ED
                                                                          • GetLastError.KERNEL32(00000001,?,000D4203,00000003,00000001,00000001,000007D0,00000003,00000000,?,000A9E5F,00000000,000007D0,00000001,00000001,00000003), ref: 000D40FC
                                                                          • MoveFileExW.KERNEL32(00000003,00000001,000007D0,00000001,00000000,?,000D4203,00000003,00000001,00000001,000007D0,00000003,00000000,?,000A9E5F,00000000), ref: 000D417F
                                                                          • GetLastError.KERNEL32(?,000D4203,00000003,00000001,00000001,000007D0,00000003,00000000,?,000A9E5F,00000000,000007D0,00000001,00000001,00000003,000007D0), ref: 000D4189
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLastMove
                                                                          • String ID: @Mt$fileutil.cpp
                                                                          • API String ID: 55378915-3352924005
                                                                          • Opcode ID: c85e238e798660a61519d775d5d31a47b2cf73cb6017d12a745c90de94d3b4d7
                                                                          • Instruction ID: 50f1fe5f9a60fca5cf0aa5899b40ea29ff2741c7ef55193e9fc3e0f40ed5e1f6
                                                                          • Opcode Fuzzy Hash: c85e238e798660a61519d775d5d31a47b2cf73cb6017d12a745c90de94d3b4d7
                                                                          • Instruction Fuzzy Hash: 5B21E43A641326ABEF211E648C8167FB6D5EF657A1F020127FD4597350DB318C9192F0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 42%
                                                                          			E00097203(void* __ecx, struct _CRITICAL_SECTION* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                          				signed int _v8;
                                                                          				signed int _v12;
                                                                          				void* _t29;
                                                                          				char* _t38;
                                                                          				signed int _t46;
                                                                          				void* _t49;
                                                                          
                                                                          				_t41 = __ecx;
                                                                          				_push(__ecx);
                                                                          				_push(__ecx);
                                                                          				_v12 = _v12 & 0x00000000;
                                                                          				_v8 = _v8 & 0x00000000;
                                                                          				EnterCriticalSection(_a4);
                                                                          				_t29 = E00095C87(_t41, _a4, _a8,  &_v12);
                                                                          				_t46 = _v12;
                                                                          				_t49 = _t29;
                                                                          				if(_t49 < 0 ||  *((intOrPtr*)(_t46 + 0x18)) != 0) {
                                                                          					if(_t49 == 0x80070490) {
                                                                          						goto L18;
                                                                          					}
                                                                          					if(_t49 >= 0) {
                                                                          						if( *((intOrPtr*)(_t46 + 0x18)) != 2 ||  *((intOrPtr*)(_t46 + 0x2c)) != 0 ||  *((intOrPtr*)(_t46 + 0x24)) != 0) {
                                                                          							_t24 = _t46 + 8; // 0x8
                                                                          							_t49 = E000B00E0(_t24, _a12);
                                                                          							if(_t49 >= 0) {
                                                                          								goto L18;
                                                                          							}
                                                                          							_push(_a8);
                                                                          							_push("Failed to get value as string for variable: %ls");
                                                                          							L17:
                                                                          							_push(_t49);
                                                                          							E000D012F();
                                                                          						} else {
                                                                          							_t16 = _t46 + 8; // 0x8
                                                                          							_t49 = E000B00E0(_t16,  &_v8);
                                                                          							if(_t49 >= 0) {
                                                                          								_t49 = E0009567D(_a4, _v8, _a12, 0, 0);
                                                                          								if(_t49 < 0) {
                                                                          									_t38 = L"*****";
                                                                          									if( *((intOrPtr*)(_t46 + 0x20)) == 0) {
                                                                          										_t38 =  *(_t46 + 8);
                                                                          									}
                                                                          									_push(_a8);
                                                                          									E000D012F(_t49, "Failed to format value \'%ls\' of variable: %ls", _t38);
                                                                          								}
                                                                          							} else {
                                                                          								_push("Failed to get unformatted string.");
                                                                          								_push(_t49);
                                                                          								E000D012F();
                                                                          							}
                                                                          						}
                                                                          						goto L18;
                                                                          					}
                                                                          					_push(_a8);
                                                                          					_push("Failed to get variable: %ls");
                                                                          					goto L17;
                                                                          				} else {
                                                                          					_t49 = 0x80070490;
                                                                          					L18:
                                                                          					LeaveCriticalSection(_a4);
                                                                          					E00092793(_v8);
                                                                          					return _t49;
                                                                          				}
                                                                          			}










                                                                          APIs
                                                                          • EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,?,?,0009583F,000002C0,000002C0,00000000,00000100,00000001,00000000,000002C0,00000002), ref: 00097215
                                                                          • LeaveCriticalSection.KERNEL32(00000000,00000000,00000002,00000000,?,?,?,0009583F,000002C0,000002C0,00000000,00000100,00000001,00000000,000002C0,00000002), ref: 000972F4
                                                                          Strings
                                                                          • Failed to get variable: %ls, xrefs: 00097256
                                                                          • *****, xrefs: 000972B0, 000972BD
                                                                          • Failed to format value '%ls' of variable: %ls, xrefs: 000972BE
                                                                          • Failed to get unformatted string., xrefs: 00097285
                                                                          • Failed to get value as string for variable: %ls, xrefs: 000972E3
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$EnterLeave
                                                                          • String ID: *****$Failed to format value '%ls' of variable: %ls$Failed to get unformatted string.$Failed to get value as string for variable: %ls$Failed to get variable: %ls
                                                                          • API String ID: 3168844106-2873099529
                                                                          • Opcode ID: 4639d7af4eacff39d67a6fdb5882d3934c39f0a5e2849a7c7a221c2474e8b3db
                                                                          • Instruction ID: fb772110f0661bd1e7ba64e807b67cba7c73c11e3c053df03023c0c5181cdb49
                                                                          • Opcode Fuzzy Hash: 4639d7af4eacff39d67a6fdb5882d3934c39f0a5e2849a7c7a221c2474e8b3db
                                                                          • Instruction Fuzzy Hash: A131C03792461AFBDF229B90CC01F9E7B75EF14720F104226F9086A251D736AA50EBE4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 56%
                                                                          			E000955B6(void* __ecx, intOrPtr _a4, short* _a8, intOrPtr* _a12) {
                                                                          				unsigned int _v8;
                                                                          				signed int _v12;
                                                                          				unsigned int _t17;
                                                                          				signed int _t18;
                                                                          				void* _t22;
                                                                          				void* _t23;
                                                                          				signed int _t25;
                                                                          				intOrPtr _t33;
                                                                          				intOrPtr _t37;
                                                                          				unsigned int _t43;
                                                                          				intOrPtr _t46;
                                                                          
                                                                          				_t37 = _a4;
                                                                          				_t43 =  *(_t37 + 0x1c);
                                                                          				_t46 = 0;
                                                                          				_t33 = 0;
                                                                          				if(_t43 == 0) {
                                                                          					L10:
                                                                          					_t46 = 1;
                                                                          					 *_a12 = _t33;
                                                                          				} else {
                                                                          					while(1) {
                                                                          						_t17 = _t43 >> 1;
                                                                          						_v8 = _t17;
                                                                          						_t18 = _t17 + _t33;
                                                                          						_v12 = _t18;
                                                                          						_t22 = CompareStringW(0x7f, 0x1000, _a8, 0xffffffff,  *(_t18 * 0x38 +  *((intOrPtr*)(_t37 + 0x20))), 0xffffffff) - 1;
                                                                          						if(_t22 == 0) {
                                                                          							goto L5;
                                                                          						}
                                                                          						_t23 = _t22 - 1;
                                                                          						if(_t23 == 0) {
                                                                          							 *_a12 = _v8 + _t33;
                                                                          						} else {
                                                                          							_t25 = _t23 - 1;
                                                                          							if(_t25 != 0) {
                                                                          								_t51 =  <=  ? GetLastError() : _t26 & 0x0000ffff | 0x80070000;
                                                                          								_t46 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t26 & 0x0000ffff | 0x80070000;
                                                                          								E000937D3(0x80004005, "variable.cpp", 0x59f, _t46);
                                                                          								_push("Failed to compare strings.");
                                                                          								_push(_t46);
                                                                          								E000D012F();
                                                                          							} else {
                                                                          								_t33 = _v12 + 1;
                                                                          								_t43 = _t43 + (_t25 | 0xffffffff) - _v8;
                                                                          								L6:
                                                                          								if(_t43 == 0) {
                                                                          									goto L10;
                                                                          								} else {
                                                                          									_t37 = _a4;
                                                                          									continue;
                                                                          								}
                                                                          							}
                                                                          						}
                                                                          						goto L11;
                                                                          						L5:
                                                                          						_t43 = _v8;
                                                                          						goto L6;
                                                                          					}
                                                                          				}
                                                                          				L11:
                                                                          				return _t46;
                                                                          			}















                                                                          APIs
                                                                          • CompareStringW.KERNEL32(0000007F,00001000,?,000000FF,version.dll,000000FF,?,00000000,00000007,0009648B,0009648B,?,0009554A,?,?,00000000), ref: 000955F2
                                                                          • GetLastError.KERNEL32(?,0009554A,?,?,00000000,?,00000000,0009648B,?,00097DDC,?,?,?,?,?), ref: 00095621
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: CompareErrorLastString
                                                                          • String ID: @Mt$Failed to compare strings.$variable.cpp$version.dll
                                                                          • API String ID: 1733990998-2902175470
                                                                          • Opcode ID: 6a597c1ddb65867d10bd3690ee96964c9f6f546693b6e5de7cac0af2d265f7cf
                                                                          • Instruction ID: 9ecf6e8e271b9074cfc88a42eb0790e1e5b15581e7a366f85236d60bee864c0c
                                                                          • Opcode Fuzzy Hash: 6a597c1ddb65867d10bd3690ee96964c9f6f546693b6e5de7cac0af2d265f7cf
                                                                          • Instruction Fuzzy Hash: E0212632605614EBDB118FADCC41A6AB7E4EF09761F61031AFD14EB3D0DA30DE0197A0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                            • Part of subcall function 000938D4: GetProcessHeap.KERNEL32(?,000001C7,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938E5
                                                                            • Part of subcall function 000938D4: RtlAllocateHeap.NTDLL(00000000,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938EC
                                                                          • CreateWellKnownSid.ADVAPI32(00000000,00000000,00000000,00000000,00000044,00000001,00000000,00000000,?,?,000A8C10,0000001A,00000000,?,00000000,00000000), ref: 000A804C
                                                                          • GetLastError.KERNEL32(?,?,000A8C10,0000001A,00000000,?,00000000,00000000,?,?,00000000,00000000,?,?,-00000004,00000000), ref: 000A8056
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$AllocateCreateErrorKnownLastProcessWell
                                                                          • String ID: @Mt$Failed to allocate memory for well known SID.$Failed to create well known SID.$cache.cpp
                                                                          • API String ID: 2186923214-1788336901
                                                                          • Opcode ID: 1df7212f91095dbd2af4e07cc6b132318c23ef6cff9b2afc314b88cae23d2ca1
                                                                          • Instruction ID: f05d649ae891f0604b7e2a15f7317cb66a485bf03f136b3a94389605cb92f116
                                                                          • Opcode Fuzzy Hash: 1df7212f91095dbd2af4e07cc6b132318c23ef6cff9b2afc314b88cae23d2ca1
                                                                          • Instruction Fuzzy Hash: 37014872645720BAE77066BA5C06F9BBA9CCF41B60F11401BFE08AB281EE658E0056F4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 61%
                                                                          			E00096644(void* __ebx, void* __edx, void* __edi, intOrPtr _a8) {
                                                                          				signed int _v8;
                                                                          				short _v528;
                                                                          				void* __esi;
                                                                          				void* __ebp;
                                                                          				signed int _t7;
                                                                          				signed short _t18;
                                                                          				void* _t21;
                                                                          				void* _t26;
                                                                          				intOrPtr _t28;
                                                                          				void* _t29;
                                                                          				signed int _t33;
                                                                          
                                                                          				_t27 = __edi;
                                                                          				_t26 = __edx;
                                                                          				_t21 = __ebx;
                                                                          				_t7 =  *0xfa008; // 0x90c8e23b
                                                                          				_v8 = _t7 ^ _t33;
                                                                          				_t28 = _a8;
                                                                          				E000BF670(__edi,  &_v528, 0, 0x208);
                                                                          				if(GetTempPathW(0x104,  &_v528) != 0) {
                                                                          					_t29 = E000B02F4(_t28,  &_v528, 0);
                                                                          					if(_t29 < 0) {
                                                                          						_push("Failed to set variant value.");
                                                                          						goto L4;
                                                                          					}
                                                                          				} else {
                                                                          					_t18 = GetLastError();
                                                                          					_t32 =  <=  ? _t18 : _t18 & 0x0000ffff | 0x80070000;
                                                                          					_t29 =  >=  ? 0x80004005 :  <=  ? _t18 : _t18 & 0x0000ffff | 0x80070000;
                                                                          					E000937D3(0x80004005, "variable.cpp", 0x757, _t29);
                                                                          					_push("Failed to get temp path.");
                                                                          					L4:
                                                                          					_push(_t29);
                                                                          					E000D012F();
                                                                          				}
                                                                          				return E000BDE36(_t21, _v8 ^ _t33, _t26, _t27, _t29);
                                                                          			}














                                                                          APIs
                                                                          • GetTempPathW.KERNEL32(00000104,?), ref: 0009667D
                                                                          • GetLastError.KERNEL32 ref: 00096687
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLastPathTemp
                                                                          • String ID: @Mt$Failed to get temp path.$Failed to set variant value.$variable.cpp
                                                                          • API String ID: 1238063741-1002790507
                                                                          • Opcode ID: 33c8caeb7ba1cd64204abbaee5f81955efed53e599d51cabfebd195731e6e2f7
                                                                          • Instruction ID: b365b32269a1b4be8feb688289010e1d04f37201304778621668a3831ab4e47e
                                                                          • Opcode Fuzzy Hash: 33c8caeb7ba1cd64204abbaee5f81955efed53e599d51cabfebd195731e6e2f7
                                                                          • Instruction Fuzzy Hash: 1501DB71F41339A7EB20EB685C06FEA73989F00710F010156FD04EB2C1EA659D0496E5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 68%
                                                                          			E000D4038(void* __ecx, void* __eflags, WCHAR* _a4) {
                                                                          				signed char _v8;
                                                                          				void* _t22;
                                                                          
                                                                          				_v8 = _v8 | 0xffffffff;
                                                                          				_t22 = 0;
                                                                          				if(E000D4315(_a4,  &_v8) != 0) {
                                                                          					if((_v8 & 0x00000007) == 0 || SetFileAttributesW(_a4, 0x80) != 0) {
                                                                          						L5:
                                                                          						if(DeleteFileW(_a4) == 0) {
                                                                          							_t22 =  <=  ? GetLastError() : _t14 & 0x0000ffff | 0x80070000;
                                                                          							if(_t22 < 0) {
                                                                          								_push(_t22);
                                                                          								_push(0x5c2);
                                                                          								goto L8;
                                                                          							}
                                                                          						}
                                                                          					} else {
                                                                          						_t22 =  <=  ? GetLastError() : _t14 & 0x0000ffff | 0x80070000;
                                                                          						if(_t22 >= 0) {
                                                                          							goto L5;
                                                                          						} else {
                                                                          							_push(_t22);
                                                                          							_push(0x5bc);
                                                                          							L8:
                                                                          							_push("fileutil.cpp");
                                                                          							E000937D3(_t14);
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          				return _t22;
                                                                          			}





                                                                          APIs
                                                                            • Part of subcall function 000D4315: FindFirstFileW.KERNEL32(000B8FFA,?,000002C0,00000000,00000000), ref: 000D4350
                                                                            • Part of subcall function 000D4315: FindClose.KERNEL32(00000000), ref: 000D435C
                                                                          • SetFileAttributesW.KERNEL32(000B8FFA,00000080,00000000,000B8FFA,000000FF,00000000,?,?,000B8FFA), ref: 000D4067
                                                                          • GetLastError.KERNEL32(?,?,000B8FFA), ref: 000D4071
                                                                          • DeleteFileW.KERNEL32(000B8FFA,00000000,000B8FFA,000000FF,00000000,?,?,000B8FFA), ref: 000D4090
                                                                          • GetLastError.KERNEL32(?,?,000B8FFA), ref: 000D409A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: File$ErrorFindLast$AttributesCloseDeleteFirst
                                                                          • String ID: @Mt$fileutil.cpp
                                                                          • API String ID: 3967264933-3352924005
                                                                          • Opcode ID: 9f7020a35079ef5687e5fe75a6d340e25f07a05c78a464f902fc3250f7117dc3
                                                                          • Instruction ID: 923c10c888f17b8cc0770309aa9e9b6de4b70e844c5233105055a0b9e85df259
                                                                          • Opcode Fuzzy Hash: 9f7020a35079ef5687e5fe75a6d340e25f07a05c78a464f902fc3250f7117dc3
                                                                          • Instruction Fuzzy Hash: 68015E31A01725A7E7316AB98D08A9B7ED8EF047A1F014317FE15E6290D771CE0095F5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 55%
                                                                          			E000960BA(void* __ebx, void* __edx, intOrPtr _a8) {
                                                                          				signed int _v8;
                                                                          				short _v524;
                                                                          				long _v528;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				void* __ebp;
                                                                          				signed int _t8;
                                                                          				void* _t20;
                                                                          				void* _t25;
                                                                          				intOrPtr _t26;
                                                                          				void* _t27;
                                                                          				signed int _t30;
                                                                          
                                                                          				_t25 = __edx;
                                                                          				_t20 = __ebx;
                                                                          				_t8 =  *0xfa008; // 0x90c8e23b
                                                                          				_v8 = _t8 ^ _t30;
                                                                          				_t26 = _a8;
                                                                          				_v528 = 0x101;
                                                                          				if(GetUserNameW( &_v524,  &_v528) != 0) {
                                                                          					L3:
                                                                          					_t27 = E000B02F4(_t26,  &_v524, 0);
                                                                          					if(_t27 < 0) {
                                                                          						_push("Failed to set variant value.");
                                                                          						goto L5;
                                                                          					}
                                                                          				} else {
                                                                          					_t27 =  <=  ? GetLastError() : _t18 & 0x0000ffff | 0x80070000;
                                                                          					if(_t27 >= 0) {
                                                                          						goto L3;
                                                                          					} else {
                                                                          						E000937D3(_t18, "variable.cpp", 0x8e5, _t27);
                                                                          						_push("Failed to get the user name.");
                                                                          						L5:
                                                                          						_push(_t27);
                                                                          						E000D012F();
                                                                          					}
                                                                          				}
                                                                          				return E000BDE36(_t20, _v8 ^ _t30, _t25, _t26, _t27);
                                                                          			}















                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLastNameUser
                                                                          • String ID: @Mt$Failed to get the user name.$Failed to set variant value.$variable.cpp
                                                                          • API String ID: 2054405381-3196840712
                                                                          • Opcode ID: 914e203b9b37daaaeba3e29e3beaddc6eb99310e3aaf20a82c4ea7d18675b0b2
                                                                          • Instruction ID: 23c261252cdf2b2c393bf50552adcce89d28ea4eaa7509c82b2d78facb0fe405
                                                                          • Opcode Fuzzy Hash: 914e203b9b37daaaeba3e29e3beaddc6eb99310e3aaf20a82c4ea7d18675b0b2
                                                                          • Instruction Fuzzy Hash: E101F971A01329A7DB20EB69DC09EEFB7A8DF00720F014157FC14E7242EE759E0496E1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 77%
                                                                          			E000D9555() {
                                                                          				intOrPtr _t1;
                                                                          				_Unknown_base(*)()* _t3;
                                                                          				void* _t5;
                                                                          				_Unknown_base(*)()* _t6;
                                                                          				struct HINSTANCE__* _t14;
                                                                          
                                                                          				_t1 =  *0xfb708; // 0x0
                                                                          				if(_t1 != 1) {
                                                                          					if(_t1 == 0) {
                                                                          						_t14 = GetModuleHandleW(L"KERNEL32.DLL");
                                                                          						if(_t14 != 0) {
                                                                          							_t3 = GetProcAddress(_t14, "AcquireSRWLockExclusive");
                                                                          							if(_t3 == 0) {
                                                                          								goto L5;
                                                                          							} else {
                                                                          								 *0xfb70c = _t3;
                                                                          								_t6 = GetProcAddress(_t14, "ReleaseSRWLockExclusive");
                                                                          								if(_t6 == 0) {
                                                                          									goto L5;
                                                                          								} else {
                                                                          									 *0xfb710 = _t6;
                                                                          								}
                                                                          							}
                                                                          						} else {
                                                                          							L5:
                                                                          							_t14 = 1;
                                                                          						}
                                                                          						asm("lock cmpxchg [edx], ecx");
                                                                          						if(0 != 0 || _t14 != 1) {
                                                                          							if(0 != 1) {
                                                                          								_t5 = 1;
                                                                          							} else {
                                                                          								goto L12;
                                                                          							}
                                                                          						} else {
                                                                          							L12:
                                                                          							_t5 = 0;
                                                                          						}
                                                                          						return _t5;
                                                                          					} else {
                                                                          						return 1;
                                                                          					}
                                                                          				} else {
                                                                          					return 0;
                                                                          				}
                                                                          			}








                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                                                          • API String ID: 0-1718035505
                                                                          • Opcode ID: c4c3ca5d16eeeb553f5c653509f3113f8531a7813a013e21b657eba7567ae352
                                                                          • Instruction ID: 626fafc70af62fe35438a5245383be54f3316ea2a95a000482517e1f7c9a72d2
                                                                          • Opcode Fuzzy Hash: c4c3ca5d16eeeb553f5c653509f3113f8531a7813a013e21b657eba7567ae352
                                                                          • Instruction Fuzzy Hash: 31012872746B229B5FB26EB5BC805BB37C89B41751300423BEA11C7B84D716C841EBF0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 45%
                                                                          			E000BD5AF(intOrPtr* __ecx, intOrPtr _a4, intOrPtr* _a8) {
                                                                          				void* _t10;
                                                                          				intOrPtr* _t21;
                                                                          				struct _SECURITY_ATTRIBUTES* _t22;
                                                                          
                                                                          				_t21 = __ecx;
                                                                          				_t22 = 0;
                                                                          				_t1 = _t21 + 8; // 0x8
                                                                          				 *__ecx = 0xf06ec;
                                                                          				 *(__ecx + 4) = 1;
                                                                          				InitializeCriticalSection(_t1);
                                                                          				_t10 = CreateEventW(0, 1, 0, 0);
                                                                          				 *(_t21 + 0x28) = _t10;
                                                                          				if(_t10 != 0) {
                                                                          					 *((intOrPtr*)(_t21 + 0x20)) = 0;
                                                                          					 *((intOrPtr*)(_t21 + 0x24)) = 0;
                                                                          					 *((intOrPtr*)(_t21 + 0x2c)) = _a4;
                                                                          				} else {
                                                                          					_t25 =  <=  ? GetLastError() : _t14 & 0x0000ffff | 0x80070000;
                                                                          					_t22 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t14 & 0x0000ffff | 0x80070000;
                                                                          					E000937D3(0x80004005, "bitsengine.cpp", 0x11c, _t22);
                                                                          					_push("Failed to create BITS job complete event.");
                                                                          					_push(_t22);
                                                                          					E000D012F();
                                                                          				}
                                                                          				 *_a8 = _t22;
                                                                          				return _t21;
                                                                          			}







                                                                          APIs
                                                                          • InitializeCriticalSection.KERNEL32(00000008,00000000,00000000,?,000BDD19,?,?,?,?,?,00000001,00000000,?), ref: 000BD5C9
                                                                          • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,000BDD19,?,?,?,?,?,00000001,00000000,?), ref: 000BD5D4
                                                                          • GetLastError.KERNEL32(?,000BDD19,?,?,?,?,?,00000001,00000000,?), ref: 000BD5E1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: CreateCriticalErrorEventInitializeLastSection
                                                                          • String ID: @Mt$Failed to create BITS job complete event.$bitsengine.cpp
                                                                          • API String ID: 3069647169-1626263371
                                                                          • Opcode ID: a1df56a94f88d7186034d0af67e6c389f6921f1624e7e4414af9b7cd67fd6481
                                                                          • Instruction ID: 072263f4e905f9f2b31f8fcd623e526501cfcac3b72871e03f6a96fb082cee9a
                                                                          • Opcode Fuzzy Hash: a1df56a94f88d7186034d0af67e6c389f6921f1624e7e4414af9b7cd67fd6481
                                                                          • Instruction Fuzzy Hash: 59015E76601726BBE710AB6AD805A97BBD8FF49760B014127FD08D7A41E77498108BF8
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 71%
                                                                          			E000CA059(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
                                                                          				signed int _v8;
                                                                          				int _v12;
                                                                          				void* _v24;
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				void* __ebp;
                                                                          				signed int _t49;
                                                                          				signed int _t54;
                                                                          				int _t58;
                                                                          				signed int _t60;
                                                                          				short* _t62;
                                                                          				signed int _t66;
                                                                          				short* _t70;
                                                                          				int _t71;
                                                                          				int _t78;
                                                                          				void* _t80;
                                                                          				short* _t81;
                                                                          				signed int _t87;
                                                                          				signed int _t90;
                                                                          				void* _t95;
                                                                          				int _t97;
                                                                          				void* _t98;
                                                                          				short* _t100;
                                                                          				int _t102;
                                                                          				void* _t103;
                                                                          				signed int _t105;
                                                                          				short* _t106;
                                                                          				void* _t109;
                                                                          
                                                                          				_push(__ecx);
                                                                          				_push(__ecx);
                                                                          				_t49 =  *0xfa008; // 0x90c8e23b
                                                                          				_v8 = _t49 ^ _t105;
                                                                          				_t102 = _a20;
                                                                          				if(_t102 > 0) {
                                                                          					_t78 = E000CC675(_a16, _t102);
                                                                          					_t109 = _t78 - _t102;
                                                                          					_t4 = _t78 + 1; // 0x1
                                                                          					_t102 = _t4;
                                                                          					if(_t109 >= 0) {
                                                                          						_t102 = _t78;
                                                                          					}
                                                                          				}
                                                                          				_t97 = _a32;
                                                                          				if(_t97 == 0) {
                                                                          					_t97 =  *( *_a4 + 8);
                                                                          					_a32 = _t97;
                                                                          				}
                                                                          				_t54 = MultiByteToWideChar(_t97, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t102, 0, 0);
                                                                          				_v12 = _t54;
                                                                          				if(_t54 == 0) {
                                                                          					L38:
                                                                          					_pop(_t98);
                                                                          					_pop(_t103);
                                                                          					_pop(_t80);
                                                                          					return E000BDE36(_t80, _v8 ^ _t105, _t95, _t98, _t103);
                                                                          				} else {
                                                                          					_t95 = _t54 + _t54;
                                                                          					_t85 = _t95 + 8;
                                                                          					asm("sbb eax, eax");
                                                                          					if((_t95 + 0x00000008 & _t54) == 0) {
                                                                          						_t81 = 0;
                                                                          						__eflags = 0;
                                                                          						L14:
                                                                          						if(_t81 == 0) {
                                                                          							L36:
                                                                          							_t104 = 0;
                                                                          							L37:
                                                                          							E000C91C7(_t81);
                                                                          							goto L38;
                                                                          						}
                                                                          						_t58 = MultiByteToWideChar(_t97, 1, _a16, _t102, _t81, _v12);
                                                                          						_t120 = _t58;
                                                                          						if(_t58 == 0) {
                                                                          							goto L36;
                                                                          						}
                                                                          						_t99 = _v12;
                                                                          						_t60 = E000C8969(_t81, _t85, _v12, _t120, _a8, _a12, _t81, _v12, 0, 0, 0, 0, 0);
                                                                          						_t104 = _t60;
                                                                          						if(_t104 == 0) {
                                                                          							goto L36;
                                                                          						}
                                                                          						if((_a12 & 0x00000400) == 0) {
                                                                          							_t95 = _t104 + _t104;
                                                                          							_t87 = _t95 + 8;
                                                                          							__eflags = _t95 - _t87;
                                                                          							asm("sbb eax, eax");
                                                                          							__eflags = _t87 & _t60;
                                                                          							if((_t87 & _t60) == 0) {
                                                                          								_t100 = 0;
                                                                          								__eflags = 0;
                                                                          								L30:
                                                                          								__eflags = _t100;
                                                                          								if(__eflags == 0) {
                                                                          									L35:
                                                                          									E000C91C7(_t100);
                                                                          									goto L36;
                                                                          								}
                                                                          								_t62 = E000C8969(_t81, _t87, _t100, __eflags, _a8, _a12, _t81, _v12, _t100, _t104, 0, 0, 0);
                                                                          								__eflags = _t62;
                                                                          								if(_t62 == 0) {
                                                                          									goto L35;
                                                                          								}
                                                                          								_push(0);
                                                                          								_push(0);
                                                                          								__eflags = _a28;
                                                                          								if(_a28 != 0) {
                                                                          									_push(_a28);
                                                                          									_push(_a24);
                                                                          								} else {
                                                                          									_push(0);
                                                                          									_push(0);
                                                                          								}
                                                                          								_t104 = WideCharToMultiByte(_a32, 0, _t100, _t104, ??, ??, ??, ??);
                                                                          								__eflags = _t104;
                                                                          								if(_t104 != 0) {
                                                                          									E000C91C7(_t100);
                                                                          									goto L37;
                                                                          								} else {
                                                                          									goto L35;
                                                                          								}
                                                                          							}
                                                                          							_t90 = _t95 + 8;
                                                                          							__eflags = _t95 - _t90;
                                                                          							asm("sbb eax, eax");
                                                                          							_t66 = _t60 & _t90;
                                                                          							_t87 = _t95 + 8;
                                                                          							__eflags = _t66 - 0x400;
                                                                          							if(_t66 > 0x400) {
                                                                          								__eflags = _t95 - _t87;
                                                                          								asm("sbb eax, eax");
                                                                          								_t100 = E000C5154(_t87, _t66 & _t87);
                                                                          								_pop(_t87);
                                                                          								__eflags = _t100;
                                                                          								if(_t100 == 0) {
                                                                          									goto L35;
                                                                          								}
                                                                          								 *_t100 = 0xdddd;
                                                                          								L28:
                                                                          								_t100 =  &(_t100[4]);
                                                                          								goto L30;
                                                                          							}
                                                                          							__eflags = _t95 - _t87;
                                                                          							asm("sbb eax, eax");
                                                                          							E000D9DF0();
                                                                          							_t100 = _t106;
                                                                          							__eflags = _t100;
                                                                          							if(_t100 == 0) {
                                                                          								goto L35;
                                                                          							}
                                                                          							 *_t100 = 0xcccc;
                                                                          							goto L28;
                                                                          						}
                                                                          						_t70 = _a28;
                                                                          						if(_t70 == 0) {
                                                                          							goto L37;
                                                                          						}
                                                                          						_t124 = _t104 - _t70;
                                                                          						if(_t104 > _t70) {
                                                                          							goto L36;
                                                                          						}
                                                                          						_t71 = E000C8969(_t81, 0, _t99, _t124, _a8, _a12, _t81, _t99, _a24, _t70, 0, 0, 0);
                                                                          						_t104 = _t71;
                                                                          						if(_t71 != 0) {
                                                                          							goto L37;
                                                                          						}
                                                                          						goto L36;
                                                                          					}
                                                                          					asm("sbb eax, eax");
                                                                          					_t72 = _t54 & _t95 + 0x00000008;
                                                                          					_t85 = _t95 + 8;
                                                                          					if((_t54 & _t95 + 0x00000008) > 0x400) {
                                                                          						__eflags = _t95 - _t85;
                                                                          						asm("sbb eax, eax");
                                                                          						_t81 = E000C5154(_t85, _t72 & _t85);
                                                                          						_pop(_t85);
                                                                          						__eflags = _t81;
                                                                          						if(__eflags == 0) {
                                                                          							goto L36;
                                                                          						}
                                                                          						 *_t81 = 0xdddd;
                                                                          						L12:
                                                                          						_t81 =  &(_t81[4]);
                                                                          						goto L14;
                                                                          					}
                                                                          					asm("sbb eax, eax");
                                                                          					E000D9DF0();
                                                                          					_t81 = _t106;
                                                                          					if(_t81 == 0) {
                                                                          						goto L36;
                                                                          					}
                                                                          					 *_t81 = 0xcccc;
                                                                          					goto L12;
                                                                          				}
                                                                          			}

































                                                                          APIs
                                                                          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,000C3382,000C3382,?,?,?,000CA2AA,00000001,00000001,E3E85006), ref: 000CA0B3
                                                                          • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,000CA2AA,00000001,00000001,E3E85006,?,?,?), ref: 000CA139
                                                                          • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,E3E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 000CA233
                                                                          • __freea.LIBCMT ref: 000CA240
                                                                            • Part of subcall function 000C5154: RtlAllocateHeap.NTDLL(00000000,?,?,?,000C1E90,?,0000015D,?,?,?,?,000C32E9,000000FF,00000000,?,?), ref: 000C5186
                                                                          • __freea.LIBCMT ref: 000CA249
                                                                          • __freea.LIBCMT ref: 000CA26E
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                          • String ID:
                                                                          • API String ID: 1414292761-0
                                                                          • Opcode ID: d94bf1aad628a1f62697aca782b26cc64aa20a2c52ba870bbc5cd249882a03fc
                                                                          • Instruction ID: 9e2783f42e3f40f44d515c8c60e81db45f543c971db4a6b1fcae8a5d693f9510
                                                                          • Opcode Fuzzy Hash: d94bf1aad628a1f62697aca782b26cc64aa20a2c52ba870bbc5cd249882a03fc
                                                                          • Instruction Fuzzy Hash: 3651BE7270022AABEB258F68CC86FBF77AAEB46754F19422DFC04D6141EB35DC408661
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 33%
                                                                          			E000921BC(signed int __edx, intOrPtr* _a4, char* _a8, signed int _a12, int _a16) {
                                                                          				signed int _t17;
                                                                          				unsigned int _t18;
                                                                          				signed int _t19;
                                                                          				signed short _t24;
                                                                          				intOrPtr _t25;
                                                                          				signed short _t31;
                                                                          				signed int _t34;
                                                                          				int _t36;
                                                                          				char* _t38;
                                                                          				void* _t39;
                                                                          				intOrPtr _t41;
                                                                          				intOrPtr _t42;
                                                                          				int _t44;
                                                                          				unsigned int _t46;
                                                                          				intOrPtr* _t47;
                                                                          				unsigned int _t49;
                                                                          				int _t51;
                                                                          
                                                                          				_t37 = _a4;
                                                                          				_t44 = __edx | 0xffffffff;
                                                                          				_t17 = _a12;
                                                                          				_t51 = 0;
                                                                          				_t34 = _t17;
                                                                          				_t46 = 0;
                                                                          				if( *_a4 == 0) {
                                                                          					L4:
                                                                          					_t38 = _a8;
                                                                          					if(_t17 != 0) {
                                                                          						if(_t38[_t17] == 0) {
                                                                          							_t34 = _t17 - 1;
                                                                          						}
                                                                          						L11:
                                                                          						_t18 = _t34 + 1;
                                                                          						if(_t46 >= _t18) {
                                                                          							L20:
                                                                          							_t19 = _a12;
                                                                          							_push(_t46);
                                                                          							_t47 = _a4;
                                                                          							_push( *_t47);
                                                                          							_t39 = 0xffffffff;
                                                                          							_t20 =  ==  ? _t39 : _t19;
                                                                          							if(MultiByteToWideChar(_a16, _t51, _a8,  ==  ? _t39 : _t19, ??, ??) != 0) {
                                                                          								 *((short*)( *_t47 + _t34 * 2)) = 0;
                                                                          								L23:
                                                                          								return _t51;
                                                                          							}
                                                                          							_t24 = GetLastError();
                                                                          							_t55 =  <=  ? _t24 : _t24 & 0x0000ffff | 0x80070000;
                                                                          							_t25 = 0x80004005;
                                                                          							_t51 =  >=  ? 0x80004005 :  <=  ? _t24 : _t24 & 0x0000ffff | 0x80070000;
                                                                          							_push(_t51);
                                                                          							_push(0x22f);
                                                                          							L7:
                                                                          							_push("strutil.cpp");
                                                                          							E000937D3(_t25);
                                                                          							goto L23;
                                                                          						}
                                                                          						_t46 = _t18;
                                                                          						if(_t46 < 0x7fffffff) {
                                                                          							_push(1);
                                                                          							_t41 =  *_a4;
                                                                          							_push(_t46 + _t46);
                                                                          							if(_t41 == 0) {
                                                                          								_t25 = E000938D4();
                                                                          							} else {
                                                                          								_push(_t41);
                                                                          								_t25 = E00093A72();
                                                                          							}
                                                                          							_t42 = _t25;
                                                                          							if(_t42 != 0) {
                                                                          								 *_a4 = _t42;
                                                                          								goto L20;
                                                                          							} else {
                                                                          								_t51 = 0x8007000e;
                                                                          								_push(0x8007000e);
                                                                          								_push(0x228);
                                                                          								goto L7;
                                                                          							}
                                                                          						}
                                                                          						_t51 = 0x8007000e;
                                                                          						goto L23;
                                                                          					}
                                                                          					_t36 = MultiByteToWideChar(_a16, _t51, _t38, _t44, _t51, _t51);
                                                                          					if(_t36 != 0) {
                                                                          						_t34 = _t36 - 1;
                                                                          						goto L11;
                                                                          					}
                                                                          					_t31 = GetLastError();
                                                                          					_t58 =  <=  ? _t31 : _t31 & 0x0000ffff | 0x80070000;
                                                                          					_t25 = 0x80004005;
                                                                          					_t51 =  >=  ? 0x80004005 :  <=  ? _t31 : _t31 & 0x0000ffff | 0x80070000;
                                                                          					_push(_t51);
                                                                          					_push(0x20c);
                                                                          					goto L7;
                                                                          				}
                                                                          				_t49 = E00093B51( *_t37);
                                                                          				_t44 = _t44 | 0xffffffff;
                                                                          				if(_t49 != _t44) {
                                                                          					_t46 = _t49 >> 1;
                                                                          					_t17 = _t34;
                                                                          					goto L4;
                                                                          				}
                                                                          				_t51 = 0x80070057;
                                                                          				goto L23;
                                                                          			}

                                                                          0x0009222d
                                                                          0x000921dc
                                                                          0x000921de
                                                                          0x000921e3
                                                                          0x000921ef
                                                                          0x000921f1
                                                                          0x00000000
                                                                          0x000921f1
                                                                          0x000921e5
                                                                          0x00000000

                                                                          APIs
                                                                          • MultiByteToWideChar.KERNEL32(8007139F,00000000,?,?,00000000,00000000,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 00092202
                                                                          • GetLastError.KERNEL32(?,00000000,00000000,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 0009220E
                                                                            • Part of subcall function 00093B51: GetProcessHeap.KERNEL32(00000000,000001C7,?,000921DC,000001C7,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 00093B59
                                                                            • Part of subcall function 00093B51: HeapSize.KERNEL32(00000000,?,000921DC,000001C7,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 00093B60
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
                                                                          • String ID: @Mt$strutil.cpp
                                                                          • API String ID: 3662877508-3983159554
                                                                          • Opcode ID: bd76a2df4cff65c3f1288de43996190eab4ecdb8fca85f6404a06af00b53a00f
                                                                          • Instruction ID: 18e324dbf6e9b749dd662773c48263c72d5fd0b0e1359ea4162b2bf102b99bd7
                                                                          • Opcode Fuzzy Hash: bd76a2df4cff65c3f1288de43996190eab4ecdb8fca85f6404a06af00b53a00f
                                                                          • Instruction Fuzzy Hash: F331B832601216FBEF209B69CC44AAB77D9EF45764B11422AFD15DB2A0EB31CC40A7E0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 90%
                                                                          			E000AC59C(void* __ecx, void* __edx, intOrPtr* _a4, signed int _a8, intOrPtr* _a12) {
                                                                          				signed int _t87;
                                                                          				void* _t96;
                                                                          
                                                                          				_t97 = _a4;
                                                                          				_t96 = 0;
                                                                          				_t87 =  *_a4 - 1;
                                                                          				if(_t87 > 0x13) {
                                                                          					L23:
                                                                          					_t96 = 0x80070057;
                                                                          					E000937D3(_t87, "elevation.cpp", 0x5e4, 0x80070057);
                                                                          					E000D012F(0x80070057, "Unexpected elevated message sent to child process, msg: %u",  *_t97);
                                                                          					L24:
                                                                          					return _t96;
                                                                          				}
                                                                          				switch( *((intOrPtr*)(_t87 * 4 +  &M000AC7AC))) {
                                                                          					case 0:
                                                                          						_t92 = E000AAEB2(__ecx, __edx, _t101,  *((intOrPtr*)(_a8 + 0x20)),  *((intOrPtr*)(_a8 + 0x24)),  *((intOrPtr*)(_t91 + 8)),  *((intOrPtr*)(_t91 + 0xc)),  *((intOrPtr*)(_t97 + 0xc)),  *((intOrPtr*)(_t97 + 4)));
                                                                          						goto L21;
                                                                          					case 1:
                                                                          						__eax = _a8;
                                                                          						__esi =  *(_a8 + 8);
                                                                          						__eflags =  *__esi;
                                                                          						if( *__esi != 0) {
                                                                          							ReleaseMutex( *__esi) = CloseHandle( *__esi);
                                                                          							 *__esi = 0;
                                                                          						}
                                                                          						__esi = __edi;
                                                                          						goto L22;
                                                                          					case 2:
                                                                          						_a8 = E000AC29D(__ecx, __edx, __eflags,  *((intOrPtr*)(_a8 + 0x24)),  *((intOrPtr*)(__eax + 0x20)),  *((intOrPtr*)(__eax + 0x28)), __esi[3], __esi[1]);
                                                                          						goto L21;
                                                                          					case 3:
                                                                          						_a8 = E000AC484(__ecx, __edx, __eflags,  *((intOrPtr*)(_a8 + 0x24)), __esi[3], __esi[1]);
                                                                          						goto L21;
                                                                          					case 4:
                                                                          						_a8 = E000AC3DF(__ecx, __edx, __eflags,  *((intOrPtr*)(_a8 + 0x24)),  *((intOrPtr*)(__eax + 0x20)), __esi[3], __esi[1]);
                                                                          						goto L21;
                                                                          					case 5:
                                                                          						__eax = _a8;
                                                                          						__esi = E0009FDDF(__ecx,  *((intOrPtr*)(_a8 + 0x24)), __esi[3], __esi[1]);
                                                                          						__eflags = __esi;
                                                                          						if(__esi < 0) {
                                                                          							_push("Failed to save state.");
                                                                          							_push(__esi);
                                                                          							__eax = E000D012F();
                                                                          							_pop(__ecx);
                                                                          							_pop(__ecx);
                                                                          						}
                                                                          						goto L22;
                                                                          					case 6:
                                                                          						goto L23;
                                                                          					case 7:
                                                                          						_a8 = E000AC1D8(__ecx, __edx, __eflags,  *((intOrPtr*)(_a8 + 0x24)), __esi[3], __esi[1]);
                                                                          						goto L21;
                                                                          					case 8:
                                                                          						__ecx = _a8;
                                                                          						 *((intOrPtr*)(__ecx + 0x24)) =  *((intOrPtr*)(__ecx + 0x24)) + 0xb4;
                                                                          						__eax = E000AB35A(__ecx, __edx, __eflags,  *((intOrPtr*)(__ecx + 4)),  *((intOrPtr*)(__ecx + 0x18)),  *((intOrPtr*)(__ecx + 0x24)) + 0xb4,  *((intOrPtr*)(__ecx + 0x20)), __esi[3], __esi[1]);
                                                                          						goto L21;
                                                                          					case 9:
                                                                          						_a8 = E000AB561(__ecx, __eflags,  *((intOrPtr*)(_a8 + 4)),  *((intOrPtr*)(__eax + 0x18)),  *((intOrPtr*)(__eax + 0x20)), __esi[3], __esi[1]);
                                                                          						goto L21;
                                                                          					case 0xa:
                                                                          						_a8 = E000AB813(__ecx, __eflags,  *((intOrPtr*)(_a8 + 4)),  *((intOrPtr*)(__eax + 0x18)),  *((intOrPtr*)(__eax + 0x20)), __esi[3], __esi[1]);
                                                                          						goto L21;
                                                                          					case 0xb:
                                                                          						_a8 = E000ABAB9(__ecx, __eflags,  *((intOrPtr*)(_a8 + 4)),  *((intOrPtr*)(__eax + 0x18)),  *((intOrPtr*)(__eax + 0x20)), __esi[3], __esi[1]);
                                                                          						goto L21;
                                                                          					case 0xc:
                                                                          						__ecx = _a8;
                                                                          						 *((intOrPtr*)(__ecx + 0x24)) =  *((intOrPtr*)(__ecx + 0x24)) + 0xb4;
                                                                          						__eax = E000ABD23(__ecx, __edi, __eflags,  *((intOrPtr*)(__ecx + 0x18)),  *((intOrPtr*)(__ecx + 0x24)) + 0xb4, __esi[3], __esi[1]);
                                                                          						goto L21;
                                                                          					case 0xd:
                                                                          						__ecx = _a8;
                                                                          						 *((intOrPtr*)(__ecx + 0x24)) =  *((intOrPtr*)(__ecx + 0x24)) + 0xb4;
                                                                          						__eax = E000ABC1C(__ecx, __edx, __edi, __eflags,  *((intOrPtr*)(__ecx + 0x18)),  *((intOrPtr*)(__ecx + 0x24)) + 0xb4, __esi[3], __esi[1]);
                                                                          						goto L21;
                                                                          					case 0xe:
                                                                          						_a8 = E000AC0B1(__ecx, __eflags,  *((intOrPtr*)(_a8 + 0x18)), __esi[3], __esi[1]);
                                                                          						goto L21;
                                                                          					case 0xf:
                                                                          						_a8 = E000AB2C2(__ecx, __edx, __eflags,  *((intOrPtr*)(_a8 + 0x18)), __esi[3], __esi[1]);
                                                                          						goto L21;
                                                                          					case 0x10:
                                                                          						_a8 = E000ABE05(__ecx, __eflags,  *((intOrPtr*)(_a8 + 4)),  *((intOrPtr*)(__eax + 0x10)),  *((intOrPtr*)(__eax + 0x20)), __esi[3], __esi[1]);
                                                                          						L21:
                                                                          						_t98 = _t92;
                                                                          						L22:
                                                                          						 *_a12 = _t98;
                                                                          						goto L24;
                                                                          				}
                                                                          			}






                                                                          APIs
                                                                          Strings
                                                                          • Unexpected elevated message sent to child process, msg: %u, xrefs: 000AC794
                                                                          • Failed to save state., xrefs: 000AC661
                                                                          • elevation.cpp, xrefs: 000AC788
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: CloseHandleMutexRelease
                                                                          • String ID: Failed to save state.$Unexpected elevated message sent to child process, msg: %u$elevation.cpp
                                                                          • API String ID: 4207627910-1576875097
                                                                          • Opcode ID: 06984ab6832c7c894803b6ea7f45d85fbd86bd73fce5652d54af694165d4867e
                                                                          • Instruction ID: 7b3fb42ab9db8bed17d5062367431519d7754f6cfce8cd040c082a7f037bd8c7
                                                                          • Opcode Fuzzy Hash: 06984ab6832c7c894803b6ea7f45d85fbd86bd73fce5652d54af694165d4867e
                                                                          • Instruction Fuzzy Hash: 1561D83A104514FFDB229F94CD41C59BBB2FF0A310716C559FA695A632C732E921EF41
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 91%
                                                                          			E000D10C5(void* _a4, short* _a8, signed int* _a12, signed int* _a16) {
                                                                          				int* _v8;
                                                                          				int _v12;
                                                                          				int _v16;
                                                                          				signed short _t44;
                                                                          				void* _t47;
                                                                          				int* _t51;
                                                                          				long _t71;
                                                                          				signed int _t72;
                                                                          				signed int _t73;
                                                                          				signed short _t75;
                                                                          				unsigned int _t79;
                                                                          				unsigned int _t80;
                                                                          				unsigned int _t81;
                                                                          				WCHAR* _t82;
                                                                          				void* _t86;
                                                                          				void* _t87;
                                                                          				void* _t88;
                                                                          
                                                                          				_v16 = 0;
                                                                          				_t72 = 0;
                                                                          				_v12 = 0;
                                                                          				_t81 = 0;
                                                                          				_v8 = 0;
                                                                          				_t44 = RegQueryValueExW(_a4, _a8, 0,  &_v16, 0,  &_v12);
                                                                          				_t79 = _v12;
                                                                          				_t75 = _t44;
                                                                          				if(_t79 == 0) {
                                                                          					L3:
                                                                          					_t86 = 0x80070002;
                                                                          					_t47 =  <=  ? _t75 : _t75 & 0x0000ffff | 0x80070000;
                                                                          					if(_t47 != 0x80070002) {
                                                                          						if(_t75 == 0) {
                                                                          							_t80 = _t79 >> 1;
                                                                          							if(_t80 == _t81) {
                                                                          								if(_v16 == 7) {
                                                                          									if(_t81 >= 2) {
                                                                          										_t51 = _v8;
                                                                          										if(0 !=  *((intOrPtr*)(_t51 + _t81 * 2 - 2)) || 0 !=  *((intOrPtr*)(_t51 + _t81 * 2 - 4))) {
                                                                          											_t86 = 0x80070057;
                                                                          										} else {
                                                                          											_t87 = 0;
                                                                          											if(_t80 != 0) {
                                                                          												do {
                                                                          													_t87 = _t87 + 1;
                                                                          													_t29 = _t72 + 1; // 0x1
                                                                          													_t63 =  !=  ? _t72 : _t29;
                                                                          													_t72 =  !=  ? _t72 : _t29;
                                                                          												} while (_t87 < _t80);
                                                                          											}
                                                                          											_t31 = _t72 - 1; // 0x0
                                                                          											_t52 = _t31;
                                                                          											 *_a16 = _t31;
                                                                          											_t86 = E000938F6(_t31, _a16, _a12, _t52, 4, 0);
                                                                          											if(_t86 >= 0) {
                                                                          												_t73 = 0;
                                                                          												_t82 = _v8;
                                                                          												if( *_a16 > 0) {
                                                                          													while(1) {
                                                                          														_t86 = E000921A5( *_a12 + _t73 * 4, _t82, 0);
                                                                          														if(_t86 < 0) {
                                                                          															goto L23;
                                                                          														}
                                                                          														_t82 =  &(( &(_t82[lstrlenW(_t82)]))[1]);
                                                                          														_t73 = _t73 + 1;
                                                                          														if(_t73 <  *_a16) {
                                                                          															continue;
                                                                          														} else {
                                                                          														}
                                                                          														goto L23;
                                                                          													}
                                                                          												}
                                                                          											}
                                                                          										}
                                                                          									} else {
                                                                          										 *_a12 =  *_a12 & _t72;
                                                                          										 *_a16 =  *_a16 & _t72;
                                                                          										_t86 = 0;
                                                                          									}
                                                                          								} else {
                                                                          									_t86 = 0x8007070c;
                                                                          									_push(0x8007070c);
                                                                          									_push(0x225);
                                                                          									goto L6;
                                                                          								}
                                                                          							} else {
                                                                          								_t86 = 0x8000ffff;
                                                                          							}
                                                                          						} else {
                                                                          							_t88 = _t47;
                                                                          							_t47 = 0x80004005;
                                                                          							_t86 =  >=  ? 0x80004005 : _t88;
                                                                          							_push(_t86);
                                                                          							_push(0x21a);
                                                                          							L6:
                                                                          							_push("regutil.cpp");
                                                                          							E000937D3(_t47);
                                                                          						}
                                                                          					}
                                                                          				} else {
                                                                          					_t81 = _t79 >> 1;
                                                                          					_t86 = E00091EDE( &_v8, _t81);
                                                                          					if(_t86 >= 0) {
                                                                          						_t71 = RegQueryValueExW(_a4, _a8, 0,  &_v16, _v8,  &_v12);
                                                                          						_t79 = _v12;
                                                                          						_t75 = _t71;
                                                                          						goto L3;
                                                                          					}
                                                                          				}
                                                                          				L23:
                                                                          				_t48 = _v8;
                                                                          				if(_v8 != 0) {
                                                                          					E000D54EF(_t48);
                                                                          				}
                                                                          				return _t86;
                                                                          			}

                                                                          APIs
                                                                          • RegQueryValueExW.ADVAPI32(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 000D10ED
                                                                          • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,000A6EF3,00000100,000000B0,00000088,00000410,000002C0), ref: 000D1126
                                                                          • lstrlenW.KERNEL32(?,?,?,00000000,?,-00000001,00000004,00000000), ref: 000D121A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: QueryValue$lstrlen
                                                                          • String ID: BundleUpgradeCode$regutil.cpp
                                                                          • API String ID: 3790715954-1648651458
                                                                          • Opcode ID: 97a800e983cf0254511e6b698a9f3ea71e6c65d09e4b7920a669fe46d70096ce
                                                                          • Instruction ID: 6ec898f86b300704145bcaa4c37a7e7bd73718c523aa26ba9c1a9e00d5b2aeb2
                                                                          • Opcode Fuzzy Hash: 97a800e983cf0254511e6b698a9f3ea71e6c65d09e4b7920a669fe46d70096ce
                                                                          • Instruction Fuzzy Hash: CC41BE35A0031ABBDB258F98C885AFEB7B9EF44710B11416AED15EB310DA35ED119BA0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 90%
                                                                          			E000D85CB(intOrPtr _a4, struct _FILETIME* _a8) {
                                                                          				signed int _v8;
                                                                          				struct _SYSTEMTIME _v24;
                                                                          				signed int _v28;
                                                                          				struct _FILETIME* _v32;
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				void* __ebp;
                                                                          				signed int _t21;
                                                                          				void* _t26;
                                                                          				signed short _t32;
                                                                          				signed int _t35;
                                                                          				signed short _t38;
                                                                          				void* _t40;
                                                                          				void* _t42;
                                                                          				void* _t44;
                                                                          				void* _t46;
                                                                          				signed short _t50;
                                                                          				signed short* _t54;
                                                                          				void* _t56;
                                                                          				void* _t57;
                                                                          				signed short* _t58;
                                                                          				signed int _t64;
                                                                          				void* _t65;
                                                                          
                                                                          				_t21 =  *0xfa008; // 0x90c8e23b
                                                                          				_v8 = _t21 ^ _t64;
                                                                          				_v28 = _v28 & 0x00000000;
                                                                          				_t50 = 0;
                                                                          				_v32 = _a8;
                                                                          				_t58 =  &_v24;
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				_t26 = E000921A5( &_v28, _a4, 0);
                                                                          				_t60 = _t26;
                                                                          				if(_t26 < 0) {
                                                                          					L23:
                                                                          					if(_v28 != 0) {
                                                                          						E000D54EF(_v28);
                                                                          					}
                                                                          					return E000BDE36(_t50, _v8 ^ _t64, 0, _t58, _t60);
                                                                          				}
                                                                          				_t58 = _v28;
                                                                          				_t54 = _t58;
                                                                          				if(_t58 == 0) {
                                                                          					L21:
                                                                          					if(SystemTimeToFileTime( &_v24, _v32) == 0) {
                                                                          						_t32 = GetLastError();
                                                                          						_t63 =  <=  ? _t32 : _t32 & 0x0000ffff | 0x80070000;
                                                                          						_t60 =  >=  ? 0x80004005 :  <=  ? _t32 : _t32 & 0x0000ffff | 0x80070000;
                                                                          						E000937D3(0x80004005, "timeutil.cpp", 0xbf,  >=  ? 0x80004005 :  <=  ? _t32 : _t32 & 0x0000ffff | 0x80070000);
                                                                          					}
                                                                          					goto L23;
                                                                          				} else {
                                                                          					goto L2;
                                                                          				}
                                                                          				while(1) {
                                                                          					L2:
                                                                          					_t35 =  *_t58 & 0x0000ffff;
                                                                          					if(_t35 == 0) {
                                                                          						goto L21;
                                                                          					}
                                                                          					_t56 = 0x54;
                                                                          					if(_t56 == _t35) {
                                                                          						L6:
                                                                          						 *_t58 = 0;
                                                                          						_t58 =  &(_t58[1]);
                                                                          						_t38 = _t50;
                                                                          						if(_t38 == 0) {
                                                                          							_v24.wYear = E000C6490(_t54, _t54, 0, 0xa);
                                                                          							L18:
                                                                          							_t65 = _t65 + 0xc;
                                                                          							L19:
                                                                          							_t54 = _t58;
                                                                          							_t50 = _t50 + 1;
                                                                          							L20:
                                                                          							_t58 =  &(_t58[1]);
                                                                          							if(_t58 != 0) {
                                                                          								continue;
                                                                          							}
                                                                          							goto L21;
                                                                          						}
                                                                          						_t40 = _t38 - 1;
                                                                          						if(_t40 == 0) {
                                                                          							_v24.wMonth = E000C6490(_t54, _t54, 0, 0xa);
                                                                          							goto L18;
                                                                          						}
                                                                          						_t42 = _t40 - 1;
                                                                          						if(_t42 == 0) {
                                                                          							_v24.wDay = E000C6490(_t54, _t54, 0, 0xa);
                                                                          							goto L18;
                                                                          						}
                                                                          						_t44 = _t42 - 1;
                                                                          						if(_t44 == 0) {
                                                                          							_v24.wHour = E000C6490(_t54, _t54, 0, 0xa);
                                                                          							goto L18;
                                                                          						}
                                                                          						_t46 = _t44 - 1;
                                                                          						if(_t46 == 0) {
                                                                          							_v24.wMinute = E000C6490(_t54, _t54, 0, 0xa);
                                                                          							goto L18;
                                                                          						}
                                                                          						if(_t46 != 1) {
                                                                          							goto L19;
                                                                          						}
                                                                          						_v24.wSecond = E000C6490(_t54, _t54, 0, 0xa);
                                                                          						goto L18;
                                                                          					}
                                                                          					_t57 = 0x3a;
                                                                          					if(_t57 == _t35) {
                                                                          						goto L6;
                                                                          					}
                                                                          					_push(0x2d);
                                                                          					_pop(0);
                                                                          					if(0 != _t35) {
                                                                          						goto L20;
                                                                          					}
                                                                          					goto L6;
                                                                          				}
                                                                          				goto L21;
                                                                          			}




























                                                                          APIs
                                                                          • SystemTimeToFileTime.KERNEL32(?,00000000,00000000,clbcatq.dll,00000000,clbcatq.dll,00000000,00000000,00000000), ref: 000D86D8
                                                                          • GetLastError.KERNEL32 ref: 000D86E2
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: Time$ErrorFileLastSystem
                                                                          • String ID: @Mt$clbcatq.dll$timeutil.cpp
                                                                          • API String ID: 2781989572-3479073874
                                                                          • Opcode ID: 71233141b8f7485376a352a94cde5e8ee8a530da214e135eedaf847d6acb67db
                                                                          • Instruction ID: dd22cf1d139ba28b9c763230b3a5b8520b840d5eb39fca9935195e893ec0bf7c
                                                                          • Opcode Fuzzy Hash: 71233141b8f7485376a352a94cde5e8ee8a530da214e135eedaf847d6acb67db
                                                                          • Instruction Fuzzy Hash: 0241C571B40305B6EB649BB88C45FBFB7A9EF90721F14851AB901A7391DA36CE0083B5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E000D4212(void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                          				char _v8;
                                                                          				char _v12;
                                                                          				void* _v16;
                                                                          				char _v20;
                                                                          				void* _t34;
                                                                          				void* _t37;
                                                                          				signed short* _t39;
                                                                          				signed int _t42;
                                                                          				void* _t44;
                                                                          				void* _t45;
                                                                          				signed int _t49;
                                                                          				void* _t50;
                                                                          
                                                                          				_v16 = 0;
                                                                          				_v12 = 0;
                                                                          				_v8 = 0;
                                                                          				_v20 = 0;
                                                                          				_t50 = E000D4315(_a4, _a8);
                                                                          				if(_t50 == 0) {
                                                                          					L21:
                                                                          					if(_v12 != 0) {
                                                                          						E00092647(_v12, _v8);
                                                                          					}
                                                                          					if(_v16 != 0) {
                                                                          						RegCloseKey(_v16);
                                                                          					}
                                                                          					return _t50;
                                                                          				}
                                                                          				_t34 = E000D0E3F(0x80000002, L"SYSTEM\\CurrentControlSet\\Control\\Session Manager", 1,  &_v16);
                                                                          				if(_t34 == 0x80070002 || _t34 < 0) {
                                                                          					L20:
                                                                          					goto L21;
                                                                          				} else {
                                                                          					_t37 = E000D10C5(_v16, L"PendingFileRenameOperations",  &_v12,  &_v8);
                                                                          					if(_t37 != 0x80070002 && _t37 >= 0) {
                                                                          						_t49 = 0;
                                                                          						if(_v8 <= 0) {
                                                                          							goto L20;
                                                                          						}
                                                                          						_a8 = 0x5c;
                                                                          						_t45 = 0x3f;
                                                                          						do {
                                                                          							_t39 =  *(_v12 + _t49 * 4);
                                                                          							if(_t39 == 0) {
                                                                          								goto L17;
                                                                          							}
                                                                          							_t42 =  *_t39 & 0x0000ffff;
                                                                          							if(_t42 == 0) {
                                                                          								goto L17;
                                                                          							}
                                                                          							if(_a8 == _t42 && _t45 == _t39[1] && _t45 == _t39[2]) {
                                                                          								_t44 = 0x5c;
                                                                          								if(_t44 == _t39[3]) {
                                                                          									_t39 =  &(_t39[4]);
                                                                          								}
                                                                          							}
                                                                          							if(E00092D05( &_v20, _a4, _t39,  &_v20) < 0) {
                                                                          								goto L20;
                                                                          							} else {
                                                                          								if(_v20 == 2) {
                                                                          									_t50 = 0;
                                                                          									goto L20;
                                                                          								}
                                                                          								_t45 = 0x3f;
                                                                          							}
                                                                          							L17:
                                                                          							_t49 = _t49 + 2;
                                                                          						} while (_t49 < _v8);
                                                                          					}
                                                                          					goto L20;
                                                                          				}
                                                                          			}
















                                                                          APIs
                                                                            • Part of subcall function 000D4315: FindFirstFileW.KERNEL32(000B8FFA,?,000002C0,00000000,00000000), ref: 000D4350
                                                                            • Part of subcall function 000D4315: FindClose.KERNEL32(00000000), ref: 000D435C
                                                                          • RegCloseKey.ADVAPI32(?,00000000,?,00000000,?,00000000,?,00000000,?,wininet.dll), ref: 000D4305
                                                                            • Part of subcall function 000D0E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,000D5699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 000D0E52
                                                                            • Part of subcall function 000D10C5: RegQueryValueExW.ADVAPI32(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 000D10ED
                                                                            • Part of subcall function 000D10C5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,000A6EF3,00000100,000000B0,00000088,00000410,000002C0), ref: 000D1126
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: CloseFindQueryValue$FileFirstOpen
                                                                          • String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager$\$crypt32.dll
                                                                          • API String ID: 3397690329-3978359083
                                                                          • Opcode ID: 4a13dea24eb797e21f2fba4af2b0d699c2d21245f08e8f761da2bced3e814ccb
                                                                          • Instruction ID: 485818fc2d019c3e0946bdea093379556dc30c2bde33f4bef35b9b26aa30fbc5
                                                                          • Opcode Fuzzy Hash: 4a13dea24eb797e21f2fba4af2b0d699c2d21245f08e8f761da2bced3e814ccb
                                                                          • Instruction Fuzzy Hash: 8F319F35A00319BBDF21AFD5CC81ABEBBB9EF00750F99817BF904A6251D7319A40DB64
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 31%
                                                                          			E000BD047(void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                          				intOrPtr _v8;
                                                                          				signed int _v12;
                                                                          				intOrPtr _v16;
                                                                          				char _v20;
                                                                          				signed int _t31;
                                                                          				intOrPtr _t33;
                                                                          				signed int _t45;
                                                                          				signed int* _t46;
                                                                          				signed int* _t49;
                                                                          				signed int _t51;
                                                                          				intOrPtr _t52;
                                                                          				signed int* _t53;
                                                                          				intOrPtr _t54;
                                                                          
                                                                          				_t53 = _a8;
                                                                          				_t45 = 0;
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				_t51 =  *_t53;
                                                                          				_t49 = E000938D4(_t51 << 2, 1);
                                                                          				_a8 = _t49;
                                                                          				if(_t49 != 0) {
                                                                          					_t31 = 0;
                                                                          					if( *_t53 > 0) {
                                                                          						_t4 =  &(_t53[1]); // 0x4
                                                                          						_t46 = _t4;
                                                                          						do {
                                                                          							 *(_t49 + _t31 * 4) = _t46;
                                                                          							_t31 = _t31 + 1;
                                                                          							_t46 =  &(_t46[0x83]);
                                                                          						} while (_t31 <  *_t53);
                                                                          					}
                                                                          					_v20 = 3;
                                                                          					_v16 = 2;
                                                                          					_v12 = _t51;
                                                                          					_v8 = _t49;
                                                                          					_t33 = _a12( &_v20, _a16);
                                                                          					_t52 = _a4;
                                                                          					_t54 = _t33;
                                                                          					WaitForSingleObject( *(_t52 + 0xc), 0xffffffff);
                                                                          					 *((intOrPtr*)( *((intOrPtr*)(_t52 + 0x10)) + 0x424)) = _t45;
                                                                          					 *((intOrPtr*)( *((intOrPtr*)(_t52 + 0x10)) + 0x428)) = _t54;
                                                                          					if(_t54 == 2) {
                                                                          						 *((char*)( *((intOrPtr*)(_t52 + 0x10)) + 2)) = 1;
                                                                          						 *((char*)( *((intOrPtr*)(_t52 + 0x10)) + 3)) = 1;
                                                                          					}
                                                                          					ReleaseMutex( *(_t52 + 0xc));
                                                                          					SetEvent( *(_t52 + 8));
                                                                          					E00093999(_a8);
                                                                          				} else {
                                                                          					_t45 = 0x8007000e;
                                                                          					E000937D3(_t30, "NetFxChainer.cpp", 0xe4, 0x8007000e);
                                                                          					_push("Failed to allocate buffer.");
                                                                          					_push(0x8007000e);
                                                                          					E000D012F();
                                                                          				}
                                                                          				return _t45;
                                                                          			}

















                                                                          APIs
                                                                            • Part of subcall function 000938D4: GetProcessHeap.KERNEL32(?,000001C7,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938E5
                                                                            • Part of subcall function 000938D4: RtlAllocateHeap.NTDLL(00000000,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938EC
                                                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 000BD0DC
                                                                          • ReleaseMutex.KERNEL32(?), ref: 000BD10A
                                                                          • SetEvent.KERNEL32(?), ref: 000BD113
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$AllocateEventMutexObjectProcessReleaseSingleWait
                                                                          • String ID: Failed to allocate buffer.$NetFxChainer.cpp
                                                                          • API String ID: 944053411-3611226795
                                                                          • Opcode ID: a5875cf16227dd6c021c144ca1636d3371dba9d7e1b3ec33aa43adb979b41947
                                                                          • Instruction ID: 1e7d6914de172229517941fa9d48f0cc0d9f5fb454b487795577f482fec2ff14
                                                                          • Opcode Fuzzy Hash: a5875cf16227dd6c021c144ca1636d3371dba9d7e1b3ec33aa43adb979b41947
                                                                          • Instruction Fuzzy Hash: F421A3B560030ABFDB109F68D845AA9F7F5FF08314F10862AF92497352D775A950DB60
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 96%
                                                                          			E000D0658(void* __ecx, void* __edx, CHAR* _a4) {
                                                                          				long _v8;
                                                                          				int _t9;
                                                                          				CHAR* _t18;
                                                                          				void* _t21;
                                                                          				void* _t22;
                                                                          				void* _t25;
                                                                          				void* _t28;
                                                                          
                                                                          				_t22 = __edx;
                                                                          				_push(__ecx);
                                                                          				_t18 = _a4;
                                                                          				_t28 = 0;
                                                                          				_t25 = 0;
                                                                          				_v8 = _v8 & 0;
                                                                          				_t9 = lstrlenA(_t18);
                                                                          				_t21 =  *0xfa774; // 0xffffffff
                                                                          				_a4 = _t9;
                                                                          				if(_t21 != 0xffffffff) {
                                                                          					if(_t9 == 0) {
                                                                          						L9:
                                                                          						return _t28;
                                                                          					}
                                                                          					L4:
                                                                          					while(1) {
                                                                          						if(WriteFile(_t21, _t25 + _t18, _t9 - _t25,  &_v8, 0) != 0) {
                                                                          							L6:
                                                                          							_t25 = _t25 + _v8;
                                                                          							_t9 = _a4;
                                                                          							if(_t25 >= _t9) {
                                                                          								goto L9;
                                                                          							}
                                                                          							_t21 =  *0xfa774; // 0xffffffff
                                                                          							continue;
                                                                          						}
                                                                          						_t28 =  <=  ? GetLastError() : _t14 & 0x0000ffff | 0x80070000;
                                                                          						if(_t28 < 0) {
                                                                          							E000937D3(_t14, "logutil.cpp", 0x310, _t28);
                                                                          							goto L9;
                                                                          						}
                                                                          						goto L6;
                                                                          					}
                                                                          				}
                                                                          				_t28 = E00092384(_t21, _t22, 0xfb608, _t18, 0);
                                                                          				if(_t28 >= 0) {
                                                                          					_t28 = 0;
                                                                          				}
                                                                          				goto L9;
                                                                          			}











                                                                          APIs
                                                                          • lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,?,000CFF0B,?,?,00000000,00000000,0000FDE9), ref: 000D066A
                                                                          • WriteFile.KERNEL32(FFFFFFFF,00000000,00000000,00000000,00000000,?,?,000CFF0B,?,?,00000000,00000000,0000FDE9), ref: 000D06A6
                                                                          • GetLastError.KERNEL32(?,?,000CFF0B,?,?,00000000,00000000,0000FDE9), ref: 000D06B0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLastWritelstrlen
                                                                          • String ID: @Mt$logutil.cpp
                                                                          • API String ID: 606256338-3917315118
                                                                          • Opcode ID: 82feded0ec76c833c2dba06434fd4e16670ff4c5ca40973cc206020694213f43
                                                                          • Instruction ID: 26d9f194030b328dfa7b302dd40763023122237c50bad131a3137a73f37020d5
                                                                          • Opcode Fuzzy Hash: 82feded0ec76c833c2dba06434fd4e16670ff4c5ca40973cc206020694213f43
                                                                          • Instruction Fuzzy Hash: E411C672A01325ABD7209A6ADC44EEFBBACEB85760F014216FD09D7240D634DD10D6F0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00091209(void* __ecx, intOrPtr _a4, intOrPtr* _a8, short*** _a12) {
                                                                          				int _v8;
                                                                          				int _v12;
                                                                          				PWCHAR* _t21;
                                                                          				signed short _t24;
                                                                          				void* _t35;
                                                                          
                                                                          				_v8 = 0;
                                                                          				_v12 = 0;
                                                                          				_t35 = E00091EF2( &_v8, L"ignored ", 0);
                                                                          				if(_t35 >= 0) {
                                                                          					_t35 = E00091EF2( &_v8, _a4, 0);
                                                                          					if(_t35 >= 0) {
                                                                          						_t21 = CommandLineToArgvW(_v8,  &_v12);
                                                                          						if(_t21 != 0) {
                                                                          							_t8 =  &(_t21[1]); // 0x4
                                                                          							 *_a12 = _t8;
                                                                          							 *_a8 = _v12 - 1;
                                                                          						} else {
                                                                          							_t24 = GetLastError();
                                                                          							_t39 =  <=  ? _t24 : _t24 & 0x0000ffff | 0x80070000;
                                                                          							_t35 =  >=  ? 0x80004005 :  <=  ? _t24 : _t24 & 0x0000ffff | 0x80070000;
                                                                          							E000937D3(0x80004005, "apputil.cpp", 0x63, _t35);
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          				if(_v8 != 0) {
                                                                          					E000D54EF(_v8);
                                                                          				}
                                                                          				return _t35;
                                                                          			}









                                                                          APIs
                                                                          • CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,00095137,00000000,?), ref: 00091247
                                                                          • GetLastError.KERNEL32(?,?,?,00095137,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00091251
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ArgvCommandErrorLastLine
                                                                          • String ID: @Mt$apputil.cpp$ignored
                                                                          • API String ID: 3459693003-13743265
                                                                          • Opcode ID: 388e1e57ffd8fe1182db766929f1103e726917a11d3b36702183f8df1c2e402d
                                                                          • Instruction ID: 9b2f8a2f77fb20f4392df3c015bdc248e1619631032d958cb568c9bbe06d8978
                                                                          • Opcode Fuzzy Hash: 388e1e57ffd8fe1182db766929f1103e726917a11d3b36702183f8df1c2e402d
                                                                          • Instruction Fuzzy Hash: 4D118F71A00229FB9F21EB99C805DEFBBE8EF44750B01415AFD04E7211E7309E10AAA0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 72%
                                                                          			E000C605E(void* __ebx, void* __ecx, void* __edx) {
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				intOrPtr _t2;
                                                                          				void* _t3;
                                                                          				void* _t4;
                                                                          				intOrPtr _t9;
                                                                          				void* _t10;
                                                                          				void* _t11;
                                                                          				void* _t20;
                                                                          				void* _t21;
                                                                          				void* _t23;
                                                                          				void* _t25;
                                                                          				void* _t27;
                                                                          				void* _t29;
                                                                          				void* _t30;
                                                                          				void* _t31;
                                                                          				void* _t32;
                                                                          				long _t36;
                                                                          				long _t37;
                                                                          				void* _t40;
                                                                          
                                                                          				_t29 = __edx;
                                                                          				_t23 = __ecx;
                                                                          				_t20 = __ebx;
                                                                          				_push(_t30);
                                                                          				_t36 = GetLastError();
                                                                          				_t2 =  *0xfa05c; // 0x6
                                                                          				_t42 = _t2 - 0xffffffff;
                                                                          				if(_t2 == 0xffffffff) {
                                                                          					L2:
                                                                          					_t3 = E000C523F(_t23, 1, 0x364);
                                                                          					_t31 = _t3;
                                                                          					_pop(_t25);
                                                                          					if(_t31 != 0) {
                                                                          						_t4 = E000C88AE(_t20, _t25, _t31, __eflags,  *0xfa05c, _t31);
                                                                          						__eflags = _t4;
                                                                          						if(_t4 != 0) {
                                                                          							E000C5ED0(_t25, _t31, 0xfb13c);
                                                                          							E000C511A(0);
                                                                          							_t40 = _t40 + 0xc;
                                                                          							__eflags = _t31;
                                                                          							if(_t31 == 0) {
                                                                          								goto L9;
                                                                          							} else {
                                                                          								goto L8;
                                                                          							}
                                                                          						} else {
                                                                          							_push(_t31);
                                                                          							goto L4;
                                                                          						}
                                                                          					} else {
                                                                          						_push(_t3);
                                                                          						L4:
                                                                          						E000C511A();
                                                                          						_pop(_t25);
                                                                          						L9:
                                                                          						SetLastError(_t36);
                                                                          						E000C51FC(_t20, _t25, _t29, _t36);
                                                                          						asm("int3");
                                                                          						_push(_t20);
                                                                          						_push(_t36);
                                                                          						_push(_t31);
                                                                          						_t37 = GetLastError();
                                                                          						_t21 = 0;
                                                                          						_t9 =  *0xfa05c; // 0x6
                                                                          						_t45 = _t9 - 0xffffffff;
                                                                          						if(_t9 == 0xffffffff) {
                                                                          							L12:
                                                                          							_t10 = E000C523F(_t25, 1, 0x364); // executed
                                                                          							_t32 = _t10;
                                                                          							_pop(_t27);
                                                                          							if(_t32 != 0) {
                                                                          								_t11 = E000C88AE(_t21, _t27, _t32, __eflags,  *0xfa05c, _t32);
                                                                          								__eflags = _t11;
                                                                          								if(_t11 != 0) {
                                                                          									E000C5ED0(_t27, _t32, 0xfb13c);
                                                                          									E000C511A(_t21);
                                                                          									__eflags = _t32;
                                                                          									if(_t32 != 0) {
                                                                          										goto L19;
                                                                          									} else {
                                                                          										goto L18;
                                                                          									}
                                                                          								} else {
                                                                          									_push(_t32);
                                                                          									goto L14;
                                                                          								}
                                                                          							} else {
                                                                          								_push(_t21);
                                                                          								L14:
                                                                          								E000C511A();
                                                                          								L18:
                                                                          								SetLastError(_t37);
                                                                          							}
                                                                          						} else {
                                                                          							_t32 = E000C8858(0, _t25, _t31, _t45, _t9);
                                                                          							if(_t32 != 0) {
                                                                          								L19:
                                                                          								SetLastError(_t37);
                                                                          								_t21 = _t32;
                                                                          							} else {
                                                                          								goto L12;
                                                                          							}
                                                                          						}
                                                                          						return _t21;
                                                                          					}
                                                                          				} else {
                                                                          					_t31 = E000C8858(__ebx, _t23, _t30, _t42, _t2);
                                                                          					if(_t31 != 0) {
                                                                          						L8:
                                                                          						SetLastError(_t36);
                                                                          						return _t31;
                                                                          					} else {
                                                                          						goto L2;
                                                                          					}
                                                                          				}
                                                                          			}


                                                                          APIs
                                                                          • GetLastError.KERNEL32(?,00000000,000C19F5,00000000,80004004,?,000C1CF9,00000000,80004004,00000000,00000000), ref: 000C6062
                                                                          • SetLastError.KERNEL32(00000000,80004004,00000000,00000000), ref: 000C60CA
                                                                          • SetLastError.KERNEL32(00000000,80004004,00000000,00000000), ref: 000C60D6
                                                                          • _abort.LIBCMT ref: 000C60DC
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast$_abort
                                                                          • String ID: @Mt
                                                                          • API String ID: 88804580-1491384996
                                                                          • Opcode ID: 30c92929cd79930bddf4267ed58e82124360741807a8b1bb0b77521c7634b591
                                                                          • Instruction ID: 9e14b135323313c36f9416017d1438bd5082058c970e0ea7f02e123a44e4b812
                                                                          • Opcode Fuzzy Hash: 30c92929cd79930bddf4267ed58e82124360741807a8b1bb0b77521c7634b591
                                                                          • Instruction Fuzzy Hash: A4F0F43A100E0066D27233746C0EFAF26DA9BC2B72F39011DFD19B2593FF2598416576
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 45%
                                                                          			E0009D39D(intOrPtr _a4, intOrPtr* _a8) {
                                                                          				intOrPtr* _t10;
                                                                          				long _t15;
                                                                          				long _t18;
                                                                          				intOrPtr _t19;
                                                                          
                                                                          				_t19 = _a4;
                                                                          				_t18 = 0;
                                                                          				_t2 = _t19 + 0x18; // 0xd0
                                                                          				EnterCriticalSection(_t2);
                                                                          				_t3 = _t19 + 0x30; // 0xe8
                                                                          				_t15 = 1;
                                                                          				if(InterlockedCompareExchange(_t3, 1, 0) != 0) {
                                                                          					_t15 = 0;
                                                                          					_t18 = 0x8007139f;
                                                                          				}
                                                                          				_t4 = _t19 + 0x18; // 0xd0
                                                                          				LeaveCriticalSection(_t4);
                                                                          				_t10 = _a8;
                                                                          				if(_t10 != 0) {
                                                                          					 *_t10 = _t15;
                                                                          				}
                                                                          				if(_t18 < 0) {
                                                                          					E000937D3(_t10, "userexperience.cpp", 0xea, _t18);
                                                                          					_push("Engine active cannot be changed because it was already in that state.");
                                                                          					_push(_t18);
                                                                          					E000D012F();
                                                                          				}
                                                                          				return _t18;
                                                                          			}


                                                                          APIs
                                                                          • EnterCriticalSection.KERNEL32(000000D0,?,000000B8,00000000,?,000A6E4B,000000B8,00000000,?,00000000,7692A770), ref: 0009D3AC
                                                                          • InterlockedCompareExchange.KERNEL32(000000E8,00000001,00000000), ref: 0009D3BB
                                                                          • LeaveCriticalSection.KERNEL32(000000D0,?,000A6E4B,000000B8,00000000,?,00000000,7692A770), ref: 0009D3D0
                                                                          Strings
                                                                          • userexperience.cpp, xrefs: 0009D3E9
                                                                          • Engine active cannot be changed because it was already in that state., xrefs: 0009D3F3
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$CompareEnterExchangeInterlockedLeave
                                                                          • String ID: Engine active cannot be changed because it was already in that state.$userexperience.cpp
                                                                          • API String ID: 3376869089-1544469594
                                                                          • Opcode ID: 62dde1730baa13b03103958f0854931d83ae9f7e3838880058c771715f196f1a
                                                                          • Instruction ID: 3378e40c5c2864bf2ad947ffe18e4645c13c67ce93791e6de4401d0a5749543b
                                                                          • Opcode Fuzzy Hash: 62dde1730baa13b03103958f0854931d83ae9f7e3838880058c771715f196f1a
                                                                          • Instruction Fuzzy Hash: 7BF0AF76340304AFAB206FA6EC84E9773ADEB85765B00442BFA05D7240DA74E9058734
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 28%
                                                                          			E000AF086(intOrPtr _a4, long _a8) {
                                                                          				signed short _t7;
                                                                          				int _t13;
                                                                          
                                                                          				_t13 = 0;
                                                                          				if(PostThreadMessageW( *(_a4 + 0x10), 0x9001, 0, _a8) == 0) {
                                                                          					_t7 = GetLastError();
                                                                          					_t16 =  <=  ? _t7 : _t7 & 0x0000ffff | 0x80070000;
                                                                          					_t13 =  >=  ? 0x80004005 :  <=  ? _t7 : _t7 & 0x0000ffff | 0x80070000;
                                                                          					E000937D3(0x80004005, "EngineForApplication.cpp", 0x292, _t13);
                                                                          					_push("Failed to post plan message.");
                                                                          					_push(_t13);
                                                                          					E000D012F();
                                                                          				}
                                                                          				return _t13;
                                                                          			}


                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLastMessagePostThread
                                                                          • String ID: @Mt$EngineForApplication.cpp$Failed to post plan message.
                                                                          • API String ID: 2609174426-3268938296
                                                                          • Opcode ID: 47e2483238be0605190b6217ae78bf0da8fbd40c6f4ceefc616cc9416b3c5c50
                                                                          • Instruction ID: 252fec86baaafd7da90012ef4321be9daceb5081740ea916084f728a574a2143
                                                                          • Opcode Fuzzy Hash: 47e2483238be0605190b6217ae78bf0da8fbd40c6f4ceefc616cc9416b3c5c50
                                                                          • Instruction Fuzzy Hash: 09F0A732745330BBE72126AA9C05E877BC4DF04BA0F024026FE0CEA191D6158C0095F4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 28%
                                                                          			E000AF194(intOrPtr _a4, int _a8) {
                                                                          				signed short _t7;
                                                                          				long _t13;
                                                                          
                                                                          				_t13 = 0;
                                                                          				if(PostThreadMessageW( *(_a4 + 0x10), 0x9005, _a8, 0) == 0) {
                                                                          					_t7 = GetLastError();
                                                                          					_t16 =  <=  ? _t7 : _t7 & 0x0000ffff | 0x80070000;
                                                                          					_t13 =  >=  ? 0x80004005 :  <=  ? _t7 : _t7 & 0x0000ffff | 0x80070000;
                                                                          					E000937D3(0x80004005, "EngineForApplication.cpp", 0x2c3, _t13);
                                                                          					_push("Failed to post shutdown message.");
                                                                          					_push(_t13);
                                                                          					E000D012F();
                                                                          				}
                                                                          				return _t13;
                                                                          			}






                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLastMessagePostThread
                                                                          • String ID: @Mt$EngineForApplication.cpp$Failed to post shutdown message.
                                                                          • API String ID: 2609174426-4186911712
                                                                          • Opcode ID: 2d38a58c2c295021ac00738405b73929f148f361319f023d46c4c14864d7a2f2
                                                                          • Instruction ID: 81bf2d1b0a360d0ea04b97726e820150e30d6edf241fd809500687b2e705b82c
                                                                          • Opcode Fuzzy Hash: 2d38a58c2c295021ac00738405b73929f148f361319f023d46c4c14864d7a2f2
                                                                          • Instruction Fuzzy Hash: 7CF0A736B45330BFE7206AAA9C09E977BC4EF04B60F024026BE18FA191D6558D0096F4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SetEvent.KERNEL32(000DB468,00000000,?,000B145A,?,00000000,?,0009C121,?,000952FD,?,000A73B2,?,?,000952FD,?), ref: 000B0524
                                                                          • GetLastError.KERNEL32(?,000B145A,?,00000000,?,0009C121,?,000952FD,?,000A73B2,?,?,000952FD,?,0009533D,00000001), ref: 000B052E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorEventLast
                                                                          • String ID: @Mt$Failed to set begin operation event.$cabextract.cpp
                                                                          • API String ID: 3848097054-2803796375
                                                                          • Opcode ID: cc48d8009e05d7cb9a5457f1b7102e6f9904a6fe04f23c37f0b843c62b326579
                                                                          • Instruction ID: 6a43ded32d686ead63f9610163d5516618c41de9a13de6c6ee1f9950930bb73c
                                                                          • Opcode Fuzzy Hash: cc48d8009e05d7cb9a5457f1b7102e6f9904a6fe04f23c37f0b843c62b326579
                                                                          • Instruction Fuzzy Hash: 44F0EC33B05730ABE72066BA6C05BDB77D8DF09760B020126FD09F7551E6159D0056F9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E000D937F(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                          				void* _v8;
                                                                          				void* _v12;
                                                                          				void* _v16;
                                                                          				char _v20;
                                                                          				char _v24;
                                                                          				void* _t58;
                                                                          				void* _t60;
                                                                          
                                                                          				_t58 = __ecx;
                                                                          				_v16 = 0;
                                                                          				_v8 = 0;
                                                                          				_v12 = 0;
                                                                          				_v20 = 0;
                                                                          				_v24 = 0;
                                                                          				_t60 = E000D0E3F(_a4,  *0xfa7e0, 0x20019,  &_v16);
                                                                          				if(_t60 == 0x80070002 || _t60 < 0) {
                                                                          					L17:
                                                                          					if(_v12 != 0) {
                                                                          						RegCloseKey(_v12);
                                                                          						_v12 = 0;
                                                                          					}
                                                                          					if(_v8 != 0) {
                                                                          						RegCloseKey(_v8);
                                                                          						_v8 = 0;
                                                                          					}
                                                                          					if(_v16 != 0) {
                                                                          						RegCloseKey(_v16);
                                                                          					}
                                                                          					return _t60;
                                                                          				} else {
                                                                          					_t60 = E000D0E3F(_v16, _a8, 0x20019,  &_v8);
                                                                          					if(_t60 != 0x80070002 && _t60 >= 0) {
                                                                          						_t60 = E000D0E3F(_v8,  *0xfa7e4, 0x20019,  &_v12);
                                                                          						if(_t60 != 0x80070002 && _t60 >= 0) {
                                                                          							_t60 = E000D0B49(_t58, _v12, _a12, 0, 1);
                                                                          							if(_t60 < 0) {
                                                                          								goto L17;
                                                                          							}
                                                                          							_t60 = E000D0E9B(_v12,  &_v20, 0);
                                                                          							if(_t60 >= 0 && _v20 <= 0) {
                                                                          								if(_v12 != 0) {
                                                                          									RegCloseKey(_v12);
                                                                          									_v12 = 0;
                                                                          								}
                                                                          								_t60 = E000D0B49(_t58, _v8,  *0xfa7e4, 0, 0);
                                                                          								if(_t60 >= 0) {
                                                                          									_t60 = E000D0E9B(_v8, 0,  &_v24);
                                                                          									if(_t60 >= 0 && _v24 == 0) {
                                                                          										if(_v8 != 0) {
                                                                          											RegCloseKey(_v8);
                                                                          											_v8 = 0;
                                                                          										}
                                                                          										_t60 = E000D0B49(_t58, _v16, _a8, 0, 0);
                                                                          									}
                                                                          								}
                                                                          							}
                                                                          						}
                                                                          					}
                                                                          					goto L17;
                                                                          				}
                                                                          			}











                                                                          APIs
                                                                            • Part of subcall function 000D0E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,000D5699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 000D0E52
                                                                          • RegCloseKey.ADVAPI32(00000001,00000001,?,00000000,00000001,?,00000000,00000001,00000000,00020019,00000001,00000000,00000000,00020019,00000000,00000001), ref: 000D9457
                                                                          • RegCloseKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,00000001,?,00000000,00000001,00000000,00020019), ref: 000D9492
                                                                          • RegCloseKey.ADVAPI32(00000001,00000001,00020019,00000000,00000000,00000000,00000000), ref: 000D94AE
                                                                          • RegCloseKey.ADVAPI32(00000000,00000001,00020019,00000000,00000000,00000000,00000000), ref: 000D94BB
                                                                          • RegCloseKey.ADVAPI32(00000000,00000001,00020019,00000000,00000000,00000000,00000000), ref: 000D94C8
                                                                            • Part of subcall function 000D0B49: RegCloseKey.ADVAPI32(00000000), ref: 000D0CA0
                                                                            • Part of subcall function 000D0E9B: RegQueryInfoKeyW.ADVAPI32 ref: 000D0EB3
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: Close$InfoOpenQuery
                                                                          • String ID:
                                                                          • API String ID: 796878624-0
                                                                          • Opcode ID: 9eedb1df8ebac6ea74b55e92cbf7bcf26c7d5b84a2ceaca39885146a3f37b2ae
                                                                          • Instruction ID: daf7749f539a461d5b8ce6170350de05c322fe3ab8d60e1c5b1a0a4f69a0058f
                                                                          • Opcode Fuzzy Hash: 9eedb1df8ebac6ea74b55e92cbf7bcf26c7d5b84a2ceaca39885146a3f37b2ae
                                                                          • Instruction Fuzzy Hash: 2E410B72C01329BFDF11AF958D81DADFB79EF04364F1141ABE90466222C3324E519AA0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 31%
                                                                          			E0009738E(void* __ecx, struct _CRITICAL_SECTION* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                          				signed int _v8;
                                                                          				signed int _t15;
                                                                          				void* _t22;
                                                                          
                                                                          				_t20 = __ecx;
                                                                          				_push(__ecx);
                                                                          				_v8 = _v8 & 0x00000000;
                                                                          				EnterCriticalSection(_a4);
                                                                          				_t22 = E00095C87(_t20, _a4, _a8,  &_v8);
                                                                          				_t15 = _v8;
                                                                          				if(_t22 < 0 ||  *((intOrPtr*)(_t15 + 0x18)) != 0) {
                                                                          					if(_t22 != 0x80070490) {
                                                                          						if(_t22 >= 0) {
                                                                          							_t22 = E000B00E0(_t15 + 8, _a12);
                                                                          							if(_t22 < 0) {
                                                                          								_push(_a8);
                                                                          								_push("Failed to get value as string for variable: %ls");
                                                                          								goto L8;
                                                                          							}
                                                                          						} else {
                                                                          							_push(_a8);
                                                                          							_push("Failed to get value of variable: %ls");
                                                                          							L8:
                                                                          							_push(_t22);
                                                                          							E000D012F();
                                                                          						}
                                                                          					}
                                                                          				} else {
                                                                          					_t22 = 0x80070490;
                                                                          				}
                                                                          				LeaveCriticalSection(_a4);
                                                                          				return _t22;
                                                                          			}







                                                                          APIs
                                                                          • EnterCriticalSection.KERNEL32(000952B5,WixBundleOriginalSource,?,?,000AA41D,000953B5,WixBundleOriginalSource,=S,000FAA90,?,00000000,0009533D,?,000A7587,?,?), ref: 0009739A
                                                                          • LeaveCriticalSection.KERNEL32(000952B5,000952B5,00000000,00000000,?,?,000AA41D,000953B5,WixBundleOriginalSource,=S,000FAA90,?,00000000,0009533D,?,000A7587), ref: 00097401
                                                                          Strings
                                                                          • WixBundleOriginalSource, xrefs: 00097396
                                                                          • Failed to get value of variable: %ls, xrefs: 000973D4
                                                                          • Failed to get value as string for variable: %ls, xrefs: 000973F0
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$EnterLeave
                                                                          • String ID: Failed to get value as string for variable: %ls$Failed to get value of variable: %ls$WixBundleOriginalSource
                                                                          • API String ID: 3168844106-30613933
                                                                          • Opcode ID: 48a6a72418b076d5b87c2b4c6692fe0006cff06bb875e7915becb19a2c51a11b
                                                                          • Instruction ID: 5a2f3c931e106f0568f4371d366d142f669fd8823d9ab7631a5706ea939fff66
                                                                          • Opcode Fuzzy Hash: 48a6a72418b076d5b87c2b4c6692fe0006cff06bb875e7915becb19a2c51a11b
                                                                          • Instruction Fuzzy Hash: EB01B133965229FBDF225F50CC05A9E3B65DB04761F11C121FD08AA220D7369E10B7E0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 95%
                                                                          			E000CD038(void* __ebx, signed int __edx, signed int _a4, void* _a8, signed int _a12) {
                                                                          				signed int _v8;
                                                                          				long _v12;
                                                                          				struct _OVERLAPPED* _v16;
                                                                          				long _v20;
                                                                          				char _v24;
                                                                          				signed int _v28;
                                                                          				signed int _v32;
                                                                          				intOrPtr _v36;
                                                                          				signed int _v40;
                                                                          				signed int _v44;
                                                                          				intOrPtr _v48;
                                                                          				void* _v52;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				void* __ebp;
                                                                          				signed int _t62;
                                                                          				intOrPtr _t66;
                                                                          				signed char _t68;
                                                                          				signed int _t69;
                                                                          				signed int _t71;
                                                                          				signed int _t73;
                                                                          				signed int _t74;
                                                                          				signed int _t77;
                                                                          				intOrPtr _t79;
                                                                          				signed int _t87;
                                                                          				signed int _t89;
                                                                          				signed int _t90;
                                                                          				signed int _t106;
                                                                          				signed int _t107;
                                                                          				signed int _t109;
                                                                          				intOrPtr _t111;
                                                                          				signed int _t116;
                                                                          				signed int _t118;
                                                                          				void* _t119;
                                                                          				signed int _t120;
                                                                          				signed int _t121;
                                                                          				void* _t122;
                                                                          
                                                                          				_t118 = __edx;
                                                                          				_t104 = __ebx;
                                                                          				_t62 =  *0xfa008; // 0x90c8e23b
                                                                          				_v8 = _t62 ^ _t121;
                                                                          				_t109 = _a12;
                                                                          				_v12 = _t109;
                                                                          				_t120 = _a4;
                                                                          				_t119 = _a8;
                                                                          				_v52 = _t119;
                                                                          				if(_t109 != 0) {
                                                                          					__eflags = _t119;
                                                                          					if(_t119 != 0) {
                                                                          						_push(__ebx);
                                                                          						_t106 = _t120 >> 6;
                                                                          						_t118 = (_t120 & 0x0000003f) * 0x30;
                                                                          						_v32 = _t106;
                                                                          						_t66 =  *((intOrPtr*)(0xfb158 + _t106 * 4));
                                                                          						_v48 = _t66;
                                                                          						_v28 = _t118;
                                                                          						_t107 =  *((intOrPtr*)(_t66 + _t118 + 0x29));
                                                                          						__eflags = _t107 - 2;
                                                                          						if(_t107 == 2) {
                                                                          							L6:
                                                                          							_t68 =  !_t109;
                                                                          							__eflags = _t68 & 0x00000001;
                                                                          							if((_t68 & 0x00000001) != 0) {
                                                                          								_t66 = _v48;
                                                                          								L9:
                                                                          								__eflags =  *(_t66 + _t118 + 0x28) & 0x00000020;
                                                                          								if(__eflags != 0) {
                                                                          									E000CD2C2(_t120, 0, 0, 2);
                                                                          									_t122 = _t122 + 0x10;
                                                                          								}
                                                                          								_t69 = E000CCBDD(_t107, _t118, __eflags, _t120);
                                                                          								__eflags = _t69;
                                                                          								if(_t69 == 0) {
                                                                          									_t111 =  *((intOrPtr*)(0xfb158 + _v32 * 4));
                                                                          									_t71 = _v28;
                                                                          									__eflags =  *(_t111 + _t71 + 0x28) & 0x00000080;
                                                                          									if(( *(_t111 + _t71 + 0x28) & 0x00000080) == 0) {
                                                                          										_v24 = 0;
                                                                          										_v20 = 0;
                                                                          										_v16 = 0;
                                                                          										_t73 = WriteFile( *(_t111 + _t71 + 0x18), _t119, _v12,  &_v20, 0);
                                                                          										__eflags = _t73;
                                                                          										if(_t73 == 0) {
                                                                          											_v24 = GetLastError();
                                                                          										}
                                                                          										_t120 =  &_v24;
                                                                          										goto L28;
                                                                          									}
                                                                          									_t87 = _t107;
                                                                          									__eflags = _t87;
                                                                          									if(_t87 == 0) {
                                                                          										_t89 = E000CCC53( &_v24, _t120, _t119, _v12);
                                                                          										goto L17;
                                                                          									}
                                                                          									_t90 = _t87 - 1;
                                                                          									__eflags = _t90;
                                                                          									if(_t90 == 0) {
                                                                          										_t89 = E000CCE20( &_v24, _t120, _t119, _v12);
                                                                          										goto L17;
                                                                          									}
                                                                          									__eflags = _t90 != 1;
                                                                          									if(_t90 != 1) {
                                                                          										goto L34;
                                                                          									}
                                                                          									_t89 = E000CCD32( &_v24, _t120, _t119, _v12);
                                                                          									goto L17;
                                                                          								} else {
                                                                          									__eflags = _t107;
                                                                          									if(_t107 == 0) {
                                                                          										_t89 = E000CC9BD( &_v24, _t120, _t119, _v12);
                                                                          										L17:
                                                                          										L15:
                                                                          										_t120 = _t89;
                                                                          										L28:
                                                                          										_t119 =  &_v44;
                                                                          										asm("movsd");
                                                                          										asm("movsd");
                                                                          										asm("movsd");
                                                                          										_t74 = _v40;
                                                                          										__eflags = _t74;
                                                                          										if(_t74 != 0) {
                                                                          											__eflags = _t74 - _v36;
                                                                          											L40:
                                                                          											_pop(_t104);
                                                                          											L41:
                                                                          											return E000BDE36(_t104, _v8 ^ _t121, _t118, _t119, _t120);
                                                                          										}
                                                                          										_t77 = _v44;
                                                                          										__eflags = _t77;
                                                                          										if(_t77 == 0) {
                                                                          											_t119 = _v52;
                                                                          											L34:
                                                                          											_t116 = _v28;
                                                                          											_t79 =  *((intOrPtr*)(0xfb158 + _v32 * 4));
                                                                          											__eflags =  *(_t79 + _t116 + 0x28) & 0x00000040;
                                                                          											if(( *(_t79 + _t116 + 0x28) & 0x00000040) == 0) {
                                                                          												L37:
                                                                          												 *((intOrPtr*)(E000C3E36())) = 0x1c;
                                                                          												_t81 = E000C3E23();
                                                                          												 *_t81 =  *_t81 & 0x00000000;
                                                                          												__eflags =  *_t81;
                                                                          												L38:
                                                                          												goto L40;
                                                                          											}
                                                                          											__eflags =  *_t119 - 0x1a;
                                                                          											if( *_t119 != 0x1a) {
                                                                          												goto L37;
                                                                          											}
                                                                          											goto L40;
                                                                          										}
                                                                          										_t120 = 5;
                                                                          										__eflags = _t77 - _t120;
                                                                          										if(_t77 != _t120) {
                                                                          											_t81 = E000C3E00(_t77);
                                                                          										} else {
                                                                          											 *((intOrPtr*)(E000C3E36())) = 9;
                                                                          											 *(E000C3E23()) = _t120;
                                                                          										}
                                                                          										goto L38;
                                                                          									}
                                                                          									__eflags = _t107 - 1 - 1;
                                                                          									if(_t107 - 1 > 1) {
                                                                          										goto L34;
                                                                          									}
                                                                          									_t89 = E000CCB70( &_v24, _t119, _v12);
                                                                          									goto L15;
                                                                          								}
                                                                          							}
                                                                          							 *(E000C3E23()) =  *_t97 & 0x00000000;
                                                                          							 *((intOrPtr*)(E000C3E36())) = 0x16;
                                                                          							_t81 = E000C3D7A();
                                                                          							goto L38;
                                                                          						}
                                                                          						__eflags = _t107 - 1;
                                                                          						if(_t107 != 1) {
                                                                          							goto L9;
                                                                          						}
                                                                          						goto L6;
                                                                          					}
                                                                          					 *(E000C3E23()) =  *_t99 & _t119;
                                                                          					 *((intOrPtr*)(E000C3E36())) = 0x16;
                                                                          					E000C3D7A();
                                                                          					goto L41;
                                                                          				}
                                                                          				goto L41;
                                                                          			}









































                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: @Mt
                                                                          • API String ID: 0-1491384996
                                                                          • Opcode ID: a977b7906bff1e36a5016e0f85d35a9f24822ca01feb41599763da061f5c2d54
                                                                          • Instruction ID: 39dcace474817292a066f1f287eaa1942a85c964c44535ae4b03b7c72a27d640
                                                                          • Opcode Fuzzy Hash: a977b7906bff1e36a5016e0f85d35a9f24822ca01feb41599763da061f5c2d54
                                                                          • Instruction Fuzzy Hash: 3E51A571D1020AABDB259FA4C845FEEBBB8EF55320F14406FF805A7292D7759A02CB61
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 58%
                                                                          			E000D35A4(intOrPtr _a4, signed char _a8, intOrPtr* _a12) {
                                                                          				void* _v8;
                                                                          				void* _v12;
                                                                          				char _v16;
                                                                          				intOrPtr _v24;
                                                                          				char _v32;
                                                                          				short _t29;
                                                                          				void* _t31;
                                                                          				intOrPtr* _t48;
                                                                          				intOrPtr* _t55;
                                                                          				intOrPtr* _t56;
                                                                          				void* _t62;
                                                                          
                                                                          				_t55 = 0;
                                                                          				_v16 = 0;
                                                                          				_v8 = 0;
                                                                          				_v12 = 0;
                                                                          				__imp__#8( &_v32);
                                                                          				_t29 = 8;
                                                                          				_v32 = _t29;
                                                                          				__imp__#2(_a4);
                                                                          				_v24 = _t29;
                                                                          				if(_t29 != 0) {
                                                                          					_t31 = E000D2F23(0,  &_v8, 0);
                                                                          					_t55 = _v8;
                                                                          					_t62 =  ==  ? 0x80004005 : _t31;
                                                                          					if(_t62 < 0) {
                                                                          						goto L13;
                                                                          					}
                                                                          					if((_a8 & 0x00000001) == 0) {
                                                                          						L5:
                                                                          						_t62 =  *((intOrPtr*)( *_t55 + 0x110))(_t55, 0);
                                                                          						if(_t62 >= 0) {
                                                                          							_t62 =  *((intOrPtr*)( *_t55 + 0x118))(_t55, 0);
                                                                          							if(_t62 >= 0) {
                                                                          								 *((intOrPtr*)( *_t55 + 0xfc))(_t55, 0);
                                                                          								asm("movsd");
                                                                          								asm("movsd");
                                                                          								asm("movsd");
                                                                          								asm("movsd");
                                                                          								_t62 =  ==  ? 0x8007006e :  *((intOrPtr*)( *_t55 + 0xe8))(_t55,  &_v16);
                                                                          								if(_t62 >= 0) {
                                                                          									_t48 = _a12;
                                                                          									if(_t48 != 0) {
                                                                          										 *_t48 = _t55;
                                                                          										_t55 = 0;
                                                                          									}
                                                                          									_t62 = 0;
                                                                          								} else {
                                                                          									_push( &_v12);
                                                                          									_push(_t55);
                                                                          									if( *((intOrPtr*)( *_t55 + 0xf0))() == 0) {
                                                                          										E000D2E85( &_v12, _v12);
                                                                          									}
                                                                          								}
                                                                          							}
                                                                          						}
                                                                          						goto L13;
                                                                          					}
                                                                          					_t62 =  *((intOrPtr*)( *_t55 + 0x120))(_t55, 0xffffffff);
                                                                          					if(_t62 < 0) {
                                                                          						goto L13;
                                                                          					}
                                                                          					goto L5;
                                                                          				} else {
                                                                          					_t62 = 0x8007000e;
                                                                          					E000937D3(_t29, "xmlutil.cpp", 0x16a, 0x8007000e);
                                                                          					L13:
                                                                          					__imp__#9( &_v32);
                                                                          					if(_t55 != 0) {
                                                                          						 *((intOrPtr*)( *_t55 + 8))(_t55);
                                                                          					}
                                                                          					_t56 = _v12;
                                                                          					if(_t56 != 0) {
                                                                          						 *((intOrPtr*)( *_t56 + 8))(_t56);
                                                                          					}
                                                                          					return _t62;
                                                                          				}
                                                                          			}















                                                                          APIs
                                                                          • VariantInit.OLEAUT32(000002C0), ref: 000D35BE
                                                                          • SysAllocString.OLEAUT32(?), ref: 000D35CE
                                                                          • VariantClear.OLEAUT32(?), ref: 000D36AF
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: Variant$AllocClearInitString
                                                                          • String ID: xmlutil.cpp
                                                                          • API String ID: 2213243845-1270936966
                                                                          • Opcode ID: 79496fe5ab014ffe60edd38b36b538c9030c0818a700f8843181e84c66717cca
                                                                          • Instruction ID: dd59620653b1ef49cc13ad7c04936eda719de76b1632175f232e2ecfb3f91ab7
                                                                          • Opcode Fuzzy Hash: 79496fe5ab014ffe60edd38b36b538c9030c0818a700f8843181e84c66717cca
                                                                          • Instruction Fuzzy Hash: 53416371900725ABCB119FA9C888EAEBBF8AF45710F0545A6FD05EB311D775DE008BB1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 88%
                                                                          			E000C65D0(int* _a4, char* _a8, int _a12, short _a16, intOrPtr _a20) {
                                                                          				int _v8;
                                                                          				char _v12;
                                                                          				intOrPtr _v20;
                                                                          				char _v24;
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				signed int* _t21;
                                                                          				intOrPtr _t23;
                                                                          				intOrPtr* _t26;
                                                                          				intOrPtr* _t28;
                                                                          				intOrPtr* _t31;
                                                                          				char _t32;
                                                                          				int* _t33;
                                                                          				intOrPtr* _t35;
                                                                          				signed int* _t37;
                                                                          				char* _t39;
                                                                          				int _t43;
                                                                          				void* _t46;
                                                                          				int _t47;
                                                                          
                                                                          				_t39 = _a8;
                                                                          				_t47 = _a12;
                                                                          				if(_t39 == 0 && _t47 != 0) {
                                                                          					_t37 = _a4;
                                                                          					if(_t37 != 0) {
                                                                          						 *_t37 =  *_t37 & 0x00000000;
                                                                          					}
                                                                          					return 0;
                                                                          				}
                                                                          				_t21 = _a4;
                                                                          				if(_t21 != 0) {
                                                                          					 *_t21 =  *_t21 | 0xffffffff;
                                                                          				}
                                                                          				if(_t47 <= 0x7fffffff) {
                                                                          					E000C19B7(_t39,  &_v24, _t46, _a20);
                                                                          					_t23 = _v20;
                                                                          					if( *((intOrPtr*)(_t23 + 0xa8)) != 0) {
                                                                          						_v8 = 0;
                                                                          						_t43 = WideCharToMultiByte( *(_t23 + 8), 0,  &_a16, 1, _t39, _t47, 0,  &_v8);
                                                                          						if(_t43 == 0) {
                                                                          							if(GetLastError() != 0x7a) {
                                                                          								L14:
                                                                          								_t26 = E000C3E36();
                                                                          								_push(0x2a);
                                                                          								_pop(0);
                                                                          								 *_t26 = 0;
                                                                          								L15:
                                                                          								if(_v12 != 0) {
                                                                          									 *(_v24 + 0x350) =  *(_v24 + 0x350) & 0xfffffffd;
                                                                          								}
                                                                          								goto L17;
                                                                          							}
                                                                          							if(_t39 != 0 && _t47 != 0) {
                                                                          								E000BF670(_t47, _t39, 0, _t47);
                                                                          							}
                                                                          							L32:
                                                                          							_t28 = E000C3E36();
                                                                          							_push(0x22);
                                                                          							_pop(0);
                                                                          							 *_t28 = 0;
                                                                          							E000C3D7A();
                                                                          							goto L15;
                                                                          						}
                                                                          						if(_v8 != 0) {
                                                                          							goto L14;
                                                                          						}
                                                                          						_t31 = _a4;
                                                                          						if(_t31 != 0) {
                                                                          							 *_t31 = _t43;
                                                                          						}
                                                                          						goto L15;
                                                                          					}
                                                                          					_t32 = _a16;
                                                                          					if(_t32 <= 0xff) {
                                                                          						if(_t39 == 0) {
                                                                          							L22:
                                                                          							_t33 = _a4;
                                                                          							if(_t33 != 0) {
                                                                          								 *_t33 = 1;
                                                                          							}
                                                                          							goto L15;
                                                                          						}
                                                                          						if(_t47 == 0) {
                                                                          							goto L32;
                                                                          						}
                                                                          						 *_t39 = _t32;
                                                                          						goto L22;
                                                                          					}
                                                                          					if(_t39 != 0 && _t47 != 0) {
                                                                          						E000BF670(_t47, _t39, 0, _t47);
                                                                          					}
                                                                          					goto L14;
                                                                          				} else {
                                                                          					_t35 = E000C3E36();
                                                                          					_push(0x16);
                                                                          					_pop(0);
                                                                          					 *_t35 = 0;
                                                                          					E000C3D7A();
                                                                          					L17:
                                                                          					return 0;
                                                                          				}
                                                                          			}























                                                                          APIs
                                                                          • WideCharToMultiByte.KERNEL32(000DB508,00000000,00000006,00000001,comres.dll,?,00000000,?,00000000,?,?,00000000,00000006,?,comres.dll,?), ref: 000C66A3
                                                                          • GetLastError.KERNEL32 ref: 000C66BF
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ByteCharErrorLastMultiWide
                                                                          • String ID: @Mt$comres.dll
                                                                          • API String ID: 203985260-2307691686
                                                                          • Opcode ID: cffda1bd5941bfe8c688bc55b85809e8115af832c404db09b7151805123638e1
                                                                          • Instruction ID: d64603b500458cdd55795a32799e6e8a0b1302282f99909584c8b8912ce681b0
                                                                          • Opcode Fuzzy Hash: cffda1bd5941bfe8c688bc55b85809e8115af832c404db09b7151805123638e1
                                                                          • Instruction Fuzzy Hash: 4331E131600205ABDB71AF69D886FAF3BE89F52760F14412DF8159B292DB32CD00C7A1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E000CE652(void* __eflags, signed int _a4) {
                                                                          				intOrPtr _t13;
                                                                          				void* _t21;
                                                                          				signed int _t33;
                                                                          				long _t35;
                                                                          
                                                                          				_t33 = _a4;
                                                                          				if(E000C8D4E(_t33) != 0xffffffff) {
                                                                          					_t13 =  *0xfb158; // 0xad8098
                                                                          					if(_t33 != 1 || ( *(_t13 + 0x88) & 0x00000001) == 0) {
                                                                          						if(_t33 != 2 || ( *(_t13 + 0x58) & 0x00000001) == 0) {
                                                                          							goto L7;
                                                                          						} else {
                                                                          							goto L6;
                                                                          						}
                                                                          					} else {
                                                                          						L6:
                                                                          						_t21 = E000C8D4E(2);
                                                                          						if(E000C8D4E(1) == _t21) {
                                                                          							goto L1;
                                                                          						}
                                                                          						L7:
                                                                          						if(CloseHandle(E000C8D4E(_t33)) != 0) {
                                                                          							goto L1;
                                                                          						}
                                                                          						_t35 = GetLastError();
                                                                          						L9:
                                                                          						E000C8CBD(_t33);
                                                                          						 *((char*)( *((intOrPtr*)(0xfb158 + (_t33 >> 6) * 4)) + 0x28 + (_t33 & 0x0000003f) * 0x30)) = 0;
                                                                          						if(_t35 == 0) {
                                                                          							return 0;
                                                                          						}
                                                                          						return E000C3E00(_t35) | 0xffffffff;
                                                                          					}
                                                                          				}
                                                                          				L1:
                                                                          				_t35 = 0;
                                                                          				goto L9;
                                                                          			}








                                                                          APIs
                                                                          • CloseHandle.KERNEL32(00000000,00000000,?,?,000CE570,?), ref: 000CE6A8
                                                                          • GetLastError.KERNEL32(?,000CE570,?), ref: 000CE6B2
                                                                          • __dosmaperr.LIBCMT ref: 000CE6DD
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: CloseErrorHandleLast__dosmaperr
                                                                          • String ID: @Mt
                                                                          • API String ID: 2583163307-1491384996
                                                                          • Opcode ID: 38b38650be7129d63b97c59a503c4294af9f3d4007bd0d5e18865d4167fb5592
                                                                          • Instruction ID: ae5f18f0c15d2b1801f8b4f09c3a85effe8ee2456623e94d48a5742218969329
                                                                          • Opcode Fuzzy Hash: 38b38650be7129d63b97c59a503c4294af9f3d4007bd0d5e18865d4167fb5592
                                                                          • Instruction Fuzzy Hash: 76014932A2129016E2742374DC45FBE7B895BF27B4F29411EF915CB2D2DF748C809394
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0009155F(short** _a4, intOrPtr _a8, int _a12, int _a16) {
                                                                          				short** _t15;
                                                                          				int _t16;
                                                                          				void* _t17;
                                                                          
                                                                          				_t15 = _a4;
                                                                          				_t16 = _a12;
                                                                          				_t17 = E000921A5(_t15, _a8, _t16);
                                                                          				if(_t17 < 0) {
                                                                          					L6:
                                                                          					return _t17;
                                                                          				}
                                                                          				if(_t16 != 0) {
                                                                          					L4:
                                                                          					if(LCMapStringW(0x7f, _a16,  *_t15, _t16,  *_t15, _t16) == 0) {
                                                                          						_t20 =  <=  ? GetLastError() : _t10 & 0x0000ffff | 0x80070000;
                                                                          						_t17 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t10 & 0x0000ffff | 0x80070000;
                                                                          						E000937D3(0x80004005, "strutil.cpp", 0xa51, _t17);
                                                                          					}
                                                                          					goto L6;
                                                                          				}
                                                                          				_t17 = E00091C57( *_t15, 0x7fffffff,  &_a12);
                                                                          				if(_t17 < 0) {
                                                                          					goto L6;
                                                                          				}
                                                                          				_t16 = _a12;
                                                                          				goto L4;
                                                                          			}







                                                                          APIs
                                                                          • LCMapStringW.KERNEL32(0000007F,00000000,00000000,000A6EF3,00000000,000A6EF3,00000000,00000000,000A6EF3,00000000,00000000,00000000,?,00092326,00000000,00000000), ref: 000915A3
                                                                          • GetLastError.KERNEL32(?,00092326,00000000,00000000,000A6EF3,00000200,?,000D516B,00000000,000A6EF3,00000000,000A6EF3,00000000,00000000,00000000), ref: 000915AD
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLastString
                                                                          • String ID: @Mt$strutil.cpp
                                                                          • API String ID: 3728238275-3983159554
                                                                          • Opcode ID: 3e0dbd743d339c371137e7bca876ee4a970d05548d10e42987a069ef94a2fd55
                                                                          • Instruction ID: aa74e5e02afbaa2da71b16b64bb17adf8c56f230812d1f718e7415a4004cf2bf
                                                                          • Opcode Fuzzy Hash: 3e0dbd743d339c371137e7bca876ee4a970d05548d10e42987a069ef94a2fd55
                                                                          • Instruction Fuzzy Hash: 2201F537600A26B7DF219E969C40E977BA9EF85760B030215FE159B150D721DC1097F0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 86%
                                                                          			E000CD244(void* __ecx, void* __eflags, signed int _a4, union _LARGE_INTEGER _a8, union _LARGE_INTEGER* _a12, intOrPtr _a16) {
                                                                          				signed int _v8;
                                                                          				void* _v12;
                                                                          				void* _t15;
                                                                          				signed int _t19;
                                                                          				signed int _t32;
                                                                          				signed int _t33;
                                                                          				signed int _t36;
                                                                          
                                                                          				_t36 = _a4;
                                                                          				_push(_t32);
                                                                          				_t15 = E000C8D4E(_t36);
                                                                          				_t33 = _t32 | 0xffffffff;
                                                                          				if(_t15 != _t33) {
                                                                          					_push(_a16);
                                                                          					if(SetFilePointerEx(_t15, _a8, _a12,  &_v12) != 0) {
                                                                          						if((_v12 & _v8) == _t33) {
                                                                          							goto L2;
                                                                          						} else {
                                                                          							_t19 = _v12;
                                                                          							_t39 = (_t36 & 0x0000003f) * 0x30;
                                                                          							 *( *((intOrPtr*)(0xfb158 + (_t36 >> 6) * 4)) + _t39 + 0x28) =  *( *((intOrPtr*)(0xfb158 + (_t36 >> 6) * 4)) + 0x28 + (_t36 & 0x0000003f) * 0x30) & 0x000000fd;
                                                                          						}
                                                                          					} else {
                                                                          						E000C3E00(GetLastError());
                                                                          						goto L2;
                                                                          					}
                                                                          				} else {
                                                                          					 *((intOrPtr*)(E000C3E36())) = 9;
                                                                          					L2:
                                                                          					_t19 = _t33;
                                                                          				}
                                                                          				return _t19;
                                                                          			}











                                                                          APIs
                                                                          • SetFilePointerEx.KERNEL32(00000000,00000000,00000002,?,00000000,?,00000000,?,?,?,000CD2D8,?,00000000,00000002,00000000), ref: 000CD27D
                                                                          • GetLastError.KERNEL32(?,000CD2D8,?,00000000,00000002,00000000,?,000CD0F0,00000000,00000000,00000000,00000002,00000000,?,00000000), ref: 000CD287
                                                                          • __dosmaperr.LIBCMT ref: 000CD28E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLastPointer__dosmaperr
                                                                          • String ID: @Mt
                                                                          • API String ID: 2336955059-1491384996
                                                                          • Opcode ID: 78460c01a2a994b56172f55de0045a22ab058030101201fdecbe6c28ecd5cc74
                                                                          • Instruction ID: 803d1db387ac9788e8f74f60610204d02581bca56b545ec13e6e1c7f9eefd9f4
                                                                          • Opcode Fuzzy Hash: 78460c01a2a994b56172f55de0045a22ab058030101201fdecbe6c28ecd5cc74
                                                                          • Instruction Fuzzy Hash: A8012832614215ABCB159FA9DC05EAE3B69EB85330B24421EF8118B191EB70DD0197A0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E000933D7(WCHAR** _a4, struct HINSTANCE__* _a8) {
                                                                          				long _t6;
                                                                          				WCHAR** _t10;
                                                                          				long _t11;
                                                                          				void* _t12;
                                                                          
                                                                          				_t10 = _a4;
                                                                          				_t11 = 0x104;
                                                                          				while(1) {
                                                                          					_t12 = E00091EDE(_t10, _t11);
                                                                          					if(_t12 < 0) {
                                                                          						break;
                                                                          					}
                                                                          					_t6 = GetModuleFileNameW(_a8,  *_t10, _t11);
                                                                          					if(_t6 == 0) {
                                                                          						_t15 =  <=  ? GetLastError() : _t7 & 0x0000ffff | 0x80070000;
                                                                          						_t12 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t7 & 0x0000ffff | 0x80070000;
                                                                          						E000937D3(0x80004005, "pathutil.cpp", 0x1d4, _t12);
                                                                          					} else {
                                                                          						if(_t6 != _t11) {
                                                                          							_t12 = 0;
                                                                          						} else {
                                                                          							_t3 = _t6 + 1; // 0x1
                                                                          							_t11 = _t3;
                                                                          							continue;
                                                                          						}
                                                                          					}
                                                                          					break;
                                                                          				}
                                                                          				return _t12;
                                                                          			}








                                                                          APIs
                                                                          • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,000910DD,?,00000000), ref: 000933F8
                                                                          • GetLastError.KERNEL32(?,?,?,000910DD,?,00000000), ref: 0009340F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLastModuleName
                                                                          • String ID: @Mt$pathutil.cpp
                                                                          • API String ID: 2776309574-1527316599
                                                                          • Opcode ID: a95206db5cc39293bbd692ef61d3e3778b87833afcd3fa55f37fb0c217759e50
                                                                          • Instruction ID: d34acae760fc50737974df4bd3ad88e1a8219da73f4484317bcea707fc4f3534
                                                                          • Opcode Fuzzy Hash: a95206db5cc39293bbd692ef61d3e3778b87833afcd3fa55f37fb0c217759e50
                                                                          • Instruction Fuzzy Hash: 0DF0F633B04330ABEB32666A5C48E87BAD9DF45BA0B034122FE05EB150C721DD00AAF0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 62%
                                                                          			E000D602B(signed int __ecx, intOrPtr _a4, signed int _a8, signed int _a12, signed int _a16, signed int* _a20) {
                                                                          				signed int _v8;
                                                                          				signed int _t25;
                                                                          				signed int* _t29;
                                                                          				signed int* _t37;
                                                                          				signed int _t48;
                                                                          				intOrPtr _t50;
                                                                          				signed int _t53;
                                                                          				void* _t58;
                                                                          				void* _t62;
                                                                          				void* _t63;
                                                                          				void* _t64;
                                                                          
                                                                          				_t39 = __ecx;
                                                                          				_push(__ecx);
                                                                          				_v8 = _v8 & 0x00000000;
                                                                          				_t37 = _a16;
                                                                          				_t50 = _a4;
                                                                          				while(1) {
                                                                          					_a16 = _a16 & 0x00000000;
                                                                          					_push(0);
                                                                          					_push(0);
                                                                          					_push(0);
                                                                          					_push(0);
                                                                          					_push(_t50);
                                                                          					if( *0xfa984() != 0) {
                                                                          						_t53 = E000D8924(_t39, _t50, 0x13,  &_v8);
                                                                          						__eflags = _t53;
                                                                          					} else {
                                                                          						_t53 =  <=  ? GetLastError() : _t31 & 0x0000ffff | 0x80070000;
                                                                          						E000D012F(_t53, "Failed to send request to URL: %ls, trying to process HTTP status code anyway.",  *_a8);
                                                                          						_t58 = _t58 + 0xc;
                                                                          						_t62 = E000D8924(_t39, _t50, 0x13,  &_v8);
                                                                          					}
                                                                          					if(_t62 < 0) {
                                                                          						break;
                                                                          					}
                                                                          					_t25 = _v8;
                                                                          					_t39 = 0x194;
                                                                          					_t63 = _t25 - 0x194;
                                                                          					if(_t63 > 0) {
                                                                          						_t39 = 0x19e;
                                                                          						__eflags = _t25 - 0x19e;
                                                                          						if(__eflags > 0) {
                                                                          							_t39 = _t25 - 0x1f6;
                                                                          							__eflags = _t39;
                                                                          							if(_t39 == 0) {
                                                                          								L40:
                                                                          								_t53 = 0x80070003;
                                                                          								L41:
                                                                          								if(_a16 != 0) {
                                                                          									continue;
                                                                          								}
                                                                          								break;
                                                                          							}
                                                                          							_t39 = _t39 - 1;
                                                                          							__eflags = _t39;
                                                                          							if(_t39 == 0) {
                                                                          								goto L40;
                                                                          							}
                                                                          							_t39 = _t39 - 1;
                                                                          							__eflags = _t39;
                                                                          							if(_t39 == 0) {
                                                                          								L39:
                                                                          								_t53 = 0x80070102;
                                                                          								goto L41;
                                                                          							}
                                                                          							L38:
                                                                          							__eflags = _t53;
                                                                          							_t53 =  >=  ? 0x8000ffff : _t53;
                                                                          							_t39 = _a8;
                                                                          							_push( *_a8);
                                                                          							E000D012F(_t53, "Unknown HTTP status code %d, returned from URL: %ls", _t25);
                                                                          							_t58 = _t58 + 0x10;
                                                                          							goto L41;
                                                                          						}
                                                                          						if(__eflags == 0) {
                                                                          							_t53 = 0x80010135;
                                                                          							goto L41;
                                                                          						}
                                                                          						_t39 = _t25 - 0x195;
                                                                          						__eflags = _t39;
                                                                          						if(_t39 == 0) {
                                                                          							_t53 = 0x80070032;
                                                                          							goto L41;
                                                                          						}
                                                                          						_t39 = _t39;
                                                                          						__eflags = _t39;
                                                                          						if(_t39 == 0) {
                                                                          							L30:
                                                                          							_a16 = _a16 & 0x00000000;
                                                                          							_t53 = 0x80070005;
                                                                          							 *_t37 =  *_t37 & 0x00000000;
                                                                          							_t48 = _a12;
                                                                          							__eflags = _t48;
                                                                          							if(_t48 != 0) {
                                                                          								_t39 =  *_t48;
                                                                          								__eflags = _t39;
                                                                          								if(_t39 != 0) {
                                                                          									_t53 =  *_t39( *((intOrPtr*)(_t48 + 4)), _t50, _t25,  &_a16, _t37);
                                                                          								}
                                                                          							}
                                                                          							goto L41;
                                                                          						}
                                                                          						_t39 = _t39 - 1;
                                                                          						__eflags = _t39;
                                                                          						if(_t39 == 0) {
                                                                          							goto L39;
                                                                          						}
                                                                          						_t39 = _t39;
                                                                          						__eflags = _t39;
                                                                          						if(_t39 != 0) {
                                                                          							goto L38;
                                                                          						}
                                                                          						L29:
                                                                          						_t53 = 0x80070002;
                                                                          						goto L41;
                                                                          					}
                                                                          					if(_t63 == 0) {
                                                                          						goto L29;
                                                                          					}
                                                                          					_t39 = 0x12f;
                                                                          					_t64 = _t25 - 0x194;
                                                                          					if(_t64 > 0) {
                                                                          						_t39 = _t25 - 0x190;
                                                                          						__eflags = _t39;
                                                                          						if(_t39 == 0) {
                                                                          							_t53 = 0x800700a1;
                                                                          							goto L41;
                                                                          						}
                                                                          						_t39 = _t39 - 1;
                                                                          						__eflags = _t39;
                                                                          						if(_t39 == 0) {
                                                                          							goto L30;
                                                                          						}
                                                                          						_t39 = _t39;
                                                                          						__eflags = _t39;
                                                                          						if(_t39 != 0) {
                                                                          							goto L38;
                                                                          						}
                                                                          						_t53 = 0x80070005;
                                                                          						goto L41;
                                                                          					}
                                                                          					if(_t64 == 0) {
                                                                          						L13:
                                                                          						_t53 = E000D898E(_t39, _t50, 0x33, _a8);
                                                                          						if(_t53 < 0) {
                                                                          							break;
                                                                          						} else {
                                                                          							 *_t37 = 1;
                                                                          							goto L41;
                                                                          						}
                                                                          					}
                                                                          					_t39 = _t25 - 0xc8;
                                                                          					if(_t39 == 0) {
                                                                          						_t29 = _a20;
                                                                          						 *_t29 =  *_t29 & 0x00000000;
                                                                          						__eflags =  *_t29;
                                                                          						L17:
                                                                          						_t53 = 0;
                                                                          						goto L41;
                                                                          					}
                                                                          					_t39 = _t39 - 6;
                                                                          					if(_t39 == 0) {
                                                                          						 *_a20 = 1;
                                                                          						goto L17;
                                                                          					}
                                                                          					_t39 = _t39 - 0x5f;
                                                                          					if(_t39 == 0 || _t39 == 0) {
                                                                          						goto L13;
                                                                          					} else {
                                                                          						goto L38;
                                                                          					}
                                                                          				}
                                                                          				return _t53;
                                                                          			}














                                                                          0x000d6124
                                                                          0x000d6124
                                                                          0x000d6127
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x000d612d
                                                                          0x00000000
                                                                          0x000d612d
                                                                          0x000d60bd
                                                                          0x000d60dc
                                                                          0x000d60e7
                                                                          0x000d60eb
                                                                          0x00000000
                                                                          0x000d60f1
                                                                          0x000d60f1
                                                                          0x00000000
                                                                          0x000d60f1
                                                                          0x000d60eb
                                                                          0x000d60c1
                                                                          0x000d60c7
                                                                          0x000d6107
                                                                          0x000d610a
                                                                          0x000d610a
                                                                          0x000d610d
                                                                          0x000d610d
                                                                          0x00000000
                                                                          0x000d610d
                                                                          0x000d60c9
                                                                          0x000d60cc
                                                                          0x000d60ff
                                                                          0x00000000
                                                                          0x000d60ff
                                                                          0x000d60ce
                                                                          0x000d60d1
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x000d60d1
                                                                          0x000d61f7

                                                                          APIs
                                                                          • GetLastError.KERNEL32 ref: 000D6053
                                                                            • Part of subcall function 000D8924: GetLastError.KERNEL32(?,?,?,000D6096,?,00000013,00000000), ref: 000D8957
                                                                          Strings
                                                                          • @Mt, xrefs: 000D6053
                                                                          • Unknown HTTP status code %d, returned from URL: %ls, xrefs: 000D61C9
                                                                          • Failed to send request to URL: %ls, trying to process HTTP status code anyway., xrefs: 000D606C
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp Download File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast
                                                                          • String ID: @Mt$Failed to send request to URL: %ls, trying to process HTTP status code anyway.$Unknown HTTP status code %d, returned from URL: %ls
                                                                          • API String ID: 1452528299-2623630589
                                                                          • Opcode ID: 0ddea9cacc5c583a765957069035f8a5a7ca01ce0250c095c4b6a50ee70a5046
                                                                          • Instruction ID: b091f6eb7250e22c7b88a591c1682a0b7a1d3de64bd160984e37831f2a18f3ae
                                                                          • Opcode Fuzzy Hash: 0ddea9cacc5c583a765957069035f8a5a7ca01ce0250c095c4b6a50ee70a5046
                                                                          • Instruction Fuzzy Hash: 8A41D73A640315A7EB795E68CD25B7A76D4EB01310F1D422FFE029B393DA67CE0096B1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 86%
                                                                          			E000C90AA(void* __edx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
                                                                          				signed int _v8;
                                                                          				int _v12;
                                                                          				char _v16;
                                                                          				intOrPtr _v24;
                                                                          				char _v28;
                                                                          				void* _v40;
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				void* __ebp;
                                                                          				signed int _t34;
                                                                          				signed int _t40;
                                                                          				int _t46;
                                                                          				int _t53;
                                                                          				void* _t54;
                                                                          				int _t56;
                                                                          				signed int _t62;
                                                                          				int _t65;
                                                                          				short* _t66;
                                                                          				signed int _t67;
                                                                          				short* _t68;
                                                                          
                                                                          				_t64 = __edx;
                                                                          				_t34 =  *0xfa008; // 0x90c8e23b
                                                                          				_v8 = _t34 ^ _t67;
                                                                          				E000C19B7(_t54,  &_v28, __edx, _a4);
                                                                          				_t56 = _a24;
                                                                          				if(_t56 == 0) {
                                                                          					_t6 = _v24 + 8; // 0xe3e85006
                                                                          					_t53 =  *_t6;
                                                                          					_t56 = _t53;
                                                                          					_a24 = _t53;
                                                                          				}
                                                                          				_t65 = 0;
                                                                          				_t40 = MultiByteToWideChar(_t56, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
                                                                          				_v12 = _t40;
                                                                          				if(_t40 == 0) {
                                                                          					L15:
                                                                          					if(_v16 != 0) {
                                                                          						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
                                                                          					}
                                                                          					return E000BDE36(_t54, _v8 ^ _t67, _t64, _t65, _t66);
                                                                          				}
                                                                          				_t54 = _t40 + _t40;
                                                                          				asm("sbb eax, eax");
                                                                          				if((_t54 + 0x00000008 & _t40) == 0) {
                                                                          					_t66 = 0;
                                                                          					L11:
                                                                          					if(_t66 != 0) {
                                                                          						E000BF670(_t65, _t66, _t65, _t54);
                                                                          						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t66, _v12);
                                                                          						if(_t46 != 0) {
                                                                          							_t65 = GetStringTypeW(_a8, _t66, _t46, _a20);
                                                                          						}
                                                                          					}
                                                                          					L14:
                                                                          					E000C91C7(_t66);
                                                                          					goto L15;
                                                                          				}
                                                                          				asm("sbb eax, eax");
                                                                          				_t48 = _t40 & _t54 + 0x00000008;
                                                                          				_t62 = _t54 + 8;
                                                                          				if((_t40 & _t54 + 0x00000008) > 0x400) {
                                                                          					asm("sbb eax, eax");
                                                                          					_t66 = E000C5154(_t62, _t48 & _t62);
                                                                          					if(_t66 == 0) {
                                                                          						goto L14;
                                                                          					}
                                                                          					 *_t66 = 0xdddd;
                                                                          					L9:
                                                                          					_t66 =  &(_t66[4]);
                                                                          					goto L11;
                                                                          				}
                                                                          				asm("sbb eax, eax");
                                                                          				E000D9DF0();
                                                                          				_t66 = _t68;
                                                                          				if(_t66 == 0) {
                                                                          					goto L14;
                                                                          				}
                                                                          				 *_t66 = 0xcccc;
                                                                          				goto L9;
                                                                          			}

























                                                                          APIs
                                                                          • MultiByteToWideChar.KERNEL32(?,00000000,E3E85006,000C234D,00000000,00000000,000C3382,?,000C3382,?,00000001,000C234D,E3E85006,00000001,000C3382,000C3382), ref: 000C90F7
                                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 000C9180
                                                                          • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 000C9192
                                                                          • __freea.LIBCMT ref: 000C919B
                                                                            • Part of subcall function 000C5154: RtlAllocateHeap.NTDLL(00000000,?,?,?,000C1E90,?,0000015D,?,?,?,?,000C32E9,000000FF,00000000,?,?), ref: 000C5186
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp Download File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                          • String ID:
                                                                          • API String ID: 2652629310-0
                                                                          • Opcode ID: 083bc0b06d8055ff47ce16cc58332fa53a009b1ecc7b19f31a54da296b7bc315
                                                                          • Instruction ID: e5bc769984e154eb9380712d0502e658f0e04351324debfaa39a9ae711550fbb
                                                                          • Opcode Fuzzy Hash: 083bc0b06d8055ff47ce16cc58332fa53a009b1ecc7b19f31a54da296b7bc315
                                                                          • Instruction Fuzzy Hash: F331DE72A0020AABDF249F65CC4AEEE7BA5EF41310B09412DFC14D7251EB35DD54CBA0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 50%
                                                                          			E000D5587(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16) {
                                                                          				char _v8;
                                                                          				intOrPtr* _t29;
                                                                          				void* _t31;
                                                                          				void* _t34;
                                                                          
                                                                          				_t34 = 0;
                                                                          				_push( &_v8);
                                                                          				_push(0);
                                                                          				_push(_a8);
                                                                          				_v8 = 0;
                                                                          				_push(_a4);
                                                                          				if( *0xfa938() != 0) {
                                                                          					_t31 = E000938D4(_v8, 1);
                                                                          					if(_t31 != 0) {
                                                                          						_push( &_v8);
                                                                          						_push(_t31);
                                                                          						_push(_a8);
                                                                          						_push(_a4);
                                                                          						if( *0xfa938() != 0) {
                                                                          							_t29 = _a16;
                                                                          							 *_a12 = _t31;
                                                                          							_t31 = 0;
                                                                          							if(_t29 == 0) {
                                                                          								L10:
                                                                          								L11:
                                                                          								return _t34;
                                                                          							}
                                                                          							 *_t29 = _v8;
                                                                          							L8:
                                                                          							if(_t31 != 0) {
                                                                          								E00093999(_t31);
                                                                          							}
                                                                          							goto L10;
                                                                          						}
                                                                          						_t38 =  <=  ? GetLastError() : _t21 & 0x0000ffff | 0x80070000;
                                                                          						_t34 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t21 & 0x0000ffff | 0x80070000;
                                                                          						E000937D3(0x80004005, "certutil.cpp", 0x1f, _t34);
                                                                          						goto L8;
                                                                          					}
                                                                          					_t34 = 0x8007000e;
                                                                          					E000937D3(_t14, "certutil.cpp", 0x1b, 0x8007000e);
                                                                          					goto L10;
                                                                          				}
                                                                          				_t41 =  <=  ? GetLastError() : _t25 & 0x0000ffff | 0x80070000;
                                                                          				_t34 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t25 & 0x0000ffff | 0x80070000;
                                                                          				E000937D3(0x80004005, "certutil.cpp", 0x17, _t34);
                                                                          				goto L11;
                                                                          			}








                                                                          APIs
                                                                          • GetLastError.KERNEL32(?,?,000A9133,?,00000003,00000000,?), ref: 000D55A6
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast
                                                                          • String ID: @Mt$certutil.cpp
                                                                          • API String ID: 1452528299-3619458523
                                                                          • Opcode ID: 002bc6895ef7a36c7365863dff999361adb62768b37b301797e82097ebc77a62
                                                                          • Instruction ID: 39bd14b1ad1344dabf024982528454bd8051445e56f7527e28f7c7f7dcefe0d5
                                                                          • Opcode Fuzzy Hash: 002bc6895ef7a36c7365863dff999361adb62768b37b301797e82097ebc77a62
                                                                          • Instruction Fuzzy Hash: CF21F272641729FBEB219B658D04BAB7BE9DF44791F010026BD05EB290EA71CD01AAB0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 44%
                                                                          			E000D3119(void* __eax, intOrPtr* _a4, intOrPtr _a8, signed int* _a12) {
                                                                          				signed int _v8;
                                                                          				signed int _v12;
                                                                          				signed int _v20;
                                                                          				char _v28;
                                                                          				intOrPtr* _t36;
                                                                          				intOrPtr* _t39;
                                                                          				signed int _t40;
                                                                          				signed int _t41;
                                                                          				signed int* _t43;
                                                                          				void* _t46;
                                                                          				void* _t47;
                                                                          				void* _t51;
                                                                          
                                                                          				_v8 = _v8 & 0x00000000;
                                                                          				_v12 = _v12 & 0x00000000;
                                                                          				__imp__#2(_a8);
                                                                          				_t46 = __eax;
                                                                          				__imp__#8( &_v28);
                                                                          				_t39 = _a4;
                                                                          				_t47 =  *((intOrPtr*)( *_t39 + 0x44))(_t39,  &_v8);
                                                                          				if(_t47 >= 0) {
                                                                          					_t47 = E000D336E( &_v12, _v8, __eax,  &_v12);
                                                                          					if(_t47 != 1 && _t47 >= 0) {
                                                                          						_t36 = _v12;
                                                                          						_t47 =  *((intOrPtr*)( *_t36 + 0x20))(_t36,  &_v28);
                                                                          						_t51 = _t47;
                                                                          						if(_t51 >= 0 && _t51 == 0) {
                                                                          							_t43 = _a12;
                                                                          							if(_t43 != 0) {
                                                                          								_v20 = _v20 & 0x00000000;
                                                                          								 *_t43 = _v20;
                                                                          							}
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          				_t40 = _v8;
                                                                          				if(_t40 != 0) {
                                                                          					 *((intOrPtr*)( *_t40 + 8))(_t40);
                                                                          				}
                                                                          				_t41 = _v12;
                                                                          				if(_t41 != 0) {
                                                                          					 *((intOrPtr*)( *_t41 + 8))(_t41);
                                                                          				}
                                                                          				__imp__#9( &_v28);
                                                                          				if(_t46 != 0) {
                                                                          					__imp__#6(_t46);
                                                                          				}
                                                                          				return _t47;
                                                                          			}
















                                                                          APIs
                                                                          • SysAllocString.OLEAUT32(?), ref: 000D312C
                                                                          • VariantInit.OLEAUT32(?), ref: 000D3138
                                                                          • VariantClear.OLEAUT32(?), ref: 000D31AC
                                                                          • SysFreeString.OLEAUT32(00000000), ref: 000D31B7
                                                                            • Part of subcall function 000D336E: SysAllocString.OLEAUT32(?), ref: 000D3383
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: String$AllocVariant$ClearFreeInit
                                                                          • String ID:
                                                                          • API String ID: 347726874-0
                                                                          • Opcode ID: 8c44bf41499cb52ce65d64bfe2787e1e0fa89d471d88c369149c3c86388cdbe0
                                                                          • Instruction ID: 28e25cb881f6d78e2aec9878b34b21680692cdb0db10dbb0e7de7f471a26e53e
                                                                          • Opcode Fuzzy Hash: 8c44bf41499cb52ce65d64bfe2787e1e0fa89d471d88c369149c3c86388cdbe0
                                                                          • Instruction Fuzzy Hash: 3B213A3590121AFFCB24DFA5C848EAEBBF8BF45711F15015EE9019B220DB319E05CBA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 34%
                                                                          			E0009730C(void* __ecx, struct _CRITICAL_SECTION* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                          				signed int _v8;
                                                                          				signed int _t15;
                                                                          				void* _t22;
                                                                          
                                                                          				_t20 = __ecx;
                                                                          				_push(__ecx);
                                                                          				_v8 = _v8 & 0x00000000;
                                                                          				EnterCriticalSection(_a4);
                                                                          				_t22 = E00095C87(_t20, _a4, _a8,  &_v8);
                                                                          				_t15 = _v8;
                                                                          				if(_t22 < 0 ||  *((intOrPtr*)(_t15 + 0x18)) != 0) {
                                                                          					if(_t22 != 0x80070490) {
                                                                          						if(_t22 >= 0) {
                                                                          							_t22 = E000B006A(_t20, _t15 + 8, _a12);
                                                                          							if(_t22 < 0) {
                                                                          								_push(_a8);
                                                                          								_push("Failed to get value as numeric for variable: %ls");
                                                                          								goto L8;
                                                                          							}
                                                                          						} else {
                                                                          							_push(_a8);
                                                                          							_push("Failed to get value of variable: %ls");
                                                                          							L8:
                                                                          							_push(_t22);
                                                                          							E000D012F();
                                                                          						}
                                                                          					}
                                                                          				} else {
                                                                          					_t22 = 0x80070490;
                                                                          				}
                                                                          				LeaveCriticalSection(_a4);
                                                                          				return _t22;
                                                                          			}







                                                                          APIs
                                                                          • EnterCriticalSection.KERNEL32(?), ref: 00097318
                                                                          • LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 0009737F
                                                                          Strings
                                                                          • Failed to get value as numeric for variable: %ls, xrefs: 0009736E
                                                                          • Failed to get value of variable: %ls, xrefs: 00097352
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$EnterLeave
                                                                          • String ID: Failed to get value as numeric for variable: %ls$Failed to get value of variable: %ls
                                                                          • API String ID: 3168844106-4270472870
                                                                          • Opcode ID: 9feb8302fa162af877fc52c8d62839ac6fca843a771089e6b95ffd9bc7f2521e
                                                                          • Instruction ID: 0e28a33aac53247cc5314324cacb4fe9a72fce9180d498ea72591cb70223d694
                                                                          • Opcode Fuzzy Hash: 9feb8302fa162af877fc52c8d62839ac6fca843a771089e6b95ffd9bc7f2521e
                                                                          • Instruction Fuzzy Hash: AC017177965229FBCF155F64CC05A9E3B699F04721F01C165FD08AA221C3369F10BBE4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 38%
                                                                          			E00097481(void* __ecx, void* __edx, struct _CRITICAL_SECTION* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                          				signed int _v8;
                                                                          				signed int _t15;
                                                                          				void* _t21;
                                                                          				void* _t23;
                                                                          
                                                                          				_t21 = __edx;
                                                                          				_t20 = __ecx;
                                                                          				_push(__ecx);
                                                                          				_v8 = _v8 & 0x00000000;
                                                                          				EnterCriticalSection(_a4);
                                                                          				_t23 = E00095C87(_t20, _a4, _a8,  &_v8);
                                                                          				_t15 = _v8;
                                                                          				if(_t23 < 0 ||  *((intOrPtr*)(_t15 + 0x18)) != 0) {
                                                                          					if(_t23 != 0x80070490) {
                                                                          						if(_t23 >= 0) {
                                                                          							_t23 = E000B01D0(_t20, _t21, _t15 + 8, _a12);
                                                                          							if(_t23 < 0) {
                                                                          								_push(_a8);
                                                                          								_push("Failed to get value as version for variable: %ls");
                                                                          								goto L8;
                                                                          							}
                                                                          						} else {
                                                                          							_push(_a8);
                                                                          							_push("Failed to get value of variable: %ls");
                                                                          							L8:
                                                                          							_push(_t23);
                                                                          							E000D012F();
                                                                          						}
                                                                          					}
                                                                          				} else {
                                                                          					_t23 = 0x80070490;
                                                                          				}
                                                                          				LeaveCriticalSection(_a4);
                                                                          				return _t23;
                                                                          			}








                                                                          APIs
                                                                          • EnterCriticalSection.KERNEL32(?), ref: 0009748D
                                                                          • LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 000974F4
                                                                          Strings
                                                                          • Failed to get value as version for variable: %ls, xrefs: 000974E3
                                                                          • Failed to get value of variable: %ls, xrefs: 000974C7
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$EnterLeave
                                                                          • String ID: Failed to get value as version for variable: %ls$Failed to get value of variable: %ls
                                                                          • API String ID: 3168844106-1851729331
                                                                          • Opcode ID: 9506d9f48c09c51f43ad8631448c41fd494853b1a6af4a9bb73f39b66c696f5e
                                                                          • Instruction ID: cb4efb7eb34345661aac89b4a90ff836362856d2ca091f1614f5079118fd748a
                                                                          • Opcode Fuzzy Hash: 9506d9f48c09c51f43ad8631448c41fd494853b1a6af4a9bb73f39b66c696f5e
                                                                          • Instruction Fuzzy Hash: 21018437955229FBCF225F54CC05E9E3F69AF10721F118126FD08AA222C336DE10A7E5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 31%
                                                                          			E00097410(void* __ecx, void* __edx, struct _CRITICAL_SECTION* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                          				signed int _v8;
                                                                          				void* _t20;
                                                                          				void* _t22;
                                                                          
                                                                          				_t20 = __edx;
                                                                          				_t19 = __ecx;
                                                                          				_push(__ecx);
                                                                          				_v8 = _v8 & 0x00000000;
                                                                          				EnterCriticalSection(_a4);
                                                                          				_t22 = E00095C87(_t19, _a4, _a8,  &_v8);
                                                                          				if(_t22 != 0x80070490) {
                                                                          					if(_t22 >= 0) {
                                                                          						_t22 = E000AFF73(_t20, _v8 + 8, _a12);
                                                                          						if(_t22 < 0) {
                                                                          							_push(_a8);
                                                                          							_push("Failed to copy value of variable: %ls");
                                                                          							goto L5;
                                                                          						}
                                                                          					} else {
                                                                          						_push(_a8);
                                                                          						_push("Failed to get value of variable: %ls");
                                                                          						L5:
                                                                          						_push(_t22);
                                                                          						E000D012F();
                                                                          					}
                                                                          				}
                                                                          				LeaveCriticalSection(_a4);
                                                                          				return _t22;
                                                                          			}







                                                                          APIs
                                                                          • EnterCriticalSection.KERNEL32(00000000,00000000,00000006,?,00099752,00000000,?,00000000,00000000,00000000,?,00099590,00000000,?,00000000,00000000), ref: 0009741C
                                                                          • LeaveCriticalSection.KERNEL32(00000000,00000000,00000000,00000000,?,00099752,00000000,?,00000000,00000000,00000000,?,00099590,00000000,?,00000000), ref: 00097472
                                                                          Strings
                                                                          • Failed to copy value of variable: %ls, xrefs: 00097461
                                                                          • Failed to get value of variable: %ls, xrefs: 00097442
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$EnterLeave
                                                                          • String ID: Failed to copy value of variable: %ls$Failed to get value of variable: %ls
                                                                          • API String ID: 3168844106-2936390398
                                                                          • Opcode ID: 4b3d31dfe20db4237eb512eedcb68081c6a0cf88d0b19322dcb4e92cf7c73c23
                                                                          • Instruction ID: 23846caf845477497d409ce4d28a8d5eb3f68de5eec990067c145250d2b36a48
                                                                          • Opcode Fuzzy Hash: 4b3d31dfe20db4237eb512eedcb68081c6a0cf88d0b19322dcb4e92cf7c73c23
                                                                          • Instruction Fuzzy Hash: 3CF08176950229FBCF126F94CC05E9E7F649F05361F008021FD08AA322D3369A20A7E4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E000C1246() {
                                                                          				void* _t4;
                                                                          				void* _t8;
                                                                          
                                                                          				E000C1854();
                                                                          				E000C17E8();
                                                                          				if(E000C1548() != 0) {
                                                                          					_t4 = E000C14FA(_t8, __eflags);
                                                                          					__eflags = _t4;
                                                                          					if(_t4 != 0) {
                                                                          						return 1;
                                                                          					} else {
                                                                          						E000C1584();
                                                                          						goto L1;
                                                                          					}
                                                                          				} else {
                                                                          					L1:
                                                                          					return 0;
                                                                          				}
                                                                          			}






                                                                          APIs
                                                                          • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 000C1246
                                                                          • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 000C124B
                                                                          • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 000C1250
                                                                            • Part of subcall function 000C1548: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 000C1559
                                                                          • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 000C1265
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                                          • String ID:
                                                                          • API String ID: 1761009282-0
                                                                          • Opcode ID: 294756368ebb91e0d837f8d85631f380e5f2af2aa371e18ba28d844398db2aca
                                                                          • Instruction ID: f386985750ffecf030cf2b58cd022b9525ba3590896ea1fb9359ed55ce3eae7f
                                                                          • Opcode Fuzzy Hash: 294756368ebb91e0d837f8d85631f380e5f2af2aa371e18ba28d844398db2aca
                                                                          • Instruction Fuzzy Hash: 15C0483C00860198AEA03BF52242FED038A0FE3385B9020CEF866A7643AD1A043F3032
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E000D4661(intOrPtr _a4) {
                                                                          				char _v8;
                                                                          				void* _v12;
                                                                          				void* _v16;
                                                                          				void* _v20;
                                                                          				char _v24;
                                                                          				signed short* _t64;
                                                                          				intOrPtr _t65;
                                                                          				intOrPtr _t67;
                                                                          				signed int _t78;
                                                                          				signed int _t79;
                                                                          				signed int _t80;
                                                                          				void* _t82;
                                                                          				intOrPtr _t83;
                                                                          				signed int _t84;
                                                                          				void* _t85;
                                                                          				signed int _t86;
                                                                          
                                                                          				_t86 = 0;
                                                                          				_v16 = 0;
                                                                          				_v8 = 0;
                                                                          				_v12 = 0;
                                                                          				_v24 = 0;
                                                                          				_v20 = 0;
                                                                          				_t84 = E000D0E3F(0x80000002, L"SYSTEM\\CurrentControlSet\\Control\\Session Manager", 3,  &_v16);
                                                                          				if(_t84 != 0x80070002) {
                                                                          					if(_t84 >= 0) {
                                                                          						_t84 = E000D10C5(_v16, L"PendingFileRenameOperations",  &_v8,  &_v12);
                                                                          						if(_t84 == 0x80070002) {
                                                                          							goto L1;
                                                                          						} else {
                                                                          							if(_t84 >= 0) {
                                                                          								_t78 = 0;
                                                                          								if(_v12 > 0) {
                                                                          									_t82 = 0x3f;
                                                                          									do {
                                                                          										_t64 =  *(_v8 + _t78 * 4);
                                                                          										if(_t64 == 0) {
                                                                          											L21:
                                                                          											_t65 = _v20;
                                                                          											goto L24;
                                                                          										} else {
                                                                          											_t79 =  *_t64 & 0x0000ffff;
                                                                          											if(_t79 == 0) {
                                                                          												goto L21;
                                                                          											} else {
                                                                          												_t85 = 0x5c;
                                                                          												if(_t85 == _t79 && _t82 == _t64[1] && _t82 == _t64[2] && _t85 == _t64[3]) {
                                                                          													_t64 =  &(_t64[4]);
                                                                          												}
                                                                          												_t84 = E00092D05( &_v24, _a4, _t64,  &_v24);
                                                                          												if(_t84 >= 0) {
                                                                          													if(_v24 != 2) {
                                                                          														_t65 = _v20;
                                                                          													} else {
                                                                          														_t69 = _v8;
                                                                          														if( *(_v8 + _t78 * 4) != _t86) {
                                                                          															E000D54EF( *((intOrPtr*)(_t69 + _t78 * 4)));
                                                                          															 *(_v8 + _t78 * 4) = _t86;
                                                                          														}
                                                                          														_t71 =  *(_v8 + 4 + _t78 * 4);
                                                                          														if( *(_v8 + 4 + _t78 * 4) != 0) {
                                                                          															E000D54EF(_t71);
                                                                          															 *(_v8 + 4 + _t78 * 4) = _t86;
                                                                          														}
                                                                          														_t65 = 1;
                                                                          														_v20 = 1;
                                                                          													}
                                                                          													_t82 = 0x3f;
                                                                          													goto L24;
                                                                          												}
                                                                          											}
                                                                          										}
                                                                          										goto L31;
                                                                          										L24:
                                                                          										_t78 = _t78 + 2;
                                                                          									} while (_t78 < _v12);
                                                                          									if(_t65 != 0) {
                                                                          										_t80 = _t86;
                                                                          										if(_v12 > _t80) {
                                                                          											do {
                                                                          												_t67 = _v8;
                                                                          												_t83 =  *((intOrPtr*)(_t67 + _t80 * 4));
                                                                          												if(_t83 != 0) {
                                                                          													 *((intOrPtr*)(_t67 + _t86 * 4)) = _t83;
                                                                          													_t86 = _t86 + 1;
                                                                          												}
                                                                          												_t80 = _t80 + 1;
                                                                          											} while (_t80 < _v12);
                                                                          										}
                                                                          										_v12 = _t86;
                                                                          										_t84 = E000D143C(_v16, L"PendingFileRenameOperations", _v8, _t86);
                                                                          									}
                                                                          								}
                                                                          							}
                                                                          						}
                                                                          					}
                                                                          				} else {
                                                                          					L1:
                                                                          					_t84 = _t86;
                                                                          				}
                                                                          				L31:
                                                                          				_t56 = _v8;
                                                                          				if(_v8 != 0) {
                                                                          					E00092647(_t56, _v12);
                                                                          				}
                                                                          				if(_v16 != 0) {
                                                                          					RegCloseKey(_v16);
                                                                          				}
                                                                          				return _t84;
                                                                          			}



















                                                                          0x000d47a7
                                                                          0x000d47a7
                                                                          0x000d4776
                                                                          0x000d46d2
                                                                          0x000d46c7
                                                                          0x000d46c3
                                                                          0x000d469b
                                                                          0x000d469b
                                                                          0x000d469b
                                                                          0x000d469b
                                                                          0x000d47a9
                                                                          0x000d47a9
                                                                          0x000d47ae
                                                                          0x000d47b4
                                                                          0x000d47b4
                                                                          0x000d47bd
                                                                          0x000d47c2
                                                                          0x000d47c2
                                                                          0x000d47d0

                                                                          APIs
                                                                            • Part of subcall function 000D0E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,000D5699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 000D0E52
                                                                          • RegCloseKey.ADVAPI32(00000000,80000002,SYSTEM\CurrentControlSet\Control\Session Manager,00000003,?,00000000,00000000,00000101), ref: 000D47C2
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpen
                                                                          • String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager
                                                                          • API String ID: 47109696-3023217399
                                                                          • Opcode ID: eaccab25068e8faaddaf348b64edcf876517aebc26518fdc6f10044663bf4a38
                                                                          • Instruction ID: 7fc6d26ecc49e3a12b1ab8e924171420d35f70ce42da098fab3de25732e57095
                                                                          • Opcode Fuzzy Hash: eaccab25068e8faaddaf348b64edcf876517aebc26518fdc6f10044663bf4a38
                                                                          • Instruction Fuzzy Hash: C6417E75E04319EBCB20EF94C9819AEBBF9EF46B10F21406BE505AB311DB719E50DB60
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 96%
                                                                          			E000D9220(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
                                                                          				void* _v8;
                                                                          				void* _v12;
                                                                          				char _v16;
                                                                          				char _v20;
                                                                          				char _v24;
                                                                          				void* _t55;
                                                                          				void* _t58;
                                                                          
                                                                          				_t55 = __edx;
                                                                          				_t54 = __ecx;
                                                                          				_v20 = 0;
                                                                          				_v12 = 0;
                                                                          				_v16 = 0;
                                                                          				_v8 = 0;
                                                                          				_v24 = 0;
                                                                          				_t58 = E000D8CFB(__ecx, _a8,  &_v20);
                                                                          				if(_t58 >= 0) {
                                                                          					_t58 = E000D0AD5(__ecx, _a4, _v20, 0x20006, 0, 0,  &_v12,  &_v24);
                                                                          					if(_t58 >= 0) {
                                                                          						_push(_a12);
                                                                          						_t58 = E00091F20( &_v16, L"%ls\\%ls",  *0xfa7e4);
                                                                          						if(_t58 >= 0) {
                                                                          							_t58 = E000D0AD5(_t54, _v12, _v16, 0x20006, 0, 0,  &_v8,  &_v24);
                                                                          							if(_t58 >= 0) {
                                                                          								_t58 = E000D1392(_t54, _t55, _v8,  *0xfa7d4, _a16);
                                                                          								if(_t58 >= 0) {
                                                                          									_t58 = E000D1392(_t54, _t55, _v8,  *0xfa7d8, _a20);
                                                                          									if(_t58 >= 0 && _a24 != 0) {
                                                                          										_t58 = E000D1344(_v8,  *0xfa7dc, _a24);
                                                                          									}
                                                                          								}
                                                                          							}
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          				if(_v8 != 0) {
                                                                          					RegCloseKey(_v8);
                                                                          					_v8 = 0;
                                                                          				}
                                                                          				if(_v16 != 0) {
                                                                          					E000D54EF(_v16);
                                                                          				}
                                                                          				if(_v12 != 0) {
                                                                          					RegCloseKey(_v12);
                                                                          					_v12 = 0;
                                                                          				}
                                                                          				if(_v20 != 0) {
                                                                          					E000D54EF(_v20);
                                                                          				}
                                                                          				return _t58;
                                                                          			}











                                                                          APIs
                                                                            • Part of subcall function 000D8CFB: lstrlenW.KERNEL32(00000100,?,?,000D9098,000002C0,00000100,00000100,00000100,?,?,?,000B7B40,?,?,000001BC,00000000), ref: 000D8D1B
                                                                          • RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000000,00000000), ref: 000D9305
                                                                          • RegCloseKey.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 000D931F
                                                                            • Part of subcall function 000D0AD5: RegCreateKeyExW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,00000001,?,?,000A0491,?,00000000,00020006), ref: 000D0AFA
                                                                            • Part of subcall function 000D1392: RegSetValueExW.ADVAPI32(00020006,00020006,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,0009F1C2,00000000,?,00020006), ref: 000D13C5
                                                                            • Part of subcall function 000D1392: RegDeleteValueW.ADVAPI32(00020006,00020006,00000000,?,?,0009F1C2,00000000,?,00020006,?,00020006,00020006,00000000,?,?,?), ref: 000D13F5
                                                                            • Part of subcall function 000D1344: RegSetValueExW.ADVAPI32(?,?,00000000,00000004,?,00000004,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,?,0009F11A,00000005,Resume,?,?,?,00000002,00000000), ref: 000D1359
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: Value$Close$CreateDeletelstrlen
                                                                          • String ID: %ls\%ls
                                                                          • API String ID: 3924016894-2125769799
                                                                          • Opcode ID: 239d89fdbbbec2c1ba4f857dd474572a708a90e4bc01b1bb089be2bc5fd2702d
                                                                          • Instruction ID: 1e074fee2a047d7c29899e28eac48a648483f57d28562975818044f614d8fa00
                                                                          • Opcode Fuzzy Hash: 239d89fdbbbec2c1ba4f857dd474572a708a90e4bc01b1bb089be2bc5fd2702d
                                                                          • Instruction Fuzzy Hash: 7631ED72C0122EBBCF11AF95CC818EEBBB9FF04750B11416AFA0476621D7358E50EBA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 75%
                                                                          			E000D1392(void* __ecx, void* __edx, void* _a4, short* _a8, char* _a12) {
                                                                          				signed int _v8;
                                                                          				signed short _t12;
                                                                          				void* _t14;
                                                                          				signed short _t18;
                                                                          				signed short _t22;
                                                                          
                                                                          				_t22 = 0;
                                                                          				_v8 = _v8 & 0;
                                                                          				if(_a12 == 0) {
                                                                          					_t12 = RegDeleteValueW(_a4, _a8);
                                                                          					if(_t12 == 2 || _t12 == 3) {
                                                                          						_t12 = 0;
                                                                          					}
                                                                          					if(_t12 != 0) {
                                                                          						_t26 =  <=  ? _t12 : _t12 & 0x0000ffff | 0x80070000;
                                                                          						_t14 = 0x80004005;
                                                                          						_t22 =  >=  ? 0x80004005 :  <=  ? _t12 : _t12 & 0x0000ffff | 0x80070000;
                                                                          						_push(_t22);
                                                                          						_push(0x2fe);
                                                                          						goto L9;
                                                                          					}
                                                                          				} else {
                                                                          					_t22 = E000D0A2B(_a12, 0xffffffff,  &_v8);
                                                                          					if(_t22 >= 0) {
                                                                          						_t18 = RegSetValueExW(_a4, _a8, 0, 1, _a12, _v8);
                                                                          						if(_t18 != 0) {
                                                                          							_t29 =  <=  ? _t18 : _t18 & 0x0000ffff | 0x80070000;
                                                                          							_t14 = 0x80004005;
                                                                          							_t22 =  >=  ? 0x80004005 :  <=  ? _t18 : _t18 & 0x0000ffff | 0x80070000;
                                                                          							_push(_t22);
                                                                          							_push(0x2f5);
                                                                          							L9:
                                                                          							_push("regutil.cpp");
                                                                          							E000937D3(_t14);
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          				return _t22;
                                                                          			}









                                                                          APIs
                                                                          • RegSetValueExW.ADVAPI32(00020006,00020006,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,0009F1C2,00000000,?,00020006), ref: 000D13C5
                                                                          • RegDeleteValueW.ADVAPI32(00020006,00020006,00000000,?,?,0009F1C2,00000000,?,00020006,?,00020006,00020006,00000000,?,?,?), ref: 000D13F5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: Value$Delete
                                                                          • String ID: regutil.cpp
                                                                          • API String ID: 1738766685-955085611
                                                                          • Opcode ID: 3b638b6cfa42a7b3b4f494489726fc0d5482406c87dddcdd5118e3981456e009
                                                                          • Instruction ID: 74ba3aabe9337b41e39b84044dbcecabad80c24ad114451538ab959dde5cbf7a
                                                                          • Opcode Fuzzy Hash: 3b638b6cfa42a7b3b4f494489726fc0d5482406c87dddcdd5118e3981456e009
                                                                          • Instruction Fuzzy Hash: F811C632E40339BBEF215EA58C05BEA76E5EF04750F014222FE14EA2A0DB71CD1096E0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 75%
                                                                          			E000D54F8(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, long _a36) {
                                                                          				char _v8;
                                                                          				signed short _t16;
                                                                          				char _t22;
                                                                          				signed short _t25;
                                                                          
                                                                          				_t22 = 0;
                                                                          				_v8 = 0;
                                                                          				_t16 = E000921A5( &_v8, _a4, 0);
                                                                          				_t25 = _t16;
                                                                          				if(_t25 < 0) {
                                                                          					L8:
                                                                          					if(_v8 != 0) {
                                                                          						E000D54EF(_v8);
                                                                          					}
                                                                          					return _t25;
                                                                          				}
                                                                          				_t25 = 0x80004005;
                                                                          				while(_t22 <= _a32) {
                                                                          					if(_t22 != 0) {
                                                                          						Sleep(_a36);
                                                                          					}
                                                                          					__imp__SetNamedSecurityInfoW(_v8, _a8, _a12, _a16, _a20, _a24, _a28);
                                                                          					_t25 =  <=  ? _t16 : _t16 & 0x0000ffff | 0x80070000;
                                                                          					_t22 = _t22 + 1;
                                                                          					if(_t25 < 0) {
                                                                          						continue;
                                                                          					} else {
                                                                          						break;
                                                                          					}
                                                                          				}
                                                                          				if(_t25 < 0) {
                                                                          					E000937D3(_t16, "aclutil.cpp", 0x399, _t25);
                                                                          				}
                                                                          				goto L8;
                                                                          			}








                                                                          APIs
                                                                          • Sleep.KERNEL32(20000004,00000000,00000000,00000000,00000000,00000000,?,?,000A8C90,?,00000001,20000004,00000000,00000000,?,00000000), ref: 000D5527
                                                                          • SetNamedSecurityInfoW.ADVAPI32(00000000,?,000007D0,00000003,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,000A8C90,?), ref: 000D5542
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: InfoNamedSecuritySleep
                                                                          • String ID: aclutil.cpp
                                                                          • API String ID: 2352087905-2159165307
                                                                          • Opcode ID: d047698b38bd34579518faf464fca2394658a7806cffb7badfefcca72b7c0057
                                                                          • Instruction ID: 395c6a04e18b15ad2ebc7d4e734e412cb6def59e2b1462e54a5fd8b664032cae
                                                                          • Opcode Fuzzy Hash: d047698b38bd34579518faf464fca2394658a7806cffb7badfefcca72b7c0057
                                                                          • Instruction Fuzzy Hash: 6A018237801A28BBDF229E94DC05ECE7EA6EF44761F020116BE0466214D6328D60ABB0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • CoInitializeEx.OLE32(00000000,00000000), ref: 000A55D9
                                                                          • CoUninitialize.OLE32(?,00000000,?,?,?,?,?,?,?), ref: 000A5633
                                                                          Strings
                                                                          • Failed to initialize COM on cache thread., xrefs: 000A55E5
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: InitializeUninitialize
                                                                          • String ID: Failed to initialize COM on cache thread.
                                                                          • API String ID: 3442037557-3629645316
                                                                          • Opcode ID: 418897b6d290e91b4d8b83c7b35a2abdf818c2222b80f572436ad7174270887b
                                                                          • Instruction ID: bfc44872a75d7a8c6cec9a205e115213e09af482b093924139bd81fc2df09e83
                                                                          • Opcode Fuzzy Hash: 418897b6d290e91b4d8b83c7b35a2abdf818c2222b80f572436ad7174270887b
                                                                          • Instruction Fuzzy Hash: 2E016172600619BFC7058FA5DC80DDAF7ACFF08354F418126FA08D7211DB31AE149BA4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 39%
                                                                          			E00096418(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
                                                                          				signed int _v8;
                                                                          				signed int _v12;
                                                                          				void* _t26;
                                                                          
                                                                          				_t22 = __ecx;
                                                                          				_push(__ecx);
                                                                          				_push(__ecx);
                                                                          				_t26 = 0;
                                                                          				_v8 = _v8 & 0;
                                                                          				_v12 = _v12 & 0;
                                                                          				E000D09BB(_t22, GetCurrentProcess(),  &_v12);
                                                                          				if(_v12 != 0) {
                                                                          					if(E00095BF0(_t22, _a4,  &_v8) >= 0) {
                                                                          						_t26 = E000B02F4(_a8, _v8, 0);
                                                                          						if(_t26 < 0) {
                                                                          							_push("Failed to set variant value.");
                                                                          							goto L5;
                                                                          						}
                                                                          					} else {
                                                                          						_push("Failed to get 64-bit folder.");
                                                                          						L5:
                                                                          						_push(_t26);
                                                                          						E000D012F();
                                                                          					}
                                                                          				}
                                                                          				if(_v8 != 0) {
                                                                          					E000D54EF(_v8);
                                                                          				}
                                                                          				return _t26;
                                                                          			}







                                                                          APIs
                                                                          • GetCurrentProcess.KERNEL32(?), ref: 0009642A
                                                                            • Part of subcall function 000D09BB: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00095D8F,00000000), ref: 000D09CF
                                                                            • Part of subcall function 000D09BB: GetProcAddress.KERNEL32(00000000), ref: 000D09D6
                                                                            • Part of subcall function 000D09BB: GetLastError.KERNEL32(?,?,?,00095D8F,00000000), ref: 000D09ED
                                                                            • Part of subcall function 00095BF0: RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020119,00000000), ref: 00095C77
                                                                          Strings
                                                                          • Failed to set variant value., xrefs: 00096467
                                                                          • Failed to get 64-bit folder., xrefs: 0009644D
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: AddressCloseCurrentErrorHandleLastModuleProcProcess
                                                                          • String ID: Failed to get 64-bit folder.$Failed to set variant value.
                                                                          • API String ID: 3109562764-2681622189
                                                                          • Opcode ID: 4a119bf3dbe8ab0d7f0cf149fd53662f6e0fea08ef9e89b42a32687270dfac0d
                                                                          • Instruction ID: c0134674c872b8c18aa6e1f471cad4ff83f092e8d6b9f57af00bcafe50dffece
                                                                          • Opcode Fuzzy Hash: 4a119bf3dbe8ab0d7f0cf149fd53662f6e0fea08ef9e89b42a32687270dfac0d
                                                                          • Instruction Fuzzy Hash: 1A016232901328BBDF11A7D4DC06AEEBB78EF00721F114156F90066152D7729E40E7E0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 82%
                                                                          			E000CD3D3(void* __ebx, void* __edi, void* __eflags) {
                                                                          				signed int _t37;
                                                                          				void* _t38;
                                                                          
                                                                          				E000BE830(__ebx, __edi, 0xf7fc8, 0xc);
                                                                          				_t37 = 0;
                                                                          				 *(_t38 - 0x1c) = 0;
                                                                          				E000C8C77( *((intOrPtr*)( *((intOrPtr*)(_t38 + 8)))));
                                                                          				 *((intOrPtr*)(_t38 - 4)) = 0;
                                                                          				if(( *( *((intOrPtr*)(0xfb158 + ( *( *( *(_t38 + 0xc))) >> 6) * 4)) + 0x28 + ( *( *( *(_t38 + 0xc))) & 0x0000003f) * 0x30) & 0x00000001) == 0) {
                                                                          					L3:
                                                                          					 *((intOrPtr*)(E000C3E36())) = 9;
                                                                          					_t37 = _t37 | 0xffffffff;
                                                                          				} else {
                                                                          					if(FlushFileBuffers(E000C8D4E(_t36)) == 0) {
                                                                          						_t37 = E000C3E23();
                                                                          						 *_t37 = GetLastError();
                                                                          						goto L3;
                                                                          					}
                                                                          				}
                                                                          				 *(_t38 - 0x1c) = _t37;
                                                                          				 *((intOrPtr*)(_t38 - 4)) = 0xfffffffe;
                                                                          				E000CD45F();
                                                                          				return E000BE876();
                                                                          			}






                                                                          APIs
                                                                            • Part of subcall function 000C8C77: EnterCriticalSection.KERNEL32(?), ref: 000C8C92
                                                                          • FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 000CD41C
                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 000CD42D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: BuffersCriticalEnterErrorFileFlushLastSection
                                                                          • String ID: @Mt
                                                                          • API String ID: 4109680722-1491384996
                                                                          • Opcode ID: 60aaf63af076f239d407264c940812122008f5d5bb034779e999d134eef0680f
                                                                          • Instruction ID: b235735d2fb17da54744b0a7085ce6fbb40833e708abbd87c6a14549ece6f435
                                                                          • Opcode Fuzzy Hash: 60aaf63af076f239d407264c940812122008f5d5bb034779e999d134eef0680f
                                                                          • Instruction Fuzzy Hash: 7C01A231A102049FD714BF78D80AF9E7BA5AF49720B14821EF9259F2E3DB74D941DB90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 49%
                                                                          			E000A0598(void* __ecx, void* __edx, intOrPtr _a4) {
                                                                          				signed int _v8;
                                                                          				void* _t19;
                                                                          				void* _t24;
                                                                          
                                                                          				_t19 = __edx;
                                                                          				_v8 = _v8 & 0x00000000;
                                                                          				_t24 = E000D0E3F( *((intOrPtr*)(_a4 + 0x4c)),  *((intOrPtr*)(_a4 + 0x50)), 0x20006,  &_v8);
                                                                          				if(_t24 >= 0) {
                                                                          					_t24 = E0009F09D(_t19, __eflags, _t21, _v8, 1, 0);
                                                                          					__eflags = _t24;
                                                                          					if(_t24 < 0) {
                                                                          						_push("Failed to update resume mode.");
                                                                          						goto L4;
                                                                          					}
                                                                          				} else {
                                                                          					_push("Failed to open registration key.");
                                                                          					L4:
                                                                          					_push(_t24);
                                                                          					E000D012F();
                                                                          				}
                                                                          				if(_v8 != 0) {
                                                                          					RegCloseKey(_v8);
                                                                          				}
                                                                          				return _t24;
                                                                          			}







                                                                          APIs
                                                                            • Part of subcall function 000D0E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,000D5699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 000D0E52
                                                                          • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,00000001,00000000,?,?,000BBB7C,00000101,?), ref: 000A05EF
                                                                          Strings
                                                                          • Failed to open registration key., xrefs: 000A05BF
                                                                          • Failed to update resume mode., xrefs: 000A05D9
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpen
                                                                          • String ID: Failed to open registration key.$Failed to update resume mode.
                                                                          • API String ID: 47109696-3366686031
                                                                          • Opcode ID: 611ccc1cafd362558a123549eb15004e8312f6d0f055783bc79cbbc97ca74428
                                                                          • Instruction ID: c4dcf94aac480b4f7c49a00f23b8ad6b532debdf9823b44ddd8f27a2e1916be1
                                                                          • Opcode Fuzzy Hash: 611ccc1cafd362558a123549eb15004e8312f6d0f055783bc79cbbc97ca74428
                                                                          • Instruction Fuzzy Hash: 58F0C832D4162DFBDB229AA5DC02BDFB769EF01750F100056F600B6151DB75AF1096D0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 37%
                                                                          			E000D30BF(void* __eax, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                          				void* _t12;
                                                                          				intOrPtr* _t15;
                                                                          				void* _t16;
                                                                          
                                                                          				if(_a12 == 0) {
                                                                          					L6:
                                                                          					return 0x80070057;
                                                                          				}
                                                                          				_t15 = _a4;
                                                                          				if(_t15 == 0) {
                                                                          					goto L6;
                                                                          				}
                                                                          				__imp__#2(_a8, _t12);
                                                                          				if(__eax != 0) {
                                                                          					_t16 =  *((intOrPtr*)( *_t15 + 0xbc))(_t15, __eax, _a12);
                                                                          					__imp__#6(__eax);
                                                                          				} else {
                                                                          					_t16 = 0x8007000e;
                                                                          					E000937D3(__eax, "xmlutil.cpp", 0x66, 0x8007000e);
                                                                          				}
                                                                          				return _t16;
                                                                          			}







                                                                          APIs
                                                                          • SysAllocString.OLEAUT32(?), ref: 000D30D4
                                                                          • SysFreeString.OLEAUT32(00000000), ref: 000D3104
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: String$AllocFree
                                                                          • String ID: xmlutil.cpp
                                                                          • API String ID: 344208780-1270936966
                                                                          • Opcode ID: e73c4ba0967e85814840a8b0ede48f7406daae25b29e019f6f3978d6ca3f7414
                                                                          • Instruction ID: ee4b3c99e47760b26e6f0dc0f6e506a3ade55f4ba992b08ac784b1b2a982ed38
                                                                          • Opcode Fuzzy Hash: e73c4ba0967e85814840a8b0ede48f7406daae25b29e019f6f3978d6ca3f7414
                                                                          • Instruction Fuzzy Hash: 70F0B436201759E7DB315E449C09FAB7BA5AF41B60F15002AFD046B310C7758E50AAB1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 37%
                                                                          			E000D336E(void* __eax, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                          				void* _t12;
                                                                          				intOrPtr* _t15;
                                                                          				void* _t16;
                                                                          
                                                                          				_t15 = _a4;
                                                                          				if(_t15 == 0 || _a12 == 0) {
                                                                          					return 0x80070057;
                                                                          				} else {
                                                                          					__imp__#2(_a8, _t12);
                                                                          					if(__eax != 0) {
                                                                          						_t16 =  *((intOrPtr*)( *_t15 + 0x1c))(_t15, __eax, _a12);
                                                                          						__imp__#6(__eax);
                                                                          					} else {
                                                                          						_t16 = 0x8007000e;
                                                                          						E000937D3(__eax, "xmlutil.cpp", 0x340, 0x8007000e);
                                                                          					}
                                                                          					return _t16;
                                                                          				}
                                                                          			}







                                                                          APIs
                                                                          • SysAllocString.OLEAUT32(?), ref: 000D3383
                                                                          • SysFreeString.OLEAUT32(00000000), ref: 000D33B3
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: String$AllocFree
                                                                          • String ID: xmlutil.cpp
                                                                          • API String ID: 344208780-1270936966
                                                                          • Opcode ID: 78c516feb401fbb80e29461836f0e09c10e8cecd4d902719e1f3cbf76d919f87
                                                                          • Instruction ID: 83d50b43012a3c3c652a94a27dd1b136888b0b2697c3a3c0a119d6202f386c4e
                                                                          • Opcode Fuzzy Hash: 78c516feb401fbb80e29461836f0e09c10e8cecd4d902719e1f3cbf76d919f87
                                                                          • Instruction Fuzzy Hash: 64F09035200218E7C7210A49DD08E6A77A8AB85B60B15011AFD04AB3108B78CB10AAF2
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E000D1344(void* _a4, short* _a8, char _a12) {
                                                                          				signed short _t5;
                                                                          				int _t9;
                                                                          
                                                                          				_t9 = 0;
                                                                          				_t5 = RegSetValueExW(_a4, _a8, 0, 4,  &_a12, 4);
                                                                          				if(_t5 != 0) {
                                                                          					_t12 =  <=  ? _t5 : _t5 & 0x0000ffff | 0x80070000;
                                                                          					_t9 =  >=  ? 0x80004005 :  <=  ? _t5 : _t5 & 0x0000ffff | 0x80070000;
                                                                          					E000937D3(0x80004005, "regutil.cpp", 0x372, _t9);
                                                                          				}
                                                                          				return _t9;
                                                                          			}






                                                                          APIs
                                                                          • RegSetValueExW.ADVAPI32(?,?,00000000,00000004,?,00000004,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,?,0009F11A,00000005,Resume,?,?,?,00000002,00000000), ref: 000D1359
                                                                          Strings
                                                                          • regutil.cpp, xrefs: 000D1381
                                                                          • SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 000D1347
                                                                          Memory Dump Source
                                                                          • Source File: 00000014.00000002.506058853.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                                                          • Associated: 00000014.00000002.506020947.0000000000090000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506111492.00000000000DB000.00000002.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506134102.00000000000FA000.00000004.00020000.sdmp
                                                                          • Associated: 00000014.00000002.506151623.00000000000FE000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_20_2_90000_vcredist_x86.jbxd
                                                                          Similarity
                                                                          • API ID: Value
                                                                          • String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce$regutil.cpp
                                                                          • API String ID: 3702945584-2416625845
                                                                          • Opcode ID: 65ee0799d85a681cb5c150627624146827f9d4c3b5b2683acbf453f04f6d6a1d
                                                                          • Instruction ID: ac3242d4280145721662b195fcd9be717677dd808e85983589519b18404a06ea
                                                                          • Opcode Fuzzy Hash: 65ee0799d85a681cb5c150627624146827f9d4c3b5b2683acbf453f04f6d6a1d
                                                                          • Instruction Fuzzy Hash: 57E06D72B443397AEB306AA68C05FE77ACCDF04BA0F014021BF08EA590D6618D00D6E4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%