Edit tour

Windows Analysis Report
dotNetFx40_Full_x86_x64.exe

Overview

General Information

Sample Name:	dotNetFx40_Full_x86_x64.exe
Analysis ID:	680861
MD5:	a67cf67f2c63eb833a0059bfa3b87541
SHA1:	971203f435fc295141f8ab53edfb360de393af05
SHA256:	c157266c22151be6b4c7e83cf58e1dbb7f1788677a06e7a07e29e31ed97774ae
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Antivirus / Scanner detection for submitted sample

Uses 32bit PE files

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Found potential string decryption / allocating functions

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

PE file contains executable resources (Code or Archives)

PE file does not import any functions

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Classification

Process Tree

System is w10x64

dotNetFx40_Full_x86_x64.exe (PID: 5584 cmdline: "C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe" MD5: A67CF67F2C63EB833A0059BFA3B87541)

Setup.exe (PID: 5352 cmdline: C:\5d17b88cf41ba603370ca60cf86c\\Setup.exe /x86 /x64 MD5: 006F8A615020A4A17F5E63801485DF46)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: dotNetFx40_Full_x86_x64.exe

Virustotal: Detection: 8%

Perma Link

Antivirus / Scanner detection for submitted sample

Source: dotNetFx40_Full_x86_x64.exe

Avira: detected

Source: dotNetFx40_Full_x86_x64.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1033\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1025\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1028\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1030\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1031\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1029\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1036\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1035\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1032\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1038\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1037\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1040\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1041\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1042\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1044\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1043\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1046\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1045\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1055\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1053\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\2052\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1049\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\3082\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\2070\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\3076\eula.rtf	Jump to behavior

Source: dotNetFx40_Full_x86_x64.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: f:\dd\vsproject\xmake\XMakeCommandLine\objr\amd64\MSBuild.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.630853212.0000000009C06000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: <DebugSymbolsProjectOutputGroupDependency Include="@(_ReferenceRelatedPaths->'%(FullPath)')" Condition="'%(Extension)' == '.pdb'"/> source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 4.0.dll.exe.pdb.xml-TargetFrameworkSubsets;InstalledAssemblySubsetTables7FullFrameworkAssemblyTables=FullTargetFrameworkSubsetNames source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_state.pdb9R source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.622705342.000000000943F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_state.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.622705342.000000000943F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Copy references that are marked as "CopyLocal" and their dependencies, including .pdbs, .xmls and satellites. source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dfshim.pdbN source: netfx_Core.mzz.0.dr
Source:	Binary string: Microsoft.VisualBasic.Activities.Compiler.pdbLP& source: netfx_Core.mzz.0.dr
Source:	Binary string: ComSvcConfig.pdb@{ source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Temp\1\ilca74e6feca-34d3-48ad-9b77-e765b9fbef06\Microsoft.Build.Tasks.v4.0.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: DataSvcUtil.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Temp\1\ilca2a83e267-7f7d-4216-aa5c-0ca1e5bfb4f4\Microsoft.Build.Conversion.v4.0.pdb' source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Setup.pdb source: Setup.exe, Setup.exe, 00000014.00000002.712372782.0000000000C11000.00000020.00000001.01000000.00000008.sdmp, Setup.exe, 00000014.00000000.633476162.0000000000C11000.00000020.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\Temp\1\ilca99fdc434-123c-406d-b00d-fdf344963d45\Microsoft.Build.Utilities.v4.0.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sbscmp10.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.631617104.0000000009CD9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualC.STLCLR.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mscorsn.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.630853212.0000000009C06000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_regsql.pdb` source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.622705342.000000000943F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: <!-- Record the .pdb if one was produced. --> source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sqmapi.pdb source: Setup.exe, 00000014.00000002.716563523.0000000070421000.00000020.00000001.01000000.0000000A.sdmp
Source:	Binary string: Microsoft.Data.Entity.Build.Tasks.pdb9 source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: SetupEngine.pdb source: Setup.exe, 00000014.00000002.715763798.000000006D921000.00000020.00000001.01000000.00000009.sdmp
Source:	Binary string: netfxperf.pdb! source: netfx_Core.mzz.0.dr
Source:	Binary string: ServiceMonikerSupport.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.631617104.0000000009CD9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: $(IntermediateOutputPath)$(XamlTemporaryAssemblyName).pdb" source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Microsoft.Data.Entity.Build.Tasks.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: FileTracker.pdb` source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Temp\1\ilca99fdc434-123c-406d-b00d-fdf344963d45\Microsoft.Build.Utilities.v4.0.pdbJ source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: AspNetMMCExt.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: PresentationHost.pdb source: netfx_Core.mzz.0.dr
Source:	Binary string: mscoree.pdb(M source: netfx_Core.mzz.0.dr
Source:	Binary string: <!-- Add any missing .pdb extension, as the compiler does --> source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: f:\dd\vsproject\xmake\XMakeCommandLine\objr\i386\MSBuild.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.630853212.0000000009C06000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ComSvcConfig.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mscoree.pdb source: netfx_Core.mzz.0.dr
Source:	Binary string: <!-- Whether or not a .pdb file is produced. --> source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: @(_ReferenceRelatedPaths) - Paths to .xmls and .pdbs. source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_state.pdb!p source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.622705342.000000000943F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mscorsn.pdby source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.630853212.0000000009C06000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_regsql.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.622705342.000000000943F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.Activities.Compiler.pdbh source: netfx_Core.mzz.0.dr
Source:	Binary string: clretwrc.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: vbc.pdb source: netfx_Core.mzz.0.dr
Source:	Binary string: PresentationBuildTasks.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.631617104.0000000009CD9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.Activities.Compiler.pdb source: netfx_Core.mzz.0.dr
Source:	Binary string: D:\Temp\1\ilca204e016b-af71-45e4-a74f-7e966c67d9a6\Microsoft.Build.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ilasm.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625605459.000000000971C000.00000004.00000800.00020000.00000000.sdmp, dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dfshim.pdb source: netfx_Core.mzz.0.dr
Source:	Binary string: EdmGen.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mscorpe.dllCreateICeeFileGenCreateICeeFileGenDestroyICeeFileGenDestroyICeeFileGen.Myalink.dllCreateALinkCreateALinkComImport_VtblGap As Integer.pdbCLSID_CorSymWriter&%s.sdata M source: netfx_Core.mzz.0.dr
Source:	Binary string: aspnet_wp.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.622705342.000000000943F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: peverify.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.630853212.0000000009C06000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: PresentationHostProxy.pdb source: netfx_Core.mzz.0.dr
Source:	Binary string: f:\dd\vsproject\xmake\XMakeCommandLine\objr\i386\MSBuild.pdb4 source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.630853212.0000000009C06000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: $(IntermediateOutputPath)$(XamlTemporaryAssemblyName).pdb" /> source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Temp\1\ilcaac540338-5a68-4975-889b-93a13c396061\Microsoft.Build.Framework.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netfxperf.pdb source: netfx_Core.mzz.0.dr
Source:	Binary string: .pdbError: CoCreateInstance(IID_ISymUnmanagedWriter) returns %X source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: boxstub.pdb source: dotNetFx40_Full_x86_x64.exe
Source:	Binary string: .pdb.dmetaError: failed to open file '%S' source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625605459.000000000971C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: <_DebugSymbolsIntermediatePath Include="@(_DebugSymbolsIntermediatePathTemporary->'%(RootDir)%(Directory)%(Filename).pdb')"/> source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Temp\1\ilca08cb66d7-c242-441b-8811-f78f134a4521\Microsoft.Build.Engine.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: vbc.pdbN source: netfx_Core.mzz.0.dr
Source:	Binary string: PresentationHost.pdb source: netfx_Core.mzz.0.dr
Source:	Binary string: .pdb; source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ServiceMonikerSupport.pdbI$ source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.631617104.0000000009CD9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Temp\1\ilca74e6feca-34d3-48ad-9b77-e765b9fbef06\Microsoft.Build.Tasks.v4.0.pdbZ\ source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: <!-- Copy the debug information file (.pdb), if any --> source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Microsoft.Workflow.Compiler.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: MmcAspExt.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp, dotNetFx40_Full_x86_x64.exe, 00000000.00000003.630742969.0000000009BF0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: <_DebugSymbolsIntermediatePath Include="$(IntermediateOutputPath)$(TargetName).pdb" Condition="'$(_DebugSymbolsProduced)'=='true' and '@(_DebugSymbolsIntermediatePath)'==''"/> source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Temp\1\ilcaac540338-5a68-4975-889b-93a13c396061\Microsoft.Build.Framework.pdb} source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: FileTracker.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: EdmGen.pdb8D source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: SetupUi.pdb source: Setup.exe, Setup.exe, 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp
Source:	Binary string: SetupResources.pdb source: SetupResources.dll4.0.dr, SetupResources.dll18.0.dr, SetupResources.dll7.0.dr
Source:	Binary string: D:\Temp\1\ilca2a83e267-7f7d-4216-aa5c-0ca1e5bfb4f4\Microsoft.Build.Conversion.v4.0.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp

Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://localhost/data.svc
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/SampleNamespace

Source: dotNetFx40_Full_x86_x64.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\5d17b88cf41ba603370ca60cf86c\Setup.exe

Code function: 20_2_6D2BCBE6

20_2_6D2BCBE6

Source: C:\5d17b88cf41ba603370ca60cf86c\Setup.exe	Code function: String function: 6D2BE8E8 appears 149 times
Source: C:\5d17b88cf41ba603370ca60cf86c\Setup.exe	Code function: String function: 6D2D265B appears 183 times

Source: SetupResources.dll16.0.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: SetupResources.dll7.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll1.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll11.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll4.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll22.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll14.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll17.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll16.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll19.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll13.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll5.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll8.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll9.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll10.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll21.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll2.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll18.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll0.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll3.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll15.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll6.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll12.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll20.0.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll23.0.dr	Static PE information: No import functions for PE file found

Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.631617104.0000000009CD9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePresentationBuildTasks.dllT vs dotNetFx40_Full_x86_x64.exe
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.631617104.0000000009CD9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameServiceMonikerSupport.dllT vs dotNetFx40_Full_x86_x64.exe
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.631617104.0000000009CD9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesbscmp10.dllT vs dotNetFx40_Full_x86_x64.exe
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Build.Conversion.v4.0.dllT vs dotNetFx40_Full_x86_x64.exe
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Build.dllT vs dotNetFx40_Full_x86_x64.exe
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Build.Engine.dllT vs dotNetFx40_Full_x86_x64.exe
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Build.Framework.dllT vs dotNetFx40_Full_x86_x64.exe
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Build.Tasks.v4.0.dllT vs dotNetFx40_Full_x86_x64.exe
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Build.Utilities.v4.0.dllT vs dotNetFx40_Full_x86_x64.exe
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Data.Entity.Build.Tasks.dllT vs dotNetFx40_Full_x86_x64.exe
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.VisualC.STLCLR.dll^ vs dotNetFx40_Full_x86_x64.exe
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Workflow.Compiler.exeT vs dotNetFx40_Full_x86_x64.exe
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMmcAspExt.dllT vs dotNetFx40_Full_x86_x64.exe
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.440640792.0000000000B77000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBoxStub.exeT vs dotNetFx40_Full_x86_x64.exe
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625605459.000000000971C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameilasm.exeT vs dotNetFx40_Full_x86_x64.exe
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.622705342.000000000943F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameaspnet_regiis.exeT vs dotNetFx40_Full_x86_x64.exe
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.622705342.000000000943F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameaspnet_regsql.exeT vs dotNetFx40_Full_x86_x64.exe
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.622705342.000000000943F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameaspnet_state.exeT vs dotNetFx40_Full_x86_x64.exe
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.622705342.000000000943F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameaspnet_wp.exeT vs dotNetFx40_Full_x86_x64.exe
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000000.413074040.000000000109E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBoxStub.exeT vs dotNetFx40_Full_x86_x64.exe
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.630853212.0000000009C06000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMSBuild.exeT vs dotNetFx40_Full_x86_x64.exe
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.630853212.0000000009C06000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscorsn.dllT vs dotNetFx40_Full_x86_x64.exe
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.630853212.0000000009C06000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepeverify.dllT vs dotNetFx40_Full_x86_x64.exe
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAspNetMMCExt.dllT vs dotNetFx40_Full_x86_x64.exe
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclretwrc.dllT vs dotNetFx40_Full_x86_x64.exe
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: originalFileName vs dotNetFx40_Full_x86_x64.exe
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: backupOfOriginalFileName vs dotNetFx40_Full_x86_x64.exe
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: get_OriginalFileName vs dotNetFx40_Full_x86_x64.exe
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs dotNetFx40_Full_x86_x64.exe
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameComSvcConfig.exeT vs dotNetFx40_Full_x86_x64.exe
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDataSvcUtil.exeT vs dotNetFx40_Full_x86_x64.exe
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameEdmGen.exeT vs dotNetFx40_Full_x86_x64.exe
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileTracker.dll^ vs dotNetFx40_Full_x86_x64.exe
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileTrackerUI.dll^ vs dotNetFx40_Full_x86_x64.exe
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameilasm.exeT vs dotNetFx40_Full_x86_x64.exe
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.630742969.0000000009BF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMmcAspExt.dllT vs dotNetFx40_Full_x86_x64.exe
Source: dotNetFx40_Full_x86_x64.exe	Binary or memory string: OriginalFilenameBoxStub.exeT vs dotNetFx40_Full_x86_x64.exe

Source: dotNetFx40_Full_x86_x64.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Setup.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Setup.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Setup.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Setup.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: dotNetFx40_Full_x86_x64.exe

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: dotNetFx40_Full_x86_x64.exe

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: dotNetFx40_Full_x86_x64.exe

Virustotal: Detection: 8%

Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe

File read: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe

Jump to behavior

Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe "C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe"
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	Process created: C:\5d17b88cf41ba603370ca60cf86c\Setup.exe C:\5d17b88cf41ba603370ca60cf86c\\Setup.exe /x86 /x64
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	Process created: C:\5d17b88cf41ba603370ca60cf86c\Setup.exe C:\5d17b88cf41ba603370ca60cf86c\\Setup.exe /x86 /x64	Jump to behavior

Source: C:\5d17b88cf41ba603370ca60cf86c\Setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5078F32-C551-11D3-89B9-0000F81FE221}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe

File created: C:\Users\user\AppData\Local\Temp\dd_dotNetFx40_Full_x86_x64_decompression_log.txt

Jump to behavior

Source: classification engine

Classification label: mal56.winEXE@3/123@0/0

Source: C:\5d17b88cf41ba603370ca60cf86c\Setup.exe

Code function: 20_2_6D2C6525 __EH_prolog3_catch,CoInitialize,CoCreateInstance,CoUninitialize,__CxxThrowException@8,

20_2_6D2C6525

Source: C:\5d17b88cf41ba603370ca60cf86c\Setup.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\5d17b88cf41ba603370ca60cf86c\Setup.exe

Code function: 20_2_6D2C1360 GetDiskFreeSpaceExW,GetLastError,

20_2_6D2C1360

Source: C:\5d17b88cf41ba603370ca60cf86c\Setup.exe

Code function: 20_2_6D2C681A __EH_prolog3,GetLastError,GetLastError,SetLastError,SetLastError,FormatMessageW,GetLastError,SetLastError,LocalFree,

20_2_6D2C681A

Source: C:\5d17b88cf41ba603370ca60cf86c\Setup.exe

Code function: 20_2_6D2AEFE2 CreateToolhelp32Snapshot,_memset,Process32FirstW,Process32NextW,CloseHandle,

20_2_6D2AEFE2

Source: C:\5d17b88cf41ba603370ca60cf86c\Setup.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\NetFxSetupMutex

Source: C:\5d17b88cf41ba603370ca60cf86c\Setup.exe

Code function: 20_2_6D2C7A10 LoadResource,LockResource,SizeofResource,

20_2_6D2C7A10

Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: MSB4098: MSBuild is invoking VCBuild to build this project. Project-to-project references between VC++ projects (.VCPROJ) and C#/VB/VJ# projects (.CSPROJ, .VBPROJ, .VJSPROJ) are not supported by the command-line build systems when building stand-alone VC++ projects. Projects that contain such project-to-project references will fail to build. Please build the solution file containing this project instead.
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: MSB2013: The project-to-project reference with GUID {0} could not be converted because a valid .SLN file containing all projects could not be found.
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: MSB4126: The specified solution configuration "{0}" is invalid. Please specify a valid solution configuration using the Configuration and Platform properties (e.g. MSBuild.exe Solution.sln /p:Configuration=Debug /p:Platform="Any CPU") or leave those properties blank to use the default solution configuration.
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: <SolutionExt Condition="'$(SolutionExt)'==''">Undefined</SolutionExt> <!-- Example, .sln -->
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: <SolutionPath Condition="'$(SolutionPath)'==''">Undefined</SolutionPath> <!-- Example, f:\MySolutions\MySolution\MySolution.sln -->
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: *.sln.sln
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: that exist on disk. For IDE builds and command-line .SLN builds, the solution build manager
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: <SolutionFileName Condition="'$(SolutionFileName)'==''">Undefined</SolutionFileName> <!-- Example, MySolution.sln -->
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: <!-- NOTE: The item Include and the Exists function are operating relative to the PROJECT (.csproj, .vbproj etc.) directory in this case -->
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: .vbproj
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: <!-- Example, c:\MyProjects\MyProject\MyProject.csproj -->
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: uration "{0}" is invalid. Please specify a valid solution configuration using the Configuration and Platform properties (e.g. MSBuild.exe Solution.sln /p:Configuration=Debug /p:Platform="Any CPU") or leave those properties blank to use the default solution configuration.
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.630853212.0000000009C06000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: *.sln+AmbiguousProjectError
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: <ProjectFileName Condition=" '$(ProjectFileName)' == '' ">$(MSBuildProjectFile)</ProjectFileName> <!-- Example, MyProject.csproj -->
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \\?\globalroot.sln
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.630853212.0000000009C06000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: .csproj
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: <ProjectExt Condition=" '$(ProjectExt)' == '' ">$(MSBuildProjectExtension)</ProjectExt> <!-- Example, .csproj -->
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: yMSB4051: Project {0} is referencing a project with GUID {1}, but a project with this GUID was not found in the .SLN file.
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: .csprojM{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: .vbprojM{F184B08F-C81C-45F6-A57F-5ABD9991F28F}
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Unexpected return type from this.rawGroups.ItemGroupsAndChooses.sln
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp, dotNetFx40_Full_x86_x64.exe, 00000000.00000003.630853212.0000000009C06000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: .config.sln
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.630853212.0000000009C06000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: MSBuild MyApp.csproj /t:Clean
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.630853212.0000000009C06000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: /ignoreprojectextensions:.sln
Source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.630853212.0000000009C06000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.

Source: dotNetFx40_Full_x86_x64.exe

Static file information: File size 50449456 > 1048576

Source: dotNetFx40_Full_x86_x64.exe

Static PE information: Raw size of .reloc is bigger than: 0x100000 < 0x2ff0e30

Source: dotNetFx40_Full_x86_x64.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: dotNetFx40_Full_x86_x64.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: dotNetFx40_Full_x86_x64.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: dotNetFx40_Full_x86_x64.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: dotNetFx40_Full_x86_x64.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: dotNetFx40_Full_x86_x64.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: dotNetFx40_Full_x86_x64.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: dotNetFx40_Full_x86_x64.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: f:\dd\vsproject\xmake\XMakeCommandLine\objr\amd64\MSBuild.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.630853212.0000000009C06000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: <DebugSymbolsProjectOutputGroupDependency Include="@(_ReferenceRelatedPaths->'%(FullPath)')" Condition="'%(Extension)' == '.pdb'"/> source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 4.0.dll.exe.pdb.xml-TargetFrameworkSubsets;InstalledAssemblySubsetTables7FullFrameworkAssemblyTables=FullTargetFrameworkSubsetNames source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_state.pdb9R source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.622705342.000000000943F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_state.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.622705342.000000000943F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Copy references that are marked as "CopyLocal" and their dependencies, including .pdbs, .xmls and satellites. source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dfshim.pdbN source: netfx_Core.mzz.0.dr
Source:	Binary string: Microsoft.VisualBasic.Activities.Compiler.pdbLP& source: netfx_Core.mzz.0.dr
Source:	Binary string: ComSvcConfig.pdb@{ source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Temp\1\ilca74e6feca-34d3-48ad-9b77-e765b9fbef06\Microsoft.Build.Tasks.v4.0.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: DataSvcUtil.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Temp\1\ilca2a83e267-7f7d-4216-aa5c-0ca1e5bfb4f4\Microsoft.Build.Conversion.v4.0.pdb' source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Setup.pdb source: Setup.exe, Setup.exe, 00000014.00000002.712372782.0000000000C11000.00000020.00000001.01000000.00000008.sdmp, Setup.exe, 00000014.00000000.633476162.0000000000C11000.00000020.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\Temp\1\ilca99fdc434-123c-406d-b00d-fdf344963d45\Microsoft.Build.Utilities.v4.0.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sbscmp10.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.631617104.0000000009CD9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualC.STLCLR.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mscorsn.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.630853212.0000000009C06000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_regsql.pdb` source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.622705342.000000000943F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: <!-- Record the .pdb if one was produced. --> source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sqmapi.pdb source: Setup.exe, 00000014.00000002.716563523.0000000070421000.00000020.00000001.01000000.0000000A.sdmp
Source:	Binary string: Microsoft.Data.Entity.Build.Tasks.pdb9 source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: SetupEngine.pdb source: Setup.exe, 00000014.00000002.715763798.000000006D921000.00000020.00000001.01000000.00000009.sdmp
Source:	Binary string: netfxperf.pdb! source: netfx_Core.mzz.0.dr
Source:	Binary string: ServiceMonikerSupport.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.631617104.0000000009CD9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: $(IntermediateOutputPath)$(XamlTemporaryAssemblyName).pdb" source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Microsoft.Data.Entity.Build.Tasks.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: FileTracker.pdb` source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Temp\1\ilca99fdc434-123c-406d-b00d-fdf344963d45\Microsoft.Build.Utilities.v4.0.pdbJ source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: AspNetMMCExt.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: PresentationHost.pdb source: netfx_Core.mzz.0.dr
Source:	Binary string: mscoree.pdb(M source: netfx_Core.mzz.0.dr
Source:	Binary string: <!-- Add any missing .pdb extension, as the compiler does --> source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: f:\dd\vsproject\xmake\XMakeCommandLine\objr\i386\MSBuild.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.630853212.0000000009C06000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ComSvcConfig.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mscoree.pdb source: netfx_Core.mzz.0.dr
Source:	Binary string: <!-- Whether or not a .pdb file is produced. --> source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: @(_ReferenceRelatedPaths) - Paths to .xmls and .pdbs. source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_state.pdb!p source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.622705342.000000000943F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mscorsn.pdby source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.630853212.0000000009C06000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_regsql.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.622705342.000000000943F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.Activities.Compiler.pdbh source: netfx_Core.mzz.0.dr
Source:	Binary string: clretwrc.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: vbc.pdb source: netfx_Core.mzz.0.dr
Source:	Binary string: PresentationBuildTasks.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.631617104.0000000009CD9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.Activities.Compiler.pdb source: netfx_Core.mzz.0.dr
Source:	Binary string: D:\Temp\1\ilca204e016b-af71-45e4-a74f-7e966c67d9a6\Microsoft.Build.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ilasm.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625605459.000000000971C000.00000004.00000800.00020000.00000000.sdmp, dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dfshim.pdb source: netfx_Core.mzz.0.dr
Source:	Binary string: EdmGen.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mscorpe.dllCreateICeeFileGenCreateICeeFileGenDestroyICeeFileGenDestroyICeeFileGen.Myalink.dllCreateALinkCreateALinkComImport_VtblGap As Integer.pdbCLSID_CorSymWriter&%s.sdata M source: netfx_Core.mzz.0.dr
Source:	Binary string: aspnet_wp.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.622705342.000000000943F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: peverify.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.630853212.0000000009C06000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: PresentationHostProxy.pdb source: netfx_Core.mzz.0.dr
Source:	Binary string: f:\dd\vsproject\xmake\XMakeCommandLine\objr\i386\MSBuild.pdb4 source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.630853212.0000000009C06000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: $(IntermediateOutputPath)$(XamlTemporaryAssemblyName).pdb" /> source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Temp\1\ilcaac540338-5a68-4975-889b-93a13c396061\Microsoft.Build.Framework.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netfxperf.pdb source: netfx_Core.mzz.0.dr
Source:	Binary string: .pdbError: CoCreateInstance(IID_ISymUnmanagedWriter) returns %X source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: boxstub.pdb source: dotNetFx40_Full_x86_x64.exe
Source:	Binary string: .pdb.dmetaError: failed to open file '%S' source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625605459.000000000971C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: <_DebugSymbolsIntermediatePath Include="@(_DebugSymbolsIntermediatePathTemporary->'%(RootDir)%(Directory)%(Filename).pdb')"/> source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Temp\1\ilca08cb66d7-c242-441b-8811-f78f134a4521\Microsoft.Build.Engine.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: vbc.pdbN source: netfx_Core.mzz.0.dr
Source:	Binary string: PresentationHost.pdb source: netfx_Core.mzz.0.dr
Source:	Binary string: .pdb; source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ServiceMonikerSupport.pdbI$ source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.631617104.0000000009CD9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Temp\1\ilca74e6feca-34d3-48ad-9b77-e765b9fbef06\Microsoft.Build.Tasks.v4.0.pdbZ\ source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: <!-- Copy the debug information file (.pdb), if any --> source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Microsoft.Workflow.Compiler.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: MmcAspExt.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp, dotNetFx40_Full_x86_x64.exe, 00000000.00000003.630742969.0000000009BF0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: <_DebugSymbolsIntermediatePath Include="$(IntermediateOutputPath)$(TargetName).pdb" Condition="'$(_DebugSymbolsProduced)'=='true' and '@(_DebugSymbolsIntermediatePath)'==''"/> source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Temp\1\ilcaac540338-5a68-4975-889b-93a13c396061\Microsoft.Build.Framework.pdb} source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: FileTracker.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: EdmGen.pdb8D source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: SetupUi.pdb source: Setup.exe, Setup.exe, 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp
Source:	Binary string: SetupResources.pdb source: SetupResources.dll4.0.dr, SetupResources.dll18.0.dr, SetupResources.dll7.0.dr
Source:	Binary string: D:\Temp\1\ilca2a83e267-7f7d-4216-aa5c-0ca1e5bfb4f4\Microsoft.Build.Conversion.v4.0.pdb source: dotNetFx40_Full_x86_x64.exe, 00000000.00000003.625836746.000000000975F000.00000004.00000800.00020000.00000000.sdmp

Source: C:\5d17b88cf41ba603370ca60cf86c\Setup.exe	Code function: 20_2_00C13DF5 push ecx; ret	20_2_00C13E08
Source: C:\5d17b88cf41ba603370ca60cf86c\Setup.exe	Code function: 20_2_6D2D2709 push ecx; ret	20_2_6D2D271C
Source: C:\5d17b88cf41ba603370ca60cf86c\Setup.exe	Code function: 20_2_6D2CAA75 push ecx; ret	20_2_6D2CAA88

Source: dotNetFx40_Full_x86_x64.exe

Static PE information: section name: .boxld01

Source: C:\5d17b88cf41ba603370ca60cf86c\Setup.exe

Code function: 20_2_00C14B70 LoadLibraryW,GetProcAddress,GetProcAddress,_EncodePointerInternal@4,_EncodePointerInternal@4,GetProcAddress,_EncodePointerInternal@4,GetProcAddress,_EncodePointerInternal@4,GetProcAddress,_EncodePointerInternal@4,GetProcAddress,_EncodePointerInternal@4,_DecodePointerInternal@4,_DecodePointerInternal@4,_DecodePointerInternal@4,_DecodePointerInternal@4,_DecodePointerInternal@4,_DecodePointerInternal@4,

20_2_00C14B70

Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1049\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1025\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\SetupEngine.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1053\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\sqmapi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1030\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1046\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1045\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\3082\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\2052\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1055\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1028\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1029\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\SetupUtility.exe	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\3076\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\2070\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1038\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1035\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1036\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1037\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1041\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1033\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1040\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1042\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1043\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\SetupUi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\Setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1031\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1044\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1032\SetupResources.dll	Jump to dropped file

Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1033\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1025\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1028\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1030\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1031\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1029\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1036\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1035\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1032\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1038\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1037\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1040\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1041\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1042\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1044\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1043\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1046\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1045\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1055\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1053\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\2052\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\1049\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\3082\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\2070\eula.rtf	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File created: C:\5d17b88cf41ba603370ca60cf86c\3076\eula.rtf	Jump to behavior

Source: C:\5d17b88cf41ba603370ca60cf86c\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\5d17b88cf41ba603370ca60cf86c\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\5d17b88cf41ba603370ca60cf86c\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\5d17b88cf41ba603370ca60cf86c\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\5d17b88cf41ba603370ca60cf86c\Setup.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep			graph_20-18646
Source: C:\5d17b88cf41ba603370ca60cf86c\Setup.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess			graph_20-18835

Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\5d17b88cf41ba603370ca60cf86c\1049\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\5d17b88cf41ba603370ca60cf86c\1025\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\5d17b88cf41ba603370ca60cf86c\1053\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\5d17b88cf41ba603370ca60cf86c\1030\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\5d17b88cf41ba603370ca60cf86c\1046\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\5d17b88cf41ba603370ca60cf86c\1045\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\5d17b88cf41ba603370ca60cf86c\3082\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\5d17b88cf41ba603370ca60cf86c\2052\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\5d17b88cf41ba603370ca60cf86c\1055\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\5d17b88cf41ba603370ca60cf86c\1028\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\5d17b88cf41ba603370ca60cf86c\1029\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\5d17b88cf41ba603370ca60cf86c\SetupUtility.exe	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\5d17b88cf41ba603370ca60cf86c\3076\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\5d17b88cf41ba603370ca60cf86c\2070\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\5d17b88cf41ba603370ca60cf86c\1038\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\5d17b88cf41ba603370ca60cf86c\1035\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\5d17b88cf41ba603370ca60cf86c\1036\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\5d17b88cf41ba603370ca60cf86c\1037\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\5d17b88cf41ba603370ca60cf86c\1041\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\5d17b88cf41ba603370ca60cf86c\1033\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\5d17b88cf41ba603370ca60cf86c\1040\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\5d17b88cf41ba603370ca60cf86c\1043\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\5d17b88cf41ba603370ca60cf86c\1042\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\5d17b88cf41ba603370ca60cf86c\1044\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\5d17b88cf41ba603370ca60cf86c\1031\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\5d17b88cf41ba603370ca60cf86c\1032\SetupResources.dll	Jump to dropped file

Source: C:\5d17b88cf41ba603370ca60cf86c\Setup.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\5d17b88cf41ba603370ca60cf86c\Setup.exe

API call chain: ExitProcess graph end node

graph_20-18836

Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\5d17b88cf41ba603370ca60cf86c\Setup.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\5d17b88cf41ba603370ca60cf86c\Setup.exe

Code function: 20_2_00C12BA5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

20_2_00C12BA5

Source: C:\5d17b88cf41ba603370ca60cf86c\Setup.exe

20_2_00C14B70

Source: C:\5d17b88cf41ba603370ca60cf86c\Setup.exe

Code function: 20_2_6D2D20C8 GetProcessHeap,HeapFree,InterlockedPushEntrySList,

20_2_6D2D20C8

Source: C:\5d17b88cf41ba603370ca60cf86c\Setup.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\5d17b88cf41ba603370ca60cf86c\Setup.exe	Code function: 20_2_00C12BA5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	20_2_00C12BA5
Source: C:\5d17b88cf41ba603370ca60cf86c\Setup.exe	Code function: 20_2_00C145BE _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_00C145BE
Source: C:\5d17b88cf41ba603370ca60cf86c\Setup.exe	Code function: 20_2_6D2C87C1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	20_2_6D2C87C1
Source: C:\5d17b88cf41ba603370ca60cf86c\Setup.exe	Code function: 20_2_6D2CB38A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_6D2CB38A

Source: C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\5d17b88cf41ba603370ca60cf86c\Setup.exe

Code function: 20_2_00C13FA4 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

20_2_00C13FA4

Source: C:\5d17b88cf41ba603370ca60cf86c\Setup.exe

Code function: 20_2_6D2BF6DE __EH_prolog3_GS,_memset,_memset,GetVersionExW,

20_2_6D2BF6DE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Native API	Path Interception	1 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	2 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	6 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
dotNetFx40_Full_x86_x64.exe	9%	Virustotal		Browse
dotNetFx40_Full_x86_x64.exe	100%	Avira	TR/Patched.Gen

Dropped Files

Source	Detection	Scanner	Link
C:\5d17b88cf41ba603370ca60cf86c\1025\SetupResources.dll	0%	Metadefender	Browse
C:\5d17b88cf41ba603370ca60cf86c\1025\SetupResources.dll	0%	ReversingLabs
C:\5d17b88cf41ba603370ca60cf86c\1028\SetupResources.dll	0%	Metadefender	Browse
C:\5d17b88cf41ba603370ca60cf86c\1028\SetupResources.dll	0%	ReversingLabs
C:\5d17b88cf41ba603370ca60cf86c\1029\SetupResources.dll	0%	Metadefender	Browse
C:\5d17b88cf41ba603370ca60cf86c\1029\SetupResources.dll	0%	ReversingLabs
C:\5d17b88cf41ba603370ca60cf86c\1030\SetupResources.dll	0%	Metadefender	Browse
C:\5d17b88cf41ba603370ca60cf86c\1030\SetupResources.dll	0%	ReversingLabs
C:\5d17b88cf41ba603370ca60cf86c\1031\SetupResources.dll	0%	Metadefender	Browse
C:\5d17b88cf41ba603370ca60cf86c\1031\SetupResources.dll	0%	ReversingLabs
C:\5d17b88cf41ba603370ca60cf86c\1032\SetupResources.dll	0%	Metadefender	Browse
C:\5d17b88cf41ba603370ca60cf86c\1032\SetupResources.dll	0%	ReversingLabs
C:\5d17b88cf41ba603370ca60cf86c\1033\SetupResources.dll	0%	Metadefender	Browse
C:\5d17b88cf41ba603370ca60cf86c\1033\SetupResources.dll	0%	ReversingLabs
C:\5d17b88cf41ba603370ca60cf86c\1035\SetupResources.dll	0%	Metadefender	Browse
C:\5d17b88cf41ba603370ca60cf86c\1035\SetupResources.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://tempuri.org/	0%	URL Reputation	safe
http://tempuri.org/SampleNamespace	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://tempuri.org/	dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/SampleNamespace	dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/envelope/	dotNetFx40_Full_x86_x64.exe, 00000000.00000003.623333583.00000000094D3000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	680861
Start date and time:	2022-08-09 10:51:42 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	dotNetFx40_Full_x86_x64.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal56.winEXE@3/123@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 7% (good quality ratio 6.5%) Quality average: 76.9% Quality standard deviation: 29.2%
HCA Information:	Successful, ratio: 95% Number of executed functions: 52 Number of non-executed functions: 143
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115, 52.109.76.141, 52.109.76.33, 52.109.12.24
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, prod-w.nexus.live.com.akadns.net, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, licensing.mp.microsoft.com, login.live.com, store-images.s-microsoft.com, config.officeapps.live.com, sls.update.microsoft.com, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, europe.configsvc1.live.com.akadns.net
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\5d17b88cf41ba603370ca60cf86c\1029\SetupResources.dll	https://gscs-b2c.lge.com/downloadFile?fileId=JCmfbdhuo6i4ujSC2MbC6Q	Get hash	malicious	Browse
C:\5d17b88cf41ba603370ca60cf86c\1028\SetupResources.dll	https://gscs-b2c.lge.com/downloadFile?fileId=JCmfbdhuo6i4ujSC2MbC6Q	Get hash	malicious	Browse
C:\5d17b88cf41ba603370ca60cf86c\1028\SetupResources.dll	TinyTakeSetup_v_5_2_16.exe	Get hash	malicious	Browse
C:\5d17b88cf41ba603370ca60cf86c\1025\SetupResources.dll	https://gscs-b2c.lge.com/downloadFile?fileId=JCmfbdhuo6i4ujSC2MbC6Q	Get hash	malicious	Browse

Created / dropped Files

C:\5d17b88cf41ba603370ca60cf86c\1025\LocalizedData.xml

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	74214
Entropy (8bit):	4.180711029644354
Encrypted:	false
SSDEEP:	384:4w1hDxsSsxGMZzhKtQOsitz0SBijTJ3ejrwddv:PhDxsnxGMdAVBijTJ3eHm
MD5:	C5BF74C96A711B3F7004CA6BDDECC491
SHA1:	4C4D42FF69455F267CE98F1DB8F2C5D76A1046DA
SHA-256:	6B67C8A77C1A637B72736595AFDF77BDB3910AA9FE48D959775806A0683FFA66
SHA-512:	2F2071BF9966BFFE64C90263F4B9BD5EFCAC4F976C4E42FBDEAA5D6A6DEE51C33F4902CF5E3D0897E1C841E9182E25C86D42E392887BC3CE3D9ED3D780D96AC9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".. . J..9.0.1. ..4.:.J.D. .'.D.%.9./.'./. .A.J. .H.6.9. .'.D..H.'.A.B... .D.E.2.J./. .E.F. .'.D.E.9.D.H.E.'.... .1.'.,.9. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.'.D.E.D.A. .'.D.*.E.G.J./.J.&.l.t.;./.A.&.g.t.;..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.i.n.s.t.a.l.l.W.a.r.n.i.n.g.).". .L.o.c.a.l.i.z.e.d.T.e.x.

C:\5d17b88cf41ba603370ca60cf86c\1025\SetupResources.dll

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17240
Entropy (8bit):	5.619267132242324
Encrypted:	false
SSDEEP:	192:Ea4ZUfwxW1NX2QxqaSzWUrfncpNWLIeWkQKPnEtObMacxc8hjXHUz1TrOKA+nfW6:Nx2SX2vPzBrSNWkeWkLXci2jXHU46iQ
MD5:	35B62B395968B7754C298FBB410E9821
SHA1:	DE95297EE33466DDA2A63C8658E79F17EBBB2911
SHA-256:	4BC6711145430AC74F0D8F80A41DD89ACE79427EBAF7D3CFE479A43DB08D66E1
SHA-512:	CD34802098D57CA81446B32D2CD39B3B3FA659ED0A366167C09DAD5FF583B2266E28BA044486E343E4336A40E85D4A713E4E67EAC00B6CBFC3D4C33A1B9BD23B
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: , Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........(...............................................P............@.......................................... ...$...........,..X............................................................................................text...G...........................@..@.rsrc....0... ...&..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\5d17b88cf41ba603370ca60cf86c\1025\eula.rtf

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	7567
Entropy (8bit):	4.307679152385702
Encrypted:	false
SSDEEP:	192:sf3yLpQxL75CD7sH08JUXthIT2M+bOx7BnT7QUm2:AyLpQxL7YsH08JUXQT2M+s7BnT7QUm2
MD5:	AF1A4F6740A8B51683DFD89D520EB729
SHA1:	6B02C8E704D2D90DE9E0B63FA389B2899C75E567
SHA-256:	E4BA6C3852C94BB2034DFFED5A0FE45150E873B98ABA95A2C3A93A71227EF605
SHA-512:	C669728CA1AF1513DB36EAEE9F15AA7B0209E2F9E85C7FAE759794D05DEEF2920712C9C6F7AAF4ED1B13BF83D310DF6E770CD6C9A49D7FE62FD5F9A11464B255
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	{\rtf1\fbidis\ansi\ansicpg1256\deff0\deflang1033\deflangfe1033{\fonttbl{\f0\fswiss\fprq2\fcharset178 Tahoma;}{\f1\fswiss\fprq2\fcharset0 Tahoma;}{\f2\froman\fprq2\fcharset0 Times New Roman;}{\f3\froman\fprq2\fcharset178 Times New Roman;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\rtlpar\nowidctlpar\sb120\sa120\qr\lang1025\b\f0\rtlch\fs20\'c7\'e1\'d4\'d1\'e6\'d8 \'c7\'e1\'c5\'d6\'c7\'dd\'ed\'c9 \'e1\'ca\'d1\'ce\'ed\'d5 \'c8\'d1\'e4\'c7\'e3\'cc \lang1033\f1\ltrch MICROSOFT\par..\pard\brdrb\brdrs\brdrw10\brsp20 \rtlpar\nowidctlpar\sb120\sa120\qr MICROSOFT .NET FRAMEWORK 4\lang1025\f0\rtlch \'e1\'e4\'d9\'c7\'e3 \'c7\'e1\'ca\'d4\'db\'ed\'e1 \lang1033\f1\ltrch WINDOWS\lang1025\f0\rtlch \'e3\'e4 \lang1033\f1\ltrch MICROSOFT\par..MICROSOFT .NET FRAMEWORK 4 CLIENT PROFILE\lang1025\f0\rtlch \'e1\'e4\'d9\'c7\'e3 \'c7\'e1\'ca\'d4\'db\'ed\'e1 \lang1033\f1\ltrch WINDOWS\lang1025\f0\rtlch \'e3\'e4 \lang1033\f1\ltrch MICROSOFT\f2\par..\lang3073\f

C:\5d17b88cf41ba603370ca60cf86c\1028\LocalizedData.xml

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	60816
Entropy (8bit):	4.3418522371704045
Encrypted:	false
SSDEEP:	384:4wCGbCWB6rFk+2jP8lxtrzh1hsPN7ODPnPgQy50sJCXnofDPiv:tbCWYFrewYTJCf
MD5:	967A6D769D849C5ED66D6F46B0B9C5A4
SHA1:	C0FF5F094928B2FA8B61E97639C42782E95CC74F
SHA-256:	0BC010947BFF6EC1CE9899623CCFDFFD702EEE6D2976F28D9E06CC98A79CF542
SHA-512:	219B13F1BEEB7D690AF9D9C7D98904494C878FBE9904F8CB7501B9BB4F48762F9D07C3440EFA0546600FF62636AC34CB4B32E270CF90CB47A9E08F9CB473030C
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."..[..z._!q.l(W.v.['`!j._.N.WL..0.Y..s.0}.......S..&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;....b.jHh&.l.t.;./.A.&.g.t.;..0"./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.i.n.s.t.a.l.l.W.a.r.n.i.n.g.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."..d..[. .M.i.c.r.o.s.o.f.t. ...N.E.T. .F.r.a.m.e.w.o.r.k. ..S...g.\..g.N.a(u.z._\PbkK.

C:\5d17b88cf41ba603370ca60cf86c\1028\SetupResources.dll

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	14168
Entropy (8bit):	5.9724110685335825
Encrypted:	false
SSDEEP:	192:fc2+tUfwZWPl53LmlVlSW1g+/axw0lczWpXEWUQKPnEtObMacxc8hjeyveCXzHbk:hzuwLmlCW1g+/kmzWpXEWULXci2jpv3e
MD5:	7C136B92983CEC25F85336056E45F3E8
SHA1:	0BB527E7004601E920E2AAC467518126E5352618
SHA-256:	F2E8CA58FA8D8E694D04E14404DEC4E8EA5F231D3F2E5C2F915BD7914849EB2B
SHA-512:	06DA50DDB2C5F83E6E4B4313CBDAE14EED227EEC85F94024A185C2D7F535B6A68E79337557727B2B40A39739C66D526968AAEDBCFEF04DAB09DC0426CFBEFBF4
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: , Detection: malicious, Browse Filename: TinyTakeSetup_v_5_2_16.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........................................................@......E.....@.......................................... ..X............ ..X............................................................................................text...G...........................@..@.rsrc.... ... ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\5d17b88cf41ba603370ca60cf86c\1028\eula.rtf

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, ANSI
Category:	dropped
Size (bytes):	6309
Entropy (8bit):	4.470827969332999
Encrypted:	false
SSDEEP:	96:/R8NRf8TTVKTu4LuTu4LrzZD41raZM4HbegdxqKZJQ1/FSMZJujgzc/MpD1JzIf2:/R4Rfm2NBZMjOfro2n6CA2
MD5:	6F2F198B6D2F11C0CBCE4541900BF75C
SHA1:	75EC16813D55AAF41D4D6E3C8D4948E548996D96
SHA-256:	D7D3CFBE65FE62DFA343827811A8071EC54F68D72695C82BEC9D9037D4B4D27A
SHA-512:	B1F5B812182C7A8BF1C1A8D0F616B44B0896F2AC455AFEE56C44522B458A8638F5C18200A8FB23B56DC1471E5AB7C66BE1BE9B794E12EC06F44BEEA4D9D03D6F
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg950\deff0\deflang1033\deflangfe1028{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset136 \'b7\'73\'b2\'d3\'a9\'fa\'c5\'e9;}{\f2\froman\fprq2\fcharset0 Times New Roman;}{\f3\fswiss\fprq2\fcharset0 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\\generator Msftedit 5.41.21.2509;}{\info{\horzdoc}{\\lchars (<?[`\'7b\'a2\'47\'a2\'44?\'a1\'a5\'a1\'a7}{\*\fchars !'),.:\'3b>?]\|\'7d\'a2\'46\'a1\'50?\'a1\'56\'a1\'58\'a1\'a6\'a1\'a8\'a1\'45\'a1\'4b}}..\viewkind4\uc1\pard\nowidctlpar\sb120\sa120\b\f0\fs28 MICROSOFT \lang1028\f1\'b3\'6e\'c5\'e9\'bc\'57\'b8\'c9\'b1\'c2\'c5\'76\'b1\'f8\'b4\'da\lang1033\f2\par..\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120\f0\fs20 MICROSOFT WINDOWS \lang1028\f1\'a7\'40\'b7\'7e\'a8\'74\'b2\'ce\'aa\'ba\lang1033\f0 MICROSOFT .NET FRAMEWORK 4\f2\par..\f0 MICROSOFT WINDOWS \lang1028\f1\'a7\'40\'b7\'7e\'a8\'74\'b2\'ce\'aa\'ba\lang1033\f0 MICROSOFT .NET FRAMEWORK 4 \lang1028\f1\'a5\'ce\'a4\'e1\'ba\'dd\'b3\'5d\'a9

C:\5d17b88cf41ba603370ca60cf86c\1029\LocalizedData.xml

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	80970
Entropy (8bit):	3.7136351704498183
Encrypted:	false
SSDEEP:	384:4w9jRY/svLov/QvQovOLeyndT/jfB7eyNdT9eTiyn15byYOMbqav8qAMrZEXw/Fm:Wt/jPvoZJZ0z
MD5:	0B6ED582EB557573E959E37EBE2FCA6A
SHA1:	82C19C7EAFB28593F453341ECA225873FB011D4C
SHA-256:	8A0DA440261940ED89BAD7CD65BBC941CC56001D9AA94515E346D57B7B0838FC
SHA-512:	ABA3D19F408BD74F010EC49B31A2658E0884661D2EFDA7D999558C90A4589B500570CC80410BA1C323853CA960E7844845729FFF708E3A52EA25F597FAD90759
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".I.n.s.t.a.l.a...n... .p.r.o.g.r.a.m. .n.e.l.z.e. .s.p.u.s.t.i.t. .v. .r.e.~.i.m.u. .k.o.m.p.a.t.i.b.i.l.i.t.y... .D.a.l.a... .i.n.f.o.r.m.a.c.e. .n.a.l.e.z.n.e.t.e. .v. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.s.o.u.b.o.r.u. .R.e.a.d.m.e.&.l.t.;./.A.&.g.t.;..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.i.n.s.t.a.l.l.

C:\5d17b88cf41ba603370ca60cf86c\1029\SetupResources.dll

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18264
Entropy (8bit):	5.308536555634371
Encrypted:	false
SSDEEP:	384:sIr67PAteQx2PoipahxPh1KuMWp1eWCLXci2jpvsH:sv6CMi2jpvsH
MD5:	62876C2FE28B1B5C434B9FAD80ABE9F9
SHA1:	BE3D479204B8E36933E0EECC250C330E69A06D02
SHA-256:	36E316718C8BBBD7B511E9074FC0EECB9ACD0A9B572F593A5A569CC93276D932
SHA-512:	FFDD2D8DB4AE62EA07178677D8C8745CF54D7EDBE1683478A2C588D5B84EF9EA970E2B1C44E3B8F18B33D189655B0C42D5747392DB97176A38FAB4CBAB3E3F10
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: , Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........,...............................................P......V.....@.......................................... ..d(...........0..X............................................................................................text...G...........................@..@.rsrc....0... ...*..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\5d17b88cf41ba603370ca60cf86c\1029\eula.rtf

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, ANSI
Category:	dropped
Size (bytes):	3726
Entropy (8bit):	5.271587861695615
Encrypted:	false
SSDEEP:	96:4BfgejTQpTfD/g7OyGBB2nZsEAVxfw8EMpDRI/YFkvvApzdYPBGx2:sfN7OHn2nZsEmf+Oa/c2
MD5:	B02C48825414EDCA106C92182D32BC8A
SHA1:	CF00219D69E3CFF9777BABECE1EE9D8CDC776AC9
SHA-256:	C6147000FC34894C724C09CB69FFCE75DD1263B69D063F75466D70B67B3C80DD
SHA-512:	B8AFE051701189F60789D0340FD15E81491456284305B55C4582D0153A2C8CB25F1EDD05F40B50893C7CBB80EC57FF635D764DB5F56AA2E945CF29E9C550E9BA
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1250\deff0\deflang1029\deflangfe1029{\fonttbl{\f0\fswiss\fprq2\fcharset238 Tahoma;}{\f1\froman\fprq2\fcharset238{\\fname Times New Roman;}Times New Roman CE;}{\f2\fswiss\fprq2\fcharset238 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\nowidctlpar\sb120\sa120\b\f0\fs20 DODATKOV\'c9 LICEN\'c8N\'cd PODM\'cdNKY PRO SOFTWARE SPOLE\'c8NOSTI MICROSOFT\lang1033\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120\lang1029\f0 MICROSOFT .NET FRAMEWORK 4 PRO OPERA\'c8N\'cd SYST\'c9M MICROSOFT WINDOWS\lang1033\f1\par..\lang1029\f0 MICROSOFT .NET FRAMEWORK 4 CLIENT PROFILE PRO OPERA\'c8N\'cd SYST\'c9M MICROSOFT WINDOWS\par..\pard\brdrb\brdrs\brdrw10\brsp20 A P\'d8IDRU\'8eEN\'c9 JAZYKOV\'c9 SADY\par..\pard\nowidctlpar\sb120\sa120\b0 Licenci k\~tomuto dodatku v\'e1m poskytuje spole\'e8nost Microsoft Corporation (nebo n\'eckter\'e1 z\~jej\'edch afilac\'ed v\~z\'e1vislosti na tom, kde bydl\'edte).\lang1033\b

C:\5d17b88cf41ba603370ca60cf86c\1030\LocalizedData.xml

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	77748
Entropy (8bit):	3.5770566057374418
Encrypted:	false
SSDEEP:	384:4wvo3sGYQTjtLCpCggWuUyl+JMcf/zmSmRLAgRQJmS+e/JAu1O2Xx+v:9o8GYQTjtLCYggWuUMe+e/J8
MD5:	69925E463A6FEDCE8C8E1B68404502FB
SHA1:	76341E490A432A636ED721F0C964FD9026773DD7
SHA-256:	5F370D2CCDD5FA316BCE095BF22670123C09DE175B7801D0A77CDB68174AC6B7
SHA-512:	5F61ABEC49E1F9CC44C26B83AA5B32C217EBEBA63ED90D25836F51F810C59F71EC7430DC5338EFBA9BE720F800204891E5AB9A5F5EC1FF51EF46C629482E5220
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".I.n.s.t.a.l.l.a.t.i.o.n.s.p.r.o.g.r.a.m.m.e.t. .k.a.n. .i.k.k.e. .k...r.e. .i. .k.o.m.p.a.t.i.b.i.l.i.t.e.t.s.t.i.l.s.t.a.n.d... .D.u. .k.a.n. .f.i.n.d.e. .f.l.e.r.e. .o.p.l.y.s.n.i.n.g.e.r. .i. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.V.i.g.t.i.g.t.-.f.i.l.e.n.&.l.t.;./.A.&.g.t.;..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.

C:\5d17b88cf41ba603370ca60cf86c\1030\SetupResources.dll

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18264
Entropy (8bit):	5.237828095883879
Encrypted:	false
SSDEEP:	384:cNX61hALPTIOWWptfeWuLXci2jXHUgyh1J:cQweMi2jXHUgU1J
MD5:	9F0CD8981979154CC2A6393DA42731C5
SHA1:	AFFAFE8CF152C25DF75CF3E6B67B7AA8A4A80056
SHA-256:	30C86AE90DE0EE7D2A637AB7EF7AE450690A55A5EA8C007169BAB57B10F0E013
SHA-512:	036253A9B4718EC38C7784ABA6AA124E4A334170AD13546126B0D746F003A4FC571165DBDA3BC3DD1911C343326CAE22C0A3C0A82A17D7F5943D2F2057E3C060
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........,...............................................P......9a....@.......................................... ..$(...........0..X............................................................................................text...G...........................@..@.rsrc....0... ...*..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\5d17b88cf41ba603370ca60cf86c\1030\eula.rtf

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, ANSI
Category:	dropped
Size (bytes):	3314
Entropy (8bit):	5.229229499381171
Encrypted:	false
SSDEEP:	96:MTBfIGPzxT1B9TwDXOC1uJzGTcDC5bhPqljShnEGiBe4YOMpDIbu0L9D+Ogp+Ogj:If/Jqn1uJzGTcDC5bhSljShnEGioDOOa
MD5:	B756C9B475E1E5955D8BF1544DF556F7
SHA1:	03ACD306196D5C0CDFBEB947CE3E018C08FD08CB
SHA-256:	204021CC428C70F76DE750C0B01404E3396EE8602C8F25F44635F6F2BDBF693A
SHA-512:	88E44178770025B960BF2329901B6BEC90115B62D9F44A43FD914AEF687C2FCE7E370D9BA8CAAF9BF930553EB99580C47F8E7FDC0C32FE9A921DD368BF8E4658
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\deflang1033\deflangfe1033{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset0 Times New Roman;}{\f2\fswiss\fprq2\fcharset0 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\nowidctlpar\sb120\sa120\lang1030\b\f0\fs28 TILL\'c6G TIL LICENSVILK\'c5R FOR MICROSOFT-SOFTWARE\lang1033\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120\lang1030\f0\fs22 MICROSOFT .NET FRAMEWORK 4 TIL MICROSOFT WINDOWS-OPERATIVSYSTEM\lang1033\par..\lang1030 MICROSOFT .NET FRAMEWORK 4-KLIENTPROFIL TIL MICROSOFT WINDOWS-OPERATIVSYSTEM\par..OG TILKNYTTEDE SPROGPAKKER\lang1033\f1\fs20\par..\pard\nowidctlpar\sb120\sa120\lang1030\b0\f0 Microsoft Corporation (eller, afh\'e6ngigt af hvor De bor, et af dets associerede selskaber) licenserer dette till\'e6g til Dem.\lang1033\b \lang1030\b0 Hvis De har licens til at bruge Microsoft Windows-operativsystemsoftware (som dette till\'e6g g\'e6lder for) ("

C:\5d17b88cf41ba603370ca60cf86c\1031\LocalizedData.xml

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	82346
Entropy (8bit):	3.5798945100215325
Encrypted:	false
SSDEEP:	1536:guayUbZwf+2CzQHsjz1VbxzPGnz6solo8xKc6JT/1Sy:JayUtwf+2CzQHshPGnz6solo8xKc6JTd
MD5:	8505219C0A8D950FF07DC699D8208309
SHA1:	7A557356C57F1FA6D689EA4C411E727438AC46DF
SHA-256:	C48986CDB7FE3401234E0A6540EB394C1201846B5BEB1F12F83DC6E14674873A
SHA-512:	7BCDAD0CB4B478068434F4EBD554474B69562DC83DF9A423B54C1701CA3B43C3B92DE09EE195A86C0D244AA5EF96C77B1A08E73F1F2918C8AC7019F8DF27B419
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".D.a.s. .S.e.t.u.p. .k.a.n.n. .n.i.c.h.t. .i.m. .K.o.m.p.a.t.i.b.i.l.i.t...t.s.m.o.d.u.s. .a.u.s.g.e.f...h.r.t. .w.e.r.d.e.n... .W.e.i.t.e.r.e. .I.n.f.o.r.m.a.t.i.o.n.e.n. .f.i.n.d.e.n. .S.i.e. .i.n. .d.e.r. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.I.n.f.o.d.a.t.e.i.&.l.t.;./.A.&.g.t.;..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.

C:\5d17b88cf41ba603370ca60cf86c\1031\SetupResources.dll

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18776
Entropy (8bit):	5.135663555520085
Encrypted:	false
SSDEEP:	384:lQ16m3rhGrcHN/USYvYVA9WKieW8bLXci2jXHU2Ze:lEhCSVYvYVAA+Mi2jXHU2A
MD5:	7C9AE49B3A400C728A55DD1CACC8FFB2
SHA1:	DD3A370F541010AD650F4F6AA42E0CFC68A00E66
SHA-256:	402C796FEBCD78ACE8F1C5975E39193CFF77F891CFF4D32F463F9A9C83806D4A
SHA-512:	D30FE9F78A49C533BE5C00D88B8C2E66A8DFAC6D1EAE94A230CD937F0893F6D4A0EECE59C1D2C3C8126FFA9A9648EC55A94E248CD8C7F9677F45C231F84F221B
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........................................................P.......D....@.......................................... ..`+...........2..X............................................................................................text...G...........................@..@.rsrc....0... ...,..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\5d17b88cf41ba603370ca60cf86c\1031\eula.rtf

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, ANSI
Category:	dropped
Size (bytes):	3419
Entropy (8bit):	5.19064562442276
Encrypted:	false
SSDEEP:	96:MWBfVBITvyTqDyiRc3E5Zob0MpDmqgH4KYXsY/49Uo2:VffWX5Zm0O3Q32
MD5:	94190970FB79C7085DE2E97AE4630B07
SHA1:	272677F49985098CA0477D6A8C1E70E4BDDB646C
SHA-256:	A448FE5954EC68B7C395DA387545C1664C3F4BAADE021E6157EC142997D93CA2
SHA-512:	7A7EE485D20912FC533E83EAE0F151DC142C2F01051735D1F9B20A7146154A04C8269FC9F71AC82E57925B566E07E716CDED6DB8B11026225CEAAC209311531F
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\deflang1033\deflangfe1041{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset0 Times New Roman;}{\f2\fswiss\fprq2\fcharset0 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\nowidctlpar\sb120\sa120\lang1031\b\f0\fs20 ERG\'c4NZENDE LIZENZBESTIMMUNGEN F\'dcR MICROSOFT-SOFTWARE\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120\f0 MICROSOFT .NET FRAMEWORK 4 F\'dcR MICROSOFT WINDOWS-BETRIEBSSYSTEM\f1\par..\f0 MICROSOFT .NET FRAMEWORK 4 CLIENT PROFILE F\'dcR MICROSOFT WINDOWS-BETRIEBSSYSTEM\par..UND ZUGEH\'d6RIGE LANGUAGE PACKS\f1\par..\pard\nowidctlpar\sb120\sa120\b0\f0 Microsoft Corporation (oder eine andere Microsoft-Konzerngesellschaft, wenn diese an dem Ort, an dem Sie leben, die Software lizenziert) lizenziert diese Softwareerg\'e4nzung an Sie. Wenn Sie \'fcber eine Lizenz f\'fcr Microsoft Windows-Betriebssystem-Software verf\'fcgen (f\'fcr die diese Softwareerg\

C:\5d17b88cf41ba603370ca60cf86c\1032\LocalizedData.xml

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	86284
Entropy (8bit):	4.3740758325121645
Encrypted:	false
SSDEEP:	384:4w+7UVysuXHXeXAehlT++sTGoheXrW4MgcyvF773/xSFVQbleaS8tOnjiJLtchH0:+3OQeHll5PunjiJr
MD5:	3BF8DA35B14FBCC564E03F6342BB71F2
SHA1:	8F9139F0BB813BF95F8C437548738D32848D8940
SHA-256:	39EFE12C689EDFEA041613B0E4D6EC78AFEC8FE38A0E4ADC656591FFEF8F415D
SHA-512:	31B050647BA4BD0C2762D77307E1ED2A324E9B152C06ED496B86EA063CDC18BF2BB1F08D2E9B4AF3429A2BC333D7891338D7535487C83495304A5F78776DBC03
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."....... ........... ............. ... ................. ....... ......................... ..... ................... ....................... ........................... ....... ......................... .......................,. ................... ....... .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;............. .r.e.a.d.m.e.&.l.t.;./.A.&.g.t.;..."./.

C:\5d17b88cf41ba603370ca60cf86c\1032\SetupResources.dll

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19288
Entropy (8bit):	5.607263971475317
Encrypted:	false
SSDEEP:	384:jwB6VfhGGglsETXrI7k1tcVlUHe3YRPWTBZWwLXci2jXHUQ:jlpGGKQVlhsSLMi2jXHUQ
MD5:	E663B67A66ADF9375D1D183CA5FDD23D
SHA1:	30360546A00FFF0A7C2B47F4B01C89E771F13971
SHA-256:	574FBDEDCDA1F9F34C997AC3F192CBA72A67D6534B2E9AB80A35AB3543621D58
SHA-512:	46E7FFB4889A43059665893ABF1D2B6BF3430A617023FFA91F54AF6D5062444B844D8811ED2D037E756993F733986479E93784AC25C553F70F1CF8D1B67182A3
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........0...............................................P............@.......................................... ..`-...........4..X............................................................................................text...G...........................@..@.rsrc....0... ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\5d17b88cf41ba603370ca60cf86c\1032\eula.rtf

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, ANSI
Category:	dropped
Size (bytes):	8876
Entropy (8bit):	4.086204739568071
Encrypted:	false
SSDEEP:	192:/foOHY6P6Km5NHMQaEjxPSuHON0SuQI62:R46Pm5Ns0jxpeuQV2
MD5:	2091F5DA2BF884F747103A31D2DC947B
SHA1:	AAD26EB74B793D7DE2F466150F609C276D398FB5
SHA-256:	B7A7F2388600D9D059DCDF300845938E429A0FF16EB03BDECE48825805069B7E
SHA-512:	AE798ACD11E9A4ADD33DA760B46200E24B9F9403BBBFAF6CB45E25193D346BDE3B91C9B79BB7E10E529DEDD824A89D23212745CF9E9E5EBB44319E9DD812C61D
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\deflang1033\deflangfe1033{\fonttbl{\f0\fswiss\fprq2\fcharset161 Tahoma;}{\f1\froman\fprq2\fcharset161{\\fname Times New Roman;}Times New Roman Greek;}{\f2\fswiss\fprq2\fcharset161 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\nowidctlpar\sb120\sa120\lang1032\b\f0\fs20\'d3\'d5\'cc\'d0\'cb\'c7\'d1\'d9\'cc\'c1\'d4\'c9\'ca\'cf\'c9 \'cf\'d1\'cf\'c9 \'c1\'c4\'c5\'c9\'c1\'d3 \'d7\'d1\'c7\'d3\'c7\'d3 \'cb\'cf\'c3\'c9\'d3\'cc\'c9\'ca\'cf\'d5 \'d4\'c7\'d3 MICROSOFT\lang1033\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120\lang1032\f0 MICROSOFT .NET FRAMEWORK 4 \'c3\'c9\'c1 \'cb\'c5\'c9\'d4\'cf\'d5\'d1\'c3\'c9\'ca\'cf \'d3\'d5\'d3\'d4\'c7\'cc\'c1 MICROSOFT WINDOWS\lang1033\f1\par..\lang1032\f0\'d0\'d1\'cf\'d6\'c9\'cb \'d0\'d1\'cf\'c3\'d1\'c1\'cc\'cc\'c1\'d4\'cf\'d3-\'d0\'c5\'cb\'c1\'d4\'c7 MICROSOFT .NET FRAMEWORK 4 \'c3\'c9\'c1 \'cb\'c5\'c9\'d4\'cf\'d5\'d1\'c3\'c9\'ca\'cf \'d3\'d5\'d3\

C:\5d17b88cf41ba603370ca60cf86c\1033\LocalizedData.xml

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	77232
Entropy (8bit):	3.5669629909438734
Encrypted:	false
SSDEEP:	384:4w6JjgKW5D8U2JhrDheHQTBNgNSdfUGNatvcc7QDBuGdSJgkR6Sqzxu:gJsKKIrDPT7lSJYI
MD5:	326518603D85ACD79A6258886FC85456
SHA1:	F1CEF14BC4671A132225D22A1385936AD9505348
SHA-256:	665797C7840B86379019E5A46227F888FA1A36A593EA41F9170EF018C337B577
SHA-512:	F8A514EFD70E81D0F2F983282D69040BCA6E42F29AA5DF554E6874922A61F112E311AD5D2B719B6CA90012F69965447FB91E8CD4103EFB2453FF160A9062E5D3
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".T.h.e. .s.e.t.u.p. .c.a.n.n.o.t. .r.u.n. .i.n. .c.o.m.p.a.t.i.b.i.l.i.t.y. .m.o.d.e... .F.o.r. .m.o.r.e. .i.n.f.o.r.m.a.t.i.o.n.,. .s.e.e. .t.h.e. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.R.e.a.d.m.e. .f.i.l.e.&.l.t.;./.A.&.g.t.;...". ./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.i.n.s.t.a.l.l.W.a.r.n.i.n.g.).". .L.o.c.

C:\5d17b88cf41ba603370ca60cf86c\1033\SetupResources.dll

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17240
Entropy (8bit):	5.151474565875158
Encrypted:	false
SSDEEP:	192:byk5nUfwTW7JwWp0eW6jp8M+9HS8bC/TJs7kFkzQKPnEtObMacxc8hjeyveCXZBe:pgoTWp0eWB9ygC/TfFkzLXci2jpv8
MD5:	9547D24AC04B4D0D1DBF84F74F54FAF7
SHA1:	71AF6001C931C3DE7C98DDC337D89AB133FE48BB
SHA-256:	36D0159ED1A7D88000737E920375868765C0A1DD6F5A5ACBB79CF7D97D9E7A34
SHA-512:	8B6048F4185A711567679E2DE4789407077CE5BFE72102D3CB1F23051B8D3E6BFD5886C801D85B4E62F467DD12DA1C79026A4BC20B17F54C693B2F24E499D40F
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........(...............................................P......<f....@.......................................... ...%...........,..X............................................................................................text...G...........................@..@.rsrc....%... ...&..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\5d17b88cf41ba603370ca60cf86c\1033\eula.rtf

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, ANSI
Category:	dropped
Size (bytes):	3188
Entropy (8bit):	5.285087573798006
Encrypted:	false
SSDEEP:	96:MHfTLNnTkWBTkFDZ8f4wHlre7MUxprfKmMb0+MW+1Ep9qeelN+sznM+IEp+Lk2:yfyTLillHW+mMhyAspz2
MD5:	B7129C4881F118FCB38F27CFB00CD36D
SHA1:	148989B710205C6A67B3F960567F6DAA98D75BDA
SHA-256:	DA3D6A6AC223744DF01C920EAE5F43E017F52350831C4F3F6BB38D78232EA3B4
SHA-512:	C0816D7676DDF0774EB9022BD305CDCDFEF590BE38E20C2D5584968BCA78E10A14BE375FA892593F11D04BE2734A30B5C1D21814B88C31814C713E08546436E7
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\deflang1033\deflangfe1033{\fonttbl{\f0\froman\fprq2\fcharset0 Times New Roman;}{\f1\fswiss\fprq2\fcharset0 Tahoma;}{\f2\fswiss\fprq2\fcharset0 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;\red255\green0\blue0;\red0\green0\blue128;}..{\*\generator Msftedit 5.41.21.2508;}\viewkind4\uc1\pard\sb120\sa120\f0\fs20\par..\b\f1\fs28 MICROSOFT SOFTWARE SUPPLEMENTAL LICENSE TERMS\par..\fs22 MICROSOFT .NET FRAMEWORK 4 FOR MICROSOFT WINDOWS OPERATING SYSTEM \f0\par..\f1 MICROSOFT .NET FRAMEWORK 4 CLIENT PROFILE FOR MICROSOFT WINDOWS OPERATING SYSTEM \f0\par..\pard\brdrb\brdrs\brdrw10\brsp20 \sb120\sa120\f1 AND ASSOCIATED LANGUAGE PACKS\b0\f0\par..\pard\sb120\sa120\f1\fs20 Microsoft Corporation (or based on where you live, one of its affiliates) licenses this supplement to you. If you are licensed to use Microsoft Windows operating system software (for which this supplement is applicable) (the \ldblquote software\rdblquote ), you may use this supplement. You may

C:\5d17b88cf41ba603370ca60cf86c\1035\LocalizedData.xml

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	77022
Entropy (8bit):	3.5745326569682434
Encrypted:	false
SSDEEP:	1536:wT42CX8ugmmuM92kEMeeGOCOUJPePJiWGICG+JND:wT42CX8ugmmuM92kEMeeGOCOUJPePJi/
MD5:	1AA252256C895B806E4E55F3EA8D5FFB
SHA1:	0322EE94C3D5EA26418A2FEA3F7E62EC5D04B81D
SHA-256:	8A68B3B6522C30502202ECB8D16AE160856947254461AC845B39451A3F2DB35F
SHA-512:	CE57784892C0BE55A00CED0ADC594A534D8A40819790CA483A29B6CD544C7A75AE4E9BDE9B6DC6DE489CECEB7883B7C2EA0E98A38FCC96D511157D61C8AA3E63
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".A.s.e.n.n.u.s.o.h.j.e.l.m.a.a. .e.i. .v.o.i. .s.u.o.r.i.t.t.a.a. .y.h.t.e.e.n.s.o.p.i.v.u.u.s.t.i.l.a.s.s.a... .L.i.s...t.i.e.t.o.j.a. .o.n. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.L.u.e. .m.i.n.u.t. .-.t.i.e.d.o.s.t.o.s.s.a.&.l.t.;./.A.&.g.t.;..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.i.n.s.t.a.l.l.W.a.r.n.i.n.

C:\5d17b88cf41ba603370ca60cf86c\1035\SetupResources.dll

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18264
Entropy (8bit):	5.166182954405893
Encrypted:	false
SSDEEP:	192:rJkinUfwVWVRdufl0fXA1Z1j93S0WHpdcIirs442QXWMkeWEQKPnEtObMacxc8hg:rO16Lwz51JWMkeWELXci2jpvi
MD5:	881ADF55D51976CA592033A7ADF620B8
SHA1:	E82ED85E25411610D1F977A99368A7A6547C7C47
SHA-256:	88FCE9BFC0458E375811A7F1EA7CB9777E241D373EEF15D4B23835F77979D54C
SHA-512:	FED744A6E37F18B6CC3708EEB9F3E874269B1CBDB63B54284470E39E2B01D3DFB61F3626E34638231B9034FA699BDCCD7FE623D8478B205723EF45C1AA595FF9
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........,...............................................P......(.....@.......................................... ..x)...........0..X............................................................................................text...G...........................@..@.rsrc....0... ...*..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\5d17b88cf41ba603370ca60cf86c\1035\eula.rtf

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, ANSI
Category:	dropped
Size (bytes):	3702
Entropy (8bit):	5.238529406475761
Encrypted:	false
SSDEEP:	96:MWBfuMAh8TZhqTy9DbDixX7zR7MrrqX37ILY7TpLgoyk1zERRe5g9KIMpDnYA06m:VfeRzH3vmLQzE6AOAC2
MD5:	4A43D21D1576E040DC9F5B90162A0401
SHA1:	1616FA39D9E4E7B2BB927CADED944DD14BD05656
SHA-256:	F0E2739892A1CE8A6445CEC72FF9AD88E939E21C719552E8ACD746F92F9FAFB7
SHA-512:	7A7C50B7EC09282A828B06C6A52340C1CAEFF0CFA01FF81375483045972D3645092B5B385103C19ACCADBE5B758DFF85A9DC6FDC00F9AF32AEE076E2C49F79BA
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\deflang1033\deflangfe1041{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset0 Times New Roman;}{\f2\fswiss\fprq2\fcharset0 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\nowidctlpar\sb120\sa120\lang1035\b\f0\fs20 MICROSOFT-OHJELMISTON T\'c4YDENNYSOSAN K\'c4YTT\'d6OIKEUSSOPIMUKSEN EHDOT\lang1033\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120\lang1035\f0 MICROSOFT .NET FRAMEWORK 4 MICROSOFT WINDOWS -K\'c4YTT\'d6J\'c4RJESTELM\'c4\'c4N\lang1033\f1\par..\lang1035\f0 MICROSOFT .NET FRAMEWORK 4 CLIENT PROFILE MICROSOFT WINDOWS -K\'c4YTT\'d6J\'c4RJESTELM\'c4\'c4N\par..\lang1033 SEK\'c4 NIIHIN LIITTYV\'c4T KIELIPAKETIT\par..\pard\nowidctlpar\sb120\sa120\lang1035\b0 Microsoft Corporation (tai asiakkaan asuinpaikan mukaan m\'e4\'e4r\'e4ytyv\'e4 Microsoft Corporationin konserniyhti\'f6) my\'f6nt\'e4\'e4 asiakkaalle t\'e4m\'e4n t\'e4ydennysosan k\'e4ytt\'f6oikeudet.\la

C:\5d17b88cf41ba603370ca60cf86c\1036\LocalizedData.xml

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	82962
Entropy (8bit):	3.5891850903091727
Encrypted:	false
SSDEEP:	384:4wCFpNvOvt1jagJVzRzchryjiTIJz0kbG52bxVv:WvotpaluaIJzaIv
MD5:	1DAD88FAED661DB34EEF535D36563EE2
SHA1:	0525B2F97EDDBD26325FDDC561BF8A0CDA3B0497
SHA-256:	9605468D426BCBBE00165339D84804E5EB2547BFE437D640320B7BFEF0B399B6
SHA-512:	CCD0BFFBF0538152CCCD4B081C15079716A5FF9AD04CEE8679B7F721441F89EB7C6F8004CFF7E1DDE9188F5201F573000D0C078474EDF124CFA4C619E692D6BC
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".L.e. .p.r.o.g.r.a.m.m.e. .d.'.i.n.s.t.a.l.l.a.t.i.o.n. .n.e. .p.e.u.t. .p.a.s. .s.'.e.x...c.u.t.e.r. .e.n. .m.o.d.e. .d.e. .c.o.m.p.a.t.i.b.i.l.i.t..... .P.o.u.r. .p.l.u.s. .d.'.i.n.f.o.r.m.a.t.i.o.n.s.,. .c.o.n.s.u.l.t.e.z. .l.e. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.f.i.c.h.i.e.r. .r.e.a.d.m.e.&.l.t.;./.A.&.g.t.;..."./.>..... . . . . . .<.T.

C:\5d17b88cf41ba603370ca60cf86c\1036\SetupResources.dll

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18776
Entropy (8bit):	5.112489568342605
Encrypted:	false
SSDEEP:	384:J7Z66AY9li3OoDDkbiWpQeWELXci2jpv8:JffiZDgycMi2jpv8
MD5:	93F57216FE49E7E2A75844EDFCCC2E09
SHA1:	DCCD52787F147E9581D303A444C8EE134AFC61A8
SHA-256:	2506827219B461B7C6C862DAE29C8BFF8CB7F4A6C28D2FF60724CAC70903987D
SHA-512:	EADFFB534C5447C24B50C7DEFA5902F9EB2DCC4CF9AF8F43FA889B3367EA25DFA6EA87FF89C59F1B7BBF7106888F05C7134718021B44337AE5B7D1F808303BB1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........................................................P......B\|....@.......................................... ...+...........2..X............................................................................................text...G...........................@..@.rsrc....0... ...,..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\5d17b88cf41ba603370ca60cf86c\1036\eula.rtf

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, ANSI
Category:	dropped
Size (bytes):	3526
Entropy (8bit):	5.107243175407303
Encrypted:	false
SSDEEP:	96:MTBfEhmvTf8vTR/DSIem21HDpHD1cT+Tot4er42xzK8/ptMpDLaFNsNGlDPsCU2:IfJw95eJlx1E+Tot4er42xzKuOKPU2
MD5:	E0DA85DB8B02A89A63601EA6B9AD7FF8
SHA1:	5F91C397CF3FBF4475FF71339B2D69C45694130F
SHA-256:	8880B979A4F8ECDD529241D9AE02583FECD21010EA1E255A1CBCD0C6FB2F75E9
SHA-512:	C8F47154145507C89D9B599D725C3444A206AE2AFAC2ACA4B2EA18980DEC134A25FC539CE1FB2291AF942DC1CA25EE2FFF323FB17F43F5BF91157A30B19BCD17
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\deflang1033\deflangfe1033{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset0 Times New Roman;}{\f2\fswiss\fprq2\fcharset0 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\nowidctlpar\sb120\sa120\lang1036\b\f0\fs20 TERMES DE CONTRAT DE LICENCE D\rquote UN SUPPL\'c9MENT MICROSOFT\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120\f0 MICROSOFT .NET FRAMEWORK\~4 POUR LE SYST\'c8ME D\rquote EXPLOITATION MICROSOFT WINDOWS\f1\par..\f0 MICROSOFT .NET FRAMEWORK\~4 CLIENT PROFILE POUR LE SYST\'c8ME D\rquote EXPLOITATION MICROSOFT WINDOWS\par..ET LES LANGAGE PACKS ASSOCI\'c9S\par..\pard\nowidctlpar\sb120\sa120\b0 Microsoft Corporation (ou, en fonction du lieu o\'f9 vous vivez, l\rquote un de ses affili\'e9s) vous accorde une licence pour ce suppl\'e9ment.\b \b0 Si vous \'eates titulaire d\rquote une licence d\rquote utilisation du logiciel de syst\'e8me d\rquote exploita

C:\5d17b88cf41ba603370ca60cf86c\1037\LocalizedData.xml

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	72076
Entropy (8bit):	4.190903034087703
Encrypted:	false
SSDEEP:	384:4wkvJlqaYsxaAzdNhXdQGKbvvGu1kZJNvSX33qLv:OHqaBxaeJN7T
MD5:	16E6416756C1829238EF1814EBF48AD6
SHA1:	C9236906317B3D806F419B7A98598DD21E27AD64
SHA-256:	C0EE256567EA26BBD646F019A1D12F3ECED20B992718976514AFA757ADF15DEA
SHA-512:	AA595ED0B3B1DB280F94B29FA0CB9DB25441A1EF54355ABF760B6B837E8CE8E035537738E666D27DD2A8D295D7517C325A5684E16304887CCB17313CA4290CE6
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."............... ............. ....... ............. ........... ......... ............... ........... ......... .........,. ....... .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;......... .R.e.a.d.m.e.&.l.t.;./.A.&.g.t.;..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.i.n.s.t.a.l.l.W.a.r.n.i.n.g.).". .L.o.c.a.l.i.z.e.d.T.e.x.

C:\5d17b88cf41ba603370ca60cf86c\1037\SetupResources.dll

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	16728
Entropy (8bit):	5.741920618836553
Encrypted:	false
SSDEEP:	192:KADkdHUfwVW13jowXiTeISvjpHawC1wWmeW8QKPnEtObMacxc8hjeyveCX1HQ:K506Qrw5wWmeW8LXci2jpvfw
MD5:	06CC83E6C677DB13757DF4242F5679F7
SHA1:	493D44DA1C36A5CEC83B0420BEBC2BF76A9262E8
SHA-256:	8E3C9332AB38DAD95A4293C466EAB88B17DEE82C87BE047839E85BB816B6146E
SHA-512:	D4E1694AFE2A35A7A2DB3C8B2A4F83A536DE0AFC5871AE44591317B5B6489B3911F7AEDE8AD9584DCB0BAA8D84B65A20393D587D6F993035FA7DFE13AEAF10CF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........&...............................................P............@.......................................... ..."...........*..X............................................................................................text...G...........................@..@.rsrc....0... ...$..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\5d17b88cf41ba603370ca60cf86c\1037\eula.rtf

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	6851
Entropy (8bit):	4.46966326918659
Encrypted:	false
SSDEEP:	96:2Rf64JJR1vTJ3R1vTJZZDg1YGZmF1plypIuw75TYgnMJ9nqIQ2fPMpicPtxScRtZ:0fXRskPWIHxYnJVPOxScl9ZnlfZ4LH2
MD5:	74C015D4E8024F9A49CF8D183CBDB0F5
SHA1:	8428260A9E522A712EFC8740AF848BD7521DEB8E
SHA-256:	D7718CF8F97F78656AA8964721757EA7E369FC7BBB052777C90E63D07C7CC7C5
SHA-512:	BB8748054F194450BC0383D4E88600F00E01BA8FD182C3C3A5A09CFBB0C2FBC30B9CECBAD0B99DDA1EEFA5C3EB56AD50CCACF3FE39302842F16A17082F5F8D04
Malicious:	false
Preview:	{\rtf1\fbidis\ansi\ansicpg1255\deff0\deflang1033\deflangfe1033{\fonttbl{\f0\fswiss\fprq2\fcharset177 Tahoma;}{\f1\fswiss\fprq2\fcharset0 Tahoma;}{\f2\froman\fprq2\fcharset0 Times New Roman;}{\f3\froman\fprq2\fcharset177 Times New Roman;}}..{\colortbl ;\red0\green0\blue0;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\rtlpar\nowidctlpar\sb120\sa120\qr\lang1037\b\f0\rtlch\fs20\'fa\'f0\'e0\'e9 \'f8\'f9\'e9\'e5\'ef \'ee\'f9\'ec\'e9\'ee\'e9\'ed \'f2\'e1\'e5\'f8 \'fa\'e5\'eb\'f0\'fa \lang1033\f1\ltrch MICROSOFT\f2\par..\pard\brdrb\brdrs\brdrw10\brsp20 \rtlpar\nowidctlpar\sb120\sa120\qr\f1 MICROSOFT .NET FRAMEWORK 4\lang1037\f0\rtlch \'f2\'e1\'e5\'f8 \'ee\'f2\'f8\'eb\'fa \'e4\'e4\'f4\'f2\'ec\'e4 \lang1033\f1\ltrch MICROSOFT WINDOWS\par..\lang1037\f0\rtlch\'f4\'f8\'e5\'f4\'e9\'ec \'ec\'f7\'e5\'e7 \'f9\'ec \lang1033\f1\ltrch MICROSOFT .NET FRAMEWORK 4\lang1037\f0\rtlch \'f2\'e1\'e5\'f8 \'ee\'f2\'f8\'eb\'fa \'e4\'e4\'f4\'f2\'ec\'e4 \lang1033\f1\ltrch MICROSOFT

C:\5d17b88cf41ba603370ca60cf86c\1038\LocalizedData.xml

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	86442
Entropy (8bit):	3.674300926924721
Encrypted:	false
SSDEEP:	1536:Ji+5JLuNF70SNjPBzuXrXdJHbdi3kC4kL1:Ji+5JLyF70SNjPBzuXrXdJHbdi3kCZZ
MD5:	89D4356E0F226E75CA71D48690E8EC15
SHA1:	2336CAA971527977F47512BC74E88CEC3F770C7D
SHA-256:	FCBB619DEB2D57B791A78954B0342DBB2FEF7DDD711066A0786C8EF669D2B385
SHA-512:	FA03D55A4AAFE94CBF5C134A65BD809FC86C042BC1B8FFBC9A2A5412EB70A468551C05C44B6CE81F638DF43CCA599AA1DD6F42F2DF3012C8A95A3612DF7C821E
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".A. .t.e.l.e.p...t.Q. .n.e.m. .f.u.t.t.a.t.h.a.t... .k.o.m.p.a.t.i.b.i.l.i.s. ...z.e.m.m...d.b.a.n... .T.o.v...b.b.i. .i.n.f.o.r.m...c.i... .a. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.F.o.n.t.o.s. .f...j.l.b.a.n.&.l.t.;./.A.&.g.t.;. .o.l.v.a.s.h.a.t....."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.i.n.s.t.a.l.l.W.a.r.

C:\5d17b88cf41ba603370ca60cf86c\1038\SetupResources.dll

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18776
Entropy (8bit):	5.210200964255437
Encrypted:	false
SSDEEP:	384:mTW68sRjOP2w99bfc/ta4V3mfCHpeEVn3i0MC4wWqyWpLXci2jpv5nNY:m+Aj0R99bfKtHVWfCJeEVn3i0MC44pMQ
MD5:	C1BF3D63576D619B24837B72986DFAD4
SHA1:	7392C7B478090831EB2E213BF1224E4F16FDD4D8
SHA-256:	0995DD70D260673F954DE54FDBA53D55218C536034BE6342E135C7D514073869
SHA-512:	597F327DF59B0F0CF39FC8753154E55CA8053F489F3FAA5A59C3E7F2115148FE4B49313A94C7CE802AF4B9A1D3FDDF92D3EDC60246E68B17F4CA57CFA3B33397
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........................................................P.......(....@.......................................... ..4+...........2..X............................................................................................text...G...........................@..@.rsrc....0... ...,..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\5d17b88cf41ba603370ca60cf86c\1038\eula.rtf

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	4254
Entropy (8bit):	5.3269919672171735
Encrypted:	false
SSDEEP:	96:k8BfeEfTtXeTjXyZD+dtQRzrGJ6JwtxYMpDNeb6CZXKEp5/Eupwy9Ep+LM2:kgffCXPdOzSJ6JwkOBjC0V2
MD5:	58E6E6D6258994D6A08C6101F11F302D
SHA1:	DF2DB9DA70204CBB539D17DF860A6C45613EF086
SHA-256:	70546BABD12AFAF9FFCC437712DF5491DDF9A6AF8AB4F319FC0EA23AFB186726
SHA-512:	A4A992E2E44C8594E22849C3ED9019C32CF4085E90CC45F0E45A210E68A574A47BF1A06FA405B1F725E1A4DEFBD27E46FE52F3E7A829C8288EC0208BEAC3238B
Malicious:	false
Preview:	{\rtf1\fbidis\ansi\ansicpg1250\deff0\deflang1038\deflangfe1038{\fonttbl{\f0\fswiss\fprq2\fcharset238 Tahoma;}{\f1\froman\fprq2\fcharset238{\\fname Times New Roman;}Times New Roman CE;}{\f2\fswiss\fprq2\fcharset238 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\ltrpar\nowidctlpar\sb120\sa120\b\f0\fs20 KIEG\'c9SZ\'cdT\'d5 LICENCFELT\'c9TELEK MICROSOFT SZOFTVERHEZ\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \ltrpar\nowidctlpar\sb120\sa120\f0 MICROSOFT .NET-KERETRENDSZER 4 MICROSOFT WINDOWS OPER\'c1CI\'d3S RENDSZERHEZ\f1\par..\f0 MICROSOFT .NET-KERETRENDSZER 4 \'dcGYF\'c9LPROFIL MICROSOFT WINDOWS OPER\'c1CI\'d3S RENDSZERHEZ\par..\'c9S A KAPCSOL\'d3D\'d3 NYELVI CSOMAGOK\f1\par..\pard\ltrpar\nowidctlpar\sb120\sa120\b0\f0 Ezen kieg\'e9sz\'edt\'e9s licenc\'e9t a Microsoft Corporation (vagy az \'d6n lakhelye alapj\'e1n egy t\'e1rsv\'e1llalata) ny\'fajtja \'d6nnek.\b \b0\'d6n akkor haszn\'e1lhatja ezt a kieg\'e9sz\'edt\'e9st, ha rende

C:\5d17b88cf41ba603370ca60cf86c\1040\LocalizedData.xml

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	80060
Entropy (8bit):	3.556654700353072
Encrypted:	false
SSDEEP:	384:4wFACg1fPK/YBZ3tMa9eIzNZNs4fzWmJVo5HnscuRv:/ACgNKjaVLJi2
MD5:	EDA1EC689D45C7FAA97DA4171B1B7493
SHA1:	807FE12689C232EBD8364F48744C82CA278EA9E6
SHA-256:	80FAA30A7592E8278533D3380DCB212E748C190AAEEF62136897E09671059B36
SHA-512:	8385A5DE4EB6B38169DD1EB03926BC6D4604545801F13D99CEE3ACEDE3D34EC9F9D96B828A23AE6246809DC666E67F77A163979679956297533DA40F9365BF2C
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".I.m.p.o.s.s.i.b.i.l.e. .e.s.e.g.u.i.r.e. .i.l. .p.r.o.g.r.a.m.m.a. .d.i. .i.n.s.t.a.l.l.a.z.i.o.n.e. .i.n. .m.o.d.a.l.i.t... .d.i. .c.o.m.p.a.t.i.b.i.l.i.t..... .P.e.r. .u.l.t.e.r.i.o.r.i. .i.n.f.o.r.m.a.z.i.o.n.i.,. .v.e.d.e.r.e. .i.l. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.f.i.l.e. .R.e.a.d.m.e.&.l.t.;./.A.&.g.t.;..."./.>..... . . . . . .<.T.

C:\5d17b88cf41ba603370ca60cf86c\1040\SetupResources.dll

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18264
Entropy (8bit):	5.142702232041524
Encrypted:	false
SSDEEP:	384:77n6Tg7AtONBKHno5hWXeWFLXci2jpvz2:7XAbs+ZMi2jpvz2
MD5:	E4860FC5D4C114D5C0781714F3BF041A
SHA1:	864CE88E8AB1DB9AFF6935F9231521B6B72D5974
SHA-256:	6B2D479D2D2B238EC1BA9D14F9A68DC552BC05DCBCC9007C7BB8BE66DEFC643B
SHA-512:	39B0A97C4E83D5CCA1CCCCE494831ADBC18DF1530C02E6A2C13DAE66150F66A7C987A26CECB5587EA71DD530C8BE1E46922FE8C65AE94145D90B0A057C06548D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........,...............................................P......^.....@.......................................... ...)...........0..X............................................................................................text...G...........................@..@.rsrc....0... ...*..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\5d17b88cf41ba603370ca60cf86c\1040\eula.rtf

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	3643
Entropy (8bit):	5.117983582325958
Encrypted:	false
SSDEEP:	96:rwBfYOP/TfVTJDwXtxjCJEZ+jw/Njppm/F/ZaFgcT/okOct2:yfYXRzMjsA9/EFxDt2
MD5:	6C9C19BFED724146512493F05CBA4F0F
SHA1:	DE249075AAC70D4661ED559FD64DE9F33DE43DB5
SHA-256:	C405AB9949C10619742AF1AF153521FFD85C16821324C16233B025F982A98CAD
SHA-512:	709A522477121EE32152DBE7F90EE4B597621761854B55A791C07C9521FFB899A21C0B84351A68AC3A583B43A91AC5164EF34259D153D21B47C404B4313893B3
Malicious:	false
Preview:	{\rtf1\fbidis\ansi\ansicpg1252\deff0\deflang1040\deflangfe1041{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset0 Times New Roman;}{\f2\fswiss\fprq2\fcharset0 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\ltrpar\nowidctlpar\sb120\sa120\b\f0\fs20 CONDIZIONI DI LICENZA SOFTWARE MICROSOFT SUPPLEMENTARI\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \ltrpar\nowidctlpar\sb120\sa120\f0 MICROSOFT .NET FRAMEWORK 4 PER IL SISTEMA OPERATIVO MICROSOFT WINDOWS\f1\par..\f0 MICROSOFT .NET FRAMEWORK 4 CLIENT PROFILE PER IL SISTEMA OPERATIVO MICROSOFT WINDOWS\par..E RELATIVI LANGUAGE PACK \f1\par..\pard\ltrpar\nowidctlpar\sb120\sa120\b0\f0 Microsoft Corporation (o, in base al luogo di residenza del licenziatario, una delle sue consociate) concede in licenza al licenziatario il presente supplemento.\b \b0 Qualora il licenziatario sia autorizzato a utilizzare il software per il sistema operativo Microsoft Windows (per il qua

C:\5d17b88cf41ba603370ca60cf86c\1041\LocalizedData.xml

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	68226
Entropy (8bit):	4.416259780276574
Encrypted:	false
SSDEEP:	384:4wVzQOXe7GoXHoMIpYnxKJMlvWy0aO8rRnfJGnav:3QOu7GlCnkJMlvWy0aO8rRnfJ5
MD5:	64FFA6FF8866A15AFF326F11A892BEAD
SHA1:	378201477564507A481BA06EA1BC0620B6254900
SHA-256:	7570390094C0A199F37B8F83758D09DD2CECD147132C724A810F9330499E0CBF
SHA-512:	EA5856617B82D13C9A312CB4F10673DBC4B42D9AC5703AD871E8BDFCC6549E262E61288737AB8EBCF77219D24C0822E7DACF043D1F2D94A97C9B7EC0A5917EF2
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."..0.0.0.0.0.0o0.N.c.0.0.0g0.[L.g0M0~0[0.0.0s.0}k0d0D0f0o0.0&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;..0.0.0.0 ..0.0.0&.l.t.;./.A.&.g.t.;..0.SgqW0f0O0`0U0D0.0"./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.i.n.s.t.a.l.l.W.a.r.n.i.n.g.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".M.i.c.r.o.s.o.f.t. ...N.E.T. .F.r.a.m.e.w.o.r.k. ..0.0.0

C:\5d17b88cf41ba603370ca60cf86c\1041\SetupResources.dll

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15704
Entropy (8bit):	5.929554826924656
Encrypted:	false
SSDEEP:	192:Cg0rjUfwtW1+/FuZhS5CSJk/lhAW5kEW1QKPnEtObMacxc8hjeyveCXPX:5hC7mS53JkNSW5kEW1LXci2jpvJ
MD5:	278FD7595B580A016705D00BE363612F
SHA1:	89A299A9ABECB624C3606267371B7C07B74B3B26
SHA-256:	B3ECD3AEA74D0D97539C4971C69F87C4B5FE478FC42A4A31F7E1593D1EBA073F
SHA-512:	838D23D35D8D042A208E8FA88487CD1C72DA48F336157D03B9549DD55C75DA60A83F6DD2B3107EB3E5A24F3FAD70AE1629ACC563371711117C3C3E299B59D838
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!........."...............................................@............@.......................................... ..h............&..X............................................................................................text...G...........................@..@.rsrc.... ... ... ..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\5d17b88cf41ba603370ca60cf86c\1041\eula.rtf

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	10125
Entropy (8bit):	4.144479793761895
Encrypted:	false
SSDEEP:	192:tEf13/qC2+PCsANROmuuU8EhZFJEj2VQoKOwyWAOxzpOh+uqaJgt2:tBtQoCnGDzhuqz2
MD5:	75CE7D721BDB78F1020ACF2B206B1859
SHA1:	CC0418DE8806811D21B19005BC5DB0092767F340
SHA-256:	2ABDC7246E95E420B4E66CC3C07ACDB56FF390BCD524E0D8525D5BF345030A5A
SHA-512:	FAFAC863DC825FC0B104751FE62CDA2C43048683F9D7E45659784206EA67F1AA98EA282AFC2A3A4BA287D03F73B21EC1E2F8C02F5D036CE96CAEFD851A5389E5
Malicious:	false
Preview:	{\rtf1\fbidis\ansi\ansicpg932\deff0\deflang1033\deflangfe1041{\fonttbl{\f0\fmodern\fprq2\fcharset128 \'82\'6c\'82\'72 \'82\'6f\'83\'53\'83\'56\'83\'62\'83\'4e;}{\f1\fswiss\fprq2\fcharset0 Tahoma;}{\f2\froman\fprq2\fcharset0 Times New Roman;}{\f3\fswiss\fprq2\fcharset0 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\\generator Msftedit 5.41.21.2509;}{\info{\horzdoc}{\\lchars $(<?[\'5c\'7b\'81\'92\'5c\'81\'e1\'81\'65\'81\'67}{\*\fchars !%'),.:\'3b>?]\'7d\'81\'91\'81\'8b\'81\'45\'81\'e2\'81\'66\'81\'68\'81\'f1}}..\viewkind4\uc1\pard\ltrpar\nowidctlpar\sb120\sa120\lang1041\b\f0\fs20\'83\'7d\'83\'43\'83\'4e\'83\'8d\'83\'5c\'83\'74\'83\'67\lang1033\f1 \lang1041\f0\'83\'5c\'83\'74\'83\'67\'83\'45\'83\'46\'83\'41\'92\'c7\'89\'c1\'83\'89\'83\'43\'83\'5a\'83\'93\'83\'58\'8f\'f0\'8d\'80\lang1033\f2\par..\pard\brdrb\brdrs\brdrw10\brsp20 \ltrpar\nowidctlpar\sb120\sa120\f1 MICROSOFT WINDOWS \lang1041\f0\'83\'49\'83\'79\'83\'8c\'81\'5b\'83\'65\'83\'42\'83\'93\'83\'4f\lang1033\f1 \lang1041\

C:\5d17b88cf41ba603370ca60cf86c\1042\LocalizedData.xml

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	65238
Entropy (8bit):	4.384411743704147
Encrypted:	false
SSDEEP:	384:4wsx1QzSzXLGKgooDQA0pb5ywW4JSUQvEQzH/dv:egtqpb5yw5Jg
MD5:	78C16DA54542C9ED8FA32FED3EFAF10D
SHA1:	AD8CFE972C8A418C54230D886E549E00C7E16C40
SHA-256:	E3E3A2288FF840AB0E7C5E8F7B4CFB1F26E597FB17CFC581B7728116BD739ED1
SHA-512:	D9D7BB82A1D752A424BF81BE3D86ABEA484ACBB63D35C90A8EE628E14CF34A7E8A02F37D2EA82AA2CE2C9AA4E8416A7A6232C632B7655F2033C4AAAB208C60BF
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".8.X. .......... .$.X. ...\.....D. ....`. ... ........ ...8.\. .....@. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;..... ..... ...\|.&.l.t.;./.A.&.g.t.;.D. .8.p.X.....$..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.i.n.s.t.a.l.l.W.a.r.n.i.n.g.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".M.i.c.r.o.s.o.f.t. ...N.E.T. .F.r.a.m.e.

C:\5d17b88cf41ba603370ca60cf86c\1042\SetupResources.dll

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15192
Entropy (8bit):	5.9622226182057325
Encrypted:	false
SSDEEP:	192:Hpix6f+jYxzekdPKNS0N7gVCAMWpCeWRQKPnEtObMacxc8hjeyveCXmo+:3ibMj0lgRMWpCeWRLXci2jpv8o+
MD5:	FCFD69EC15A6897A940B0435439BF5FC
SHA1:	6DE41CABDB45294819FC003560F9A2D1E3DB9A7B
SHA-256:	90F377815E3C81FC9AE5F5B277257B82811417CA3FFEACD73BAB530061B3BE45
SHA-512:	4DC3580B372CEE1F4C01569BAEA8CD0A92BC613648DB22FF1855920E47387A151964B295A1126597B44BB0C596E8757B1FCF47CDA010F9BBB15A88F97F41B8BF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!......... ...............................................@......v.....@.......................................... ...............$..X............................................................................................text...G...........................@..@.rsrc.... ... ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\5d17b88cf41ba603370ca60cf86c\1042\eula.rtf

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	12687
Entropy (8bit):	4.39170120937692
Encrypted:	false
SSDEEP:	192:MUf0PVF4MjeKojIfE6wK+b/mIr4tIAcAIce5rD6O1IuonKZim+dfNAW6qUK84Zn+:aK0wB/Tr4TmckIuCm+TAWdUN/re2
MD5:	A3B318528E286EC387E81934E5D3B081
SHA1:	CEDCC08D008E21C0E88EEF8354DAB8CFF2EF51AD
SHA-256:	2954EDB51628942A37A9BF58DA628932638C35ED61744892E42623FE4CCD06A0
SHA-512:	3544D9BE654C859CDE2B9CD8614C5ABED89E488DFEE2F51AB92A509873DC504942E375388D12379DE9D29DEEDE662667F8CC4BC6D2DCD50C5AC865CE6C44352D
Malicious:	false
Preview:	{\rtf1\fbidis\ansi\ansicpg949\deff0\deflang1033\deflangfe1042{\fonttbl{\f0\fswiss\fprq2\fcharset0 Arial;}{\f1\froman\fprq2\fcharset129 \'b9\'d9\'c5\'c1;}}..{\colortbl ;\red0\green0\blue255;}..{\\generator Msftedit 5.41.21.2509;}{\info{\horzdoc}{\\lchars $(<?[\'5c\'7b\'a1\'cc\'a1\'cd\'a1\'ec\'a1\'ae\'a1\'b0}{\*\fchars !%'),.:\'3b>?]\'7d\'a1\'cb\'a1\'c6\'a1\'ed\'a1\'af\'a1\'b1}}..\viewkind4\uc1\pard\ltrpar\nowidctlpar\sb120\sa120\b\f0\fs28 MICROSOFT \lang1042\f1\'bc\'d2\'c7\'c1\'c6\'ae\'bf\'fe\'be\'ee\lang1033\f0 \lang1042\f1\'c3\'df\'b0\'a1\lang1033\f0 \lang1042\f1\'bb\'e7\'bf\'eb\'b1\'c7\lang1033\f0 \lang1042\f1\'b0\'e8\'be\'e0\'bc\'ad\lang1033\f0\par..\pard\brdrb\brdrs\brdrw10\brsp20 \ltrpar\nowidctlpar\sb120\sa120\fs20 MICROSOFT WINDOWS \lang1042\f1\'bf\'ee\'bf\'b5\lang1033\f0 \lang1042\f1\'c3\'bc\'c1\'a6\'bf\'eb\lang1033\f0 MICROSOFT .NET FRAMEWORK 4\par..MICROSOFT WINDOWS \lang1042\f1\'bf\'ee\'bf\'b5\lang1033\f0 \lang1042\f1\'c3\'bc\'c1\'a6\'bf\'eb\lang1033\f0 MICROSOFT .N

C:\5d17b88cf41ba603370ca60cf86c\1043\LocalizedData.xml

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	79634
Entropy (8bit):	3.5656146816718155
Encrypted:	false
SSDEEP:	384:4wCsfDNzgDbRiRVqxdYRF405vYtyVB1HaAzTGZUeJvuQFKhlQ5gwJBKQauJf1tSY:jbZKbRyVqb82IB+GlQ5gwJBzauJzkA
MD5:	6506B4E64EBF6121997FA227E762589F
SHA1:	71BC1478C012D9EC57FC56A5266DD325B7801221
SHA-256:	415112AE783A87427C2FADD7B010ADE4F1A7C23B27E4B714B7B507C16B572A1C
SHA-512:	39024EA9D42352F7C1BD6FEFE0574054ECEB4059F773CFAEB26C42FAADA2540AE95FB34718D30CCB6DA157D2597F80D12A024461FBD0E8D510431BA6FFA81EC2
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".S.e.t.u.p. .k.a.n. .n.i.e.t. .w.o.r.d.e.n. .u.i.t.g.e.v.o.e.r.d. .i.n. .d.e. .c.o.m.p.a.t.i.b.i.l.i.t.e.i.t.s.m.o.d.u.s... .R.a.a.d.p.l.e.e.g. .h.e.t. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.L.e.e.s.m.i.j.-.b.e.s.t.a.n.d.&.l.t.;./.A.&.g.t.;. .v.o.o.r. .m.e.e.r. .i.n.f.o.r.m.a.t.i.e..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.

C:\5d17b88cf41ba603370ca60cf86c\1043\SetupResources.dll

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19288
Entropy (8bit):	5.101791972320269
Encrypted:	false
SSDEEP:	384:3124Y0WDDkowwX8OZjv1t2WlLeWvLXci2jpvc:lYZhzMi2jpvc
MD5:	76D6E9F15D842E6A56EE42C9C5CCABCA
SHA1:	36E6FA7C032F69DEA2C34B5934AC556AAE738CBB
SHA-256:	A961DE62DA74B05EAF593BB78A4A5A4C5586FE2D0D4A45D99675D03E7F01D7C5
SHA-512:	F9E04AA073EBF98BDD13F6A0A9214DDA42CD5FDFEC24873CF171B77D31408CA6698BF0C9D931A93BDD7A54FE55A9E6394F2C8050C7E847455E4A36585E36D6EB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........0...............................................P......ky....@.......................................... ...,...........4..X............................................................................................text...G...........................@..@.rsrc....0... ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\5d17b88cf41ba603370ca60cf86c\1043\eula.rtf

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	3546
Entropy (8bit):	5.203062637938479
Encrypted:	false
SSDEEP:	96:rTBfrnjTsVT08DfQhtJlIcm3wEM8LPMpDlGu3x+O0H+Ozo+SBT+OZt6S2:ZfLltGwEMAPOkukO0eONNOT2
MD5:	305AE79EC7D0E8D1F826D70D7D469BB4
SHA1:	BBE8FFD83FCA6C013A20CDEE6EA0AFFD988C4815
SHA-256:	69537AEF05EDFB55EC32897B3DD59724A825FDDECCD92BDD5E8840CB92B1B383
SHA-512:	A7368CEC366E8F717F3FD51FA71133A02C5E7B44D095B849320E15F8D95DC1A58AB977FA9A4C1633FCD1AD82D929FF8FB2271C816BE8B2B8892D7389E3E3EACD
Malicious:	false
Preview:	{\rtf1\fbidis\ansi\ansicpg1252\deff0\deflang1033\deflangfe1033{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset0 Times New Roman;}{\f2\fswiss\fprq2\fcharset0 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\ltrpar\nowidctlpar\sb120\sa120\lang1043\b\f0\fs20 AANVULLENDE LICENTIEVOORWAARDEN VOOR MICROSOFT-SOFTWARE\lang1033\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \ltrpar\nowidctlpar\sb120\sa120\lang1043\f0 MICROSOFT .NET FRAMEWORK 4 VOOR HET BESTURINGSSYSTEEM MICROSOFT WINDOWS\lang1033\f1\par..\lang1043\f0 MICROSOFT .NET FRAMEWORK 4 CLIENT PROFILE VOOR HET BESTURINGSSYSTEEM MICROSOFT WINDOWS \par..EN GERELATEERDE TAALPAKKETTEN\lang1033\f1\par..\pard\ltrpar\nowidctlpar\sb120\sa120\lang1043\b0\f0 Microsoft Corporation (of, afhankelijk uw locatie, een van haar gelieerde ondernemingen) geeft dit supplement aan u in licentie.\lang1033\b \lang1043\b0 Als u een licentie hebt voor het gebruik van Microsoft Windows

C:\5d17b88cf41ba603370ca60cf86c\1044\LocalizedData.xml

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	79296
Entropy (8bit):	3.5898407770439955
Encrypted:	false
SSDEEP:	384:4wn2IhI4z6T1sHCqeHveRWUw+KbGpK+9C/E6b2NJBf2OEuv:V9hI4z6T1siqeHveRhAo9CM6b2NJBuOD
MD5:	120104FA24709C2A9D8EFC84FF0786CD
SHA1:	B513FA545EFAE045864D8527A5EC6B6CEBE31BB9
SHA-256:	516525636B91C16A70AEF8D6F6B424DC1EE7F747B8508B396EE88131B2BB0947
SHA-512:	1EA8EB2BE9D5F4EF6F1F2C0D90CB228A9BB58D7143CCAFE77E18CE52EC4ACA25DDE0BA18430FD4D3D7962D079CCBE7E2552B2C7090361E03C6FDFB7C2B9C7325
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".I.n.s.t.a.l.l.a.s.j.o.n.s.p.r.o.g.r.a.m.m.e.t. .k.a.n. .i.k.k.e. .k.j...r.e. .i. .k.o.m.p.a.t.i.b.i.l.i.t.e.t.s.m.o.d.u.s... .H.v.i.s. .d.u. .v.i.l. .h.a. .m.e.r. .i.n.f.o.r.m.a.s.j.o.n.,. .s.e. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.V.i.k.t.i.g.-.f.i.l.e.n.&.l.t.;./.A.&.g.t.;..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.

C:\5d17b88cf41ba603370ca60cf86c\1044\SetupResources.dll

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17752
Entropy (8bit):	5.209166644217636
Encrypted:	false
SSDEEP:	384:cNeu+Oeu+Oeu+rW56qxYBlgFAcUm/rW9eWoLXci2jpv72:TIxYBegm/WgMi2jpv72
MD5:	BACEA57A781C43738A3B065103479BB5
SHA1:	45E277CC370150293252535D5371B2C0F79B4874
SHA-256:	8B372354A54643F1159FAB562D0F2DFE21F08A3D67DBB7337242846316D3BEC4
SHA-512:	CD0BB774D1373A7B735AE9A867387527DAB28D7635B5DE881F92B66ECD87DA4E8F4605F3DF093294CA3060F993220472D3C926780BEB57BF3E90ECC081F0F1E1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........*...............................................P.......H....@.......................................... ..t'..............X............................................................................................text...G...........................@..@.rsrc....0... ...(..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\5d17b88cf41ba603370ca60cf86c\1044\eula.rtf

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	3046
Entropy (8bit):	5.1859499604057495
Encrypted:	false
SSDEEP:	48:rPN3nffnyzInT7BjTgLDRn0l392N4S2ZOMb5XgNRc9q5QB34pg5lqM9TX/ufMpDn:rPBffyUnT7BjTADRn0lN2N4S2wG5wNRq
MD5:	830EBCED0F03F267EEE7A5167C4E91A4
SHA1:	740075166941E5623ECB488B0390F25A84FEEC77
SHA-256:	2D0B46674BB383A56E6061D25F0D446C8B50C83C92269A3FCCB657429E9EF4BE
SHA-512:	CD146C8F35C1095E142EEDF2B486A22593A417138CAE35FBA00DEFB5395D6DAA34C84B6A345AE88A5B365D4E17190FD3C7F3AA384D2D4472E0413F432280F53E
Malicious:	false
Preview:	{\rtf1\fbidis\ansi\ansicpg1252\deff0\deflang1044\deflangfe1044{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset0 Times New Roman;}{\f2\fswiss\fprq2\fcharset0 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\ltrpar\nowidctlpar\sb120\sa120\b\f0\fs28 TILLEGGSLISENSVILK\'c5R FOR MICROSOFT-PROGRAMVARE\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \ltrpar\nowidctlpar\sb120\sa120\f0\fs22 MICROSOFT .NET FRAMEWORK 4 FOR MICROSOFT WINDOWS-OPERATIVSYSTEM\f1\par..\f0 MICROSOFT .NET FRAMEWORK 4-KLIENTPROFIL FOR MICROSOFT WINDOWS-OPERATIVSYSTEM\par..OG TILKNYTTEDE SPR\'c5KPAKKER\f1\par..\pard\ltrpar\nowidctlpar\sb120\sa120\b0\f0\fs20 Microsoft Corporation (eller, avhengig av hvor du bor, et av dets tilknyttede selskaper) lisensierer dette tillegget til deg.\b \b0 Hvis du er lisensiert til \'e5 bruke Microsoft Windows-operativsystemprogramvare (som dette tillegget gjelder for) (\ldblquote programvaren\rdblquote ), har du r

C:\5d17b88cf41ba603370ca60cf86c\1045\LocalizedData.xml

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	82374
Entropy (8bit):	3.6806551409534465
Encrypted:	false
SSDEEP:	768:lz2ue+xTxXUpUqTvvUOfUs6LArUpFymrqQtr8BAyfO4RkSzXunasvJH2TF0wpYl7:lz2ue+xTxXUpUOvvUOfUs6LqTavdJkUr
MD5:	BDB583C7A48F811BE3B0F01FCEA40470
SHA1:	E8453946A6B926E4F4AE5B02BA1D648DAF23E133
SHA-256:	611B7B7352188ADFFD6380B9C8A85B8FF97C09A1C293BB7AC0EF5478A0E18AC8
SHA-512:	27B02226F8F86CA4D00789317C79E8CA0089F5B910BED14AA664EEAB6BE66E98DE3BAFD7670C895D70AB9C34ECE5F05199F3556FDDC1B165904E3432A51C008D
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".I.n.s.t.a.l.a.t.o.r. .n.i.e. .m.o.\|.e. .d.z.i.a.B.a... .w. .t.r.y.b.i.e. .z.g.o.d.n.o.[.c.i... .A.b.y. .u.z.y.s.k.a... .w.i...c.e.j. .i.n.f.o.r.m.a.c.j.i.,. .z.o.b.a.c.z. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.P.l.i.k. .R.e.a.d.m.e.&.l.t.;./.A.&.g.t.;..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.i.n.s.t.a.l.l.W.a.

C:\5d17b88cf41ba603370ca60cf86c\1045\SetupResources.dll

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18264
Entropy (8bit):	5.2854545598714635
Encrypted:	false
SSDEEP:	192:fa1YUfwxWVxSIn+hnISv7N/blaRr26WneWAQKPnEtObMacxc8hjeyveCXW:iN2Gan9xblaRr26WneWALXci2jpvQ
MD5:	550C79640EEE713C73EB67B0736A92E6
SHA1:	51656BB182048F0ABFC57DC2DF9703D59E264442
SHA-256:	F90002DA2068F868D5A710444EA30F91AE2229DBEB660166C1E28935E4AB6078
SHA-512:	F90A9A5C399DEC2649E8EC088139E5FE4DD0419BDF7B5988BE8F437A35040A1E0D2F03D326B8C38B2F4F1CFDBE0269445120D95061BD691296E7C9B20C5EAC31
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........,...............................................P............@.......................................... ...(...........0..X............................................................................................text...G...........................@..@.rsrc....0... ...*..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\5d17b88cf41ba603370ca60cf86c\1045\eula.rtf

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	4040
Entropy (8bit):	5.362038982382671
Encrypted:	false
SSDEEP:	96:rTBfQaJRTIRTjzH+oDgQUoIs89FcG5ywI5Et/+TMm9MpDcA/+MvsNcUOsG9jeLdp:Zfo+Bs18ncG5Y5Et/+Z9OwAjs7OtRwdp
MD5:	BB93B108D4BE954133380F7709E7BA1E
SHA1:	34376037B3C5879142796A2F524E5B3EA6097ED1
SHA-256:	4F2D6A8979C89592877555FE8F576D5F631132452AFE86114D35E9531A1CA948
SHA-512:	69C60EF8C0E6A8F7A92EC9A9C94C99F6DDE39477D8DEE041ABF7A164025D7EBFC9F0C7399AD8C9ED150861B00FC47F1F1CB40BB245AA87ED7904B1BAE6A4271B
Malicious:	false
Preview:	{\rtf1\fbidis\ansi\ansicpg1252\deff0\deflang1033\deflangfe1033{\fonttbl{\f0\fswiss\fprq2\fcharset238 Tahoma;}{\f1\froman\fprq2\fcharset238{\\fname Times New Roman;}Times New Roman CE;}{\f2\fswiss\fprq2\fcharset238 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\ltrpar\nowidctlpar\sb120\sa120\lang1045\b\f0\fs20 UZUPE\'a3NIAJ\'a5CE POSTANOWIENIA LICENCYJNE DOTYCZ\'a5CE OPROGRAMOWANIA MICROSOFT\lang1033\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \ltrpar\nowidctlpar\sb120\sa120\f0 MICROSOFT .NET FRAMEWORK 4 DLA SYSTEMU OPERACYJNEGO MICROSOFT WINDOWS\f1\par..\f0 PROFIL KLIENTA PROGRAMU MICROSOFT .NET FRAMEWORK 4 DLA SYSTEMU OPERACYJNEGO MICROSOFT WINDOWS\par..I POWI\'a5ZANYCH PAKIET\'d3W J\'caZYKOWYCH\f1\par..\pard\ltrpar\nowidctlpar\sb120\sa120\b0\f0 Microsoft \lang1045 Corporation (lub, w\~zale\'bfno\'9cci od miejsca zamieszkania Licencjobiorcy, jeden z\~podmiot\'f3w stowarzyszonych Microsoft Corporation) udziela Licencjobiorcy

C:\5d17b88cf41ba603370ca60cf86c\1046\LocalizedData.xml

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	80738
Entropy (8bit):	3.581949939963976
Encrypted:	false
SSDEEP:	384:4wl7DAQput9emRem6cvMOem6QemIAY/YEQTeQoqk7EHd9nKxXq5fKsLaG5m73Rdv:geOeqeCe1CkyJtG07g
MD5:	A03D2063D388FC7A1B4C36D85EFA5A1A
SHA1:	88BD5E2FF285EE421CCC523F7582E05A8C3323F8
SHA-256:	61D8339E89A9E48F8AE2D929900582BB8373F08D553EC72D5E38A0840B47C8A3
SHA-512:	3A219F36E57D90CA92E9FAEC4DFD34841C2C9244DA4FE7E1D70608DDE7857AA36325BDB46652A42922919F782BB7C97F567E69A9FC51942722B8FD66CD4ECAF0
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".N...o. ... .p.o.s.s...v.e.l. .e.x.e.c.u.t.a.r. .a. .i.n.s.t.a.l.a.....o. .e.m. .m.o.d.o. .d.e. .c.o.m.p.a.t.i.b.i.l.i.d.a.d.e... .P.a.r.a. .o.b.t.e.r. .m.a.i.s. .i.n.f.o.r.m.a.....e.s.,. .c.o.n.s.u.l.t.e. .o. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.a.r.q.u.i.v.o. .L.e.i.a.m.e.&.l.t.;./.A.&.g.t.;..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.

C:\5d17b88cf41ba603370ca60cf86c\1046\SetupResources.dll

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18264
Entropy (8bit):	5.203641313145023
Encrypted:	false
SSDEEP:	192:zjkTnUfwVWwwZFf7TOS7LDoKGslNDGf8BjWNeWSQKPnEtObMacxc8hjeyveCXKuj:zom6QT7FprmmWNeWSLXci2jpv3j
MD5:	86CB58F2B6BC1174D200D0ABE5497233
SHA1:	F1174409A44D922C23F376C6BC7609BBDAD5016C
SHA-256:	DD7FB50E88355F46D619D89E47D3057ACC1C069178BA81839970BB13479FCF4C
SHA-512:	AD4C9124F2459FB83C977B235B7ACDDA86AFAEBE9FEBD8BE084AA50E87AB091331A8724EC517D5096487970A3992C7E3D255CDA31DC494544CABA5DEF9C93DD1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........,...............................................P......E.....@.......................................... ...(...........0..X............................................................................................text...G...........................@..@.rsrc....0... ...*..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\5d17b88cf41ba603370ca60cf86c\1046\eula.rtf

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	3683
Entropy (8bit):	5.188584376027454
Encrypted:	false
SSDEEP:	96:rTBfAlMu9fTp/9fTdIDsGJ1KlhREerHr7uStmESWp55ztFuMpDl/BRwZ+qf+J4Ed:ZfeuqhGeHVIErn1zuO9BC8q2WEHt+B2
MD5:	E43708161843A33D34D6FDF966D36397
SHA1:	2E5C0450CEBD9A737A90908EEDDAAE2D0B3E2940
SHA-256:	0AF1F04F416712387BF87C93FA846B4E8EB0AC25E284A2A3578C58E2724E2778
SHA-512:	FB334D29BBBC2D19D20C5260C55BF83D9D6D242C6A8F04AC88F8280A63E6AF32FB5D96703E43D39F6863D17B27D9E0E36CBAB1099127E5FA281255A19AE39E0D
Malicious:	false
Preview:	{\rtf1\fbidis\ansi\ansicpg1252\deff0\deflang1033\deflangfe1033{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset0 Times New Roman;}{\f2\fswiss\fprq2\fcharset0 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\ltrpar\nowidctlpar\sb120\sa120\lang1046\b\f0\fs20 TERMOS DE LICEN\'c7A COMPLEMENTARES PARA SOFTWARE DA MICROSOFT\lang1033\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \ltrpar\nowidctlpar\sb120\sa120\lang1046\f0 MICROSOFT .NET FRAMEWORK 4 PARA SISTEMA OPERACIONAL MICROSOFT WINDOWS\lang1033\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \ltrpar\lang1046\f0 PERFIL DO CLIENTE DO MICROSOFT .NET FRAMEWORK 4 PARA SISTEMA OPERACIONAL MICROSOFT WINDOWS\line\par..E PACOTES DE IDIOMAS ASSOCIADOS\lang1033\b0\f1\fs22\par..\pard\ltrpar\nowidctlpar\sb120\sa120\lang1046\f0\fs20 A Microsoft Corporation (ou, dependendo do local em que voc\'ea esteja domiciliado, uma de suas afiliadas) fornece a voc\'ea a licen\'e7a deste supleme

C:\5d17b88cf41ba603370ca60cf86c\1049\LocalizedData.xml

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	81482
Entropy (8bit):	4.270033694989682
Encrypted:	false
SSDEEP:	384:4w7iPuXsPXBUhOLGvVVA5/Fpn9zJop9TE+zkX6JS/5cGhj/6v:MP5XyZVrJF
MD5:	349B52A81342A7AFB8842459E537ECC6
SHA1:	6268343E82FBBABE7618BD873335A8F9F84ED64D
SHA-256:	992BF5AEB06AA3701D50C23FA475B4B86D8997383C9F0E3425663CFBD6B8A2A5
SHA-512:	EF4CBD3F7F572A9F146A524CFBC2EFBD084E6C70A65B96A42339ADC088E3F0524BC202548340969481E7F3DF3AC517AC34B200B56A3B9957802ABD0EFA951C49
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."...5. .C.4.0.5.B.A.O. .2.K.?.>.;.=.8.B.L. .C.A.B.0.=.>.2.:.C. .2. .@.5.6.8.<.5. .A.>.2.<.5.A.B.8.<.>.A.B.8... ...>.?.>.;.=.8.B.5.;.L.=.K.5. .A.2.5.4.5.=.8.O. .A.<... .2. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.D.0.9.;.5. .A.2.5.4.5.=.8.9. .>. .?.@.>.4.C.:.B.5.&.l.t.;./.A.&.g.t.;..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.

C:\5d17b88cf41ba603370ca60cf86c\1049\SetupResources.dll

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18264
Entropy (8bit):	5.548909804205606
Encrypted:	false
SSDEEP:	192:eRBvnUfwVWBC623DV3SD1tt9WfXHT7nMsmxeW1QKPnEtObMacxc8hjeyveCXgFK1:e/C6+URiD1vwLoPeW1LXci2jpvaFHM
MD5:	7EF74AF6AB5760950A1D233C582099F1
SHA1:	BF79FF66346907446F4F95E1E785A03CA108EB5D
SHA-256:	658398F1B68D49ABD37FC3B438CD564992D4100ED2A0271CBF83173F33400928
SHA-512:	BBBB099AD24F41785706033962ACFC75039F583BEED40A7CDC8EDA366AB2C77F75A5B2792CF6AACB80B39B6B1BB84ECE372BE926FF3F51028FB404D2F6334D78
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........,...............................................P......O.....@.......................................... ..............0..X............................................................................................text...G...........................@..@.rsrc....0... .....................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\5d17b88cf41ba603370ca60cf86c\1049\eula.rtf

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	54456
Entropy (8bit):	4.950349023670169
Encrypted:	false
SSDEEP:	768:3CR6rdlWFJv3zGz9tWQ2ni8UNo/8PZrS14Z:3CcrMeDZ
MD5:	2277852A45DA18B12BEEC5FB6F08CDC9
SHA1:	E564862D098BD111430C4208EAA1ADD5CD52A601
SHA-256:	59AD806664E3CE4A024452985C4602D5610126A16FC36ADE018A9756ACCC92CC
SHA-512:	ED9726D207479E4DF494C6AF17E64909EA6649DDD8BDC3E37229A73270B4A159B2B11C1ADD462871DD40A23033E6B3F8A26E3EA1FA6E3B7316153AF13B316CD2
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1033\themelang1033\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}..{\f38\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604030504040204}Tahoma;}{\f44\fbidi \froman\fcharset0\fprq2 Times New Roman CYR;}{\f45\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0603020202020204}Trebuchet MS;}..{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\fbimajor\f31503\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\flominor\f31504\fbidi \froman\fcharset0\fprq2{\*\pa

C:\5d17b88cf41ba603370ca60cf86c\1053\LocalizedData.xml

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	77680
Entropy (8bit):	3.602060477304833
Encrypted:	false
SSDEEP:	384:4w+optBSCVb5v6iMSsCtD7jjktDhHfLSGM3zD0q0Xt//Vvcinnl/06N9mGktJsIO:QqtBSCVb5v69SsuD7jwDkqmGeJsoON
MD5:	B3B1A89458BEC6AF82C5386D26639B59
SHA1:	D9320B8CC862F40C65668A40670081079B63CEA1
SHA-256:	1EF312E8BE9207466FBFDECEE92BFC6C6B7E2DA61979B0908EAF575464E7B7A0
SHA-512:	478CE08619490ED1ECDD8751B5F60DA1EE4AC0D08D9A97468C3F595AC4376FECA59E9C72DD9C83B00C8D78B298BE757C6F24A422B7BE8C041F780524844998BF
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".I.n.s.t.a.l.l.a.t.i.o.n.s.p.r.o.g.r.a.m.m.e.t. .k.a.n. .i.n.t.e. .k...r.a.s. .i. .k.o.m.p.a.t.i.b.i.l.i.t.e.t.s.l...g.e... .M.e.r. .i.n.f.o.r.m.a.t.i.o.n. .f.i.n.n.s. .i. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.V.i.k.t.i.g.t.-.f.i.l.e.n.&.l.t.;./.A.&.g.t.;..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.i.n.s.t.a.l.l.

C:\5d17b88cf41ba603370ca60cf86c\1053\SetupResources.dll

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17752
Entropy (8bit):	5.196946497211754
Encrypted:	false
SSDEEP:	384:W9U6qxM8IJu5M/oZVQVWpyeWRLXci2jpvE:WIxMwLVWVMi2jpvE
MD5:	28813510B82F45868B5BDC67FFF9C9FA
SHA1:	696A06D1F7B13C20599C53E74969BDC99AB5D30A
SHA-256:	EB0A73F6BFAF65FAA58440D57145709894E9A5354E840805EC02DCE153332249
SHA-512:	A01A7C8147138125BBFF7D135FACF255A0284AFABD2BB28D5CB6E54C86A8F1A685855B5561584574A057D4FCFDEF630A10AD262495C58EA5DF974A3249787D9B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........*...............................................P......8p....@.......................................... ...'..............X............................................................................................text...G...........................@..@.rsrc....0... ...(..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\5d17b88cf41ba603370ca60cf86c\1053\eula.rtf

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	3865
Entropy (8bit):	5.329033876405121
Encrypted:	false
SSDEEP:	96:rTBfv+/9TfHTGDXtZEOuAs50Y1EIF19VWMpDHvuKMLDBD+d54+QFEp5Tf+8K+l1S:5ffduAs591EIb9gOpqDoDZQmx2W2
MD5:	E2F73097FC60F5347BAD1C1E93B2941B
SHA1:	8564447AF45B488AC713D898405B759365662598
SHA-256:	72860227092C38AE5E00E24C75E9B263E77BD2032EE597AABE408B9176448097
SHA-512:	94ECD5BD5053A417BFF3E49C5E7B362843D2C850DA09D389161D4F4D98DE624473E0F143E6A088AB288AB4DA49B7910FFC80F77401009F560B60470FB13609B1
Malicious:	false
Preview:	{\rtf1\fbidis\ansi\ansicpg1252\deff0\deflang1053\deflangfe1053{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset0 Times New Roman;}{\f2\fswiss\fprq2\fcharset0 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\ltrpar\sb120\sa120\lang1033\b\f0\fs28 TILL\'c4GGSLICENSVILLKOR F\'d6R PROGRAMVARA FR\'c5N MICROSOFT\par..\pard\brdrb\brdrs\brdrw10\brsp20 \ltrpar\sb120\sa120\fs22 MICROSOFT .NET FRAMEWORK 4 F\'d6R OPERATIVSYSTEMET MICROSOFT WINDOWS\f1\par..\f0 MICROSOFT .NET FRAMEWORK 4 CLIENT PROFILE F\'d6R OPERATIVSYSTEMET MICROSOFT WINDOWS\par..OCH ASSOCIERADE SPR\'c5KPAKET\f1\par..\pard\ltrpar\nowidctlpar\sb120\sa120\lang1053\b0\f0\fs20 Microsoft Corporation (eller beroende p\'e5 var du bor, ett av dess koncernbolag) licensierar detta till\'e4gg till dig.\lang1033\b \lang1053\b0 Om du innehar licens f\'f6r programvara f\'f6r operativsystemet Microsoft Windows (som detta till\'e4gg g\'e4ller f\'f6r) (\rdblquote pr

C:\5d17b88cf41ba603370ca60cf86c\1055\LocalizedData.xml

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	76818
Entropy (8bit):	3.7161950547055933
Encrypted:	false
SSDEEP:	1536:bM8DL5YHRL87mlQg5IgrbGZzwOS8Frc+iI0jJNJ7rtRpUR:bM8DL5YHRL87mlQg5IgrbGZzwOS8FrcS
MD5:	65E771FED28B924942A10452BBBF5C42
SHA1:	586921B92D5FB297F35EFFC2216342DAC1AE2355
SHA-256:	45E30569A756D9BCBC5F9DAE78BDA02751FD25E1C0AEE471CE112CB4464A6EE2
SHA-512:	D014A2A96F3A5C487EF1CADDD69599DBEC15DA5AD689D68009F1CA4D5CB694105A7903F508476D6FFEC9D81386CB184DF6FC428D34F056190CEE30715514A8F7
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".K.u.r.u.l.u.m. .u.y.u.m.l.u.l.u.k. .m.o.d.u.n.d.a. ...a.l.1._.a.m.a.z... .D.a.h.a. .f.a.z.l.a. .b.i.l.g.i. .i...i.n. .b.k.z... .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.B.e.n.i.o.k.u. .d.o.s.y.a.s.1.&.l.t.;./.A.&.g.t.;..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.i.n.s.t.a.l.l.W.a.r.n.i.n.g.).". .L.o.c.a.l.i.z.e.d.T.

C:\5d17b88cf41ba603370ca60cf86c\1055\SetupResources.dll

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17752
Entropy (8bit):	5.263298426482242
Encrypted:	false
SSDEEP:	384:Hfp2mDyEkEIb7/dscoGvXdBXbtRS0W0eW0LXci2jpvhPN:H1DyEkEIFscVXdBXbtRVsMi2jpvhl
MD5:	357A1CBF08A83E657FFAE8639AC1212A
SHA1:	384DF3D9DBBE27731785D92C257B7BA584FBE5E8
SHA-256:	DD7337A6C67B39905A9B01C4212667F27EDFB68E86D1099E20EC37B03C51E7B9
SHA-512:	67E47DF1E462A279C909B7B4255BEC4824554890CFF789BDF6691898A66E71DB007794476508F9290D95ACCE908109AA589A3A01A04125AEBB9EFBF67AEBF25F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........*...............................................P............@.......................................... ...'..............X............................................................................................text...G...........................@..@.rsrc....0... ...(..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\5d17b88cf41ba603370ca60cf86c\1055\eula.rtf

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	3859
Entropy (8bit):	5.120677849638168
Encrypted:	false
SSDEEP:	96:VSfjQOTqfRRTqfSD+vmScfQEz04jMpDLiIzhZLlZhD2:wfcFpcfEo4jOT2
MD5:	D71A0D5B6CB13901CD35C036D395BE59
SHA1:	B0F83CF648C2E84119A32AFD2E0EF409BB2047CE
SHA-256:	A8850F6DBF56B6C55D255E81B15A3D17196EEE89FFBE41CDFCA19205628C1A7B
SHA-512:	FE7C6E54014AD963F51850973F5AE5872FBA9843F1C20973F5E875008064F870A5217C2C9ADA3D92A3F1B2DF6318D5137814943D6295E72CF27343DF93B957E1
Malicious:	false
Preview:	{\rtf1\fbidis\ansi\ansicpg1254\deff0\deflang1055\deflangfe1055{\fonttbl{\f0\fswiss\fprq2\fcharset162 Tahoma;}{\f1\froman\fprq2\fcharset162{\\fname Times New Roman;}Times New Roman TUR;}{\f2\fswiss\fprq2\fcharset162 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\ltrpar\nowidctlpar\sb120\sa120\b\f0\fs20 MICROSOFT YAZILIM EK\'dd L\'ddSANS KO\'deULLARI\lang1033\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \ltrpar\nowidctlpar\sb120\sa120\lang1055\f0 MICROSOFT WINDOWS \'dd\'deLET\'ddM S\'ddSTEMLER\'dd \'dd\'c7\'ddN MICROSOFT .NET FRAMEWORK 4\lang1033\f1\par..\lang1055\f0 MICROSOFT WINDOWS \'dd\'deLET\'ddM S\'ddSTEMLER\'dd \'dd\'c7\'ddN MICROSOFT .NET FRAMEWORK 4 \'ddSTEMC\'dd PROF\'ddL\'dd\par..VE \'ddL\'dd\'deK\'ddL\'dd D\'ddL PAKETLER\'dd\lang1033\f1\par..\pard\ltrpar\nowidctlpar\sb120\sa120\lang1055\b0\f0 Microsoft Corporation (veya ya\'fead\'fd\'f0\'fdn\'fdz yere g\'f6re bir ba\'f0l\'fd \'feirketi) bu ekin lisans\'fdn\'fd size v

C:\5d17b88cf41ba603370ca60cf86c\2052\LocalizedData.xml

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	60684
Entropy (8bit):	4.338517891382778
Encrypted:	false
SSDEEP:	384:4w7yHdhTgqbbT1HjWZez2jtKgst+7x0x8EM5NnqQivGXU4woZukC7FQKAuXR/4mn:dyjg2z2bXXwoZukC7FQKAuXRgcJf
MD5:	10DA125EEABCBB45E0A272688B0E2151
SHA1:	6C4124EC8CA2D03B5187BA567C922B6C3E5EFC93
SHA-256:	1842F22C6FD4CAF6AD217E331B74C6240B19991A82A1A030A6E57B1B8E9FD1EC
SHA-512:	D968ABD74206A280F74BF6947757CCA8DD9091B343203E5C2269AF2E008D3BB0A17FF600EB961DBF69A93DE4960133ADE8D606FB9A99402D33B8889F2D0DA710
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."..[..z.^.e.l.N\|Q.['`!j._.L..0.gsQ..~.Oo`.....S..&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.....e.N&.l.t.;./.A.&.g.t.;..0"./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.i.n.s.t.a.l.l.W.a.r.n.i.n.g.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".xS}. .M.i.c.r.o.s.o.f.t. ...N.E.T. .F.r.a.m.e.w.o.r.k. ..S...O.[..g.N.^(u.z.^.e.lck8^.L.

C:\5d17b88cf41ba603370ca60cf86c\2052\SetupResources.dll

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	14168
Entropy (8bit):	6.010838262457833
Encrypted:	false
SSDEEP:	192:rsLnUfwVWtTXjuQShyjK7tWUEW5IQKPnEtObMacxc8hjeyveCXMOV:4eCTFhMKZWUEW5ILXci2jpvP
MD5:	407CDB7E1C2C862B486CDE45F863AE6E
SHA1:	308AEEBEB1E1663ACA26CE880191F936D0E4E683
SHA-256:	9DD9D76B4EF71188B09F3D074CD98B2DE6EA741530E4EA19D539AE3F870E8326
SHA-512:	7B4F43FC24EB30C234F2713C493B3C13928C591C77A3017E8DD806A41CCFEDD53B0F748B5072052F8F9AC43236E8320B19D708903E3F06C59C6ED3C12722494E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........................................................@.......y....@.......................................... ............... ..X............................................................................................text...G...........................@..@.rsrc.... ... ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\5d17b88cf41ba603370ca60cf86c\2052\eula.rtf

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, ANSI
Category:	dropped
Size (bytes):	5827
Entropy (8bit):	4.418112026919231
Encrypted:	false
SSDEEP:	96:M5DBmf0jLTCLLgLTCLLmDjxrDT2k9rkKp7aDKaXzaWZMa/O9wzy6n/MpDTKTGptk:EmfJXoQkRGDtXeWZv/O9XmOdZzQJWBBi
MD5:	4288C2541843F75C348D825FC8B94153
SHA1:	E0DD8ED7BDB3C941A589361EE764F49A3619C264
SHA-256:	C30A7597AA67E2847940E2C24F09B35C07B1EC759ADBCA7C8261141FC1ECCA92
SHA-512:	7BA9991FE4EED625FE7BEF96A1D3AE70CB7616AAD034236D1A2B346A08B48280CB6C20D2B059DA9953919B0265125FE56DC5F4CC619AC653B4C1164ED564B359
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\deflang1033\deflangfe2052{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\fnil\fprq2\fcharset134 \'cb\'ce\'cc\'e5;}{\f2\froman\fprq2\fcharset0 Times New Roman;}{\f3\fswiss\fprq2\fcharset0 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\\generator Msftedit 5.41.21.2509;}{\info{\horzdoc}{\\lchars $(.<?[\'7b\'a3\'a5\'ab\'b7\'91\'93}{\*\fchars !"%'),.:\'3b>?]`\|\'7d~\'a2\'a8\'af\'b0\'b7\'bb\'92\'94\'85\'89\'9b}}..\viewkind4\uc1\pard\nowidctlpar\sb120\sa120\b\f0\fs20 MICROSOFT \lang2052\f1\'c8\'ed\'bc\'fe\'b2\'b9\'b3\'e4\'b3\'cc\'d0\'f2\'d0\'ed\'bf\'c9\'cc\'f5\'bf\'ee\lang1033\f2\par..\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120\lang2052\f1\'d3\'c3\'d3\'da\lang1033\f0 MICROSOFT WINDOWS \lang2052\f1\'b2\'d9\'d7\'f7\'cf\'b5\'cd\'b3\'b5\'c4\lang1033\f0 MICROSOFT .NET FRAMEWORK 4\f2\par..\lang2052\f1\'d3\'c3\'d3\'da\lang1033\f0 MICROSOFT WINDOWS \lang2052\f1\'b2\'d9\'d7\'f7\'cf\'b5\'cd\'b3\'b5\'c4\lang1033\f0 MICROSOFT .NET FRAMEWORK 4 CLI

C:\5d17b88cf41ba603370ca60cf86c\2070\LocalizedData.xml

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	80254
Entropy (8bit):	3.5905984831890927
Encrypted:	false
SSDEEP:	384:4wdLPpRgMjLeUueUA48DYeUOqeUd/iboeuXWpFPYOAjw/BdgysR0AmhRod30J0qf:fenekeCeRuXWpFxgJMh230JMaWs
MD5:	7FA9926A4BC678E32E5D676C39F8FB97
SHA1:	BBA4311DD30261A9B625046F8A6EA215516C9213
SHA-256:	A25EE75C78C24C50440AD7DE9929C6A6E1CC0629009DC0D01B90CBAC177DD404
SHA-512:	E06423BC1EA50A566D341DC513828608E9B6611FEA81D33FCA471A38F6B2B61B556EA07A5DEC0830F3E87194975D87F267A5E5E1A2BE5E6A86B07C5BB2BDDCB6
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".O. .p.r.o.g.r.a.m.a. .d.e. .c.o.n.f.i.g.u.r.a.....o. .n...o. .p.o.d.e. .s.e.r. .e.x.e.c.u.t.a.d.o. .n.o. .m.o.d.o. .d.e. .c.o.m.p.a.t.i.b.i.l.i.d.a.d.e... .P.a.r.a. .m.a.i.s. .i.n.f.o.r.m.a.....e.s.,. .c.o.n.s.u.l.t.e. .o. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.F.i.c.h.e.i.r.o. .L.e.i.a.-.m.e.&.l.t.;./.A.&.g.t.;..."./.>..... . . . . . .<.T.e.x.

C:\5d17b88cf41ba603370ca60cf86c\2070\SetupResources.dll

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18776
Entropy (8bit):	5.195239987750812
Encrypted:	false
SSDEEP:	192:8ae5UfwxWr4KyGpTOSZmzmTssa8x91cvWp7eWYQKPnEtObMacxc8hjeyveCXgs:V32NAT7ZmzmYpqUvWp7eWYLXci2jpvas
MD5:	58CB55FA4D9E2F62F675720B1269137D
SHA1:	472F8E4982369C703C78091E66E33BF6B2A03F09
SHA-256:	9C9E0ABFDB8065ECEC3420398DA687FAD4429F4CBF68B7082C8221925BF8D86B
SHA-512:	123906A064033F37891DBB9C2A01A990AFD3C8447E38CDF66265784449FDD94806372A589A7DEA074830EB1DF7812E4877A1EE59171D37F1652167A03D2B961B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........................................................P......U^....@.......................................... .. *...........2..X............................................................................................text...G...........................@..@.rsrc....0... ...,..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\5d17b88cf41ba603370ca60cf86c\2070\eula.rtf

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	4015
Entropy (8bit):	5.250694812846901
Encrypted:	false
SSDEEP:	96:r4IffB09DkTLGTHD28ygHx0LlHKe1rvGA9mE0Eyh+iH/OMpiKwIurpEpiT0T8x8w:VfB8ygHclqe1ruAYEBm+imOvurerV2
MD5:	4518BE9A9BCA5BE1D8AC926A4B2C087D
SHA1:	D089427D93EA726380E89ECF00127BD51A4DCFC1
SHA-256:	D838ACF5ED559C58F623F73AF4902A13848502778EEA7AF585AC2E801D7C8C45
SHA-512:	7BCF5248E36D98D74040B6AFB08CA62A3255E397A26FF6DCA9A8E42BADF71BC0005FD8FE8B3CA3A4896434823A9E3401EEC86EF60B1A6CE395CE21A710626478
Malicious:	false
Preview:	{\rtf1\fbidis\ansi\ansicpg1252\deff0\deflang2070\deflangfe1041{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset0 Times New Roman;}{\f2\fswiss\fprq2\fcharset0 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue0;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\ltrpar\nowidctlpar\sb120\sa120\b\f0\fs28 TERMOS DE LICENCIAMENTO SUPLEMENTARES PARA SOFTWARE MICROSOFT\lang1033\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \ltrpar\nowidctlpar\sb120\sa120\lang2070\f0\fs22 MICROSOFT .NET FRAMEWORK 4 PARA O SISTEMA OPERATIVO MICROSOFT WINDOWS\lang1033\f1\par..\lang2070\f0 MICROSOFT .NET FRAMEWORK 4 CLIENT PROFILE PARA O SISTEMA OPERATIVO MICROSOFT WINDOWS\par..E PACOTES DE IDIOMAS ASSOCIADOS\lang1033\f1\fs20\par..\pard\ltrpar\nowidctlpar\sb120\sa120\lang2070\b0\f0 A Microsoft Corporation (ou, dependendo do pa\'eds em que reside, uma das respectivas empresas afiliadas) licencia este suplemento para o Adquirente.\lang1033\b \lang2070\b0 Se o Adquirente es

C:\5d17b88cf41ba603370ca60cf86c\3076\LocalizedData.xml

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	60816
Entropy (8bit):	4.3418522371704045
Encrypted:	false
SSDEEP:	384:4wCGbCWB6rFk+2jP8lxtrzh1hsPN7ODPnPgQy50sJCXnofDPiv:tbCWYFrewYTJCf
MD5:	967A6D769D849C5ED66D6F46B0B9C5A4
SHA1:	C0FF5F094928B2FA8B61E97639C42782E95CC74F
SHA-256:	0BC010947BFF6EC1CE9899623CCFDFFD702EEE6D2976F28D9E06CC98A79CF542
SHA-512:	219B13F1BEEB7D690AF9D9C7D98904494C878FBE9904F8CB7501B9BB4F48762F9D07C3440EFA0546600FF62636AC34CB4B32E270CF90CB47A9E08F9CB473030C
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."..[..z._!q.l(W.v.['`!j._.N.WL..0.Y..s.0}.......S..&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;....b.jHh&.l.t.;./.A.&.g.t.;..0"./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.i.n.s.t.a.l.l.W.a.r.n.i.n.g.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."..d..[. .M.i.c.r.o.s.o.f.t. ...N.E.T. .F.r.a.m.e.w.o.r.k. ..S...g.\..g.N.a(u.z._\PbkK.

C:\5d17b88cf41ba603370ca60cf86c\3076\SetupResources.dll

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	14168
Entropy (8bit):	5.9724110685335825
Encrypted:	false
SSDEEP:	192:fc2+tUfwZWPl53LmlVlSW1g+/axw0lczWpXEWUQKPnEtObMacxc8hjeyveCXzHbk:hzuwLmlCW1g+/kmzWpXEWULXci2jpv3e
MD5:	7C136B92983CEC25F85336056E45F3E8
SHA1:	0BB527E7004601E920E2AAC467518126E5352618
SHA-256:	F2E8CA58FA8D8E694D04E14404DEC4E8EA5F231D3F2E5C2F915BD7914849EB2B
SHA-512:	06DA50DDB2C5F83E6E4B4313CBDAE14EED227EEC85F94024A185C2D7F535B6A68E79337557727B2B40A39739C66D526968AAEDBCFEF04DAB09DC0426CFBEFBF4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........................................................@......E.....@.......................................... ..X............ ..X............................................................................................text...G...........................@..@.rsrc.... ... ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\5d17b88cf41ba603370ca60cf86c\3076\eula.rtf

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, ANSI
Category:	dropped
Size (bytes):	6309
Entropy (8bit):	4.470827969332999
Encrypted:	false
SSDEEP:	96:/R8NRf8TTVKTu4LuTu4LrzZD41raZM4HbegdxqKZJQ1/FSMZJujgzc/MpD1JzIf2:/R4Rfm2NBZMjOfro2n6CA2
MD5:	6F2F198B6D2F11C0CBCE4541900BF75C
SHA1:	75EC16813D55AAF41D4D6E3C8D4948E548996D96
SHA-256:	D7D3CFBE65FE62DFA343827811A8071EC54F68D72695C82BEC9D9037D4B4D27A
SHA-512:	B1F5B812182C7A8BF1C1A8D0F616B44B0896F2AC455AFEE56C44522B458A8638F5C18200A8FB23B56DC1471E5AB7C66BE1BE9B794E12EC06F44BEEA4D9D03D6F
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg950\deff0\deflang1033\deflangfe1028{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset136 \'b7\'73\'b2\'d3\'a9\'fa\'c5\'e9;}{\f2\froman\fprq2\fcharset0 Times New Roman;}{\f3\fswiss\fprq2\fcharset0 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\\generator Msftedit 5.41.21.2509;}{\info{\horzdoc}{\\lchars (<?[`\'7b\'a2\'47\'a2\'44?\'a1\'a5\'a1\'a7}{\*\fchars !'),.:\'3b>?]\|\'7d\'a2\'46\'a1\'50?\'a1\'56\'a1\'58\'a1\'a6\'a1\'a8\'a1\'45\'a1\'4b}}..\viewkind4\uc1\pard\nowidctlpar\sb120\sa120\b\f0\fs28 MICROSOFT \lang1028\f1\'b3\'6e\'c5\'e9\'bc\'57\'b8\'c9\'b1\'c2\'c5\'76\'b1\'f8\'b4\'da\lang1033\f2\par..\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120\f0\fs20 MICROSOFT WINDOWS \lang1028\f1\'a7\'40\'b7\'7e\'a8\'74\'b2\'ce\'aa\'ba\lang1033\f0 MICROSOFT .NET FRAMEWORK 4\f2\par..\f0 MICROSOFT WINDOWS \lang1028\f1\'a7\'40\'b7\'7e\'a8\'74\'b2\'ce\'aa\'ba\lang1033\f0 MICROSOFT .NET FRAMEWORK 4 \lang1028\f1\'a5\'ce\'a4\'e1\'ba\'dd\'b3\'5d\'a9

C:\5d17b88cf41ba603370ca60cf86c\3082\LocalizedData.xml

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	79996
Entropy (8bit):	3.5542515107748844
Encrypted:	false
SSDEEP:	1536:Xo/yYrDKRqvf+ffl0VMf/mfL94T+7j2JoiZq:Xo/yYrDKRqvf+feVMf/mfL94T+7j2Jrq
MD5:	2D54FE70376DB0218E8970B28C1C4518
SHA1:	83EE9AC93142751F23D5BB858F7264E27EA2EAB0
SHA-256:	D17C5B638E2A4D43212D21A2052548C8D4909EB6410E30B8A951A292BCDBBEDD
SHA-512:	20C0FB9A046911BC2D702AB321C3992262AC0F80F33DDDA5EC2CCAFE9EF07611774223369E0DC7CB91C9CDA1CBD65C598A7E1C914D6E6CA4B00205A16411BE30
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".E.l. .p.r.o.g.r.a.m.a. .d.e. .i.n.s.t.a.l.a.c.i...n. .n.o. .s.e. .p.u.e.d.e. .e.j.e.c.u.t.a.r. .e.n. .m.o.d.o. .d.e. .c.o.m.p.a.t.i.b.i.l.i.d.a.d... .P.a.r.a. .o.b.t.e.n.e.r. .m...s. .i.n.f.o.r.m.a.c.i...n.,. .v.e.a. .e.l. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.a.r.c.h.i.v.o. .L...a.m.e.&.l.t.;./.A.&.g.t.;..."./.>..... . . . . . .<.T.e.x.t. .I.

C:\5d17b88cf41ba603370ca60cf86c\3082\SetupResources.dll

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18776
Entropy (8bit):	5.182140892959793
Encrypted:	false
SSDEEP:	192:ZikgnUfwVWVCe8b1S2U85ZTYG1lmW+eWaQKPnEtObMacxc8hjXHUz1TrOYL18:Zlv6Lbg2zZTf1lmW+eWaLXci2jXHUx8
MD5:	B057315A8C04DF29B7E4FD2B257B75F4
SHA1:	D674D066DF8D1041599FCBDB3BA113600C67AE93
SHA-256:	51B174AE7EE02D8E84C152D812E35F140A61814F3AECD64E0514C3950060E9FE
SHA-512:	F1CD510182DE7BBF8D45068D1B3F72DE58C7B419EFC9768765DF6C180AB3E2D94F3C058143095A66C05BCB70B589D1A5061E5FEE566282E5DB49FFBDEA3C672F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........................................................P............@.......................................... .. *...........2..X............................................................................................text...G...........................@..@.rsrc....0... ...,..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\5d17b88cf41ba603370ca60cf86c\3082\eula.rtf

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, ANSI
Category:	dropped
Size (bytes):	3069
Entropy (8bit):	5.138349598257165
Encrypted:	false
SSDEEP:	48:MTN3nfZQZXRFOTfyTZQDeK9xxMFcJ55HsUXHNX/RgMzsrMpDgLmqIy3W0b8EwKg3:MTBfZQZhoTfyTZQDeQxpDHsOH1ZvoMp9
MD5:	D40C65F632063E5CDFEF104E324D0AD4
SHA1:	49FABA625BADF413763BD913EDB62510D3790E98
SHA-256:	AAD96E7F4037E977997C630DEC015ECF09CF73C1F5B73F84944E60B309EAAB66
SHA-512:	6A948FA1602E517021C98861B0DF12FCB707FBBEBF094DDE96D9E60CC7DED30B07C1BF6CA8541117A362B5EB8703D61051CF187083C91076E0AD235CF72B7237
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\deflang1033\deflangfe1033{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset0 Times New Roman;}{\f2\fswiss\fprq2\fcharset0 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\nowidctlpar\sb120\sa120\lang3082\b\f0\fs20 T\'c9RMINOS DE LICENCIA COMPLEMENTARIOS DEL SOFTWARE DE MICROSOFT\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120\f0 MICROSOFT .NET FRAMEWORK 4 PARA EL SISTEMA OPERATIVO MICROSOFT WINDOWS\f1\par..\f0 MICROSOFT .NET FRAMEWORK 4 CLIENT PROFILE PARA EL SISTEMA OPERATIVO MICROSOFT WINDOWS\par..Y PAQUETES DE IDIOMA ASSOCIADOS\f1\par..\pard\nowidctlpar\sb120\sa120\b0\f0 Microsoft Corporation (o, en funci\'f3n del lugar en el que resida, una de sus filiales) le concede la licencia para este complemento. Si obtiene la licencia para utilizar el sistema operativo Microsoft Windows (al que se aplica este suplemento), en adelante el "software", podr\'e1 usar e

C:\5d17b88cf41ba603370ca60cf86c\Client\Parameterinfo.xml

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	201796
Entropy (8bit):	3.4097027044493644
Encrypted:	false
SSDEEP:	384:wYQH0RbAGiYNVrkT+8TodTBltw11VTvcL1wCiUj78leRqmH9Hej2iXWKMNGIe9bs:w2RbYoVQTLTQTDFdPknZ13GpPcbrIl
MD5:	EB9D318BBEA1F384A78EDE1D1051F47D
SHA1:	ECD4391FE00D9BB73964456AF15FCD94DB676CC0
SHA-256:	73B29A019C1821304C65A30F338DB2747B950EBCC0E65C02CFF39A0166316A72
SHA-512:	91716D9A78852DB0ABE526A08C73C8349EEB997AD493A8F5B043E45A4A7AADB15FEBFBBC42641AEEC445BC36B0054A4520E051A0CE4CADD237510033F3A9BCE0
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .S.e.t.u.p.V.e.r.s.i.o.n.=.".1...0.".>..... . .<.U.I. .D.l.l.=.".S.e.t.u.p.U.i...d.l.l.". .N.a.m.e.=.".M.i.c.r.o.s.o.f.t. ...N.E.T. .F.r.a.m.e.w.o.r.k. .4. .C.l.i.e.n.t. .P.r.o.f.i.l.e. .S.e.t.u.p.". .V.e.r.s.i.o.n.=.".4...0...3.0.3.1.9.". ./.>..... . .<.C.o.n.f.i.g.u.r.a.t.i.o.n.>..... . . . .<.D.i.s.a.b.l.e.d.C.o.m.m.a.n.d.L.i.n.e.S.w.i.t.c.h.e.s.>..... . . . . . .<.C.o.m.m.a.n.d.L.i.n.e.S.w.i.t.c.h. .N.a.m.e.=.".c.r.e.a.t.e.l.a.y.o.u.t.". ./.>..... . . . .<./.D.i.s.a.b.l.e.d.C.o.m.m.a.n.d.L.i.n.e.S.w.i.t.c.h.e.s.>..... . . . .<.U.s.e.r.E.x.p.e.r.i.e.n.c.e.D.a.t.a.C.o.l.l.e.c.t.i.o.n. .P.o.l.i.c.y.=.".O.S.C.o.n.t.r.o.l.l.e.d.". ./.>..... . . . .<.B.l.o.c.k.i.n.

C:\5d17b88cf41ba603370ca60cf86c\Client\UiInfo.xml

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	39042
Entropy (8bit):	3.1132391675648923
Encrypted:	false
SSDEEP:	768:24URyd5vssgP7ZgZ/vSguJQvFQXvDINJh6F8hZkV1GO0N0phUl9eu+dODOOODOtK:24URyd5vsTPuZXQYQLIN/6F8hZkV1GOv
MD5:	D7A2E90DD9DF6F93FD4B7354F8EC2B0D
SHA1:	A792C41B62796513E312F19DEE91447B9280B23B
SHA-256:	1D1590EB48E66646ED7917A76302862AC87E6651C841A808CF3FE797B9E697F6
SHA-512:	A3431DA5517428B69D4481A98AB6CDA6849F3B1B33DD44CC2EDFD76DDBF51BD2B45B3C4ED21293F7FEE2789281B8CF5120EF83F11F99DE6FC18C0E3FE5D1D9D5
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p.U.I. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". .x.m.l.n.s.:.i.m.u.i.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". .>..... . .<.U.I.>......... . . . .<.R.e.s.o.u.r.c.e.D.l.l.>.S.e.t.u.p.R.e.s.o.u.r.c.e.s...d.l.l.<./.R.e.s.o.u.r.c.e.D.l.l.>..... . . . .<.!.-.-..... . . . .<.S.p.l.a.s.h.S.c.r.e.e.n.>..... . . . . . .<.H.i.d.e./.>..... . . . .<./.S.p.l.a.s.h.S.c.r.e.e.n.>..... . . . .-.-.>..... . . . .<.S.p.l.a.s.h.S.c.r.e.e.n.>..... . . . . . .<.F.i.l.e.N.a.m.e.>.S.p.l.a.s.h.S.c.r.e.e.n...b.m.p.<./.F.i.l.e.N.a.m.e.>..... . . . .<./.S.p.l.a.s.h.S.c.r.e.e.n.>......... . . . .<.L.C.I.D.H.i.n.t.s.>..... . . . . . .<.L.C.I.D.H.i.n.t.>..... . . . . . . . .<.R.e.g.K.e.y.>.H.K.C.U.\.S.o.f.t.w.a.r.e.\.M.i.c.r.o.s.o.f.t.\.V.i.s.u.a.l.S.t.u.d.i.o.\.9...0.\.G.e.n.e.r.a.l.<./.

C:\5d17b88cf41ba603370ca60cf86c\DHtmlHeader.html

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	HTML document, Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	16118
Entropy (8bit):	3.6434775915277604
Encrypted:	false
SSDEEP:	192:7Ddx3KOTczFQ21Kp4n5DTx1iDecPeLHLHQFJFjZWblWUxFzJzcKHjT:fdsOT01KcBUFJFEWUxFzvHH
MD5:	CD131D41791A543CC6F6ED1EA5BD257C
SHA1:	F42A2708A0B42A13530D26515274D1FCDBFE8490
SHA-256:	E139AF8858FE90127095AC1C4685BCD849437EF0DF7C416033554703F5D864BB
SHA-512:	A6EE9AF8F8C2C7ACD58DD3C42B8D70C55202B382FFC5A93772AF7BF7D7740C1162BB6D38A4307B1802294A18EB52032D410E128072AF7D4F9D54F415BE020C9A
Malicious:	false
Preview:	..<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C././.D.T.D. .X.H.T.M.L. .1...1././.E.N.". .".h.t.t.p.:././.w.w.w...w.3...o.r.g./.T.R./.x.h.t.m.l.1.1./.D.T.D./.x.h.t.m.l.1.1...d.t.d.".>.....<.!.-.-. .T.h.e. .E.x.t.e.n.d.e.d. .C.o.p.y.r.i.g.h.t./.T.r.a.d.e.m.a.r.k. .L.a.n.g.u.a.g.e. .R.e.s.i.d.e.s. .A.t.:. .h.t.t.p.:././.w.w.w...m.i.c.r.o.s.o.f.t...c.o.m./.i.n.f.o./.c.p.y.r.t.I.n.f.r.g...h.t.m. .-.-.>.....<.h.t.m.l. .x.m.l.n.s.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.1.9.9.9./.x.h.t.m.l.".>.....<.h.e.a.d.>.......<.m.e.t.a. .h.t.t.p.-.e.q.u.i.v.=.".C.o.n.t.e.n.t.-.T.y.p.e.". .c.o.n.t.e.n.t.=.".t.e.x.t./.h.t.m.l.;. .c.h.a.r.s.e.t.=.u.t.f.-.1.6."./.>.<.b.a.s.e. .t.a.r.g.e.t.=."._.b.l.a.n.k."./.>.......<.s.t.y.l.e. .t.y.p.e.=.".t.e.x.t./.c.s.s.".>.........h.t.m.l.{.o.v.e.r.f.l.o.w.:.s.c.r.o.l.l.}.........b.o.d.y.{.f.o.n.t.-.s.i.z.e.:.1.0.p.t.;.f.o.n.t.-.f.a.m.i.l.y.:.V.e.r.d.a.n.a.;.c.o.l.o.r.:.#.0.0.0.0.0.0.;.b.a.c.k.g.r.o.u.n.d.-.c.o.l.o.r.:.#.F.0.F.0.F.0.}...........h.e.a.d.e.r.

C:\5d17b88cf41ba603370ca60cf86c\DisplayIcon.ico

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	MS Windows icon resource - 13 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
Category:	dropped
Size (bytes):	88533
Entropy (8bit):	7.210526848639953
Encrypted:	false
SSDEEP:	1536:xWayqxMQP8ZOs0JOG58d8vo2zYOvvHAj/4/aXj/Nhhg73BVp5vEdb:e/gB4H8vo2no0/aX7C7Dct
MD5:	F9657D290048E169FFABBBB9C7412BE0
SHA1:	E45531D559C38825FBDE6F25A82A638184130754
SHA-256:	B74AD253B9B8F9FCADE725336509143828EE739CC2B24782BE3ECFF26F229160
SHA-512:	8B93E898148EB8A751BC5E4135EFB36E3AC65AF34EAAC4EA401F1236A2973F003F84B5CFD1BBEE5E43208491AA1B63C428B64E52F7591D79329B474361547268
Malicious:	false
Preview:	..............(...............h...............h...f... .............. .............. ..........^...00......h....#..00..........n)..00...........8........ .h....T.. .... .....&Y..00.... ..%...i........ ._...v...(....... ....................................................................................................w......x......................x..ww...........h...............................w.....w.x..........x................xwvwg.................................................................(....... ...................................jO:.mS?.qWD.v\I.\|cP..kX..q_..sa..yg..{j...p..nh..pj..uo..\|u..xq..\|r..\|u..rx..zy..\|w.}.y...q...d...y...{......S...]..d..i..r..\|...j..j...y...e...k...l..q...y...~...v...y..s..s..m...m...l...n...k...t...l.............................................................................................................................................................................................

C:\5d17b88cf41ba603370ca60cf86c\Extended\Parameterinfo.xml

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	93314
Entropy (8bit):	3.379177079191028
Encrypted:	false
SSDEEP:	384:tYDmmqzP4JUaGMLiqedW0XeeUnG3GPcbrKFl:tRTaBG2PcbrIl
MD5:	4A61E563A344188E3FDEB19C25197710
SHA1:	BDD1E1774DB4CCE9D5393882B61F1360826C1DFA
SHA-256:	7E682BDF51FAC1B3991E6E6330BBF5E7C63060053A8503DAAEA77AB5CD70888A
SHA-512:	F898AC736AC8017624733BBE50C281239BB6F9472B04FB3459C428B22843637AACE99C6A4023ABBB537070F43A0A34FD900D19A4B90C001772C8A67467805801
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .S.e.t.u.p.V.e.r.s.i.o.n.=.".1...0.".>..... . .<.U.I. .D.l.l.=.".S.e.t.u.p.U.i...d.l.l.". .N.a.m.e.=.".M.i.c.r.o.s.o.f.t. ...N.E.T. .F.r.a.m.e.w.o.r.k. .4. .E.x.t.e.n.d.e.d. .S.e.t.u.p.". .V.e.r.s.i.o.n.=.".4...0...3.0.3.1.9.". ./.>..... . .<.C.o.n.f.i.g.u.r.a.t.i.o.n.>..... . . . .<.D.i.s.a.b.l.e.d.C.o.m.m.a.n.d.L.i.n.e.S.w.i.t.c.h.e.s.>..... . . . . . .<.C.o.m.m.a.n.d.L.i.n.e.S.w.i.t.c.h. .N.a.m.e.=.".c.r.e.a.t.e.l.a.y.o.u.t.". ./.>..... . . . .<./.D.i.s.a.b.l.e.d.C.o.m.m.a.n.d.L.i.n.e.S.w.i.t.c.h.e.s.>..... . . . .<.U.s.e.r.E.x.p.e.r.i.e.n.c.e.D.a.t.a.C.o.l.l.e.c.t.i.o.n. .P.o.l.i.c.y.=.".O.S.C.o.n.t.r.o.l.l.e.d.". ./.>..... . . . .<.B.l.o.c.k.i.n.g.M.u.t.e.x.

C:\5d17b88cf41ba603370ca60cf86c\Extended\UiInfo.xml

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	39050
Entropy (8bit):	3.114226586013312
Encrypted:	false
SSDEEP:	768:24URsd5vssgP7ZgZ/vSguJQvFQXvDINJh6Fuh3kr1UO0NWpPUb9cu+dOtOcOdOjQ:24URsd5vsTPuZXQYQLIN/6Fuh3kr1UOB
MD5:	EC417B1688CA10739C0737B72BF07431
SHA1:	A1CF21FD2183C1C4E308FB3C6600D5855BDB3E51
SHA-256:	0452A6720E55B9D4E61225BB66016513DDE15CE9CC1FB305FC0037D008476787
SHA-512:	B317C2985FCADC551F28791311966F9FDE1B854144723AFD449BE1280AB6D6D6CBE8D50FB113282C3DDB687BEC3048D7F93F2DD97AA63B596FA6C0C80A46481E
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p.U.I. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". .x.m.l.n.s.:.i.m.u.i.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". .>..... . .<.U.I.>......... . . . .<.R.e.s.o.u.r.c.e.D.l.l.>.S.e.t.u.p.R.e.s.o.u.r.c.e.s...d.l.l.<./.R.e.s.o.u.r.c.e.D.l.l.>..... . . . .<.!.-.-..... . . . .<.S.p.l.a.s.h.S.c.r.e.e.n.>..... . . . . . .<.H.i.d.e./.>..... . . . .<./.S.p.l.a.s.h.S.c.r.e.e.n.>..... . . . .-.-.>..... . . . .<.S.p.l.a.s.h.S.c.r.e.e.n.>..... . . . . . .<.F.i.l.e.N.a.m.e.>.S.p.l.a.s.h.S.c.r.e.e.n...b.m.p.<./.F.i.l.e.N.a.m.e.>..... . . . .<./.S.p.l.a.s.h.S.c.r.e.e.n.>......... . . . .<.L.C.I.D.H.i.n.t.s.>..... . . . . . .<.L.C.I.D.H.i.n.t.>..... . . . . . . . .<.R.e.g.K.e.y.>.H.K.C.U.\.S.o.f.t.w.a.r.e.\.M.i.c.r.o.s.o.f.t.\.V.i.s.u.a.l.S.t.u.d.i.o.\.9...0.\.G.e.n.e.r.a.l.<./.

C:\5d17b88cf41ba603370ca60cf86c\Graphics\Print.ico

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	4.923507556620034
Encrypted:	false
SSDEEP:	24:dOjNyw2aSGZHJi4U7Wf0mDX+QF7s/AemFAh:MjNyw/0NW9DOp/ANC
MD5:	7E55DDC6D611176E697D01C90A1212CF
SHA1:	E2620DA05B8E4E2360DA579A7BE32C1B225DEB1B
SHA-256:	FF542E32330B123486797B410621E19EAFB39DF3997E14701AFA4C22096520ED
SHA-512:	283D381AA396820B7E15768B20099D67688DA1F6315EC9F7938C2FCC3167777502CDED0D1BEDDF015A34CC4E5D045BCB665FFD28BA2FBB6FAF50FDD38B31D16E
Malicious:	false
Preview:	............ .h.......(....... ..... .....@.........................................................................................t?.fR.\|bN.y_K.v\H.rXD.oUA.kQ=.hN:.eK7.cI5.cI5.cI5i.........th<..z............................................cI5.cI5...................................................qXE.cI5.cI5.......~.............................................}eS.kR>.cI5......................................................q`.w^L.cI5..............................z..~n..sb..jX.{bP.t[H..~m..kY.nT@.......................................................{..wf.zaM.......vO.......................q..r`.}cQ.w]J..lZ.......t.x^J...........}Z..................................z`M........{aM...............0..............................jY.{aO...........................................................x^K.x^Kk.....................................................n\.y_L...........................r...............................y_L.x^K&.........................s.............

C:\5d17b88cf41ba603370ca60cf86c\Graphics\Rotate1.ico

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
Category:	dropped
Size (bytes):	894
Entropy (8bit):	2.5118974066097444
Encrypted:	false
SSDEEP:	6:kRKqNllGuv/ll2dL/rK//dlQt0tlWMlMN8Fq/wbD4tNZDlNc367YCm6p+Wvtjlpr:pIGOmDAQt8n+uNbctNZ5w6AsXjKHRp5c
MD5:	26A00597735C5F504CF8B3E7E9A7A4C1
SHA1:	D913CB26128D5CA1E1AC3DAB782DE363C9B89934
SHA-256:	37026C4EA2182D7908B3CF0CEF8A6F72BDDCA5F1CFBC702F35B569AD689CF0AF
SHA-512:	08CEFC5A2B625F261668F70CC9E1536DC4878D332792C751884526E49E7FEE1ECFA6FCCFDDF7BE80910393421CC088C0FD0B0C27C7A7EFF2AE03719E06022FDF
Malicious:	false
Preview:	..............h.......(....... .......................................................................................................................................................................................t.r........................................p.nn.l\|.z..........................................g.e.......................................................................................P.N..........................................P.OG.FP.O..........................................?.>...................................................................................................+...........................................3.2%.$+...........................................!. ............{.{.............................................................................................~.~..................................G.......................................G..........

C:\5d17b88cf41ba603370ca60cf86c\Graphics\Rotate2.ico

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
Category:	dropped
Size (bytes):	894
Entropy (8bit):	2.5178766234336925
Encrypted:	false
SSDEEP:	12:pmZX5+9wQaxWbwW3h/7eHzemn0iLHRp5c:Md5EaxWbh/Cnt4
MD5:	8419CAA81F2377E09B7F2F6218E505AE
SHA1:	2CF5AD8C8DA4F1A38AAB433673F4DDDC7AE380E9
SHA-256:	DB89D8A45C369303C04988322B2774D2C7888DA5250B4DAB2846DEEF58A7DE22
SHA-512:	74E504D2C3A8E82925110B7CFB45FDE8A4E6DF53A188E47CF22D664CBB805EBA749D2DB23456FC43A86E57C810BC3D9166E7C72468FBD736DA6A776F8CA015D1
Malicious:	false
Preview:	..............h.......(....... ...............................................................................................................................................................................................................................................................................................................................................................................r.p..........................................q.oj.hq.o..........................................b.`...................................................................................................J.I..................\|.\|...y.y...............Q.PC.BF.E..........................................>.=.........".!..........................................2.1".!'.&..........................................".!.....................................G.......................................G..........

C:\5d17b88cf41ba603370ca60cf86c\Graphics\Rotate3.ico

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
Category:	dropped
Size (bytes):	894
Entropy (8bit):	2.5189797450574103
Encrypted:	false
SSDEEP:	12:pPrMIMxPWk3AyORrabBQ+gra2/MXWM4xfQHRp5c:1gxPbXlBQ+gr1ffO4
MD5:	924FD539523541D42DAD43290E6C0DB5
SHA1:	19A161531A2C9DBC443B0F41B97CBDE7375B8983
SHA-256:	02A7FE932029C6FA24D1C7CC06D08A27E84F43A0CBC47B7C43CAC59424B3D1F6
SHA-512:	86A4C5D981370EFA20183CC4A52C221467692E91539AC38C8DEF1CC200140F6F3D9412B6E62FAF08CA6668DF401D8B842C61B1F3C2A4C4570F3B2CEC79C9EE8B
Malicious:	false
Preview:	..............h.......(....... .................................................................................................................................................................................................................................................................................................................................................................................................................z.z...{.{...........................................................................................................................................................s.q..........................................y.wl.jl.j...............3.2#."*.)..................f.d.........E.D.........(.'..............................U.TE.DF.E..........................................E.D.....................................G.......................................G..........

C:\5d17b88cf41ba603370ca60cf86c\Graphics\Rotate4.ico

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
Category:	dropped
Size (bytes):	894
Entropy (8bit):	2.5119705312617957
Encrypted:	false
SSDEEP:	6:kRK///FleTxml+SzNaoT9Q0/lHOmMdrYln8OUo/XRWl2XOXFBYpqnHp/p5c:p///FPwxUrMunUofRReFNHRp5c
MD5:	BB55B5086A9DA3097FB216C065D15709
SHA1:	1206C708BD08231961F17DA3D604A8956ADDCCFE
SHA-256:	8D82FF7970C9A67DA8134686560FE3A6C986A160CED9D1CC1392F2BA75C698AB
SHA-512:	DE9226064680DA6696976A4A320E08C41F73D127FBB81BF142048996DF6206DDB1C2FE347C483CC8E0E50A00DAB33DB9261D03F1CD7CA757F5CA7BB84865FCA9
Malicious:	false
Preview:	..............h.......(....... .............................................................................................................................................................................................................y.y...\|.\|.............................................................................................................................................................................................................................................,.+".!,.+.........................................(.'......................................................................................=.<..........................................S.RC.BG.F.............................j.h.........H.G..............................y.wj.hi.g..........................................j.h.....................................G.......................................G..........

C:\5d17b88cf41ba603370ca60cf86c\Graphics\Rotate5.ico

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
Category:	dropped
Size (bytes):	894
Entropy (8bit):	2.5083713071878764
Encrypted:	false
SSDEEP:	6:kRKi+Blqkl/QThulVDYa5a//ItEl/aotzauakg//5aM1lkl05Kaag2/JqnHp/p5c:pXBHehqSayIylrtBg/bk4AgzHRp5c
MD5:	3B4861F93B465D724C60670B64FCCFCF
SHA1:	C672D63C62E00E24FBB40DA96A0CC45B7C5EF7F0
SHA-256:	7237051D9AF5DB972A1FECF0B35CD8E9021471740782B0DBF60D3801DC9F5F75
SHA-512:	2E798B0C9E80F639571525F39C2F50838D5244EEDA29B18A1FAE6C15D939D5C8CD29F6785D234B54BDA843A645D1A95C7339707991A81946B51F7E8D5ED40D2C
Malicious:	false
Preview:	..............h.......(....... .................................................................................................{.{...~.~.......................................................................................}.}.........................................................).(#."2.1..........................................).(...................................................................................................=.<..........................................N.ME.DN.M..........................................M.L.......................................................................................e.c..........................................z.xl.jm.k........................................r.p........................................................................................................................G.......................................G..........

C:\5d17b88cf41ba603370ca60cf86c\Graphics\Rotate6.ico

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
Category:	dropped
Size (bytes):	894
Entropy (8bit):	2.5043420982993396
Encrypted:	false
SSDEEP:	12:pjs+/hlRwx5REHevtOkslTaGWOpRFkpRHkCHRp5c:tZ/u+HeilBh/F+Rd4
MD5:	70006BF18A39D258012875AEFB92A3D1
SHA1:	B47788F3F8C5C305982EB1D0E91C675EE02C7BEB
SHA-256:	19ABCEDF93D790E19FB3379CB3B46371D3CBFF48FE7E63F4FDCC2AC23A9943E4
SHA-512:	97FDBDD6EFADBFB08161D8546299952470228A042BD2090CD49896BC31CCB7C73DAB8F9DE50CDAF6459F7F5C14206AF7B90016DEEB1220943D61C7324541FE2C
Malicious:	false
Preview:	..............h.......(....... .................................................................................................... ............................................$.$ ..0./...........................{.{............ ...........<.;..........................................C.BA.@O.N...............{.{...~.~..................G.F..................................................................................................._.]..........................................n.lg.en.l..........................................p.n...............................................................................................................................................................................................................................................................................................................G.......................................G..........

C:\5d17b88cf41ba603370ca60cf86c\Graphics\Rotate7.ico

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
Category:	dropped
Size (bytes):	894
Entropy (8bit):	2.4948009720290445
Encrypted:	false
SSDEEP:	6:kRKIekllisUriJ2IP+eX8iDml8mS8+hlxllwqlllkg2klHYdpqnHp/p5c:p8os0iieX8iNVHX//x2sHYdoHRp5c
MD5:	FB4DFEBE83F554FAF1A5CEC033A804D9
SHA1:	6C9E509A5D1D1B8D495BBC8F57387E1E7E193333
SHA-256:	4F46A9896DE23A92D2B5F963BCFB3237C3E85DA05B8F7660641B3D1D5AFAAE6F
SHA-512:	3CAEB21177685B9054B64DEC997371C4193458FF8607BCE67E4FBE72C4AF0E6808D344DD0D59D3D0F5CE00E4C2B8A4FFCA0F7D9352B0014B9259D76D7F03D404
Malicious:	false
Preview:	..............h.......(....... ....................................................................................................G.F..........................................H.GG.FX.V..............................).(.........G.F.........i.g..................+.*%.$5.4...............n.ln.l{.y.................. .......................u.s............................................................................................................................................................~.~...~.~.................................................................................................................................................................................................................................................................................................................................................G.......................................G..........

C:\5d17b88cf41ba603370ca60cf86c\Graphics\Rotate8.ico

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
Category:	dropped
Size (bytes):	894
Entropy (8bit):	2.513882730304912
Encrypted:	false
SSDEEP:	12:pPv1OuTerb53mpOBfXjQuZfKWpIXE1D6HRp5c:91OEerb53eUQsflpIP4
MD5:	D1C53003264DCE4EFFAF462C807E2D96
SHA1:	92562AD5876A5D0CB35E2D6736B635CB5F5A91D9
SHA-256:	5FB03593071A99C7B3803FE8424520B8B548B031D02F2A86E8F5412AC519723C
SHA-512:	C34F8C05A50DC0DE644D1F9D97696CDB0A1961C7C7E412EB3DF2FD57BBD34199CF802962CA6A4B5445A317D9C7875E86E8E62F6C1DF8CC3415AFC0BD26E285BD
Malicious:	false
Preview:	..............h.......(....... ....................................................................................................g.e..........................................g.eg.ew.u..............................F.E.........g.e..............................E.DA.@P.O..........................................:.9......................................................................................&.%.........................................+.* ..+.*..................................................................................................................................................{.{.......................................................................................~.~...{.{..............................................................................................................................................G.......................................G..........

C:\5d17b88cf41ba603370ca60cf86c\Graphics\Save.ico

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	4.824239610266714
Encrypted:	false
SSDEEP:	24:Br5ckw0Pce/WPv42lPpJ2/BatY9Y4ollEKeKzn:h6kPccWPQS2UtEYFEKeu
MD5:	7D62E82D960A938C98DA02B1D5201BD5
SHA1:	194E96B0440BF8631887E5E9D3CC485F8E90FBF5
SHA-256:	AE041C8764F56FD89277B34982145D16FC59A4754D261C861B19371C3271C6E5
SHA-512:	AB06B2605F0C1F6B71EF69563C0C977D06C6EA84D58EF7F2BAECBA566D6037D1458C2B58E6BFD70DDEF47DCCBDEA6D9C2F2E46DEA67EA9E92457F754D7042F67
Malicious:	false
Preview:	............ .h.......(....... ..... .....@........................................................................................klT.de..UV..RS..OP..MM..JJ..GG..DD..AA.x;<.x;<.r99.n67..........kl......D$.G2!...............VMH..>3..=6..91.r99..........op.........q[K.G<4..xh...........s..A5..B<..=5.x;<..........uv...........q[K.....G<4..........tg..KC..ID..B<.}>>..........{\|.............q[K.q[K.q[K.q[K.vbR.}j[..VT..OL..ID..AA...............................yz..qr..kl..]\..VT..PL..DD.....................c`..^V..XK..R?..M4..G(..A...;...]\..VT..GG................fg.................................;...]\..JJ................mn..................................A...gg..MM................vw..................................G(..qr..OP..................................................M4..yz..RS..................................................R?.g33..UV....................................................XK..XY..XY..................................

C:\5d17b88cf41ba603370ca60cf86c\Graphics\Setup.ico

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	MS Windows icon resource - 12 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
Category:	dropped
Size (bytes):	36710
Entropy (8bit):	5.3785085024370805
Encrypted:	false
SSDEEP:	384:IXcWz9GU46B4riEzg8CKcqxkk63gBh6wSphnBcI/ObMFp2rOebgcjTQcho:IMWQ2Bf8qqxMQP8pc4XessTJo
MD5:	3D25D679E0FF0B8C94273DCD8B07049D
SHA1:	A517FC5E96BC68A02A44093673EE7E076AD57308
SHA-256:	288E9AD8F0201E45BC187839F15ACA79D6B9F76A7D3C9274C80F5D4A4C219C0F
SHA-512:	3BDE668004CA7E28390862D0AE9903C756C16255BDBB3F7E73A5B093CE6A57A3165D6797B0A643B254493149231ACA7F7F03E0AF15A0CBE28AFF02F0071EC255
Malicious:	false
Preview:	..............(...............h...............h...V... .............. .............. ..........N...00......h...."..00..........^)..00...........8........ .h....T.. .... ......Y..00.... ..%...i..(....... ....................................................................................................w......x......................x..ww...........h...............................w.....w.x..........x................xwvwg.................................................................(....... ...................................jO:.mS?.qWD.v\I.\|cP..kX..q_..sa..yg..{j...p..nh..pj..uo..\|u..xq..\|r..\|u..rx..zy..\|w.}.y...q...d...y...{......S...]..d..i..r..\|...j..j...y...e...k...l..q...y...~...v...y..s..s..m...m...l...n...k...t...l..........................................................................................................................................................................................................

C:\5d17b88cf41ba603370ca60cf86c\Graphics\SysReqMet.ico

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	5.038533294442847
Encrypted:	false
SSDEEP:	24:MuoBP5lj49s9NRDe4LakKcTM8cv99uGzMN:MlFH3/Ri4LaN3q
MD5:	661CBD315E9B23BA1CA19EDAB978F478
SHA1:	605685C25D486C89F872296583E1DC2F20465A2B
SHA-256:	8BFC77C6D0F27F3D0625A884E0714698ACC0094A92ADCB6DE46990735AE8F14D
SHA-512:	802CC019F07FD3B78FCEFDC8404B3BEB5D17BFC31BDED90D42325A138762CC9F9EBFD1B170EC4BBCCCF9B99773BD6C8916F2C799C54B22FF6D5EDD9F388A67C6
Malicious:	false
Preview:	............ .h.......(....... ..... .....@..........................................M...........S...........................................q.......................z...................................;........q.c.P.K.\|.}............C....................................;.!......................................................Ry,.*w..!.............-.........................................6b..8v................ .+.@............#....................4u..;a..............H.<.........=.C.............................&y..x.e.................$}......................................<.).........\.A............}..................................[.R.}.n.Z.C.y.Y.k.L............. q..............................t.s............r...k.........]{G..............................................y.`.z.h.a.N.e.P...............................................~.q._.J...............................8....................t.p..................?..................................................

C:\5d17b88cf41ba603370ca60cf86c\Graphics\SysReqNotMet.ico

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	5.854644771288791
Encrypted:	false
SSDEEP:	24:u2iVNINssNQhYMEyfCHWZZ7rTRrbWjcyuE:uDW871fdZ1lbWjME
MD5:	EE2C05CC9D14C29F586D40EB90C610A9
SHA1:	E571D82E81BD61B8FE4C9ECD08869A07918AC00B
SHA-256:	3C9C71950857DDB82BAAB83ED70C496DEE8F20F3BC3216583DC1DDDA68AEFC73
SHA-512:	0F38FE9C97F2518186D5147D2C4A786B352FCECA234410A94CC9D120974FC4BE873E39956E10374DA6E8E546AEA5689E7FA0BEED025687547C430E6CEFFABFFB
Malicious:	false
Preview:	............ .h.......(....... ..... .....@....................................../..F..........!....n....d..................................;.............,+..AB..UV..XZ...1.....S......................U.....................EE..\[..rr......NP.....^..............<s.....................!.$)..AC..jj..ww..{{..57.....4........01.................H..........N?8;..[[..ba..`_..TU....L.......bj]^..QP.........:..........)N#&..>=..GG..HI..IJ..EE..!#......24..mm..hh..,.............+N........)(..-.....{-...-,........ SPS..zy..qr....qq......0NCE..33..%%........ZJ...."$..0/../1....?qRU............W}..)A]^..rr..qq..Y[...._z........CE..RQ..AC....8`79.........SU..ab......\|\|..ef....ey...........QZ[..ZZ..=?.....(...d....................pr.....H............IK..jj..fg..,..........]_..................[y.......(..:VQS..{z..ut..ab....'H...........?................\|\|..ef..jk..................$%d....................W....................................*,n.............................HI......................WY

C:\5d17b88cf41ba603370ca60cf86c\Graphics\stop.ico

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	MS Windows icon resource - 6 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
Category:	dropped
Size (bytes):	10134
Entropy (8bit):	6.016582854640062
Encrypted:	false
SSDEEP:	96:uC1kqWje1S/f1AXa0w+2ZM4xD02EuZkULqcA0zjrpthQ2Ngms9+LmODclhpjdfLt:JkqAFqroMS9lD9Ngr9+m7bxpXHT5ToYR
MD5:	5DFA8D3ABCF4962D9EC41CFC7C0F75E3
SHA1:	4196B0878C6C66B6FA260AB765A0E79F7AEC0D24
SHA-256:	B499E1B21091B539D4906E45B6FDF490D5445256B72871AECE2F5B2562C11793
SHA-512:	69A13D4348384F134BA93C9A846C6760B342E3A7A2E9DF9C7062088105AC0B77B8A524F179EFB1724C0CE168E01BA8BB46F2D6FAE39CABE32CAB9A34FC293E4A
Malicious:	false
Preview:	...... ..........f...........(...N... ..........v...........h....... .... ............... .h....#..(... ...@......................................................................................................wwx...........w....w.........x....x.........x.y.......................p..............x.........q.......p.........q.................xy...........q.......................p.............y..................x.y..............y.y.............yyy.........S........x..........yy.............x.yyyx......................Q.8.........x..............y....qy.p...y.....x.....p........y....9.....y....yy..yx.......y..yyyw..p.....y.yyyyy................x.p........y.yy..........x...x............x.................wwx.....................?...................................................................................................?............(....... ..................................................................................................ww.....w..........xx..x........x....p........xy

C:\5d17b88cf41ba603370ca60cf86c\Graphics\warn.ico

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	MS Windows icon resource - 6 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
Category:	dropped
Size (bytes):	10134
Entropy (8bit):	4.3821301214809045
Encrypted:	false
SSDEEP:	192:USAk9ODMuYKFfmiMyT4dvsZQl+g8DnPUmXtDV3EgTtc:r9wM7pyEBlcgssmXpVUgJc
MD5:	B2B1D79591FCA103959806A4BF27D036
SHA1:	481FD13A0B58299C41B3E705CB085C533038CAF5
SHA-256:	FE4D06C318701BF0842D4B87D1BAD284C553BAF7A40987A7451338099D840A11
SHA-512:	5FE232415A39E0055ABB5250B120CCDCD565AB102AA602A3083D4A4705AC6775D45E1EF0C2B787B3252232E9D4673FC3A77AAB19EC79A3FF8B13C4D7094530D2
Malicious:	false
Preview:	...... ..........f...........(...N... ..........v...........h....... .... ............... .h....#..(... ...@................................................................................................................................................................wwwww.....wwww...................3333333333338...{....3s.....x...{....0G;.............0.;...7.........33....8.....{...33..............0....7...............8.......{....;.............0.;.............0...8...........4...............wu;.............ww;.............ww;?...........;ww;.............7w................................8.............{...................................................................................................................................................................?...?..................................................?...?.........(....... ........................................................................................................333333;...............8.........;........

C:\5d17b88cf41ba603370ca60cf86c\ParameterInfo.xml

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	272046
Entropy (8bit):	3.4004643852090877
Encrypted:	false
SSDEEP:	384:EYSROAGiYNVrkT+8TodTBltw11VTvcL1wCiUj78leRqmH9Hej2iXWKYP4JUaGMLi:EFROYoVQTLTQTDFdhaaot6PcbrIl
MD5:	7213DA83E0F0B8AE4FEA44AE1CB7F62B
SHA1:	F2E3FCC77A1AD4D042253BD2E0010BCB40B68ED3
SHA-256:	59E67E4FB46E5490EEE63D8B725324F1372720ADE7345C74C6138C4A76EA73D9
SHA-512:	86186AB0F2CB38E520DD1284042ECED157F96874846EB9061BE9CF56B84A1CAB5901A4879E105A8B04B336BBC43B03F4BDF198D43AF868BE188602347DB829E0
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .S.e.t.u.p.V.e.r.s.i.o.n.=.".1...0.".>..... . .<.U.I. .D.l.l.=.".S.e.t.u.p.U.i...d.l.l.". .N.a.m.e.=.".M.i.c.r.o.s.o.f.t. ...N.E.T. .F.r.a.m.e.w.o.r.k. .4. .S.e.t.u.p.". .V.e.r.s.i.o.n.=.".4...0...3.0.3.1.9.". ./.>..... . .<.C.o.n.f.i.g.u.r.a.t.i.o.n.>..... . . . .<.D.i.s.a.b.l.e.d.C.o.m.m.a.n.d.L.i.n.e.S.w.i.t.c.h.e.s.>..... . . . . . .<.C.o.m.m.a.n.d.L.i.n.e.S.w.i.t.c.h. .N.a.m.e.=.".c.r.e.a.t.e.l.a.y.o.u.t.". ./.>..... . . . .<./.D.i.s.a.b.l.e.d.C.o.m.m.a.n.d.L.i.n.e.S.w.i.t.c.h.e.s.>..... . . . .<.U.s.e.r.E.x.p.e.r.i.e.n.c.e.D.a.t.a.C.o.l.l.e.c.t.i.o.n. .P.o.l.i.c.y.=.".O.S.C.o.n.t.r.o.l.l.e.d.". ./.>..... . . . .<.B.l.o.c.k.i.n.g.M.u.t.e.x. .N.a.m.e.=.".N.e.

C:\5d17b88cf41ba603370ca60cf86c\RGB9RAST_x64.msi

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.2, MSI Installer, Code page: 1252, Create Time/Date: Fri Jul 30 09:00:00 1999, Name of Creating Application: Windows Installer, Title: RGB9Rast Installation Database, Subject: Recommended Sequence Tables for Windows Installer 1.1, Author: Microsoft Corporation, Comments: Note that actions in the UI sequence tables that end in "Dialog" are authored dialogs and not stardard actions., Last Saved By: paulble, Revision Number: {03C9DE4B-2618-4EDA-9C8B-8CD66AC8C15B}, Last Saved Time/Date: Fri Jan 13 19:09:38 2006, Number of Pages: 200, Number of Words: 0, Security: 0, Template: AMD64;1033
Category:	dropped
Size (bytes):	184832
Entropy (8bit):	7.87268869519203
Encrypted:	false
SSDEEP:	3072:SMZbdgC73Q5H0Un0li+G9A7Kve3Hg5BszizUVQzB7m09g47aEqPNWZKq5uXp0:SMddgq38l1A7Km3Hg5CzizuE99gVEqi0
MD5:	4C424650C4187ADDA4C24F946099B437
SHA1:	56BAC80D1384204A270CBEC915222B0D9F590C93
SHA-256:	9B4C00CA561FF1DEBA57C34FEF5C8610708E78774C2207411C593109C046FB3F
SHA-512:	0C5239E5D6F8F42E21904E199EE6409B0B40FFC74034B82F6B69CCCE24962B95BAE1B1E5591AEFC8C3CDC0AB6B43CD470B9BF90C8D227EB0AA2943DFE6E3D64F
Malicious:	false
Preview:	......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\5d17b88cf41ba603370ca60cf86c\RGB9Rast_x86.msi

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, MSI Installer, Code page: 1252, Create Time/Date: Fri Jul 30 09:00:00 1999, Name of Creating Application: Windows Installer, Title: RGB9Rast Installation Database, Subject: Recommended Sequence Tables for Windows Installer 1.1, Author: Microsoft Corporation, Comments: Note that actions in the UI sequence tables that end in "Dialog" are authored dialogs and not stardard actions., Template: Intel;, Last Saved By: paulble, Revision Number: {03C9DE4B-2618-4EDA-9C8B-8CD66AC8C15B}, Last Saved Time/Date: Fri Jan 13 19:09:38 2006, Number of Pages: 200, Number of Words: 0, Security: 0
Category:	dropped
Size (bytes):	94720
Entropy (8bit):	7.682694326916969
Encrypted:	false
SSDEEP:	1536:upZdWM41picgCjX3QAoHwDHL0fWi0lrmsIjyG9heHApNR3YHaeAHaeee:ugZbdgC73Q5H0Un0li+G9AsxqQ
MD5:	674353068D0290B0884B35B3B925DFE2
SHA1:	8226215B301026BCDCD2E7038D8E090E81DAA18E
SHA-256:	62F384BF20E669180CBB45EFC0E9E3EE59FE18E58DE75DEB8FDCFD3DD9AC7073
SHA-512:	402ED710E941DF0E4BFD39FBA8F39BB4475E047243BE508A4C831CA171D2F21ADFE85BB847A827CE4B27E43E47AA2FA4DF9A53398DD1C97DB17636E740C38F59
Malicious:	false
Preview:	......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\5d17b88cf41ba603370ca60cf86c\Setup.exe

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	78152
Entropy (8bit):	6.011592088917562
Encrypted:	false
SSDEEP:	1536:sYNItbBL5NWiiESc0exWZnqxMQP8ZOs0JD9rHUq:sYNAB9NWTZctc/gBJ9oq
MD5:	006F8A615020A4A17F5E63801485DF46
SHA1:	78C82A80EBF9C8BF0C996DD8BC26087679F77FEA
SHA-256:	D273460AA4D42F0B5764383E2AB852AB9AF6FECB3ED866F1783869F2F155D8BE
SHA-512:	C603ED6F3611EB7049A43A190ED223445A9F7BD5651100A825917198B50C70011E950FA968D3019439AFA0A416752517B1C181EE9445E02DA3904F4E4B73CE76
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;.................j.}.....].v.....h.w.....\.H...v.e.\|.......B.....h.~.....Y.\|.....].~.....m.~.....l.~.....k.~...Rich............PE..L......K.........."......f...........+............@..........................P............@...... ..................pu..x...Tp..<.......................H....@...... ................................(..@............................................text....e.......f.................. ..`.data................j..............@....rsrc................v..............@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................

C:\5d17b88cf41ba603370ca60cf86c\SetupEngine.dll

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	807256
Entropy (8bit):	6.357664904941565
Encrypted:	false
SSDEEP:	24576:GS62nlYAqK/AitUgiuVQk/oifPNJIkjbSTzR8NmsBJj:GS62nlYAltBjPNJIkHST18QsBJ
MD5:	84C1DAF5F30FF99895ECAB3A55354BCF
SHA1:	7E25BA36BCC7DEED89F3C9568016DDB3156C9C5A
SHA-256:	7A0D281FA802D615EA1207BD2E9EBB98F3B74F9833BBA3CB964BA7C7E0FB67FD
SHA-512:	E4FB7E4D39F094463FDCDC4895AB2EA500EB51A32B6909CEC80A526BBF34D5C0EB98F47EE256C0F0865BF3169374937F047BF5C4D6762779C8CA3332B4103BE3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................&......&.......R.....z.....O.....{......B...........O.....~.....J.....K.....L....Rich...........................PE..L......K.........."!................Y...............................................;.....@.....................................h....................:..X...............................................@............................................text............................... ..`.data...8...........................@....rsrc................f..............@..@.reloc...............p..............@..B........................................................................................................................................................................................................................................................................................................................

C:\5d17b88cf41ba603370ca60cf86c\SetupUi.dll

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	295248
Entropy (8bit):	6.262127887617593
Encrypted:	false
SSDEEP:	3072:/LTVUK59JN+C0iy4Ww8oBcPFIOrvHvr8QDZHAAKWiIHT6llN1QkvQZaiionv5y/y:HOoMFrz8ygAKWiiIyKf73w
MD5:	EB881E3DDDC84B20BD92ABCEC444455F
SHA1:	E2C32B1C86D4F70E39DE65E9EBC4F361B24FF4A1
SHA-256:	11565D97287C01D22AD2E46C78D8A822FA3E6524561D4C02DFC87E8D346C44E7
SHA-512:	5750CEC73B36A3F19BFB055F880F3B6498A7AE589017333F6272D26F1C72C6F475A3308826268A098372BBB096B43FBD1E06E93EECC0A81046668228BC179A75
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............I...I...I..bI...I..WI...I..cI..I..ZI...I...IG..I..WI...I..fI...I..RI...I..SI...I..TI...IRich...I................PE..L......K.........."!................................................................yq....@..........................................P...............j..P....`..0?..................................`z..@............................................text............................... ..`.data....Q.......4..................@....rsrc........P......................@..@.reloc...T...`...V..................@..B........................................................................................................................................................................................................................................................................................................................................................

C:\5d17b88cf41ba603370ca60cf86c\SetupUi.xsd

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	30120
Entropy (8bit):	4.990211039591874
Encrypted:	false
SSDEEP:	768:hlzLm8eYhsPs05F8/ET/chT+cxcW8G2P4oeTMC:1wchT+cxcDm
MD5:	2FADD9E618EFF8175F2A6E8B95C0CACC
SHA1:	9AB1710A217D15B192188B19467932D947B0A4F8
SHA-256:	222211E8F512EDF97D78BC93E1F271C922D5E91FA899E092B4A096776A704093
SHA-512:	A3A934A8572FF9208D38CF381649BD83DE227C44B735489FD2A9DC5A636EAD9BB62459C9460EE53F61F0587A494877CD3A3C2611997BE563F3137F8236FFC4CA
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema".. xmlns="http://schemas.microsoft.com/SetupUI/2008/01/imui".. xmlns:imui="http://schemas.microsoft.com/SetupUI/2008/01/imui".. targetNamespace="http://schemas.microsoft.com/SetupUI/2008/01/imui".. elementFormDefault="qualified"..attributeFormDefault="unqualified"..>.... <xs:annotation>.. <xs:documentation>.. Copyright (c) Microsoft Corporation. All rights reserved... Schema for describing DevDiv "Setup UI Info".. </xs:documentation>.. </xs:annotation>.... <xs:element name="SetupUI">.. <xs:annotation>.. <xs:documentation>specifies UI dll, and lists of MSIs MSPs and EXEs</xs:documentation>.. </xs:annotation>.. <xs:complexType>.. <xs:sequence>.. <xs:choice>.. <xs:element ref="UI" minOccurs="1" maxOccurs="1"></xs:element>.. <xs:element ref="Strings" minOccurs="1" maxOccurs="1"></xs:element>..

C:\5d17b88cf41ba603370ca60cf86c\SetupUtility.exe

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	96088
Entropy (8bit):	6.292361456158864
Encrypted:	false
SSDEEP:	1536:L+59IKI1N74oszIepIJqwlAno0dwRXPuY6zcVcE7OgkT9vs6M4raUZrH9rHUA:L+59hI1NktIemJllRXGYRKEaVM4raUZh
MD5:	8DFBB95989AF28058C7431704CE7CD66
SHA1:	78A5927D6B65D177F537FC671ED6BE4A77F20353
SHA-256:	589B4F04ED38A35D29C4A16FCCB489C3FBA6505F5DA399C1A2AF0CA966486059
SHA-512:	51FFB1B20006BB1C2F396C84EF19D7D47AD421D0A3196919B4ABC26405326BF15DDB989EDF815CBEDEEA8DEDC0454C0CC22A3987492E9BC1646A42A31151E1AF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ux`.1...1...1...8a..0...^o......^o..!...^o..@...8a..:...1...T...Vo..0...Vo..;...Vo..0...Vo..0...Vo..0...Vo..0...Rich1...........................PE..L......K.........."......0...L.......^.......@....@..................................u....@...... ..................`>.......5..x....p...............`..X............................................K..@...............\|............................text............0.................. ..`.data........@.......4..............@....rsrc........p.......D..............@..@.reloc..f............H..............@..B................................................................................................................................................................................................................................................................................................................................

C:\5d17b88cf41ba603370ca60cf86c\SplashScreen.bmp

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	PC bitmap, Windows 3.x format, 200 x 200 x 8
Category:	dropped
Size (bytes):	41080
Entropy (8bit):	6.9955557349183595
Encrypted:	false
SSDEEP:	384:G1o2kgxmJGEsU3pP28+Qq1ms68/tUqHUlHGwM7bwv3ETbFrS:kkpoapTbimsqHGI
MD5:	0966FCD5A4AB0DDF71F46C01EFF3CDD5
SHA1:	8F4554F079EDAD23BCD1096E6501A61CF1F8EC34
SHA-256:	31C13ECFC0EB27F34036FB65CC0E735CD444EEC75376EEA2642F926AC162DCB3
SHA-512:	A9E70A2FB5A9899ACF086474D71D0E180E2234C40E68BCADB9BF4FE145774680CB55584B39FE53CC75DE445C6BF5741FC9B15B18385CBBE20FC595FE0FF86FCE
Malicious:	false
Preview:	BMx.......6...(...................B.......................{7...>...h?..D...N...K..........xE..._#..q..T...X...Q...[..._...c...j....>.!....f...v...r...."..v....0....... ..........4..I.........[...}..............j.............................................................................................................i......................@>1.......................................................o...u...u...z...z...~............................................................................................................................................................................{...~.................................................................................................................yw`......................................................................................................................................................//'...........................................

C:\5d17b88cf41ba603370ca60cf86c\Strings.xml

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	14084
Entropy (8bit):	3.701412990655975
Encrypted:	false
SSDEEP:	384:VqZo71GHY3vqaqMnYfHHVXIHjfBHwnwXCa+F:VqB
MD5:	8A28B474F4849BEE7354BA4C74087CEA
SHA1:	C17514DFC33DD14F57FF8660EB7B75AF9B2B37B0
SHA-256:	2A7A44FB25476886617A1EC294A20A37552FD0824907F5284FADE3E496ED609B
SHA-512:	A7927700D8050623BC5C761B215A97534C2C260FCAB68469B7A61C85E2DFF22ED9CF57E7CB5A6C8886422ABE7AC89B5C71E569741DB74DAA2DCB4152F14C2369
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p.U.I. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". ..... . . . . . . . . .x.m.l.n.s.:.i.m.u.i.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". .>..... . .<.S.t.r.i.n.g.s.>..... . . . .<.!.-.-. .R.e.f.l.e.c.t.i.v.e. .p.r.o.p.e.r.t.y. .p.a.g.e. .-.-.>..... . . . .<.I.D.S._.I.S._.R.E.A.L.L.Y._.C.A.N.C.E.L.>.#.(.l.o.c...i.d.s._.i.s._.r.e.a.l.l.y._.c.a.n.c.e.l.).<./.I.D.S._.I.S._.R.E.A.L.L.Y._.C.A.N.C.E.L.>......... . . . .<.!.-.-. .S.y.s.t.e.m. .R.e.q.u.i.r.e.m.e.n.t.s. .p.a.g.e. .-.-.>..... . . . .<.S.Y.S.R.E.Q.P.A.G.E._.R.E.Q.U.I.R.E.D._.A.N.D._.A.V.A.I.L.A.B.L.E._.D.I.S.K._.S.P.A.C.E.>.#.(.l.o.c...s.y.s.r.e.q.p.a.g.e._.r.e.q.u.i.r.e.d._.a.n.d._.a.v.a.i.l.a.b.l.e._.d.i.s.k._.s.p.a.c.e.).<./.S.Y.S.R.E.Q.P.A.G.E._.R.E.Q.U.I.R.E.D._.A.N.D._.A.V.A.I.L.A.B.L.E._.D.I.S.K._.S.

C:\5d17b88cf41ba603370ca60cf86c\UiInfo.xml

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	38898
Entropy (8bit):	3.1042370213993578
Encrypted:	false
SSDEEP:	768:24UR0d5vssgP7ZgZ/vSguJQvFQXvDINJh6Fmhvk71sO0Nep3UL9Eu+dOtOcOdOjY:24UR0d5vsTPuZXQYQLIN/6Fmhvk71sOR
MD5:	8B8B0A935DC591799A0C6D52FDC33460
SHA1:	CE2748BD469AAD6E90B06D98531084D00611FB89
SHA-256:	57A9CCB84CAE42E0D8D1A29CFE170AC3F27BDCAE829D979CDDFD5E757519B159
SHA-512:	93009B3045939B65A0C1D25E30A07A772BD73DDA518529462F9CE1227A311A4D6FD7595F10B4255CC0B352E09C02026E89300A641492F14DF908AD256A3C9D76
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p.U.I. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". .x.m.l.n.s.:.i.m.u.i.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". .>..... . .<.U.I.>......... . . . .<.R.e.s.o.u.r.c.e.D.l.l.>.S.e.t.u.p.R.e.s.o.u.r.c.e.s...d.l.l.<./.R.e.s.o.u.r.c.e.D.l.l.>..... . . . .<.!.-.-..... . . . .<.S.p.l.a.s.h.S.c.r.e.e.n.>..... . . . . . .<.H.i.d.e./.>..... . . . .<./.S.p.l.a.s.h.S.c.r.e.e.n.>..... . . . .-.-.>..... . . . .<.S.p.l.a.s.h.S.c.r.e.e.n.>..... . . . . . .<.F.i.l.e.N.a.m.e.>.S.p.l.a.s.h.S.c.r.e.e.n...b.m.p.<./.F.i.l.e.N.a.m.e.>..... . . . .<./.S.p.l.a.s.h.S.c.r.e.e.n.>......... . . . .<.L.C.I.D.H.i.n.t.s.>..... . . . . . .<.L.C.I.D.H.i.n.t.>..... . . . . . . . .<.R.e.g.K.e.y.>.H.K.C.U.\.S.o.f.t.w.a.r.e.\.M.i.c.r.o.s.o.f.t.\.V.i.s.u.a.l.S.t.u.d.i.o.\.9...0.\.G.e.n.e.r.a.l.<./.

C:\5d17b88cf41ba603370ca60cf86c\Windows6.0-KB956250-v6001-x64.msu

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	Microsoft Cabinet archive data, 5192107 bytes, 2 files
Category:	dropped
Size (bytes):	5198099
Entropy (8bit):	6.736010382988102
Encrypted:	false
SSDEEP:	98304:huEAUjX57BkOKxUKnat45mFe4H5+Ju4JKUYc93iKlOKJhln:F3ZBkOK2Knq45mY4H5OMKkKzln
MD5:	0008DCAB034696F6DEAFAA9D4CAE3AB0
SHA1:	6C0E146B93468AB0819C696F3A668EFA4AFA4A0B
SHA-256:	454DC7A6D227D10729C08F33AF2E0A6B2D31933A7D684A6C0811753B6E292D46
SHA-512:	BEA86BC7ACEC85D5214EBB74B5281FFB762A331D7575FD9CBF6BD1760FACB6DC84DEFB5F7519BF34E20CAEF1DDCF58ACCDF5624CF86D29977C9EF4AFEEA4545A
Malicious:	false
Preview:	MSCF.....9O.....D............................9O.h...................&.L.......r<.Z .Windows6.0-KB956250-x64.cab..t..&.L...r<.[ .WSUSSCAN.cab.07......MSCF.....L.....D...........$................L.`...........J.......@.........h;A^ .amd64_microsoft-windows-n..-deployment-netfx20_31bf3856ad364e35_6.1.6001.18242_none_9a9688d69ecbe764.manifest.n...@.....h;A^ .amd64_microsoft-windows-n..4-shared-deployment_31bf3856ad364e35_6.1.6001.18242_none_61e0e2c7e840a2a4.manifest...........h;A^ .amd64_microsoft-windows-n..loyment-netfx30-wpf_31bf3856ad364e35_6.1.6001.18242_none_a6a0652ef5fe7831.manifest..G..[.....h;E^ .amd64_netfx-dfshim_dll_31bf3856ad364e35_6.1.6001.18242_none_9ca423e8b4415204.manifest..%..B`....h;E^ .amd64_netfx-fw_netfxperf_dll_31bf3856ad364e35_6.1.6001.18242_none_b8b7d5fad28075e7.manifest..........h;E^ .amd64_netfx-mscorees_dll_31bf3856ad364e35_6.1.6001.18242_none_3d7db7b9e274d6c8.manifest..r........h;E^ .amd64_netfx-mscoree_dll_31bf3856ad364e35_6.1.6001.18242_none_d984299dad710f

C:\5d17b88cf41ba603370ca60cf86c\Windows6.0-KB956250-v6001-x86.msu

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	Microsoft Cabinet archive data, 2186680 bytes, 2 files
Category:	dropped
Size (bytes):	2192672
Entropy (8bit):	6.9829541702941835
Encrypted:	false
SSDEEP:	49152:d7Ti7TD7TH784x7Tb7T6YV4YaG7T2DumT1r7AdXZy9KU2KUYxs35DKZ3OIKxWh0h:2V4YakTo1PAdXZzKUYxs3pKZnKxfem
MD5:	6A73CEBEB4D84811550327DAE08CF8BF
SHA1:	84BD7293DA81E71EAB10110B0C25BFDE4E9467DC
SHA-256:	5AC30D2F8B1A478DF43CDB8982D316127ABD69830B6E8C1C268A817F9DC6E750
SHA-512:	E81DDEDCD216384361C2120B480389AC66FC60DEBACF81E7CDA3AC366264B61D81B1D1189FB5E81946F4CB5972A19873EE8CC8BE916C8828D6D313A73D7894AB
Malicious:	false
Preview:	MSCF.....]!.....D............................]!.h...............C.............r<.P .Windows6.0-KB956250-x86.cab.Lt........r<OQ .WSUSSCAN.cab...44....MSCF....g.......D...........................g...`...............>....1........h;.] .update.cat......1....h;.] .update.mum.4....A....h;.] .x86_microsoft-windows-n..-deployment-netfx20_31bf3856ad364e35_6.1.6001.18242_none_3e77ed52e66e762e.manifest......J....h;.] .x86_microsoft-windows-n..4-shared-deployment_31bf3856ad364e35_6.1.6001.18242_none_05c247442fe3316e.manifest.....`P....h;.] .x86_microsoft-windows-n..loyment-netfx30-wpf_31bf3856ad364e35_6.1.6001.18242_none_4a81c9ab3da106fb.manifest..G...W....h;.] .x86_netfx-dfshim_dll_31bf3856ad364e35_6.1.6001.18242_none_40858864fbe3e0ce.manifest..%.......h;.] .x86_netfx-fw_netfxperf_dll_31bf3856ad364e35_6.1.6001.18242_none_5c993a771a2304b1.manifest...........h;.] .x86_netfx-mscorees_dll_31bf3856ad364e35_6.1.6001.18242_none_e15f1c362a176592.manifest..r..<.....h;.] .x86_netfx-mscoree_dll_31bf3856ad3

C:\5d17b88cf41ba603370ca60cf86c\Windows6.1-KB958488-v6001-x64.msu

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	Microsoft Cabinet archive data, 5085798 bytes, 4 files
Category:	dropped
Size (bytes):	5091790
Entropy (8bit):	6.7130741075427345
Encrypted:	false
SSDEEP:	98304:MQf0pKy/aBHTKYzKXH54UuFe1kBpHua/KUKcs3DKVDK6rCZ:57BBHTK8KXZ4UuY1kB1iKFKma
MD5:	843E85AE98FDE6E76A3DC9228058C44F
SHA1:	A137E4F328F01146DFA75D7B5A576090DEE948DC
SHA-256:	A5F4243CE8B07C9222284FD8FF6F7E742D934C57C89DE9CAB5D88C74402264E3
SHA-512:	A08B4F8E5A83D16B1DBD20EE18EABE88481CB43E5AA6E0080EC11B25938E99C1DBC3283D708EE15511168BD31B4FE5594DFE87881879007609317FB905183D87
Malicious:	false
Preview:	MSCF....f.M.....D...........................f.M.h...................m.........<<.} .Windows6.1-KB958488-x64-pkgProperties.txt...K.m.....r<.b .Windows6.1-KB958488-x64.cab..... .K...<<.} .Windows6.1-KB958488-x64.xml..s... K...r<.b .WSUSSCAN.cab.\..D....Applies to="Windows 6.1"..Build Date="2010/1/28"..Company="Microsoft Corporation"..File Version="1"..Installation Type="FULL"..Installer Engine="WUSA.EXE"..Installer Version="N/A"..KB Article Number="958488"..Language="ALL"..Package Type="Update"..Processor Architecture="amd64"..Product Name="Windows 6.1"..Support Link="http://support.microsoft.com?kbid=958488"..MSCF....S.K.....D...........%...............S.K.`................... .........<<Y. .amd64_microsoft-windows-n..-deployment-netfx20_31bf3856ad364e35_6.2.7600.16513_none_9adfccf5ffc9e41e.manifest.N... .....<<Y. .amd64_microsoft-windows-n..4-shared-deployment_31bf3856ad364e35_6.2.7600.16513_none_622a26e7493e9f5e.manifest.....n.....<<Y. .amd64_microsoft-windows-n..loyment-netfx30-wpf_3

C:\5d17b88cf41ba603370ca60cf86c\Windows6.1-KB958488-v6001-x86.msu

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	Microsoft Cabinet archive data, 2135441 bytes, 4 files
Category:	dropped
Size (bytes):	2141433
Entropy (8bit):	6.966562890391342
Encrypted:	false
SSDEEP:	49152:Z7uUU7N37NM7u6/7uUj7uU6cP4UJ6EeaDuv7GuMRau8yuXQFKUYcs3HVKf3rhKzl:zP4UJneDGnRau84KUYcs31KfFKzdN5
MD5:	7550EE95E70E80800E394ED45BC7053C
SHA1:	C4F8FCA1279B823894CA6B19A05F420DA26979FA
SHA-256:	08A66C14B8E42EDC4CA72EDC28C9323FF3B23E18C83A8F9D3DD7F08D4D908ED7
SHA-512:	BF778DCD71DD9A97406B6EE1626269AF8CEFB531814A3303DDFA1B3651F00AC2B2B7F283E6470863FEE670E8819A24616A931B21F2CDE377A226620DB8897CE7
Malicious:	false
Preview:	MSCF...... .....D............................. .h...............B...k.........<<o} .Windows6.1-KB958488-x86-pkgProperties.txt..%..k.....r<.` .Windows6.1-KB958488-x86.cab.....-'....<<o} .Windows6.1-KB958488-x86.xml..i...)....r<Z` .WSUSSCAN.cab........Applies to="Windows 6.1"..Build Date="2010/1/28"..Company="Microsoft Corporation"..File Version="1"..Installation Type="FULL"..Installer Engine="WUSA.EXE"..Installer Version="N/A"..KB Article Number="958488"..Language="ALL"..Package Type="Update"..Processor Architecture="x86"..Product Name="Windows 6.1"..Support Link="http://support.microsoft.com?kbid=958488"..MSCF....b.......D...........................b...`...........6...=....;........<<. .update.cat......;....<<. .update.mum......A....<<. .x86_microsoft-windows-n..-deployment-netfx20_31bf3856ad364e35_6.2.7600.16513_none_3ec13172476c72e8.manifest.r....J....<<. .x86_microsoft-windows-n..4-shared-deployment_31bf3856ad364e35_6.2.7600.16513_none_060b8b6390e12e28.manifest.....RP....<<. .

C:\5d17b88cf41ba603370ca60cf86c\header.bmp

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	PC bitmap, Windows 3.x format, 49 x 49 x 8
Category:	dropped
Size (bytes):	3628
Entropy (8bit):	4.8382652865388724
Encrypted:	false
SSDEEP:	48:f0sO8Kdwc6o5NF5ghwwpnMOccFpscGqfkemvIQpQK/xHiggTfGRgVC0q:cMa1krnrJmdQ+EgyfG3
MD5:	514BFCD8DA66722A9639EB41ED3988B7
SHA1:	CF11618E3A3C790CD5239EE749A5AE513B4205CD
SHA-256:	6B8201ED10CE18FFADE072B77C6D1FCACCF1D29ACB47D86F553D9BEEBD991290
SHA-512:	89F01C3361BA874015325007EA24E83AE6E73700996D0912695A4E7CB3F8A611494BA9D63F004DCD4F358821E756BE114BCF0137ED9B130776A6E26A95382C7B
Malicious:	false
Preview:	BM,.......6...(...1...1................................iI.\|4..{3...8...:...qI..oH..hH......8...9...<...A...>..}<...@...F...C..t:...A...D...qG..C...E..m:...L...K...H...G...L...N..yB...L..........N...S...Z...S..vC...J...U......V...S...R...Y...V...Y...Y...M...Z...h...x8..\|<...i......]...\...Y...]...V...^...^...e...c...o...l...c...a..._..._...b...X...j...^...d...k...j...q...u...p...x+..p.....h...g...d...j...b...u...u...n...t...t...s...m...r...u...s...{"...4...i..r...m...m...w...u...q...t...}...K...N..U..l..........r.......x...{....!...#...)..@..N..V...............$...#...'...,..4..5..:..C..T..u......................... ...'...*..,.....<..B..V..\..e..p..............)..,..2..4..5..9..<..<..R..\..d...y........................................................ ..)..3..8..:..B..L..O..n......................................................4..^....................O...b...\|.........................................................

C:\5d17b88cf41ba603370ca60cf86c\netfx_Core.mzz

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	Microsoft Cabinet archive data, 181477643 bytes, 539 files
Category:	dropped
Size (bytes):	181483595
Entropy (8bit):	6.302023019513652
Encrypted:	false
SSDEEP:	3145728:50cvEXiCiitmPnUxMYaPxmnjl4L4JeF3Y0WkSEo:iX
MD5:	78A7BE275E1C86E5847B36F3E6858F16
SHA1:	6D770AA288E426B706191BF8DC6882F0407FBACA
SHA-256:	2DB8044459098D36A812B3C333B406DE4A30FD3C8BD11D789F534741F36B5E43
SHA-512:	BF9689BD89C9C93A2ED220325FBCC27DAA5CAB8223A67590AED747602B6476A035A35077EF346D39A744C53460E2DB9F0048196AC489FF3B4659537069D6184A
Malicious:	false
Preview:	MSCF.....!...................................!..@............a......w................~......\|.......P.......w...............J........}...............a.......d.......+.......3.......Y'......\'......g)......j).....Y}+.......+.....b.+.......-......32.....8Q2......]8.....<.;.....dd9.......:.C...d.\......-\.2...[.t......,..............Cx..........2...z.......1...^...?3.......................t..............h............... {..............ye......Y.'......~2.......5.......9......6F.......G.....u.M......"W......................r......................;.F......I......!L.....{oS.....#gV..............s...............e......................c4..............<.......................Td.......$.......J......,o...............^..............D...................}...V.H.....V[R......"S.....9gS...... U......&].%...Awo......Tq.-..........AC..............y..........)....v......A<......._...............y..............).......................v...............H......q... ....J........6.....i.6.....A.<.....y...

C:\5d17b88cf41ba603370ca60cf86c\netfx_Core_x64.msi

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Framework 4 Client Profile, Author: Microsoft Corporation, Keywords: Install,MSI,Framework, Comments: Microsoft .NET Framework 4 Client Profile; Copyright (C) Microsoft Corporation, All rights reserved., Template: x64;0, Revision Number: {12051853-CF96-4588-AED7-926AA73006BF}, Create Time/Date: Thu Mar 18 21:29:46 2010, Last Saved Time/Date: Thu Mar 18 21:29:46 2010, Number of Pages: 300, Name of Creating Application: Windows Installer XML (3.5.0626.0), Security: 0, Number of Words: 0
Category:	dropped
Size (bytes):	1901056
Entropy (8bit):	6.461226431661216
Encrypted:	false
SSDEEP:	24576:f/zZ6tsNrQpc+BQbPyxbs4rONSnfiPBC6xahsovoMfjhOGxZWxw0:V6tuQpcxisfQf2M6FGoML
MD5:	7FA435DC3ED0B5C0D95456C32D775F1A
SHA1:	CE9CC73365C768727523F91272A2164E55E8D0BF
SHA-256:	2B7A95AFFB391D6197BFC394C6E559488DCB9D4C34012C029D830FAE6F11E516
SHA-512:	9D5293048A5CA7787C42198596E6FC6EA9AA1136A33666D53B3A767A795704E626DFC8D338E51574AC4AA64D1B78B975B6313BCE95840DFEC650BEDB6907D403
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................:...............................!................................................................................... ...!.......#...$...%...&...'...0...)...*...+...,...-......./..."...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\5d17b88cf41ba603370ca60cf86c\netfx_Core_x86.msi

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Framework 4 Client Profile, Author: Microsoft Corporation, Keywords: Install,MSI,Framework, Comments: Microsoft .NET Framework 4 Client Profile; Copyright (C) Microsoft Corporation, All rights reserved., Template: Intel;0, Revision Number: {F3592794-C7C9-495D-8985-EDD0D19ECD10}, Create Time/Date: Thu Mar 18 20:19:02 2010, Last Saved Time/Date: Thu Mar 18 20:19:02 2010, Number of Pages: 300, Name of Creating Application: Windows Installer XML (3.5.0626.0), Security: 0, Number of Words: 0
Category:	dropped
Size (bytes):	1163264
Entropy (8bit):	6.501190522452734
Encrypted:	false
SSDEEP:	24576:Df6szx1u6dsNbQXcUwabPx9bswH/fd6pxr:DfhzxI6d+QXcWDsK1
MD5:	50D6022791EFDE93CAFD864014DED84C
SHA1:	A0A84AD332A9AB217E94089038A9544B4F53878B
SHA-256:	BC7B6B32157ED65023BB251E177F78480490EC1FA53EB54EC4441E8A44F33F36
SHA-512:	B64D32C6E36F0F5EEA35F4EC1FA8F6EF873E5BFCE849358725E9704BEFAC369C8D1B06374E6E56E6EBD81CDF4D812A47899CCA2CBA79542805CFA6B3CE1ACAF7
Malicious:	false
Preview:	......................>...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................1.......(...!..."...#...$...%...&...'.......)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\5d17b88cf41ba603370ca60cf86c\netfx_Extended.mzz

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	Microsoft Cabinet archive data, 43125631 bytes, 590 files
Category:	dropped
Size (bytes):	43131591
Entropy (8bit):	5.929087637532983
Encrypted:	false
SSDEEP:	393216:/XL2q6NTwgZNtNr2OmDQva6gcYQqWZYsp4Ut6:/buZNtB2OgQvafvF
MD5:	D8F8D21682DBF213F370839EE5721E22
SHA1:	CC64364CE73A1DFCCB18C106AD7E4FDB09BFF7E3
SHA-256:	DF57836EE8D6762A4C95E00823A0D635E8B4048A0C2A3BD7C3F047DC57921CA0
SHA-512:	516546FE22EAC972875E7D5044B53E52334EA7F9AF66B6863D6803D955807BAE8D81A8AF83F63A4D18D3F1F3AA6FD41717FD9DBCA769AED4DAED077C81CC750D
Malicious:	false
Preview:	MSCF............,...........N...................H............n..4....U......xW......................9.......................Z.......@+...............<......9B...............b......=5 ......9!.....7T!......./.-.....F.....K.F.......G......eO.....z.O......O......O.....s.O.......O......HZ.....z.\.......\.......\.....Q.\.....\.\.......].......].....3#]......C].....#D]....../^.....Fc^.....[n^.....`.^.......^......^......._.......`.......`.......`.......`......$`.......a.......a.....!.a.....j#b.....>0b......yc.....7.c.......c.....W.c.....#.c......-j......1j......Gj.....xPj.....jxj......xj......yj.....szj......{j.....L.j.......j.....9.j.......j......j.....D.j.....^.j.......j.......j.......j.......t.......t.......t.......u.....6.u.......v.....S=w.......w.......x.......x.....B.y.......y.......y.......z......4z.....qbz.....K~z.......z.......z.....v.z.......z.......{.....^!{......v{.....{.{.....t.{.......{.......{.......{.....w.\|.....\*\|......3}.)....x.......`......D...!....D......l..........

C:\5d17b88cf41ba603370ca60cf86c\netfx_Extended_x64.msi

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Framework 4 Extended, Author: Microsoft Corporation, Keywords: Install,MSI,Framework, Comments: Microsoft .NET Framework 4 Extended; Copyright (C) Microsoft Corporation, All rights reserved., Template: x64;0, Revision Number: {276A40EA-DCA8-426C-883E-A50A46E70736}, Create Time/Date: Fri Mar 19 00:23:04 2010, Last Saved Time/Date: Fri Mar 19 00:23:04 2010, Number of Pages: 300, Name of Creating Application: Windows Installer XML (3.5.0626.0), Security: 0, Number of Words: 0
Category:	dropped
Size (bytes):	872448
Entropy (8bit):	6.345407948123054
Encrypted:	false
SSDEEP:	24576:E/J96doNrQlcqGRpOQSpKiPBD6txBkkkkk5SV:W6dKQlc4Fc216XmS
MD5:	EADB43461CA9172AAA530AEC509C4082
SHA1:	7C9B9BC04F814E0FE113A4376B8DFA56B407FC5C
SHA-256:	070CEA34E4D275393DB78AB7683819DA98F59911B6436CC1DA34F50A37E610C8
SHA-512:	EC21D0D6D5B7E5C9ABB5F3EFF1E35A3D36A3F0A6D2D3AFB474BB1CCE37AAB8DFD2D7469A7E25E6229A9572F680AB34375F30F12A59986EA15B2F209C6840F4E0
Malicious:	false
Preview:	......................>...............................................................................................z.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................V...........=.......................&....... ...!..."...#...$...%.......'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\5d17b88cf41ba603370ca60cf86c\netfx_Extended_x86.msi

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Framework 4 Extended, Author: Microsoft Corporation, Keywords: Install,MSI,Framework, Comments: Microsoft .NET Framework 4 Extended; Copyright (C) Microsoft Corporation, All rights reserved., Template: Intel;0, Revision Number: {6049F8E7-4CD1-48EC-92A9-039B68CD82B3}, Create Time/Date: Thu Mar 18 23:47:22 2010, Last Saved Time/Date: Thu Mar 18 23:47:22 2010, Number of Pages: 300, Name of Creating Application: Windows Installer XML (3.5.0626.0), Security: 0, Number of Words: 0
Category:	dropped
Size (bytes):	495616
Entropy (8bit):	6.419160692432259
Encrypted:	false
SSDEEP:	6144:DRHfepsrxRrGh/JD6sAOiOk05c+Q+OjUIsLQUIcFxZSBVv+lYjsm6FBQ0ssT5H:dHfepsrx1GX6sEsNz7QXcFxZ+VhjEr
MD5:	A9EB4FCEFB05A5054009919042482AEC
SHA1:	B220E5406668F958D19CCCC52B0E66E66BD18F7C
SHA-256:	AFF90540E38BA99EFC5CA086F84C9F3C54754D5C6C2AC0F953D7316FAE59432D
SHA-512:	6D0FF3236FD487EB20A16581874A9043F1B8E8912F87C987DFA33A041BB04288D067C1787606950AD9A2900005E122F22F7693DD4761B3FFC1B8F10BF27839B2
Malicious:	false
Preview:	......................>..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."....................... ...!.......#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\5d17b88cf41ba603370ca60cf86c\sqmapi.dll

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	144416
Entropy (8bit):	6.7404750879679485
Encrypted:	false
SSDEEP:	3072:uochw/MFWrJjKOMxRSepuBaqn/NlnBh2Lx0JVzx1wWobn1ek8F7HncO5hK9YSHlN:zDFB47UhXBh2yJ5HcOSSSHZqG
MD5:	3F0363B40376047EFF6A9B97D633B750
SHA1:	4EAF6650ECA5CE931EE771181B04263C536A948B
SHA-256:	BD6395A58F55A8B1F4063E813CE7438F695B9B086BB965D8AC44E7A97D35A93C
SHA-512:	537BE86E2F171E0B2B9F462AC7F62C4342BEB5D00B68451228F28677D26A525014758672466AD15ED1FD073BE38142DAE478DF67718908EAE9E6266359E1F9E8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................................................................Rich...................PE..L....IE...........!.........$.....................l.........................@......R.....@.........................D.......$...d....................... (... ......P...8............................\..@.......t.......D............................text............................... ..`.data...............................@....rsrc...............................@..@.reloc....... ......................@..Ba.IE8....IEC....IEP....IEZ.....IEe....IEP...........msvcrt.dll.ADVAPI32.dll.ntdll.DLL.USER32.dll.KERNEL32.dll...............................................................................................................................................................................................................................................

C:\5d17b88cf41ba603370ca60cf86c\watermark.bmp

Download File

Process:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
File Type:	PC bitmap, Windows 3.x format, 164 x 628 x 8
Category:	dropped
Size (bytes):	104072
Entropy (8bit):	7.2628723112196
Encrypted:	false
SSDEEP:	768:QKUpOeBmAj72KbvEvffvCv7cTIMUHuRzHA8X9H51T9ho4xw7CgB1:QKULmAfbvEv47cIHzE9vo4SuU1
MD5:	B0075CEE80173D764C0237E840BA5879
SHA1:	B4CF45CD5BB036F4F210DFCBA6AC16665A7C56A8
SHA-256:	AB18374B3AAB10E5979E080D0410579F9771DB888BA1B80A5D81BA8896E2D33A
SHA-512:	71A748C82CC8B0B42EF5A823BAC4819D290DA2EDDBB042646682BCCC7EB7AB320AFDCFDFE08B1D9EEBE149792B1259982E619F8E33845E33EEC808C546E5C829
Malicious:	false
Preview:	BM........6...(.......t...........R...................};.......F.......T...c....H..b...t...m...z...d...a..._...f...f....&..x...j...w...o...k...r....+..........\|...u...\|...q...v...w...\|...2..~...z.......x...........{.................................................................... ...#..:..P..e................................#..#..&..(..+..+..-........EDA................$..,../..4..2..6..;...........................$..'..,..0..:..?..E......................6..5..>...D...I...K...Q...j...................=...D...L...P...U...V...\...r.....................Y...\...`...d...b...f...j...l...{..................................`...g...o...u...\|....................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\HFIF32.tmp.html

Download File

Process:	C:\5d17b88cf41ba603370ca60cf86c\Setup.exe
File Type:	HTML document, Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	16118
Entropy (8bit):	3.6434775915277604
Encrypted:	false
SSDEEP:	192:7Ddx3KOTczFQ21Kp4n5DTx1iDecPeLHLHQFJFjZWblWUxFzJzcKHjT:fdsOT01KcBUFJFEWUxFzvHH
MD5:	CD131D41791A543CC6F6ED1EA5BD257C
SHA1:	F42A2708A0B42A13530D26515274D1FCDBFE8490
SHA-256:	E139AF8858FE90127095AC1C4685BCD849437EF0DF7C416033554703F5D864BB
SHA-512:	A6EE9AF8F8C2C7ACD58DD3C42B8D70C55202B382FFC5A93772AF7BF7D7740C1162BB6D38A4307B1802294A18EB52032D410E128072AF7D4F9D54F415BE020C9A
Malicious:	false
Preview:	..<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C././.D.T.D. .X.H.T.M.L. .1...1././.E.N.". .".h.t.t.p.:././.w.w.w...w.3...o.r.g./.T.R./.x.h.t.m.l.1.1./.D.T.D./.x.h.t.m.l.1.1...d.t.d.".>.....<.!.-.-. .T.h.e. .E.x.t.e.n.d.e.d. .C.o.p.y.r.i.g.h.t./.T.r.a.d.e.m.a.r.k. .L.a.n.g.u.a.g.e. .R.e.s.i.d.e.s. .A.t.:. .h.t.t.p.:././.w.w.w...m.i.c.r.o.s.o.f.t...c.o.m./.i.n.f.o./.c.p.y.r.t.I.n.f.r.g...h.t.m. .-.-.>.....<.h.t.m.l. .x.m.l.n.s.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.1.9.9.9./.x.h.t.m.l.".>.....<.h.e.a.d.>.......<.m.e.t.a. .h.t.t.p.-.e.q.u.i.v.=.".C.o.n.t.e.n.t.-.T.y.p.e.". .c.o.n.t.e.n.t.=.".t.e.x.t./.h.t.m.l.;. .c.h.a.r.s.e.t.=.u.t.f.-.1.6."./.>.<.b.a.s.e. .t.a.r.g.e.t.=."._.b.l.a.n.k."./.>.......<.s.t.y.l.e. .t.y.p.e.=.".t.e.x.t./.c.s.s.".>.........h.t.m.l.{.o.v.e.r.f.l.o.w.:.s.c.r.o.l.l.}.........b.o.d.y.{.f.o.n.t.-.s.i.z.e.:.1.0.p.t.;.f.o.n.t.-.f.a.m.i.l.y.:.V.e.r.d.a.n.a.;.c.o.l.o.r.:.#.0.0.0.0.0.0.;.b.a.c.k.g.r.o.u.n.d.-.c.o.l.o.r.:.#.F.0.F.0.F.0.}...........h.e.a.d.e.r.

C:\Users\user\AppData\Local\Temp\Microsoft .NET Framework 4 Setup_20220809_105445969.html (copy)

Download File

Process:	C:\5d17b88cf41ba603370ca60cf86c\Setup.exe
File Type:	HTML document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	53784
Entropy (8bit):	3.705939230696985
Encrypted:	false
SSDEEP:	192:7Ddx3KOTczFQ21Kp4n5DTx1iDecPeLHLHQFJFjZWblWUxFzJzcKHjRhJk7C62K:fdsOT01KcBUFJFEWUxFzvHtvk7C62K
MD5:	6EE0756E214718DDBE817BB349D7FE6C
SHA1:	58E395556576EF9BFFE4A2FE5AF964BF8432C930
SHA-256:	287270C1AC16EAB65F8F6C9323B6E80C7366D5719AF8B681A0E6AF1E121CFA4C
SHA-512:	47DCDD9EE3484176FC40193CA404BE6FC5F7FB2B10BE398216D585D2B3A5147CA9DED66E164AFEA3BBEF8C2A52A334049F8F9591F91C62893CF030213892D5A9
Malicious:	false
Preview:	..<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C././.D.T.D. .X.H.T.M.L. .1...1././.E.N.". .".h.t.t.p.:././.w.w.w...w.3...o.r.g./.T.R./.x.h.t.m.l.1.1./.D.T.D./.x.h.t.m.l.1.1...d.t.d.".>.....<.!.-.-. .T.h.e. .E.x.t.e.n.d.e.d. .C.o.p.y.r.i.g.h.t./.T.r.a.d.e.m.a.r.k. .L.a.n.g.u.a.g.e. .R.e.s.i.d.e.s. .A.t.:. .h.t.t.p.:././.w.w.w...m.i.c.r.o.s.o.f.t...c.o.m./.i.n.f.o./.c.p.y.r.t.I.n.f.r.g...h.t.m. .-.-.>.....<.h.t.m.l. .x.m.l.n.s.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.1.9.9.9./.x.h.t.m.l.".>.....<.h.e.a.d.>.......<.m.e.t.a. .h.t.t.p.-.e.q.u.i.v.=.".C.o.n.t.e.n.t.-.T.y.p.e.". .c.o.n.t.e.n.t.=.".t.e.x.t./.h.t.m.l.;. .c.h.a.r.s.e.t.=.u.t.f.-.1.6."./.>.<.b.a.s.e. .t.a.r.g.e.t.=."._.b.l.a.n.k."./.>.......<.s.t.y.l.e. .t.y.p.e.=.".t.e.x.t./.c.s.s.".>.........h.t.m.l.{.o.v.e.r.f.l.o.w.:.s.c.r.o.l.l.}.........b.o.d.y.{.f.o.n.t.-.s.i.z.e.:.1.0.p.t.;.f.o.n.t.-.f.a.m.i.l.y.:.V.e.r.d.a.n.a.;.c.o.l.o.r.:.#.0.0.0.0.0.0.;.b.a.c.k.g.r.o.u.n.d.-.c.o.l.o.r.:.#.F.0.F.0.F.0.}...........h.e.a.d.e.r.

C:\Users\user\AppData\Local\Temp\Setup_20220809_105429922.html

Download File

Process:	C:\5d17b88cf41ba603370ca60cf86c\Setup.exe
File Type:	HTML document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	53784
Entropy (8bit):	3.705939230696985
Encrypted:	false
SSDEEP:	192:7Ddx3KOTczFQ21Kp4n5DTx1iDecPeLHLHQFJFjZWblWUxFzJzcKHjRhJk7C62K:fdsOT01KcBUFJFEWUxFzvHtvk7C62K
MD5:	6EE0756E214718DDBE817BB349D7FE6C
SHA1:	58E395556576EF9BFFE4A2FE5AF964BF8432C930
SHA-256:	287270C1AC16EAB65F8F6C9323B6E80C7366D5719AF8B681A0E6AF1E121CFA4C
SHA-512:	47DCDD9EE3484176FC40193CA404BE6FC5F7FB2B10BE398216D585D2B3A5147CA9DED66E164AFEA3BBEF8C2A52A334049F8F9591F91C62893CF030213892D5A9
Malicious:	false
Preview:	..<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C././.D.T.D. .X.H.T.M.L. .1...1././.E.N.". .".h.t.t.p.:././.w.w.w...w.3...o.r.g./.T.R./.x.h.t.m.l.1.1./.D.T.D./.x.h.t.m.l.1.1...d.t.d.".>.....<.!.-.-. .T.h.e. .E.x.t.e.n.d.e.d. .C.o.p.y.r.i.g.h.t./.T.r.a.d.e.m.a.r.k. .L.a.n.g.u.a.g.e. .R.e.s.i.d.e.s. .A.t.:. .h.t.t.p.:././.w.w.w...m.i.c.r.o.s.o.f.t...c.o.m./.i.n.f.o./.c.p.y.r.t.I.n.f.r.g...h.t.m. .-.-.>.....<.h.t.m.l. .x.m.l.n.s.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.1.9.9.9./.x.h.t.m.l.".>.....<.h.e.a.d.>.......<.m.e.t.a. .h.t.t.p.-.e.q.u.i.v.=.".C.o.n.t.e.n.t.-.T.y.p.e.". .c.o.n.t.e.n.t.=.".t.e.x.t./.h.t.m.l.;. .c.h.a.r.s.e.t.=.u.t.f.-.1.6."./.>.<.b.a.s.e. .t.a.r.g.e.t.=."._.b.l.a.n.k."./.>.......<.s.t.y.l.e. .t.y.p.e.=.".t.e.x.t./.c.s.s.".>.........h.t.m.l.{.o.v.e.r.f.l.o.w.:.s.c.r.o.l.l.}.........b.o.d.y.{.f.o.n.t.-.s.i.z.e.:.1.0.p.t.;.f.o.n.t.-.f.a.m.i.l.y.:.V.e.r.d.a.n.a.;.c.o.l.o.r.:.#.0.0.0.0.0.0.;.b.a.c.k.g.r.o.u.n.d.-.c.o.l.o.r.:.#.F.0.F.0.F.0.}...........h.e.a.d.e.r.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.99985787893901
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	dotNetFx40_Full_x86_x64.exe
File size:	50449456
MD5:	a67cf67f2c63eb833a0059bfa3b87541
SHA1:	971203f435fc295141f8ab53edfb360de393af05
SHA256:	c157266c22151be6b4c7e83cf58e1dbb7f1788677a06e7a07e29e31ed97774ae
SHA512:	1476d89508a39b608f62d88651f888ad46b5f73535f3bb327d81ba47cd15d887c38d4e5cee680688566d5cd4651d327637fd142a17bb61b0bd95ba126cddd6e8
SSDEEP:	1572864:iAVBjIQSzQe3cf7xOCHKYrLn+XxdjrALIjOqWY99:LVBIbzQe3u7KYrCDS9299
TLSH:	7EB733E571D48830CDA32ABA07D976B54FF66D6B1BBCA9EB7C8487E1910095293B1F00
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............}...}...}...,...}.......}.......}...//..}.../...}.../...}.......}...}...}...,+..}...,/..}...,...}...,...}...,...}..Rich.}.

File Icon


Icon Hash:	c1d1d8c592a4a6c6

Static PE Info

General

Entrypoint:	0x4191c6
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x4ACF8EA6 [Fri Oct 9 19:27:34 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	02483cd76378259a50b7b66146b45f06

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
call 00007FA838CF584Eh
jmp 00007FA838CF3BE9h
int3
int3
int3
int3
int3
cmp ecx, dword ptr [0042A050h]
jne 00007FA838CF3D64h
rep ret
jmp 00007FA838CF58D5h
int3
int3
int3
int3
int3
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov edx, eax
mov cx, word ptr [eax]
add eax, 02h
test cx, cx
jne 00007FA838CF3D57h
mov cx, word ptr [ebp+0Ch]
sub eax, 02h
cmp eax, edx
je 00007FA838CF3D67h
cmp word ptr [eax], cx
jne 00007FA838CF3D56h
cmp word ptr [eax], cx
je 00007FA838CF3D64h
xor eax, eax
pop ebp
ret
int3
int3
int3
int3
int3
mov edi, edi
push ebp
mov ebp, esp
push esi
mov esi, dword ptr [ebp+08h]
push edi
test esi, esi
je 00007FA838CF3D69h
mov edi, dword ptr [ebp+0Ch]
test edi, edi
jne 00007FA838CF3D77h
call 00007FA838CF5B88h
push 00000016h
pop esi
mov dword ptr [eax], esi
call 00007FA838CF5B22h
mov eax, esi
pop edi
pop esi
pop ebp
ret
mov eax, dword ptr [ebp+10h]
test eax, eax
jne 00007FA838CF3D67h
mov word ptr [esi], ax
jmp 00007FA838CF3D41h
mov edx, esi
sub edx, eax
movzx ecx, word ptr [eax]
mov word ptr [edx+eax], cx
add eax, 02h
test cx, cx
je 00007FA838CF3D65h
dec edi
jne 00007FA838CF3D50h
xor eax, eax
test edi, edi
jne 00007FA838CF3D36h
mov word ptr [esi], ax
call 00007FA838CF5B48h
push 00000022h
pop ecx
mov dword ptr [eax], ecx
mov esi, ecx
jmp 00007FA838CF3D1Eh
int3
int3
int3
int3
int3
mov edi, edi
push ebp
mov ebp, esp
lea eax, dword ptr [ebp+14h]
push eax

Rich Headers

Programming Language:

[ C ] VS2005 build 50727
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x29440	0x9a	.text
IMAGE_DIRECTORY_ENTRY_IMPORT	0x28544	0xdc	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2f000	0x1d8c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x301b4c0	0x1770	.reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x31000	0x196c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x12e0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x56a8	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x29c	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x284da	0x28600	False	0.5292424535603715	data	6.556200941112108	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x2a000	0x3700	0x1400	False	0.2107421875	data	2.408617438994403	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.boxld01	0x2e000	0xac	0x200	False	0.236328125	data	1.578411254189467	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x2f000	0x1d8c	0x1e00	False	0.331640625	data	4.098868586843778	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x31000	0x2ff1000	0x2ff0e30	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x2f298	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 1332115454, next used block 32888	English	United States
RT_ICON	0x2f580	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x2f6a8	0x10c	data	English	United States
RT_DIALOG	0x2f7b4	0x170	data	English	United States
RT_STRING	0x2f924	0x582	data	English	United States
RT_STRING	0x2fea8	0xb4	data	English	United States
RT_STRING	0x2ff5c	0x40	data	English	United States
RT_GROUP_ICON	0x2ff9c	0x22	data	English	United States
RT_VERSION	0x2ffc0	0x620	data
RT_VERSION	0x305e0	0x364	data	English	United States
RT_MANIFEST	0x30944	0x445	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	CryptGenRandom, CryptReleaseContext, DecryptFileW, CryptAcquireContextA
KERNEL32.dll	Sleep, WaitForSingleObject, GetExitCodeProcess, CloseHandle, SetFileAttributesW, InitializeCriticalSection, CreateEventA, CreateThread, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, SetEvent, GetCommandLineW, CreateProcessW, CompareStringW, LocalFree, QueryDosDeviceW, GetLogicalDriveStringsW, GetDiskFreeSpaceExW, GetDriveTypeW, CreateFileW, DeviceIoControl, SetErrorMode, CreateDirectoryW, RemoveDirectoryW, MoveFileExW, LoadLibraryW, GetProcAddress, GetSystemDirectoryW, GetVersion, GetLastError, SetEnvironmentVariableW, ExitThread, GetTickCount, GetEnvironmentVariableW, GetModuleHandleW, lstrlenW, WaitForMultipleObjects, ResetEvent, GetSystemInfo, FileTimeToSystemTime, FileTimeToLocalFileTime, FileTimeToDosDateTime, SetFileTime, LocalFileTimeToFileTime, DosDateTimeToFileTime, SetEndOfFile, DuplicateHandle, ReadFile, SetFilePointerEx, GlobalFree, GlobalAlloc, GetCommandLineA, HeapSetInformation, GetStartupInfoW, SetUnhandledExceptionFilter, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameW, GetModuleFileNameA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, HeapCreate, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, IsDebuggerPresent, HeapFree, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapAlloc, LCMapStringW, RtlUnwind, SetFilePointer, GetConsoleCP, GetConsoleMode, MultiByteToWideChar, GetStringTypeW, HeapSize, HeapReAlloc, IsProcessorFeaturePresent, SetStdHandle, WriteConsoleW, FlushFileBuffers, CreateFileA, GetLocalTime, GetComputerNameW, lstrlenA, FormatMessageW, GetSystemTime, GetTimeZoneInformation, SystemTimeToTzSpecificLocalTime, DeleteFileW, GetFileAttributesW, FindFirstFileW, FindNextFileW, FindClose, GetCurrentDirectoryW, SetCurrentDirectoryW, ExpandEnvironmentStringsW, GetProcessHeap, RaiseException
COMCTL32.dll
RPCRT4.dll	UuidToStringW, RpcStringFreeW, UuidCreate
SHELL32.dll	CommandLineToArgvW, SHBrowseForFolderW, SHGetPathFromIDListW
SHLWAPI.dll	PathRemoveExtensionW
USER32.dll	MessageBoxW, GetTopWindow, GetWindowThreadProcessId, GetWindow, SendMessageA, PostMessageW, SendMessageW, DialogBoxParamA, GetDlgItem, SetWindowTextW, EndDialog, PostQuitMessage, DialogBoxParamW, SetWindowLongW, GetWindowLongW, LoadStringW, CharUpperW
Cabinet.dll
OLEAUT32.dll	SysAllocString, VariantClear
VERSION.dll	GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW

Exports

Name	Ordinal	Address
?dwPlaceholder@@3PAEA	1	0x42e000
_DecodePointerInternal@4	2	0x40b51b
_EncodePointerInternal@4	3	0x40b4f9

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: dotNetFx40_Full_x86_x64.exePID: 5584, Parent PID: 5592

General

Target ID:	0
Start time:	10:52:45
Start date:	09/08/2022
Path:	C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\dotNetFx40_Full_x86_x64.exe"
Imagebase:	0x1070000
File size:	50449456 bytes
MD5 hash:	A67CF67F2C63EB833A0059BFA3B87541
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: Setup.exePID: 5352, Parent PID: 5584

General

Target ID:	20
Start time:	10:54:28
Start date:	09/08/2022
Path:	C:\5d17b88cf41ba603370ca60cf86c\Setup.exe
Wow64 process (32bit):	true
Commandline:	C:\5d17b88cf41ba603370ca60cf86c\\Setup.exe /x86 /x64
Imagebase:	0xc10000
File size:	78152 bytes
MD5 hash:	006F8A615020A4A17F5E63801485DF46
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: Setup.exePID: 5352, Parent PID: 5584COMMON

Execution Graph

Execution Coverage:	15.4%
Dynamic/Decrypted Code Coverage:	19.2%
Signature Coverage:	3.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	60

Executed Functions

Function 6D2C6525 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 199
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E6D2C6525(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t85;
				intOrPtr _t89;
				intOrPtr _t95;
				void* _t96;
				intOrPtr* _t108;
				intOrPtr* _t110;
				intOrPtr* _t117;
				void* _t124;
				intOrPtr* _t126;
				intOrPtr* _t130;
				intOrPtr* _t131;
				intOrPtr* _t132;
				intOrPtr* _t170;
				intOrPtr* _t177;
				void* _t178;
				intOrPtr* _t179;
				void* _t180;

				_t180 = __eflags;
				E6D2D2693(0x6d2d7cf2, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t178 - 0x2c)) = 0;
				E6D2BE8E8(L"threw exception", 0, _t180);
				 *((intOrPtr*)(_t178 - 4)) = 1;
				_t85 = E6D2BE93B("IronMan::UiDataT<class IronMan::CCmdLineSwitches>::CreateUiDataT", 0, _t180);
				 *((char*)(_t178 - 4)) = 2;
				 *((intOrPtr*)(_t178 - 0x44)) = _t178 - 0x18;
				_t89 = E6D2C83FD( *_t85 - 0x10) + 0x10;
				 *((intOrPtr*)(_t178 - 0x40)) = _t89;
				 *((char*)(_t178 - 4)) = 3;
				_t170 =  *((intOrPtr*)(_t178 + 0x14));
				 *((intOrPtr*)(_t178 - 0x3c)) = _t170;
				 *((intOrPtr*)( *_t170 + 8))(L"Entering Function", _t89, _t178 - 0x28, _t178 - 0x18, 0x5c);
				E6D2C8460( *((intOrPtr*)(_t178 - 0x28)) + 0xfffffff0,  *_t170);
				__imp__CoInitialize(0); // executed
				 *((char*)(_t178 - 4)) = 7;
				E6D2C697A(__ebx, _t170,  *_t170, _t170, 0, _t180, _t170); // executed
				 *((intOrPtr*)(_t178 - 0x1c)) = 0;
				_t95 = _t178 - 0x1c;
				 *((char*)(_t178 - 4)) = 8;
				__imp__CoCreateInstance(0x6d2a7930, 0, 0x17, 0x6d2a7970, _t95); // executed
				if(_t95 < 0) {
					L19:
					 *((intOrPtr*)(_t178 - 0x34)) = _t95;
					 *((intOrPtr*)(_t178 - 0x38)) = 0x6d2a6e14;
					_push(0x6d2d82d8);
					_t96 = _t178 - 0x38;
					L18:
					_push(_t96);
					_t95 = E6D2CDBDB();
					goto L19;
				}
				_t157 =  *((intOrPtr*)(_t178 - 0x1c));
				_t151 = _t178 - 0x20;
				_push(_t178 - 0x20);
				_push( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0xc)))));
				 *((intOrPtr*)(_t178 - 0x20)) = 0;
				_t166 =  *_t157;
				_push(_t157); // executed
				if( *((intOrPtr*)( *_t157 + 0x104))() != 0 ||  *((short*)(_t178 - 0x20)) != 0xffff) {
					L17:
					_push(_t178 + 0x10);
					E6D2BE8E8(L"UIInfo.xml", 0, __eflags);
					_push(_t178 + 0xc);
					 *((char*)(_t178 - 4)) = 0xe;
					E6D2BE8E8(L"Xml Document load failure", 0, __eflags);
					_push(_t178 + 0x10);
					_push(_t178 + 0xc);
					_push(_t178 - 0x68);
					 *((char*)(_t178 - 4)) = 0xf;
					E6D2ACA39(_t151, _t157, _t166, L"Xml Document load failure", 0, __eflags);
					_push(0x6d2d82a0);
					_t96 = _t178 - 0x68;
					goto L18;
				} else {
					 *((intOrPtr*)(_t178 + 0xc)) = 0;
					 *((char*)(_t178 - 4)) = 9;
					_t108 =  *((intOrPtr*)(_t178 - 0x1c));
					_t157 =  *_t108;
					_t166 = _t178 + 0xc;
					_push(_t178 + 0xc);
					_push(_t108);
					if( *((intOrPtr*)(_t157 + 0xb4))() != 0) {
						 *((char*)(_t178 - 4)) = 8;
						_t110 =  *((intOrPtr*)(_t178 + 0xc));
						__eflags = _t110;
						if(__eflags != 0) {
							_t157 =  *_t110;
							 *((intOrPtr*)( *_t110 + 8))(_t110);
						}
						goto L17;
					}
					_t153 = E6D2C8199(L"succeeded");
					E6D2C811C(_t178 - 0x18, _t113, _t157, L"succeeded");
					_push(_t170);
					_push( *((intOrPtr*)(_t178 + 0x10)));
					_push(_t157);
					_t158 =  *((intOrPtr*)(_t178 + 0xc));
					 *_t179 =  *((intOrPtr*)(_t178 + 0xc));
					_t117 =  *((intOrPtr*)(_t178 + 0xc));
					 *((intOrPtr*)(_t178 - 0x24)) = _t179;
					_t185 = _t117;
					if(_t117 != 0) {
						_t158 =  *_t117;
						 *((intOrPtr*)( *_t117 + 4))(_t117);
					}
					E6D2AD214(_t178 - 0x50);
					_push(_t178 - 0x24);
					 *((char*)(_t178 - 4)) = 0xa;
					E6D2BE8E8(L"UI", _t178 - 0x50, _t185);
					 *((char*)(_t178 - 4)) = 0xb;
					_t124 = E6D2AD65F(_t178 - 0x50, _t153, _t178 - 0x5c, _t178 - 0x24);
					 *((char*)(_t178 - 4)) = 0xc;
					_t177 =  *((intOrPtr*)(_t178 + 0x14));
					_push(_t177);
					_push( *((intOrPtr*)(_t178 + 0x10)));
					_push(_t124);
					_push( *((intOrPtr*)(_t178 + 8)));
					E6D2C6EE2(_t153, _t158, _t166, L"UI", _t177, _t185); // executed
					 *((char*)(_t178 - 4)) = 0xb;
					_t126 =  *((intOrPtr*)(_t178 - 0x5c));
					 *((intOrPtr*)(_t178 - 0x2c)) = 1;
					if(_t126 != 0) {
						 *((intOrPtr*)( *_t126 + 8))(_t126);
					}
					E6D2C8460( *((intOrPtr*)(_t178 - 0x24)) + 0xfffffff0, _t166);
					 *((char*)(_t178 - 4)) = 9;
					_t130 =  *((intOrPtr*)(_t178 - 0x50));
					if(_t130 != 0) {
						 *((intOrPtr*)( *_t130 + 8))(_t130);
					}
					 *((char*)(_t178 - 4)) = 8;
					_t131 =  *((intOrPtr*)(_t178 + 0xc));
					if(_t131 != 0) {
						 *((intOrPtr*)( *_t131 + 8))(_t131);
					}
					 *((char*)(_t178 - 4)) = 7;
					_t132 =  *((intOrPtr*)(_t178 - 0x1c));
					if(_t132 != 0) {
						 *((intOrPtr*)( *_t132 + 8))(_t132);
					}
					__imp__CoUninitialize(); // executed
					 *((char*)(_t178 - 4)) = 0xd;
					 *((intOrPtr*)( *_t177 + 4))(4, L" exiting function/method");
					 *((intOrPtr*)( *_t177 + 0xc))( *((intOrPtr*)(_t178 - 0x18)));
					E6D2C8460( *((intOrPtr*)(_t178 - 0x40)) + 0xfffffff0, _t166);
					E6D2C8460( *((intOrPtr*)(_t178 - 0x18)) + 0xfffffff0, _t166);
					return E6D2D2709( *((intOrPtr*)(_t178 + 8)));
				}
			}

0x6d2c6525
0x6d2c652c
0x6d2c653c
0x6d2c653f
0x6d2c654d
0x6d2c6554
0x6d2c6559
0x6d2c6565
0x6d2c656d
0x6d2c6570
0x6d2c6573
0x6d2c6577
0x6d2c6584
0x6d2c6587
0x6d2c6590
0x6d2c6596
0x6d2c659d
0x6d2c65a1
0x6d2c65a6
0x6d2c65a9
0x6d2c65ba
0x6d2c65be
0x6d2c65c6
0x6d2c6778
0x6d2c6778
0x6d2c677b
0x6d2c6782
0x6d2c6787
0x6d2c6772
0x6d2c6772
0x6d2c6773
0x00000000
0x6d2c6773
0x6d2c65d1
0x6d2c65d4
0x6d2c65d7
0x6d2c65d8
0x6d2c65d9
0x6d2c65dc
0x6d2c65de
0x6d2c65e7
0x6d2c6735
0x6d2c6738
0x6d2c673e
0x6d2c6746
0x6d2c674c
0x6d2c6750
0x6d2c6758
0x6d2c675c
0x6d2c6760
0x6d2c6761
0x6d2c6765
0x6d2c676a
0x6d2c676f
0x00000000
0x6d2c65f8
0x6d2c65f8
0x6d2c65fb
0x6d2c65ff
0x6d2c6602
0x6d2c6604
0x6d2c6607
0x6d2c6608
0x6d2c6611
0x6d2c6724
0x6d2c6728
0x6d2c672b
0x6d2c672d
0x6d2c672f
0x6d2c6732
0x6d2c6732
0x00000000
0x6d2c672d
0x6d2c6624
0x6d2c6629
0x6d2c662e
0x6d2c662f
0x6d2c6632
0x6d2c6633
0x6d2c6638
0x6d2c663a
0x6d2c663d
0x6d2c6640
0x6d2c6642
0x6d2c6644
0x6d2c6647
0x6d2c6647
0x6d2c664d
0x6d2c6655
0x6d2c665b
0x6d2c665f
0x6d2c666e
0x6d2c6672
0x6d2c6677
0x6d2c667b
0x6d2c667e
0x6d2c667f
0x6d2c6682
0x6d2c6683
0x6d2c6686
0x6d2c668b
0x6d2c668f
0x6d2c6692
0x6d2c669b
0x6d2c66a0
0x6d2c66a0
0x6d2c66a9
0x6d2c66ae
0x6d2c66b2
0x6d2c66b7
0x6d2c66bc
0x6d2c66bc
0x6d2c66bf
0x6d2c66c3
0x6d2c66c8
0x6d2c66cd
0x6d2c66cd
0x6d2c66d0
0x6d2c66d4
0x6d2c66d9
0x6d2c66de
0x6d2c66de
0x6d2c66e1
0x6d2c66ec
0x6d2c66f6
0x6d2c6700
0x6d2c6709
0x6d2c6714
0x6d2c6721
0x6d2c6721

APIs

__EH_prolog3_catch.LIBCMT ref: 6D2C652C

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

Part of subcall function 6D2BE93B: __EH_prolog3.LIBCMT ref: 6D2BE942

CoInitialize.OLE32(00000000), ref: 6D2C6596

Part of subcall function 6D2C697A: __EH_prolog3.LIBCMT ref: 6D2C6981
Part of subcall function 6D2C697A: CoCreateInstance.OLE32(6D2A7980,00000000,00000017,6D2A7970,?,?,00000068,6D2C65A6,?,?,?,?,6D2C2A30,?,00000000,?), ref: 6D2C69AC

CoCreateInstance.OLE32(6D2A7930,00000000,00000017,6D2A7970,00000001,?,?,?,?,6D2C2A30,?,00000000,?,00000000,00000000,?), ref: 6D2C65BE
CoUninitialize.OLE32(?,00000000,00000000,?,?,succeeded,?,?,?,6D2C2A30,?,00000000,?,00000000,00000000,?), ref: 6D2C66E1
__CxxThrowException@8.LIBCMT ref: 6D2C6773

Strings

UIInfo.xml, xrefs: 6D2C6739
threw exception, xrefs: 6D2C6537
IronMan::UiDataT<class IronMan::CCmdLineSwitches>::CreateUiDataT, xrefs: 6D2C6548
Xml Document load failure, xrefs: 6D2C6747
exiting function/method, xrefs: 6D2C66E7
succeeded, xrefs: 6D2C6617, 6D2C6623
Entering Function, xrefs: 6D2C657D

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3$CreateInstance$Exception@8H_prolog3_catchInitializeThrowUninitialize
String ID: exiting function/method$Entering Function$IronMan::UiDataT<class IronMan::CCmdLineSwitches>::CreateUiDataT$UIInfo.xml$Xml Document load failure$succeeded$threw exception
API String ID: 4239111664-3845428783
Opcode ID: 74f836c395693f315e1c85c16f30e9e81870b3b452859cebf576617af3fec1ae
Instruction ID: 18821ebb5b791d23e0431890a1bbfac427592594be253c1a9b28874f7703ca12
Opcode Fuzzy Hash: 74f836c395693f315e1c85c16f30e9e81870b3b452859cebf576617af3fec1ae
Instruction Fuzzy Hash: D0818F7194414DEFDB01CFE8C884AAEBBB8EF09318F188169E514EB251C774DE05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C681A Relevance: 10.5, APIs: 7, Instructions: 34windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2C6821
GetLastError.KERNEL32(00000008,6D2C50A0,?,00000000,00000000,?,?,6D2B8DC8,?,%1!I64u!,?,?), ref: 6D2C6834
SetLastError.KERNEL32(00000000,?,6D2B8DC8,?,%1!I64u!,?,?), ref: 6D2C6840
FormatMessageW.KERNEL32(00000500,00000000,00000000,00000000,7DCDEE72,00000000,7DCDEE72,?,6D2B8DC8,?,%1!I64u!,?,?), ref: 6D2C6854
GetLastError.KERNEL32(?,6D2B8DC8,?,%1!I64u!,?,?), ref: 6D2C685A
SetLastError.KERNEL32(?,?,6D2B8DC8,?,%1!I64u!,?,?), ref: 6D2C6868
LocalFree.KERNEL32(7DCDEE72,?,7DCDEE72,?,6D2B8DC8,?,%1!I64u!,?,?), ref: 6D2C6878

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: ErrorLast$FormatFreeH_prolog3LocalMessage
String ID:
API String ID: 69132360-0
Opcode ID: 142ea167da1f0ebf5dbefb644757fadce0641e18244e62512c57fe7e3fa7be1c
Instruction ID: 77abdd0f6f155b5bd0c7f3270bad573918eccbe3cf79d4cabb676eb00444fe6e
Opcode Fuzzy Hash: 142ea167da1f0ebf5dbefb644757fadce0641e18244e62512c57fe7e3fa7be1c
Instruction Fuzzy Hash: 5AF0497184015EEBDF519FA5CD48EAFBA78FF91745B00402AE610A2060CBB08D11CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6D2BCBE6 Relevance: 1.8, APIs: 1, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Item$MessageSend$CallbackDispatcherParentTextUserWindow
String ID:
API String ID: 2000255171-0
Opcode ID: 217186706c4305c210bb0ffa98a2068a286477b0776f69c341d4d28fc4e28a3a
Instruction ID: 52776dadb2aa747fdb7b387fc26502f17dde04287c77c3255ee7a6bb192e52b8
Opcode Fuzzy Hash: 217186706c4305c210bb0ffa98a2068a286477b0776f69c341d4d28fc4e28a3a
Instruction Fuzzy Hash: 5EC1A07169420F9FCB14CF34C480EAA7BB5FB44B48F10852AE96697240D7B0E962DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C697A Relevance: 47.7, APIs: 16, Strings: 11, Instructions: 457
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 71%

			E6D2C697A(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				int _t191;
				intOrPtr* _t192;
				intOrPtr* _t194;
				intOrPtr* _t196;
				int _t202;
				int _t210;
				intOrPtr* _t215;
				intOrPtr* _t217;
				intOrPtr _t219;
				WCHAR* _t222;
				WCHAR* _t224;
				WCHAR* _t226;
				WCHAR* _t228;
				intOrPtr* _t233;
				void* _t247;
				void* _t250;
				short _t252;
				int _t253;
				intOrPtr* _t254;
				intOrPtr* _t258;
				int _t260;
				int _t262;
				int _t266;
				intOrPtr* _t272;
				int _t283;
				intOrPtr _t285;
				intOrPtr* _t289;
				int _t301;
				int _t312;
				intOrPtr* _t323;
				int _t329;
				intOrPtr* _t336;
				intOrPtr _t347;
				intOrPtr* _t365;
				void* _t384;
				int _t393;
				WCHAR* _t394;
				void* _t397;
				intOrPtr* _t398;
				int _t400;
				WCHAR* _t401;
				int _t405;
				void* _t408;
				int _t409;
				void* _t411;
				void* _t412;
				void* _t413;
				void* _t417;

				_t417 = __eflags;
				_t382 = __edi;
				_t373 = __edx;
				E6D2D265B(0x6d2d66e6, __ebx, __edi, __esi);
				E6D2B1E75(__ebx, __ecx, __edx, __edi, __esi, _t417);
				 *((intOrPtr*)(_t408 - 4)) = 0;
				 *(_t408 - 0x14) = 0;
				_t191 = _t408 - 0x14;
				 *((char*)(_t408 - 4)) = 1;
				__imp__CoCreateInstance(0x6d2a7980, 0, 0x17, 0x6d2a7970, _t191, _t408 - 0x64, 0x68); // executed
				_t393 = _t191;
				_t418 = _t393;
				if(_t393 >= 0) {
					_t192 =  *(_t408 - 0x14);
					 *((intOrPtr*)( *_t192 + 0xfc))(_t192, 0);
					_t194 =  *(_t408 - 0x14);
					 *((intOrPtr*)( *_t194 + 0x118))(_t194, 0);
					_t196 =  *(_t408 - 0x14);
					_t347 =  *_t196;
					 *((intOrPtr*)(_t347 + 0x110))(_t196, 0xffffffff);
					_push(_t347);
					 *(_t408 - 0x50) = _t409;
					_push(_t409);
					_t383 = L"UiInfo.xml";
					E6D2BE8E8(L"UiInfo.xml", _t393, __eflags);
					_push(_t408 - 0x18);
					E6D2C50FB(0, _t347, __edx, L"UiInfo.xml", _t393, __eflags);
					 *((char*)(_t408 - 4)) = 4;
					_t202 = PathIsRelativeW( *(_t408 - 0x18));
					__eflags = _t202;
					if(_t202 != 0) {
						 *(_t408 - 0x24) = E6D2C83FD( *((intOrPtr*)(_t408 - 0x64)) + 0xfffffff0) + 0x10;
						 *((char*)(_t408 - 4)) = 5;
						E6D2BF21D(_t408 - 0x24,  *(_t408 - 0x18));
						_t394 =  *(_t408 - 0x24);
						_t383 = PathFileExistsW;
						PathFileExistsW(_t394);
						_t210 = PathFileExistsW(_t394);
						__eflags = _t210;
						if(_t210 != 0) {
							_t383 = _t408 - 0x18;
							E6D2BEA8D(_t408 - 0x24, _t408 - 0x18);
						}
						 *((char*)(_t408 - 4)) = 4;
						E6D2C8460(_t394 - 0x10, _t373);
					} else {
						PathFileExistsW( *(_t408 - 0x18)); // executed
					}
					E6D2C7CDC(_t408 - 0x74,  *(_t408 - 0x18));
					 *((char*)(_t408 - 4)) = 6;
					 *((intOrPtr*)(_t408 - 0x30)) = 0;
					E6D2AB93E(0, _t373, _t383,  *((intOrPtr*)(_t408 + 8)), __eflags); // executed
					_t215 =  *(_t408 - 0x14);
					_t374 = _t408 - 0x30;
					_t411 = _t409 + 0xc - 0x10;
					_t384 = _t411;
					_t397 = _t408 - 0x74;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd"); // executed
					__eflags =  *((intOrPtr*)( *_t215 + 0xe8))(_t215, _t408 - 0x30, 4, L"Loading file - %s",  *(_t408 - 0x18));
					if(__eflags < 0) {
						L35:
						 *(_t408 - 0x24) = 0;
						 *((char*)(_t408 - 4)) = 7;
						_t217 =  *(_t408 - 0x14);
						 *((intOrPtr*)( *_t217 + 0xf0))(_t217, _t408 - 0x24);
						_t219 =  *0x6d2dfe10; // 0x6d2a33ec
						 *((intOrPtr*)(_t408 - 0x2c)) =  *((intOrPtr*)(_t219 + 0xc))() + 0x10;
						 *((char*)(_t408 - 4)) = 8;
						_t222 =  *(_t408 - 0x24);
						 *((intOrPtr*)( *_t222 + 0x2c))(_t222, _t408 - 0x44);
						_t224 =  *(_t408 - 0x24);
						 *((intOrPtr*)( *_t224 + 0x30))(_t224, _t408 - 0x40);
						 *((intOrPtr*)(_t408 - 0x3c)) = 0;
						 *((intOrPtr*)(_t408 - 0x38)) = 0;
						 *((char*)(_t408 - 4)) = 0xa;
						_t226 =  *(_t408 - 0x24);
						 *((intOrPtr*)( *_t226 + 0x24))(_t226, _t408 - 0x3c);
						_t228 =  *(_t408 - 0x24);
						_t379 = _t408 - 0x38;
						 *((intOrPtr*)( *_t228 + 0x28))(_t228, _t408 - 0x38);
						_t398 = E6D2BE8E8( *((intOrPtr*)(_t408 - 0x38)), _t397, __eflags);
						 *((char*)(_t408 - 4)) = 0xb;
						_t233 = E6D2BE8E8( *((intOrPtr*)(_t408 - 0x3c)), _t398, __eflags);
						 *((char*)(_t408 - 4)) = 0xc;
						E6D2C80BA(_t408 - 0x2c, L"\nValidation FAILED \n\nErr on line: %d @column: %d\n\nReason:\n%s \n\nSrcText:\n%s",  *((intOrPtr*)(_t408 - 0x44)));
						_t412 = _t411 + 0x18;
						E6D2C8460( *((intOrPtr*)(_t408 - 0x48)) + 0xfffffff0, _t408 - 0x38);
						 *((char*)(_t408 - 4)) = 0xa;
						E6D2C8460( *(_t408 - 0x50) + 0xfffffff0, _t408 - 0x38);
						_t355 =  *((intOrPtr*)(_t408 + 8));
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t408 + 8)))) + 4))(0,  *((intOrPtr*)(_t408 - 0x2c)),  *((intOrPtr*)(_t408 - 0x40)),  *_t233,  *_t398, _t408 - 0x48, _t408 - 0x50);
						_push(_t408 + 8);
						_t387 = L"UIInfo.xml";
						E6D2BE8E8(L"UIInfo.xml", _t398, __eflags);
						_push(_t408 + 8);
						 *((char*)(_t408 - 4)) = 0xd;
						_t247 = _t408 - 0x2c;
						goto L29;
					} else {
						__eflags =  *((short*)(_t408 - 0x30)) - 0xffff;
						if(__eflags != 0) {
							goto L35;
						}
						 *(_t408 - 0x20) = 0;
						_t301 = _t408 - 0x20;
						 *((char*)(_t408 - 4)) = 0xe;
						__imp__CoCreateInstance(0x6d2a7990, 0, 0x17, 0x6d2a79a0, _t301); // executed
						_t400 = _t301;
						__eflags = _t400;
						if(__eflags >= 0) {
							_push(_t408 - 0x1c);
							_t390 = L"SetupUi.xsd";
							E6D2BE8E8(L"SetupUi.xsd", _t400, __eflags);
							 *((char*)(_t408 - 4)) = 0x11;
							__eflags = PathIsRelativeW( *(_t408 - 0x1c));
							if(__eflags != 0) {
								 *(_t408 - 0x24) = E6D2C83FD( *((intOrPtr*)(_t408 - 0x64)) + 0xfffffff0) + 0x10;
								 *((char*)(_t408 - 4)) = 0x12;
								E6D2BF21D(_t408 - 0x24,  *(_t408 - 0x1c));
								_t401 =  *(_t408 - 0x24);
								_t390 = PathFileExistsW;
								PathFileExistsW(_t401); // executed
								_t312 = PathFileExistsW(_t401); // executed
								__eflags = _t312;
								if(_t312 != 0) {
									_t390 = _t408 - 0x1c;
									E6D2BEA8D(_t408 - 0x24, _t408 - 0x1c);
								}
								 *((char*)(_t408 - 4)) = 0x11;
								E6D2C8460(_t401 - 0x10, _t374);
							} else {
								PathFileExistsW( *(_t408 - 0x1c));
							}
							E6D2AB93E(0, _t374, _t390,  *((intOrPtr*)(_t408 + 8)), __eflags); // executed
							E6D2C7CDC(_t408 - 0x5c,  *(_t408 - 0x1c));
							 *((char*)(_t408 - 4)) = 0x13;
							_t365 =  *(_t408 - 0x20);
							_t412 = _t411 + 0xc - 0x10;
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd"); // executed
							_t405 =  *((intOrPtr*)( *_t365 + 0x1c))(_t365, L"http://schemas.microsoft.com/SetupUI/2008/01/imui", 4, L"Add to schema collection schema file - %s",  *(_t408 - 0x1c));
							 *((char*)(_t408 - 4)) = 0x11;
							__imp__#9(_t408 - 0x5c);
							__eflags = _t405;
							if(_t405 == 0) {
								L25:
								_t252 = 9;
								 *((short*)(_t408 - 0x5c)) = _t252;
								_t253 =  *(_t408 - 0x20);
								 *(_t408 - 0x54) = _t253;
								__eflags = _t253;
								if(_t253 != 0) {
									 *((intOrPtr*)( *_t253 + 4))(_t253);
								}
								 *((char*)(_t408 - 4)) = 0x14;
								_t254 =  *(_t408 - 0x14);
								_t413 = _t412 - 0x10;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								 *((intOrPtr*)( *_t254 + 0x138))(_t254);
								_t398 = __imp__#9;
								 *_t398(_t408 - 0x5c);
								 *(_t408 - 0x28) = 0;
								 *((char*)(_t408 - 4)) = 0x15;
								_t258 =  *(_t408 - 0x14);
								 *((intOrPtr*)( *_t258 + 0x13c))(_t258, _t408 - 0x28);
								_t260 =  *(_t408 - 0x28);
								_t374 = _t408 - 0x34;
								 *(_t408 - 0x34) = 0;
								 *((intOrPtr*)( *_t260 + 0x1c))(_t260, _t408 - 0x34);
								__eflags =  *(_t408 - 0x34);
								if(__eflags == 0) {
									 *((char*)(_t408 - 4)) = 0x11;
									_t262 =  *(_t408 - 0x28);
									__eflags = _t262;
									if(_t262 != 0) {
										 *((intOrPtr*)( *_t262 + 8))(_t262);
									}
									E6D2C8460( &(( *(_t408 - 0x1c))[0xfffffffffffffff8]), _t374);
									 *((char*)(_t408 - 4)) = 6;
									_t266 =  *(_t408 - 0x20);
									__eflags = _t266;
									if(_t266 != 0) {
										 *((intOrPtr*)( *_t266 + 8))(_t266);
									}
									 *_t398(_t408 - 0x74);
									L16:
									E6D2C8460( &(( *(_t408 - 0x18))[0xfffffffffffffff8]), _t374);
									L2:
									 *((char*)(_t408 - 4)) = 0;
									_t272 =  *(_t408 - 0x14);
									if(_t272 != 0) {
										 *((intOrPtr*)( *_t272 + 8))(_t272);
									}
									E6D2C8460( *((intOrPtr*)(_t408 - 0x60)) + 0xfffffff0, _t374);
									return E6D2D2709(E6D2C8460( *((intOrPtr*)(_t408 - 0x64)) + 0xfffffff0, _t374));
								} else {
									 *((intOrPtr*)(_t408 - 0x2c)) = 0;
									 *((char*)(_t408 - 4)) = 0x16;
									_t283 =  *(_t408 - 0x28);
									_t379 = _t408 - 0x2c;
									 *((intOrPtr*)( *_t283 + 0x24))(_t283, _t408 - 0x2c);
									_t285 =  *0x6d2dfe10; // 0x6d2a33ec
									 *(_t408 - 0x24) =  *((intOrPtr*)(_t285 + 0xc))() + 0x10;
									 *((char*)(_t408 - 4)) = 0x17;
									_t289 = E6D2BE8E8( *((intOrPtr*)(_t408 - 0x2c)), _t398, __eflags);
									 *((char*)(_t408 - 4)) = 0x18;
									E6D2C80BA(_t408 - 0x24, L"\nValidation FAILED \n\n\nReason:\n%s",  *_t289);
									 *((char*)(_t408 - 4)) = 0x17;
									_t412 = _t413 + 0xc;
									__eflags =  *((intOrPtr*)(_t408 - 0x3c)) + 0xfffffff0;
									E6D2C8460( *((intOrPtr*)(_t408 - 0x3c)) + 0xfffffff0, _t408 - 0x2c);
									_t355 =  *((intOrPtr*)(_t408 + 8));
									 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t408 + 8)))) + 4))(0,  *(_t408 - 0x24), _t408 - 0x3c);
									_push(_t408 + 8);
									_t387 = L"UIInfo.xml";
									E6D2BE8E8(L"UIInfo.xml", _t398, __eflags);
									_push(_t408 + 8);
									 *((char*)(_t408 - 4)) = 0x19;
									_t247 = _t408 - 0x24;
									L29:
									_push(_t247);
									_push(_t408 - 0x58);
									E6D2ACA39(0, _t355, _t379, _t387, _t398, __eflags);
									_push(0x6d2d82a0);
									_t250 = _t408 - 0x58;
									goto L24;
								}
							} else {
								 *(_t408 - 0x54) = 0x6d2a6e14;
								 *(_t408 - 0x50) = _t405;
								_push(0x6d2d82d8);
								_t250 = _t408 - 0x54;
								L24:
								_push(_t250);
								E6D2CDBDB();
								goto L25;
							}
						}
						 *(_t408 - 0x54) = 0x6d2a6e14;
						 *(_t408 - 0x50) = _t400;
						 *((char*)(_t408 - 4)) = 0xf;
						_t323 = E6D2AC98C(_t408 - 0x54, _t408 - 0x3c);
						 *((char*)(_t408 - 4)) = 0x10;
						_push( *_t323);
						_push(_t400);
						_push(L"CoCreateInstance of XMLSchemaCache60 failed with hr = 0x%x (%s)");
						_push(4);
						E6D2AB93E(0, _t374, _t384,  *((intOrPtr*)(_t408 + 8)), __eflags);
						 *((char*)(_t408 - 4)) = 0xf;
						E6D2C8460( *((intOrPtr*)(_t408 - 0x3c)) + 0xfffffff0, _t374);
						_push(L"Stopping XML schema validation of UI information and continuing");
						_push(4);
						E6D2AB93E(0, _t374, _t384,  *((intOrPtr*)(_t408 + 8)), __eflags);
						 *((char*)(_t408 - 4)) = 6;
						_t329 =  *(_t408 - 0x20);
						__eflags = _t329;
						if(_t329 != 0) {
							 *((intOrPtr*)( *_t329 + 8))(_t329);
						}
						__imp__#9(_t408 - 0x74);
						goto L16;
					}
				}
				 *(_t408 - 0x54) = 0x6d2a6e14;
				 *(_t408 - 0x50) = _t393;
				 *((char*)(_t408 - 4)) = 2;
				_t336 = E6D2AC98C(_t408 - 0x54, _t408 - 0x3c);
				 *((char*)(_t408 - 4)) = 3;
				_push( *_t336);
				_push(_t393);
				_push(L"CoCreateInstance of DOMDocument60 failed with hr = 0x%x (%s)");
				_push(4);
				E6D2AB93E(0, __edx, __edi,  *((intOrPtr*)(_t408 + 8)), _t418);
				 *((char*)(_t408 - 4)) = 2;
				E6D2C8460( *((intOrPtr*)(_t408 - 0x3c)) + 0xfffffff0, __edx);
				_push(L"Stopping XML schema validation of UI information and continuing");
				_push(4);
				E6D2AB93E(0, _t373, _t382,  *((intOrPtr*)(_t408 + 8)),  *((intOrPtr*)(_t408 - 0x3c)) + 0xfffffff0);
				goto L2;
			}

0x6d2c697a
0x6d2c697a
0x6d2c697a
0x6d2c6981
0x6d2c698a
0x6d2c6991
0x6d2c6994
0x6d2c6997
0x6d2c69a8
0x6d2c69ac
0x6d2c69b2
0x6d2c69b4
0x6d2c69b6
0x6d2c6a36
0x6d2c6a3d
0x6d2c6a43
0x6d2c6a4a
0x6d2c6a50
0x6d2c6a53
0x6d2c6a58
0x6d2c6a5e
0x6d2c6a61
0x6d2c6a64
0x6d2c6a65
0x6d2c6a6a
0x6d2c6a72
0x6d2c6a73
0x6d2c6a78
0x6d2c6a7f
0x6d2c6a85
0x6d2c6a87
0x6d2c6aa2
0x6d2c6aa5
0x6d2c6aaf
0x6d2c6ab4
0x6d2c6ab7
0x6d2c6abe
0x6d2c6ac1
0x6d2c6ac3
0x6d2c6ac5
0x6d2c6aca
0x6d2c6acd
0x6d2c6acd
0x6d2c6ad5
0x6d2c6ad9
0x6d2c6a89
0x6d2c6a8c
0x6d2c6a8c
0x6d2c6ae4
0x6d2c6ae9
0x6d2c6afa
0x6d2c6afd
0x6d2c6b02
0x6d2c6b0a
0x6d2c6b0e
0x6d2c6b11
0x6d2c6b13
0x6d2c6b16
0x6d2c6b17
0x6d2c6b18
0x6d2c6b1a
0x6d2c6b21
0x6d2c6b23
0x6d2c6df0
0x6d2c6df0
0x6d2c6df3
0x6d2c6df7
0x6d2c6e01
0x6d2c6e07
0x6d2c6e17
0x6d2c6e1a
0x6d2c6e1e
0x6d2c6e28
0x6d2c6e2b
0x6d2c6e35
0x6d2c6e38
0x6d2c6e3b
0x6d2c6e3e
0x6d2c6e42
0x6d2c6e4c
0x6d2c6e4f
0x6d2c6e54
0x6d2c6e59
0x6d2c6e68
0x6d2c6e6d
0x6d2c6e75
0x6d2c6e7a
0x6d2c6e91
0x6d2c6e99
0x6d2c6e9f
0x6d2c6ea4
0x6d2c6eae
0x6d2c6eb6
0x6d2c6ebc
0x6d2c6ec2
0x6d2c6ec3
0x6d2c6ec8
0x6d2c6ed0
0x6d2c6ed1
0x6d2c6ed5
0x00000000
0x6d2c6b29
0x6d2c6b29
0x6d2c6b2e
0x00000000
0x00000000
0x6d2c6b34
0x6d2c6b37
0x6d2c6b48
0x6d2c6b4c
0x6d2c6b52
0x6d2c6b54
0x6d2c6b56
0x6d2c6bd6
0x6d2c6bd7
0x6d2c6bdc
0x6d2c6be1
0x6d2c6bee
0x6d2c6bf0
0x6d2c6c0b
0x6d2c6c0e
0x6d2c6c18
0x6d2c6c1d
0x6d2c6c20
0x6d2c6c27
0x6d2c6c2a
0x6d2c6c2c
0x6d2c6c2e
0x6d2c6c33
0x6d2c6c36
0x6d2c6c36
0x6d2c6c3e
0x6d2c6c42
0x6d2c6bf2
0x6d2c6bf5
0x6d2c6bf5
0x6d2c6c54
0x6d2c6c62
0x6d2c6c67
0x6d2c6c6b
0x6d2c6c70
0x6d2c6c77
0x6d2c6c78
0x6d2c6c79
0x6d2c6c80
0x6d2c6c84
0x6d2c6c8a
0x6d2c6c8e
0x6d2c6c94
0x6d2c6c96
0x6d2c6cb0
0x6d2c6cb2
0x6d2c6cb3
0x6d2c6cb7
0x6d2c6cba
0x6d2c6cbd
0x6d2c6cbf
0x6d2c6cc4
0x6d2c6cc4
0x6d2c6cc7
0x6d2c6ccb
0x6d2c6cd0
0x6d2c6cd8
0x6d2c6cd9
0x6d2c6cda
0x6d2c6cdc
0x6d2c6cdd
0x6d2c6ce3
0x6d2c6ced
0x6d2c6cef
0x6d2c6cf2
0x6d2c6cf6
0x6d2c6d00
0x6d2c6d06
0x6d2c6d09
0x6d2c6d0d
0x6d2c6d13
0x6d2c6d16
0x6d2c6d19
0x6d2c6db8
0x6d2c6dbc
0x6d2c6dbf
0x6d2c6dc1
0x6d2c6dc6
0x6d2c6dc6
0x6d2c6dcf
0x6d2c6dd4
0x6d2c6dd8
0x6d2c6ddb
0x6d2c6ddd
0x6d2c6de2
0x6d2c6de2
0x6d2c6de9
0x6d2c6bc3
0x6d2c6bc9
0x6d2c6a08
0x6d2c6a08
0x6d2c6a0b
0x6d2c6a10
0x6d2c6a15
0x6d2c6a15
0x6d2c6a1e
0x6d2c6a33
0x6d2c6d1f
0x6d2c6d1f
0x6d2c6d22
0x6d2c6d26
0x6d2c6d2b
0x6d2c6d30
0x6d2c6d33
0x6d2c6d43
0x6d2c6d49
0x6d2c6d51
0x6d2c6d56
0x6d2c6d65
0x6d2c6d6a
0x6d2c6d71
0x6d2c6d74
0x6d2c6d77
0x6d2c6d7f
0x6d2c6d85
0x6d2c6d8b
0x6d2c6d8c
0x6d2c6d91
0x6d2c6d99
0x6d2c6d9a
0x6d2c6d9e
0x6d2c6da1
0x6d2c6da1
0x6d2c6da5
0x6d2c6da6
0x6d2c6dab
0x6d2c6db0
0x00000000
0x6d2c6db0
0x6d2c6c98
0x6d2c6c98
0x6d2c6c9f
0x6d2c6ca2
0x6d2c6ca7
0x6d2c6caa
0x6d2c6caa
0x6d2c6cab
0x00000000
0x6d2c6cab
0x6d2c6c96
0x6d2c6b58
0x6d2c6b5f
0x6d2c6b69
0x6d2c6b6d
0x6d2c6b72
0x6d2c6b76
0x6d2c6b78
0x6d2c6b7c
0x6d2c6b81
0x6d2c6b83
0x6d2c6b88
0x6d2c6b95
0x6d2c6b9a
0x6d2c6b9f
0x6d2c6ba1
0x6d2c6ba6
0x6d2c6baa
0x6d2c6baf
0x6d2c6bb1
0x6d2c6bb6
0x6d2c6bb6
0x6d2c6bbd
0x00000000
0x6d2c6bbd
0x6d2c6b23
0x6d2c69b8
0x6d2c69bf
0x6d2c69c9
0x6d2c69cd
0x6d2c69d2
0x6d2c69d6
0x6d2c69d8
0x6d2c69dc
0x6d2c69e1
0x6d2c69e3
0x6d2c69e8
0x6d2c69f5
0x6d2c69fa
0x6d2c69ff
0x6d2c6a01
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 6D2C6981

Part of subcall function 6D2B1E75: __EH_prolog3.LIBCMT ref: 6D2B1E7C
Part of subcall function 6D2B1E75: GetThreadLocale.KERNEL32(?,00000004,6D2B6734,LBq+m,0000004C,6D2B7142,?,00000000), ref: 6D2B1E8E

CoCreateInstance.OLE32(6D2A7980,00000000,00000017,6D2A7970,?,?,00000068,6D2C65A6,?,?,?,?,6D2C2A30,?,00000000,?), ref: 6D2C69AC
PathIsRelativeW.SHLWAPI(?,?,?,?,?,?,?,6D2C2A30,?,00000000,?,00000000,00000000,?,?,00000000), ref: 6D2C6A7F
PathFileExistsW.SHLWAPI(?,?,?,?,?,6D2C2A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008,6D2BE271), ref: 6D2C6A8C
PathFileExistsW.SHLWAPI(?,?,?,?,?,?,6D2C2A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008), ref: 6D2C6ABE
PathFileExistsW.SHLWAPI(?,?,?,?,?,6D2C2A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008,6D2BE271), ref: 6D2C6AC1
CoCreateInstance.OLE32(6D2A7990,00000000,00000017,6D2A79A0,?), ref: 6D2C6B4C

Part of subcall function 6D2AC98C: GetThreadLocale.KERNEL32 ref: 6D2AC999

Part of subcall function 6D2AB93E: __EH_prolog3.LIBCMT ref: 6D2AB945

Part of subcall function 6D2BF21D: PathAppendW.SHLWAPI(00000000,00000000,?,00000105,?,?,80070057,80070057,6D2AC3AE), ref: 6D2BF241

VariantClear.OLEAUT32(?), ref: 6D2C6BBD

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

PathIsRelativeW.SHLWAPI(?,?), ref: 6D2C6BE8
PathFileExistsW.SHLWAPI(?), ref: 6D2C6BF5
PathFileExistsW.SHLWAPI(?,?), ref: 6D2C6C27
PathFileExistsW.SHLWAPI(?), ref: 6D2C6C2A
VariantClear.OLEAUT32(?), ref: 6D2C6C8E
__CxxThrowException@8.LIBCMT ref: 6D2C6CAB
VariantClear.OLEAUT32(?), ref: 6D2C6CED
VariantClear.OLEAUT32(?), ref: 6D2C6DE9

Part of subcall function 6D2ACA39: __EH_prolog3.LIBCMT ref: 6D2ACA40

Strings

SetupUi.xsd, xrefs: 6D2C6BD7
UIInfo.xml, xrefs: 6D2C6D8C, 6D2C6EC3
Loading file - %s, xrefs: 6D2C6AF3
CoCreateInstance of DOMDocument60 failed with hr = 0x%x (%s), xrefs: 6D2C69DC
Validation FAILED Reason:%s, xrefs: 6D2C6D5F
UiInfo.xml, xrefs: 6D2C6A65
Stopping XML schema validation of UI information and continuing, xrefs: 6D2C69FA, 6D2C6B9A
Validation FAILED Err on line: %d @column: %dReason:%s SrcText:%s, xrefs: 6D2C6E8B
Add to schema collection schema file - %s, xrefs: 6D2C6C4D
http://schemas.microsoft.com/SetupUI/2008/01/imui, xrefs: 6D2C6C7A
CoCreateInstance of XMLSchemaCache60 failed with hr = 0x%x (%s), xrefs: 6D2C6B7C

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Path$ExistsFile$H_prolog3$ClearVariant$CreateInstanceLocaleRelativeThread$AppendException@8Throw
String ID: Validation FAILED Reason:%s$Validation FAILED Err on line: %d @column: %dReason:%s SrcText:%s$Add to schema collection schema file - %s$CoCreateInstance of DOMDocument60 failed with hr = 0x%x (%s)$CoCreateInstance of XMLSchemaCache60 failed with hr = 0x%x (%s)$Loading file - %s$SetupUi.xsd$Stopping XML schema validation of UI information and continuing$UIInfo.xml$UiInfo.xml$http://schemas.microsoft.com/SetupUI/2008/01/imui
API String ID: 3881019808-2332759018
Opcode ID: 31e69075295201f99df3001e54f94098ed22641e7f9128dc0da0587fe5dbaddc
Instruction ID: 234528cf972a5a8a1b1a5830c560f5a3413ef843227e0a70ebcdb1b3c32477e7
Opcode Fuzzy Hash: 31e69075295201f99df3001e54f94098ed22641e7f9128dc0da0587fe5dbaddc
Instruction Fuzzy Hash: AA023871C4414DEFDF00DBE8C988AEEBBB5AF09319F1881A8E510BB251D7359E05DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B2B11 Relevance: 38.9, APIs: 11, Strings: 11, Instructions: 447
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E6D2B2B11(void* __ebx, WCHAR* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t227;
				intOrPtr* _t228;
				intOrPtr* _t233;
				void* _t242;
				intOrPtr* _t243;
				short* _t248;
				void* _t266;
				WCHAR* _t268;
				void* _t278;
				short* _t280;
				void* _t285;
				signed int _t307;
				signed int _t308;
				signed int _t311;
				signed int _t312;
				int _t321;
				int _t322;
				signed int _t325;
				long _t334;
				intOrPtr* _t345;
				intOrPtr* _t352;
				intOrPtr* _t364;
				void* _t372;
				signed int _t382;
				intOrPtr* _t387;
				WCHAR* _t412;
				WCHAR** _t418;
				intOrPtr* _t435;
				void* _t443;
				intOrPtr* _t445;
				void* _t447;
				void* _t448;
				short* _t452;

				_t448 = __eflags;
				_t425 = __edx;
				_push(0x88);
				E6D2D265B(0x6d2d6a61, __ebx, __edi, __esi);
				 *(_t447 - 0x40) =  *(_t447 - 0x40) & 0x00000000;
				_push(_t447 - 0x20);
				E6D2BE8E8(L"WizardImages", __esi, _t448);
				 *(_t447 - 4) =  *(_t447 - 4) & 0x00000000;
				E6D2AD65F( *(_t447 + 0xc), __ebx, _t447 - 0x68, _t447 - 0x20);
				 *(_t447 - 4) = 2;
				E6D2C8460( *(_t447 - 0x20) + 0xfffffff0, __edx);
				_push(_t447 - 0x14);
				E6D2BE8E8(L"HeaderImage", __esi, _t448);
				 *(_t447 - 4) = 3;
				_t227 = E6D2AD65F(_t447 - 0x68, __ebx, _t447 - 0x5c, _t447 - 0x14);
				_t409 = _t447 - 0x24;
				_t438 = _t227;
				 *(_t447 - 4) = 4;
				_t228 = E6D2AD76F(_t447 - 0x24, L"HeaderImage", _t227, _t448);
				 *(_t447 - 4) = 5;
				_push(_t447 - 0x18);
				E6D2BE8E8( *_t228, _t227, _t448);
				E6D2C8460( *((intOrPtr*)(_t447 - 0x24)) + 0xfffffff0, _t425);
				 *(_t447 - 4) = 8;
				_t233 =  *((intOrPtr*)(_t447 - 0x5c));
				_t449 = _t233;
				if(_t233 != 0) {
					 *((intOrPtr*)( *_t233 + 8))(_t233);
				}
				 *(_t447 - 4) = 9;
				E6D2C8460( *((intOrPtr*)(_t447 - 0x14)) + 0xfffffff0, _t425);
				_push(_t447 - 0x48);
				E6D2BE8E8(L"Watermark", _t438, _t449);
				 *(_t447 - 4) = 0xa;
				_t242 = E6D2AD65F(_t447 - 0x68, _t409, _t447 - 0x94, _t447 - 0x48);
				_t410 = _t447 - 0x40;
				_t439 = _t242;
				 *(_t447 - 4) = 0xb;
				_t243 = E6D2AD76F(_t447 - 0x40, L"Watermark", _t242, _t449);
				_t414 = _t447 - 0x1c;
				 *(_t447 - 4) = 0xc;
				_push(_t447 - 0x1c);
				E6D2BE8E8( *_t243, _t242, _t449);
				E6D2C8460( *(_t447 - 0x40) + 0xfffffff0, _t425);
				 *(_t447 - 4) = 0xf;
				_t248 =  *(_t447 - 0x94);
				_t450 = _t248;
				if(_t248 != 0) {
					_t414 =  *_t248;
					 *((intOrPtr*)( *_t248 + 8))(_t248);
				}
				 *(_t447 - 4) = 0x10;
				E6D2C8460( *((intOrPtr*)(_t447 - 0x48)) + 0xfffffff0, _t425);
				_push(_t447 - 0x14);
				E6D2BE8E8(L"Caption", _t439, _t450);
				 *(_t447 - 4) = 0x11;
				E6D2AD65F( *(_t447 + 0xc), _t410, _t447 - 0x5c, _t447 - 0x14);
				 *(_t447 - 4) = 0x13;
				E6D2C8460( *((intOrPtr*)(_t447 - 0x14)) + 0xfffffff0, _t425);
				_push(_t447 + 0xc);
				E6D2BE8E8(L"Default", _t439, _t450);
				 *(_t447 - 4) = 0x14;
				_t266 = E6D2AD6C4(_t447 - 0x5c, _t410, _t414, _t447 - 0x3c, _t447 + 0xc);
				_t411 = _t447 - 0x50;
				 *(_t447 - 4) = 0x15;
				E6D2AD76F(_t447 - 0x50, L"Default", _t266, _t450);
				 *(_t447 - 4) = 0x17;
				_t268 =  *(_t447 - 0x3c);
				_t441 = 0;
				if(_t268 != 0) {
					_t414 =  *_t268;
					 *((intOrPtr*)( *_t268 + 8))(_t268);
				}
				_t452 =  &(( *(_t447 + 0xc))[0xfffffffffffffff8]);
				E6D2C8460( &(( *(_t447 + 0xc))[0xfffffffffffffff8]), _t425);
				 *(_t447 - 0x3c) = _t441;
				 *(_t447 - 0x38) = _t441;
				 *(_t447 - 0x34) = _t441;
				 *(_t447 - 4) = 0x19;
				 *(_t447 - 0x7c) = L"Install";
				 *(_t447 - 0x78) = L"Repair";
				 *(_t447 - 0x74) = L"Uninstall";
				 *(_t447 - 0x70) = L"CreateLayout";
				 *(_t447 - 0x6c) = L"UninstallPatch";
				 *(_t447 + 0xc) = _t441;
				do {
					_t434 =  *((intOrPtr*)(_t447 +  *(_t447 + 0xc) * 4 - 0x7c));
					_push(_t447 - 0x14);
					E6D2BE8E8( *((intOrPtr*)(_t447 +  *(_t447 + 0xc) * 4 - 0x7c)), _t441, _t452);
					 *(_t447 - 4) = 0x1a;
					_t278 = E6D2AD6C4(_t447 - 0x5c, _t411, _t414, _t447 - 0x88, _t447 - 0x14);
					_t411 = _t447 - 0x20;
					 *(_t447 - 4) = 0x1b;
					E6D2AD76F(_t447 - 0x20,  *((intOrPtr*)(_t447 +  *(_t447 + 0xc) * 4 - 0x7c)), _t278, _t452);
					 *(_t447 - 4) = 0x1d;
					_t280 =  *(_t447 - 0x88);
					if(_t280 != 0) {
						_t414 =  *_t280;
						 *((intOrPtr*)( *_t280 + 8))(_t280);
					}
					 *(_t447 - 4) = 0x1e;
					E6D2C8460( *((intOrPtr*)(_t447 - 0x14)) + 0xfffffff0, _t425);
					_t285 = E6D2C8199( *(_t447 - 0x20));
					_t443 = _t447 - 0x20;
					_t454 = _t285;
					if(_t285 <= 0) {
						_t443 = _t447 - 0x50;
					}
					_push(_t447 - 0x24);
					E6D2BE8E8(_t434, _t443, _t454);
					_push(_t443);
					_push(_t447 - 0x24);
					_t441 = _t447 - 0x3c;
					 *(_t447 - 4) = 0x1f;
					E6D2BF5FD(_t411, _t414, _t434, _t447 - 0x3c, _t454); // executed
					E6D2C8460( *((intOrPtr*)(_t447 - 0x24)) + 0xfffffff0, _t425);
					 *(_t447 - 4) = 0x19;
					E6D2C8460( *(_t447 - 0x20) + 0xfffffff0, _t425);
					 *(_t447 + 0xc) =  &(( *(_t447 + 0xc))[0]);
					_t455 =  *(_t447 + 0xc) - 5;
				} while ( *(_t447 + 0xc) < 5);
				_push(_t447 - 0x30);
				E6D2B1E75(_t411, _t414, _t425, _t434, _t441, _t455);
				 *(_t447 - 4) = 0x20;
				if(PathIsRelativeW( *(_t447 - 0x18)) != 0) {
					 *(_t447 + 0xc) = E6D2C83FD( *((intOrPtr*)(_t447 - 0x30)) + 0xfffffff0) + 0x10;
					 *(_t447 - 4) = 0x21;
					E6D2BF21D(_t447 + 0xc,  *((intOrPtr*)(_t447 - 0x2c)));
					E6D2BF21D(_t447 + 0xc,  *(_t447 - 0x18));
					_t411 =  *(_t447 + 0xc);
					_t444 = PathFileExistsW;
					_t307 = PathFileExistsW(_t411); // executed
					__eflags = _t307;
					if(_t307 == 0) {
						_t434 = _t447 + 0xc;
						E6D2BEA8D(_t447 - 0x30, _t447 + 0xc);
						E6D2BF21D(_t447 + 0xc,  *(_t447 - 0x18));
						_t411 =  *(_t447 + 0xc);
					}
					_t308 = PathFileExistsW(_t411); // executed
					__eflags = _t308;
					if(_t308 == 0) {
						_t124 = _t411 - 0x10; // -11
						 *(_t447 - 4) = 0x20;
						E6D2C8460(_t124, _t425);
						_t311 = 0;
						__eflags = 0;
						goto L21;
					} else {
						_t434 = _t447 - 0x18;
						E6D2BEA8D(_t447 + 0xc, _t447 - 0x18);
						_t118 = _t411 - 0x10; // -11
						 *(_t447 - 4) = 0x20;
						E6D2C8460(_t118, _t425);
						goto L18;
					}
				} else {
					_t444 = PathFileExistsW;
					_t311 = PathFileExistsW( *(_t447 - 0x18)) & 0xffffff00 | _t403 != 0x00000000;
					L21:
					_t458 = _t311;
					if(_t311 != 0) {
						L18:
						_t312 = PathIsRelativeW( *(_t447 - 0x1c));
						__eflags = _t312;
						if(_t312 != 0) {
							goto L24;
						} else {
							_t382 = PathFileExistsW( *(_t447 - 0x1c));
							__eflags = _t382;
							_t325 = _t382 & 0xffffff00 | _t382 != 0x00000000;
							goto L31;
						}
					} else {
						E6D2AC9BB(_t411, _t414, _t434, _t444, _t458);
						_t444 = 0x6d2a6e38;
						 *((intOrPtr*)(_t447 - 0x44)) = 0x6d2a6e38;
						 *(_t447 - 4) = 0x22;
						_t387 = E6D2ACB96(_t411, _t447 - 0x44, _t425, _t434, 0x6d2a6e38, _t458);
						 *(_t447 - 4) = 0x23;
						_t425 =  *( *(_t447 + 0x10));
						( *( *(_t447 + 0x10)))[2](0,  *_t387, _t447 + 0xc, _t447 - 0x44, _t447 - 0x18);
						 *(_t447 - 4) = 0x22;
						E6D2C8460( &(( *(_t447 + 0xc))[0xfffffffffffffff8]),  *( *(_t447 + 0x10)));
						_push(_t447 - 0x44);
						_t414 = _t447 - 0x28;
						E6D2AD1B4(_t411, _t447 - 0x28, _t434, 0x6d2a6e38,  &(( *(_t447 + 0xc))[0xfffffffffffffff8]));
						 *(_t447 - 0x28) = 0x6d2a6e38;
						_push(0x6d2d8364);
						_t372 = _t447 - 0x28;
						L23:
						_push(_t372);
						E6D2CDBDB();
						L24:
						 *(_t447 + 0xc) = E6D2C83FD( *((intOrPtr*)(_t447 - 0x30)) + 0xfffffff0) + 0x10;
						 *(_t447 - 4) = 0x24;
						E6D2BF21D(_t447 + 0xc,  *((intOrPtr*)(_t447 - 0x2c)));
						E6D2BF21D(_t447 + 0xc,  *(_t447 - 0x1c));
						_t411 =  *(_t447 + 0xc);
						_t321 = PathFileExistsW(_t411); // executed
						if(_t321 == 0) {
							_t434 = _t447 + 0xc;
							E6D2BEA8D(_t447 - 0x30, _t447 + 0xc);
							E6D2BF21D(_t447 + 0xc,  *(_t447 - 0x1c));
							_t411 =  *(_t447 + 0xc);
						}
						_t322 = PathFileExistsW(_t411); // executed
						if(_t322 == 0) {
							_t172 = _t411 - 0x10; // -11
							 *(_t447 - 4) = 0x20;
							E6D2C8460(_t172, _t425);
							_t325 = 0;
							__eflags = 0;
							L31:
							__eflags = _t325;
							if(__eflags == 0) {
								E6D2AC9BB(_t411, _t414, _t434, _t444, __eflags);
								_t444 = 0x6d2a6e38;
								 *(_t447 - 0x28) = 0x6d2a6e38;
								 *(_t447 - 4) = 0x25;
								_t364 = E6D2ACB96(_t411, _t447 - 0x28, _t425, _t434, 0x6d2a6e38, __eflags);
								 *(_t447 - 4) = 0x26;
								_t425 =  *( *(_t447 + 0x10));
								( *( *(_t447 + 0x10)))[2](0,  *_t364, _t447 + 0xc, _t447 - 0x28, _t447 - 0x1c);
								 *(_t447 - 4) = 0x25;
								E6D2C8460( &(( *(_t447 + 0xc))[0xfffffffffffffff8]),  *( *(_t447 + 0x10)));
								_push(_t447 - 0x28);
								_t414 = _t447 - 0x4c;
								E6D2AD1B4(_t411, _t447 - 0x4c, _t434, 0x6d2a6e38, __eflags);
								 *(_t447 - 0x4c) = 0x6d2a6e38;
								_push(0x6d2d8364);
								_t372 = _t447 - 0x4c;
								goto L23;
							}
						} else {
							E6D2BEA8D(_t447 + 0xc, _t447 - 0x1c);
							_t155 = _t411 - 0x10; // -11
							E6D2C8460(_t155, _t425);
						}
					}
				}
				 *(_t447 - 4) = 0x27;
				_t435 =  *((intOrPtr*)(_t447 + 8));
				 *_t435 = 0x6d2a731c;
				 *((intOrPtr*)(_t435 + 4)) = E6D2C83FD( &(( *(_t447 - 0x1c))[0xfffffffffffffff8])) + 0x10;
				 *(_t447 - 4) = 0x28;
				 *((intOrPtr*)(_t435 + 8)) = E6D2C83FD( &(( *(_t447 - 0x18))[0xfffffffffffffff8])) + 0x10;
				_t445 = _t435 + 0xc;
				_t334 = 0;
				 *_t445 = 0;
				 *((intOrPtr*)(_t445 + 4)) = 0;
				 *((intOrPtr*)(_t445 + 8)) = 0;
				 *(_t447 - 4) = 0x2a;
				 *(_t447 + 0xc) = 0;
				if( *(_t447 - 0x34) <= 0) {
					L37:
					E6D2C8460( *((intOrPtr*)(_t447 - 0x2c)) + 0xfffffff0, _t425);
					E6D2C8460( *((intOrPtr*)(_t447 - 0x30)) + 0xfffffff0, _t425);
					E6D2BF5A3(_t447 - 0x3c);
					E6D2C8460( *(_t447 - 0x50) + 0xfffffff0, _t425);
					 *(_t447 - 4) = 0x10;
					_t345 =  *((intOrPtr*)(_t447 - 0x5c));
					if(_t345 != 0) {
						 *((intOrPtr*)( *_t345 + 8))(_t345);
					}
					E6D2C8460( &(( *(_t447 - 0x1c))[0xfffffffffffffff8]), _t425);
					E6D2C8460( &(( *(_t447 - 0x18))[0xfffffffffffffff8]), _t425);
					 *(_t447 - 4) =  *(_t447 - 4) | 0xffffffff;
					_t352 =  *((intOrPtr*)(_t447 - 0x68));
					if(_t352 != 0) {
						 *((intOrPtr*)( *_t352 + 8))(_t352);
					}
					return E6D2D2709(_t435);
				} else {
					_t412 =  *(_t447 - 0x3c);
					_t418 =  *(_t447 - 0x38) - _t412;
					 *(_t447 + 0x10) = _t418;
					while( *(_t447 + 0xc) >= _t334) {
						_t425 =  *(_t447 + 0xc);
						_t464 =  *(_t447 + 0xc) -  *(_t447 - 0x34);
						if( *(_t447 + 0xc) >=  *(_t447 - 0x34)) {
							break;
						} else {
							_push(_t418 + _t412);
							_push(_t412);
							E6D2BF5FD(_t412, _t418 + _t412, _t435, _t445, _t464);
							 *(_t447 + 0xc) =  &(( *(_t447 + 0xc))[0]);
							_t412 =  &(_t412[2]);
							if( *(_t447 + 0xc) <  *(_t447 - 0x34)) {
								_t418 =  *(_t447 + 0x10);
								_t334 = 0;
								__eflags = 0;
								continue;
							} else {
								goto L37;
							}
						}
						goto L43;
					}
					RaiseException(0xc000008c, 1, _t334, _t334);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					return  &(_t418[1]);
				}
				L43:
			}

0x6d2b2b11
0x6d2b2b11
0x6d2b2b11
0x6d2b2b1b
0x6d2b2b20
0x6d2b2b27
0x6d2b2b2d
0x6d2b2b32
0x6d2b2b41
0x6d2b2b46
0x6d2b2b50
0x6d2b2b58
0x6d2b2b5e
0x6d2b2b6e
0x6d2b2b72
0x6d2b2b77
0x6d2b2b7a
0x6d2b2b7c
0x6d2b2b80
0x6d2b2b88
0x6d2b2b8e
0x6d2b2b8f
0x6d2b2b9a
0x6d2b2b9f
0x6d2b2ba3
0x6d2b2ba6
0x6d2b2ba8
0x6d2b2bad
0x6d2b2bad
0x6d2b2bb0
0x6d2b2bba
0x6d2b2bc2
0x6d2b2bc8
0x6d2b2bdb
0x6d2b2bdf
0x6d2b2be4
0x6d2b2be7
0x6d2b2be9
0x6d2b2bed
0x6d2b2bf2
0x6d2b2bf5
0x6d2b2bfb
0x6d2b2bfc
0x6d2b2c07
0x6d2b2c0c
0x6d2b2c10
0x6d2b2c16
0x6d2b2c18
0x6d2b2c1a
0x6d2b2c1d
0x6d2b2c1d
0x6d2b2c20
0x6d2b2c2a
0x6d2b2c32
0x6d2b2c38
0x6d2b2c44
0x6d2b2c4c
0x6d2b2c51
0x6d2b2c5b
0x6d2b2c63
0x6d2b2c69
0x6d2b2c79
0x6d2b2c7d
0x6d2b2c82
0x6d2b2c87
0x6d2b2c8b
0x6d2b2c90
0x6d2b2c94
0x6d2b2c97
0x6d2b2c9b
0x6d2b2c9d
0x6d2b2ca0
0x6d2b2ca0
0x6d2b2ca6
0x6d2b2ca9
0x6d2b2cae
0x6d2b2cb1
0x6d2b2cb4
0x6d2b2cb7
0x6d2b2cbb
0x6d2b2cc2
0x6d2b2cc9
0x6d2b2cd0
0x6d2b2cd7
0x6d2b2cde
0x6d2b2ce1
0x6d2b2ce4
0x6d2b2ceb
0x6d2b2cec
0x6d2b2cff
0x6d2b2d03
0x6d2b2d08
0x6d2b2d0d
0x6d2b2d11
0x6d2b2d16
0x6d2b2d1a
0x6d2b2d22
0x6d2b2d24
0x6d2b2d27
0x6d2b2d27
0x6d2b2d2a
0x6d2b2d34
0x6d2b2d3c
0x6d2b2d41
0x6d2b2d44
0x6d2b2d46
0x6d2b2d48
0x6d2b2d48
0x6d2b2d4e
0x6d2b2d4f
0x6d2b2d54
0x6d2b2d58
0x6d2b2d59
0x6d2b2d5c
0x6d2b2d60
0x6d2b2d6b
0x6d2b2d70
0x6d2b2d7a
0x6d2b2d7f
0x6d2b2d82
0x6d2b2d82
0x6d2b2d8f
0x6d2b2d90
0x6d2b2d95
0x6d2b2da4
0x6d2b2dc9
0x6d2b2dcc
0x6d2b2dd6
0x6d2b2de1
0x6d2b2de6
0x6d2b2de9
0x6d2b2df0
0x6d2b2df2
0x6d2b2df4
0x6d2b2df9
0x6d2b2dfc
0x6d2b2e06
0x6d2b2e0b
0x6d2b2e0b
0x6d2b2e0f
0x6d2b2e11
0x6d2b2e13
0x6d2b2e4c
0x6d2b2e4f
0x6d2b2e53
0x6d2b2e58
0x6d2b2e58
0x00000000
0x6d2b2e15
0x6d2b2e18
0x6d2b2e1b
0x6d2b2e20
0x6d2b2e23
0x6d2b2e27
0x00000000
0x6d2b2e27
0x6d2b2da6
0x6d2b2da9
0x6d2b2db3
0x6d2b2e5a
0x6d2b2e5a
0x6d2b2e5c
0x6d2b2e2c
0x6d2b2e2f
0x6d2b2e35
0x6d2b2e37
0x00000000
0x6d2b2e3d
0x6d2b2e40
0x6d2b2e42
0x6d2b2e44
0x00000000
0x6d2b2e44
0x6d2b2e5e
0x6d2b2e66
0x6d2b2e6b
0x6d2b2e70
0x6d2b2e7a
0x6d2b2e7e
0x6d2b2e86
0x6d2b2e8c
0x6d2b2e91
0x6d2b2e94
0x6d2b2e9e
0x6d2b2ea6
0x6d2b2ea7
0x6d2b2eaa
0x6d2b2eaf
0x6d2b2eb2
0x6d2b2eb7
0x6d2b2eba
0x6d2b2eba
0x6d2b2ebb
0x6d2b2ec0
0x6d2b2ece
0x6d2b2ed1
0x6d2b2edb
0x6d2b2ee6
0x6d2b2eeb
0x6d2b2eef
0x6d2b2ef3
0x6d2b2ef8
0x6d2b2efb
0x6d2b2f05
0x6d2b2f0a
0x6d2b2f0a
0x6d2b2f0e
0x6d2b2f12
0x6d2b2f84
0x6d2b2f87
0x6d2b2f8b
0x6d2b2f90
0x6d2b2f90
0x6d2b2f92
0x6d2b2f92
0x6d2b2f94
0x6d2b2f9e
0x6d2b2fa3
0x6d2b2fa8
0x6d2b2fb2
0x6d2b2fb6
0x6d2b2fbe
0x6d2b2fc4
0x6d2b2fc9
0x6d2b2fcc
0x6d2b2fd6
0x6d2b2fde
0x6d2b2fdf
0x6d2b2fe2
0x6d2b2fe7
0x6d2b2fea
0x6d2b2fef
0x00000000
0x6d2b2fef
0x6d2b2f14
0x6d2b2f1a
0x6d2b2f1f
0x6d2b2f22
0x6d2b2f22
0x6d2b2f12
0x6d2b2e5c
0x6d2b2f27
0x6d2b2f2e
0x6d2b2f34
0x6d2b2f42
0x6d2b2f45
0x6d2b2f57
0x6d2b2f5a
0x6d2b2f5d
0x6d2b2f5f
0x6d2b2f61
0x6d2b2f64
0x6d2b2f67
0x6d2b2f6b
0x6d2b2f71
0x6d2b3028
0x6d2b302e
0x6d2b3039
0x6d2b3041
0x6d2b304c
0x6d2b3051
0x6d2b3055
0x6d2b305a
0x6d2b305f
0x6d2b305f
0x6d2b3068
0x6d2b3073
0x6d2b3078
0x6d2b307c
0x6d2b3081
0x6d2b3086
0x6d2b3086
0x6d2b3090
0x6d2b2f77
0x6d2b2f77
0x6d2b2f7d
0x6d2b2f7f
0x6d2b2ffc
0x6d2b3005
0x6d2b3008
0x6d2b300b
0x00000000
0x6d2b3011
0x6d2b3013
0x6d2b3014
0x6d2b3015
0x6d2b301a
0x6d2b3020
0x6d2b3026
0x6d2b2ff7
0x6d2b2ffa
0x6d2b2ffa
0x00000000
0x00000000
0x00000000
0x00000000
0x6d2b3026
0x00000000
0x6d2b300b
0x6d2b309c
0x6d2b30a2
0x6d2b30a3
0x6d2b30a4
0x6d2b30a5
0x6d2b30a6
0x6d2b30a7
0x6d2b30ab
0x6d2b30ab
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 6D2B2B1B

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

Part of subcall function 6D2AD76F: __EH_prolog3.LIBCMT ref: 6D2AD776

Part of subcall function 6D2AD76F: SysFreeString.OLEAUT32(00000000), ref: 6D2AD7CA

PathIsRelativeW.SHLWAPI(?,00000001,?,000000FF,?,?,?,?,00000001,?,?,?,000000FF,00000088,6D2C6F88,?), ref: 6D2B2D9C
PathFileExistsW.SHLWAPI(?,?,?,?,6D2C2A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008,6D2BE271,00000000), ref: 6D2B2DAF
PathFileExistsW.SHLWAPI(00000005,?,?,?,?,?,6D2C2A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008), ref: 6D2B2DF0
PathFileExistsW.SHLWAPI(00000005,?,?,?,6D2C2A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008,6D2BE271,00000000), ref: 6D2B2E0F
PathIsRelativeW.SHLWAPI(00000001,?,?,?,6D2C2A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008,6D2BE271,00000000), ref: 6D2B2E2F
PathFileExistsW.SHLWAPI(00000001,?,?,?,6D2C2A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008,6D2BE271,00000000), ref: 6D2B2E40
__CxxThrowException@8.LIBCMT ref: 6D2B2EBB
PathFileExistsW.SHLWAPI(00000005,00000001,?,?,?,?,6D2C2A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008), ref: 6D2B2EEF

Part of subcall function 6D2BF21D: PathAppendW.SHLWAPI(00000000,00000000,?,00000105,?,?,80070057,80070057,6D2AC3AE), ref: 6D2BF241

PathFileExistsW.SHLWAPI(00000005,?,?,?,6D2C2A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008,6D2BE271,00000000), ref: 6D2B2F0E

Part of subcall function 6D2C83FD: _memcpy_s.LIBCMT ref: 6D2C844E

RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,?,?,?,6D2C2A30,?,00000000,?,00000000,00000000,?,?,00000000), ref: 6D2B309C

Strings

WizardImages, xrefs: 6D2B2B28
Default, xrefs: 6D2B2C64
%, xrefs: 6D2B2FCC
Caption, xrefs: 6D2B2C33
CreateLayout, xrefs: 6D2B2CD0
Install, xrefs: 6D2B2CBB
Watermark, xrefs: 6D2B2BC3
Repair, xrefs: 6D2B2CC2
Uninstall, xrefs: 6D2B2CC9
HeaderImage, xrefs: 6D2B2B59
UninstallPatch, xrefs: 6D2B2CD7

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Path$ExistsFile$H_prolog3$Relative$AppendExceptionException@8FreeRaiseStringThrow_memcpy_s
String ID: %$Caption$CreateLayout$Default$HeaderImage$Install$Repair$Uninstall$UninstallPatch$Watermark$WizardImages
API String ID: 2164894574-1575104729
Opcode ID: 881cbbc2eba645932b7530a5b3308f565781a2f18256f7544ca9ef4572480e9e
Instruction ID: f4c3f794854febb0531f41135543fbfb8f43ff62df6af9feae56a3677a63a999
Opcode Fuzzy Hash: 881cbbc2eba645932b7530a5b3308f565781a2f18256f7544ca9ef4572480e9e
Instruction Fuzzy Hash: F9125E7184424DEFDF10DFE8C944ADEBBB8AF09318F1582A5E524EB281D774EA05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6D2ABE03 Relevance: 31.7, APIs: 1, Strings: 17, Instructions: 220
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E6D2ABE03(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t216;
				void* _t236;
				intOrPtr* _t258;
				void* _t259;
				void* _t260;

				_t260 = __eflags;
				_t236 = __edx;
				_push(4);
				E6D2D265B(0x6d2d5b96, __ebx, __edi, __esi);
				_t216 =  *((intOrPtr*)(_t259 + 8));
				 *_t216 = 0x6d2a6de8;
				_push(_t216 + 8);
				 *((intOrPtr*)(_t216 + 4)) = 0x6d2a6de0;
				E6D2BE8E8(__ecx, __esi, _t260);
				_t258 = _t216 + 0xc;
				 *((intOrPtr*)(_t259 - 4)) = 0;
				 *_t258 = 0;
				 *((intOrPtr*)(_t258 + 4)) = 0;
				 *((intOrPtr*)(_t258 + 8)) = 0;
				 *((char*)(_t259 - 4)) = 1;
				_t261 =  *((intOrPtr*)(_t216 + 0x10));
				if( *((intOrPtr*)(_t216 + 0x10)) == 0) {
					_push(_t259 - 0x10);
					E6D2BE8E8(L"CEIPconsent", _t258, _t261);
					 *((char*)(_t259 - 4)) = 2;
					E6D2BF35E(_t259 - 0x10, _t258);
					 *((char*)(_t259 - 4)) = 1;
					E6D2C8460( *((intOrPtr*)(_t259 - 0x10)) + 0xfffffff0, _t236);
					_push(_t259 - 0x10);
					E6D2BE8E8(L"chainingpackage", _t258, _t261);
					 *((char*)(_t259 - 4)) = 3;
					E6D2BF35E(_t259 - 0x10, _t258);
					 *((char*)(_t259 - 4)) = 1;
					E6D2C8460( *((intOrPtr*)(_t259 - 0x10)) + 0xfffffff0, _t236);
					_push(_t259 - 0x10);
					E6D2BE8E8(L"createlayout", _t258, _t261);
					 *((char*)(_t259 - 4)) = 4;
					E6D2BF35E(_t259 - 0x10, _t258);
					 *((char*)(_t259 - 4)) = 1;
					E6D2C8460( *((intOrPtr*)(_t259 - 0x10)) + 0xfffffff0, _t236);
					_push(_t259 - 0x10);
					E6D2BE8E8(L"lcid", _t258, _t261);
					 *((char*)(_t259 - 4)) = 5;
					E6D2BF35E(_t259 - 0x10, _t258);
					 *((char*)(_t259 - 4)) = 1;
					E6D2C8460( *((intOrPtr*)(_t259 - 0x10)) + 0xfffffff0, _t236);
					_push(_t259 - 0x10);
					E6D2BE8E8(L"log", _t258, _t261);
					 *((char*)(_t259 - 4)) = 6;
					E6D2BF35E(_t259 - 0x10, _t258);
					 *((char*)(_t259 - 4)) = 1;
					E6D2C8460( *((intOrPtr*)(_t259 - 0x10)) + 0xfffffff0, _t236);
					_push(_t259 - 0x10);
					E6D2BE8E8(L"msioptions", _t258, _t261);
					 *((char*)(_t259 - 4)) = 7;
					E6D2BF35E(_t259 - 0x10, _t258);
					 *((char*)(_t259 - 4)) = 1;
					E6D2C8460( *((intOrPtr*)(_t259 - 0x10)) + 0xfffffff0, _t236);
					_push(_t259 - 0x10);
					E6D2BE8E8(L"norestart", _t258, _t261);
					 *((char*)(_t259 - 4)) = 8;
					E6D2BF35E(_t259 - 0x10, _t258);
					 *((char*)(_t259 - 4)) = 1;
					E6D2C8460( *((intOrPtr*)(_t259 - 0x10)) + 0xfffffff0, _t236);
					_push(_t259 - 0x10);
					E6D2BE8E8(L"passive", _t258, _t261);
					 *((char*)(_t259 - 4)) = 9;
					E6D2BF35E(_t259 - 0x10, _t258);
					 *((char*)(_t259 - 4)) = 1;
					E6D2C8460( *((intOrPtr*)(_t259 - 0x10)) + 0xfffffff0, _t236);
					_push(_t259 - 0x10);
					E6D2BE8E8(L"showfinalerror", _t258, _t261);
					 *((char*)(_t259 - 4)) = 0xa;
					E6D2BF35E(_t259 - 0x10, _t258);
					 *((char*)(_t259 - 4)) = 1;
					E6D2C8460( *((intOrPtr*)(_t259 - 0x10)) + 0xfffffff0, _t236);
					_push(_t259 - 0x10);
					E6D2BE8E8(L"pipe", _t258, _t261);
					 *((char*)(_t259 - 4)) = 0xb;
					E6D2BF35E(_t259 - 0x10, _t258);
					 *((char*)(_t259 - 4)) = 1;
					E6D2C8460( *((intOrPtr*)(_t259 - 0x10)) + 0xfffffff0, _t236);
					_push(_t259 - 0x10);
					E6D2BE8E8(L"promptrestart", _t258, _t261);
					 *((char*)(_t259 - 4)) = 0xc;
					E6D2BF35E(_t259 - 0x10, _t258);
					 *((char*)(_t259 - 4)) = 1;
					E6D2C8460( *((intOrPtr*)(_t259 - 0x10)) + 0xfffffff0, _t236);
					_push(_t259 - 0x10);
					E6D2BE8E8("q", _t258, _t261);
					 *((char*)(_t259 - 4)) = 0xd;
					E6D2BF35E(_t259 - 0x10, _t258);
					 *((char*)(_t259 - 4)) = 1;
					E6D2C8460( *((intOrPtr*)(_t259 - 0x10)) + 0xfffffff0, _t236);
					_push(_t259 - 0x10);
					E6D2BE8E8(L"repair", _t258, _t261);
					 *((char*)(_t259 - 4)) = 0xe;
					E6D2BF35E(_t259 - 0x10, _t258);
					 *((char*)(_t259 - 4)) = 1;
					E6D2C8460( *((intOrPtr*)(_t259 - 0x10)) + 0xfffffff0, _t236);
					_push(_t259 - 0x10);
					E6D2BE8E8(L"serialdownload", _t258, _t261);
					 *((char*)(_t259 - 4)) = 0xf;
					E6D2BF35E(_t259 - 0x10, _t258);
					 *((char*)(_t259 - 4)) = 1;
					E6D2C8460( *((intOrPtr*)(_t259 - 0x10)) + 0xfffffff0, _t236);
					_push(_t259 - 0x10);
					E6D2BE8E8(L"uninstall", _t258, _t261);
					 *((char*)(_t259 - 4)) = 0x10;
					E6D2BF35E(_t259 - 0x10, _t258);
					 *((char*)(_t259 - 4)) = 1;
					E6D2C8460( *((intOrPtr*)(_t259 - 0x10)) + 0xfffffff0, _t236);
					_push(_t259 - 0x10);
					E6D2BE8E8(L"parameterfolder", _t258, _t261);
					 *((char*)(_t259 - 4)) = 0x11;
					E6D2BF35E(_t259 - 0x10, _t258);
					 *((char*)(_t259 - 4)) = 1;
					E6D2C8460( *((intOrPtr*)(_t259 - 0x10)) + 0xfffffff0, _t236);
					_push(_t259 - 0x10);
					E6D2BE8E8(L"NoSetupVersionCheck", _t258, _t261);
					 *((char*)(_t259 - 4)) = 0x12;
					E6D2BF35E(_t259 - 0x10, _t258); // executed
					 *((char*)(_t259 - 4)) = 1;
					E6D2C8460( *((intOrPtr*)(_t259 - 0x10)) + 0xfffffff0, _t236);
					_push(_t259 - 0x10);
					E6D2BE8E8(L"uninstallpatch", _t258, _t261);
					 *((char*)(_t259 - 4)) = 0x13;
					E6D2BF35E(_t259 - 0x10, _t258);
					E6D2C8460( *((intOrPtr*)(_t259 - 0x10)) + 0xfffffff0, _t236);
					_t216 =  *((intOrPtr*)(_t259 + 8));
				}
				return E6D2D2709(_t216);
			}

0x6d2abe03
0x6d2abe03
0x6d2abe03
0x6d2abe0a
0x6d2abe0f
0x6d2abe15
0x6d2abe1b
0x6d2abe1e
0x6d2abe25
0x6d2abe2c
0x6d2abe2f
0x6d2abe32
0x6d2abe34
0x6d2abe37
0x6d2abe3a
0x6d2abe3e
0x6d2abe41
0x6d2abe4a
0x6d2abe50
0x6d2abe58
0x6d2abe5c
0x6d2abe61
0x6d2abe6b
0x6d2abe73
0x6d2abe79
0x6d2abe81
0x6d2abe85
0x6d2abe8a
0x6d2abe94
0x6d2abe9c
0x6d2abea2
0x6d2abeaa
0x6d2abeae
0x6d2abeb3
0x6d2abebd
0x6d2abec5
0x6d2abecb
0x6d2abed3
0x6d2abed7
0x6d2abedc
0x6d2abee6
0x6d2abeee
0x6d2abef4
0x6d2abefc
0x6d2abf00
0x6d2abf05
0x6d2abf0f
0x6d2abf17
0x6d2abf1d
0x6d2abf25
0x6d2abf29
0x6d2abf2e
0x6d2abf38
0x6d2abf40
0x6d2abf46
0x6d2abf4e
0x6d2abf52
0x6d2abf57
0x6d2abf61
0x6d2abf69
0x6d2abf6f
0x6d2abf77
0x6d2abf7b
0x6d2abf80
0x6d2abf8a
0x6d2abf92
0x6d2abf98
0x6d2abfa0
0x6d2abfa4
0x6d2abfa9
0x6d2abfb3
0x6d2abfbb
0x6d2abfc1
0x6d2abfc9
0x6d2abfcd
0x6d2abfd2
0x6d2abfdc
0x6d2abfe4
0x6d2abfea
0x6d2abff2
0x6d2abff6
0x6d2abffb
0x6d2ac005
0x6d2ac00d
0x6d2ac013
0x6d2ac01b
0x6d2ac01f
0x6d2ac024
0x6d2ac02e
0x6d2ac036
0x6d2ac03c
0x6d2ac044
0x6d2ac048
0x6d2ac04d
0x6d2ac057
0x6d2ac05f
0x6d2ac065
0x6d2ac06a
0x6d2ac071
0x6d2ac076
0x6d2ac080
0x6d2ac088
0x6d2ac08e
0x6d2ac096
0x6d2ac09a
0x6d2ac09f
0x6d2ac0a9
0x6d2ac0b1
0x6d2ac0b7
0x6d2ac0bf
0x6d2ac0c3
0x6d2ac0c8
0x6d2ac0d2
0x6d2ac0da
0x6d2ac0e0
0x6d2ac0e8
0x6d2ac0ec
0x6d2ac0f1
0x6d2ac0fb
0x6d2ac103
0x6d2ac109
0x6d2ac111
0x6d2ac115
0x6d2ac120
0x6d2ac125
0x6d2ac125
0x6d2ac12f

APIs

__EH_prolog3.LIBCMT ref: 6D2ABE0A

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

Part of subcall function 6D2BF35E: __EH_prolog3.LIBCMT ref: 6D2BF365
Part of subcall function 6D2BF35E: __recalloc.LIBCMT ref: 6D2BF3A7

Strings

repair, xrefs: 6D2AC037
promptrestart, xrefs: 6D2ABFE5
chainingpackage, xrefs: 6D2ABE74
uninstallpatch, xrefs: 6D2AC104
norestart, xrefs: 6D2ABF41
serialdownload, xrefs: 6D2AC060
uninstall, xrefs: 6D2AC089
log, xrefs: 6D2ABEEF
pipe, xrefs: 6D2ABFBC
CEIPconsent, xrefs: 6D2ABE4B
parameterfolder, xrefs: 6D2AC0B2
showfinalerror, xrefs: 6D2ABF93
NoSetupVersionCheck, xrefs: 6D2AC0DB
lcid, xrefs: 6D2ABEC6
createlayout, xrefs: 6D2ABE9D
passive, xrefs: 6D2ABF6A
msioptions, xrefs: 6D2ABF18

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3$__recalloc
String ID: CEIPconsent$NoSetupVersionCheck$chainingpackage$createlayout$lcid$log$msioptions$norestart$parameterfolder$passive$pipe$promptrestart$repair$serialdownload$showfinalerror$uninstall$uninstallpatch
API String ID: 1900422986-634121796
Opcode ID: 1938c92de87deb2c04a5ebce9b06469c5cd7eb8cb4502f724507a749711dad7d
Instruction ID: 9c9d862afc681d0d9cd8e63629ecde5b958ca952251d34f30a67927cb12b2b53
Opcode Fuzzy Hash: 1938c92de87deb2c04a5ebce9b06469c5cd7eb8cb4502f724507a749711dad7d
Instruction Fuzzy Hash: A7A17FB188859D9EDB10D7E8C9407EEF7B4BF0935CF1D45A4E134A3282C7B19A499732

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B6199 Relevance: 30.0, APIs: 11, Strings: 6, Instructions: 265
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E6D2B6199(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t140;
				signed int _t144;
				intOrPtr* _t149;
				signed int _t161;
				void* _t165;
				void* _t166;
				intOrPtr* _t179;
				signed int _t192;
				signed int _t196;
				void* _t199;
				intOrPtr _t209;
				intOrPtr* _t233;
				intOrPtr* _t237;
				intOrPtr* _t238;
				signed int _t254;
				void* _t255;
				intOrPtr* _t258;
				void* _t261;
				signed int _t283;
				intOrPtr* _t288;
				void* _t289;
				void* _t291;
				void* _t296;
				void* _t297;
				intOrPtr* _t298;
				void* _t299;

				_t299 = __eflags;
				_t273 = __edx;
				_t258 = __ecx;
				_push(0x3c);
				E6D2D265B(0x6d2d67f1, __ebx, __edi, __esi);
				_t288 = __ecx;
				_t254 =  *(_t296 + 8);
				 *(_t296 - 4) = 0;
				 *_t254 = 0x6d2a7550;
				 *((intOrPtr*)(_t254 + 4)) = 0;
				 *((intOrPtr*)(_t254 + 8)) = 0;
				 *((intOrPtr*)(_t254 + 0xc)) = 0;
				 *(_t296 - 4) = 1;
				_push(_t296 - 0x14);
				 *((intOrPtr*)(_t254 + 0x10)) = __ecx;
				E6D2BE8E8(L"Strings.xml", __ecx, _t299);
				_push(_t296 - 0x24);
				 *(_t296 - 4) = 2;
				_t278 = E6D2B1E75(_t254, _t258, __edx, L"Strings.xml", _t288, _t299);
				 *(_t296 - 4) = 3;
				if(PathIsRelativeW( *(_t296 - 0x14)) != 0) {
					 *(_t296 - 0x18) = E6D2C83FD( *_t278 - 0x10) + 0x10;
					 *(_t296 - 4) = 4;
					E6D2BF21D(_t296 - 0x18,  *(_t296 - 0x14));
					_t278 = PathFileExistsW; // executed
					PathFileExistsW( *(_t296 - 0x18)); // executed
					_t140 = PathFileExistsW( *(_t296 - 0x18)); // executed
					__eflags = _t140;
					if(_t140 == 0) {
						 *(_t296 - 4) = 3;
						E6D2C8460( &(( *(_t296 - 0x18))[0xfffffffffffffff8]), _t273);
						_t144 = 0;
						__eflags = 0;
						goto L5;
					} else {
						_t278 = _t296 - 0x14;
						E6D2BEA8D(_t296 - 0x18, _t296 - 0x14);
						 *(_t296 - 4) = 3;
						E6D2C8460( &(( *(_t296 - 0x18))[0xfffffffffffffff8]), _t273);
						goto L6;
					}
				} else {
					_t144 = PathFileExistsW( *(_t296 - 0x14)) & 0xffffff00 | _t252 != 0x00000000;
					L5:
					_t302 = _t144;
					if(_t144 == 0) {
						E6D2AC9BB(_t254, _t258, _t278, _t288, __eflags);
						 *(_t296 - 0x1c) = 0x6d2a6e38;
						 *(_t296 - 4) = 5;
						_t149 = E6D2ACB96(_t254, _t296 - 0x1c, _t273, 0x6d2a6e38, _t288, __eflags);
						 *(_t296 - 4) = 6;
						_t274 =  *_t288;
						 *((intOrPtr*)( *_t288 + 4))(0,  *_t149, _t296 + 0xc, _t296 - 0x1c, _t296 - 0x14);
						 *(_t296 - 4) = 5;
						E6D2C8460( *((intOrPtr*)(_t296 + 0xc)) + 0xfffffff0,  *_t288);
						_push(_t296 - 0x1c);
						_t261 = _t296 - 0x2c;
						E6D2AD1B4(_t254, _t261, 0x6d2a6e38, _t288, __eflags);
						 *(_t296 - 0x2c) = 0x6d2a6e38;
						E6D2CDBDB(_t296 - 0x2c, 0x6d2d8364);
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x24);
						E6D2D265B(0x6d2d5889, _t254, 0x6d2a6e38, _t288);
						_t255 = _t261;
						_t289 = _t255 + 4;
						_t161 = E6D2BF693(_t289,  *(_t296 + 8));
						__eflags = _t161 - 0xffffffff;
						if(__eflags == 0) {
							L18:
							E6D2BE8E8(L"UIInfo.xml", _t289, __eflags);
							 *(_t296 - 4) =  *(_t296 - 4) & 0x00000000;
							_t165 = E6D2BF143(_t255,  *(_t296 + 8), _t289, __eflags);
							_t282 = _t165;
							 *(_t296 - 4) = 1;
							_t166 = E6D2BF0E8(_t255, _t165, _t289, __eflags);
							 *(_t296 - 4) = 2;
							E6D2ACA39(_t255, _t296 - 0x10, _t274, _t165, _t289, __eflags);
							E6D2C8460( &(( *(_t296 - 0x14))[0xfffffffffffffff8]), _t274);
							E6D2C8460( &(( *(_t296 - 0x18))[0xfffffffffffffff8]), _t274);
							 *(_t296 - 4) = 6;
							E6D2C8460( *((intOrPtr*)(_t296 - 0x10)) + 0xfffffff0, _t274);
							_t179 = E6D2ACAC2(_t255, _t296 - 0x24, _t274, _t165, _t289, __eflags);
							 *(_t296 - 4) = 7;
							_t275 =  *((intOrPtr*)( *((intOrPtr*)(_t255 + 0x10))));
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t255 + 0x10)))) + 4))(0,  *_t179, _t296 + 8, _t296 - 0x24, _t166, _t296 - 0x10, _t296 - 0x14, L"\' was not found in UiInfo.xml", _t296 - 0x18, L"String for StringID \'", _t296 - 0x10);
							 *(_t296 - 4) = 6;
							E6D2C8460( *(_t296 + 8) + 0xfffffff0,  *((intOrPtr*)( *((intOrPtr*)(_t255 + 0x10)))));
							_push(_t296 - 0x24);
							_t266 = _t296 - 0x30;
							E6D2AD170(_t255, _t296 - 0x30, _t165, _t289, __eflags);
							E6D2CDBDB(_t296 - 0x30, 0x6d2d82a0);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_push(0x20);
							E6D2D265B(0x6d2d653e, _t255, _t282, _t289);
							_push(_t296 - 0x20);
							_t192 = E6D2AD349(_t255, _t266, _t282, _t289, __eflags);
							 *(_t296 - 4) =  *(_t296 - 4) & 0x00000000;
							_t283 =  *(_t296 - 0x20);
							__eflags = _t283;
							if(_t283 != 0) {
								_t196 =  *(_t296 + 8) + 4;
								__eflags = _t196;
								 *(_t296 + 8) = _t196;
								do {
									_t291 = E6D2AD76F(_t296 - 0x14, _t283, _t296 - 0x20, __eflags);
									_push(_t296 - 0x20);
									 *(_t296 - 4) = 1;
									_t199 = E6D2AD2B6(_t296 - 0x10, _t266, _t275, _t283, _t291, __eflags);
									_push(_t291);
									_push(_t199);
									 *(_t296 - 4) = 2;
									E6D2BF5FD(_t296 - 0x10, _t266, _t283,  *(_t296 + 8), __eflags);
									E6D2C8460( *((intOrPtr*)(_t296 - 0x10)) + 0xfffffff0, _t275);
									 *(_t296 - 4) = 0;
									E6D2C8460( &(( *(_t296 - 0x14))[0xfffffffffffffff8]), _t275);
									_push(_t296 - 0x2c);
									_t266 = _t296 - 0x20;
									_t209 =  *((intOrPtr*)(E6D2AD4C5(_t296 - 0x10, _t296 - 0x20, _t283,  *(_t296 + 8), __eflags)));
									__eflags = _t283 - _t209;
									if(_t283 != _t209) {
										E6D2C7D2D(_t209, _t296 - 0x20);
										_t283 =  *(_t296 - 0x20);
									}
									_t192 =  *(_t296 - 0x2c);
									__eflags = _t192;
									if(_t192 != 0) {
										_t266 =  *_t192;
										_t192 =  *((intOrPtr*)( *_t192 + 8))(_t192);
									}
									__eflags = _t283;
								} while (__eflags != 0);
							}
							 *(_t296 - 4) =  *(_t296 - 4) | 0xffffffff;
							__eflags = _t283;
							if(_t283 != 0) {
								_t192 =  *((intOrPtr*)( *_t283 + 8))(_t283);
							}
							return E6D2D2709(_t192);
						} else {
							__eflags = _t161;
							if(__eflags < 0) {
								L17:
								RaiseException(0xc000008c, 1, 0, 0);
								goto L18;
							} else {
								__eflags = _t161 -  *((intOrPtr*)(_t289 + 8));
								if(__eflags >= 0) {
									goto L17;
								} else {
									return E6D2D2709( *((intOrPtr*)(_t289 + 4)) + _t161 * 4);
								}
							}
						}
					} else {
						L6:
						E6D2AB93E(_t254, _t273, _t278, _t288, _t302); // executed
						_t298 = _t297 + 0xc;
						E6D2C8460( *(_t296 - 0x20) + 0xfffffff0, _t273);
						E6D2C8460( *((intOrPtr*)(_t296 - 0x24)) + 0xfffffff0, _t273);
						 *((intOrPtr*)(_t296 - 0x48)) = _t288;
						__imp__CoInitialize(0, 4, L"Successfuly found file %s ",  *(_t296 - 0x14));
						 *((intOrPtr*)(_t296 - 0x40)) = 0;
						 *((intOrPtr*)(_t296 + 0xc)) = _t298;
						 *_t298 = 0;
						E6D2AD214(_t296 - 0x3c, _t258,  *((intOrPtr*)(_t296 + 0xc)), _t288);
						 *(_t296 - 4) = 7;
						_push(_t258);
						 *((intOrPtr*)(_t296 + 0xc)) = _t298;
						 *_t298 = E6D2C83FD( &(( *(_t296 - 0x14))[0xfffffffffffffff8])) + 0x10; // executed
						E6D2ADBFF(_t254, _t296 - 0x48, _t273, 0, _t298, _t302); // executed
						_push(_t296 + 0xc);
						E6D2BE8E8(L"Strings", _t298, _t302);
						 *(_t296 - 4) = 8;
						E6D2AD65F(_t296 - 0x3c, _t254, _t296 - 0x30, _t296 + 0xc);
						_push(_t254);
						 *(_t296 - 4) = 9;
						L19();
						 *(_t296 - 4) = 8;
						_t233 =  *((intOrPtr*)(_t296 - 0x30));
						if(_t233 != 0) {
							 *((intOrPtr*)( *_t233 + 8))(_t233);
						}
						E6D2C8460( *((intOrPtr*)(_t296 + 0xc)) + 0xfffffff0, _t273);
						 *(_t296 - 4) = 2;
						_t237 =  *((intOrPtr*)(_t296 - 0x3c));
						if(_t237 != 0) {
							 *((intOrPtr*)( *_t237 + 8))(_t237);
						}
						_t238 =  *((intOrPtr*)(_t296 - 0x40));
						if(_t238 != 0) {
							 *((intOrPtr*)( *_t238 + 8))(_t238);
						}
						__imp__CoUninitialize();
						E6D2C8460( &(( *(_t296 - 0x14))[0xfffffffffffffff8]), _t273);
						return E6D2D2709(_t254);
					}
				}
			}

0x6d2b6199
0x6d2b6199
0x6d2b6199
0x6d2b6199
0x6d2b61a0
0x6d2b61a5
0x6d2b61a7
0x6d2b61ac
0x6d2b61af
0x6d2b61b5
0x6d2b61b8
0x6d2b61bb
0x6d2b61c1
0x6d2b61c5
0x6d2b61cb
0x6d2b61ce
0x6d2b61d6
0x6d2b61d7
0x6d2b61e0
0x6d2b61e2
0x6d2b61f1
0x6d2b6210
0x6d2b6213
0x6d2b621d
0x6d2b6225
0x6d2b622b
0x6d2b6230
0x6d2b6232
0x6d2b6234
0x6d2b6252
0x6d2b625c
0x6d2b6261
0x6d2b6261
0x00000000
0x6d2b6236
0x6d2b6239
0x6d2b623c
0x6d2b6241
0x6d2b624b
0x00000000
0x6d2b624b
0x6d2b61f3
0x6d2b61fe
0x6d2b6263
0x6d2b6263
0x6d2b6265
0x6d2b6363
0x6d2b636d
0x6d2b6377
0x6d2b637b
0x6d2b6380
0x6d2b6386
0x6d2b638d
0x6d2b6390
0x6d2b639a
0x6d2b63a2
0x6d2b63a3
0x6d2b63a6
0x6d2b63b4
0x6d2b63b7
0x6d2b63bc
0x6d2b63bd
0x6d2b63be
0x6d2b63bf
0x6d2b63c0
0x6d2b63c1
0x6d2b63c2
0x6d2b63c9
0x6d2b63ce
0x6d2b63d3
0x6d2b63d6
0x6d2b63db
0x6d2b63de
0x6d2b6408
0x6d2b6411
0x6d2b6416
0x6d2b6426
0x6d2b6434
0x6d2b6436
0x6d2b643a
0x6d2b6448
0x6d2b644c
0x6d2b6457
0x6d2b6462
0x6d2b6467
0x6d2b6471
0x6d2b647d
0x6d2b6482
0x6d2b648b
0x6d2b6490
0x6d2b6493
0x6d2b649d
0x6d2b64a5
0x6d2b64a6
0x6d2b64a9
0x6d2b64b7
0x6d2b64bc
0x6d2b64bd
0x6d2b64be
0x6d2b64bf
0x6d2b64c0
0x6d2b64c1
0x6d2b64c2
0x6d2b64c9
0x6d2b64d1
0x6d2b64d2
0x6d2b64d7
0x6d2b64db
0x6d2b64de
0x6d2b64e0
0x6d2b64e5
0x6d2b64e5
0x6d2b64e8
0x6d2b64eb
0x6d2b64f6
0x6d2b64fb
0x6d2b64ff
0x6d2b6503
0x6d2b6508
0x6d2b650c
0x6d2b650d
0x6d2b6511
0x6d2b651c
0x6d2b6521
0x6d2b652b
0x6d2b6533
0x6d2b6534
0x6d2b653c
0x6d2b653e
0x6d2b6540
0x6d2b6547
0x6d2b654c
0x6d2b654c
0x6d2b654f
0x6d2b6552
0x6d2b6554
0x6d2b6556
0x6d2b6559
0x6d2b6559
0x6d2b655c
0x6d2b655c
0x6d2b64eb
0x6d2b6560
0x6d2b6564
0x6d2b6566
0x6d2b656b
0x6d2b656b
0x6d2b6573
0x6d2b63e0
0x6d2b63e0
0x6d2b63e2
0x6d2b63f7
0x6d2b6402
0x00000000
0x6d2b63e4
0x6d2b63e4
0x6d2b63e7
0x00000000
0x6d2b63e9
0x6d2b63f4
0x6d2b63f4
0x6d2b63e7
0x6d2b63e2
0x6d2b626b
0x6d2b626b
0x6d2b6275
0x6d2b627d
0x6d2b6283
0x6d2b628e
0x6d2b6296
0x6d2b6299
0x6d2b62a3
0x6d2b62ac
0x6d2b62af
0x6d2b62b1
0x6d2b62b6
0x6d2b62bd
0x6d2b62c1
0x6d2b62d1
0x6d2b62d3
0x6d2b62db
0x6d2b62e1
0x6d2b62f1
0x6d2b62f5
0x6d2b62fa
0x6d2b62fd
0x6d2b6301
0x6d2b6306
0x6d2b630a
0x6d2b630f
0x6d2b6314
0x6d2b6314
0x6d2b631d
0x6d2b6322
0x6d2b6326
0x6d2b632b
0x6d2b6330
0x6d2b6330
0x6d2b6333
0x6d2b6338
0x6d2b633d
0x6d2b633d
0x6d2b6340
0x6d2b634c
0x6d2b6358
0x6d2b6358
0x6d2b6265

APIs

__EH_prolog3.LIBCMT ref: 6D2B61A0

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

Part of subcall function 6D2B1E75: __EH_prolog3.LIBCMT ref: 6D2B1E7C
Part of subcall function 6D2B1E75: GetThreadLocale.KERNEL32(?,00000004,6D2B6734,LBq+m,0000004C,6D2B7142,?,00000000), ref: 6D2B1E8E

PathIsRelativeW.SHLWAPI(?,?,?,0000003C,6D2C7332,?,?,?,?,?,?,?,00000000,?,?,?), ref: 6D2B61E9
PathFileExistsW.SHLWAPI(?), ref: 6D2B61F6
PathFileExistsW.SHLWAPI(?,?), ref: 6D2B622B
PathFileExistsW.SHLWAPI(?), ref: 6D2B6230
CoInitialize.OLE32(00000000), ref: 6D2B6299
CoUninitialize.OLE32(?,?), ref: 6D2B6340
__CxxThrowException@8.LIBCMT ref: 6D2B63B7
__EH_prolog3.LIBCMT ref: 6D2B63C9

Strings

UIInfo.xml, xrefs: 6D2B640C
Strings, xrefs: 6D2B62DC
String for StringID ', xrefs: 6D2B641D
Strings.xml, xrefs: 6D2B61C6
' was not found in UiInfo.xml, xrefs: 6D2B642B
Successfuly found file %s , xrefs: 6D2B626E

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3Path$ExistsFile$Exception@8InitializeLocaleRelativeThreadThrowUninitialize
String ID: ' was not found in UiInfo.xml$String for StringID '$Strings$Strings.xml$Successfuly found file %s $UIInfo.xml
API String ID: 1923347782-1246989722
Opcode ID: 1e018eca1b990ea432aeb4305455b45dcafc4f21ad36dfc1db98fa2581ead726
Instruction ID: 2d11df50018406ddfdfcab475976c89efb6305c43a4ce7aac00a2d0998e99334
Opcode Fuzzy Hash: 1e018eca1b990ea432aeb4305455b45dcafc4f21ad36dfc1db98fa2581ead726
Instruction Fuzzy Hash: 56A1917194414DDFDB01DFA8C984BEEBBB8EF09318F158265E614EB281DB70DA05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6D2BD149 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 114
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E6D2BD149(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t32;
				void* _t33;
				long _t39;
				char* _t42;
				int _t45;
				long _t50;
				long _t55;
				int _t66;
				void* _t72;
				void* _t73;

				_t72 = __esi;
				E6D2D265B(0x6d2d5da0, __ebx, __edi, __esi);
				_t32 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__esi + 0x24))))))();
				_t69 =  *_t32;
				_t33 =  *((intOrPtr*)( *_t32))(4);
				_t75 = _t33;
				if(_t33 != 0) {
					_push(_t73 - 0x10);
					E6D2AC419(__ebx, _t69, __edi, __esi, _t75);
					 *(_t73 - 4) =  *(_t73 - 4) & 0x00000000;
					E6D2BF21D(_t73 - 0x10, L"graphics\\setup.ico");
					_push(0x10);
					_t66 = 0x20;
					_t39 = LoadImageW(0,  *(_t73 - 0x10), 1, _t66, _t66, ??); // executed
					 *(__esi + 0xa0) = _t39;
					if(_t39 != 0) {
						SendMessageW( *(__esi + 4), 0x80, 1, _t39); // executed
					}
					E6D2BF25E(_t73 - 0x10);
					_t42 = L"stop.ico";
					if( *((char*)(_t72 + 0x8d)) == 0) {
						_t42 = L"warn.ico";
					}
					E6D2BF21D(_t73 - 0x10, _t42);
					_t45 = LoadImageW(0,  *(_t73 - 0x10), 1, _t66, _t66, 0x10); // executed
					 *(_t72 + 0x9c) = _t45;
					if(_t45 != 0) {
						SendMessageW(GetDlgItem( *(_t72 + 4), 0x68), 0x170,  *(_t72 + 0x9c), 0); // executed
					}
					E6D2BF25E(_t73 - 0x10);
					E6D2BF21D(_t73 - 0x10, L"print.ico");
					_t50 = LoadImageW(0,  *(_t73 - 0x10), 1, 0x10, 0x10, 0x10); // executed
					 *(_t72 + 0xa4) = _t50;
					if(_t50 != 0) {
						SendMessageW(GetDlgItem( *(_t72 + 4), 0x69), 0xf7, 1,  *(_t72 + 0xa4));
					}
					E6D2BF25E(_t73 - 0x10);
					E6D2BF21D(_t73 - 0x10, L"save.ico");
					_t55 = LoadImageW(0,  *(_t73 - 0x10), 1, 0x10, 0x10, 0x10); // executed
					 *(_t72 + 0xa8) = _t55;
					if(_t55 != 0) {
						SendMessageW(GetDlgItem( *(_t72 + 4), 0x6a), 0xf7, 1,  *(_t72 + 0xa8));
					}
					_t33 = E6D2C8460( &(( *(_t73 - 0x10))[0xfffffffffffffff8]), _t69);
				}
				return E6D2D2709(_t33);
			}

0x6d2bd149
0x6d2bd150
0x6d2bd15a
0x6d2bd15c
0x6d2bd160
0x6d2bd162
0x6d2bd164
0x6d2bd16d
0x6d2bd16e
0x6d2bd173
0x6d2bd17f
0x6d2bd18a
0x6d2bd18e
0x6d2bd198
0x6d2bd19a
0x6d2bd1a2
0x6d2bd1af
0x6d2bd1af
0x6d2bd1b8
0x6d2bd1c4
0x6d2bd1c9
0x6d2bd1cb
0x6d2bd1cb
0x6d2bd1d4
0x6d2bd1e4
0x6d2bd1e6
0x6d2bd1ee
0x6d2bd209
0x6d2bd209
0x6d2bd212
0x6d2bd21f
0x6d2bd231
0x6d2bd233
0x6d2bd23b
0x6d2bd256
0x6d2bd256
0x6d2bd25f
0x6d2bd26c
0x6d2bd27e
0x6d2bd280
0x6d2bd288
0x6d2bd2a3
0x6d2bd2a3
0x6d2bd2af
0x6d2bd2af
0x6d2bd2b9

APIs

__EH_prolog3.LIBCMT ref: 6D2BD150

Part of subcall function 6D2AC419: __EH_prolog3.LIBCMT ref: 6D2AC420
Part of subcall function 6D2AC419: GetModuleFileNameW.KERNEL32(6D2A0000,00000010,00000104), ref: 6D2AC46D

Part of subcall function 6D2BF21D: PathAppendW.SHLWAPI(00000000,00000000,?,00000105,?,?,80070057,80070057,6D2AC3AE), ref: 6D2BF241

LoadImageW.USER32 ref: 6D2BD198
SendMessageW.USER32(?,00000080,00000001,00000000), ref: 6D2BD1AF
LoadImageW.USER32 ref: 6D2BD1E4
GetDlgItem.USER32 ref: 6D2BD1F5
SendMessageW.USER32(00000000,00000170,?,00000000), ref: 6D2BD209
LoadImageW.USER32 ref: 6D2BD231
GetDlgItem.USER32 ref: 6D2BD242
SendMessageW.USER32(00000000,000000F7,00000001,?), ref: 6D2BD256
LoadImageW.USER32 ref: 6D2BD27E
GetDlgItem.USER32 ref: 6D2BD28F
SendMessageW.USER32(00000000,000000F7,00000001,?), ref: 6D2BD2A3

Strings

warn.ico, xrefs: 6D2BD1CB, 6D2BD1D0
print.ico, xrefs: 6D2BD217
save.ico, xrefs: 6D2BD264
stop.ico, xrefs: 6D2BD1C4
graphics\setup.ico, xrefs: 6D2BD177

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: ImageLoadMessageSend$Item$H_prolog3$AppendFileModuleNamePath
String ID: graphics\setup.ico$print.ico$save.ico$stop.ico$warn.ico
API String ID: 1194837009-3827646805
Opcode ID: f89172e9f6637bf346c6159795d683a90869b8b9bef7fa5c40d52efa8f514b1b
Instruction ID: 0096b180502162c81f087f349b9fd4f523c79cb3d93b89884613f0f98261740d
Opcode Fuzzy Hash: f89172e9f6637bf346c6159795d683a90869b8b9bef7fa5c40d52efa8f514b1b
Instruction Fuzzy Hash: F741327468470EAAEF219B60CC46FAFB7B9FF45749F040825F365A90D1DBF294509B10

Uniqueness

Uniqueness Score: -1.00%

Function 6D2BD353 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 163
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E6D2BD353(void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v12;
				char _v16;
				signed int _v20;
				int _v24;
				intOrPtr _v32;
				struct HWND__** _v44;
				int _v48;
				void* _v52;
				struct HWND__** _v56;
				int _v60;
				struct HWND__* _v64;
				char _v68;
				intOrPtr _v76;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t48;
				struct HWND__** _t59;
				intOrPtr* _t76;
				intOrPtr* _t77;
				struct HWND__* _t78;
				intOrPtr* _t87;
				intOrPtr* _t88;
				struct HWND__* _t89;
				struct HWND__** _t104;
				intOrPtr _t128;
				struct HWND__** _t140;
				signed int _t142;
				void* _t145;

				_t145 = __eflags;
				_push(0xffffffff);
				_push(0x6d2d62b5);
				_push( *[fs:0x0]);
				_t48 =  *0x6d2df0a0; // 0x7dcdee72
				_push(_t48 ^ (_t142 & 0xfffffff8) - 0x00000028);
				 *[fs:0x0] =  &_v16;
				_t128 = _a4;
				_t104 = _t128 + 4;
				_v56 = _t104;
				E6D2AE153(_t104, GetParent( *_t104)); // executed
				SetWindowTextW( *_t104,  *( *(_t128 + 0x20))); // executed
				E6D2BD149(_t104, _t128, _t128, _t145); // executed
				E6D2BD073(_t104, _t128, _t128, _t145); // executed
				E6D2B0B11(GetDlgItem( *_t104, 0x66), _t128 + 0x34, _t145);
				_t59 = _t128 + 0x38;
				_v44 = _t59;
				SendMessageW( *_t59, 0x445, 0, 0x4000000);
				E6D2BD86C(_t128);
				SendMessageW( *_v44, 0xcf, 1, 0); // executed
				E6D2BCFA5(_t128, _t128, SendMessageW, _t145); // executed
				_t139 = _t128; // executed
				E6D2BD2BF(_t128, _t128, _t128, _t145); // executed
				if( *((char*)(_t128 + 0x8c)) != 0) {
					L2:
					EnableWindow(GetDlgItem( *_v56, 0xb), 0); // executed
				} else {
					_t147 =  *((char*)(_t128 + 0x8d));
					if( *((char*)(_t128 + 0x8d)) != 0) {
						goto L2;
					}
				}
				_v48 = _t128 + 0xac;
				E6D2B6615( *_v56, _t128 + 0xac);
				E6D2BE8E8(L"IDS_PRINT", _t139, _t147);
				_v12 = _v12 & 0x00000000;
				_t76 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x24)))) + 4))( &_v52);
				_t77 =  *((intOrPtr*)( *_t76))( &_v56);
				_t140 = _v64;
				_t78 = GetDlgItem( *_t140, 0x69);
				E6D2B6655(GetDlgItem, _t78,  *_t77,  *_t77, _t140, _t147); // executed
				_v20 = _v20 | 0xffffffff;
				E6D2C8460(_v64 + 0xfffffff0,  *_t77);
				E6D2BE8E8(L"IDS_SAVE", _t140, _t147);
				_v24 = 1;
				_t87 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x24)))) + 4))( &_v64, _v56);
				_t88 =  *((intOrPtr*)( *_t87))( &_v68);
				_t89 = GetDlgItem( *_t140, 0x6a);
				_push(_v68);
				_t118 = _t89;
				E6D2B6655(GetDlgItem, _t89,  *_t88,  *_t88, _t140, _t147);
				E6D2C8460(_v76 + 0xfffffff0,  *_t88);
				_v64 =  *_t140;
				_v60 = 0;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				_v32 = 2;
				E6D2AFF14( &_v64);
				if(_v60 != 0) {
					E6D2C8E26(_v60);
					_pop(_t118);
				}
				E6D2C0324(0, _t118, _v68, 0);
				PostMessageW( *_t140, 0x6f5, 0, 0); // executed
				 *_a8 = 1;
				 *[fs:0x0] = _v48;
				return 1;
			}

0x6d2bd353
0x6d2bd35b
0x6d2bd35d
0x6d2bd368
0x6d2bd36f
0x6d2bd376
0x6d2bd37b
0x6d2bd381
0x6d2bd384
0x6d2bd389
0x6d2bd397
0x6d2bd3a3
0x6d2bd3ab
0x6d2bd3b0
0x6d2bd3c4
0x6d2bd3d6
0x6d2bd3e0
0x6d2bd3e4
0x6d2bd3e8
0x6d2bd3fc
0x6d2bd3fe
0x6d2bd403
0x6d2bd405
0x6d2bd411
0x6d2bd41c
0x6d2bd42d
0x6d2bd413
0x6d2bd413
0x6d2bd41a
0x00000000
0x00000000
0x6d2bd41a
0x6d2bd43f
0x6d2bd443
0x6d2bd452
0x6d2bd457
0x6d2bd464
0x6d2bd470
0x6d2bd472
0x6d2bd482
0x6d2bd48c
0x6d2bd491
0x6d2bd49d
0x6d2bd4ac
0x6d2bd4b4
0x6d2bd4c1
0x6d2bd4cd
0x6d2bd4d5
0x6d2bd4d7
0x6d2bd4dd
0x6d2bd4df
0x6d2bd4eb
0x6d2bd4f4
0x6d2bd4f8
0x6d2bd4fc
0x6d2bd500
0x6d2bd504
0x6d2bd50c
0x6d2bd514
0x6d2bd51d
0x6d2bd523
0x6d2bd528
0x6d2bd528
0x6d2bd530
0x6d2bd53e
0x6d2bd54a
0x6d2bd550
0x6d2bd55e

APIs

GetParent.USER32(?), ref: 6D2BD38D

Part of subcall function 6D2AE153: GetWindowLongW.USER32(?,000000F0), ref: 6D2AE179
Part of subcall function 6D2AE153: GetParent.USER32 ref: 6D2AE18B
Part of subcall function 6D2AE153: GetWindowRect.USER32 ref: 6D2AE1A5
Part of subcall function 6D2AE153: GetWindowLongW.USER32(?,000000F0), ref: 6D2AE1BB
Part of subcall function 6D2AE153: MonitorFromWindow.USER32(?,00000002), ref: 6D2AE1DA

SetWindowTextW.USER32(?,?), ref: 6D2BD3A3

Part of subcall function 6D2BD149: __EH_prolog3.LIBCMT ref: 6D2BD150
Part of subcall function 6D2BD149: LoadImageW.USER32 ref: 6D2BD198
Part of subcall function 6D2BD149: SendMessageW.USER32(?,00000080,00000001,00000000), ref: 6D2BD1AF
Part of subcall function 6D2BD149: LoadImageW.USER32 ref: 6D2BD1E4
Part of subcall function 6D2BD149: GetDlgItem.USER32 ref: 6D2BD1F5
Part of subcall function 6D2BD149: SendMessageW.USER32(00000000,00000170,?,00000000), ref: 6D2BD209
Part of subcall function 6D2BD149: LoadImageW.USER32 ref: 6D2BD231
Part of subcall function 6D2BD149: GetDlgItem.USER32 ref: 6D2BD242
Part of subcall function 6D2BD149: SendMessageW.USER32(00000000,000000F7,00000001,?), ref: 6D2BD256
Part of subcall function 6D2BD149: LoadImageW.USER32 ref: 6D2BD27E

Part of subcall function 6D2BD073: __EH_prolog3.LIBCMT ref: 6D2BD07A
Part of subcall function 6D2BD073: SetDlgItemTextW.USER32 ref: 6D2BD130

GetDlgItem.USER32 ref: 6D2BD3B9

Part of subcall function 6D2B0B11: SetWindowLongW.USER32(?,000000FC,?), ref: 6D2B0B2D

SendMessageW.USER32(?,00000445,00000000,04000000), ref: 6D2BD3E4

Part of subcall function 6D2BD86C: _memset.LIBCMT ref: 6D2BD8B6
Part of subcall function 6D2BD86C: SendMessageW.USER32(?,0000043A,00000001,?), ref: 6D2BD8D9

SendMessageW.USER32(?,000000CF,00000001,00000000), ref: 6D2BD3FC

Part of subcall function 6D2BCFA5: __EH_prolog3.LIBCMT ref: 6D2BCFAC
Part of subcall function 6D2BCFA5: GetDlgItem.USER32 ref: 6D2BD018
Part of subcall function 6D2BCFA5: SetWindowLongW.USER32(?,000000FC,?), ref: 6D2BD041
Part of subcall function 6D2BCFA5: SetDlgItemTextW.USER32 ref: 6D2BD05A

Part of subcall function 6D2BD2BF: __EH_prolog3.LIBCMT ref: 6D2BD2C6
Part of subcall function 6D2BD2BF: SetDlgItemTextW.USER32 ref: 6D2BD2FC
Part of subcall function 6D2BD2BF: SetDlgItemTextW.USER32 ref: 6D2BD33B

GetDlgItem.USER32 ref: 6D2BD424
KiUserCallbackDispatcher.NTDLL(00000000,00000000), ref: 6D2BD42D
GetDlgItem.USER32 ref: 6D2BD482
GetDlgItem.USER32 ref: 6D2BD4D5
PostMessageW.USER32(?,000006F5,00000000,00000000), ref: 6D2BD53E

Strings

IDS_PRINT, xrefs: 6D2BD44D
IDS_SAVE, xrefs: 6D2BD4A7

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Item$MessageWindow$Send$Text$H_prolog3ImageLoadLong$Parent$CallbackDispatcherFromMonitorPostRectUser_memset
String ID: IDS_PRINT$IDS_SAVE
API String ID: 3208048787-3437764585
Opcode ID: 1ecea842637dc09f21ecee6a5eb010bafc0cc7bd18309eaaa30df7463b6eee72
Instruction ID: b74c30942d55300c7ad405e766f2c8da61e0f5ad260b8995131de3b1b5d651d1
Opcode Fuzzy Hash: 1ecea842637dc09f21ecee6a5eb010bafc0cc7bd18309eaaa30df7463b6eee72
Instruction Fuzzy Hash: E4519D756487099FDB10DF64C888B1ABBF5FF89368F040A29F6559B2A0CB71EC14CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6D2AD923 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 228
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E6D2AD923(void* __ebx, WCHAR* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t85;
				int _t90;
				WCHAR* _t101;
				long _t105;
				void* _t110;
				int _t113;
				void* _t123;
				void* _t132;
				void* _t136;
				WCHAR* _t179;
				WCHAR* _t187;
				void** _t188;
				void** _t189;
				WCHAR* _t190;
				struct _OVERLAPPED* _t192;
				WCHAR* _t194;
				void* _t196;
				void* _t197;
				void* _t198;

				_t198 = __eflags;
				_t179 = __edx;
				E6D2D265B(0x6d2d5a67, __ebx, __edi, __esi);
				_t192 = 0;
				 *(_t196 - 0x30) = 0;
				_t166 = 1;
				 *((intOrPtr*)(_t196 - 4)) = 1;
				_t85 =  *0x6d2dfe10; // 0x6d2a33ec
				_t169 = 0x6d2dfe10;
				 *(_t196 - 0x14) =  *((intOrPtr*)(_t85 + 0xc))(0x30) + 0x10;
				 *((char*)(_t196 - 4)) = 2;
				_push(_t196 - 0x20);
				E6D2BE8E8( *(_t196 + 0xc), 0, _t198);
				_t90 = PathIsRelativeW( *(_t196 - 0x20));
				E6D2C8460( &(( *(_t196 - 0x20))[0xfffffffffffffff8]), _t179);
				if(_t90 == 0) {
					_push(_t196 - 0x20);
					E6D2BE8E8( *(_t196 + 0xc), 0, __eflags);
					 *((char*)(_t196 - 4)) = 5;
					E6D2BEA8D(_t196 - 0x20, _t196 - 0x14);
					__eflags =  &(( *(_t196 - 0x20))[0xfffffffffffffff8]);
					E6D2C8460( &(( *(_t196 - 0x20))[0xfffffffffffffff8]), _t179);
				} else {
					_t136 =  *0x6d2dfe10; // 0x6d2a33ec
					_t11 =  *((intOrPtr*)(_t136 + 0xc))() + 0x10; // 0x10
					_t190 = _t11;
					 *(_t196 - 0x18) = _t190;
					 *((char*)(_t196 - 4)) = 3;
					_t200 =  *((intOrPtr*)(_t190 - 8)) - 0x00000104 | 1 -  *((intOrPtr*)(_t190 - 4));
					if(( *((intOrPtr*)(_t190 - 8)) - 0x00000104 | 1 -  *((intOrPtr*)(_t190 - 4))) < 0) {
						E6D2C827A(0x104, _t196 - 0x18);
						_t190 =  *(_t196 - 0x18);
					}
					L6D2BF1A2(GetModuleFileNameW( *0x6d2e2f90, _t190, 0x104) | 0xffffffff, 0x104, _t196 - 0x18);
					_push(_t196 - 0x20);
					E6D2BE8E8(_t190, _t196 - 0x18, _t200);
					 *((char*)(_t196 - 4)) = 4;
					E6D2BF25E(_t196 - 0x20);
					_t179 =  *(_t196 - 0x14);
					_t194 =  *(_t196 + 0xc);
					 *(_t196 - 0x28) =  *(_t196 - 0x20);
					_t169 = 1 -  *((intOrPtr*)(_t179 - 4));
					if(( *((intOrPtr*)(_t179 - 8)) - 0x00000104 | 1 -  *((intOrPtr*)(_t179 - 4))) < 0) {
						_t169 = _t196 - 0x14;
						E6D2C827A(0x104, _t196 - 0x14);
						_t179 =  *(_t196 - 0x14);
					}
					L6D2BF1A2(PathCombineW(_t179,  *(_t196 - 0x28), _t194) | 0xffffffff, 0x104, _t196 - 0x14);
					E6D2C8460( &(( *(_t196 - 0x20))[0xfffffffffffffff8]), _t179);
					_t33 = _t190 - 0x10; // 0x0
					E6D2C8460(_t33, _t179);
					_t166 = 1;
					_t192 = 0;
				}
				 *(_t196 - 0x2c) = _t192;
				 *(_t196 - 0x28) = _t192;
				 *((char*)(_t196 - 4)) = 6;
				_t101 = E6D2C7F22(_t196 - 0x2c,  *(_t196 - 0x14), 0x80000000, _t166, 3, 0x80, _t192); // executed
				_t187 = _t101;
				_t202 = _t187 - _t192;
				if(_t187 < _t192) {
					_push(_t187);
					_push( *(_t196 - 0x14));
					_push(L"ReadXML failed to open XML file %s, with error %d");
					_push(_t192);
					_t192 =  *(_t196 + 0x10);
					E6D2AB93E(_t166, _t179, _t187, _t192, _t202);
					_t197 = _t197 + 0x10;
					 *((intOrPtr*)(_t196 - 0x24)) = 0x6d2a6e14;
					 *(_t196 - 0x20) = _t187;
					_push(0x6d2d82d8);
					_t132 = _t196 - 0x24;
					L9:
					_push(_t132);
					E6D2CDBDB();
				}
				E6D2C7E56(_t169, _t196 - 0x2c, _t192, _t192, 2); // executed
				 *(_t196 - 0x3c) = _t192;
				 *(_t196 - 0x38) = _t192;
				_t105 = SetFilePointer( *(_t196 - 0x2c), _t192, _t196 - 0x38, _t166); // executed
				 *(_t196 - 0x3c) = _t105;
				E6D2C7E56(_t169, _t196 - 0x2c, 2, _t192, _t192); // executed
				_t110 =  *(_t196 - 0x3c) + 0xfffffffe >> 1;
				if(_t110 < 0) {
					_push(0x80070057);
					L12:
					_t110 = L6D2C83CE(_t169);
				}
				if(_t110 != _t192) {
					__imp__#4(_t192, _t110);
					_t169 =  *(_t196 + 8);
					 *( *(_t196 + 8)) = _t110;
					__eflags = _t110 - _t192;
					if(_t110 != _t192) {
						_t188 =  *(_t196 + 8);
					} else {
						_push(0x8007000e);
						goto L12;
					}
				} else {
					_t188 =  *(_t196 + 8);
					 *_t188 = _t192;
				}
				_t180 = _t196 - 0x34;
				 *(_t196 - 0x30) = _t166;
				 *(_t196 - 0x34) = _t192;
				_t113 = ReadFile( *(_t196 - 0x2c),  *_t188,  *(_t196 - 0x3c) + 0xfffffffe, _t196 - 0x34, _t192); // executed
				if(_t113 != _t192) {
					_t166 = 0;
					__eflags = 0;
				} else {
					_t166 = E6D2C7F08();
				}
				if(_t166 < _t192) {
					_t123 =  *0x6d2dfe10; // 0x6d2a33ec
					 *(_t196 - 0x20) =  *((intOrPtr*)(_t123 + 0xc))() + 0x10;
					 *((char*)(_t196 - 4)) = 7;
					E6D2C80BA(_t196 - 0x20, L"Could not find mandatory data file %s. This is a bad package.",  *(_t196 - 0x14));
					_t189 =  *(_t196 + 0x10);
					_t197 = _t197 + 0xc;
					 *((intOrPtr*)( *_t189 + 4))(_t192,  *(_t196 - 0x20));
					_t169 = _t189;
					 *((intOrPtr*)( *_t189 + 4))(7,  *(_t196 - 0x20));
					 *((intOrPtr*)(_t196 - 0x1c)) = 0x6d2a6e14;
					 *(_t196 - 0x18) = _t166;
					_push(0x6d2d82d8);
					_t132 = _t196 - 0x1c;
					goto L9;
				}
				__eflags =  *(_t196 - 0x2c) - _t192;
				if( *(_t196 - 0x2c) != _t192) {
					FindCloseChangeNotification( *(_t196 - 0x2c)); // executed
				}
				E6D2C8460( &(( *(_t196 - 0x14))[0xfffffffffffffff8]), _t180);
				__eflags =  &(( *(_t196 + 0xc))[0xfffffffffffffff8]);
				E6D2C8460( &(( *(_t196 + 0xc))[0xfffffffffffffff8]), _t180);
				return E6D2D2709(_t188);
			}

0x6d2ad923
0x6d2ad923
0x6d2ad92a
0x6d2ad92f
0x6d2ad931
0x6d2ad936
0x6d2ad937
0x6d2ad93a
0x6d2ad93f
0x6d2ad94a
0x6d2ad950
0x6d2ad957
0x6d2ad958
0x6d2ad960
0x6d2ad96e
0x6d2ad975
0x6d2ada3e
0x6d2ada3f
0x6d2ada4a
0x6d2ada4e
0x6d2ada56
0x6d2ada59
0x6d2ad97b
0x6d2ad97b
0x6d2ad988
0x6d2ad988
0x6d2ad98b
0x6d2ad98e
0x6d2ad9a1
0x6d2ad9a3
0x6d2ad9aa
0x6d2ad9af
0x6d2ad9af
0x6d2ad9c6
0x6d2ad9ce
0x6d2ad9cf
0x6d2ad9d7
0x6d2ad9db
0x6d2ad9e3
0x6d2ad9e6
0x6d2ad9eb
0x6d2ad9f2
0x6d2ad9f9
0x6d2ad9fd
0x6d2ada00
0x6d2ada05
0x6d2ada05
0x6d2ada19
0x6d2ada24
0x6d2ada29
0x6d2ada2c
0x6d2ada33
0x6d2ada34
0x6d2ada34
0x6d2ada5e
0x6d2ada61
0x6d2ada72
0x6d2ada7c
0x6d2ada81
0x6d2ada83
0x6d2ada85
0x6d2ada87
0x6d2ada88
0x6d2ada8b
0x6d2ada90
0x6d2ada91
0x6d2ada94
0x6d2ada99
0x6d2ada9c
0x6d2adaa3
0x6d2adaa6
0x6d2adaab
0x6d2adaae
0x6d2adaae
0x6d2adaaf
0x6d2adaaf
0x6d2adabc
0x6d2adaca
0x6d2adacd
0x6d2adad0
0x6d2adad8
0x6d2adae1
0x6d2adaec
0x6d2adaee
0x6d2adaf0
0x6d2adaf5
0x6d2adaf5
0x6d2adaf5
0x6d2adafc
0x6d2adb07
0x6d2adb0d
0x6d2adb10
0x6d2adb12
0x6d2adb14
0x6d2adb1d
0x6d2adb16
0x6d2adb16
0x00000000
0x6d2adb16
0x6d2adafe
0x6d2adafe
0x6d2adb01
0x6d2adb01
0x6d2adb26
0x6d2adb32
0x6d2adb35
0x6d2adb38
0x6d2adb40
0x6d2adb4b
0x6d2adb4b
0x6d2adb42
0x6d2adb47
0x6d2adb47
0x6d2adb4f
0x6d2adb51
0x6d2adb61
0x6d2adb64
0x6d2adb74
0x6d2adb79
0x6d2adb7e
0x6d2adb87
0x6d2adb91
0x6d2adb93
0x6d2adb96
0x6d2adb9d
0x6d2adba0
0x6d2adba5
0x00000000
0x6d2adba5
0x6d2adbad
0x6d2adbb0
0x6d2adbb5
0x6d2adbb5
0x6d2adbc1
0x6d2adbc9
0x6d2adbcc
0x6d2adbd8

APIs

__EH_prolog3.LIBCMT ref: 6D2AD92A

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

PathIsRelativeW.SHLWAPI(00000000,00000000,?,00000000,00000008,6D2BE271,00000000,?,?,00000DF0,?,?), ref: 6D2AD960
GetModuleFileNameW.KERNEL32(00000010,00000104,?,00000000,00000008,6D2BE271,00000000,?,?,00000DF0,?,?), ref: 6D2AD9BA
PathCombineW.SHLWAPI(?,?,?,00000000,?,00000000,00000008,6D2BE271,00000000,?,?,00000DF0,?,?), ref: 6D2ADA0D
__CxxThrowException@8.LIBCMT ref: 6D2ADAAF
SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,00000000,00000000,00000002,?,80000000,00000001,00000003,00000080,00000000,00000000), ref: 6D2ADAD0
SysAllocStringLen.OLEAUT32(00000000,?), ref: 6D2ADB07
ReadFile.KERNEL32(?,?,?,?,00000000,?,00000000,00000008,6D2BE271,00000000,?,?,00000DF0,?,?), ref: 6D2ADB38
FindCloseChangeNotification.KERNEL32(?,?,00000000,00000008,6D2BE271,00000000,?,?,00000DF0,?,?), ref: 6D2ADBB5

Strings

ReadXML failed to open XML file %s, with error %d, xrefs: 6D2ADA8B
Could not find mandatory data file %s. This is a bad package., xrefs: 6D2ADB6E

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: File$H_prolog3Path$AllocChangeCloseCombineException@8FindModuleNameNotificationPointerReadRelativeStringThrow
String ID: Could not find mandatory data file %s. This is a bad package.$ReadXML failed to open XML file %s, with error %d
API String ID: 1788304661-4172873023
Opcode ID: e589f513ffb8068133c45d4be69c0d6f148076c14f2f43bca26f43d2806b1101
Instruction ID: 11855a140b5f508ffae8e11d221c3cf9a19291159c3044a141e75ae085c18e6b
Opcode Fuzzy Hash: e589f513ffb8068133c45d4be69c0d6f148076c14f2f43bca26f43d2806b1101
Instruction Fuzzy Hash: F9917F7194411DEFCF01CFA8C888ADEBBB5FF49328F158625E620B7291D7709905CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C6EE2 Relevance: 17.9, APIs: 1, Strings: 9, Instructions: 369
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 6D2C6EE9

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

Part of subcall function 6D2B31A0: __EH_prolog3.LIBCMT ref: 6D2B31A7
Part of subcall function 6D2B31A0: _wcschr.LIBCMT ref: 6D2B31E8
Part of subcall function 6D2B31A0: __CxxThrowException@8.LIBCMT ref: 6D2B32A2
Part of subcall function 6D2B31A0: PathIsRelativeW.SHLWAPI(00000000,?,00000000,00000028,6D2C6F33,?,?,00000000,00000044,6D2C668B,?,00000000,00000000,?,?,succeeded), ref: 6D2B32B9
Part of subcall function 6D2B31A0: PathFileExistsW.SHLWAPI(00000000,?,?,?,6D2C2A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008,6D2BE271,00000000), ref: 6D2B32C6

Part of subcall function 6D2B45DE: __EH_prolog3.LIBCMT ref: 6D2B45E5

Part of subcall function 6D2B60C9: __EH_prolog3.LIBCMT ref: 6D2B60D0

Strings

?, xrefs: 6D2C7311
Windows, xrefs: 6D2C6F56
FinishPage, xrefs: 6D2C717E
ProgressPage, xrefs: 6D2C70EC
EulaPage, xrefs: 6D2C705A
ResourceDll, xrefs: 6D2C6EFC
MaintenanceModePage, xrefs: 6D2C71FF
SystemRequirementsPage, xrefs: 6D2C7291
WelcomePage, xrefs: 6D2C6FAC

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3$Path$Exception@8ExistsFileRelativeThrow_wcschr
String ID: ?$EulaPage$FinishPage$MaintenanceModePage$ProgressPage$ResourceDll$SystemRequirementsPage$WelcomePage$Windows
API String ID: 1182493169-944454811
Opcode ID: 596e6299bf02a31b7251b8c10fb75a5ef19cc58f0383d9467481c921d08ba96a
Instruction ID: 11eafbc4ae9ed3b163e91d6533d7e810f723bb56e5dbf476acf06e8b3b342a90
Opcode Fuzzy Hash: 596e6299bf02a31b7251b8c10fb75a5ef19cc58f0383d9467481c921d08ba96a
Instruction Fuzzy Hash: 58F16E7190414DEFDB01DBE8C984BEEBBB8AF09318F1841A9E654E7281DB74DA05D732

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B31A0 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 6D2B31A7

Part of subcall function 6D2AD76F: __EH_prolog3.LIBCMT ref: 6D2AD776

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

_wcschr.LIBCMT ref: 6D2B31E8
__CxxThrowException@8.LIBCMT ref: 6D2B32A2

Part of subcall function 6D2CDBDB: RaiseException.KERNEL32(?,?,6D2C9236,?,?,?,?,?,6D2C9236,?,6D2D7F54,6D2E22B4), ref: 6D2CDC1D

PathIsRelativeW.SHLWAPI(00000000,?,00000000,00000028,6D2C6F33,?,?,00000000,00000044,6D2C668B,?,00000000,00000000,?,?,succeeded), ref: 6D2B32B9
PathFileExistsW.SHLWAPI(00000000,?,?,?,6D2C2A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008,6D2BE271,00000000), ref: 6D2B32C6
PathFileExistsW.SHLWAPI(?,00000000,?,?,?,?,6D2C2A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008), ref: 6D2B3307
PathFileExistsW.SHLWAPI(?,?,?,?,6D2C2A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008,6D2BE271,00000000), ref: 6D2B330A

Part of subcall function 6D2ACA39: __EH_prolog3.LIBCMT ref: 6D2ACA40

Part of subcall function 6D2ACAC2: __EH_prolog3.LIBCMT ref: 6D2ACAC9

Part of subcall function 6D2AD170: __EH_prolog3.LIBCMT ref: 6D2AD177

Strings

UIInfo.xml, xrefs: 6D2B3234
UiInfo.xml has INVALID ResourceDLLName %s, xrefs: 6D2B3222
Successfuly found file %s , xrefs: 6D2B3341

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3$Path$ExistsFile$ExceptionException@8RaiseRelativeThrow_wcschr
String ID: Successfuly found file %s $UIInfo.xml$UiInfo.xml has INVALID ResourceDLLName %s
API String ID: 1926448744-2896109536
Opcode ID: 1818d04319d138fb3a74bebc4394f58fe2ffca0e022cc2227c1f758f3b93844a
Instruction ID: 86d12107e6f69b2411f5b61d064e4e1edef7c29d1447e384b6417ee3259d08be
Opcode Fuzzy Hash: 1818d04319d138fb3a74bebc4394f58fe2ffca0e022cc2227c1f758f3b93844a
Instruction Fuzzy Hash: 7C71927184414DEFDF00DBE8C944AEEBBB8FF05318F158265E620B7291DB74AA04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6D2ADBFF Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 174
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 6D2ADC06

Part of subcall function 6D2AD923: __EH_prolog3.LIBCMT ref: 6D2AD92A
Part of subcall function 6D2AD923: PathIsRelativeW.SHLWAPI(00000000,00000000,?,00000000,00000008,6D2BE271,00000000,?,?,00000DF0,?,?), ref: 6D2AD960
Part of subcall function 6D2AD923: GetModuleFileNameW.KERNEL32(00000010,00000104,?,00000000,00000008,6D2BE271,00000000,?,?,00000DF0,?,?), ref: 6D2AD9BA
Part of subcall function 6D2AD923: PathCombineW.SHLWAPI(?,?,?,00000000,?,00000000,00000008,6D2BE271,00000000,?,?,00000DF0,?,?), ref: 6D2ADA0D

CoCreateInstance.OLE32(6D2A7930,00000000,00000017,6D2A7970,?,?,?,?,00000030,6D2B62D8), ref: 6D2ADC48
SysFreeString.OLEAUT32(?), ref: 6D2ADC69

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

Part of subcall function 6D2ADE1D: __EH_prolog3.LIBCMT ref: 6D2ADE24
Part of subcall function 6D2ADE1D: SysFreeString.OLEAUT32(00000000), ref: 6D2ADE6B

Part of subcall function 6D2ACA39: __EH_prolog3.LIBCMT ref: 6D2ACA40

Part of subcall function 6D2ACAC2: __EH_prolog3.LIBCMT ref: 6D2ACAC9

__CxxThrowException@8.LIBCMT ref: 6D2ADD4B
SysFreeString.OLEAUT32(?), ref: 6D2ADD87

Part of subcall function 6D2AB93E: __EH_prolog3.LIBCMT ref: 6D2AB945

Strings

m_spDoc->get_documentElement() failed. Parse error is: %s, xrefs: 6D2ADD19
m_spDoc->loadXML() failed. Parse error is: %s, xrefs: 6D2ADDFE
CoCreateInstance(__uuidof(DOMDocument30)) failed with hr=%d, xrefs: 6D2ADC58

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3$FreeString$Path$CombineCreateException@8FileInstanceModuleNameRelativeThrow
String ID: CoCreateInstance(__uuidof(DOMDocument30)) failed with hr=%d$m_spDoc->get_documentElement() failed. Parse error is: %s$m_spDoc->loadXML() failed. Parse error is: %s
API String ID: 3627190661-2525052916
Opcode ID: e3437d66592f27c49ed0a8c87c4e8aa6925b8d5b05256fcdee63ed6562284337
Instruction ID: 218d621798c03007bab80c999356d3268e8def06e12b7ccbfcddd8d2ec15165e
Opcode Fuzzy Hash: e3437d66592f27c49ed0a8c87c4e8aa6925b8d5b05256fcdee63ed6562284337
Instruction Fuzzy Hash: 0A61827284410EEFCB01DFE8C984AEEB7B8EF49308F1941A9F650A7291D7359E45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6D2CA311 Relevance: 13.7, APIs: 9, Instructions: 196
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoW.KERNEL32(6D2A14A0,6D2C91D6), ref: 6D2CA31E
__calloc_crt.LIBCMT ref: 6D2CA32A

Part of subcall function 6D2C9F70: Sleep.KERNEL32(00000000,?,6D2C91D6,?), ref: 6D2C9F98

__calloc_crt.LIBCMT ref: 6D2CA3CA
GetFileType.KERNEL32(74C08559,00000001,6D2C91D6), ref: 6D2CA451

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: __calloc_crt$FileInfoSleepStartupType
String ID:
API String ID: 591920814-0
Opcode ID: 4cc470683b30f901d156eff8ad1cec07ae4061b57bab330a2f614c410b3bf4a9
Instruction ID: 12bea1b4e55de0fa7bace9f7b335246bf1058bb890e4cb8e0835e9348089b453
Opcode Fuzzy Hash: 4cc470683b30f901d156eff8ad1cec07ae4061b57bab330a2f614c410b3bf4a9
Instruction Fuzzy Hash: 6761EF7298870A8BD7518B68C88CF2A77B4BF46329F158768D6668B2D1D730DC41CB02

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B4B2A Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 6D2B4B31

Part of subcall function 6D2B3AD4: __EH_prolog3.LIBCMT ref: 6D2B3ADB

Part of subcall function 6D2B396A: __EH_prolog3.LIBCMT ref: 6D2B3971

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

Part of subcall function 6D2B434E: __EH_prolog3.LIBCMT ref: 6D2B4355

Part of subcall function 6D2B1F81: __EH_prolog3.LIBCMT ref: 6D2B1F88

Strings

ServiceStatusIcon, xrefs: 6D2B4C10
ProcessStatusIcon, xrefs: 6D2B4BBD
ServiceListBox, xrefs: 6D2B4CB6
ProcessListBox, xrefs: 6D2B4C63
RefreshButton, xrefs: 6D2B4B67
DiskSpaceInfo, xrefs: 6D2B4D09

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: DiskSpaceInfo$ProcessListBox$ProcessStatusIcon$RefreshButton$ServiceListBox$ServiceStatusIcon
API String ID: 431132790-2340012964
Opcode ID: 4c96d6f8a609d4fd50dd91381fb08416d70b14e4d469d2f57d2c11d884c66340
Instruction ID: df8656c06ec7d93176916bd964a9cd4ddf2425e3a8360cb1bc165b8c86d97106
Opcode Fuzzy Hash: 4c96d6f8a609d4fd50dd91381fb08416d70b14e4d469d2f57d2c11d884c66340
Instruction Fuzzy Hash: 6A71627194414DEFDB00DBE8C844BDEB7E8AF18318F1981A8E568E7281DB74DA09D732

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B3AD4 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 174
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 6D2B3ADB

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

Part of subcall function 6D2AD76F: __EH_prolog3.LIBCMT ref: 6D2AD776

Part of subcall function 6D2B381C: __EH_prolog3.LIBCMT ref: 6D2B3823

Strings

SysLink, xrefs: 6D2B3BEA
Static, xrefs: 6D2B3B87
SubTitle, xrefs: 6D2B3B34
Hide, xrefs: 6D2B3C9C
Title, xrefs: 6D2B3AE4
File, xrefs: 6D2B3C48

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: File$Hide$Static$SubTitle$SysLink$Title
API String ID: 431132790-4216723965
Opcode ID: cf3a5b2781e123356dfddcc18e1fe14a3eca7b2237851ab58e2bbfae6ebaa4aa
Instruction ID: d01a35931db949fd1dad6870e74038dd72d11736ed08273fe532ca7dc39519bb
Opcode Fuzzy Hash: cf3a5b2781e123356dfddcc18e1fe14a3eca7b2237851ab58e2bbfae6ebaa4aa
Instruction Fuzzy Hash: 2F61497194424DEFDF00DBA8C944BDEB7B8AF09318F1985A8E514EB281D774EA05DB32

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B30B1 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6D2C6041: __EH_prolog3.LIBCMT ref: 6D2C6048
Part of subcall function 6D2C6041: GetCommandLineW.KERNEL32(0000001C,6D2B30C2,?), ref: 6D2C604D

RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,?,?,?), ref: 6D2B3136

Strings

CreateLayout, xrefs: 6D2B30DA
Install, xrefs: 6D2B30EF
Repair, xrefs: 6D2B30E1
Uninstall, xrefs: 6D2B30E8
UninstallPatch, xrefs: 6D2B30D3

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: CommandExceptionH_prolog3LineRaise
String ID: CreateLayout$Install$Repair$Uninstall$UninstallPatch
API String ID: 683617612-791770018
Opcode ID: 0783c3f943d83c96836461742c8c396db5a410ec426e67a0e6d0124e947c63c0
Instruction ID: 08ff9126322a4741cfa369622bcd8b430654f16e970ccbdc6e64310dd70f424c
Opcode Fuzzy Hash: 0783c3f943d83c96836461742c8c396db5a410ec426e67a0e6d0124e947c63c0
Instruction Fuzzy Hash: 170128325E855EA7CA209758C941F56B699FF813ECF1AC831EB54CB141CBB2E8428252

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B33F3 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 41libraryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2B33FA
LoadLibraryW.KERNEL32(?,00000008,6D2B3377,?), ref: 6D2B3427
GetLastError.KERNEL32 ref: 6D2B3437

Part of subcall function 6D2AB93E: __EH_prolog3.LIBCMT ref: 6D2AB945

GetLastError.KERNEL32 ref: 6D2B344B
__CxxThrowException@8.LIBCMT ref: 6D2B346E

Strings

::LoadLibrary(%s) failed with error %d, xrefs: 6D2B343C

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: ErrorH_prolog3Last$Exception@8LibraryLoadThrow
String ID: ::LoadLibrary(%s) failed with error %d
API String ID: 3804648058-20907036
Opcode ID: d51b1991a0a7da89f7a7666e471a01cf2df828aa9f974f4a3e714857faa4d665
Instruction ID: cb1ab4d7e9596d4c938557d7b957ad0a22810f1aaa327099291d484fcca1f91d
Opcode Fuzzy Hash: d51b1991a0a7da89f7a7666e471a01cf2df828aa9f974f4a3e714857faa4d665
Instruction Fuzzy Hash: CA018FB198850EDFDB41DF68C944B2EBAB0FF41314F198274E508DB244DB759912CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 6D2CD763 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6D2CD771

Part of subcall function 6D2C8FCB: __FF_MSGBANNER.LIBCMT ref: 6D2C8FE4
Part of subcall function 6D2C8FCB: __NMSG_WRITE.LIBCMT ref: 6D2C8FEB
Part of subcall function 6D2C8FCB: RtlAllocateHeap.NTDLL(00000000,00000001,00000000,?,?,?,6D2C91D6,?), ref: 6D2C9010

Strings

Q~-m, xrefs: 6D2CD765

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: AllocateHeap_malloc
String ID: Q~-m
API String ID: 501242067-531871115
Opcode ID: bfe92ef2dd40edab292505edba7b30240edc5435b395143b633e80c566923a93
Instruction ID: 37bde69003cfe1cb712443c50e2e44437c150cb1518abdd8c1c7dd4c5c6997b4
Opcode Fuzzy Hash: bfe92ef2dd40edab292505edba7b30240edc5435b395143b633e80c566923a93
Instruction Fuzzy Hash: 5811EB32ADC51FABCBA21B34980465A37A4EFC13B5B154735F944AB690DB30CC81C793

Uniqueness

Uniqueness Score: -1.00%

Function 6D2BD073 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 66COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2BD07A
SetDlgItemTextW.USER32 ref: 6D2BD130

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

Strings

IDS_INSTALL_WARNING_DESCRIPTION_FORMAT, xrefs: 6D2BD0F4
IDS_SUCCESS_BLOCKERS_DESCRIPTION_TEXT, xrefs: 6D2BD0A3
IDS_INSTALL_ABORTED_DESCRIPTION_FORMAT_1S, xrefs: 6D2BD0BF

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3$ItemText
String ID: IDS_INSTALL_ABORTED_DESCRIPTION_FORMAT_1S$IDS_INSTALL_WARNING_DESCRIPTION_FORMAT$IDS_SUCCESS_BLOCKERS_DESCRIPTION_TEXT
API String ID: 2878149499-3033223209
Opcode ID: f0867c00afb4296513b5fd834d1dcc98912729e4de5fc12acbd906a83884738f
Instruction ID: 6f73b3ec6f66eb1f086f3ce30384a1a5a8837ffe6464894393cefcfaa4d70551
Opcode Fuzzy Hash: f0867c00afb4296513b5fd834d1dcc98912729e4de5fc12acbd906a83884738f
Instruction Fuzzy Hash: 7F21C47194454EDFCB00DBB4C548AAEB7F1FF4A308F1945A8E162EB291DB71A904CB12

Uniqueness

Uniqueness Score: -1.00%

Function 6D2BCFA5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2BCFAC

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

GetDlgItem.USER32 ref: 6D2BD018

Part of subcall function 6D2AE2E1: GetCurrentProcess.KERNEL32(00000000,0000000D,?,?,6D2BDFD0,00000000), ref: 6D2AE319
Part of subcall function 6D2AE2E1: FlushInstructionCache.KERNEL32(00000000,?,?,6D2BDFD0,00000000), ref: 6D2AE320

SetWindowLongW.USER32(?,000000FC,?), ref: 6D2BD041
SetDlgItemTextW.USER32 ref: 6D2BD05A

Strings

IDS_BLOCK_DIALOGS_SYSLINK_TEXT, xrefs: 6D2BCFB5

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3Item$CacheCurrentFlushInstructionLongProcessTextWindow
String ID: IDS_BLOCK_DIALOGS_SYSLINK_TEXT
API String ID: 2244164258-355004722
Opcode ID: 3f431c8a5931ccc72244d5593cf31bbbcd745e9322450a14d110236782722e60
Instruction ID: b5211f41d8589fff7970609286382cd1c9ddfe31dd4bb937692755e649f82a1c
Opcode Fuzzy Hash: 3f431c8a5931ccc72244d5593cf31bbbcd745e9322450a14d110236782722e60
Instruction Fuzzy Hash: 2121D07190021ADFCF10DFA4C848AAEBBF5FF49318B194668E965EB2A1C730D905CF11

Uniqueness

Uniqueness Score: -1.00%

Function 6D2BD2BF Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2BD2C6

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

SetDlgItemTextW.USER32 ref: 6D2BD2FC
SetDlgItemTextW.USER32 ref: 6D2BD33B

Strings

IDS_CLOSE, xrefs: 6D2BD311
IDS_CONTINUE, xrefs: 6D2BD2CF

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3ItemText
String ID: IDS_CLOSE$IDS_CONTINUE
API String ID: 2008326593-3637486705
Opcode ID: 94b6e539096fee07775648ecae30828abfbadace58a9af64881046c4ade2869b
Instruction ID: 1443e70eeef1b28ef2dbed179e5e5cee0babb7fd715cd8645a7823e5367fd0b6
Opcode Fuzzy Hash: 94b6e539096fee07775648ecae30828abfbadace58a9af64881046c4ade2869b
Instruction Fuzzy Hash: 3C115E71540509DFCB10DFA8C988A6EB7F5FF49319F1542A8E225EB2E0CB70AD04CB11

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C5EC4 Relevance: 7.6, APIs: 5, Instructions: 94COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 6D2C5F27
GetWindowLongW.USER32(?,000000FC), ref: 6D2C5F3E
CallWindowProcW.USER32(?,?,00000082,?,?), ref: 6D2C5F50
GetWindowLongW.USER32(?,000000FC), ref: 6D2C5F6A
SetWindowLongW.USER32(?,000000FC,?), ref: 6D2C5F79

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Window$Long$CallProc
String ID:
API String ID: 513923721-0
Opcode ID: c28ab6943b27cf022fb5a3a8a7eb68e58429cbc909f1cb34498a4d108faf67c9
Instruction ID: 3dcfb7d31aa3d3ce50e77ecfcff794923d099ba4911035af175bb9f12779c7da
Opcode Fuzzy Hash: c28ab6943b27cf022fb5a3a8a7eb68e58429cbc909f1cb34498a4d108faf67c9
Instruction Fuzzy Hash: B4311735500619EFCB25CF65C8849ABBBF5FF89320B148619F8AA97660D730E950DF90

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B6655 Relevance: 7.6, APIs: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6D2B665C

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

Part of subcall function 6D2BF35E: __EH_prolog3.LIBCMT ref: 6D2BF365
Part of subcall function 6D2BF35E: __recalloc.LIBCMT ref: 6D2BF3A7

_memset.LIBCMT ref: 6D2B66C3
GetClientRect.USER32 ref: 6D2B66E6
SendMessageW.USER32(00000001,00000432,00000000,?), ref: 6D2B66FC

Part of subcall function 6D2C81DE: _memcpy_s.LIBCMT ref: 6D2C8224

RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,?,00000040,6D2B730F,?,?,?,?,?,?,?,?,?), ref: 6D2B6713

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3$ClientExceptionH_prolog3_MessageRaiseRectSend__recalloc_memcpy_s_memset
String ID:
API String ID: 4097222183-0
Opcode ID: dfda9b4ff4909c869b9fba30b350ffe2df819689fa1a94630188a119e20d0d7c
Instruction ID: 99a270adc8aa75daceef88647424b9e8a702b82860d175c5c895406e8656b051
Opcode Fuzzy Hash: dfda9b4ff4909c869b9fba30b350ffe2df819689fa1a94630188a119e20d0d7c
Instruction Fuzzy Hash: 132138B194060CEFDB21DFA4C888E9EBBB8FF44358F158129F615AB250D771AA42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C91B7 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6D2C91D1

Part of subcall function 6D2C8FCB: __FF_MSGBANNER.LIBCMT ref: 6D2C8FE4
Part of subcall function 6D2C8FCB: __NMSG_WRITE.LIBCMT ref: 6D2C8FEB
Part of subcall function 6D2C8FCB: RtlAllocateHeap.NTDLL(00000000,00000001,00000000,?,?,?,6D2C91D6,?), ref: 6D2C9010

std::exception::exception.LIBCMT ref: 6D2C9206
std::exception::exception.LIBCMT ref: 6D2C9220
__CxxThrowException@8.LIBCMT ref: 6D2C9231

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID:
API String ID: 615853336-0
Opcode ID: 4f3c148c58c71c3dbafd9941d882a22552f4e6b9832e708d9db1a368d9079bbf
Instruction ID: 5eb8366edb9f97003afd1f830fd3b5a3d7d73821650a0402413fa36fed0c6389
Opcode Fuzzy Hash: 4f3c148c58c71c3dbafd9941d882a22552f4e6b9832e708d9db1a368d9079bbf
Instruction Fuzzy Hash: 6FF028758C810F6ADF94DB64CC19AADBEB5AF8132CF510265E921A7180DBB08E50C693

Uniqueness

Uniqueness Score: -1.00%

Function 00C135E5 Relevance: 6.0, APIs: 4, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C135E5() {
				WCHAR* _t2;
				void* _t4;
				void* _t15;
				WCHAR* _t17;

				_t2 = GetEnvironmentStringsW();
				_t17 = _t2;
				if(_t17 != 0) {
					if( *_t17 != 0) {
						goto L3;
						do {
							do {
								L3:
								_t2 =  &(_t2[1]);
							} while ( *_t2 != 0);
							_t2 =  &(_t2[1]);
						} while ( *_t2 != 0);
					}
					_t1 = _t2 - _t17 + 2; // -2
					_t10 = _t1;
					_t4 = E00C14F38(_t1); // executed
					_t15 = _t4;
					if(_t15 != 0) {
						E00C15030(_t15, _t17, _t10);
					}
					FreeEnvironmentStringsW(_t17);
					return _t15;
				} else {
					return 0;
				}
			}

0x00c135e8
0x00c135ee
0x00c135f4
0x00c135fd
0x00000000
0x00c135ff
0x00c135ff
0x00c135ff
0x00c135ff
0x00c13602
0x00c13607
0x00c1360a
0x00c135ff
0x00c13612
0x00c13612
0x00c13617
0x00c1361c
0x00c13621
0x00c13633
0x00c13638
0x00c13624
0x00c1362f
0x00c135f6
0x00c135f9
0x00c135f9

APIs

GetEnvironmentStringsW.KERNEL32(00000000,00C12AE3), ref: 00C135E8
__malloc_crt.LIBCMT ref: 00C13617
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00C13624

Memory Dump Source

Source File: 00000014.00000002.712372782.0000000000C11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000014.00000002.712347190.0000000000C10000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.712416872.0000000000C18000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.712438921.0000000000C1A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_c10000_Setup.jbxd

Similarity

API ID: EnvironmentStrings$Free__malloc_crt
String ID:
API String ID: 237123855-0
Opcode ID: b4ee9aed78e95c839590dfa39c56332cfe4ab14083450ebb8e39e091ac2309a5
Instruction ID: c12f557a27c5becbd12cb3817443c20ccee7346472522fc62f20cbf45ef0a31d
Opcode Fuzzy Hash: b4ee9aed78e95c839590dfa39c56332cfe4ab14083450ebb8e39e091ac2309a5
Instruction Fuzzy Hash: 07F0E9775110906ACB2167757C469DB2729EAD776831A8056F412C7200F6248FC5A2A1

Uniqueness

Uniqueness Score: -1.00%

Function 6D2BE1AD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104threadCOMMON

Download Yara Rule

APIs

SetThreadLocale.KERNEL32(00000000), ref: 6D2BE1FD

Strings

UiInfo.xml, xrefs: 6D2BE23D

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: LocaleThread
String ID: UiInfo.xml
API String ID: 635194068-3938134364
Opcode ID: cfd49afa963bcf5e4656e0d56d06854474cdcf9bc89b023a9f56645f20133c7f
Instruction ID: c3f7f1722d53888e4b8d16518a7a51890cf2ad6b168a81509c0e6ff0ddcd7dec
Opcode Fuzzy Hash: cfd49afa963bcf5e4656e0d56d06854474cdcf9bc89b023a9f56645f20133c7f
Instruction Fuzzy Hash: F84189706487459FDB10CF68C448B2ABBE4FF49369F004A6EE966C7290CB74E804CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B6615 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32 ref: 6D2B6636
SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,6D2B72CF), ref: 6D2B6648

Strings

tooltips_class32, xrefs: 6D2B662F

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Window$Create
String ID: tooltips_class32
API String ID: 870168347-1918224756
Opcode ID: 9686f0bf330cab3b4771094d84392ed38aa0501b8e7b5ec9cd9dfa859da85825
Instruction ID: a8edff59e303a36bd8555276fc92b598cb065eb6482c0a2d50ba77fbc432d091
Opcode Fuzzy Hash: 9686f0bf330cab3b4771094d84392ed38aa0501b8e7b5ec9cd9dfa859da85825
Instruction Fuzzy Hash: 35E0E2B1043131BEE6704A6AAC1CFE76EACEF8B3B0F244204792DE2180CA209910C7F0

Uniqueness

Uniqueness Score: -1.00%

Function 6D2BF5FD Relevance: 4.6, APIs: 3, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2BF604
__recalloc.LIBCMT ref: 6D2BF612
__recalloc.LIBCMT ref: 6D2BF62E

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: __recalloc$H_prolog3
String ID:
API String ID: 59120599-0
Opcode ID: b55370a2b5992c1c1ebe5aa75790eb307e081afef4dea7a97424047d05f3bc9f
Instruction ID: 81096832d0efaa28407a7ab2999d5a4f63db3177f779a453b46f186770c26d3d
Opcode Fuzzy Hash: b55370a2b5992c1c1ebe5aa75790eb307e081afef4dea7a97424047d05f3bc9f
Instruction Fuzzy Hash: 12115EB558030A9FE7508F68C980B66B7E0FF14748F118938EAE9CB354D772EC408B40

Uniqueness

Uniqueness Score: -1.00%

Function 6D2BDF19 Relevance: 4.6, APIs: 3, Instructions: 50threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 6D2BDF5E

Part of subcall function 6D2C03F5: MsgWaitForMultipleObjects.USER32 ref: 6D2C0415
Part of subcall function 6D2C03F5: PeekMessageW.USER32 ref: 6D2C042B
Part of subcall function 6D2C03F5: TranslateMessage.USER32(?), ref: 6D2C0435
Part of subcall function 6D2C03F5: DispatchMessageW.USER32 ref: 6D2C043F
Part of subcall function 6D2C03F5: PeekMessageW.USER32 ref: 6D2C044E

GetExitCodeThread.KERNEL32(00000000,000000FF), ref: 6D2BDF77
CloseHandle.KERNEL32(00000000), ref: 6D2BDF7E

Part of subcall function 6D2BCB21: __EH_prolog3.LIBCMT ref: 6D2BCB28
Part of subcall function 6D2BCB21: DestroyIcon.USER32(?,00000004), ref: 6D2BCB50
Part of subcall function 6D2BCB21: DestroyIcon.USER32(?,00000004), ref: 6D2BCB5D
Part of subcall function 6D2BCB21: DestroyIcon.USER32(?,00000004), ref: 6D2BCB6A
Part of subcall function 6D2BCB21: DestroyIcon.USER32(?,00000004), ref: 6D2BCB77

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: DestroyIconMessage$PeekThread$CloseCodeCreateDispatchExitH_prolog3HandleMultipleObjectsTranslateWait
String ID:
API String ID: 1402139836-0
Opcode ID: 4de1b7c9460f9dfcf2c5c7299ab9c3ea0f43b61a84c05c0a954e211e86102bd9
Instruction ID: 995fac6b9eb2a0f0f04afe8cd3539b8adf410af30bbffbc5e8bd115968f208d5
Opcode Fuzzy Hash: 4de1b7c9460f9dfcf2c5c7299ab9c3ea0f43b61a84c05c0a954e211e86102bd9
Instruction Fuzzy Hash: 9B01A132104214AFC701DF64CC08CABBBA9EF85264F058A59F9658B050D731D916CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6D2AFF39 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GetWindowPlacement.USER32(?,?), ref: 6D2AFF6A

Part of subcall function 6D2C76EE: _calloc.LIBCMT ref: 6D2C770F

Part of subcall function 6D2C83FD: __CxxThrowException@8.LIBCMT ref: 6D2C83E2

Strings

,, xrefs: 6D2AFF63

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Exception@8PlacementThrowWindow_calloc
String ID: ,
API String ID: 1982324250-3772416878
Opcode ID: 6f64af3a5997fec0d312ca6b95a466daac0db50699ebb90d4ac782c8d214e132
Instruction ID: a90f1c0241aa4afa7e4a47bda9a6110813afdc675817d51c4f1879ebb6c946b1
Opcode Fuzzy Hash: 6f64af3a5997fec0d312ca6b95a466daac0db50699ebb90d4ac782c8d214e132
Instruction Fuzzy Hash: 14115E76A0520DEFDB00DFA8D88099EF7F9FF49314B21852AE959E3240D730B944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B09A7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(RICHED20.DLL,?,6D2BCA98,00000000,00000001,?,80070057,6D2A5D9C,?,00000030,80070057), ref: 6D2B09C9

Strings

RICHED20.DLL, xrefs: 6D2B09B5

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: LibraryLoad
String ID: RICHED20.DLL
API String ID: 1029625771-992299850
Opcode ID: ba361d8d8f37ef06ee3bdd25ba1ddfdc4f4fbdaf5695be22bd93ecb308434ea5
Instruction ID: 9ad9b058d82dcbe87af3ec40a6a97ed6d971aca525e61c14449cdb4402d96928
Opcode Fuzzy Hash: ba361d8d8f37ef06ee3bdd25ba1ddfdc4f4fbdaf5695be22bd93ecb308434ea5
Instruction Fuzzy Hash: 2BE07EB1900B10CF83208F6B9544547FAF8FFA97103044A1FD08AC3A24C3B0A141CF84

Uniqueness

Uniqueness Score: -1.00%

Function 6D2BF35E Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2BF365
__recalloc.LIBCMT ref: 6D2BF3A7

Part of subcall function 6D2C83FD: __CxxThrowException@8.LIBCMT ref: 6D2C83E2

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Exception@8H_prolog3Throw__recalloc
String ID:
API String ID: 2968967773-0
Opcode ID: a9e694bb706cffbc13ee9cafd1cb936d66d101cb5bc89522608060ad3295f55b
Instruction ID: f563351e04ef6bc4df163b94cbd053f3a454cf21bd5e3f39c2bbaaafa93b6dcc
Opcode Fuzzy Hash: a9e694bb706cffbc13ee9cafd1cb936d66d101cb5bc89522608060ad3295f55b
Instruction Fuzzy Hash: 1E01883518474A87D3618F28C48072BB3E6EF8175DB6149ACD6A59B244E7F3A811C741

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C0686 Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2C068D
__recalloc.LIBCMT ref: 6D2C06D5

Part of subcall function 6D2C83FD: __CxxThrowException@8.LIBCMT ref: 6D2C83E2

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Exception@8H_prolog3Throw__recalloc
String ID:
API String ID: 2968967773-0
Opcode ID: 11aa9dee60edb8e25ecb756cf79bd772ebdbd2c58525eca663413abe580bf9a1
Instruction ID: 94577b2580f301f6cf678727a8c1bd43aab441e33193c61f558c099ab62e4464
Opcode Fuzzy Hash: 11aa9dee60edb8e25ecb756cf79bd772ebdbd2c58525eca663413abe580bf9a1
Instruction Fuzzy Hash: A301DBF66D470A9BE394CE22C741B16B2E9AFD0748F31C63DD5558B140E730DC41CA82

Uniqueness

Uniqueness Score: -1.00%

Function 6D2BDFAB Relevance: 3.0, APIs: 2, Instructions: 38COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000E,00000000), ref: 6D2BDFD6

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 5910a082523073eddb99d273a3e17fb008aa34236f539a6a1b17c9fec071bbc7
Instruction ID: d911a5172fbb50dd6241366db0dc874a44874f8f3339d61709420e914ac75c76
Opcode Fuzzy Hash: 5910a082523073eddb99d273a3e17fb008aa34236f539a6a1b17c9fec071bbc7
Instruction Fuzzy Hash: 0BF0E9323D83196FE6101669DC49F9777ACEB85768F048921F615F70C1E7B1EC00C654

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C6041 Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2C6048
GetCommandLineW.KERNEL32(0000001C,6D2B30C2,?), ref: 6D2C604D

Part of subcall function 6D2ABE03: __EH_prolog3.LIBCMT ref: 6D2ABE0A

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3$CommandLine
String ID:
API String ID: 1384747822-0
Opcode ID: 75d17fcc5e94be1e5e9140875175204491714045fb8ca441656fad940e59886b
Instruction ID: e48593dd8385a8afa3456a3e1c70a96ae6e569c894409bbca2643a6310e47d41
Opcode Fuzzy Hash: 75d17fcc5e94be1e5e9140875175204491714045fb8ca441656fad940e59886b
Instruction Fuzzy Hash: 29F05876A8810DCBDB51DBA8C844BEDB374BF1572DF494224E211AB1C0DB349944CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C29EF Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2C29F6

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

Part of subcall function 6D2AD923: __EH_prolog3.LIBCMT ref: 6D2AD92A
Part of subcall function 6D2AD923: PathIsRelativeW.SHLWAPI(00000000,00000000,?,00000000,00000008,6D2BE271,00000000,?,?,00000DF0,?,?), ref: 6D2AD960
Part of subcall function 6D2AD923: GetModuleFileNameW.KERNEL32(00000010,00000104,?,00000000,00000008,6D2BE271,00000000,?,?,00000DF0,?,?), ref: 6D2AD9BA
Part of subcall function 6D2AD923: PathCombineW.SHLWAPI(?,?,?,00000000,?,00000000,00000008,6D2BE271,00000000,?,?,00000DF0,?,?), ref: 6D2ADA0D

SysFreeString.OLEAUT32(00000000), ref: 6D2C2A33

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3$Path$CombineFileFreeModuleNameRelativeString
String ID:
API String ID: 2530041087-0
Opcode ID: be5130125cc538a839d05d5f8b7487cee65a26e58c42000aed637ad0d4d0da76
Instruction ID: d3772dfe95a1c7bc9a98274fc681882c2dff3c8b0abeb0c5554ecbc5dc417190
Opcode Fuzzy Hash: be5130125cc538a839d05d5f8b7487cee65a26e58c42000aed637ad0d4d0da76
Instruction Fuzzy Hash: 13F0307185821EABDF51DFA4CC04FAE7B78FF04319F158439FA10A6150C7359A15DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00C12915 Relevance: 3.0, APIs: 2, Instructions: 8memoryCOMMON

Download Yara Rule

APIs

HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000), ref: 00C1291C
Run.SETUPENGINE ref: 00C12922

Memory Dump Source

Source File: 00000014.00000002.712372782.0000000000C11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000014.00000002.712347190.0000000000C10000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.712416872.0000000000C18000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.712438921.0000000000C1A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_c10000_Setup.jbxd

Similarity

API ID: HeapInformation
String ID:
API String ID: 3918721486-0
Opcode ID: e6f3d5389ecb234c06f0725c5f13c527fbac54a39f9f1a26da2719e8b2cc72df
Instruction ID: 76332329f186a582a8d8f1c109ce97f239ba00ef91a43f5215339e57fa761b61
Opcode Fuzzy Hash: e6f3d5389ecb234c06f0725c5f13c527fbac54a39f9f1a26da2719e8b2cc72df
Instruction Fuzzy Hash: 1FB092B09201406EEA0097209C0CFBA261CF705382F048811BE0AC00A4C6A888808520

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C5DEE Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,00000000,00000000), ref: 6D2C5E81

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 2e1d5626f0167d06b8532cbf55fd91c20bb8893a3ec4da1948bcfb8ffee4d086
Instruction ID: 78bf5d506e32244dfb1759945e4b3fdd14cf1d2732b142d75b8c5fd3d9e13349
Opcode Fuzzy Hash: 2e1d5626f0167d06b8532cbf55fd91c20bb8893a3ec4da1948bcfb8ffee4d086
Instruction Fuzzy Hash: 79219C3154070EAFCB61CF14C884AAEBBF5EF88351F20861AE86697251D731ED90CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B25B2 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2B25B9

Part of subcall function 6D2AD8A0: __EH_prolog3.LIBCMT ref: 6D2AD8A7

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 053bdb490bbbda40a3236f9614c3e5650a57f47b8a37c21ec68fc4ebf3c16a71
Instruction ID: 5909d72982571967d7d70b2b1eea5910f8b4cbcbbfb1946a85a6d48a1668869d
Opcode Fuzzy Hash: 053bdb490bbbda40a3236f9614c3e5650a57f47b8a37c21ec68fc4ebf3c16a71
Instruction Fuzzy Hash: 08218EB0D4424EDFCB00CFE4C584A9EB7B8BF48308F558469E6599B241C779AA06CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00C161AE Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E00C161AE(signed int _a4, signed int _a8, intOrPtr* _a12) {
				void* _t10;
				intOrPtr* _t12;
				signed int _t13;
				signed int _t17;
				intOrPtr* _t19;
				long _t24;

				_t17 = _a4;
				if(_t17 == 0) {
					L3:
					_t24 = _t17 * _a8;
					if(_t24 == 0) {
						_t24 = _t24 + 1;
					}
					goto L5;
					L6:
					_t10 = RtlAllocateHeap( *0xc193a4, 8, _t24); // executed
					if(0 == 0) {
						goto L7;
					}
					L14:
					return _t10;
					goto L15;
					L7:
					if( *0xc19880 == 0) {
						_t19 = _a12;
						if(_t19 != 0) {
							 *_t19 = 0xc;
						}
					} else {
						if(E00C14771(_t24) != 0) {
							L5:
							_t10 = 0;
							if(_t24 > 0xffffffe0) {
								goto L7;
							} else {
								goto L6;
							}
						} else {
							_t12 = _a12;
							if(_t12 != 0) {
								 *_t12 = 0xc;
							}
							_t10 = 0;
						}
					}
					goto L14;
				} else {
					_t13 = 0xffffffe0;
					if(_t13 / _t17 >= _a8) {
						goto L3;
					} else {
						 *((intOrPtr*)(E00C147E5())) = 0xc;
						return 0;
					}
				}
				L15:
			}

0x00c161b3
0x00c161b8
0x00c161d5
0x00c161da
0x00c161de
0x00c161e0
0x00c161e0
0x00000000
0x00c161e8
0x00c161f1
0x00c161f9
0x00000000
0x00000000
0x00c1622d
0x00c1622f
0x00000000
0x00c161fb
0x00c16202
0x00c16220
0x00c16225
0x00c16227
0x00c16227
0x00c16204
0x00c1620d
0x00c161e1
0x00c161e1
0x00c161e6
0x00000000
0x00000000
0x00000000
0x00000000
0x00c1620f
0x00c1620f
0x00c16214
0x00c16216
0x00c16216
0x00c1621c
0x00c1621c
0x00c1620d
0x00000000
0x00c161ba
0x00c161be
0x00c161c4
0x00000000
0x00c161c6
0x00c161cb
0x00c161d4
0x00c161d4
0x00c161c4
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00C14F98,?,?,00000000,00000000,00000000,?,00C13A5D,00000001,00000214,?,00C12FA5), ref: 00C161F1

Part of subcall function 00C147E5: __getptd_noexit.LIBCMT ref: 00C147E5

Memory Dump Source

Source File: 00000014.00000002.712372782.0000000000C11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000014.00000002.712347190.0000000000C10000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.712416872.0000000000C18000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.712438921.0000000000C1A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_c10000_Setup.jbxd

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 5ec85822f8148b03f8d60acd76874a73c2ebba74f3908d31b9190b4d97f3c634
Instruction ID: 218ef23ee101cd548f669ec569438dcc9a8c5c3f2fdfcba6d32f4cc16071d301
Opcode Fuzzy Hash: 5ec85822f8148b03f8d60acd76874a73c2ebba74f3908d31b9190b4d97f3c634
Instruction Fuzzy Hash: 1901B135301215AAEB299F65EC18BEE3798AB83761F144629E826CB1D0DB34D980E650

Uniqueness

Uniqueness Score: -1.00%

Function 6D2CD6DC Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6D2C9F86,6D2C91D6,?,00000000,00000000,00000000,?,6D2C9B8D,00000001,00000214,?,6D2CB575), ref: 6D2CD71F

Part of subcall function 6D2CB570: __getptd_noexit.LIBCMT ref: 6D2CB570

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 049fc4e5d2ef146775b3ad31487f7d9d6ebc82767897ee7bbf31d60005a73118
Instruction ID: 48fff3b7392707d9cd07368f213f68bf28eff1234242df83ec54ae0753d48d9d
Opcode Fuzzy Hash: 049fc4e5d2ef146775b3ad31487f7d9d6ebc82767897ee7bbf31d60005a73118
Instruction Fuzzy Hash: C001B5353C521F9AEB598E24C894B7737A8AFC2765F018729E825871D0D730EC06C692

Uniqueness

Uniqueness Score: -1.00%

Function 6D2BF024 Relevance: 1.5, APIs: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,00000006,6D2E2F8C,00000000,?,6D2BF018,00000000,?,00000000,?,?,?,?,?,6D2BE923), ref: 6D2BF03D

Part of subcall function 6D2C7A10: LoadResource.KERNEL32(?,?,?,?,6D2BF053,?,00000000,?,6D2BF018,00000000,?,00000000,?,?), ref: 6D2C7A1E
Part of subcall function 6D2C7A10: LockResource.KERNEL32(00000000,6D2E2F8C,?,6D2BF053,?,00000000,?,6D2BF018,00000000,?,00000000,?,?), ref: 6D2C7A2A
Part of subcall function 6D2C7A10: SizeofResource.KERNEL32(?,?,?,6D2BF053,?,00000000,?,6D2BF018,00000000,?,00000000,?,?), ref: 6D2C7A3C

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 48b9bee3fbbd6bf0c84caaae9faf32f6540418b7fb9a2d8fecd7684ae90ef9ba
Instruction ID: 30183d841c0e957ac24573b0d6e996916c8de4abb11c468c34d9c58f95b6c879
Opcode Fuzzy Hash: 48b9bee3fbbd6bf0c84caaae9faf32f6540418b7fb9a2d8fecd7684ae90ef9ba
Instruction Fuzzy Hash: 0BF0F6317841097BD7615A299C80D7B77DDDB852A97118532F999D7240FB35CC2183B0

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C81DE Relevance: 1.5, APIs: 1, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 6D2C8224

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: _memcpy_s
String ID:
API String ID: 2001391462-0
Opcode ID: dce7c39d2ff0061ceda5af0b66fd4e8d844d89869e6921c3fbab43541d675196
Instruction ID: 91652db329853bd3e36167c50b473ff45994dcfd9722fa8f17abdd0e1d6f3f9d
Opcode Fuzzy Hash: dce7c39d2ff0061ceda5af0b66fd4e8d844d89869e6921c3fbab43541d675196
Instruction Fuzzy Hash: 8B017876244208AFC710DFA8C884C9AF7B8FF893547118A6AF915CB310DB70ED04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C7F22 Relevance: 1.5, APIs: 1, Instructions: 32fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00002100,00000002,00000000,6D2C7BC3,C0000000,?,00000000,?,?,6D2C7BC3,?,C0000000,00000000,00000002,00002100,?), ref: 6D2C7F5C

Part of subcall function 6D2C7E95: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6D2C7F46,00002100,00000002,00000000,6D2C7BC3,C0000000,?,?,?,6D2C7BC3,?,C0000000,00000000), ref: 6D2C7EA6
Part of subcall function 6D2C7E95: GetProcAddress.KERNEL32(00000000,CreateFileTransactedW), ref: 6D2C7EB6

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: AddressCreateFileHandleModuleProc
String ID:
API String ID: 2580138172-0
Opcode ID: a79d596267a6643bc20bbf9c8f781096348628b702c5e9582994a215fd769ea5
Instruction ID: 828d2f7b15d62e0c9b9ae7307d8ddc9375d649b0f90678bf76daab66db82f8ad
Opcode Fuzzy Hash: a79d596267a6643bc20bbf9c8f781096348628b702c5e9582994a215fd769ea5
Instruction Fuzzy Hash: E4F0AF3389815EBBCF425EA4DC40EDA7F66FF19360F018221FA24561A0C7329871EBD2

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C7E56 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,00000006,?,?,?,?,6D2ADAC1,?,00000000,00000000,00000002,?,80000000,00000001,00000003), ref: 6D2C7E76

Part of subcall function 6D2C7F08: GetLastError.KERNEL32(6D2C7B0B,?,?,?,00000000), ref: 6D2C7F08

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 110c894f7b2a1b845ba081551aee53bba254695f46f68902a043884619c96362
Instruction ID: 56c26d033bb290d7624726af51d3c2c61ad9ab1f1995c0a72e11f7940e596fd0
Opcode Fuzzy Hash: 110c894f7b2a1b845ba081551aee53bba254695f46f68902a043884619c96362
Instruction Fuzzy Hash: 3BE0E572A0024DBF8B45CFA9C88499F7BB9EF49324B104259F925D3290EB70EE50DB61

Uniqueness

Uniqueness Score: -1.00%

Function 6D2AB93E Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2AB945

Part of subcall function 6D2C830D: _vwprintf.LIBCMT ref: 6D2C8353
Part of subcall function 6D2C830D: _vswprintf_s.LIBCMT ref: 6D2C8378

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3_vswprintf_s_vwprintf
String ID:
API String ID: 3682816334-0
Opcode ID: 6eea877cc67a10c52f51cc16d796abc5af8f65629f7e119498e3e2ad3a9c953b
Instruction ID: 63115dd013cce3cb904f2ce58c8820b5b25c95d616f8fbf0654b04e58939f201
Opcode Fuzzy Hash: 6eea877cc67a10c52f51cc16d796abc5af8f65629f7e119498e3e2ad3a9c953b
Instruction Fuzzy Hash: 22F039B064014EDFDF50DFA0C848AAEB7B9FF44319F468828E6249B251DB309A16CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C88C6 Relevance: 1.5, APIs: 1, Instructions: 14COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6D2CA061: __lock.LIBCMT ref: 6D2CA063

__onexit_nolock.LIBCMT ref: 6D2C88DE

Part of subcall function 6D2C87D5: RtlDecodePointer.NTDLL(6D2E22B4,6D2A1418,?,?,?,6D2C88E3,?,6D2D7EF8,0000000C,6D2C8914,?,?,6D2C921B,6D2D7E51,?), ref: 6D2C87EA
Part of subcall function 6D2C87D5: _DecodePointerInternal@4.SETUPUI(?,?,?,6D2C88E3,?,6D2D7EF8,0000000C,6D2C8914,?,?,6D2C921B,6D2D7E51,?), ref: 6D2C87F7
Part of subcall function 6D2C87D5: __realloc_crt.LIBCMT ref: 6D2C8834
Part of subcall function 6D2C87D5: __realloc_crt.LIBCMT ref: 6D2C884A
Part of subcall function 6D2C87D5: _EncodePointerInternal@4.SETUPUI(00000000,?,?,?,6D2C88E3,?,6D2D7EF8,0000000C,6D2C8914,?,?,6D2C921B,6D2D7E51,?), ref: 6D2C885C
Part of subcall function 6D2C87D5: _EncodePointerInternal@4.SETUPUI(?,?,?,?,6D2C88E3,?,6D2D7EF8,0000000C,6D2C8914,?,?,6D2C921B,6D2D7E51,?), ref: 6D2C8870
Part of subcall function 6D2C87D5: _EncodePointerInternal@4.SETUPUI(-00000004,?,?,?,6D2C88E3,?,6D2D7EF8,0000000C,6D2C8914,?,?,6D2C921B,6D2D7E51,?), ref: 6D2C8878

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Pointer$Internal@4$Encode$Decode__realloc_crt$__lock__onexit_nolock
String ID:
API String ID: 2982823084-0
Opcode ID: fc8c9cd877ecde3bab3d1bf397ac2764c0a789962c05d734f84b932f9e1d972a
Instruction ID: 230cfd415948d0390745bbdb9781003b32b1dd78d3b46517a1e8267901746655
Opcode Fuzzy Hash: fc8c9cd877ecde3bab3d1bf397ac2764c0a789962c05d734f84b932f9e1d972a
Instruction Fuzzy Hash: 64D05E31D8920DAACB90ABA8C900B5EF6706F40328F228364A224A74D0DB344E419B06

Uniqueness

Uniqueness Score: -1.00%

Function 6D2AFF14 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32 ref: 6D2AFF21

Part of subcall function 6D2B007B: SetWindowPos.USER32(?,?,00000000,00000000,00000000,00000000,00000003,?,?), ref: 6D2B00A9
Part of subcall function 6D2B007B: SetWindowPos.USER32(0000000C,?,00000000,00000000,00000000,00000000,00000003,?,?), ref: 6D2B00E6

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Window$ChildEnumWindows
String ID:
API String ID: 1604351572-0
Opcode ID: bbe707caeec10399298d6b48466057732324f3081e9818dcfac3f1caa6039925
Instruction ID: 3d3d7656c33d7a1275da6aa60d6906d7d477629a93dc8aa5bc9266cdbd7b62e1
Opcode Fuzzy Hash: bbe707caeec10399298d6b48466057732324f3081e9818dcfac3f1caa6039925
Instruction Fuzzy Hash: 67C08C3A04A0347646322A316C08CEF3A99DE833A830E0061B240C10148B288C43C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 6D2D1C56 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 6D2D1C63

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5fc21ef2c547fa4f2ad06387d89f3dfb6a538d91d68256f6537115d364a0fb29
Instruction ID: fbf1fbd578d77f69c479685a464f7ca18bb637f0e6a0d09333bcdf58d58e5eff
Opcode Fuzzy Hash: 5fc21ef2c547fa4f2ad06387d89f3dfb6a538d91d68256f6537115d364a0fb29
Instruction Fuzzy Hash: 36C09B36040108B7CB111B41DC09F467F69E7D5764F188011F60805051C773D461E694

Uniqueness

Uniqueness Score: -1.00%

Function 00C138E2 Relevance: 1.5, APIs: 1, Instructions: 3COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000,00C12DF0,?,00C12F39,000000FF,?,00C14358,00000011,?,?,00C139C3,0000000D,?,00C12FA5,00000003), ref: 00C138E4

Memory Dump Source

Source File: 00000014.00000002.712372782.0000000000C11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000014.00000002.712347190.0000000000C10000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.712416872.0000000000C18000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.712438921.0000000000C1A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_c10000_Setup.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: d82488c7cfd548c745c04da6412346d2db6ede60054e730690b06b7bef160ad2
Instruction ID: f79598d6ea0c65d026fb6d86d5156b54cf1a61728f6addea997d41ba77e78dcf
Opcode Fuzzy Hash: d82488c7cfd548c745c04da6412346d2db6ede60054e730690b06b7bef160ad2
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C9A12 Relevance: 1.5, APIs: 1, Instructions: 3COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000,6D2D042F,6D2E2758,00000314,00000000,?,?,?,?,?,6D2CD97D,6D2E2758,Microsoft Visual C++ Runtime Library,00012010), ref: 6D2C9A14

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 449158613e6df30d445c22c9b146ad6071dc128cd9e3a1f62a0d8dae92b791c4
Instruction ID: 7c79d860034c4584f18bf95fe67b538a6ca42a6bd32c63b8d6e7b812348f88e9
Opcode Fuzzy Hash: 449158613e6df30d445c22c9b146ad6071dc128cd9e3a1f62a0d8dae92b791c4
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6D2BF6DE Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6D2BF6E8
_memset.LIBCMT ref: 6D2BF714
_memset.LIBCMT ref: 6D2BF741
GetVersionExW.KERNEL32 ref: 6D2BF75A

Strings

rtf, xrefs: 6D2BF79E
Z, xrefs: 6D2BF776

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: _memset$H_prolog3_Version
String ID: Z$rtf
API String ID: 3297208538-589749439
Opcode ID: 3b1c12be925c3e66184480164caee9e0b04e61a913a31d553290431736b3a0b3
Instruction ID: 57a63f7be8011e24455f88f03acc2bf67c86fde8e1e6fddb058e681a2e906dd2
Opcode Fuzzy Hash: 3b1c12be925c3e66184480164caee9e0b04e61a913a31d553290431736b3a0b3
Instruction Fuzzy Hash: CC313AB09407198FDB71CF24C8446ABB7F4FF0C708F004AAED69A96640E771AA94CF95

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C87C1 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6D2CAEFE
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6D2CAF13
UnhandledExceptionFilter.KERNEL32( $.mx$.mr), ref: 6D2CAF1E
GetCurrentProcess.KERNEL32(C0000409), ref: 6D2CAF3A
TerminateProcess.KERNEL32(00000000), ref: 6D2CAF41

Strings

$.mx$.mr, xrefs: 6D2CAF19

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID: $.mx$.mr
API String ID: 2579439406-2287294867
Opcode ID: 427488ed63702d7d81c74b9f40b684e5f8e89dffa39c2808519117b72dab9138
Instruction ID: 97145f4e2c2a2e1de3e230cb7f86b835c34a1766788760fac6a332548d80aa01
Opcode Fuzzy Hash: 427488ed63702d7d81c74b9f40b684e5f8e89dffa39c2808519117b72dab9138
Instruction Fuzzy Hash: 3821EFF980530A9FCB2ADF24D66CB463BB4FF0A31DF005119E50A83240E7B04A80CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00C12BA5 Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E00C12BA5(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0xc18050; // 0xb6401835
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0xc194b0 = _t6;
				 *0xc194ac = _t22;
				 *0xc194a8 = _t25;
				 *0xc194a4 = _t21;
				 *0xc194a0 = _t27;
				 *0xc1949c = _t26;
				 *0xc194c8 = ss;
				 *0xc194bc = cs;
				 *0xc19498 = ds;
				 *0xc19494 = es;
				 *0xc19490 = fs;
				 *0xc1948c = gs;
				asm("pushfd");
				_pop( *0xc194c0);
				 *0xc194b4 =  *_t31;
				 *0xc194b8 = _v0;
				 *0xc194c4 =  &_a4;
				 *0xc19400 = 0x10001;
				_t11 =  *0xc194b8; // 0x0
				 *0xc193b4 = _t11;
				 *0xc193a8 = 0xc0000409;
				 *0xc193ac = 1;
				_t12 =  *0xc18050; // 0xb6401835
				_v812 = _t12;
				_t13 =  *0xc18054; // 0x49bfe7ca
				_v808 = _t13;
				 *0xc193f8 = IsDebuggerPresent();
				_push(1);
				E00C15FD7(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0xc11c60);
				if( *0xc193f8 == 0) {
					_push(1);
					E00C15FD7(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x00c12ba5
0x00c12ba5
0x00c12ba5
0x00c12ba5
0x00c12ba5
0x00c12ba5
0x00c12ba5
0x00c12bab
0x00c12bad
0x00c12bad
0x00c1404f
0x00c14054
0x00c1405a
0x00c14060
0x00c14066
0x00c1406c
0x00c14072
0x00c14079
0x00c14080
0x00c14087
0x00c1408e
0x00c14095
0x00c1409c
0x00c1409d
0x00c140a6
0x00c140ae
0x00c140b6
0x00c140c1
0x00c140cb
0x00c140d0
0x00c140d5
0x00c140df
0x00c140e9
0x00c140ee
0x00c140f4
0x00c140f9
0x00c14105
0x00c1410a
0x00c1410c
0x00c14114
0x00c1411f
0x00c1412c
0x00c1412e
0x00c14130
0x00c14135
0x00c14149

APIs

IsDebuggerPresent.KERNEL32 ref: 00C140FF
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00C14114
UnhandledExceptionFilter.KERNEL32(00C11C60), ref: 00C1411F
GetCurrentProcess.KERNEL32(C0000409), ref: 00C1413B
TerminateProcess.KERNEL32(00000000), ref: 00C14142

Memory Dump Source

Source File: 00000014.00000002.712372782.0000000000C11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000014.00000002.712347190.0000000000C10000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.712416872.0000000000C18000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.712438921.0000000000C1A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_c10000_Setup.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 190020647af674f7079337f8b538da6cc83fa9f670644f29b39c0716a286b266
Instruction ID: ea1accc46481cb180bf8570a25d51293abaa27d4cba00423e129682b7ce8e8d7
Opcode Fuzzy Hash: 190020647af674f7079337f8b538da6cc83fa9f670644f29b39c0716a286b266
Instruction Fuzzy Hash: 7221FEB4804204DFDB00DF24E9A57CC7BB4FB0B715F50801AEA1A873A0E775598ACF1A

Uniqueness

Uniqueness Score: -1.00%

Function 6D2AEFE2 Relevance: 7.5, APIs: 5, Instructions: 49processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6D2AEFFE
_memset.LIBCMT ref: 6D2AF018
Process32FirstW.KERNEL32(00000000,?), ref: 6D2AF032
Process32NextW.KERNEL32(00000000,0000022C), ref: 6D2AF04D
CloseHandle.KERNEL32(00000000), ref: 6D2AF061

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memset
String ID:
API String ID: 2526126748-0
Opcode ID: b2598e7b15293d8a3fd229981a1adf4c2bcd2c6721b5a8247904dbab9a43b388
Instruction ID: 9a33ed807fd93ad125493c187ae5e63f73aacb64ca1c329b302b7d4fe2d5bdd8
Opcode Fuzzy Hash: b2598e7b15293d8a3fd229981a1adf4c2bcd2c6721b5a8247904dbab9a43b388
Instruction Fuzzy Hash: 2F01C03194103CAFC7109A64D85CEAF7778EB86325F0841A5F914D3180DB749E85CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C1360 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,Action,6D2DFE10,?,?,?,7DCDEE72,Action,?,00000000), ref: 6D2C1395
GetLastError.KERNEL32(?,?,?,7DCDEE72,Action,?,00000000), ref: 6D2C13A5

Part of subcall function 6D2AC71B: __EH_prolog3.LIBCMT ref: 6D2AC722

Strings

GetDiskFreeSpaceEx, xrefs: 6D2C13AB
Action, xrefs: 6D2C1369

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: DiskErrorFreeH_prolog3LastSpace
String ID: Action$GetDiskFreeSpaceEx
API String ID: 3776785849-3943406023
Opcode ID: 904a3916cd8dc6e5227d8ada03fddb6ce6e5df4d8916626431d828eec86709e7
Instruction ID: 7a0884f6ead1c9fd0b9fb56adc44ad3ee3c9135a4b65480cdc089468e8b0da6a
Opcode Fuzzy Hash: 904a3916cd8dc6e5227d8ada03fddb6ce6e5df4d8916626431d828eec86709e7
Instruction Fuzzy Hash: D9014BB6D00229AB8B01DF99C8458EFBBB9EB88710B00845AE911F3204D770A749CFD1

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C7A10 Relevance: 4.5, APIs: 3, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

LoadResource.KERNEL32(?,?,?,?,6D2BF053,?,00000000,?,6D2BF018,00000000,?,00000000,?,?), ref: 6D2C7A1E
LockResource.KERNEL32(00000000,6D2E2F8C,?,6D2BF053,?,00000000,?,6D2BF018,00000000,?,00000000,?,?), ref: 6D2C7A2A
SizeofResource.KERNEL32(?,?,?,6D2BF053,?,00000000,?,6D2BF018,00000000,?,00000000,?,?), ref: 6D2C7A3C

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Resource$LoadLockSizeof
String ID:
API String ID: 2853612939-0
Opcode ID: 560a84bd4133083851919b3c6a1936626dc9f53d0c342c8d3650d86f4eeff273
Instruction ID: 18d7d6b7e5f464422fd75dfd546e51daa7d640dadb2c9ef3cd5fd4b5e592bb79
Opcode Fuzzy Hash: 560a84bd4133083851919b3c6a1936626dc9f53d0c342c8d3650d86f4eeff273
Instruction Fuzzy Hash: 86F0FC33A5042B678F420B35CC1497A7B7AEAC17A27058572FC18D3100D731CE60D261

Uniqueness

Uniqueness Score: -1.00%

Function 6D2D20C8 Relevance: 4.5, APIs: 3, Instructions: 17memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,6D2D2179,?,?,6D2AE352,?), ref: 6D2D20DC
HeapFree.KERNEL32(00000000,?,6D2D2179,?,?,6D2AE352,?), ref: 6D2D20E3
InterlockedPushEntrySList.KERNEL32(00A14B00,?,?,6D2D2179,?,?,6D2AE352,?), ref: 6D2D20EC

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Heap$EntryFreeInterlockedListProcessPush
String ID:
API String ID: 1982578398-0
Opcode ID: d6467371716ebb4bb7f9fad9804a841a8006f566cad003178bc4846f5c846c5a
Instruction ID: d10b75ff8c6685bf1071d258dd510925763d1fc7406e2450e98c51d3579b57ad
Opcode Fuzzy Hash: d6467371716ebb4bb7f9fad9804a841a8006f566cad003178bc4846f5c846c5a
Instruction Fuzzy Hash: 7DD09272544209ABCF115BA5D91DB9FBBBDEB8A62AF084444F10D82840CB72E491DA50

Uniqueness

Uniqueness Score: -1.00%

Function 6D2AF665 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 473
memoryCOMMON

Download Yara Rule

C-Code - Quality: 15%

			E6D2AF665(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				char _v16;
				signed int _v28;
				intOrPtr _v36;
				char _v44;
				char _v68;
				void* _v72;
				void* _v84;
				void* _v88;
				void* _v96;
				void* _v104;
				void* _v108;
				void* _v120;
				char _v128;
				char _v132;
				char _v140;
				char _v144;
				char _v148;
				char _v152;
				void* _v156;
				char _v164;
				char _v168;
				char _v180;
				intOrPtr* _v184;
				char _v188;
				char _v200;
				char _v208;
				char _v220;
				char _v228;
				char _v232;
				char _v236;
				char _v244;
				char _v248;
				char _v252;
				char _v264;
				char _v272;
				char _v276;
				void* _v280;
				intOrPtr* _v284;
				signed int _v288;
				char _v292;
				intOrPtr* _v308;
				void* _v312;
				signed int _v316;
				intOrPtr _v320;
				signed int _v324;
				intOrPtr* _v328;
				signed int _v332;
				signed int _v340;
				signed int _v344;
				char _v348;
				void* _v352;
				char _v356;
				char _v364;
				char _v368;
				void* _v372;
				void* _v384;
				signed int _v388;
				char _v392;
				char _v396;
				intOrPtr* _v400;
				signed int _v404;
				intOrPtr _v408;
				signed int _v412;
				intOrPtr* _v416;
				signed int _v420;
				char _v424;
				intOrPtr _v428;
				intOrPtr* _v432;
				void* _v436;
				signed int _v444;
				intOrPtr _v448;
				void* _v452;
				char _v460;
				void* _v464;
				intOrPtr _v488;
				void* _v492;
				char _v520;
				void* _v524;
				void* _v532;
				void* _v540;
				intOrPtr _v552;
				void* _v556;
				void* _v568;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t186;
				intOrPtr* _t191;
				intOrPtr* _t202;
				intOrPtr _t203;
				intOrPtr* _t211;
				intOrPtr _t213;
				intOrPtr _t214;
				intOrPtr* _t215;
				intOrPtr* _t221;
				intOrPtr* _t223;
				intOrPtr* _t225;
				intOrPtr* _t227;
				signed int _t229;
				intOrPtr* _t231;
				intOrPtr* _t233;
				intOrPtr* _t235;
				intOrPtr* _t237;
				intOrPtr* _t239;
				intOrPtr* _t241;
				intOrPtr _t242;
				intOrPtr* _t243;
				intOrPtr _t246;
				char _t247;
				intOrPtr _t249;
				char* _t252;
				intOrPtr _t253;
				intOrPtr _t255;
				intOrPtr* _t264;
				intOrPtr* _t266;
				intOrPtr _t267;
				void* _t272;
				intOrPtr* _t274;
				intOrPtr* _t275;
				void* _t276;
				void* _t304;
				intOrPtr* _t314;
				void* _t320;
				intOrPtr _t321;
				intOrPtr* _t330;
				signed int _t338;
				signed int _t340;
				void* _t344;

				_t340 = (_t338 & 0xfffffff8) - 0xa8;
				_t186 =  *0x6d2df0a0; // 0x7dcdee72
				 *[fs:0x0] =  &_v16;
				_v164 = 0;
				_v8 = 0;
				_t321 =  *((intOrPtr*)( *_a4 + 4))(0x6d2a7940, 0, 1, 0x6d2a7950,  &_v164, _t186 ^ _t340, _t304, _t320, _t272,  *[fs:0x0], 0x6d2d3871, 0xffffffff);
				if(_t321 < 0) {
					L52:
					_v28 = _v28 | 0xffffffff;
					_t191 = _v184;
					if(_t191 != 0) {
						 *((intOrPtr*)( *_t191 + 8))(_t191);
					}
					 *[fs:0x0] = _v36;
					return _t321;
				}
				_t274 = __imp__#8;
				 *_t274( &_v152);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t274( &_v140);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t274( &_v128);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t274( &_v68);
				_v44 = 4;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t202 = _v200;
				asm("movsd");
				asm("movsd");
				_t281 =  *_t202;
				asm("movsd");
				asm("movsd");
				_t344 = _t340 - 0xffffffffffffffe0;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t203 =  *((intOrPtr*)( *_t202 + 0x28))(_t202);
				_t275 = __imp__#9;
				_t321 = _t203;
				 *_t275( &_v140);
				 *_t275( &_v208);
				 *_t275( &_v228);
				_t211 =  *_t275( &_v248);
				if(_t321 < 0) {
					goto L52;
				}
				_v288 = _v288 & 0x00000000;
				_v128 = 5;
				_t330 = _v284;
				__imp__#2("\\");
				_t314 = _t211;
				_v284 = _t314;
				if(_t314 != 0) {
					L4:
					_t281 =  &_v292;
					_v132 = 6;
					_t213 =  *((intOrPtr*)( *_t330 + 0x1c))(_t330, _t314,  &_v292);
					_v144 = 5;
					_t314 = __imp__#6;
					_t321 = _t213;
					_t214 =  *_t314(_t314);
					if(_t321 < 0) {
						L50:
						_v148 = 0;
						_t215 = _v308;
						if(_t215 != 0) {
							 *((intOrPtr*)( *_t215 + 8))(_t215);
						}
						goto L52;
					}
					_t330 = _v308;
					if(_a8 != 0) {
						__imp__#2(_a8);
						_v320 = _t214;
						if(_t214 == 0) {
							goto L3;
						}
						goto L8;
					} else {
						_v316 = _v316 & 0x00000000;
						L8:
						_v152 = 7;
						 *((intOrPtr*)( *_t330 + 0x3c))(_t330, _v320, 0);
						 *_t314(_v332);
						_v332 = _v332 & 0x00000000;
						_v168 = 8;
						_t221 = _v324;
						_t321 =  *((intOrPtr*)( *_t221 + 0x24))(_t221, 0,  &_v332);
						if(_t321 < 0) {
							L48:
							_v180 = 5;
							_t223 = _v344;
							if(_t223 != 0) {
								 *((intOrPtr*)( *_t223 + 8))(_t223);
							}
							goto L50;
						}
						_v324 = _v324 & 0x00000000;
						_v180 = 9;
						_t225 = _v344;
						_t321 =  *((intOrPtr*)( *_t225 + 0x24))(_t225,  &_v324);
						if(_t321 < 0) {
							L46:
							_v188 = 8;
							_t227 = _v332;
							if(_t227 != 0) {
								 *((intOrPtr*)( *_t227 + 8))(_t227);
							}
							goto L48;
						}
						_v316 = _v316 & 0x00000000;
						_v188 = 0xa;
						_t229 = _v332;
						_t321 =  *((intOrPtr*)( *_t229 + 0x28))(_t229, 7,  &_v316);
						if(_t321 < 0) {
							L44:
							_v200 = 9;
							_t231 = _v328;
							if(_t231 != 0) {
								 *((intOrPtr*)( *_t231 + 8))(_t231);
							}
							goto L46;
						}
						_v340 = _v340 & 0x00000000;
						_v200 = 0xb;
						_t233 = _v364;
						_t321 =  *((intOrPtr*)( *_t233 + 0x44))(_t233,  &_v340);
						if(_t321 < 0) {
							L42:
							_v208 = 0xa;
							_t235 = _v348;
							if(_t235 != 0) {
								 *((intOrPtr*)( *_t235 + 8))(_t235);
							}
							goto L44;
						}
						_v344 = _v344 & 0x00000000;
						_v208 = 0xc;
						_t237 = _v348;
						_t321 =  *((intOrPtr*)( *_t237 + 0x30))(_t237, 0,  &_v344);
						if(_t321 < 0) {
							L40:
							_v220 = 0xb;
							_t239 = _v356;
							if(_t239 != 0) {
								 *((intOrPtr*)( *_t239 + 8))(_t239);
							}
							goto L42;
						}
						_v388 = _v388 & 0x00000000;
						_v220 = 0xd;
						_t241 = _v356;
						_t281 =  *_t241;
						_t242 =  *((intOrPtr*)( *_t241))(_t241, 0x6d2a7960,  &_v388);
						_t321 = _t242;
						if(_t321 < 0) {
							L38:
							_v232 = 0xc;
							_t243 = _v400;
							if(_t243 != 0) {
								 *((intOrPtr*)( *_t243 + 8))(_t243);
							}
							goto L40;
						}
						_t330 = _v400;
						if(_a12 != 0) {
							__imp__#2(_a12);
							_v408 = _t242;
							if(_t242 == 0) {
								goto L3;
							}
							goto L17;
						} else {
							_v404 = _v404 & 0x00000000;
							L17:
							_v236 = 0xe;
							_t246 =  *((intOrPtr*)( *_t330 + 0x2c))(_t330, _v408);
							_v244 = 0xd;
							_t321 = _t246;
							_t247 =  *_t314(_v416);
							if(_t321 < 0) {
								goto L38;
							}
							_t330 = _v416;
							if(_a16 != 0) {
								__imp__#2(_a16);
								_v424 = _t247;
								if(_t247 == 0) {
									goto L3;
								}
								goto L21;
							} else {
								_v420 = _v420 & 0x00000000;
								L21:
								_v252 = 0xf;
								_t249 =  *((intOrPtr*)( *_t330 + 0x34))(_t330, _v424);
								_t321 = _t249;
								 *_t314(_v432);
								if(_t321 < 0) {
									goto L38;
								}
								_v412 = _v412 & 0x00000000;
								_v264 = 0x10;
								E6D2C7CDC( &_v356, 0x6d2a79e4);
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t252 =  &_v392;
								asm("movsd");
								__imp__#8(_t252);
								_v272 = 0x12;
								_t330 =  &_v396;
								_t314 =  &_v332;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								__imp__#2(L"S-1-5-32-545");
								_v408 = _t252;
								if(_t252 == 0) {
									goto L3;
								}
								_v272 = 0x13;
								_t253 = E6D2C7C87( &_v404, _t344 + 0x54);
								_v272 = 0x14;
								_t314 =  &_v348;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t330 = _v432;
								_v424 = _t330;
								if(_a8 != 0) {
									__imp__#2(_a8);
									_v448 = _t253;
									if(_t253 == 0) {
										goto L3;
									}
									goto L26;
								} else {
									_v444 = _v444 & 0x00000000;
									L26:
									_v276 = 0x15;
									asm("movsd");
									asm("movsd");
									asm("movsd");
									asm("movsd");
									asm("movsd");
									asm("movsd");
									asm("movsd");
									_t344 = _t344 - 0xfffffffffffffff0;
									asm("movsd");
									asm("movsd");
									asm("movsd");
									asm("movsd");
									asm("movsd");
									_t255 =  *((intOrPtr*)( *_t330 + 0x44))(_v428, _v448,  *((intOrPtr*)(_t344 + 0x58)), 2, 4,  &_v424);
									_t314 = __imp__#6;
									_t321 = _t255;
									 *_t314(_v520);
									 *_t275( &_v460);
									 *_t314(_v488);
									 *_t275(_t344 + 0x44);
									_v364 = 0x10;
									 *_t275(_t344 + 0x64);
									if(_t321 < 0) {
										L36:
										_v368 = 0xd;
										_t264 =  *((intOrPtr*)(_t344 + 0x2c));
										if(_t264 != 0) {
											 *((intOrPtr*)( *_t264 + 8))(_t264);
										}
										goto L38;
									} else {
										_t276 = 0;
										while(1) {
											_t266 =  *((intOrPtr*)(_t344 + 0x2c));
											_t281 =  *_t266;
											_t267 =  *((intOrPtr*)( *_t266 + 0x24))(_t266,  &_v520);
											if( *((intOrPtr*)(_t344 + 0x28)) == 4) {
												break;
											}
											_t281 = _a4;
											_t267 =  *((intOrPtr*)( *_a4 + 8))(0x64);
											_t276 = _t276 + 1;
											if(_t276 < 0x64) {
												continue;
											}
											break;
										}
										if(_t276 == 0x64) {
											_t330 = 0x8004130b;
										}
										_t275 =  *((intOrPtr*)(_t344 + 0x20));
										if(_a8 != 0) {
											__imp__#2(_a8);
											_v552 = _t267;
											if(_t267 == 0) {
												goto L3;
											}
											goto L35;
										} else {
											 *(_t344 + 0x14) =  *(_t344 + 0x14) & 0x00000000;
											L35:
											 *((char*)(_t344 + 0xc4)) = 0x16;
											 *((intOrPtr*)( *_t275 + 0x3c))(_t275, _v552, 0);
											 *_t314( *(_t344 + 0x14));
											goto L36;
										}
									}
								}
							}
						}
					}
				}
				L3:
				L6D2C83CE(_t281, 0x8007000e);
				goto L4;
			}

0x6d2af67b
0x6d2af684
0x6d2af693
0x6d2af69b
0x6d2af6af
0x6d2af6c0
0x6d2af6c4
0x6d2afc16
0x6d2afc16
0x6d2afc1e
0x6d2afc24
0x6d2afc29
0x6d2afc29
0x6d2afc35
0x6d2afc43
0x6d2afc43
0x6d2af6ca
0x6d2af6d5
0x6d2af6df
0x6d2af6e0
0x6d2af6e1
0x6d2af6e7
0x6d2af6e8
0x6d2af6f5
0x6d2af6f6
0x6d2af6f7
0x6d2af6fd
0x6d2af6fe
0x6d2af70b
0x6d2af70c
0x6d2af70d
0x6d2af716
0x6d2af717
0x6d2af719
0x6d2af72d
0x6d2af72e
0x6d2af72f
0x6d2af730
0x6d2af73d
0x6d2af73e
0x6d2af73f
0x6d2af740
0x6d2af746
0x6d2af751
0x6d2af752
0x6d2af753
0x6d2af755
0x6d2af756
0x6d2af757
0x6d2af763
0x6d2af764
0x6d2af765
0x6d2af767
0x6d2af768
0x6d2af76b
0x6d2af771
0x6d2af77b
0x6d2af782
0x6d2af789
0x6d2af790
0x6d2af794
0x00000000
0x00000000
0x6d2af79a
0x6d2af79f
0x6d2af7a7
0x6d2af7b0
0x6d2af7b6
0x6d2af7b8
0x6d2af7be
0x6d2af7ca
0x6d2af7ca
0x6d2af7d0
0x6d2af7db
0x6d2af7de
0x6d2af7e7
0x6d2af7ed
0x6d2af7ef
0x6d2af7f3
0x6d2afc00
0x6d2afc00
0x6d2afc08
0x6d2afc0e
0x6d2afc13
0x6d2afc13
0x00000000
0x6d2afc0e
0x6d2af7fd
0x6d2af801
0x6d2af80d
0x6d2af813
0x6d2af819
0x00000000
0x00000000
0x00000000
0x6d2af803
0x6d2af803
0x6d2af81b
0x6d2af81d
0x6d2af82c
0x6d2af833
0x6d2af835
0x6d2af83f
0x6d2af847
0x6d2af853
0x6d2af857
0x6d2afbea
0x6d2afbea
0x6d2afbf2
0x6d2afbf8
0x6d2afbfd
0x6d2afbfd
0x00000000
0x6d2afbf8
0x6d2af85d
0x6d2af862
0x6d2af86a
0x6d2af879
0x6d2af87d
0x6d2afbd4
0x6d2afbd4
0x6d2afbdc
0x6d2afbe2
0x6d2afbe7
0x6d2afbe7
0x00000000
0x6d2afbe2
0x6d2af883
0x6d2af88d
0x6d2af895
0x6d2af8a1
0x6d2af8a5
0x6d2afbbe
0x6d2afbbe
0x6d2afbc6
0x6d2afbcc
0x6d2afbd1
0x6d2afbd1
0x00000000
0x6d2afbcc
0x6d2af8ab
0x6d2af8b0
0x6d2af8b8
0x6d2af8c7
0x6d2af8cb
0x6d2afba8
0x6d2afba8
0x6d2afbb0
0x6d2afbb6
0x6d2afbbb
0x6d2afbbb
0x00000000
0x6d2afbb6
0x6d2af8d1
0x6d2af8db
0x6d2af8e3
0x6d2af8ef
0x6d2af8f3
0x6d2afb92
0x6d2afb92
0x6d2afb9a
0x6d2afba0
0x6d2afba5
0x6d2afba5
0x00000000
0x6d2afba0
0x6d2af8f9
0x6d2af903
0x6d2af90b
0x6d2af90f
0x6d2af917
0x6d2af919
0x6d2af91d
0x6d2afb7c
0x6d2afb7c
0x6d2afb84
0x6d2afb8a
0x6d2afb8f
0x6d2afb8f
0x00000000
0x6d2afb8a
0x6d2af927
0x6d2af92b
0x6d2af937
0x6d2af93d
0x6d2af943
0x00000000
0x00000000
0x00000000
0x6d2af92d
0x6d2af92d
0x6d2af949
0x6d2af949
0x6d2af958
0x6d2af95b
0x6d2af967
0x6d2af969
0x6d2af96d
0x00000000
0x00000000
0x6d2af977
0x6d2af97b
0x6d2af987
0x6d2af98d
0x6d2af993
0x00000000
0x00000000
0x00000000
0x6d2af97d
0x6d2af97d
0x6d2af999
0x6d2af999
0x6d2af9a8
0x6d2af9af
0x6d2af9b1
0x6d2af9b5
0x00000000
0x00000000
0x6d2af9bb
0x6d2af9c9
0x6d2af9d1
0x6d2af9df
0x6d2af9e0
0x6d2af9e1
0x6d2af9e2
0x6d2af9e7
0x6d2af9e8
0x6d2af9ee
0x6d2af9f6
0x6d2af9fa
0x6d2afa01
0x6d2afa02
0x6d2afa03
0x6d2afa09
0x6d2afa0a
0x6d2afa10
0x6d2afa16
0x00000000
0x00000000
0x6d2afa24
0x6d2afa2c
0x6d2afa35
0x6d2afa3f
0x6d2afa43
0x6d2afa44
0x6d2afa45
0x6d2afa46
0x6d2afa47
0x6d2afa4b
0x6d2afa4f
0x6d2afa5b
0x6d2afa61
0x6d2afa67
0x00000000
0x00000000
0x00000000
0x6d2afa51
0x6d2afa51
0x6d2afa6d
0x6d2afa6d
0x6d2afa88
0x6d2afa89
0x6d2afa8a
0x6d2afa8b
0x6d2afa9a
0x6d2afa9b
0x6d2afa9c
0x6d2afa9d
0x6d2afaa0
0x6d2afaaa
0x6d2afab1
0x6d2afab6
0x6d2afabb
0x6d2afabc
0x6d2afac3
0x6d2afac9
0x6d2afacb
0x6d2afad2
0x6d2afad8
0x6d2afadf
0x6d2afae6
0x6d2afaee
0x6d2afaf2
0x6d2afb66
0x6d2afb66
0x6d2afb6e
0x6d2afb74
0x6d2afb79
0x6d2afb79
0x00000000
0x6d2afaf4
0x6d2afaf4
0x6d2afaf6
0x6d2afaf6
0x6d2afafa
0x6d2afb02
0x6d2afb0a
0x00000000
0x00000000
0x6d2afb0c
0x6d2afb13
0x6d2afb16
0x6d2afb1a
0x00000000
0x00000000
0x00000000
0x6d2afb1a
0x6d2afb1f
0x6d2afb21
0x6d2afb21
0x6d2afb2a
0x6d2afb2e
0x6d2afb3a
0x6d2afb40
0x6d2afb46
0x00000000
0x00000000
0x00000000
0x6d2afb30
0x6d2afb30
0x6d2afb4c
0x6d2afb4e
0x6d2afb5d
0x6d2afb64
0x00000000
0x6d2afb64
0x6d2afb2e
0x6d2afaf2
0x6d2afa4f
0x6d2af97b
0x6d2af92b
0x6d2af801
0x6d2af7c0
0x6d2af7c5
0x00000000

APIs

VariantInit.OLEAUT32(?), ref: 6D2AF6D5
VariantInit.OLEAUT32(?), ref: 6D2AF6E8
VariantInit.OLEAUT32(?), ref: 6D2AF6FE
VariantInit.OLEAUT32(?), ref: 6D2AF717
VariantClear.OLEAUT32(?), ref: 6D2AF77B
VariantClear.OLEAUT32(?), ref: 6D2AF782
VariantClear.OLEAUT32(?), ref: 6D2AF789
VariantClear.OLEAUT32(?), ref: 6D2AF790
SysAllocString.OLEAUT32(6D2A375C), ref: 6D2AF7B0
SysFreeString.OLEAUT32(00000000), ref: 6D2AF7EF
SysAllocString.OLEAUT32(00000000), ref: 6D2AF80D
SysFreeString.OLEAUT32(?), ref: 6D2AF833

Part of subcall function 6D2C83FD: __CxxThrowException@8.LIBCMT ref: 6D2C83E2

SysAllocString.OLEAUT32(00000000), ref: 6D2AF937
SysFreeString.OLEAUT32(?), ref: 6D2AF969
SysAllocString.OLEAUT32(00000000), ref: 6D2AF987
SysFreeString.OLEAUT32(?), ref: 6D2AF9B1
VariantInit.OLEAUT32(?), ref: 6D2AF9E8
SysAllocString.OLEAUT32(S-1-5-32-545), ref: 6D2AFA0A
SysAllocString.OLEAUT32(00000000), ref: 6D2AFA5B
SysFreeString.OLEAUT32(?), ref: 6D2AFACB
VariantClear.OLEAUT32(?), ref: 6D2AFAD2
SysFreeString.OLEAUT32(?), ref: 6D2AFAD8
VariantClear.OLEAUT32(?), ref: 6D2AFADF
VariantClear.OLEAUT32 ref: 6D2AFAEE
SysAllocString.OLEAUT32(00000000), ref: 6D2AFB3A
SysFreeString.OLEAUT32(?), ref: 6D2AFB64

Strings

S-1-5-32-545, xrefs: 6D2AFA04

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: String$Variant$AllocClearFree$Init$Exception@8Throw
String ID: S-1-5-32-545
API String ID: 3415528432-782171229
Opcode ID: c025a9dccf004feb800697bcd8cd86e4250e8dca7131ab57e13ae2e7354fab05
Instruction ID: aa04b3df44d51c0f83759d5030a429cb39cfbaeaf98bbb3e02934880414bcdec
Opcode Fuzzy Hash: c025a9dccf004feb800697bcd8cd86e4250e8dca7131ab57e13ae2e7354fab05
Instruction Fuzzy Hash: 7E0276324087469FE721DF64C848B9BBBE5FF8A715F080A4DF9849B250C775D809CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B04F9 Relevance: 42.2, APIs: 28, Instructions: 157
windowCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E6D2B04F9(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t47;
				intOrPtr* _t53;
				void* _t56;
				void* _t65;
				int _t92;
				intOrPtr* _t101;
				void* _t110;
				void* _t114;
				intOrPtr _t117;
				void* _t119;
				intOrPtr* _t120;
				void* _t121;

				_t121 = __eflags;
				_t110 = __edx;
				E6D2D265B(0x6d2d598d, __ebx, __edi, __esi);
				_t117 =  *((intOrPtr*)(_t119 + 8));
				_t101 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t117 + 0x74)))) + 0x1c))(0x2c);
				_t47 =  *((intOrPtr*)( *_t101 + 0x18))();
				 *((intOrPtr*)(_t119 - 0x10)) = _t120;
				 *_t120 = E6D2C83FD( *_t47 - 0x10) + 0x10;
				 *(_t119 - 4) =  *(_t119 - 4) & 0x00000000;
				_t53 =  *((intOrPtr*)( *_t101 + 0x14))(_t101);
				_push(_t101);
				 *((intOrPtr*)(_t119 - 0x14)) = _t120;
				_t56 = E6D2C83FD( *_t53 - 0x10);
				 *(_t119 - 4) =  *(_t119 - 4) | 0xffffffff;
				 *_t120 = _t56 + 0x10;
				E6D2BFB4F(_t101, _t110, _t120, _t117, _t121);
				_t114 = GetDlgItem;
				if(IsWindowEnabled(GetDlgItem( *(_t117 + 4), 0x65)) == 0 && IsDlgButtonChecked( *(_t117 + 4), 0x65) != 0 && IsWindowEnabled(GetDlgItem( *(_t117 + 4), 0x66)) != 0) {
					CheckDlgButton( *(_t117 + 4), 0x65, 0);
					CheckDlgButton( *(_t117 + 4), 0x66, 1);
				}
				if(IsWindowEnabled(GetDlgItem( *(_t117 + 4), 0x66)) == 0 && IsDlgButtonChecked( *(_t117 + 4), 0x66) != 0) {
					_t92 = IsWindowEnabled(GetDlgItem( *(_t117 + 4), 0x65));
					_t127 = _t92;
					if(_t92 != 0) {
						CheckDlgButton( *(_t117 + 4), 0x66, 0);
						CheckDlgButton( *(_t117 + 4), 0x65, 1);
					}
				}
				_t65 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t119 + 8)) + 0x74)))) + 4))();
				_push(_t101);
				_push(_t119 - 0x38);
				E6D2AF2BE(_t65, _t110, _t114, _t117, _t127);
				 *(_t119 - 4) = 1;
				E6D2AF415(_t119 - 0x38, GetParent( *(_t117 + 4)));
				if(IsWindowEnabled(GetDlgItem( *(_t117 + 4), 0x65)) != 0 || IsWindowEnabled(GetDlgItem( *(_t117 + 4), 0x66)) != 0) {
					E6D2AE389(_t117 + 4, 2);
				} else {
					E6D2AF4D6(_t119 - 0x38, GetParent( *(_t117 + 4)));
					EnableWindow(GetDlgItem(GetParent( *(_t117 + 4)),  *(_t119 - 0x28)), 1);
				}
				SetWindowLongW( *(_t117 + 4), 0xfffffff4, 0x6b);
				SetWindowTextW(GetParent( *(_t117 + 4)),  *( *((intOrPtr*)(_t119 + 8)) + 0x58));
				PostMessageW( *(_t117 + 4), 0x6f5, 0, 0);
				E6D2B0913(_t110, _t119 - 0x38);
				return E6D2D2709(1);
			}

0x6d2b04f9
0x6d2b04f9
0x6d2b0500
0x6d2b0505
0x6d2b0510
0x6d2b0516
0x6d2b051f
0x6d2b052c
0x6d2b052e
0x6d2b0536
0x6d2b053b
0x6d2b053f
0x6d2b0544
0x6d2b0549
0x6d2b0550
0x6d2b0552
0x6d2b0557
0x6d2b056d
0x6d2b0597
0x6d2b05a4
0x6d2b05a4
0x6d2b05ba
0x6d2b05d3
0x6d2b05d9
0x6d2b05db
0x6d2b05e4
0x6d2b05f1
0x6d2b05f1
0x6d2b05db
0x6d2b05ff
0x6d2b0602
0x6d2b0606
0x6d2b0609
0x6d2b060e
0x6d2b0622
0x6d2b0639
0x6d2b067a
0x6d2b0649
0x6d2b0656
0x6d2b066d
0x6d2b066d
0x6d2b0686
0x6d2b069d
0x6d2b06af
0x6d2b06b8
0x6d2b06c5

APIs

__EH_prolog3.LIBCMT ref: 6D2B0500

Part of subcall function 6D2C83FD: _memcpy_s.LIBCMT ref: 6D2C844E

Part of subcall function 6D2BFB4F: __EH_prolog3.LIBCMT ref: 6D2BFB56
Part of subcall function 6D2BFB4F: GetParent.USER32(00000001), ref: 6D2BFB6B
Part of subcall function 6D2BFB4F: SendMessageW.USER32(00000000,00000481,00000001,00000000), ref: 6D2BFB78
Part of subcall function 6D2BFB4F: GetParent.USER32(00000001), ref: 6D2BFBB5
Part of subcall function 6D2BFB4F: SendMessageW.USER32(00000000,0000047E,?,?), ref: 6D2BFBC1
Part of subcall function 6D2BFB4F: GetParent.USER32(00000001), ref: 6D2BFBD3
Part of subcall function 6D2BFB4F: SendMessageW.USER32(00000000,00000480,?,?), ref: 6D2BFBDF

GetDlgItem.USER32 ref: 6D2B0562
IsWindowEnabled.USER32(00000000), ref: 6D2B0565
IsDlgButtonChecked.USER32(000000FF,00000065), ref: 6D2B0574
GetDlgItem.USER32 ref: 6D2B0583
IsWindowEnabled.USER32(00000000), ref: 6D2B0586
CheckDlgButton.USER32(000000FF,00000065,00000000), ref: 6D2B0597
CheckDlgButton.USER32(000000FF,00000066,00000001), ref: 6D2B05A4
GetDlgItem.USER32 ref: 6D2B05AF
IsWindowEnabled.USER32(00000000), ref: 6D2B05B2
IsDlgButtonChecked.USER32(000000FF,00000066), ref: 6D2B05C1
GetDlgItem.USER32 ref: 6D2B05D0
IsWindowEnabled.USER32(00000000), ref: 6D2B05D3
CheckDlgButton.USER32(000000FF,00000066,00000000), ref: 6D2B05E4
CheckDlgButton.USER32(000000FF,00000065,00000001), ref: 6D2B05F1
GetParent.USER32(00000001), ref: 6D2B0618
GetDlgItem.USER32 ref: 6D2B062C
IsWindowEnabled.USER32(00000000), ref: 6D2B0635
GetDlgItem.USER32 ref: 6D2B0640
IsWindowEnabled.USER32(00000000), ref: 6D2B0643
GetParent.USER32(00000001), ref: 6D2B064C
GetParent.USER32(00000001), ref: 6D2B065E
GetDlgItem.USER32 ref: 6D2B0668
EnableWindow.USER32(00000000,00000001), ref: 6D2B066D
SetWindowLongW.USER32(00000001,000000F4,0000006B), ref: 6D2B0686
GetParent.USER32(00000001), ref: 6D2B0695
SetWindowTextW.USER32(00000000,?), ref: 6D2B069D
PostMessageW.USER32(00000001,000006F5,00000000,00000000), ref: 6D2B06AF

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Window$ItemParent$ButtonEnabled$CheckMessage$Send$CheckedH_prolog3$EnableLongPostText_memcpy_s
String ID:
API String ID: 1237731162-0
Opcode ID: ce7f0cd4c2aa07ad2900781e49953b46383adb2822d609afd73a5ed153fdd104
Instruction ID: dfc6c32c07be6d8db702d0e0814a80aa81cfbf9bb4033a1de700258e3efc83e6
Opcode Fuzzy Hash: ce7f0cd4c2aa07ad2900781e49953b46383adb2822d609afd73a5ed153fdd104
Instruction Fuzzy Hash: A1514634680A05ABDF22AF71CE1EF4F7BB5EF05B59F044428F252A65A0DB71E850CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00C13C03 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109
libraryloadermemoryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00C13C03(void* __ebx) {
				void* __edi;
				void* __esi;
				_Unknown_base(*)()* _t7;
				long _t10;
				void* _t11;
				int _t12;
				void* _t14;
				void* _t15;
				void* _t16;
				void* _t18;
				intOrPtr _t21;
				long _t26;
				void* _t30;
				struct HINSTANCE__* _t35;
				intOrPtr* _t36;
				void* _t39;
				intOrPtr* _t41;
				void* _t42;

				_t30 = __ebx;
				_t35 = GetModuleHandleW(L"KERNEL32.DLL");
				if(_t35 != 0) {
					 *0xc19394 = GetProcAddress(_t35, "FlsAlloc");
					 *0xc19398 = GetProcAddress(_t35, "FlsGetValue");
					 *0xc1939c = GetProcAddress(_t35, "FlsSetValue");
					_t7 = GetProcAddress(_t35, "FlsFree");
					__eflags =  *0xc19394;
					_t39 = TlsSetValue;
					 *0xc193a0 = _t7;
					if( *0xc19394 == 0) {
						L6:
						 *0xc19398 = TlsGetValue;
						 *0xc19394 = E00C138F0;
						 *0xc1939c = _t39;
						 *0xc193a0 = TlsFree;
					} else {
						__eflags =  *0xc19398;
						if( *0xc19398 == 0) {
							goto L6;
						} else {
							__eflags =  *0xc1939c;
							if( *0xc1939c == 0) {
								goto L6;
							} else {
								__eflags = _t7;
								if(_t7 == 0) {
									goto L6;
								}
							}
						}
					}
					_t10 = TlsAlloc();
					 *0xc1804c = _t10;
					__eflags = _t10 - 0xffffffff;
					if(_t10 == 0xffffffff) {
						L15:
						_t11 = 0;
						__eflags = 0;
					} else {
						_t12 = TlsSetValue(_t10,  *0xc19398);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L15;
						} else {
							E00C12C7C();
							_t41 =  *0xc11144;
							_t14 =  *_t41( *0xc19394);
							 *0xc19394 = _t14;
							_t15 =  *_t41( *0xc19398);
							 *0xc19398 = _t15;
							_t16 =  *_t41( *0xc1939c);
							 *0xc1939c = _t16;
							 *0xc193a0 =  *_t41( *0xc193a0);
							_t18 = E00C141A3();
							__eflags = _t18;
							if(_t18 == 0) {
								L14:
								E00C13937();
								goto L15;
							} else {
								_t36 =  *0xc11140;
								_t21 =  *((intOrPtr*)( *_t36()))( *0xc19394, E00C13ACF);
								 *0xc18048 = _t21;
								__eflags = _t21 - 0xffffffff;
								if(_t21 == 0xffffffff) {
									goto L14;
								} else {
									_t42 = E00C14F82(1, 0x214);
									__eflags = _t42;
									if(_t42 == 0) {
										goto L14;
									} else {
										__eflags =  *((intOrPtr*)( *_t36()))( *0xc1939c,  *0xc18048, _t42);
										if(__eflags == 0) {
											goto L14;
										} else {
											_push(0);
											_push(_t42);
											E00C13979(_t30, _t36, _t42, __eflags);
											_t26 = GetCurrentThreadId();
											 *(_t42 + 4) =  *(_t42 + 4) | 0xffffffff;
											 *_t42 = _t26;
											_t11 = 1;
										}
									}
								}
							}
						}
					}
					return _t11;
				} else {
					E00C13937();
					return 0;
				}
			}

0x00c13c03
0x00c13c11
0x00c13c15
0x00c13c35
0x00c13c42
0x00c13c4f
0x00c13c54
0x00c13c56
0x00c13c5d
0x00c13c63
0x00c13c68
0x00c13c80
0x00c13c85
0x00c13c8f
0x00c13c99
0x00c13c9f
0x00c13c6a
0x00c13c6a
0x00c13c71
0x00000000
0x00c13c73
0x00c13c73
0x00c13c7a
0x00000000
0x00c13c7c
0x00c13c7c
0x00c13c7e
0x00000000
0x00000000
0x00c13c7e
0x00c13c7a
0x00c13c71
0x00c13ca4
0x00c13caa
0x00c13caf
0x00c13cb2
0x00c13d79
0x00c13d79
0x00c13d79
0x00c13cb8
0x00c13cbf
0x00c13cc1
0x00c13cc3
0x00000000
0x00c13cc9
0x00c13cc9
0x00c13cd4
0x00c13cda
0x00c13ce2
0x00c13ce7
0x00c13cef
0x00c13cf4
0x00c13cfc
0x00c13d03
0x00c13d08
0x00c13d0d
0x00c13d0f
0x00c13d74
0x00c13d74
0x00000000
0x00c13d11
0x00c13d11
0x00c13d24
0x00c13d26
0x00c13d2b
0x00c13d2e
0x00000000
0x00c13d30
0x00c13d3c
0x00c13d40
0x00c13d42
0x00000000
0x00c13d44
0x00c13d55
0x00c13d57
0x00000000
0x00c13d59
0x00c13d59
0x00c13d5b
0x00c13d5c
0x00c13d63
0x00c13d69
0x00c13d6d
0x00c13d71
0x00c13d71
0x00c13d57
0x00c13d42
0x00c13d2e
0x00c13d0f
0x00c13cc3
0x00c13d7d
0x00c13c17
0x00c13c17
0x00c13c1f
0x00c13c1f

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00C12AAE), ref: 00C13C0B
__mtterm.LIBCMT ref: 00C13C17

Part of subcall function 00C13937: _DecodePointerInternal@4.SETUP(00000006,00C13D79,?,00C12AAE), ref: 00C13948
Part of subcall function 00C13937: TlsFree.KERNEL32(00000026,00C13D79,?,00C12AAE), ref: 00C13962
Part of subcall function 00C13937: DeleteCriticalSection.KERNEL32(00000000,00000000,00C12976,?,00C13D79,?,00C12AAE), ref: 00C1420F
Part of subcall function 00C13937: _free.LIBCMT ref: 00C14212
Part of subcall function 00C13937: DeleteCriticalSection.KERNEL32(00000026,00C12976,?,00C13D79,?,00C12AAE), ref: 00C14239

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00C13C2D
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00C13C3A
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00C13C47
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00C13C54
TlsAlloc.KERNEL32(?,00C12AAE), ref: 00C13CA4
TlsSetValue.KERNEL32(00000000,?,00C12AAE), ref: 00C13CBF
__init_pointers.LIBCMT ref: 00C13CC9
_EncodePointerInternal@4.SETUP(?,00C12AAE), ref: 00C13CDA
_EncodePointerInternal@4.SETUP(?,00C12AAE), ref: 00C13CE7
_EncodePointerInternal@4.SETUP(?,00C12AAE), ref: 00C13CF4
_EncodePointerInternal@4.SETUP(?,00C12AAE), ref: 00C13D01
_DecodePointerInternal@4.SETUP(00C13ACF,?,00C12AAE), ref: 00C13D22
__calloc_crt.LIBCMT ref: 00C13D37
_DecodePointerInternal@4.SETUP(00000000,?,00C12AAE), ref: 00C13D51
GetCurrentThreadId.KERNEL32 ref: 00C13D63

Strings

FlsAlloc, xrefs: 00C13C27
FlsFree, xrefs: 00C13C49
FlsGetValue, xrefs: 00C13C2F
FlsSetValue, xrefs: 00C13C3C
KERNEL32.DLL, xrefs: 00C13C06

Memory Dump Source

Source File: 00000014.00000002.712372782.0000000000C11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000014.00000002.712347190.0000000000C10000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.712416872.0000000000C18000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.712438921.0000000000C1A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_c10000_Setup.jbxd

Similarity

API ID: Internal@4Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 1131704290-3819984048
Opcode ID: 9cbe944a4ae36a2c2bd5063e1d8fcb04c815729e3a0fd9c2869384f56b7facd7
Instruction ID: f7c8f55e729f9b074145be0d5f2e04674f368b010353387534c57f3c7b90424f
Opcode Fuzzy Hash: 9cbe944a4ae36a2c2bd5063e1d8fcb04c815729e3a0fd9c2869384f56b7facd7
Instruction Fuzzy Hash: E931A2319103909EDB11AF75BC197CD7EA4FB47768B54852AE928D22F0DB3486C0EF80

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C9DA6 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109
libraryloadermemoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 62%

			E6D2C9DA6(void* __ebx) {
				void* __edi;
				void* __esi;
				_Unknown_base(*)()* _t7;
				long _t10;
				void* _t11;
				int _t12;
				void* _t14;
				void* _t15;
				void* _t16;
				void* _t18;
				intOrPtr _t21;
				long _t26;
				void* _t30;
				struct HINSTANCE__* _t35;
				intOrPtr* _t36;
				void* _t39;
				intOrPtr* _t41;
				void* _t42;

				_t30 = __ebx;
				_t35 = GetModuleHandleW(L"KERNEL32.DLL");
				if(_t35 != 0) {
					 *0x6d2e22c4 = GetProcAddress(_t35, "FlsAlloc");
					 *0x6d2e22c8 = GetProcAddress(_t35, "FlsGetValue");
					 *0x6d2e22cc = GetProcAddress(_t35, "FlsSetValue");
					_t7 = GetProcAddress(_t35, "FlsFree");
					__eflags =  *0x6d2e22c4;
					_t39 = TlsSetValue;
					 *0x6d2e22d0 = _t7;
					if( *0x6d2e22c4 == 0) {
						L6:
						 *0x6d2e22c8 = TlsGetValue;
						 *0x6d2e22c4 = 0x6d2c9a20;
						 *0x6d2e22cc = _t39;
						 *0x6d2e22d0 = TlsFree;
					} else {
						__eflags =  *0x6d2e22c8;
						if( *0x6d2e22c8 == 0) {
							goto L6;
						} else {
							__eflags =  *0x6d2e22cc;
							if( *0x6d2e22cc == 0) {
								goto L6;
							} else {
								__eflags = _t7;
								if(_t7 == 0) {
									goto L6;
								}
							}
						}
					}
					_t10 = TlsAlloc();
					 *0x6d2df054 = _t10;
					__eflags = _t10 - 0xffffffff;
					if(_t10 == 0xffffffff) {
						L15:
						_t11 = 0;
						__eflags = 0;
					} else {
						_t12 = TlsSetValue(_t10,  *0x6d2e22c8);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L15;
						} else {
							E6D2CA07D();
							_t41 =  *0x6d2a1404;
							_t14 =  *_t41( *0x6d2e22c4);
							 *0x6d2e22c4 = _t14;
							_t15 =  *_t41( *0x6d2e22c8);
							 *0x6d2e22c8 = _t15;
							_t16 =  *_t41( *0x6d2e22cc);
							 *0x6d2e22cc = _t16;
							 *0x6d2e22d0 =  *_t41( *0x6d2e22d0);
							_t18 = E6D2CE872();
							__eflags = _t18;
							if(_t18 == 0) {
								L14:
								E6D2C9A67();
								goto L15;
							} else {
								_t36 =  *0x6d2a1400;
								_t21 =  *((intOrPtr*)( *_t36()))( *0x6d2e22c4, E6D2C9BFF);
								 *0x6d2df050 = _t21;
								__eflags = _t21 - 0xffffffff;
								if(_t21 == 0xffffffff) {
									goto L14;
								} else {
									_t42 = E6D2C9F70(1, 0x214);
									__eflags = _t42;
									if(_t42 == 0) {
										goto L14;
									} else {
										__eflags =  *((intOrPtr*)( *_t36()))( *0x6d2e22cc,  *0x6d2df050, _t42);
										if(__eflags == 0) {
											goto L14;
										} else {
											_push(0);
											_push(_t42);
											E6D2C9AA9(_t30, _t36, _t42, __eflags);
											_t26 = GetCurrentThreadId();
											 *(_t42 + 4) =  *(_t42 + 4) | 0xffffffff;
											 *_t42 = _t26;
											_t11 = 1;
										}
									}
								}
							}
						}
					}
					return _t11;
				} else {
					E6D2C9A67();
					return 0;
				}
			}

0x6d2c9da6
0x6d2c9db4
0x6d2c9db8
0x6d2c9dd8
0x6d2c9de5
0x6d2c9df2
0x6d2c9df7
0x6d2c9df9
0x6d2c9e00
0x6d2c9e06
0x6d2c9e0b
0x6d2c9e23
0x6d2c9e28
0x6d2c9e32
0x6d2c9e3c
0x6d2c9e42
0x6d2c9e0d
0x6d2c9e0d
0x6d2c9e14
0x00000000
0x6d2c9e16
0x6d2c9e16
0x6d2c9e1d
0x00000000
0x6d2c9e1f
0x6d2c9e1f
0x6d2c9e21
0x00000000
0x00000000
0x6d2c9e21
0x6d2c9e1d
0x6d2c9e14
0x6d2c9e47
0x6d2c9e4d
0x6d2c9e52
0x6d2c9e55
0x6d2c9f1c
0x6d2c9f1c
0x6d2c9f1c
0x6d2c9e5b
0x6d2c9e62
0x6d2c9e64
0x6d2c9e66
0x00000000
0x6d2c9e6c
0x6d2c9e6c
0x6d2c9e77
0x6d2c9e7d
0x6d2c9e85
0x6d2c9e8a
0x6d2c9e92
0x6d2c9e97
0x6d2c9e9f
0x6d2c9ea6
0x6d2c9eab
0x6d2c9eb0
0x6d2c9eb2
0x6d2c9f17
0x6d2c9f17
0x00000000
0x6d2c9eb4
0x6d2c9eb4
0x6d2c9ec7
0x6d2c9ec9
0x6d2c9ece
0x6d2c9ed1
0x00000000
0x6d2c9ed3
0x6d2c9edf
0x6d2c9ee3
0x6d2c9ee5
0x00000000
0x6d2c9ee7
0x6d2c9ef8
0x6d2c9efa
0x00000000
0x6d2c9efc
0x6d2c9efc
0x6d2c9efe
0x6d2c9eff
0x6d2c9f06
0x6d2c9f0c
0x6d2c9f10
0x6d2c9f14
0x6d2c9f14
0x6d2c9efa
0x6d2c9ee5
0x6d2c9ed1
0x6d2c9eb2
0x6d2c9e66
0x6d2c9f20
0x6d2c9dba
0x6d2c9dba
0x6d2c9dc2
0x6d2c9dc2

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,6D2C854E,6D2D7EB8,00000008,6D2C86E7,?,?,?,6D2D7ED8,0000000C,6D2C87A7,?), ref: 6D2C9DAE
__mtterm.LIBCMT ref: 6D2C9DBA

Part of subcall function 6D2C9A67: _DecodePointerInternal@4.SETUPUI(00000009,6D2C8611,6D2C85F7,6D2D7EB8,00000008,6D2C86E7,?,?,?,6D2D7ED8,0000000C,6D2C87A7,?), ref: 6D2C9A78
Part of subcall function 6D2C9A67: TlsFree.KERNEL32(0000002F,6D2C8611,6D2C85F7,6D2D7EB8,00000008,6D2C86E7,?,?,?,6D2D7ED8,0000000C,6D2C87A7,?), ref: 6D2C9A92
Part of subcall function 6D2C9A67: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,6D2C8611,6D2C85F7,6D2D7EB8,00000008,6D2C86E7,?,?,?,6D2D7ED8,0000000C,6D2C87A7,?), ref: 6D2CE8DE
Part of subcall function 6D2C9A67: DeleteCriticalSection.KERNEL32(0000002F,?,?,6D2C8611,6D2C85F7,6D2D7EB8,00000008,6D2C86E7,?,?,?,6D2D7ED8,0000000C,6D2C87A7,?), ref: 6D2CE908

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 6D2C9DD0
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 6D2C9DDD
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 6D2C9DEA
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 6D2C9DF7
TlsAlloc.KERNEL32(?,?,6D2C854E,6D2D7EB8,00000008,6D2C86E7,?,?,?,6D2D7ED8,0000000C,6D2C87A7,?), ref: 6D2C9E47
TlsSetValue.KERNEL32(00000000,?,?,6D2C854E,6D2D7EB8,00000008,6D2C86E7,?,?,?,6D2D7ED8,0000000C,6D2C87A7,?), ref: 6D2C9E62
__init_pointers.LIBCMT ref: 6D2C9E6C
_EncodePointerInternal@4.SETUPUI(?,?,6D2C854E,6D2D7EB8,00000008,6D2C86E7,?,?,?,6D2D7ED8,0000000C,6D2C87A7,?), ref: 6D2C9E7D
_EncodePointerInternal@4.SETUPUI(?,?,6D2C854E,6D2D7EB8,00000008,6D2C86E7,?,?,?,6D2D7ED8,0000000C,6D2C87A7,?), ref: 6D2C9E8A
_EncodePointerInternal@4.SETUPUI(?,?,6D2C854E,6D2D7EB8,00000008,6D2C86E7,?,?,?,6D2D7ED8,0000000C,6D2C87A7,?), ref: 6D2C9E97
_EncodePointerInternal@4.SETUPUI(?,?,6D2C854E,6D2D7EB8,00000008,6D2C86E7,?,?,?,6D2D7ED8,0000000C,6D2C87A7,?), ref: 6D2C9EA4
_DecodePointerInternal@4.SETUPUI(Function_00029BFF,?,?,6D2C854E,6D2D7EB8,00000008,6D2C86E7,?,?,?,6D2D7ED8,0000000C,6D2C87A7,?), ref: 6D2C9EC5
__calloc_crt.LIBCMT ref: 6D2C9EDA
_DecodePointerInternal@4.SETUPUI(00000000,?,?,6D2C854E,6D2D7EB8,00000008,6D2C86E7,?,?,?,6D2D7ED8,0000000C,6D2C87A7,?), ref: 6D2C9EF4
GetCurrentThreadId.KERNEL32 ref: 6D2C9F06

Strings

FlsAlloc, xrefs: 6D2C9DCA
FlsFree, xrefs: 6D2C9DEC
KERNEL32.DLL, xrefs: 6D2C9DA9
FlsGetValue, xrefs: 6D2C9DD2
FlsSetValue, xrefs: 6D2C9DDF

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Internal@4Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 1778039572-3819984048
Opcode ID: b83eb95236cb1c2d66d104f6fbd49e72e42a1480b36670564ba8171bc61d8435
Instruction ID: 81ecc49a875f53bd60f795154b4c8f1881664d423c8e6d27963ac55ebf5a4478
Opcode Fuzzy Hash: b83eb95236cb1c2d66d104f6fbd49e72e42a1480b36670564ba8171bc61d8435
Instruction Fuzzy Hash: AB3193B484421B9ACF625B75CC0DB6F3EB4FF4676EB494626E411D3290DB308851CF62

Uniqueness

Uniqueness Score: -1.00%

Function 6D2BBCBB Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 111
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E6D2BBCBB(void* __ebx, void* __ecx, void* __edx, void* __edi, long __esi, void* __eflags) {
				long _t82;
				void* _t83;
				void* _t84;

				_t84 = __eflags;
				_t82 = __esi;
				_push(0xc);
				E6D2D265B(0x6d2d5dd0, __ebx, __edi, __esi);
				if(E6D2C1DCD(__ebx, __edx, __edi, __esi, _t84) == 0) {
					SetWindowLongW( *(__esi + 8), 0xfffffff0, GetWindowLongW( *(__esi + 8), 0xfffffff0) | 0x00020000);
					 *(_t83 - 0x10) = GetSystemMenu( *(__esi + 8), 0);
					_push(_t83 - 0x14);
					E6D2BE8E8(L"IDS_RESTORE", __esi, __eflags);
					 *(_t83 - 4) = 0;
					_push(_t83 - 0x14);
					InsertMenuW( *(_t83 - 0x10), 0, 0x400, 0xf120,  *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__esi + 0x8fc))))))()));
					 *(_t83 - 4) =  *(_t83 - 4) | 0xffffffff;
					E6D2C8460( *((intOrPtr*)(_t83 - 0x14)) + 0xfffffff0, _t83 - 0x14);
					_push(_t83 - 0x18);
					E6D2BE8E8(L"IDS_MINIMIZE", __esi, __eflags);
					 *(_t83 - 4) = 1;
					_push(_t83 - 0x18);
					InsertMenuW( *(_t83 - 0x10), 2, 0x400, 0xf020,  *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__esi + 0x8fc))))))()));
					__eflags =  *((intOrPtr*)(_t83 - 0x18)) + 0xfffffff0;
					E6D2C8460( *((intOrPtr*)(_t83 - 0x18)) + 0xfffffff0, _t83 - 0x18);
					InsertMenuW( *(_t83 - 0x10), 3, 0x400, 0xf00f, 0);
					SetMenuItemBitmaps( *(_t83 - 0x10), 0xf120, 0, 2, 2);
					SetMenuItemBitmaps( *(_t83 - 0x10), 0xf020, 0, 3, 3);
					DrawMenuBar( *(__esi + 8));
				} else {
					SendMessageW( *(__esi + 8), 0x46b, 0, 0);
					EnableMenuItem(GetSystemMenu( *(__esi + 8), 0), 0xf060, 1);
				}
				 *( *(_t82 + 0x8f4)) =  *(_t82 + 8);
				 *((intOrPtr*)(_t82 + 0x900)) = SetWindowLongW( *(_t82 + 8), 0xfffffffc, E6D2BBF84);
				return E6D2D2709(SetWindowLongW( *(_t82 + 8), 0xffffffeb, _t82));
			}

0x6d2bbcbb
0x6d2bbcbb
0x6d2bbcbb
0x6d2bbcc2
0x6d2bbcce
0x6d2bbd15
0x6d2bbd27
0x6d2bbd2d
0x6d2bbd33
0x6d2bbd38
0x6d2bbd46
0x6d2bbd5f
0x6d2bbd61
0x6d2bbd6b
0x6d2bbd73
0x6d2bbd79
0x6d2bbd7e
0x6d2bbd90
0x6d2bbda5
0x6d2bbdaa
0x6d2bbdad
0x6d2bbdc3
0x6d2bbdd9
0x6d2bbde5
0x6d2bbdea
0x6d2bbcd0
0x6d2bbcdc
0x6d2bbcf4
0x6d2bbcf4
0x6d2bbe04
0x6d2bbe14
0x6d2bbe21

APIs

__EH_prolog3.LIBCMT ref: 6D2BBCC2

Part of subcall function 6D2C1DCD: __EH_prolog3.LIBCMT ref: 6D2C1DD4
Part of subcall function 6D2C1DCD: GetCommandLineW.KERNEL32(00000018,6D2BB178,00000000,?,?,6D2BAC46,?), ref: 6D2C1DD9

SendMessageW.USER32(?,0000046B,00000000,00000000), ref: 6D2BBCDC
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 6D2BBCED
EnableMenuItem.USER32 ref: 6D2BBCF4
GetWindowLongW.USER32(?,000000F0), ref: 6D2BBD04
SetWindowLongW.USER32(?,000000F0,00000000), ref: 6D2BBD15
GetSystemMenu.USER32(?,00000000), ref: 6D2BBD21
InsertMenuW.USER32(?,00000000,00000400,0000F120,00000000), ref: 6D2BBD5F
InsertMenuW.USER32(?,00000002,00000400,0000F020,00000000), ref: 6D2BBDA5
InsertMenuW.USER32(?,00000003,00000400,0000F00F,00000000), ref: 6D2BBDC3
SetMenuItemBitmaps.USER32(?,0000F120,00000000,00000002,00000002), ref: 6D2BBDD9
SetMenuItemBitmaps.USER32(?,0000F020,00000000,00000003,00000003), ref: 6D2BBDE5
DrawMenuBar.USER32(?), ref: 6D2BBDEA
SetWindowLongW.USER32(?,000000FC,6D2BBF84), ref: 6D2BBE0C
SetWindowLongW.USER32(?,000000EB,00000000), ref: 6D2BBE1A

Strings

IDS_RESTORE, xrefs: 6D2BBD2E
IDS_MINIMIZE, xrefs: 6D2BBD74

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Menu$LongWindow$InsertItem$BitmapsH_prolog3System$CommandDrawEnableLineMessageSend
String ID: IDS_MINIMIZE$IDS_RESTORE
API String ID: 1833405235-4171729070
Opcode ID: 6f14873a3bbe676e28da59ace39ce86d1cd20840c1f96968eb0f5601d161f623
Instruction ID: 519b2836c062d43569e481f1704e1ca0fe3ca3f29859980827cf5e17cbfc0db9
Opcode Fuzzy Hash: 6f14873a3bbe676e28da59ace39ce86d1cd20840c1f96968eb0f5601d161f623
Instruction Fuzzy Hash: 8E416D7058071AAFDB219FA4CC49F6FBBB5FF89728F144624F225AA1E0C771A940DB14

Uniqueness

Uniqueness Score: -1.00%

Function 6D2BA80E Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 201
windowCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E6D2BA80E(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				WCHAR** _t67;
				WCHAR** _t73;
				intOrPtr* _t80;
				void* _t83;
				intOrPtr* _t90;
				intOrPtr* _t96;
				void* _t105;
				signed int _t110;
				long _t117;
				intOrPtr* _t122;
				void* _t135;
				long _t139;
				intOrPtr* _t140;
				intOrPtr* _t148;
				void* _t162;
				void* _t165;
				intOrPtr* _t170;
				struct HWND__** _t174;
				struct HWND__** _t179;
				void* _t182;
				signed int _t183;

				_t162 = __edx;
				E6D2D265B(0x6d2d6cc0, __ebx, __edi, __esi);
				_t165 = __ecx;
				_t170 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x1ac)))) + 0x4c))();
				_t148 = _t170;
				_t135 =  *((intOrPtr*)( *_t170))(0x38);
				if(_t135 <= 0) {
					L5:
					 *((char*)(_t165 + 0x1bc)) = 1;
					L6:
					_t67 = E6D2B9A1E(_t165 + 0x1b8, _t165, _t182 - 0x10, _t189);
					SetWindowTextW(GetDlgItem( *(_t165 + 4), 0x65),  *_t67);
					E6D2C8460( *(_t182 - 0x10) + 0xfffffff0, _t162);
					_t73 = E6D2B9B4C(_t182 - 0x10, _t148, _t162, _t165, _t165 + 0x1c0, _t189);
					_t174 = _t165 + 4;
					SetWindowTextW(GetDlgItem( *_t174, 0x69),  *_t73);
					E6D2C8460( *(_t182 - 0x10) + 0xfffffff0, _t162);
					if( *((char*)(_t165 + 0x1b4)) != 0) {
						_t139 = 0;
						 *((intOrPtr*)(_t182 - 0x20)) = 0;
						 *((intOrPtr*)(_t182 - 0x1c)) = 0;
						 *((intOrPtr*)(_t182 - 0x18)) = 0;
						 *((intOrPtr*)(_t182 - 4)) = 0;
						_t80 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t165 + 0x1ac)))) + 0x48))();
						_t163 =  *_t80;
						 *(_t182 - 0x10) =  *((intOrPtr*)( *_t80))();
						_t83 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t165 + 0x1ac))))))();
						__eflags = _t83 - 4;
						if(_t83 == 4) {
							L13:
							 *( *((intOrPtr*)(_t165 + 0x68)) + 4) = 0x6a;
							_t140 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t165 + 0x198)))) + 0x14))( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t165 + 0x1ac))))))());
							_t90 =  *((intOrPtr*)( *_t140 + 0x18))();
							 *(_t182 - 0x10) = _t183;
							 *_t183 = E6D2C83FD( *_t90 - 0x10) + 0x10;
							 *((char*)(_t182 - 4)) = 1;
							_t96 =  *((intOrPtr*)( *_t140 + 0x14))(_t140);
							 *(_t182 - 0x14) = _t183;
							 *_t183 = E6D2C83FD( *_t96 - 0x10) + 0x10;
							 *((char*)(_t182 - 4)) = 0;
							E6D2BFB4F(_t140, _t163, _t165, _t165, __eflags);
							E6D2AE389(_t165 + 4, 0);
							_t105 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t165 + 0x198)))) + 4))(_t140);
							_push(_t140);
							_push(_t182 - 0x44);
							E6D2AF2BE(_t105, _t163, _t165, _t165, __eflags);
							 *((char*)(_t182 - 4)) = 2;
							_t179 = _t165 + 4;
							E6D2AF415(_t182 - 0x44, GetParent( *_t179));
							_t110 = E6D2C1DCD(GetParent, _t163, _t165, _t179, __eflags);
							__eflags = _t110;
							if(_t110 != 0) {
								E6D2AF4D6(_t182 - 0x44, GetParent( *_t179));
								_t122 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t165 + 0x1ac)))) + 0x10))();
								_t163 =  *_t122;
								 *((intOrPtr*)( *_t122 + 4))(4, L"All buttons hidden in passive mode");
							}
							SetWindowLongW( *_t179, 0xfffffff4, 0x6a);
							SetWindowTextW(GetParent( *_t179),  *(_t165 + 0x58));
							PostMessageW( *_t179, 0x6f5, 0, 0);
							E6D2B0913(_t163, _t182 - 0x44);
							_t139 = 1;
							L12:
							E6D2BF3EC(_t182 - 0x20);
							_t117 = _t139;
							L8:
							return E6D2D2709(_t117);
						}
						__eflags =  *(_t182 - 0x10);
						if( *(_t182 - 0x10) != 0) {
							goto L13;
						}
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t165 + 0x74)))) + 0xc))(0x77777777);
						PostMessageW( *_t174, 0x691, 0x77777777, 0);
						goto L12;
					}
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t165 + 0x74)))) + 0xc))(0x80004005);
					PostMessageW( *_t174, 0x691, 0x80004005, 0);
					_t117 = 0;
					goto L8;
				}
				 *(_t182 - 0x10) =  *(_t182 - 0x10) & 0x00000000;
				if(_t135 <= 0) {
					goto L5;
				} else {
					goto L2;
				}
				do {
					L2:
					_push( *(_t182 - 0x10));
					_t148 = _t170;
					if( *((intOrPtr*)( *_t170 + 0x14))() != 0) {
						goto L4;
					}
					_push( *(_t182 - 0x10));
					_t148 = _t170;
					if( *((intOrPtr*)( *_t170 + 0x10))() == 0) {
						goto L6;
					}
					L4:
					 *(_t182 - 0x10) =  *(_t182 - 0x10) + 1;
					_t189 =  *(_t182 - 0x10) - _t135;
				} while ( *(_t182 - 0x10) < _t135);
				goto L5;
			}

0x6d2ba80e
0x6d2ba815
0x6d2ba81a
0x6d2ba827
0x6d2ba82b
0x6d2ba82f
0x6d2ba833
0x6d2ba861
0x6d2ba861
0x6d2ba868
0x6d2ba871
0x6d2ba885
0x6d2ba891
0x6d2ba89f
0x6d2ba8a8
0x6d2ba8b5
0x6d2ba8c1
0x6d2ba8cd
0x6d2ba8f7
0x6d2ba8f9
0x6d2ba8fc
0x6d2ba8ff
0x6d2ba902
0x6d2ba90d
0x6d2ba910
0x6d2ba91c
0x6d2ba921
0x6d2ba923
0x6d2ba926
0x6d2ba956
0x6d2ba959
0x6d2ba97c
0x6d2ba982
0x6d2ba98b
0x6d2ba998
0x6d2ba99a
0x6d2ba9a2
0x6d2ba9ab
0x6d2ba9b8
0x6d2ba9bc
0x6d2ba9c0
0x6d2ba9ca
0x6d2ba9d7
0x6d2ba9da
0x6d2ba9de
0x6d2ba9e1
0x6d2ba9e6
0x6d2ba9f0
0x6d2ba9fb
0x6d2baa00
0x6d2baa05
0x6d2baa07
0x6d2baa11
0x6d2baa1e
0x6d2baa21
0x6d2baa2c
0x6d2baa2c
0x6d2baa35
0x6d2baa48
0x6d2baa59
0x6d2baa62
0x6d2baa69
0x6d2ba94a
0x6d2ba94d
0x6d2ba952
0x6d2ba8f1
0x6d2ba8f6
0x6d2ba8f6
0x6d2ba928
0x6d2ba92b
0x00000000
0x00000000
0x6d2ba938
0x6d2ba944
0x00000000
0x6d2ba944
0x6d2ba8dc
0x6d2ba8e9
0x6d2ba8ef
0x00000000
0x6d2ba8ef
0x6d2ba835
0x6d2ba83b
0x00000000
0x00000000
0x00000000
0x00000000
0x6d2ba83d
0x6d2ba83d
0x6d2ba83d
0x6d2ba842
0x6d2ba849
0x00000000
0x00000000
0x6d2ba84b
0x6d2ba850
0x6d2ba857
0x00000000
0x00000000
0x6d2ba859
0x6d2ba859
0x6d2ba85c
0x6d2ba85c
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 6D2BA815
GetDlgItem.USER32 ref: 6D2BA87D
SetWindowTextW.USER32(00000000,?), ref: 6D2BA885
GetDlgItem.USER32 ref: 6D2BA8AD
SetWindowTextW.USER32(00000000,?), ref: 6D2BA8B5
PostMessageW.USER32(?,00000691,80004005,00000000), ref: 6D2BA8E9
PostMessageW.USER32(?,00000691,77777777,00000000), ref: 6D2BA944
GetParent.USER32(00000002), ref: 6D2BA9F5
GetParent.USER32(00000002), ref: 6D2BAA0B
SetWindowLongW.USER32(00000002,000000F4,0000006A), ref: 6D2BAA35
GetParent.USER32(00000002), ref: 6D2BAA40
SetWindowTextW.USER32(00000000,?), ref: 6D2BAA48
PostMessageW.USER32(00000002,000006F5,00000000,00000000), ref: 6D2BAA59

Strings

All buttons hidden in passive mode, xrefs: 6D2BAA23
wwww, xrefs: 6D2BA932

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Window$MessageParentPostText$Item$H_prolog3Long
String ID: All buttons hidden in passive mode$wwww
API String ID: 3938074132-3958308462
Opcode ID: d58294b1ee64e7d6fa4dd44fc1ffdd9e42ac85004f639e77cebd87bfc8a9f2e8
Instruction ID: 702c1cc2374f7b16a6da797fa9e81345a8ad9e0d091581a3c643e47afca8a1af
Opcode Fuzzy Hash: d58294b1ee64e7d6fa4dd44fc1ffdd9e42ac85004f639e77cebd87bfc8a9f2e8
Instruction Fuzzy Hash: 0781DF74A4060ADFDB01CFA4C888F9DBBB4FF0A319F150168E655AB360CB71AC15CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6D2AE153 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 163
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E6D2AE153(struct HWND__** __ecx, struct HWND__* __edx) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				struct tagRECT _v56;
				void* _v76;
				struct tagMONITORINFO _v96;
				struct HWND__** _v100;
				signed int _v104;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t42;
				signed int _t44;
				struct HMONITOR__* _t46;
				intOrPtr _t66;
				intOrPtr _t67;
				int _t69;
				struct HWND__* _t76;
				struct HWND__* _t77;
				void* _t82;
				void* _t88;
				struct HWND__* _t89;
				int _t93;
				signed int _t99;

				_t87 = __edx;
				_t42 =  *0x6d2df0a0; // 0x7dcdee72
				_v8 = _t42 ^ _t99;
				_t88 = GetWindowLongW;
				_t93 = __ecx;
				_v100 = __ecx;
				_t77 = __edx;
				_t44 = GetWindowLongW( *__ecx, 0xfffffff0);
				_v104 = _t44;
				if(_t77 == 0) {
					if((_t44 & 0x40000000) == 0) {
						_t76 = GetWindow( *_t93, 4);
					} else {
						_t76 = GetParent( *_t93);
					}
					_t77 = _t76;
				}
				_t46 = GetWindowRect( *_t93,  &_v56);
				if((_v104 & 0x40000000) != 0) {
					_t89 = GetParent( *_t93);
					GetClientRect(_t89,  &_v40);
					GetClientRect(_t77,  &_v24);
					MapWindowPoints(_t77, _t89,  &_v24, 2);
					goto L20;
				} else {
					if(_t77 == 0) {
						L12:
						_push(2);
						_push( *_t93);
						L13:
						__imp__MonitorFromWindow();
						if(_t46 != 0) {
							_v96.cbSize = 0x28;
							if(GetMonitorInfoW(_t46,  &_v96) == 0) {
								goto L14;
							}
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							if(_t77 != 0) {
								GetWindowRect(_t77,  &_v24);
							} else {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
							}
							L20:
							_t82 = _v56.right - _v56.left;
							asm("cdq");
							_t88 = _v56.bottom - _v56.top;
							asm("cdq");
							_t93 = (_v24.left + _v24.right - _t87 >> 1) - (_t82 - _t87 >> 1);
							asm("cdq");
							asm("cdq");
							_t77 = (_v24.top + _v24.bottom - _t87 >> 1) - (_t88 - _t87 >> 1);
							_t66 = _v40.right;
							_t87 = _t93 + _t82;
							if(_t93 + _t82 > _t66) {
								_t93 = _t66 - _t82;
							}
							if(_t93 < _v40.left) {
								_t93 = _v40.left;
							}
							_t67 = _v40.bottom;
							if(_t77 + _t88 > _t67) {
								_t77 = _t67 - _t88;
							}
							if(_t77 < _v40.top) {
								_t77 = _v40.top;
							}
							_t69 = SetWindowPos( *_v100, 0, _t93, _t77, 0xffffffff, 0xffffffff, 0x15);
							L29:
							return E6D2C87C1(_t69, _t77, _v8 ^ _t99, _t87, _t88, _t93);
						}
						L14:
						_t69 = 0;
						goto L29;
					}
					_t46 = GetWindowLongW(_t77, 0xfffffff0);
					if((_t46 & 0x10000000) == 0 || (_t46 & 0x20000000) != 0) {
						_t77 = 0;
					}
					if(_t77 == 0) {
						goto L12;
					} else {
						_push(2);
						_push(_t77);
						goto L13;
					}
				}
			}

0x6d2ae153
0x6d2ae15b
0x6d2ae162
0x6d2ae168
0x6d2ae16e
0x6d2ae174
0x6d2ae177
0x6d2ae179
0x6d2ae17b
0x6d2ae180
0x6d2ae187
0x6d2ae197
0x6d2ae189
0x6d2ae18b
0x6d2ae18b
0x6d2ae19d
0x6d2ae19d
0x6d2ae1a5
0x6d2ae1b2
0x6d2ae236
0x6d2ae23d
0x6d2ae244
0x6d2ae24e
0x00000000
0x6d2ae1b4
0x6d2ae1b6
0x6d2ae1d6
0x6d2ae1d6
0x6d2ae1d8
0x6d2ae1da
0x6d2ae1da
0x6d2ae1e2
0x6d2ae1f0
0x6d2ae1ff
0x00000000
0x00000000
0x6d2ae207
0x6d2ae208
0x6d2ae209
0x6d2ae20a
0x6d2ae20d
0x6d2ae220
0x6d2ae20f
0x6d2ae215
0x6d2ae216
0x6d2ae217
0x6d2ae218
0x6d2ae218
0x6d2ae254
0x6d2ae25d
0x6d2ae260
0x6d2ae266
0x6d2ae26d
0x6d2ae274
0x6d2ae27c
0x6d2ae283
0x6d2ae28a
0x6d2ae28c
0x6d2ae28f
0x6d2ae294
0x6d2ae298
0x6d2ae298
0x6d2ae29d
0x6d2ae29f
0x6d2ae29f
0x6d2ae2a2
0x6d2ae2aa
0x6d2ae2ae
0x6d2ae2ae
0x6d2ae2b3
0x6d2ae2b5
0x6d2ae2b5
0x6d2ae2c7
0x6d2ae2cd
0x6d2ae2db
0x6d2ae2db
0x6d2ae1e4
0x6d2ae1e4
0x00000000
0x6d2ae1e4
0x6d2ae1bb
0x6d2ae1c2
0x6d2ae1cb
0x6d2ae1cb
0x6d2ae1cf
0x00000000
0x6d2ae1d1
0x6d2ae1d1
0x6d2ae1d3
0x00000000
0x6d2ae1d3
0x6d2ae1cf

APIs

GetWindowLongW.USER32(?,000000F0), ref: 6D2AE179
GetParent.USER32 ref: 6D2AE18B
GetWindow.USER32(?,00000004), ref: 6D2AE197
GetWindowRect.USER32 ref: 6D2AE1A5
GetWindowLongW.USER32(?,000000F0), ref: 6D2AE1BB
MonitorFromWindow.USER32(?,00000002), ref: 6D2AE1DA
GetMonitorInfoW.USER32 ref: 6D2AE1F7
GetWindowRect.USER32 ref: 6D2AE220
SetWindowPos.USER32(?,00000000,?,?,000000FF,000000FF,00000015,?,00000000,?,00000002,?,?,?,?,?), ref: 6D2AE2C7

Strings

(, xrefs: 6D2AE1F0

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Window$LongMonitorRect$FromInfoParent
String ID: (
API String ID: 1468510684-3887548279
Opcode ID: ce54ea653db1da0d1a76fd255564eb9040bdb288275fa1afeef3a52ce024f0d9
Instruction ID: 1b2ffcfaaa609ae3b3ee29f9eaecb0b669747cba3318cbb62e2d8b10df8da4bf
Opcode Fuzzy Hash: ce54ea653db1da0d1a76fd255564eb9040bdb288275fa1afeef3a52ce024f0d9
Instruction Fuzzy Hash: 8A516E75B4061A9FDB01CEA8CD88BAEBBB9FF89355F184124F901F7294D760AD05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B671F Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 196
windowCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E6D2B671F() {
				int _t88;
				signed int _t92;
				intOrPtr* _t96;
				void* _t104;
				int _t113;
				void* _t124;
				void* _t128;
				intOrPtr* _t138;
				void* _t152;
				intOrPtr _t153;
				WCHAR** _t154;
				void* _t163;
				void* _t166;
				intOrPtr* _t167;
				signed int _t171;
				void* _t176;
				intOrPtr* _t177;
				intOrPtr _t178;
				void* _t181;
				void* _t184;

				_push(0x4c);
				E6D2D265B(0x6d2d6506, _t152, _t166, _t176);
				_t1 = _t181 - 0x34; // 0x4c
				_t167 = E6D2B1E75(_t152, _t157, _t163, _t166, _t176, _t184);
				 *(_t181 - 4) =  *(_t181 - 4) & 0x00000000;
				_t153 =  *((intOrPtr*)(_t181 + 8));
				_t177 =  *((intOrPtr*)(_t153 + 0x34));
				_t154 = _t153 + 0x30;
				if(PathIsRelativeW( *_t154) != 0) {
					 *(_t181 - 0x14) = E6D2C83FD( *_t167 - 0x10) + 0x10;
					 *(_t181 - 4) = 1;
					E6D2BF21D(_t181 - 0x14,  *((intOrPtr*)(_t167 + 4)));
					E6D2BF21D(_t181 - 0x14,  *_t154);
					_t167 = PathFileExistsW;
					PathFileExistsW( *(_t181 - 0x14));
					_t88 = PathFileExistsW( *(_t181 - 0x14));
					__eflags = _t88;
					if(_t88 == 0) {
						 *(_t181 - 4) = 0;
						E6D2C8460( &(( *(_t181 - 0x14))[0xfffffffffffffff8]), _t163);
						_t92 = 0;
						__eflags = 0;
						goto L5;
					} else {
						E6D2BEA8D(_t181 - 0x14, _t154);
						 *(_t181 - 4) = 0;
						E6D2C8460( &(( *(_t181 - 0x14))[0xfffffffffffffff8]), _t163);
						goto L6;
					}
				} else {
					_t92 = PathFileExistsW( *_t154) & 0xffffff00 | _t151 != 0x00000000;
					L5:
					_t187 = _t92;
					if(_t92 == 0) {
						E6D2AC9BB(_t154, _t157, _t167, _t177, __eflags);
						 *((intOrPtr*)(_t181 - 0x20)) = 0x6d2a6e38;
						 *(_t181 - 4) = 2;
						_t96 = E6D2ACB96(_t154, _t181 - 0x20, _t163, 0x6d2a6e38, _t177, __eflags);
						 *(_t181 - 4) = 3;
						 *((intOrPtr*)( *_t177 + 4))(0,  *_t96, _t181 + 8, _t181 - 0x20, _t154);
						 *(_t181 - 4) = 2;
						E6D2C8460( *((intOrPtr*)(_t181 + 8)) + 0xfffffff0,  *_t177);
						_push(_t181 - 0x20);
						_t157 = _t181 - 0x18;
						E6D2AD1B4(_t154, _t181 - 0x18, 0x6d2a6e38, _t177, __eflags);
						 *((intOrPtr*)(_t181 - 0x18)) = 0x6d2a6e38;
						_push(0x6d2d8364);
						_t104 = _t181 - 0x18;
						goto L8;
					} else {
						L6:
						_push( *_t154);
						_push(L"Successfuly found file %s ");
						_t171 = 4;
						_push(_t171);
						E6D2AB93E(_t154, _t163, _t171, _t177, _t187);
						E6D2C8460( *((intOrPtr*)(_t181 - 0x30)) + 0xfffffff0, _t163);
						E6D2C8460( *((intOrPtr*)(_t181 - 0x34)) + 0xfffffff0, _t163);
						 *(_t181 - 0x2c) = 0;
						 *((intOrPtr*)(_t181 - 0x28)) = 0;
						 *(_t181 - 4) = _t171;
						_t124 = E6D2C7F22(_t181 - 0x2c,  *_t154, 0x80000000, 1, 3, 0x80, 0);
						_t188 = _t124;
						if(_t124 < 0) {
							 *((intOrPtr*)(_t181 + 0xc)) = E6D2BE8E8(L"ParameterInfo.xml", 0, _t188);
							 *(_t181 - 4) = 5;
							_t128 = E6D2BF143(_t154, _t154, 0, _t188);
							 *(_t181 - 4) = 6;
							E6D2ACA39(_t154, _t157, _t163, _t154, 0, _t188);
							E6D2C8460( &(( *(_t181 - 0x14))[0xfffffffffffffff8]), _t163);
							 *(_t181 - 4) = 9;
							E6D2C8460( *((intOrPtr*)(_t181 - 0x1c)) + 0xfffffff0, _t163);
							_t138 = E6D2ACAC2(_t154, _t181 - 0x4c, _t163, _t154, 0, _t188);
							 *(_t181 - 4) = 0xa;
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t181 + 8)) + 0x34)))) + 4))(0,  *_t138, _t181 + 0xc, _t181 - 0x4c, _t128,  *((intOrPtr*)(_t181 + 0xc)), _t181 - 0x14, L"can\'t open EULA file: ", _t181 - 0x1c);
							 *(_t181 - 4) = 9;
							_t189 =  *((intOrPtr*)(_t181 + 0xc)) + 0xfffffff0;
							E6D2C8460( *((intOrPtr*)(_t181 + 0xc)) + 0xfffffff0,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t181 + 8)) + 0x34)))));
							_push(_t181 - 0x4c);
							_t157 = _t181 - 0x58;
							E6D2AD170(_t154, _t181 - 0x58, _t154, 0,  *((intOrPtr*)(_t181 + 0xc)) + 0xfffffff0);
							_push(0x6d2d82a0);
							_t104 = _t181 - 0x58;
							L8:
							_push(_t104);
							E6D2CDBDB();
						}
					}
				}
				_t178 =  *((intOrPtr*)(_t181 + 8));
				E6D2B0B11( *((intOrPtr*)(_t181 + 0xc)), _t178, _t189);
				 *((intOrPtr*)(_t181 - 0x24)) = _t181 - 0x2c;
				asm("stosd");
				asm("stosd");
				 *(_t181 - 0x40) = _t181 - 0x24;
				_t179 = _t178 + 4;
				 *((intOrPtr*)(_t181 - 0x38)) = E6D2B698A;
				SendMessageW( *(_t178 + 4), 0x449, 2, _t181 - 0x40);
				if( *(_t181 - 0x2c) != 0) {
					CloseHandle( *(_t181 - 0x2c));
					 *(_t181 - 0x2c) = 0;
				}
				_t113 = E6D2C0324(0, _t157, _t179, 0);
				if( *(_t181 - 0x2c) != 0) {
					_t113 = CloseHandle( *(_t181 - 0x2c));
				}
				return E6D2D2709(_t113);
			}

0x6d2b671f
0x6d2b6726
0x6d2b672b
0x6d2b6734
0x6d2b6736
0x6d2b673a
0x6d2b673d
0x6d2b6740
0x6d2b674d
0x6d2b676b
0x6d2b676e
0x6d2b6778
0x6d2b6782
0x6d2b678a
0x6d2b6790
0x6d2b6795
0x6d2b6797
0x6d2b6799
0x6d2b67b6
0x6d2b67c0
0x6d2b67c5
0x6d2b67c5
0x00000000
0x6d2b679b
0x6d2b67a0
0x6d2b67a5
0x6d2b67af
0x00000000
0x6d2b67af
0x6d2b674f
0x6d2b6759
0x6d2b67c7
0x6d2b67c7
0x6d2b67c9
0x6d2b692d
0x6d2b6937
0x6d2b6941
0x6d2b6945
0x6d2b694a
0x6d2b6957
0x6d2b695a
0x6d2b6964
0x6d2b696c
0x6d2b696d
0x6d2b6970
0x6d2b6975
0x6d2b6978
0x6d2b697d
0x00000000
0x6d2b67cf
0x6d2b67cf
0x6d2b67cf
0x6d2b67d1
0x6d2b67d8
0x6d2b67d9
0x6d2b67da
0x6d2b67e8
0x6d2b67f3
0x6d2b67fa
0x6d2b67fd
0x6d2b680a
0x6d2b6818
0x6d2b681d
0x6d2b681f
0x6d2b6833
0x6d2b6841
0x6d2b6845
0x6d2b684a
0x6d2b6856
0x6d2b6861
0x6d2b6866
0x6d2b6870
0x6d2b687c
0x6d2b6881
0x6d2b6891
0x6d2b6894
0x6d2b689b
0x6d2b689e
0x6d2b68a6
0x6d2b68a7
0x6d2b68aa
0x6d2b68af
0x6d2b68b4
0x6d2b68b7
0x6d2b68b7
0x6d2b68b8
0x6d2b68b8
0x6d2b681f
0x6d2b67c9
0x6d2b68c0
0x6d2b68c3
0x6d2b68cb
0x6d2b68d3
0x6d2b68d4
0x6d2b68d8
0x6d2b68e6
0x6d2b68eb
0x6d2b68f2
0x6d2b6903
0x6d2b6908
0x6d2b690a
0x6d2b690a
0x6d2b6911
0x6d2b6919
0x6d2b691e
0x6d2b691e
0x6d2b6925

APIs

__EH_prolog3.LIBCMT ref: 6D2B6726

Part of subcall function 6D2B1E75: __EH_prolog3.LIBCMT ref: 6D2B1E7C
Part of subcall function 6D2B1E75: GetThreadLocale.KERNEL32(?,00000004,6D2B6734,LBq+m,0000004C,6D2B7142,?,00000000), ref: 6D2B1E8E

PathIsRelativeW.SHLWAPI(?,LBq+m,0000004C,6D2B7142,?,00000000), ref: 6D2B6745
PathFileExistsW.SHLWAPI(?), ref: 6D2B6751
PathFileExistsW.SHLWAPI(?,?,?), ref: 6D2B6790
PathFileExistsW.SHLWAPI(?), ref: 6D2B6795
__CxxThrowException@8.LIBCMT ref: 6D2B68B8
SendMessageW.USER32(?,00000449), ref: 6D2B68F2
CloseHandle.KERNEL32(6D2D8364), ref: 6D2B6908
CloseHandle.KERNEL32(6D2D8364,?,00000000), ref: 6D2B691E

Strings

LBq+m, xrefs: 6D2B672B, 6D2B672E
ParameterInfo.xml, xrefs: 6D2B6829
Successfuly found file %s , xrefs: 6D2B67D1
can't open EULA file: , xrefs: 6D2B6836

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Path$ExistsFile$CloseH_prolog3Handle$Exception@8LocaleMessageRelativeSendThreadThrow
String ID: LBq+m$ParameterInfo.xml$Successfuly found file %s $can't open EULA file:
API String ID: 4048475142-1204338051
Opcode ID: b4b616e7e59c2e4db9cceb117ceb9631d5947a581d17728d2e42f6f009a08fdd
Instruction ID: 28e45dfd2066bc1e1e39c1134b28a77d030f3984576cf7df7a1d547ed20aa457
Opcode Fuzzy Hash: b4b616e7e59c2e4db9cceb117ceb9631d5947a581d17728d2e42f6f009a08fdd
Instruction Fuzzy Hash: AD717C7194410DEFDF01DFA8C980BEEBBB8EF09318F158265E610BB291D7719A05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B70F9 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 215
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E6D2B70F9(void* __ecx, void* __eflags) {
				char _v16;
				signed int _v32;
				intOrPtr _v40;
				char _v44;
				char _v52;
				char _v56;
				void* _v60;
				signed int _v64;
				void* _v72;
				void* _v76;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t66;
				intOrPtr _t78;
				intOrPtr* _t83;
				intOrPtr* _t90;
				void* _t106;
				void* _t115;
				intOrPtr* _t124;
				intOrPtr* _t125;
				struct HWND__* _t126;
				intOrPtr* _t134;
				intOrPtr* _t135;
				struct HWND__* _t136;
				void* _t140;
				intOrPtr* _t142;
				intOrPtr* _t150;
				struct HWND__** _t152;
				struct HWND__** _t196;
				void* _t207;
				signed int _t211;
				signed int _t213;
				void* _t214;

				_t214 = __eflags;
				_push(0xffffffff);
				_push(0x6d2d677e);
				_push( *[fs:0x0]);
				_t213 = (_t211 & 0xfffffff8) - 0x18;
				_t66 =  *0x6d2df0a0; // 0x7dcdee72
				_push(_t66 ^ _t213);
				 *[fs:0x0] =  &_v16;
				_t207 = __ecx;
				_t196 = __ecx + 4;
				_push(GetDlgItem( *_t196, 0x65));
				_push(_t207 + 0x78);
				E6D2B671F();
				GetDlgItem( *_t196, 0x68);
				E6D2AEDAE(_t207 + 0xb0, _t214);
				GetDlgItem( *_t196, 0x69);
				_v40 = _t207 + 0xdc;
				E6D2AEDAE(_t207 + 0xdc, _t214);
				_t78 = _v40;
				_t215 =  *((char*)(_t78 + 0x28));
				if( *((char*)(_t78 + 0x28)) == 0) {
					ShowWindow( *(_t78 + 4), 0);
				}
				_t150 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t207 + 0x74)))) + 0x10))();
				 *(_t213 + 0x14) =  *_t196;
				_t83 =  *((intOrPtr*)( *_t150 + 0x2c))();
				 *((intOrPtr*)(_t213 + 0x20)) = _t83;
				SetDlgItemTextW( *_t196, 0x68,  *( *((intOrPtr*)( *_t83 + 0x14))()));
				E6D2AEDE8( *((intOrPtr*)(_t213 + 0x24)), _t213 + 0x18,  *((intOrPtr*)(_t207 + 0xb4)));
				_t90 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t150 + 0x30))()))))();
				_v32 = _t90;
				SetDlgItemTextW( *_t196, 0x69,  *( *((intOrPtr*)( *_t90 + 0x14))()));
				E6D2AEDE8(_v32,  &_v44,  *(_t207 + 0xe0));
				E6D2B6ABD(_t207 + 0x10c, _t150,  *((intOrPtr*)( *_t150 + 0x24))(), _t215, _t196);
				E6D2B6ABD(_t207 + 0x13c, _t207 + 4,  *((intOrPtr*)( *_t150 + 0x28))(), _t215, _t207 + 4);
				_t106 =  *((intOrPtr*)( *_t150 + 0x34))( *((intOrPtr*)( *_t150 + 0x38))());
				_t189 = _t106;
				E6D2C09E0(_t150, _t207 + 0x1a0, _t106,  *(_t207 + 4), _t207, _t215);
				asm("sbb eax, eax");
				_t200 =  *( ~_v64 & _t207 + 0x000000e0);
				SetWindowLongW(_t200, 0xfffffff0, GetWindowLongW(_t200, 0xfffffff0) | 0x00002400);
				_t115 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t207 + 0x108)))) + 0x3c))( *(_t207 + 4));
				_t216 = _t115 - 1;
				if(_t115 == 1) {
					_t142 =  *((intOrPtr*)( *_t150 + 0x30))();
					_t200 =  *(_t207 + 4);
					_t189 =  *((intOrPtr*)( *_t142 + 4))();
					E6D2C0E5C(_t207 + 0x1a0, _t143,  *(_t207 + 4));
				}
				E6D2BF532( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t207 + 0x108)))) + 0x14))(3), _t189, _t200, _t207, _t216);
				_t152 = _t207 + 4;
				 *(_t213 + 0x14) = _t207 + 0x1bc;
				E6D2B6615( *_t152, _t207 + 0x1bc);
				E6D2BE8E8(L"IDS_PRINT", _t207, _t216);
				 *(_t213 + 0x30) =  *(_t213 + 0x30) & 0x00000000;
				_t124 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t207 + 0x74)))) + 4))( &_v44);
				_t125 =  *((intOrPtr*)( *_t124))(_t213 + 0x18);
				_t126 = GetDlgItem( *_t152, 0x66);
				E6D2B6655(_t152, _t126,  *_t125,  *_t125, _t207, _t216);
				_v32 = _v32 | 0xffffffff;
				E6D2C8460(_v56 + 0xfffffff0,  *_t125);
				E6D2BE8E8(L"IDS_SAVE", _t207, _t216);
				 *(_t213 + 0x30) = 1;
				_t134 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t207 + 0x74)))) + 4))( &_v52, _v56);
				_t135 =  *((intOrPtr*)( *_t134))( &_v56);
				_t136 = GetDlgItem( *_t152, 0x67);
				_push( *(_t213 + 0x14));
				E6D2B6655(_t152, _t136,  *_t135, L"IDS_SAVE",  *_t135, _t216);
				_t140 = E6D2C8460(_v64 + 0xfffffff0,  *_t135);
				 *[fs:0x0] = _v52;
				return _t140;
			}

0x6d2b70f9
0x6d2b7101
0x6d2b7103
0x6d2b710e
0x6d2b710f
0x6d2b7115
0x6d2b711c
0x6d2b7121
0x6d2b7127
0x6d2b7131
0x6d2b7138
0x6d2b713c
0x6d2b713d
0x6d2b7146
0x6d2b7150
0x6d2b7159
0x6d2b7169
0x6d2b716d
0x6d2b7172
0x6d2b7176
0x6d2b717a
0x6d2b7181
0x6d2b7181
0x6d2b718f
0x6d2b7193
0x6d2b719b
0x6d2b71a2
0x6d2b71af
0x6d2b71c4
0x6d2b71d4
0x6d2b71da
0x6d2b71e7
0x6d2b71fc
0x6d2b7211
0x6d2b7229
0x6d2b723d
0x6d2b7241
0x6d2b7249
0x6d2b7254
0x6d2b725e
0x6d2b7272
0x6d2b7280
0x6d2b7283
0x6d2b7286
0x6d2b728c
0x6d2b7291
0x6d2b729a
0x6d2b72a2
0x6d2b72a2
0x6d2b72b6
0x6d2b72bb
0x6d2b72c6
0x6d2b72ca
0x6d2b72d9
0x6d2b72de
0x6d2b72e8
0x6d2b72f4
0x6d2b72fc
0x6d2b730a
0x6d2b730f
0x6d2b731b
0x6d2b732a
0x6d2b732f
0x6d2b733e
0x6d2b734a
0x6d2b7352
0x6d2b7358
0x6d2b7360
0x6d2b736c
0x6d2b7375
0x6d2b7383

APIs

GetDlgItem.USER32 ref: 6D2B7136

Part of subcall function 6D2B671F: __EH_prolog3.LIBCMT ref: 6D2B6726
Part of subcall function 6D2B671F: PathIsRelativeW.SHLWAPI(?,LBq+m,0000004C,6D2B7142,?,00000000), ref: 6D2B6745
Part of subcall function 6D2B671F: PathFileExistsW.SHLWAPI(?), ref: 6D2B6751
Part of subcall function 6D2B671F: __CxxThrowException@8.LIBCMT ref: 6D2B68B8

GetDlgItem.USER32 ref: 6D2B7146

Part of subcall function 6D2AEDAE: SetWindowTextW.USER32(?,?), ref: 6D2AEDC5

GetDlgItem.USER32 ref: 6D2B7159
ShowWindow.USER32(?,00000000,?,?,?,?,?,?,?,?,6D2D677E,000000FF), ref: 6D2B7181

Part of subcall function 6D2BF532: __EH_prolog3.LIBCMT ref: 6D2BF539
Part of subcall function 6D2BF532: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,6D2D677E,000000FF), ref: 6D2BF555

Part of subcall function 6D2B6615: CreateWindowExW.USER32 ref: 6D2B6636
Part of subcall function 6D2B6615: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,6D2B72CF), ref: 6D2B6648

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

SetDlgItemTextW.USER32 ref: 6D2B71AF
SetDlgItemTextW.USER32 ref: 6D2B71E7
GetWindowLongW.USER32(?,000000F0), ref: 6D2B7263
SetWindowLongW.USER32(?,000000F0,00000000), ref: 6D2B7272
GetDlgItem.USER32 ref: 6D2B72FC

Part of subcall function 6D2B6655: __EH_prolog3_GS.LIBCMT ref: 6D2B665C
Part of subcall function 6D2B6655: _memset.LIBCMT ref: 6D2B66C3
Part of subcall function 6D2B6655: GetClientRect.USER32 ref: 6D2B66E6
Part of subcall function 6D2B6655: SendMessageW.USER32(00000001,00000432,00000000,?), ref: 6D2B66FC

GetDlgItem.USER32 ref: 6D2B7352

Part of subcall function 6D2B6655: RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,?,00000040,6D2B730F,?,?,?,?,?,?,?,?,?), ref: 6D2B6713

Strings

IDS_PRINT, xrefs: 6D2B72D4
IDS_SAVE, xrefs: 6D2B7325

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Item$Window$H_prolog3Text$LongPath$ClientCreateErrorExceptionException@8ExistsFileH_prolog3_LastMessageRaiseRectRelativeSendShowThrow_memset
String ID: IDS_PRINT$IDS_SAVE
API String ID: 3758966775-3437764585
Opcode ID: 3f02a49138220d2febd26a56647bf857796a6b4de4cd6f5d54ade6511bdb803b
Instruction ID: e911f8726f59def0f74cd9b5dee9b6e8fa4595dabbaf258d634fe956a783664b
Opcode Fuzzy Hash: 3f02a49138220d2febd26a56647bf857796a6b4de4cd6f5d54ade6511bdb803b
Instruction Fuzzy Hash: 318178352046059FCB01DF64C898E5ABBF6FF89319F154A68F256DB3A1CB70E845CB42

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B02E2 Relevance: 21.2, APIs: 14, Instructions: 184
windowCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E6D2B02E2(void* __ecx, void* __eflags) {
				struct HWND__* _v8;
				intOrPtr* _v12;
				void* _t64;
				void* _t66;
				intOrPtr* _t70;
				intOrPtr* _t79;
				intOrPtr* _t89;
				void* _t99;
				void* _t101;
				intOrPtr _t117;
				intOrPtr* _t118;
				signed int _t155;
				struct HWND__* _t158;
				void* _t163;
				void* _t165;

				_t165 = __eflags;
				_push(__ecx);
				_push(__ecx);
				_t163 = __ecx;
				GetDlgItem( *(__ecx + 4), 0x65);
				E6D2AEDAE(_t163 + 0x7c, _t165);
				GetDlgItem( *(_t163 + 4), 0x66);
				E6D2AEDAE(_t163 + 0xa8, _t165);
				GetDlgItem( *(_t163 + 4), 0x69);
				_t155 = _t163 + 0xd4;
				E6D2AEDAE(_t155, _t165);
				if( *((char*)(_t155 + 0x28)) == 0) {
					ShowWindow( *(_t155 + 4), 0);
				}
				_t64 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t163 + 0x104))))))();
				_t117 = 3;
				if(_t64 != _t117) {
					_t66 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t163 + 0x104))))))();
					_t117 = 2;
					__eflags = _t66 - _t117;
					if(_t66 == _t117) {
						SendMessageW( *(_t163 + 0xac), 0xf5, 0, 0);
						goto L6;
					}
				} else {
					SendMessageW( *(_t163 + 0x80), 0xf5, 0, 0);
					L6:
					 *((intOrPtr*)(_t163 + 0x100)) = _t117;
				}
				_t118 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t163 + 0x74)))) + 0x1c))();
				_t70 =  *((intOrPtr*)( *_t118 + 0x24))();
				_v8 =  *(_t163 + 4);
				_v12 = _t70;
				SetWindowTextW( *(_t163 + 0x80),  *( *((intOrPtr*)( *_t70))()));
				E6D2AEDE8(_v12 + 4,  &_v8, GetDlgItem(_v8, 0x65));
				if( *((intOrPtr*)( *_v12 + 8))() == 0) {
					EnableWindow( *(_t163 + 0x80), 0);
				}
				_t79 =  *((intOrPtr*)( *_t118 + 0x28))();
				_v12 = _t79;
				SetWindowTextW( *(_t163 + 0xac),  *( *((intOrPtr*)( *_t79))()));
				E6D2AEDE8(_v12 + 4,  &_v8, GetDlgItem(_v8, 0x66));
				if( *((intOrPtr*)( *_v12 + 8))() == 0) {
					EnableWindow( *(_t163 + 0xac), 0);
				}
				_t89 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t118 + 0x2c))()))))();
				_v12 = _t89;
				SetDlgItemTextW( *(_t163 + 4), 0x69,  *( *((intOrPtr*)( *_t89 + 0x14))()));
				E6D2AEDE8(_v12,  &_v8,  *(_t163 + 0xd8));
				asm("sbb edi, edi");
				_t158 =  *( ~_t155 & _t163 + 0x000000d8);
				SetWindowLongW(_t158, 0xfffffff0, GetWindowLongW(_t158, 0xfffffff0) | 0x00002400);
				_t99 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t163 + 0x104)))) + 0x3c))();
				_t170 = _t99 - 1;
				if(_t99 == 1) {
					E6D2C017C(_t163 + 0x110,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t118 + 0x2c))())) + 4))(),  *(_t163 + 4));
				}
				_t101 =  *((intOrPtr*)( *_t118 + 0x20))();
				return E6D2BFC53(_t163 + 0x110,  *((intOrPtr*)( *_t118 + 0x1c))(), _t170,  *(_t163 + 4), _t101);
			}

0x6d2b02e2
0x6d2b02e7
0x6d2b02e8
0x6d2b02f2
0x6d2b02f9
0x6d2b0300
0x6d2b030a
0x6d2b0314
0x6d2b031e
0x6d2b0320
0x6d2b032a
0x6d2b0333
0x6d2b033a
0x6d2b033a
0x6d2b0348
0x6d2b034c
0x6d2b034f
0x6d2b036a
0x6d2b036e
0x6d2b036f
0x6d2b0371
0x6d2b0382
0x00000000
0x6d2b0382
0x6d2b0351
0x6d2b0382
0x6d2b0382
0x6d2b0388
0x6d2b0388
0x6d2b0396
0x6d2b039c
0x6d2b03a4
0x6d2b03a9
0x6d2b03b6
0x6d2b03d2
0x6d2b03e1
0x6d2b03eb
0x6d2b03eb
0x6d2b03f5
0x6d2b03fc
0x6d2b0409
0x6d2b0425
0x6d2b0434
0x6d2b043e
0x6d2b043e
0x6d2b044f
0x6d2b0455
0x6d2b0462
0x6d2b0475
0x6d2b047c
0x6d2b0486
0x6d2b049a
0x6d2b04a8
0x6d2b04ab
0x6d2b04ae
0x6d2b04ca
0x6d2b04ca
0x6d2b04d6
0x6d2b04f3

APIs

GetDlgItem.USER32 ref: 6D2B02F9

Part of subcall function 6D2AEDAE: SetWindowTextW.USER32(?,?), ref: 6D2AEDC5

GetDlgItem.USER32 ref: 6D2B030A
GetDlgItem.USER32 ref: 6D2B031E
ShowWindow.USER32(?,00000000), ref: 6D2B033A
SendMessageW.USER32(?,000000F5,00000000,00000000), ref: 6D2B0382
SetWindowTextW.USER32(?,00000000), ref: 6D2B03B6
GetDlgItem.USER32 ref: 6D2B03C1
EnableWindow.USER32(?,00000000), ref: 6D2B03EB
SetWindowTextW.USER32(?,00000000), ref: 6D2B0409
GetDlgItem.USER32 ref: 6D2B0414
EnableWindow.USER32(?,00000000), ref: 6D2B043E
SetDlgItemTextW.USER32 ref: 6D2B0462
GetWindowLongW.USER32(?,000000F0), ref: 6D2B048B
SetWindowLongW.USER32(?,000000F0,00000000), ref: 6D2B049A

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Window$Item$Text$EnableLong$MessageSendShow
String ID:
API String ID: 3359463025-0
Opcode ID: 0cb6730a6515021ab715d780a0148481b0a4fbd940bc9a415d534b2472471026
Instruction ID: 6580c325c1a6d0cfe68cc104916e980fd860b2e81715d210ac2286ec06afe406
Opcode Fuzzy Hash: 0cb6730a6515021ab715d780a0148481b0a4fbd940bc9a415d534b2472471026
Instruction Fuzzy Hash: A7615C38640604AFCB119F64C998F9EBBF6FF8A715F1445A9E657DB2A0CB71A844CB00

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B757C Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 149
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E6D2B757C(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t56;
				intOrPtr* _t58;
				intOrPtr* _t68;
				intOrPtr* _t74;
				void* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t88;
				intOrPtr* _t105;
				intOrPtr* _t117;
				intOrPtr* _t123;
				intOrPtr* _t124;
				void* _t129;
				int _t137;
				void* _t143;
				WCHAR* _t144;

				_t129 = __edx;
				_push(0x18);
				E6D2D265B(0x6d2d4a61, __ebx, __edi, __esi);
				_t117 = __ecx;
				_t136 =  *((intOrPtr*)(__ecx + 0x174));
				if( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x174)) + 0x30)) != 0) {
					E6D2B12AB(_t136);
				}
				_t119 =  *((intOrPtr*)(_t117 + 0x108));
				_t56 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t117 + 0x108)))) + 4))();
				_t147 = _t56;
				if(_t56 == 0) {
					E6D2BE8E8(L"Failed to initialize items information. engineDataProvider.InitializeItems() returned false", _t136, _t147);
					 *(_t143 - 4) =  *(_t143 - 4) & 0x00000000;
					E6D2AC9BB(_t117, _t119, L"Failed to initialize items information. engineDataProvider.InitializeItems() returned false", _t136, _t147);
					 *(_t143 - 4) = 2;
					E6D2C8460( &(( *(_t143 - 0x10))[0xfffffffffffffff8]), _t129);
					_t105 = E6D2AC9F6(_t143 - 0x1c, _t143 - 0x14);
					 *(_t143 - 4) = 3;
					_t117 =  *((intOrPtr*)(_t117 + 0x1b8));
					 *((intOrPtr*)( *_t117 + 4))(0,  *_t105, _t143 - 0x1c, _t143 - 0x10, _t143 - 0x10);
					 *(_t143 - 4) = 2;
					E6D2C8460( &(( *(_t143 - 0x14))[0xfffffffffffffff8]),  *_t117);
					_push(_t143 - 0x1c);
					E6D2AD1B4(_t117, _t143 - 0x24, L"Failed to initialize items information. engineDataProvider.InitializeItems() returned false", _t136,  &(( *(_t143 - 0x14))[0xfffffffffffffff8]));
					E6D2CDBDB(_t143 - 0x24, 0x6d2d8328);
				}
				_t58 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t117 + 0x108)))) + 0x48))();
				_t130 =  *_t58;
				_t137 =  *((intOrPtr*)( *_t58))();
				if( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t117 + 0x108))))))() == 4 || _t137 != 0) {
					E6D2AF415(_t117 + 0x17c, GetParent( *(_t117 + 4)));
					 *( *((intOrPtr*)(_t117 + 0x68)) + 4) = 0x66;
					E6D2B77A9(_t117);
					_t123 =  *((intOrPtr*)(_t117 + 0x178));
					_t68 =  *((intOrPtr*)( *_t123 + 0x1c))();
					 *(_t143 - 0x14) = _t144;
					 *_t144 = E6D2C83FD( *_t68 - 0x10) + 0x10;
					 *(_t143 - 4) = 4;
					_t124 =  *((intOrPtr*)(_t117 + 0x178));
					_t74 =  *((intOrPtr*)( *_t124 + 0x18))(_t123);
					_push(_t124);
					 *(_t143 - 0x10) = _t144;
					_t77 = E6D2C83FD( *_t74 - 0x10);
					 *(_t143 - 4) =  *(_t143 - 4) | 0xffffffff;
					 *_t144 = _t77 + 0x10;
					E6D2BFB4F(_t117, _t130, GetParent, _t117, __eflags);
					_t80 = SendMessageW( *(_t117 + 0xb4), 0xf0, 0, 0);
					__eflags = _t80;
					_t81 = _t80 & 0xffffff00 | _t80 != 0x00000000;
					__eflags =  *((char*)(_t117 + 0x104));
					if( *((char*)(_t117 + 0x104)) != 0) {
						EnableWindow( *(_t117 + 0xe0), _t81 & 0x000000ff);
					}
					SetWindowLongW( *(_t117 + 4), 0xfffffff4, 0x66);
					 *(_t143 - 0x14) =  *(_t117 + 0x58);
					SetWindowTextW(GetParent( *(_t117 + 4)),  *(_t143 - 0x14));
					PostMessageW( *(_t117 + 4), 0x6f5, 0, 0);
					_t88 = 1;
					__eflags = 1;
				} else {
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t117 + 0x170)))) + 0xc))(0x77777777);
					SendMessageW(GetParent( *(_t117 + 4)), 0x472, _t137, 0x69);
					_t88 = 0;
				}
				return E6D2D2709(_t88);
			}

0x6d2b757c
0x6d2b757c
0x6d2b7583
0x6d2b7588
0x6d2b758a
0x6d2b7595
0x6d2b7597
0x6d2b7597
0x6d2b759c
0x6d2b75a4
0x6d2b75a7
0x6d2b75a9
0x6d2b75b4
0x6d2b75b9
0x6d2b75c5
0x6d2b75ca
0x6d2b75d4
0x6d2b75e0
0x6d2b75e5
0x6d2b75eb
0x6d2b75f8
0x6d2b75fb
0x6d2b7605
0x6d2b760d
0x6d2b7611
0x6d2b761f
0x6d2b761f
0x6d2b762c
0x6d2b762f
0x6d2b763b
0x6d2b7644
0x6d2b768b
0x6d2b7695
0x6d2b769c
0x6d2b76a1
0x6d2b76a9
0x6d2b76b2
0x6d2b76bf
0x6d2b76c1
0x6d2b76c8
0x6d2b76d0
0x6d2b76d5
0x6d2b76d9
0x6d2b76de
0x6d2b76e3
0x6d2b76ea
0x6d2b76ee
0x6d2b7702
0x6d2b7708
0x6d2b770a
0x6d2b770d
0x6d2b7714
0x6d2b7720
0x6d2b7720
0x6d2b772d
0x6d2b7739
0x6d2b7742
0x6d2b7752
0x6d2b775a
0x6d2b775a
0x6d2b764a
0x6d2b7657
0x6d2b766c
0x6d2b7672
0x6d2b7672
0x6d2b7760

APIs

__EH_prolog3.LIBCMT ref: 6D2B7583
__CxxThrowException@8.LIBCMT ref: 6D2B761F
GetParent.USER32(?), ref: 6D2B765D
SendMessageW.USER32(00000000,00000472,00000000,00000069), ref: 6D2B766C

Part of subcall function 6D2B12AB: CloseHandle.KERNEL32(?,?,6D2BBB96), ref: 6D2B12BC

GetParent.USER32(?), ref: 6D2B7682

Part of subcall function 6D2AF415: GetDlgItem.USER32 ref: 6D2AF479
Part of subcall function 6D2AF415: GetWindowLongW.USER32(00000000,000000EB), ref: 6D2AF484
Part of subcall function 6D2AF415: SetWindowLongW.USER32(00000000,000000EB,00000001), ref: 6D2AF4C4

Part of subcall function 6D2B77A9: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 6D2B77CF

Part of subcall function 6D2C83FD: _memcpy_s.LIBCMT ref: 6D2C844E

Part of subcall function 6D2BFB4F: __EH_prolog3.LIBCMT ref: 6D2BFB56
Part of subcall function 6D2BFB4F: GetParent.USER32(00000001), ref: 6D2BFB6B
Part of subcall function 6D2BFB4F: SendMessageW.USER32(00000000,00000481,00000001,00000000), ref: 6D2BFB78
Part of subcall function 6D2BFB4F: GetParent.USER32(00000001), ref: 6D2BFBB5
Part of subcall function 6D2BFB4F: SendMessageW.USER32(00000000,0000047E,?,?), ref: 6D2BFBC1
Part of subcall function 6D2BFB4F: GetParent.USER32(00000001), ref: 6D2BFBD3
Part of subcall function 6D2BFB4F: SendMessageW.USER32(00000000,00000480,?,?), ref: 6D2BFBDF

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 6D2B7702
EnableWindow.USER32(?,?), ref: 6D2B7720
SetWindowLongW.USER32(000000FF,000000F4,00000066), ref: 6D2B772D
GetParent.USER32(000000FF), ref: 6D2B773C
SetWindowTextW.USER32(00000000,?), ref: 6D2B7742
PostMessageW.USER32(000000FF,000006F5,00000000,00000000), ref: 6D2B7752

Strings

Failed to initialize items information. engineDataProvider.InitializeItems() returned false, xrefs: 6D2B75AF

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Message$ParentSend$Window$Long$H_prolog3$CloseEnableException@8HandleItemPostTextThrow_memcpy_s
String ID: Failed to initialize items information. engineDataProvider.InitializeItems() returned false
API String ID: 3564908371-1354499266
Opcode ID: 1ad0e48b540933a48747db8a369df0951ed552a3f9db750619740c2ca0038998
Instruction ID: 60485db12e9c27eecac45c56a7f7e29036514d45233ee61c9ccb3c0115febabd
Opcode Fuzzy Hash: 1ad0e48b540933a48747db8a369df0951ed552a3f9db750619740c2ca0038998
Instruction Fuzzy Hash: B5519075944209DFCB01DFA4C988BAE7BB4FF09328F0941A4E9559F2A1CB719D40CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C5A85 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 148
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E6D2C5A85(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t47;
				long _t48;
				intOrPtr _t53;
				WCHAR* _t71;
				signed int _t79;
				long _t87;
				signed int _t95;
				long _t98;
				void* _t119;
				WCHAR** _t126;
				void* _t127;

				_t119 = __edx;
				E6D2D2693(0x6d2d5c58, __ebx, __edi, __esi);
				_t126 =  *(_t127 + 8);
				 *((intOrPtr*)(_t127 - 0x14)) = 0;
				E6D2C83B4(_t126);
				 *((intOrPtr*)(_t127 - 4)) = 0;
				_t103 = 1;
				 *((intOrPtr*)(_t127 - 0x14)) = 1;
				_t47 =  *(_t127 + 0x14)(0x410, 0,  *((intOrPtr*)(_t127 + 0xc)), 0x24);
				 *(_t127 + 0x14) = _t47;
				if(_t47 == 0) {
					_t48 = GetLastError();
					_push(L"OpenProcess");
					_push(5);
					E6D2AC71B( *((intOrPtr*)(_t127 + 0x10)), _t48, _t119, 0, _t126, __eflags);
				} else {
					_push(_t127 - 0x1c);
					_push(4);
					_push(_t127 - 0x18);
					_push(_t47);
					if( *((intOrPtr*)(_t127 + 0x18))() == 0) {
						_t53 =  *0x6d2dfe10; // 0x6d2a33ec
						 *((intOrPtr*)(_t127 + 0xc)) =  *((intOrPtr*)(_t53 + 0xc))() + 0x10;
						 *((intOrPtr*)(_t127 - 4)) = 1;
						E6D2C80BA(_t127 + 0xc, L"EnumProcessModules failed with error %u, will try GetProcessImageFileName", GetLastError());
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t127 + 0x10)))) + 4))(5,  *((intOrPtr*)(_t127 + 0xc)));
						_push(_t127 + 0x18);
						 *((char*)(_t127 - 4)) = 2;
						E6D2BE8E8(L"psapi.dll", _t126, __eflags);
						_push(_t127 + 0x18);
						_push(_t127 - 0x30);
						 *((char*)(_t127 - 4)) = 3;
						E6D2AEE95(1,  *((intOrPtr*)(_t127 + 0x10)), L"psapi.dll", _t126, __eflags);
						E6D2C8460( *((intOrPtr*)(_t127 + 0x18)) + 0xfffffff0, _t119);
						_push(_t127 - 0x30);
						 *((char*)(_t127 - 4)) = 6;
						 *((intOrPtr*)(_t127 + 0x1c)) = E6D2C75EA(1,  *((intOrPtr*)(_t127 + 0x10)), _t119, L"psapi.dll", _t126, __eflags);
						_t71 =  *_t126;
						_t112 = 1 -  *((intOrPtr*)(_t71 - 4));
						__eflags =  *((intOrPtr*)(_t71 - 8)) - 0x00000104 | 1 -  *((intOrPtr*)(_t71 - 4));
						if(( *((intOrPtr*)(_t71 - 8)) - 0x00000104 | 1 -  *((intOrPtr*)(_t71 - 4))) < 0) {
							_t112 = _t126;
							E6D2C827A(0x104, _t126);
						}
						__eflags =  *((intOrPtr*)(_t127 + 0x1c))( *(_t127 + 0x14),  *_t126, 0x104);
						if(__eflags != 0) {
							L6D2BF1A2(_t76 | 0xffffffff, _t103, _t126);
							_t79 =  *_t126;
							__eflags =  *((intOrPtr*)(_t79 - 4)) - _t103;
							if( *((intOrPtr*)(_t79 - 4)) > _t103) {
								_t79 = E6D2C81DE(_t112, _t126,  *((intOrPtr*)(_t79 - 0xc)));
							}
							PathStripPathW( *_t126);
						} else {
							_t87 = GetLastError();
							_t103 =  *((intOrPtr*)(_t127 + 0x10));
							_push(L"GetProcessImageFileName");
							_push(5);
							_t79 = E6D2AC71B( *((intOrPtr*)(_t127 + 0x10)), _t87, _t119, 0x104, _t126, __eflags);
						}
						L6D2BF1A2(_t79 | 0xffffffff, _t103, _t126);
						E6D2AEF49(_t127 - 0x30, _t119);
						__eflags =  *((intOrPtr*)(_t127 + 0xc)) + 0xfffffff0;
						E6D2C8460( *((intOrPtr*)(_t127 + 0xc)) + 0xfffffff0, _t119);
					} else {
						if(( *((intOrPtr*)( *_t126 - 8)) - 0x00000104 | 1 -  *((intOrPtr*)( *_t126 - 4))) < 0) {
							E6D2C827A(0x104, _t126);
						}
						_t95 =  *((intOrPtr*)(_t127 + 0x1c))( *(_t127 + 0x14),  *((intOrPtr*)(_t127 - 0x18)),  *_t126, 0x104);
						_t134 = _t95;
						if(_t95 == 0) {
							_t98 = GetLastError();
							_t103 =  *((intOrPtr*)(_t127 + 0x10));
							_push(L"GetModuleBaseName");
							_push(5);
							_t95 = E6D2AC71B( *((intOrPtr*)(_t127 + 0x10)), _t98, _t119, 0x104, _t126, _t134);
						}
						L6D2BF1A2(_t95 | 0xffffffff, _t103, _t126);
					}
					CloseHandle( *(_t127 + 0x14));
				}
				return E6D2D2709(_t126);
			}

0x6d2c5a85
0x6d2c5a8c
0x6d2c5a91
0x6d2c5a96
0x6d2c5a99
0x6d2c5a9e
0x6d2c5aa7
0x6d2c5aad
0x6d2c5ab0
0x6d2c5ab3
0x6d2c5ab8
0x6d2c5c8d
0x6d2c5c96
0x6d2c5c9b
0x6d2c5c9f
0x6d2c5abe
0x6d2c5ac1
0x6d2c5ac2
0x6d2c5ac7
0x6d2c5ac8
0x6d2c5ace
0x6d2c5b23
0x6d2c5b33
0x6d2c5b36
0x6d2c5b49
0x6d2c5b5b
0x6d2c5b61
0x6d2c5b67
0x6d2c5b6b
0x6d2c5b73
0x6d2c5b77
0x6d2c5b78
0x6d2c5b7c
0x6d2c5b87
0x6d2c5b8f
0x6d2c5b90
0x6d2c5b99
0x6d2c5b9c
0x6d2c5ba0
0x6d2c5bad
0x6d2c5baf
0x6d2c5bb3
0x6d2c5bb5
0x6d2c5bb5
0x6d2c5bc4
0x6d2c5bc6
0x6d2c5be4
0x6d2c5be9
0x6d2c5beb
0x6d2c5bee
0x6d2c5bf4
0x6d2c5bf4
0x6d2c5bfb
0x6d2c5bc8
0x6d2c5bc8
0x6d2c5bce
0x6d2c5bd1
0x6d2c5bd6
0x6d2c5bda
0x6d2c5bda
0x6d2c5c04
0x6d2c5c3f
0x6d2c5c7a
0x6d2c5c7d
0x6d2c5ad0
0x6d2c5ae3
0x6d2c5ae9
0x6d2c5ae9
0x6d2c5af8
0x6d2c5afb
0x6d2c5afd
0x6d2c5aff
0x6d2c5b05
0x6d2c5b08
0x6d2c5b0d
0x6d2c5b11
0x6d2c5b11
0x6d2c5b19
0x6d2c5b19
0x6d2c5c85
0x6d2c5c85
0x6d2c5cab

APIs

__EH_prolog3_catch.LIBCMT ref: 6D2C5A8C
GetLastError.KERNEL32 ref: 6D2C5AFF

Part of subcall function 6D2BF21D: _wcsnlen.LIBCMT ref: 6D2BF1B2

GetLastError.KERNEL32 ref: 6D2C5B39
GetLastError.KERNEL32 ref: 6D2C5BC8
PathStripPathW.SHLWAPI(?), ref: 6D2C5BFB

Part of subcall function 6D2C81DE: _memcpy_s.LIBCMT ref: 6D2C8224

CloseHandle.KERNEL32(?), ref: 6D2C5C85
GetLastError.KERNEL32 ref: 6D2C5C8D

Strings

OpenProcess, xrefs: 6D2C5C96
psapi.dll, xrefs: 6D2C5B62
EnumProcessModules failed with error %u, will try GetProcessImageFileName, xrefs: 6D2C5B43
GetModuleBaseName, xrefs: 6D2C5B08
GetProcessImageFileName, xrefs: 6D2C5BD1

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: ErrorLast$Path$CloseH_prolog3_catchHandleStrip_memcpy_s_wcsnlen
String ID: EnumProcessModules failed with error %u, will try GetProcessImageFileName$GetModuleBaseName$GetProcessImageFileName$OpenProcess$psapi.dll
API String ID: 747609879-952504876
Opcode ID: 906593a3872be2f4184bb931668d30f160c67c1b50f5be37a1baaa9b7d0320a1
Instruction ID: 7cf18668515371f084e0978184c4522226ee80b5c1e9a349b93ccbdd21a60f74
Opcode Fuzzy Hash: 906593a3872be2f4184bb931668d30f160c67c1b50f5be37a1baaa9b7d0320a1
Instruction Fuzzy Hash: 05519E7068414D9FDB41DFA8C848AAFBBB5EF44319F058628F621D7290CB70DE11CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C528B Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 125
registryCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E6D2C528B(void* _a4, intOrPtr* _a8) {
				void _v52;
				void _v100;
				intOrPtr _v104;
				wchar_t* _v108;
				void* __ebx;
				void* __esi;
				signed int _t46;
				WCHAR* _t48;
				struct HINSTANCE__* _t54;
				int _t57;
				signed int _t59;
				void* _t70;
				signed int _t74;
				signed int _t80;
				wchar_t* _t98;
				signed int _t101;
				void* _t103;

				_t103 = (_t101 & 0xfffffff8) - 0x6c;
				_t70 = _a4;
				_t94 = 0;
				if(_t70 == 0 || _a8 == 0) {
					L8:
					_t46 = 0;
					goto L9;
				} else {
					if( *(_t70 + 0x40) != 0) {
						L19:
						if( *(_t70 + 0x30) != _t94) {
							 *_a8 =  *((intOrPtr*)(_t70 + 0x34));
						}
						_t46 =  *(_t70 + 0x40);
						L9:
						return _t46;
					}
					EnterCriticalSection(0x6d2e2fc8);
					if( *(_t70 + 0x40) != 0) {
						L18:
						LeaveCriticalSection(0x6d2e2fc8);
						_t94 = 0;
						goto L19;
					}
					_t48 =  *(_t70 + 0x30);
					if(_t48 == 0) {
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t70 + 0x1c)) = LoadCursorW( !( ~( *(_t70 + 0x3c))) &  *0x6d2e2f94,  *(_t70 + 0x38));
						L12:
						_t54 =  *0x6d2e2f90; // 0x6d2a0000
						 *(_t70 + 4) =  *(_t70 + 4) & 0xffffbfff;
						 *(_t70 + 0x14) = _t54;
						if( *(_t70 + 0x28) == 0) {
							_t98 = _t70 + 0x42;
							swprintf(_t98, 0x25, L"ATL:%p", _t70);
							_t103 = _t103 + 0x10;
							 *(_t70 + 0x28) = _t98;
						}
						_t74 = 0xc;
						_t57 = GetClassInfoExW( *(_t70 + 0x14), memcpy( &_v52, _t70, _t74 << 2),  &_v52);
						 *(_t70 + 0x40) = _t57;
						if(_t57 == 0) {
							_t59 = RegisterClassExW(_t70) & 0x0000ffff;
							_v108 = _t59;
							if(_t59 != 0) {
								E6D2BE876( &_v108, 0x6d2e2fe4);
								_t59 = _v108;
								_t70 = _a4;
							}
							 *(_t70 + 0x40) = _t59;
						}
						goto L18;
					}
					_v108 =  *(_t70 + 0x28);
					_v104 =  *((intOrPtr*)(_t70 + 8));
					_v100 = 0x30;
					if(GetClassInfoExW(0, _t48,  &_v100) != 0 || GetClassInfoExW( *0x6d2e2f90,  *(_t70 + 0x30),  &_v100) != 0) {
						_t80 = 0xc;
						memcpy(_t70,  &_v100, _t80 << 2);
						_t103 = _t103 + 0xc;
						 *((intOrPtr*)(_t70 + 0x34)) =  *((intOrPtr*)(_t70 + 8));
						 *(_t70 + 0x28) = _v108;
						 *((intOrPtr*)(_t70 + 8)) = _v104;
						goto L12;
					} else {
						LeaveCriticalSection(0x6d2e2fc8);
						goto L8;
					}
				}
			}

0x6d2c5293
0x6d2c5297
0x6d2c529b
0x6d2c52a0
0x6d2c5313
0x6d2c5313
0x00000000
0x6d2c52a7
0x6d2c52ab
0x6d2c53e7
0x6d2c53ea
0x6d2c53f2
0x6d2c53f2
0x6d2c53f4
0x6d2c5315
0x6d2c531b
0x6d2c531b
0x6d2c52b7
0x6d2c52c1
0x6d2c53da
0x6d2c53df
0x6d2c53e5
0x00000000
0x6d2c53e5
0x6d2c52c7
0x6d2c52cc
0x6d2c5347
0x6d2c5358
0x6d2c535b
0x6d2c535b
0x6d2c5360
0x6d2c536b
0x6d2c536e
0x6d2c5376
0x6d2c537c
0x6d2c5381
0x6d2c5384
0x6d2c5384
0x6d2c538c
0x6d2c539f
0x6d2c53a5
0x6d2c53ac
0x6d2c53b5
0x6d2c53b8
0x6d2c53bf
0x6d2c53ca
0x6d2c53cf
0x6d2c53d3
0x6d2c53d3
0x6d2c53d6
0x6d2c53d6
0x00000000
0x6d2c53ac
0x6d2c52d1
0x6d2c52d8
0x6d2c52e9
0x6d2c52f5
0x6d2c5320
0x6d2c5327
0x6d2c5327
0x6d2c532c
0x6d2c5333
0x6d2c533a
0x00000000
0x6d2c530c
0x6d2c530d
0x00000000
0x6d2c530d
0x6d2c52f5

APIs

EnterCriticalSection.KERNEL32(6D2E2FC8,00000000,?,00000000), ref: 6D2C52B7
GetClassInfoExW.USER32 ref: 6D2C52F1
GetClassInfoExW.USER32 ref: 6D2C5306
LeaveCriticalSection.KERNEL32(6D2E2FC8), ref: 6D2C530D
LoadCursorW.USER32(?,?), ref: 6D2C5352
swprintf.LIBCMT ref: 6D2C537C
GetClassInfoExW.USER32 ref: 6D2C539F
RegisterClassExW.USER32 ref: 6D2C53AF
LeaveCriticalSection.KERNEL32(6D2E2FC8), ref: 6D2C53DF

Strings

ATL:%p, xrefs: 6D2C5371
0, xrefs: 6D2C52E9
/.m, xrefs: 6D2C53C5

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Class$CriticalInfoSection$Leave$CursorEnterLoadRegisterswprintf
String ID: 0$ATL:%p$/.m
API String ID: 1053483253-4246018883
Opcode ID: af983d5d1d6e74b9b9939b1db13ad67958cd3d0daea33b31a735e31968311a3e
Instruction ID: 750a5d3ce623f533eac7856ac45c625a8fff43c4142471789a07a4f9841723c1
Opcode Fuzzy Hash: af983d5d1d6e74b9b9939b1db13ad67958cd3d0daea33b31a735e31968311a3e
Instruction Fuzzy Hash: 564199B655421ADBCB51CF64C884A6B7BB4FF48361B400A5AFD458B245E7B0DC81CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B9D5D Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E6D2B9D5D(char* __ebx, void* __ecx, intOrPtr __edx, intOrPtr* __edi, void* __esi, void* __eflags) {
				signed int _v4;
				signed int _v16;
				char _v20;
				char _v24;
				char* _v28;
				char* _v32;
				char* _v36;
				char* _v40;
				char* _v44;
				char* _v48;
				char* _v52;
				char* _v56;
				char _t56;
				signed int _t58;
				signed int _t67;
				intOrPtr* _t69;
				intOrPtr _t70;
				signed int _t76;
				intOrPtr* _t80;
				signed int _t84;
				struct HINSTANCE__* _t87;
				void* _t90;
				void* _t91;

				_t91 = __eflags;
				_t80 = __edi;
				_t79 = __edx;
				_t73 = __ebx;
				_push(0x2c);
				E6D2D265B(0x6d2d5df8, __ebx, __edi, __esi);
				_push( &_v20);
				_v56 = L"Rotate1.ico";
				_v52 = L"Rotate2.ico";
				_v48 = L"Rotate3.ico";
				_v44 = L"Rotate4.ico";
				_v40 = L"Rotate5.ico";
				_v36 = L"Rotate6.ico";
				_v32 = L"Rotate7.ico";
				_v28 = L"Rotate8.ico";
				E6D2AC419(__ebx, __edx, __edi, __esi, _t91);
				_v4 = _v4 & 0x00000000;
				E6D2BF21D( &_v20, L"graphics");
				_v16 = _v16 & 0x00000000;
				do {
					E6D2BF21D( &_v20,  *((intOrPtr*)(_t87 + _v16 * 4 - 0x38)));
					_t56 =  *((intOrPtr*)( *_t80))(0, _v20, 1, 0x10, 0x10, 0x10);
					_v24 = _t56;
					if(_t56 == 0) {
						_t58 = _v16 + 1;
						__eflags = _t58;
						_push(_t58);
						_push(L"LoadImage failed for rotation icon %d");
						_push(1);
						E6D2AB93E(_t73, _t79, _t80,  *((intOrPtr*)(_t80 + 0x20)), _t58);
						_t90 = _t90 + 0xc;
					} else {
						_t76 =  *(_t80 + 8);
						_t67 =  *(_t80 + 0xc);
						if(_t76 != _t67) {
							L11:
							_t69 =  *((intOrPtr*)(_t80 + 4)) +  *(_t80 + 8) * 4;
							if(_t69 != 0) {
								 *_t69 = _v24;
							}
							 *(_t80 + 8) =  *(_t80 + 8) + 1;
						} else {
							_t79 =  *((intOrPtr*)(_t80 + 4));
							if( &_v24 >= _t79) {
								_t73 =  &_v24;
								if( &_v24 < _t79 + _t67 * 4) {
									L6D2C83CE(_t76, 0x80004005);
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									return LoadImageW(_t87, ??, ??, ??, ??, ??);
								}
							}
							if(_t67 != 0) {
								_t84 = _t76 + _t76;
								__eflags = _t84;
								if(_t84 >= 0) {
									__eflags = _t84 - 0x1fffffff;
									if(_t84 <= 0x1fffffff) {
										goto L9;
									}
								}
							} else {
								_t84 = 1;
								L9:
								_t70 = E6D2C8EAA(_t79, _t84, 4);
								_t90 = _t90 + 0xc;
								if(_t70 != 0) {
									 *(_t80 + 0xc) = _t84;
									 *((intOrPtr*)(_t80 + 4)) = _t70;
									goto L11;
								}
							}
						}
					}
					E6D2BF25E( &_v20);
					_v16 = _v16 + 1;
				} while (_v16 < 8);
				E6D2C8460(_v20 + 0xfffffff0, _t79);
				return E6D2D2709(1);
			}

0x6d2b9d5d
0x6d2b9d5d
0x6d2b9d5d
0x6d2b9d5d
0x6d2b9d5d
0x6d2b9d64
0x6d2b9d6c
0x6d2b9d6d
0x6d2b9d74
0x6d2b9d7b
0x6d2b9d82
0x6d2b9d89
0x6d2b9d90
0x6d2b9d97
0x6d2b9d9e
0x6d2b9da5
0x6d2b9daa
0x6d2b9db6
0x6d2b9dbb
0x6d2b9dbf
0x6d2b9dc9
0x6d2b9ddf
0x6d2b9de1
0x6d2b9de6
0x6d2b9e55
0x6d2b9e55
0x6d2b9e56
0x6d2b9e57
0x6d2b9e5c
0x6d2b9e5e
0x6d2b9e63
0x6d2b9de8
0x6d2b9de8
0x6d2b9deb
0x6d2b9df0
0x6d2b9e38
0x6d2b9e3e
0x6d2b9e43
0x6d2b9e48
0x6d2b9e48
0x6d2b9e4a
0x6d2b9df2
0x6d2b9df2
0x6d2b9dfa
0x6d2b9dff
0x6d2b9e04
0x6d2b9e93
0x6d2b9e98
0x6d2b9e99
0x6d2b9e9a
0x6d2b9e9b
0x6d2b9e9c
0x6d2b9e9d
0x6d2b9ea4
0x6d2b9ea4
0x6d2b9e04
0x6d2b9e0c
0x6d2b9e13
0x6d2b9e16
0x6d2b9e18
0x6d2b9e1a
0x6d2b9e20
0x00000000
0x00000000
0x6d2b9e20
0x6d2b9e0e
0x6d2b9e10
0x6d2b9e22
0x6d2b9e26
0x6d2b9e2b
0x6d2b9e30
0x6d2b9e32
0x6d2b9e35
0x00000000
0x6d2b9e35
0x6d2b9e30
0x6d2b9e0c
0x6d2b9df0
0x6d2b9e69
0x6d2b9e6e
0x6d2b9e71
0x6d2b9e81
0x6d2b9e8d

APIs

__EH_prolog3.LIBCMT ref: 6D2B9D64

Part of subcall function 6D2AC419: __EH_prolog3.LIBCMT ref: 6D2AC420
Part of subcall function 6D2AC419: GetModuleFileNameW.KERNEL32(6D2A0000,00000010,00000104), ref: 6D2AC46D

Part of subcall function 6D2BF21D: PathAppendW.SHLWAPI(00000000,00000000,?,00000105,?,?,80070057,80070057,6D2AC3AE), ref: 6D2BF241

__recalloc.LIBCMT ref: 6D2B9E26

Strings

Rotate2.ico, xrefs: 6D2B9D74
Rotate7.ico, xrefs: 6D2B9D97
LoadImage failed for rotation icon %d, xrefs: 6D2B9E57
Rotate1.ico, xrefs: 6D2B9D6D
Rotate6.ico, xrefs: 6D2B9D90
Rotate8.ico, xrefs: 6D2B9D9E
graphics, xrefs: 6D2B9DAE
Rotate3.ico, xrefs: 6D2B9D7B
Rotate5.ico, xrefs: 6D2B9D89
Rotate4.ico, xrefs: 6D2B9D82

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3$AppendFileModuleNamePath__recalloc
String ID: LoadImage failed for rotation icon %d$Rotate1.ico$Rotate2.ico$Rotate3.ico$Rotate4.ico$Rotate5.ico$Rotate6.ico$Rotate7.ico$Rotate8.ico$graphics
API String ID: 2299973880-2721559919
Opcode ID: 921a23e30d9d43586cd25d6d70782f8774ad4b1aa706a337aabb6f2dcc284130
Instruction ID: f15c5e645e1bf4224fd869edaf0d59db794ff876a433539e36ba6d89ca0704a6
Opcode Fuzzy Hash: 921a23e30d9d43586cd25d6d70782f8774ad4b1aa706a337aabb6f2dcc284130
Instruction Fuzzy Hash: 03418A7098021EDBDB10CF94C881BBEF775FF05759F254129DA20AB281D7B1AA61CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6D2AC4DC Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 191COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6D2AC4E3

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6D2AC626
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6D2AC649
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6D2AC65C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6D2AC678
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6D2AC68C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6D2AC6BC

Strings

%I64d, xrefs: 6D2AC555
(Elapsed time: %D %H:%M:%S)., xrefs: 6D2AC4F1
`:*m, xrefs: 6D2AC600, 6D2AC5A8, 6D2AC5BD, 6D2AC5F8
%02ld, xrefs: 6D2AC51C

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$H_prolog3H_prolog3_
String ID: (Elapsed time: %D %H:%M:%S).$%02ld$%I64d$`:*m
API String ID: 1979320550-3246324870
Opcode ID: 3e4522eab8e9ea0f8d31681824ce00b7f47dc9bd51baa7a6777ba95e8943896d
Instruction ID: 66d0ec8eb2ca66537a5373249abcc6e448221378264f5ad719c91872bd4bfa34
Opcode Fuzzy Hash: 3e4522eab8e9ea0f8d31681824ce00b7f47dc9bd51baa7a6777ba95e8943896d
Instruction Fuzzy Hash: F36106B5C8411DEBDB14DBA8C940FADB7B8EF89B14F198069F610FB280C77099019B61

Uniqueness

Uniqueness Score: -1.00%

Function 6D2BAAC2 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 128COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 6D2BAAF3
IsWindow.USER32(?), ref: 6D2BAB3B
GetDlgItem.USER32 ref: 6D2BABA3
SetWindowTextW.USER32(00000000,?), ref: 6D2BABAB
EnterCriticalSection.KERNEL32(?), ref: 6D2BABC6
LeaveCriticalSection.KERNEL32(?), ref: 6D2BABF2
EnterCriticalSection.KERNEL32(?), ref: 6D2BABF5
LeaveCriticalSection.KERNEL32(6D2BA159,?), ref: 6D2BAC04
IsWindow.USER32(?), ref: 6D2BAC32

Strings

Download failed. No performer will be called., xrefs: 6D2BAB21
Launching Install operation. Download operation is completed., xrefs: 6D2BAB70

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: CriticalSectionWindow$EnterLeave$ItemShowText
String ID: Download failed. No performer will be called.$Launching Install operation. Download operation is completed.
API String ID: 1766897411-1922595129
Opcode ID: da18e6e19d9810118e97f1fe17a1fbd1868f80cde87eda25a63ea2352f773e91
Instruction ID: 8ca4c797f326a6a4d3c3327fa2ccdf9fdbeda8905fff1e50e8e81ab7307f309b
Opcode Fuzzy Hash: da18e6e19d9810118e97f1fe17a1fbd1868f80cde87eda25a63ea2352f773e91
Instruction Fuzzy Hash: 62518F34144709AFDB11DF34C888FAA7BB5FF45359F058598E9668B261CBB1E844CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6D2BA6A1 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 121timeCOMMON

Download Yara Rule

APIs

Part of subcall function 6D2BA214: __CxxThrowException@8.LIBCMT ref: 6D2BA228

GetDlgItem.USER32 ref: 6D2BA6E2
SetPropW.USER32(00000000,RotatingIconDisplayTHIS,?), ref: 6D2BA6F1
SetTimer.USER32(?,00000002,000003E8,Function_0001A051), ref: 6D2BA70B
GetDlgItem.USER32 ref: 6D2BA721
SetPropW.USER32(00000000,RotatingIconDisplayTHIS,?), ref: 6D2BA730
GetDlgItem.USER32 ref: 6D2BA740
GetDlgItem.USER32 ref: 6D2BA751

Strings

RotatingIconDisplayTHIS, xrefs: 6D2BA6EB, 6D2BA72A
Item(s) availability state is "Error". Exiting setup., xrefs: 6D2BA7E2
Launching Download operation. Install operation will follow after download is complete., xrefs: 6D2BA7D8
Launching Download and Install operations simultaneously., xrefs: 6D2BA7C2

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Item$Prop$Exception@8ThrowTimer
String ID: Item(s) availability state is "Error". Exiting setup.$Launching Download and Install operations simultaneously.$Launching Download operation. Install operation will follow after download is complete.$RotatingIconDisplayTHIS
API String ID: 3010864479-2919304341
Opcode ID: cfa5f836c11062340bcda73fc40c531615aa9697134370d40301c445fc2b2ab4
Instruction ID: 496f2cac93e23bbb12ae4e0d27d0fffbfb5175aeea3ff67704a6da4c326eed43
Opcode Fuzzy Hash: cfa5f836c11062340bcda73fc40c531615aa9697134370d40301c445fc2b2ab4
Instruction Fuzzy Hash: BA41AF34344606AFDB049F74C888FAAF7B5FF4A349F004558E656DB261CBB1E850CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6D2BBF84 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 80windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 6D2BBF93
GetForegroundWindow.USER32 ref: 6D2BBFBB
SetForegroundWindow.USER32(?), ref: 6D2BBFF4
IsWindowVisible.USER32(?), ref: 6D2BBFD3

Part of subcall function 6D2AB93E: __EH_prolog3.LIBCMT ref: 6D2AB945

_memset.LIBCMT ref: 6D2BC021
GetSystemMenu.USER32(?,00000000,0000F060,00000000,?), ref: 6D2BC043
GetMenuItemInfoW.USER32(00000000), ref: 6D2BC04A
PostMessageW.USER32(?,0000067C,00000000,00000000), ref: 6D2BC080

Strings

WM_ACTIVATEAPP: Focus stealer's windows was NOT visible, taking back focus, xrefs: 6D2BBFE3
WM_ACTIVATEAPP: Focus stealer's windows WAS visible, NOT taking back focus, xrefs: 6D2BBFFF
0, xrefs: 6D2BC035

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Window$ForegroundMenu$H_prolog3InfoItemLongMessagePostSystemVisible_memset
String ID: 0$WM_ACTIVATEAPP: Focus stealer's windows WAS visible, NOT taking back focus$WM_ACTIVATEAPP: Focus stealer's windows was NOT visible, taking back focus
API String ID: 105400089-2282623533
Opcode ID: c2183036587d50b94088d45b229add9c15711a295ba08fd8e92e4628afb8eef0
Instruction ID: e5a8f539d520eb10cf644f7ebae0d752c7a5ce6de770e00065bea07e2fd79d51
Opcode Fuzzy Hash: c2183036587d50b94088d45b229add9c15711a295ba08fd8e92e4628afb8eef0
Instruction Fuzzy Hash: A6215C3158821EBBEF115F70CC09FAE3B74EB04BA9F058424FA55A90D1D7B19590EBA8

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C09E0 Relevance: 16.9, APIs: 11, Instructions: 430windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6D2C09E7
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 6D2C0A02

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

MapDialogRect.USER32(?,00000000), ref: 6D2C0AEE
ShowWindow.USER32(00000000,00000001,00000000,?,?,?,40000000,?,?,00000000), ref: 6D2C0B68
SendMessageW.USER32(00000000,00000030,?,00000001), ref: 6D2C0B78

Part of subcall function 6D2AF589: SendMessageW.USER32(?,00000031,00000000,00000000), ref: 6D2AF5AC
Part of subcall function 6D2AF589: GetObjectW.GDI32(00000000,0000005C,?), ref: 6D2AF5B5
Part of subcall function 6D2AF589: CreateFontIndirectW.GDI32(?), ref: 6D2AF600
Part of subcall function 6D2AF589: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 6D2AF610

LoadImageW.USER32 ref: 6D2C0C2A
SendMessageW.USER32(00000000,00000170,?,00000000), ref: 6D2C0C70
LoadImageW.USER32 ref: 6D2C0CA3

Part of subcall function 6D2BF933: SendMessageW.USER32(?,00000172,00000000,?), ref: 6D2BF944

MapDialogRect.USER32(?,00000000), ref: 6D2C0DAB
SendMessageW.USER32(?,00000030,?,00000001), ref: 6D2C0E0A
ShowWindow.USER32(?,00000001,?,00000000,?,?,?,?,?,?,?,?,?,6D2D677E,000000FF), ref: 6D2C0E15

Part of subcall function 6D2BF8DE: CreateWindowExW.USER32 ref: 6D2BF91E

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: MessageSend$Window$CreateDialogImageLoadRectShow$FontH_prolog3H_prolog3_IndirectObject
String ID:
API String ID: 2777900791-0
Opcode ID: eea507b850cea12cfcc090eb7101269f15a4d3f856ba15b08684a17e819d39d7
Instruction ID: dc010d754d446ae908725db17bf2e216e8fe61111559cbccce4f717548b7a65f
Opcode Fuzzy Hash: eea507b850cea12cfcc090eb7101269f15a4d3f856ba15b08684a17e819d39d7
Instruction Fuzzy Hash: 25021475A00208AFCB05DFA8C998A9DBBF2FF4D311B148169F506AB360CB35AD41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B8A1A Relevance: 16.7, APIs: 11, Instructions: 177COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2B8A21
GetTickCount.KERNEL32 ref: 6D2B8A38

Part of subcall function 6D2B8C2A: __EH_prolog3.LIBCMT ref: 6D2B8C31

GetTickCount.KERNEL32 ref: 6D2B8A52
SetWindowTextW.USER32(?,?), ref: 6D2B8A99
GetDlgItem.USER32 ref: 6D2B8AC3
GetDlgItem.USER32 ref: 6D2B8AE5

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: CountH_prolog3ItemTick$TextWindow
String ID:
API String ID: 3171788341-0
Opcode ID: 5a7bdcd556b6bc0caf2404f9ee93dc0461d899eb0fc2f0247dad04ea1d62eefc
Instruction ID: 071ddb7a73618afc1461791827d80109badd116d372550dce88704c8c2a0a137
Opcode Fuzzy Hash: 5a7bdcd556b6bc0caf2404f9ee93dc0461d899eb0fc2f0247dad04ea1d62eefc
Instruction Fuzzy Hash: 46613B75A0061ADFDF05DFB4C998AAEBBB5FF09304F140968E216E73A0DB34A905CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B7389 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 162COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2B7390

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

Part of subcall function 6D2AC9BB: __EH_prolog3.LIBCMT ref: 6D2AC9C2

Part of subcall function 6D2AD1B4: __EH_prolog3.LIBCMT ref: 6D2AD1BB

__CxxThrowException@8.LIBCMT ref: 6D2B7420

Part of subcall function 6D2CDBDB: RaiseException.KERNEL32(?,?,6D2C9236,?,?,?,?,?,6D2C9236,?,6D2D7F54,6D2E22B4), ref: 6D2CDC1D

Part of subcall function 6D2BEB56: __wcsicoll.LIBCMT ref: 6D2BEB74

__aulldiv.LIBCMT ref: 6D2B74F1
__aulldiv.LIBCMT ref: 6D2B74FD

Strings

$$DownloadTimeOverDialup$$, xrefs: 6D2B7523
Setup engine failed to initialize. engineDataProvider.InitializeItems() returned false, xrefs: 6D2B73B2
%I64u, xrefs: 6D2B748A
$$DownloadTimeOverBroadband$$, xrefs: 6D2B74B8
$$DownloadSizeEstimate$$, xrefs: 6D2B7436

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3$__aulldiv$ExceptionException@8RaiseThrow__wcsicoll
String ID: $$DownloadSizeEstimate$$$$$DownloadTimeOverBroadband$$$$$DownloadTimeOverDialup$$$%I64u$Setup engine failed to initialize. engineDataProvider.InitializeItems() returned false
API String ID: 1088788417-581573194
Opcode ID: 6e1b4ca0dc01233061bdfd5e776f58966c8b83edb8bb0f76c26a76a73b00bd1b
Instruction ID: 7f08689366dc7472819ee9809b81e8820632c8944d62939722e6a528c8cc8de8
Opcode Fuzzy Hash: 6e1b4ca0dc01233061bdfd5e776f58966c8b83edb8bb0f76c26a76a73b00bd1b
Instruction Fuzzy Hash: 6D510372D8420D9FDB10CBA4C844BAFBBB8EF45359F158565E615EB281CB709E01CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6D2AC78F Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 139COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32(?), ref: 6D2AC7FD
__time64.LIBCMT ref: 6D2AC8B6

Part of subcall function 6D2AC280: __EH_prolog3.LIBCMT ref: 6D2AC287
Part of subcall function 6D2AC280: OutputDebugStringW.KERNEL32(?,?,?,00000008,6D2AC856), ref: 6D2AC2A8

SysFreeString.OLEAUT32(?), ref: 6D2AC894

Strings

Final Result: Installation completed successfully with success code: (0x%08lX), "%s", xrefs: 6D2AC818
Final Result: Installation completed successfully with success code: (0x%08lX), xrefs: 6D2AC80C
Final Result: Installation failed with error code: (0x%08lX), "%s", xrefs: 6D2AC87E
Final Result: Installation aborted, xrefs: 6D2AC827, 6D2AC835
Final Result: Installation failed with error code: (0x%08lX), xrefs: 6D2AC869

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: String$DebugFreeH_prolog3Output__time64
String ID: Final Result: Installation aborted$Final Result: Installation completed successfully with success code: (0x%08lX)$Final Result: Installation completed successfully with success code: (0x%08lX), "%s"$Final Result: Installation failed with error code: (0x%08lX)$Final Result: Installation failed with error code: (0x%08lX), "%s"
API String ID: 1943088043-1330816492
Opcode ID: cc7cca34185cc6db9c75f13fad46de4fda254b00246d0a224643b692ff8ee1af
Instruction ID: bc866f804c7c0c41900a5695686d2da581cca4c0b79999fd90206ee4369f183b
Opcode Fuzzy Hash: cc7cca34185cc6db9c75f13fad46de4fda254b00246d0a224643b692ff8ee1af
Instruction Fuzzy Hash: 7B518E7554C34A9FC301DF68C844A5BBBE4FF85B18F084A2DF59197251D730D80897A3

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B795B Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 115COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2B7962

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

EnumWindows.USER32(6D2B7C3F,?), ref: 6D2B79BF

Part of subcall function 6D2B7BC5: _calloc.LIBCMT ref: 6D2B7BE6

Part of subcall function 6D2B7AC7: __EH_prolog3.LIBCMT ref: 6D2B7ACE

RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 6D2B7ABB

Strings

Enumerating incompatible processes, xrefs: 6D2B798E
Blocking Processes, xrefs: 6D2B7A2A
No Blocking Processes, xrefs: 6D2B79EE
[ProcessID] [ImageName] [WindowTitle] [WindowVisible], xrefs: 6D2B7A49
complete, xrefs: 6D2B796B
Action, xrefs: 6D2B797D, 6D2B799B

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3$EnumExceptionRaiseWindows_calloc
String ID: complete$Action$Blocking Processes$Enumerating incompatible processes$No Blocking Processes$[ProcessID] [ImageName] [WindowTitle] [WindowVisible]
API String ID: 3326300193-1989790735
Opcode ID: 260bf2ab4e11278cca45817630310f3232d0dac9dec9d7daa3d32ecb1aa8a7fb
Instruction ID: b6d345be2809a956fe05d0016f994b1bf8a1887ff31f86f640e40db136c76628
Opcode Fuzzy Hash: 260bf2ab4e11278cca45817630310f3232d0dac9dec9d7daa3d32ecb1aa8a7fb
Instruction Fuzzy Hash: D741B47198420DEFDB41DFA4C848FADBBB5FF44359F158065E604EB281C7B09A41CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6D2BC626 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 76COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2BC62D
SetWindowTextW.USER32(?,?), ref: 6D2BC63D

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

SetDlgItemTextW.USER32 ref: 6D2BC666
SetDlgItemTextW.USER32 ref: 6D2BC6A1
SetDlgItemTextW.USER32 ref: 6D2BC6DC
GetParent.USER32(?), ref: 6D2BC6EF

Part of subcall function 6D2AE153: GetWindowLongW.USER32(?,000000F0), ref: 6D2AE179
Part of subcall function 6D2AE153: GetParent.USER32 ref: 6D2AE18B
Part of subcall function 6D2AE153: GetWindowRect.USER32 ref: 6D2AE1A5
Part of subcall function 6D2AE153: GetWindowLongW.USER32(?,000000F0), ref: 6D2AE1BB
Part of subcall function 6D2AE153: MonitorFromWindow.USER32(?,00000002), ref: 6D2AE1DA

Strings

IDS_REBOOT_REQUIRED, xrefs: 6D2BC647
IDS_RESTART_NOW, xrefs: 6D2BC67F
IDS_RESTART_LATER, xrefs: 6D2BC6BA

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Window$Text$Item$H_prolog3LongParent$FromMonitorRect
String ID: IDS_REBOOT_REQUIRED$IDS_RESTART_LATER$IDS_RESTART_NOW
API String ID: 1194771093-931079857
Opcode ID: 5bd32ffb5742210482bd140818181034a8843047d231149b348b04e165ebbcf3
Instruction ID: 87a535cd5ce1b3a66e09c3cc4c2ba1baf390930d860a2cfe8a44c83643f0055b
Opcode Fuzzy Hash: 5bd32ffb5742210482bd140818181034a8843047d231149b348b04e165ebbcf3
Instruction Fuzzy Hash: CE31B671940609DFCF10DFA8C848A6EB7B5FF49329F2446A8F151EB2A4C7719901DF11

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C1601 Relevance: 15.5, APIs: 10, Instructions: 459windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000031,00000000,00000000), ref: 6D2C1656

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

MapDialogRect.USER32(?,00000000), ref: 6D2C175E
ShowWindow.USER32(00000001,00000001,?,?,?,?,40000000,?,?,00000000), ref: 6D2C17E3
SendMessageW.USER32(?,00000030,?,00000001), ref: 6D2C17F5

Part of subcall function 6D2AF589: SendMessageW.USER32(?,00000031,00000000,00000000), ref: 6D2AF5AC
Part of subcall function 6D2AF589: GetObjectW.GDI32(00000000,0000005C,?), ref: 6D2AF5B5
Part of subcall function 6D2AF589: CreateFontIndirectW.GDI32(?), ref: 6D2AF600
Part of subcall function 6D2AF589: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 6D2AF610

LoadImageW.USER32 ref: 6D2C18AD
SendMessageW.USER32(?,00000170,?,00000000), ref: 6D2C18FA
LoadImageW.USER32 ref: 6D2C1931

Part of subcall function 6D2BF933: SendMessageW.USER32(?,00000172,00000000,?), ref: 6D2BF944

MapDialogRect.USER32(?,00000000), ref: 6D2C1A58
SendMessageW.USER32(?,00000030,?,00000001), ref: 6D2C1ABD
ShowWindow.USER32(?,00000001,?,00000000), ref: 6D2C1AC8

Part of subcall function 6D2BF8DE: CreateWindowExW.USER32 ref: 6D2BF91E

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: MessageSend$Window$CreateDialogImageLoadRectShow$FontH_prolog3IndirectObject
String ID:
API String ID: 727718542-0
Opcode ID: 317276bd0ecc35c8f0804bccf8dd7e04bb436128053aecf34d389e8230f54a8a
Instruction ID: 403f0736bd7a4064c219456d88dafcc51c6380c8620f4d6aa5e8d5d378354390
Opcode Fuzzy Hash: 317276bd0ecc35c8f0804bccf8dd7e04bb436128053aecf34d389e8230f54a8a
Instruction Fuzzy Hash: AC0202756087019FCB05DF68C888A1ABBF6FF8D705F048A69F5868B360DB71D845CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6D2BFC53 Relevance: 15.5, APIs: 10, Instructions: 458windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000031,00000000,00000000), ref: 6D2BFCA4

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

MapDialogRect.USER32(?,00000000), ref: 6D2BFDAC
ShowWindow.USER32(?,00000001,?,?,?,?,40000000,?,?,?,00000000), ref: 6D2BFE32
SendMessageW.USER32(?,00000030,?,00000001), ref: 6D2BFE44

Part of subcall function 6D2AF589: SendMessageW.USER32(?,00000031,00000000,00000000), ref: 6D2AF5AC
Part of subcall function 6D2AF589: GetObjectW.GDI32(00000000,0000005C,?), ref: 6D2AF5B5
Part of subcall function 6D2AF589: CreateFontIndirectW.GDI32(?), ref: 6D2AF600
Part of subcall function 6D2AF589: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 6D2AF610

LoadImageW.USER32 ref: 6D2BFF02
SendMessageW.USER32(?,00000170,?,00000000), ref: 6D2BFF4F
LoadImageW.USER32 ref: 6D2BFF83

Part of subcall function 6D2BF933: SendMessageW.USER32(?,00000172,00000000,?), ref: 6D2BF944

MapDialogRect.USER32(?,00000000), ref: 6D2C00A6
SendMessageW.USER32(?,00000030,?,00000001), ref: 6D2C010B
ShowWindow.USER32(?,00000001,?,00000000), ref: 6D2C0116

Part of subcall function 6D2BF8DE: CreateWindowExW.USER32 ref: 6D2BF91E

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: MessageSend$Window$CreateDialogImageLoadRectShow$FontH_prolog3IndirectObject
String ID:
API String ID: 727718542-0
Opcode ID: 57f8c7d63eb491fc95e978cb09657ca7d9b94c46ded1775054eb779a09eb0568
Instruction ID: 0afe9baf740b5540beafa54f01a57e61ba668a71ff122afbd9756d08a5069286
Opcode Fuzzy Hash: 57f8c7d63eb491fc95e978cb09657ca7d9b94c46ded1775054eb779a09eb0568
Instruction Fuzzy Hash: A90202756083019FCB05DF68C888A1ABBF6FF89345F04896DF5968B361DB31E845CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C210E Relevance: 15.5, APIs: 10, Instructions: 457windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000031,00000000,00000000), ref: 6D2C215F

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

MapDialogRect.USER32(?,00000000), ref: 6D2C2267
ShowWindow.USER32(?,00000001,?,?,?,?,40000000,?,?,00000000), ref: 6D2C22ED
SendMessageW.USER32(?,00000030,?,00000001), ref: 6D2C22FF

Part of subcall function 6D2AF589: SendMessageW.USER32(?,00000031,00000000,00000000), ref: 6D2AF5AC
Part of subcall function 6D2AF589: GetObjectW.GDI32(00000000,0000005C,?), ref: 6D2AF5B5
Part of subcall function 6D2AF589: CreateFontIndirectW.GDI32(?), ref: 6D2AF600
Part of subcall function 6D2AF589: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 6D2AF610

LoadImageW.USER32 ref: 6D2C23BB
SendMessageW.USER32(?,00000170,?,00000000), ref: 6D2C2408
LoadImageW.USER32 ref: 6D2C243C

Part of subcall function 6D2BF933: SendMessageW.USER32(?,00000172,00000000,?), ref: 6D2BF944

MapDialogRect.USER32(?,00000000), ref: 6D2C255F
SendMessageW.USER32(?,00000030,?,00000001), ref: 6D2C25C4
ShowWindow.USER32(?,00000001,?,00000000), ref: 6D2C25CF

Part of subcall function 6D2BF8DE: CreateWindowExW.USER32 ref: 6D2BF91E

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: MessageSend$Window$CreateDialogImageLoadRectShow$FontH_prolog3IndirectObject
String ID:
API String ID: 727718542-0
Opcode ID: 81d67caebb52f0b27af194364eff7a4910a962efdadb140509f53dd397339525
Instruction ID: 4c3ba54baa09e4c292e9944778c3e34aefe680f313ed66afb0669f50f2e1fae9
Opcode Fuzzy Hash: 81d67caebb52f0b27af194364eff7a4910a962efdadb140509f53dd397339525
Instruction Fuzzy Hash: B40212756083019FCB05DF68C898A1ABBF6FF89355F048969F5868B361DB30E845CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B8FA4 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 310COMMON

Download Yara Rule

APIs

Part of subcall function 6D2C1169: __EH_prolog3.LIBCMT ref: 6D2C1170
Part of subcall function 6D2C1169: GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 6D2C11B1

Part of subcall function 6D2C10EB: __EH_prolog3_GS.LIBCMT ref: 6D2C10F5
Part of subcall function 6D2C10EB: _memset.LIBCMT ref: 6D2C1121
Part of subcall function 6D2C10EB: GetTempPathW.KERNEL32(00000104,?,Action,?,00000000), ref: 6D2C1135

Part of subcall function 6D2BE98E: __EH_prolog3_GS.LIBCMT ref: 6D2BE995
Part of subcall function 6D2BE98E: _wmemcpy_s.LIBCMT ref: 6D2BEA2A

Part of subcall function 6D2BF0E8: __EH_prolog3.LIBCMT ref: 6D2BF0EF

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

Part of subcall function 6D2B7FE0: __EH_prolog3.LIBCMT ref: 6D2B7FE7
Part of subcall function 6D2B7FE0: PathGetDriveNumberW.SHLWAPI(?,?,?,00000014,6D2B9180,?,?,?,?,?,?,?,?), ref: 6D2B8015
Part of subcall function 6D2B7FE0: PathGetDriveNumberW.SHLWAPI(?), ref: 6D2B801C
Part of subcall function 6D2B7FE0: PathGetDriveNumberW.SHLWAPI(?,?,?,?), ref: 6D2B8064
Part of subcall function 6D2B7FE0: PathGetDriveNumberW.SHLWAPI(?), ref: 6D2B806B
Part of subcall function 6D2B7FE0: PathGetDriveNumberW.SHLWAPI(00000001,00000001,?,?), ref: 6D2B80B3
Part of subcall function 6D2B7FE0: PathGetDriveNumberW.SHLWAPI(?), ref: 6D2B80BA

Part of subcall function 6D2B8ECA: __EH_prolog3.LIBCMT ref: 6D2B8ED1
Part of subcall function 6D2B8ECA: GetDlgItem.USER32 ref: 6D2B8F73
Part of subcall function 6D2B8ECA: GetDlgItem.USER32 ref: 6D2B8F88

Part of subcall function 6D2B8CD7: __EH_prolog3.LIBCMT ref: 6D2B8CDE

Part of subcall function 6D2BF42A: __EH_prolog3.LIBCMT ref: 6D2BF431

ShowWindow.USER32(?,00000000,?,?,?,?,?,?,00000065,00000067), ref: 6D2B929E
ShowWindow.USER32(7DCDEE72,00000000,?,?,?,?,?,?,00000065,00000067), ref: 6D2B92B0
ShowWindow.USER32(?,00000000,?,00000066,00000068,?,?,?,?,?,?,?,?,?,?,?), ref: 6D2B9335
ShowWindow.USER32(00000012,00000000,?,00000066,00000068,?,?,?,?,?,?,?,?,?,?,?), ref: 6D2B9347

Strings

System Drive, xrefs: 6D2B91ED
Product Drive, xrefs: 6D2B92E4
Download Drive, xrefs: 6D2B924B
Action, xrefs: 6D2B8FBF

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3Path$DriveNumber$ShowWindow$H_prolog3_Item$DirectorySystemTemp_memset_wmemcpy_s
String ID: Action$Download Drive$Product Drive$System Drive
API String ID: 1601511689-2973646315
Opcode ID: 39945be97cb9d9cb8c9243dcfb05dc0435b956c83c41d8bb191b07607a721ddb
Instruction ID: 120d7211c1a176a0ccc4502517348c951b39bcc66002b4563ea7618e1dc8d84c
Opcode Fuzzy Hash: 39945be97cb9d9cb8c9243dcfb05dc0435b956c83c41d8bb191b07607a721ddb
Instruction Fuzzy Hash: 37C16C715486489FC720DB78C884B5FB7E8FF89718F054A69F698DB291CB71D804CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B21B8 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 199COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2B21BF

Part of subcall function 6D2B1F81: __EH_prolog3.LIBCMT ref: 6D2B1F88

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

Part of subcall function 6D2AD76F: __EH_prolog3.LIBCMT ref: 6D2AD776

Part of subcall function 6D2ACA39: __EH_prolog3.LIBCMT ref: 6D2ACA40

Part of subcall function 6D2ACAC2: __EH_prolog3.LIBCMT ref: 6D2ACAC9

Part of subcall function 6D2AD170: __EH_prolog3.LIBCMT ref: 6D2AD177

__CxxThrowException@8.LIBCMT ref: 6D2B2425

Part of subcall function 6D2CDBDB: RaiseException.KERNEL32(?,?,6D2C9236,?,?,?,?,?,6D2C9236,?,6D2D7F54,6D2E22B4), ref: 6D2CDC1D

Strings

UIInfo.xml, xrefs: 6D2B2399
Font, xrefs: 6D2B2320
Text, xrefs: 6D2B21E3
UiInfo element 'Static' should have one of Text, Icon or Bitmap elements!, xrefs: 6D2B23A7
Bitmap, xrefs: 6D2B22B3
Icon, xrefs: 6D2B2243

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3$ExceptionException@8RaiseThrow
String ID: Bitmap$Font$Icon$Text$UIInfo.xml$UiInfo element 'Static' should have one of Text, Icon or Bitmap elements!
API String ID: 1412866469-225342085
Opcode ID: 5e334d7c3911f1daf8e1117fcc880f719416b25af110fe71c433e13ee11a42b9
Instruction ID: 0ae72dba6ff55d2a6534269388659453c936bda7204f2a97950c7796094f3a16
Opcode Fuzzy Hash: 5e334d7c3911f1daf8e1117fcc880f719416b25af110fe71c433e13ee11a42b9
Instruction Fuzzy Hash: 5481827184424CEFDB01DBE8C944BDEB7B8AF09318F2981A4E524EB291D774EE05DB21

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B9584 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 149windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2B958B

Part of subcall function 6D2B7F0A: __EH_prolog3.LIBCMT ref: 6D2B7F11

RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,00000000), ref: 6D2B96FB

Part of subcall function 6D2BF42A: __EH_prolog3.LIBCMT ref: 6D2BF431

Part of subcall function 6D2C5002: _vwprintf.LIBCMT ref: 6D2C502C
Part of subcall function 6D2C5002: _vswprintf_s.LIBCMT ref: 6D2C5059

SendDlgItemMessageW.USER32 ref: 6D2B9714
SetWindowTextW.USER32(?,00000001), ref: 6D2B9723
EnableWindow.USER32(?,00000001), ref: 6D2B9737
EnableWindow.USER32(?,00000000), ref: 6D2B9748
ShowWindow.USER32(?,00000000), ref: 6D2B9755

Strings

%s, xrefs: 6D2B95F7, 6D2B9674, 6D2B96B8

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Window$H_prolog3$Enable$ExceptionItemMessageRaiseSendShowText_vswprintf_s_vwprintf
String ID: %s
API String ID: 508372071-3043279178
Opcode ID: ace2d5ff23792a7754ceca4c08307929d315fc18d20d6c143bdf5f0e9c1f23c2
Instruction ID: 5a4d1512c963d1f6763c86790ce4a05bbdebd954493ab21b4f18807812962d69
Opcode Fuzzy Hash: ace2d5ff23792a7754ceca4c08307929d315fc18d20d6c143bdf5f0e9c1f23c2
Instruction Fuzzy Hash: 14515B70E4424AEFDF11DFA8C888BDDFBB0BF09318F1541A4E254A7291C7B56954CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B93BE Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2B93C5

Part of subcall function 6D2B795B: __EH_prolog3.LIBCMT ref: 6D2B7962
Part of subcall function 6D2B795B: EnumWindows.USER32(6D2B7C3F,?), ref: 6D2B79BF

RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,00000000), ref: 6D2B94F0

Part of subcall function 6D2BF42A: __EH_prolog3.LIBCMT ref: 6D2BF431

SendDlgItemMessageW.USER32 ref: 6D2B9509
SetWindowTextW.USER32(?,?), ref: 6D2B9518
EnableWindow.USER32(?,00000001), ref: 6D2B952C
EnableWindow.USER32(?,00000000), ref: 6D2B953D
ShowWindow.USER32(?,00000000), ref: 6D2B954A

Strings

%s, xrefs: 6D2B94B8

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Window$H_prolog3$Enable$EnumExceptionItemMessageRaiseSendShowTextWindows
String ID: %s
API String ID: 3119945384-3043279178
Opcode ID: aaef5c44e693afaa97dd5e37360511993b4cae9dc5a5cdeff6c19d214d97b61f
Instruction ID: 44c170e607395826948d667f2a26234a69a38631ea21cd5cdf24439422f2b5db
Opcode Fuzzy Hash: aaef5c44e693afaa97dd5e37360511993b4cae9dc5a5cdeff6c19d214d97b61f
Instruction Fuzzy Hash: FA51C330984649EFDB01CFA8C888BDEFFB0FF09359F144198E618A7281C7705950CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C75EA Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 74libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2C75F1
GetProcAddress.KERNEL32(00000006,GetProcessImageFileNameW), ref: 6D2C7602
GetLastError.KERNEL32 ref: 6D2C7610

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

Part of subcall function 6D2BE93B: __EH_prolog3.LIBCMT ref: 6D2BE942

Part of subcall function 6D2BF092: __EH_prolog3.LIBCMT ref: 6D2BF099

Part of subcall function 6D2C383E: _wcsnlen.LIBCMT ref: 6D2C3871
Part of subcall function 6D2C383E: _memcpy_s.LIBCMT ref: 6D2C38A7

__CxxThrowException@8.LIBCMT ref: 6D2C76DC

Part of subcall function 6D2CDBDB: RaiseException.KERNEL32(?,?,6D2C9236,?,?,?,?,?,6D2C9236,?,6D2D7F54,6D2E22B4), ref: 6D2CDC1D

Strings

GetProcAddress looking for , xrefs: 6D2C761C
Dn*m, xrefs: 6D2C76D4, 6D2C76D7
in , xrefs: 6D2C762E
GetProcessImageFileNameW, xrefs: 6D2C75F9, 6D2C75FE

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3$AddressErrorExceptionException@8LastProcRaiseThrow_memcpy_s_wcsnlen
String ID: in $Dn*m$GetProcAddress looking for $GetProcessImageFileNameW
API String ID: 1153917472-4051047106
Opcode ID: 06c1e9308fb665c4bf17ed32c918abe5f2be399952287d1c253f9b32c7ac7925
Instruction ID: 11a6856b3a81c0b884b7d8f912f425942e19299346e288f027f4dcd8ee357423
Opcode Fuzzy Hash: 06c1e9308fb665c4bf17ed32c918abe5f2be399952287d1c253f9b32c7ac7925
Instruction Fuzzy Hash: E3318E7284444C9FCB40DBFCC944BDEBBB4EF08329F194264E224E7281DB709A04CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6D2AFCC3 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 55synchronizationthreadCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6D2AFCCA
LoadCursorW.USER32(00000000,00007F02), ref: 6D2AFCD9
SetCursor.USER32(00000000,?,6D2BCF69,?), ref: 6D2AFCE3
CreateThread.KERNEL32 ref: 6D2AFCFD
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,00000000,?,6D2BCF69,?), ref: 6D2AFD0C
CloseHandle.KERNEL32(00000000,?,00000000,00000000,?,6D2BCF69,?), ref: 6D2AFD13
SetCursor.USER32(00000001,?,00000000,00000000,?,6D2BCF69,?), ref: 6D2AFD5F

Strings

open, xrefs: 6D2AFD38

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Cursor$CloseCreateH_prolog3_catchHandleLoadObjectSingleThreadWait
String ID: open
API String ID: 3568249301-2758837156
Opcode ID: ff81001cfda8fd207d3c343ba358fcc28b639de4133a58b8c889a2ce5484fba3
Instruction ID: 66bce140da0e82b6028da59bcc5d2978bbd3ec245babfedbcf588880335f5b7c
Opcode Fuzzy Hash: ff81001cfda8fd207d3c343ba358fcc28b639de4133a58b8c889a2ce5484fba3
Instruction Fuzzy Hash: 4711CEB084424EAFDB129BB4CC8CEAFBAB8EB05318F144168F101A7281CB798C40CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6D2BD86C Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 214windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6D2C0324: SendMessageW.USER32(?,00000437,00000000,?), ref: 6D2C0344

_memset.LIBCMT ref: 6D2BD8B6
SendMessageW.USER32(?,0000043A,00000001,?), ref: 6D2BD8D9

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

Part of subcall function 6D2BD81A: __EH_prolog3.LIBCMT ref: 6D2BD821

Part of subcall function 6D2C0353: GetWindowTextLengthW.USER32(?), ref: 6D2C035B
Part of subcall function 6D2C0353: SendMessageW.USER32(?,000000C2,?,00000000), ref: 6D2C0377

Part of subcall function 6D2B0D3D: _memset.LIBCMT ref: 6D2B0D6A
Part of subcall function 6D2B0D3D: SendMessageW.USER32(?,00000444,00000001,?), ref: 6D2B0D93

Part of subcall function 6D2B0E35: _memset.LIBCMT ref: 6D2B0E62
Part of subcall function 6D2B0E35: SendMessageW.USER32(?,00000444,00000001,00000074), ref: 6D2B0E92

Strings

t, xrefs: 6D2BD8CB
, xrefs: 6D2BD942, 6D2BD9E7, 6D2BDAA5
IDS_SUCCESS_BLOCKERS_LIST_HEADER, xrefs: 6D2BD90B
IDS_PRE_INSTALLATION_WARNINGS, xrefs: 6D2BDA6F
IDS_INSTALLATION_BLOCKERS, xrefs: 6D2BD9B0

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: MessageSend$_memset$H_prolog3$LengthTextWindow
String ID: $IDS_INSTALLATION_BLOCKERS$IDS_PRE_INSTALLATION_WARNINGS$IDS_SUCCESS_BLOCKERS_LIST_HEADER$t
API String ID: 808874516-693864943
Opcode ID: 28852f7e18e80eba45338f4533b494ec38157ca9e7c7d011c61417a6f5d85b43
Instruction ID: aeae9f8595f91247f7494a3e0766de15c080198059e96a8013df711bbb5ce10f
Opcode Fuzzy Hash: 28852f7e18e80eba45338f4533b494ec38157ca9e7c7d011c61417a6f5d85b43
Instruction Fuzzy Hash: 2C71D072984518ABCB219F25CD45F8E7778EF46718F1282A4F218FB2D0DB70AA81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C3BC0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6D2C3BCA
GetCurrentDirectoryW.KERNEL32(00000104,?,00000698,6D2C03E4,00000000), ref: 6D2C3BE0

Part of subcall function 6D2BF6DE: __EH_prolog3_GS.LIBCMT ref: 6D2BF6E8
Part of subcall function 6D2BF6DE: _memset.LIBCMT ref: 6D2BF714
Part of subcall function 6D2BF6DE: _memset.LIBCMT ref: 6D2BF741
Part of subcall function 6D2BF6DE: GetVersionExW.KERNEL32 ref: 6D2BF75A

GetOpenFileNameW.COMDLG32(?), ref: 6D2C3C44
GetSaveFileNameW.COMDLG32(?), ref: 6D2C3C4C
SetCurrentDirectoryW.KERNEL32(?), ref: 6D2C3C73
_memcpy_s.LIBCMT ref: 6D2C3CE8

Strings

o*m, xrefs: 6D2C3C23

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: CurrentDirectoryFileH_prolog3_Name_memset$OpenSaveVersion_memcpy_s
String ID: o*m
API String ID: 133044998-2660576754
Opcode ID: 6e78b793848551699cba26e2efef59ce539d6f2dc959f09fd7761ae404edb383
Instruction ID: aff21ef905736b35260b6845ba42a49bc2c1f6959b2c58fc96d43279fbeb8b0b
Opcode Fuzzy Hash: 6e78b793848551699cba26e2efef59ce539d6f2dc959f09fd7761ae404edb383
Instruction Fuzzy Hash: DB41C07184422DDFDBA0DB20CC48B9EB7B9BF45319F1186E9E118A3150CB325E91CF62

Uniqueness

Uniqueness Score: -1.00%

Function 6D2AEE95 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 49libraryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2AEE9C
FreeLibrary.KERNEL32(00000000,0000000C,6D2C5B81,?,?,?), ref: 6D2AEED4
LoadLibraryW.KERNEL32(?,0000000C,6D2C5B81,?,?,?), ref: 6D2AEEE8
GetLastError.KERNEL32(00000000), ref: 6D2AEF03
__CxxThrowException@8.LIBCMT ref: 6D2AEF35

Strings

Dn*m, xrefs: 6D2AEF2D, 6D2AEF30
LoadLibrary, xrefs: 6D2AEEF9

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Library$ErrorException@8FreeH_prolog3LastLoadThrow
String ID: Dn*m$LoadLibrary
API String ID: 3026435860-3830760823
Opcode ID: 8f63d067d6fcf3039099da721bdaf71737e7805bb801477156e140403a0d5e00
Instruction ID: f20e50ba5e26c2f7edb0fc06634421de2e616ea204acdba25b7484ccecf31af1
Opcode Fuzzy Hash: 8f63d067d6fcf3039099da721bdaf71737e7805bb801477156e140403a0d5e00
Instruction Fuzzy Hash: FD116D7194420EDBDB41DF68C58879DBBB4EF04329F0981A4E928DF245C774D905CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B9B4C Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2B9B53

Part of subcall function 6D2AC3BC: __EH_prolog3.LIBCMT ref: 6D2AC3C3
Part of subcall function 6D2AC3BC: GetCommandLineW.KERNEL32(0000001C,6D2B9B69,?,00000008,6D2BA8A4), ref: 6D2AC3C8

Strings

IDS_CREATE_LAYOUT_PROGRESS_BAR_HEADER, xrefs: 6D2B9B87
IDS_INSTALL_PROGRESS_BAR_HEADER, xrefs: 6D2B9B5F
IDS_UNINSTALLPATCH_PROGRESS_BAR_HEADER, xrefs: 6D2B9B80
IDS_UNINSTALL_PROGRESS_BAR_HEADER, xrefs: 6D2B9B95
IDS_ROLLBACK_PROGRESS_BAR_HEADER, xrefs: 6D2B9B9C
IDS_REPAIR_PROGRESS_BAR_HEADER, xrefs: 6D2B9B8E

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3$CommandLine
String ID: IDS_CREATE_LAYOUT_PROGRESS_BAR_HEADER$IDS_INSTALL_PROGRESS_BAR_HEADER$IDS_REPAIR_PROGRESS_BAR_HEADER$IDS_ROLLBACK_PROGRESS_BAR_HEADER$IDS_UNINSTALLPATCH_PROGRESS_BAR_HEADER$IDS_UNINSTALL_PROGRESS_BAR_HEADER
API String ID: 1384747822-3246460586
Opcode ID: 03d46737016ddfb9ef0fd51fb7b0bece56a5a4ff28e24da3d28d6cde7f6838ac
Instruction ID: 572cd81947168f6df90ab6269a070022f338e36dec2fdba51d1390066d2b0626
Opcode Fuzzy Hash: 03d46737016ddfb9ef0fd51fb7b0bece56a5a4ff28e24da3d28d6cde7f6838ac
Instruction Fuzzy Hash: B801D8720F410F8BDB51DB78C544A39B661FFA536FF598524D224DB254CFB1D4118B12

Uniqueness

Uniqueness Score: -1.00%

Function 6D2AE9B3 Relevance: 12.1, APIs: 8, Instructions: 109COMMON

Download Yara Rule

APIs

CallNextHookEx.USER32 ref: 6D2AE9CF
UnhookWindowsHookEx.USER32(?), ref: 6D2AE9FD

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Hook$CallNextUnhookWindows
String ID:
API String ID: 969045306-0
Opcode ID: a568878aad68628bf07bf058f44c1c14bca4ae4e4c0930b23a77a2d47f8962d2
Instruction ID: ac739a446b30ac4c5b3fb49f57846ec0e6ad28a13f3df2dafbd356a5a8296da7
Opcode Fuzzy Hash: a568878aad68628bf07bf058f44c1c14bca4ae4e4c0930b23a77a2d47f8962d2
Instruction Fuzzy Hash: 5C415871B80A0EEFCB11DF18C888EAA77B5FB4172AF188564F565DA5A1D331E985CB00

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B0B43 Relevance: 12.1, APIs: 8, Instructions: 77windowkeyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 6D2B0B58
GetParent.USER32 ref: 6D2B0B79
GetParent.USER32 ref: 6D2B0B8C
SendMessageW.USER32(00000000,000006DB,00000000,00000000), ref: 6D2B0B9E
GetParent.USER32(?), ref: 6D2B0BDB
SendMessageW.USER32(00000000,000006DA,00000000,00000000), ref: 6D2B0BEF
GetParent.USER32(000000FF), ref: 6D2B0BFA
SendMessageW.USER32(00000000,000006DD,000000FF,000000FF), ref: 6D2B0C08

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Parent$MessageSend$State
String ID:
API String ID: 1493399426-0
Opcode ID: d913b2aa3eecd930be800d10d79fb0cadda37e6469f3d3650574e133fee5b9a7
Instruction ID: 308850a23582ef0f8b3939ebca086b853c03c6d3f21b9919cbced453d7b4fc85
Opcode Fuzzy Hash: d913b2aa3eecd930be800d10d79fb0cadda37e6469f3d3650574e133fee5b9a7
Instruction Fuzzy Hash: 23219F34D4020DBFDF129BA5CA49FAEBFB4EB023A9F108255F161A60D0D7B49A41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6D2AF4D6 Relevance: 12.0, APIs: 8, Instructions: 35COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 6D2AF4E8
EnableWindow.USER32(00000000,00000000), ref: 6D2AF4F3
GetDlgItem.USER32 ref: 6D2AF4FB
EnableWindow.USER32(00000000,00000000), ref: 6D2AF500
GetDlgItem.USER32 ref: 6D2AF508
EnableWindow.USER32(00000000,00000000), ref: 6D2AF50D
GetDlgItem.USER32 ref: 6D2AF515
EnableWindow.USER32(00000000,00000000), ref: 6D2AF51A

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: EnableItemWindow
String ID:
API String ID: 3833022359-0
Opcode ID: 9abb2ce76794c8cf1146178fbde81b1eff27ed26d6c254b713b9aebb675424ad
Instruction ID: c5e5328df4eb3e2c0046270cf93c72b48c3c30a4cec5c3266b10771e180b3400
Opcode Fuzzy Hash: 9abb2ce76794c8cf1146178fbde81b1eff27ed26d6c254b713b9aebb675424ad
Instruction Fuzzy Hash: 36F09E7254025877CF212FA6CC09F4B7E29EFC5760F154462F6049A060C771D861DFE4

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B48B6 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 180COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2B48BD

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

Part of subcall function 6D2AD76F: __EH_prolog3.LIBCMT ref: 6D2AD776

Part of subcall function 6D2B1F81: __EH_prolog3.LIBCMT ref: 6D2B1F88

Strings

Text, xrefs: 6D2B48CD
Drive2, xrefs: 6D2B49B8
Drive1, xrefs: 6D2B4923
Drive3, xrefs: 6D2B4A45
Placement, xrefs: 6D2B4930

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: Drive1$Drive2$Drive3$Placement$Text
API String ID: 431132790-3260609399
Opcode ID: 8165f8ea3148f56631ff80d0da0734bb3eeb809e37621070258ded42b0f5ac99
Instruction ID: 6f042c88f334ec9dc7b55a89122c47483524f3b0cca52c871afed158d5227b60
Opcode Fuzzy Hash: 8165f8ea3148f56631ff80d0da0734bb3eeb809e37621070258ded42b0f5ac99
Instruction Fuzzy Hash: C971517194414DDFDB00DBE8C544BEEBBB8AF19318F1941A8E614E7281DB74EA05D722

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B7FE0 Relevance: 10.7, APIs: 7, Instructions: 175COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2B7FE7

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

PathGetDriveNumberW.SHLWAPI(?,?,?,00000014,6D2B9180,?,?,?,?,?,?,?,?), ref: 6D2B8015
PathGetDriveNumberW.SHLWAPI(?), ref: 6D2B801C
PathGetDriveNumberW.SHLWAPI(?,?,?,?), ref: 6D2B8064
PathGetDriveNumberW.SHLWAPI(?), ref: 6D2B806B
PathGetDriveNumberW.SHLWAPI(00000001,00000001,?,?), ref: 6D2B80B3
PathGetDriveNumberW.SHLWAPI(?), ref: 6D2B80BA

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: DriveNumberPath$H_prolog3
String ID:
API String ID: 2285536258-0
Opcode ID: fe980a9c49441ac68acc03f46462799ae234fb1ce7d73b6db22f4022c799df1f
Instruction ID: 814b7782fa71663ddcafea8ac8ba0ea3989bda61b91068a9fb783ddd8b00ac2e
Opcode Fuzzy Hash: fe980a9c49441ac68acc03f46462799ae234fb1ce7d73b6db22f4022c799df1f
Instruction Fuzzy Hash: 42812975904609DFCB14CF68C48095DFBB1FF48368B29C5A9E968AB3A1C731E941CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B4E46 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 170COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2B4E4D

Part of subcall function 6D2B396A: __EH_prolog3.LIBCMT ref: 6D2B3971

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

Part of subcall function 6D2B3AD4: __EH_prolog3.LIBCMT ref: 6D2B3ADB

Strings

CreateLayout, xrefs: 6D2B4F61
Install, xrefs: 6D2B4E68
Repair, xrefs: 6D2B4EBA
Uninstall, xrefs: 6D2B4F0C
UninstallPatch, xrefs: 6D2B4FB6

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: CreateLayout$Install$Repair$Uninstall$UninstallPatch
API String ID: 431132790-791770018
Opcode ID: e6f8e4c89a1a981a199d424ab1a4149a2cf2582477d7ce5759ca8e4f8211b226
Instruction ID: f8339fd31bcad15d9a6ec6dedb5d8b52469bbfe77df77a257c7a2f92913f69e5
Opcode Fuzzy Hash: e6f8e4c89a1a981a199d424ab1a4149a2cf2582477d7ce5759ca8e4f8211b226
Instruction Fuzzy Hash: 32715C7194464DDFDB10DBA8C944BDEFBF8BF08308F1485A9E269E7241DB70AA05DB21

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B1C23 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 99COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,6D2A79E4), ref: 6D2B1C97
__EH_prolog3.LIBCMT ref: 6D2B1C2A

Part of subcall function 6D2C4870: __EH_prolog3.LIBCMT ref: 6D2C4877

Strings

%1., xrefs: 6D2B1CD6
IDS_PLEASE_WAIT, xrefs: 6D2B1D13
User Cancelled!, xrefs: 6D2B1C82
IDS_CANCELLING, xrefs: 6D2B1CB4

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3$TextWindow
String ID: %1.$IDS_CANCELLING$IDS_PLEASE_WAIT$User Cancelled!
API String ID: 1938513527-756668064
Opcode ID: 6f929fd4a8cb2a71af756d05e5f17fbee221ddfa8d6f0e546a92bc440e8d02e0
Instruction ID: 0ba27876d1aa26f47c972724b46f55ff603989555decf11c295a6bad0daae812
Opcode Fuzzy Hash: 6f929fd4a8cb2a71af756d05e5f17fbee221ddfa8d6f0e546a92bc440e8d02e0
Instruction Fuzzy Hash: A2418E7188424D9FCF41DFA4C880BEEB7B4AF45358F1941A0EA14AF266CBB19D45CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B1B63 Relevance: 10.6, APIs: 7, Instructions: 62windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2B1B6A
GetParent.USER32(00000065), ref: 6D2B1B80

Part of subcall function 6D2AF415: GetDlgItem.USER32 ref: 6D2AF479
Part of subcall function 6D2AF415: GetWindowLongW.USER32(00000000,000000EB), ref: 6D2AF484
Part of subcall function 6D2AF415: SetWindowLongW.USER32(00000000,000000EB,00000001), ref: 6D2AF4C4

PostMessageW.USER32(00000065,00000028,00000000,00000000), ref: 6D2B1BDF
SetWindowLongW.USER32(00000065,000000F4,00000065), ref: 6D2B1BE7
GetParent.USER32(00000065), ref: 6D2B1BF2
SetWindowTextW.USER32(00000000,?), ref: 6D2B1BFA
PostMessageW.USER32(00000065,000006F5,00000000,00000000), ref: 6D2B1C0B

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Window$Long$MessageParentPost$H_prolog3ItemText
String ID:
API String ID: 870142269-0
Opcode ID: 68f82d8a34283fb798f293b0e4de20ab0011bed8ecb7425bb3cca6ffc5cb060f
Instruction ID: e1c9cedbd7cfb6c3287b96d1b1ce2c80e34714cd4a74d8605b223088d4d9465d
Opcode Fuzzy Hash: 68f82d8a34283fb798f293b0e4de20ab0011bed8ecb7425bb3cca6ffc5cb060f
Instruction Fuzzy Hash: E6219D75A4060AEFDB128FA4CC88FAAB7B8FF05748F140428F251E7190DB71A855CB80

Uniqueness

Uniqueness Score: -1.00%

Function 6D2BFB4F Relevance: 10.6, APIs: 7, Instructions: 53windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2BFB56
GetParent.USER32(00000001), ref: 6D2BFB6B
SendMessageW.USER32(00000000,00000481,00000001,00000000), ref: 6D2BFB78
GetParent.USER32(00000001), ref: 6D2BFBB5
SendMessageW.USER32(00000000,0000047E,?,?), ref: 6D2BFBC1
GetParent.USER32(00000001), ref: 6D2BFBD3
SendMessageW.USER32(00000000,00000480,?,?), ref: 6D2BFBDF

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: MessageParentSend$H_prolog3
String ID:
API String ID: 1482283565-0
Opcode ID: 507a42afad79a96311a03e9bda7b579a09a1e57104110b8d3d2b0bc3a4857f3f
Instruction ID: 2bd050f650f7b1ea9d42f8b0d1b6f3a6384c4de5e9f20e4c5a9ebb9ef277611b
Opcode Fuzzy Hash: 507a42afad79a96311a03e9bda7b579a09a1e57104110b8d3d2b0bc3a4857f3f
Instruction Fuzzy Hash: 9D11347444070EAFDB219F60C848BAEB7B5FF0475DF048924F265AA6A0C7B4A985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6D2BB6A5 Relevance: 10.5, APIs: 7, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6D2AE389: GetParent.USER32 ref: 6D2AE390
Part of subcall function 6D2AE389: PostMessageW.USER32(00000000,00000470,00000000,?), ref: 6D2AE3A1

Part of subcall function 6D2AE36B: GetParent.USER32(?), ref: 6D2AE36D
Part of subcall function 6D2AE36B: SendMessageW.USER32(00000000,0000046B,00000000,00000000), ref: 6D2AE37D

GetParent.USER32(00000069), ref: 6D2BB6D1
GetSystemMenu.USER32(00000000,00000000,0000F060,00000000,?,?,00000000,6D2C20A8,00000001,?,6D2C2023,?,000006F5,?,?,?), ref: 6D2BB6DD
EnableMenuItem.USER32 ref: 6D2BB6E4
SetWindowLongW.USER32(00000069,000000F4,00000069), ref: 6D2BB6F0
GetParent.USER32(00000069), ref: 6D2BB6FB
SetWindowTextW.USER32(00000000,?), ref: 6D2BB6FF
PostMessageW.USER32(00000069,000006F5,00000000,00000000), ref: 6D2BB710

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Parent$Message$MenuPostWindow$EnableItemLongSendSystemText
String ID:
API String ID: 2729316450-0
Opcode ID: 1c82705c0edaf390bcf3aecda724fb9fecfe132ed227289ac8bb9ab83c811bf3
Instruction ID: e201107d49c1c5aa1f2329022d2d9ce163fd793bcf863313756c976fb65602b4
Opcode Fuzzy Hash: 1c82705c0edaf390bcf3aecda724fb9fecfe132ed227289ac8bb9ab83c811bf3
Instruction Fuzzy Hash: 27016975240610BFEB215FA5CC4DF5A7BB9EB89B79F280410F351D7590CBB2A861CB88

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C4ECE Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2C4ED5

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

Strings

SystemRequirement, xrefs: 6D2C4F21
None, xrefs: 6D2C4EE3
Progress Page, xrefs: 6D2C4F1A
Eula, xrefs: 6D2C4F28, 6D2C4F3D
Welcome, xrefs: 6D2C4F2F

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: Eula$None$Progress Page$SystemRequirement$Welcome
API String ID: 431132790-1170989405
Opcode ID: 37f7018df0a70ccc6dc713b83079bd52371021820430006bd7126227f5f8ffb0
Instruction ID: 4eba2b790c17713a57cf5138341cd24a062f4a77dab0c0202dcdf22f4d0a2987
Opcode Fuzzy Hash: 37f7018df0a70ccc6dc713b83079bd52371021820430006bd7126227f5f8ffb0
Instruction Fuzzy Hash: 9C01F4B2AD554E879BA1DB58498053EF1A1FF8962A76A4222E624CB210C770DD03C7C3

Uniqueness

Uniqueness Score: -1.00%

Function 00C13979 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E00C13979(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t26;
				intOrPtr _t30;
				void* _t35;
				intOrPtr _t40;
				void* _t41;

				_t31 = __ebx;
				_push(8);
				_push(0xc16f08);
				E00C13DB0(__ebx, __edi, __esi);
				GetModuleHandleW(L"KERNEL32.DLL");
				_t40 =  *((intOrPtr*)(_t41 + 8));
				 *((intOrPtr*)(_t40 + 0x5c)) = 0xc11b90;
				 *(_t40 + 8) =  *(_t40 + 8) & 0x00000000;
				 *((intOrPtr*)(_t40 + 0x14)) = 1;
				 *((intOrPtr*)(_t40 + 0x70)) = 1;
				 *((char*)(_t40 + 0xc8)) = 0x43;
				 *((char*)(_t40 + 0x14b)) = 0x43;
				 *(_t40 + 0x68) = 0xc18560;
				E00C14331(__ebx, _t35, 1, 0xd);
				 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
				InterlockedIncrement( *(_t40 + 0x68));
				 *(_t41 - 4) = 0xfffffffe;
				E00C13A1B();
				E00C14331(_t31, _t35, 1, 0xc);
				 *(_t41 - 4) = 1;
				_t26 =  *((intOrPtr*)(_t41 + 0xc));
				 *((intOrPtr*)(_t40 + 0x6c)) = _t26;
				if(_t26 == 0) {
					_t30 =  *0xc18558; // 0xc18480
					 *((intOrPtr*)(_t40 + 0x6c)) = _t30;
				}
				E00C15396( *((intOrPtr*)(_t40 + 0x6c)));
				 *(_t41 - 4) = 0xfffffffe;
				return E00C13DF5(E00C13A24());
			}

0x00c13979
0x00c13979
0x00c1397b
0x00c13980
0x00c1398a
0x00c13990
0x00c13993
0x00c1399a
0x00c139a1
0x00c139a4
0x00c139a7
0x00c139ae
0x00c139b5
0x00c139be
0x00c139c4
0x00c139cb
0x00c139d1
0x00c139d8
0x00c139df
0x00c139e5
0x00c139e8
0x00c139eb
0x00c139f0
0x00c139f2
0x00c139f7
0x00c139f7
0x00c139fd
0x00c13a03
0x00c13a14

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,00C16F08,00000008,00C13A86,00000000,00000000,?,00C12FA5,00000003), ref: 00C1398A
__lock.LIBCMT ref: 00C139BE

Part of subcall function 00C14331: __mtinitlocknum.LIBCMT ref: 00C14347
Part of subcall function 00C14331: __amsg_exit.LIBCMT ref: 00C14353
Part of subcall function 00C14331: EnterCriticalSection.KERNEL32(?,?,?,00C139C3,0000000D,?,00C12FA5,00000003), ref: 00C1435B

InterlockedIncrement.KERNEL32(00C18560), ref: 00C139CB
__lock.LIBCMT ref: 00C139DF
___addlocaleref.LIBCMT ref: 00C139FD

Strings

KERNEL32.DLL, xrefs: 00C13985

Memory Dump Source

Source File: 00000014.00000002.712372782.0000000000C11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000014.00000002.712347190.0000000000C10000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.712416872.0000000000C18000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.712438921.0000000000C1A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_c10000_Setup.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: c3d885d5ada1a77c3368479cedc53c4ef28a91db0f4605429c2b012453cabbfc
Instruction ID: 66a269387fa07a144db668a2b2313f09e619685c1e65561a0016c5ebe1988d2b
Opcode Fuzzy Hash: c3d885d5ada1a77c3368479cedc53c4ef28a91db0f4605429c2b012453cabbfc
Instruction Fuzzy Hash: 50015EB1404B40DFD720AF65D8067CDFBF0AF42315F108949E5D5566A1CBB4A685FB10

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C9AA9 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,6D2D7FA8,00000008,6D2C9BB6,00000000,00000000,?,6D2CB575,6D2C9054,?,?,6D2C91D6,?), ref: 6D2C9ABA
__lock.LIBCMT ref: 6D2C9AEE

Part of subcall function 6D2CEA00: __mtinitlocknum.LIBCMT ref: 6D2CEA16
Part of subcall function 6D2CEA00: __amsg_exit.LIBCMT ref: 6D2CEA22
Part of subcall function 6D2CEA00: EnterCriticalSection.KERNEL32(6D2C91D6,6D2C91D6,?,6D2C9AF3,0000000D), ref: 6D2CEA2A

InterlockedIncrement.KERNEL32(83EC8B55), ref: 6D2C9AFB
__lock.LIBCMT ref: 6D2C9B0F
___addlocaleref.LIBCMT ref: 6D2C9B2D

Strings

KERNEL32.DLL, xrefs: 6D2C9AB5

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: 48602adea52cd2a1fbb3370234964d0a8c4a7f0b78a8400d4227391d99ed91c0
Instruction ID: fbf3ab494e682fbca96acad4f5a13c64fd9df599daedc965d091b94988f01f7e
Opcode Fuzzy Hash: 48602adea52cd2a1fbb3370234964d0a8c4a7f0b78a8400d4227391d99ed91c0
Instruction Fuzzy Hash: D201C471888B09EFD760CF65C40974AFBF0EF40329F118A5DD196932D0CB70A940DB16

Uniqueness

Uniqueness Score: -1.00%

Function 6D2D288F Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 23COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6D2D28B0

Part of subcall function 6D2C9BE0: __getptd_noexit.LIBCMT ref: 6D2C9BE3
Part of subcall function 6D2C9BE0: __amsg_exit.LIBCMT ref: 6D2C9BF0

__getptd.LIBCMT ref: 6D2D28C1
__getptd.LIBCMT ref: 6D2D28CF

Strings

RCC, xrefs: 6D2D289B
csm, xrefs: 6D2D28A9
MOC, xrefs: 6D2D28A2

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$RCC$csm
API String ID: 803148776-2671469338
Opcode ID: c95cb452513ca19a93679836afc226ef36163cfd16b51e0311ae908c2184dada
Instruction ID: 98d43c384f1451bb852e54f76cb93fac5c53c2e989111416da1454b062523b1a
Opcode Fuzzy Hash: c95cb452513ca19a93679836afc226ef36163cfd16b51e0311ae908c2184dada
Instruction Fuzzy Hash: 12E0ED7419C10D9EC7609764C095B687398FF8431AF6655E1D50CC7222C724A8909A63

Uniqueness

Uniqueness Score: -1.00%

Function 00C12930 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 17
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C12930() {
				void* _t1;
				struct HINSTANCE__* _t2;
				_Unknown_base(*)()* _t4;

				if( *0xc19888 == 0) {
					_t2 = LoadLibraryW(L"kernel32.dll");
					 *0xc19888 = _t2;
					 *0xc1988c = GetProcAddress(_t2, "EncodePointer");
					_t4 = GetProcAddress( *0xc19888, "DecodePointer");
					 *0xc19890 = _t4;
					return _t4;
				}
				return _t1;
			}

0x00c12937
0x00c1293f
0x00c12951
0x00c12963
0x00c12968
0x00c1296a
0x00000000
0x00c1296f
0x00c12970

APIs

LoadLibraryW.KERNEL32(kernel32.dll,?,00C12980), ref: 00C1293F
GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00C12956
GetProcAddress.KERNEL32(DecodePointer), ref: 00C12968

Strings

kernel32.dll, xrefs: 00C1293A
EncodePointer, xrefs: 00C1294B
DecodePointer, xrefs: 00C12958

Memory Dump Source

Source File: 00000014.00000002.712372782.0000000000C11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000014.00000002.712347190.0000000000C10000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.712416872.0000000000C18000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.712438921.0000000000C1A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_c10000_Setup.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: DecodePointer$EncodePointer$kernel32.dll
API String ID: 2238633743-1525541703
Opcode ID: bfba3a6d8fd5c168e769655be224b1ee3b99c99475029246990a2d4089bcc669
Instruction ID: 7f43c46024c5312f7dd7257866f1eecc46a01ba23138b7a6e51e6ace4d9aa779
Opcode Fuzzy Hash: bfba3a6d8fd5c168e769655be224b1ee3b99c99475029246990a2d4089bcc669
Instruction Fuzzy Hash: E4E0E27AC10210AEEB04AF65BC29BCA3FE4F78B361F008026A514922E0D27444E1EF61

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C849B Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 17libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(kernel32.dll,?,6D2C84EB), ref: 6D2C84AA
GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 6D2C84C1
GetProcAddress.KERNEL32(DecodePointer), ref: 6D2C84D3

Strings

kernel32.dll, xrefs: 6D2C84A5
DecodePointer, xrefs: 6D2C84C3
EncodePointer, xrefs: 6D2C84B6

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: DecodePointer$EncodePointer$kernel32.dll
API String ID: 2238633743-1525541703
Opcode ID: 669ee3732caa36b635881d35eadca9eada83e1fa49c4193583ef556e2c277c90
Instruction ID: 16b2ca52a114e100e06f0316e887666a704ada8d1fe7239ba9986c1b6bfefc35
Opcode Fuzzy Hash: 669ee3732caa36b635881d35eadca9eada83e1fa49c4193583ef556e2c277c90
Instruction Fuzzy Hash: 7AE0ECB4C5422BEEDF21DFA6D80CB977E74EB0A329B054596E41293145D3301580EF94

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B7C58 Relevance: 9.1, APIs: 6, Instructions: 140threadwindowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2B7C5F
GetWindowThreadProcessId.USER32(?,00000000), ref: 6D2B7C71
GetCurrentProcessId.KERNEL32 ref: 6D2B7C77
GetWindowTextW.USER32 ref: 6D2B7CF6
IsWindowVisible.USER32(?), ref: 6D2B7D1D
RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,?,?,?,?,?), ref: 6D2B7DF3

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Window$Process$CurrentExceptionH_prolog3RaiseTextThreadVisible
String ID:
API String ID: 905677211-0
Opcode ID: 2d52c75f58457fa8acd937e3172cf2a9c2b21f8ca177aeb7268c1a7552860434
Instruction ID: f6f8e635571bd9f49ffe63aa49bfae5afeb6553e9f3d8e743b76fb91a470a2f6
Opcode Fuzzy Hash: 2d52c75f58457fa8acd937e3172cf2a9c2b21f8ca177aeb7268c1a7552860434
Instruction Fuzzy Hash: C4517971D4421EEFCF00CFA4C888AAEBB74FF0439DF158169EA15AB150D7719A85CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C3D2E Relevance: 9.0, APIs: 6, Instructions: 49windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2C3D35
SetWindowLongW.USER32(?,000000F4,00000065), ref: 6D2C3D49

Part of subcall function 6D2AFF14: EnumChildWindows.USER32 ref: 6D2AFF21

GetParent.USER32(?), ref: 6D2C3D85
SendMessageW.USER32(00000000,00000485,00000000,00000065), ref: 6D2C3D90
GetParent.USER32(?), ref: 6D2C3D9D
GetDesktopWindow.USER32 ref: 6D2C3DA2

Part of subcall function 6D2C8E26: HeapFree.KERNEL32(00000000,00000000,?,6D2C9BCC,00000000,?,6D2CB575,6D2C9054), ref: 6D2C8E3C
Part of subcall function 6D2C8E26: GetLastError.KERNEL32(00000000,?,6D2C9BCC,00000000,?,6D2CB575,6D2C9054), ref: 6D2C8E4E

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: ParentWindow$ChildDesktopEnumErrorFreeH_prolog3HeapLastLongMessageSendWindows
String ID:
API String ID: 1093383602-0
Opcode ID: 9cf3349de55a234441952e2bec42bb76683da1dd1de4c6bdb7e70f11e3c1b454
Instruction ID: 660d4b3790302bbe7158d733627aa4bf460bcd726eda21a3b546d46e3110d2e2
Opcode Fuzzy Hash: 9cf3349de55a234441952e2bec42bb76683da1dd1de4c6bdb7e70f11e3c1b454
Instruction Fuzzy Hash: B9115A74A406089BCB119FA4C848A9EFBF4FF89704B10452AE225E7290EB759900CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C3FCE Relevance: 9.0, APIs: 6, Instructions: 49windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2C3FD5
SetWindowLongW.USER32(?,000000F4,00000067), ref: 6D2C3FE9

Part of subcall function 6D2AFF14: EnumChildWindows.USER32 ref: 6D2AFF21

GetParent.USER32(?), ref: 6D2C4025
SendMessageW.USER32(00000000,00000485,00000000,00000067), ref: 6D2C4030
GetParent.USER32(?), ref: 6D2C403D
GetDesktopWindow.USER32 ref: 6D2C4042

Part of subcall function 6D2C8E26: HeapFree.KERNEL32(00000000,00000000,?,6D2C9BCC,00000000,?,6D2CB575,6D2C9054), ref: 6D2C8E3C
Part of subcall function 6D2C8E26: GetLastError.KERNEL32(00000000,?,6D2C9BCC,00000000,?,6D2CB575,6D2C9054), ref: 6D2C8E4E

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: ParentWindow$ChildDesktopEnumErrorFreeH_prolog3HeapLastLongMessageSendWindows
String ID:
API String ID: 1093383602-0
Opcode ID: 33b71f45593073ee9e951d86fef9a1f51d5c927626b6f1a1f0f9371d32f8b391
Instruction ID: 9a68c21b9c209c85a598b9a6278fe41da2dc1d99e3fd15a17e6d64f19acbf0d7
Opcode Fuzzy Hash: 33b71f45593073ee9e951d86fef9a1f51d5c927626b6f1a1f0f9371d32f8b391
Instruction Fuzzy Hash: B4115A74A44608DBCB119FA4C848AAFFBF4FF88704B10452AE225E7290DB749901CB54

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C3E60 Relevance: 9.0, APIs: 6, Instructions: 49windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2C3E67
SetWindowLongW.USER32(?,000000F4,00000066), ref: 6D2C3E7B

Part of subcall function 6D2AFF14: EnumChildWindows.USER32 ref: 6D2AFF21

GetParent.USER32(?), ref: 6D2C3EB7
SendMessageW.USER32(00000000,00000485,00000000,00000066), ref: 6D2C3EC2
GetParent.USER32(?), ref: 6D2C3ECF
GetDesktopWindow.USER32 ref: 6D2C3ED4

Part of subcall function 6D2C8E26: HeapFree.KERNEL32(00000000,00000000,?,6D2C9BCC,00000000,?,6D2CB575,6D2C9054), ref: 6D2C8E3C
Part of subcall function 6D2C8E26: GetLastError.KERNEL32(00000000,?,6D2C9BCC,00000000,?,6D2CB575,6D2C9054), ref: 6D2C8E4E

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: ParentWindow$ChildDesktopEnumErrorFreeH_prolog3HeapLastLongMessageSendWindows
String ID:
API String ID: 1093383602-0
Opcode ID: 611f3de9cb58cce2b92d4ecfec2bbfe54c9086a0bc7c0d9cce062916fc84eade
Instruction ID: a6a23def2129ffaad73318e5fa7f74553a994ff51e1f6947b2a596b98d8d4817
Opcode Fuzzy Hash: 611f3de9cb58cce2b92d4ecfec2bbfe54c9086a0bc7c0d9cce062916fc84eade
Instruction Fuzzy Hash: F0115A74E406089BCB11DFA4C94899FFBF4FF88704B10452AE125E7290DB759900CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C4100 Relevance: 9.0, APIs: 6, Instructions: 49windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2C4107
SetWindowLongW.USER32(?,000000F4,0000006A), ref: 6D2C411B

Part of subcall function 6D2AFF14: EnumChildWindows.USER32 ref: 6D2AFF21

GetParent.USER32(?), ref: 6D2C4157
SendMessageW.USER32(00000000,00000485,00000000,0000006A), ref: 6D2C4162
GetParent.USER32(?), ref: 6D2C416F
GetDesktopWindow.USER32 ref: 6D2C4174

Part of subcall function 6D2C8E26: HeapFree.KERNEL32(00000000,00000000,?,6D2C9BCC,00000000,?,6D2CB575,6D2C9054), ref: 6D2C8E3C
Part of subcall function 6D2C8E26: GetLastError.KERNEL32(00000000,?,6D2C9BCC,00000000,?,6D2CB575,6D2C9054), ref: 6D2C8E4E

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: ParentWindow$ChildDesktopEnumErrorFreeH_prolog3HeapLastLongMessageSendWindows
String ID:
API String ID: 1093383602-0
Opcode ID: d53a5bcb4689bbdbd5fed2bc02f7d27825df0e4aeab68103230c94c9cb72f7bd
Instruction ID: e1254078ce2bce9851b69c28dfcfba7c20562f2ff9b93c40e345cd2974d3664f
Opcode Fuzzy Hash: d53a5bcb4689bbdbd5fed2bc02f7d27825df0e4aeab68103230c94c9cb72f7bd
Instruction Fuzzy Hash: 09115AB4A406189BCB119FA4C948A9EFBF4FF99704B10452AE126E7290DB749901CF51

Uniqueness

Uniqueness Score: -1.00%

Function 6D2D2B64 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 6D2D2B8C

Part of subcall function 6D2D2542: __getptd.LIBCMT ref: 6D2D2550
Part of subcall function 6D2D2542: __getptd.LIBCMT ref: 6D2D255E

__getptd.LIBCMT ref: 6D2D2B96

Part of subcall function 6D2C9BE0: __getptd_noexit.LIBCMT ref: 6D2C9BE3
Part of subcall function 6D2C9BE0: __amsg_exit.LIBCMT ref: 6D2C9BF0

__getptd.LIBCMT ref: 6D2D2BA4
__getptd.LIBCMT ref: 6D2D2BB2
__getptd.LIBCMT ref: 6D2D2BBD
_CallCatchBlock2.LIBCMT ref: 6D2D2BE3

Part of subcall function 6D2D25F6: __CallSettingFrame@12.LIBCMT ref: 6D2D2642

Part of subcall function 6D2D2C8A: __getptd.LIBCMT ref: 6D2D2C99
Part of subcall function 6D2D2C8A: __getptd.LIBCMT ref: 6D2D2CA7

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 81008c4c63ebf60ad53604ef715eee43caa769d2ea4b029cb9925590b6d17ce1
Instruction ID: 24deeaac3485c58c5adcafd3934019b77287b7e1b6cc2c878aaa16a91a253891
Opcode Fuzzy Hash: 81008c4c63ebf60ad53604ef715eee43caa769d2ea4b029cb9925590b6d17ce1
Instruction Fuzzy Hash: 6B11E9B5C4824DEFDB40DFA4C544BAEBBB4FF04319F118169E914A7250DB389A11DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C3A76 Relevance: 9.0, APIs: 6, Instructions: 49windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2C3A7D
SetWindowLongW.USER32(?,000000F4,0000006B), ref: 6D2C3A91

Part of subcall function 6D2AFF14: EnumChildWindows.USER32 ref: 6D2AFF21

GetParent.USER32(?), ref: 6D2C3ACD
SendMessageW.USER32(00000000,00000485,00000000,0000006B), ref: 6D2C3AD8
GetParent.USER32(?), ref: 6D2C3AE5
GetDesktopWindow.USER32 ref: 6D2C3AEA

Part of subcall function 6D2C8E26: HeapFree.KERNEL32(00000000,00000000,?,6D2C9BCC,00000000,?,6D2CB575,6D2C9054), ref: 6D2C8E3C
Part of subcall function 6D2C8E26: GetLastError.KERNEL32(00000000,?,6D2C9BCC,00000000,?,6D2CB575,6D2C9054), ref: 6D2C8E4E

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: ParentWindow$ChildDesktopEnumErrorFreeH_prolog3HeapLastLongMessageSendWindows
String ID:
API String ID: 1093383602-0
Opcode ID: ebfc03f3db120a2a8c2207e0d287bec10666cceca2b993ed694b9dbed7791014
Instruction ID: 543dbe77052604972829ee7352f45168b4df44bcad7015da3498142c9f45b7bf
Opcode Fuzzy Hash: ebfc03f3db120a2a8c2207e0d287bec10666cceca2b993ed694b9dbed7791014
Instruction Fuzzy Hash: 6A115AB4A406099FCB11DFA8C848A9EFBF4FF88705B10492AE126E7290DB759900CB54

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C424A Relevance: 9.0, APIs: 6, Instructions: 49windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2C4251
SetWindowLongW.USER32(?,000000F4,00000069), ref: 6D2C4265

Part of subcall function 6D2AFF14: EnumChildWindows.USER32 ref: 6D2AFF21

GetParent.USER32(?), ref: 6D2C42A1
SendMessageW.USER32(00000000,00000485,00000000,00000069), ref: 6D2C42AC
GetParent.USER32(?), ref: 6D2C42B9
GetDesktopWindow.USER32 ref: 6D2C42BE

Part of subcall function 6D2C8E26: HeapFree.KERNEL32(00000000,00000000,?,6D2C9BCC,00000000,?,6D2CB575,6D2C9054), ref: 6D2C8E3C
Part of subcall function 6D2C8E26: GetLastError.KERNEL32(00000000,?,6D2C9BCC,00000000,?,6D2CB575,6D2C9054), ref: 6D2C8E4E

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: ParentWindow$ChildDesktopEnumErrorFreeH_prolog3HeapLastLongMessageSendWindows
String ID:
API String ID: 1093383602-0
Opcode ID: 4e8b5749bc056c8d972e4c2305be2a07709de2d47a027615264c08a4f52fb8b1
Instruction ID: 9da25c938565e8133347e1d1c447d81336d983ab5a97859370408144c5193c8b
Opcode Fuzzy Hash: 4e8b5749bc056c8d972e4c2305be2a07709de2d47a027615264c08a4f52fb8b1
Instruction Fuzzy Hash: D51157B4A406189FCB119FA8C948A9EFBF4FF88714B10462AE225E72A0DB749901CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00C1591A Relevance: 9.0, APIs: 6, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E00C1591A(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				long _t23;
				void* _t29;
				void* _t31;
				LONG* _t33;
				void* _t34;

				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0xc17018);
				E00C13DB0(__ebx, __edi, __esi);
				_t31 = E00C13AB0();
				_t15 =  *0xc18aec; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E00C14331(_t25, _t29, _t31, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0xc18988; // 0x2520fd0
					if(__eflags != 0) {
						__eflags = _t33;
						if(_t33 != 0) {
							_t23 = InterlockedDecrement(_t33);
							__eflags = _t23;
							if(_t23 == 0) {
								__eflags = _t33 - 0xc18560;
								if(_t33 != 0xc18560) {
									E00C14EF9(_t33);
								}
							}
						}
						_t21 =  *0xc18988; // 0x2520fd0
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0xc18988; // 0x2520fd0
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E00C159B5();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				if(_t33 == 0) {
					_push(0x20);
					E00C12F1C();
				}
				return E00C13DF5(_t33);
			}

0x00c1591a
0x00c1591a
0x00c1591a
0x00c1591c
0x00c15921
0x00c1592b
0x00c1592d
0x00c15935
0x00c15956
0x00c1595c
0x00c15960
0x00c15963
0x00c15966
0x00c1596c
0x00c1596e
0x00c15970
0x00c15973
0x00c15979
0x00c1597b
0x00c1597d
0x00c15983
0x00c15986
0x00c1598b
0x00c15983
0x00c1597b
0x00c1598c
0x00c15991
0x00c15994
0x00c1599a
0x00c1599e
0x00c1599e
0x00c159a4
0x00c159ab
0x00c1593d
0x00c1593d
0x00c1593d
0x00c15942
0x00c15944
0x00c15946
0x00c1594b
0x00c15953

APIs

__getptd.LIBCMT ref: 00C15926

Part of subcall function 00C13AB0: __getptd_noexit.LIBCMT ref: 00C13AB3
Part of subcall function 00C13AB0: __amsg_exit.LIBCMT ref: 00C13AC0

__amsg_exit.LIBCMT ref: 00C15946
__lock.LIBCMT ref: 00C15956
InterlockedDecrement.KERNEL32(?), ref: 00C15973
_free.LIBCMT ref: 00C15986
InterlockedIncrement.KERNEL32(02520FD0), ref: 00C1599E

Memory Dump Source

Source File: 00000014.00000002.712372782.0000000000C11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000014.00000002.712347190.0000000000C10000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.712416872.0000000000C18000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.712438921.0000000000C1A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_c10000_Setup.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: 42d711756bebf30eca81dbb43600c7f9753a1ea6c158b57c4555909037f71f1a
Instruction ID: 9bee5730d4fe6800b20a5c0372a71d2062c3879dd92539084c69a143f8c17831
Opcode Fuzzy Hash: 42d711756bebf30eca81dbb43600c7f9753a1ea6c158b57c4555909037f71f1a
Instruction Fuzzy Hash: 3901AD31901A25DBCB10EB68A8057EEB760BF47730F484105E8206B295CB345AD6FBD2

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B8CD7 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 154windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2B8CDE

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

Part of subcall function 6D2C127A: __EH_prolog3.LIBCMT ref: 6D2C1281

Part of subcall function 6D2C1360: GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,Action,6D2DFE10,?,?,?,7DCDEE72,Action,?,00000000), ref: 6D2C1395
Part of subcall function 6D2C1360: GetLastError.KERNEL32(?,?,?,7DCDEE72,Action,?,00000000), ref: 6D2C13A5

SendMessageW.USER32(00000006,00000170,?,00000000), ref: 6D2B8E7C
SetWindowTextW.USER32(?,?), ref: 6D2B8E8E

Strings

%1!I64u!, xrefs: 6D2B8DBD, 6D2B8E03
< 1, xrefs: 6D2B8DCD, 6D2B8DD9

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3$DiskErrorFreeLastMessageSendSpaceTextWindow
String ID: %1!I64u!$< 1
API String ID: 3840077912-3199623825
Opcode ID: 18f004d45b11d39c148650ca8b5f65b4f5dcffd471b571c09c2c872637d91b56
Instruction ID: 99b563e50619156cdebf244b82f9f0e2c6f8d9d53c3dd9f7bea50b3d965af712
Opcode Fuzzy Hash: 18f004d45b11d39c148650ca8b5f65b4f5dcffd471b571c09c2c872637d91b56
Instruction Fuzzy Hash: 6A51507194424E9FDF01DFA8C844BEFB7B4AF09318F194164E624AB292C770EE14CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B45DE Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 153COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2B45E5

Part of subcall function 6D2B3AD4: __EH_prolog3.LIBCMT ref: 6D2B3ADB

Part of subcall function 6D2B396A: __EH_prolog3.LIBCMT ref: 6D2B3971

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

Part of subcall function 6D2B40EA: __EH_prolog3.LIBCMT ref: 6D2B40F1

Strings

SaveButton, xrefs: 6D2B4669
UserExperienceDataCollection, xrefs: 6D2B4755
LicenseTermsCheckbox, xrefs: 6D2B46E1
PrintButton, xrefs: 6D2B4614

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: LicenseTermsCheckbox$PrintButton$SaveButton$UserExperienceDataCollection
API String ID: 431132790-2575726183
Opcode ID: 3bdd672c2ad7315d71f94cc5e9e7fe3104a6009822fd75ddd252a5ec116d0d0b
Instruction ID: 6a847ae30a68f9907a27a7a7252cfa903818891da2498c6fcf24cae5665ffa1f
Opcode Fuzzy Hash: 3bdd672c2ad7315d71f94cc5e9e7fe3104a6009822fd75ddd252a5ec116d0d0b
Instruction Fuzzy Hash: 3D51717184424DDFDB00DBE8C980BDEB7B8AF0931CF1984A9E664E7241C774EA05D721

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B396A Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 118COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2B3971

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

Part of subcall function 6D2B3654: __EH_prolog3.LIBCMT ref: 6D2B365B

Strings

NextButton, xrefs: 6D2B39CB
BackButton, xrefs: 6D2B397F
CancelButton, xrefs: 6D2B3A1A
FinishButton, xrefs: 6D2B3A69

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: BackButton$CancelButton$FinishButton$NextButton
API String ID: 431132790-22014311
Opcode ID: ee60c5fc60878c913b7888bc2250a0c2cc4eaacade90a30ccf28f271b8739e8d
Instruction ID: d9b55d739c7f35e40be9c4917f3b58dcb4067192ac5647ef132042c2b55a3d40
Opcode Fuzzy Hash: ee60c5fc60878c913b7888bc2250a0c2cc4eaacade90a30ccf28f271b8739e8d
Instruction Fuzzy Hash: 38414CB294414DEFDB40DBE8C984BDEB7ACAF09208F1941A5E214E7281DB74DA05C732

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C1B2E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2C1B35
RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,00000004,6D2B85F7,00000000,6D2B98A4), ref: 6D2C1B89
__EH_prolog3.LIBCMT ref: 6D2C1B9C
_memset.LIBCMT ref: 6D2C1BB9

Strings

IDS_IS_REALLY_CANCEL, xrefs: 6D2C1C52

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3$ExceptionRaise_memset
String ID: IDS_IS_REALLY_CANCEL
API String ID: 1117901877-1805271499
Opcode ID: 376c072ea903da619583f10a65c13d3d95f2bc8622bd1793b5156af5c0b9c1ac
Instruction ID: ac604b099dd4b39ae46cfc80af077a6e4bdf5b24063b177a18f9c9c3b11823a5
Opcode Fuzzy Hash: 376c072ea903da619583f10a65c13d3d95f2bc8622bd1793b5156af5c0b9c1ac
Instruction Fuzzy Hash: 1B4116B1640709CFDB61CF68C54974ABBF0FF08704F114A69E6869B750DB71E905CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B5ECE Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 112COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2B5ED5

Part of subcall function 6D2B3AD4: __EH_prolog3.LIBCMT ref: 6D2B3ADB

Part of subcall function 6D2B396A: __EH_prolog3.LIBCMT ref: 6D2B3971

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

Part of subcall function 6D2B434E: __EH_prolog3.LIBCMT ref: 6D2B4355

Strings

UserExperienceDataCollection, xrefs: 6D2B5FBE
RepairRadioButton, xrefs: 6D2B5F04
Qr,m, xrefs: 6D2B5F68, 6D2B5F8D, 6D2B5FCC, 6D2B6008, 6D2B5F6B, 6D2B5F96, 6D2B5FCF, 6D2B6011
UninstallRadioButton, xrefs: 6D2B5F5A

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: Qr,m$RepairRadioButton$UninstallRadioButton$UserExperienceDataCollection
API String ID: 431132790-1139675932
Opcode ID: 9155484a9660d6c15f6e8be08f88497ceb606877a05e2ac4937832827e9e76d8
Instruction ID: e0fcb64a6cc202f5da0dbc48c1d166c713a0eab1d96cbe609a7375ed6f772daf
Opcode Fuzzy Hash: 9155484a9660d6c15f6e8be08f88497ceb606877a05e2ac4937832827e9e76d8
Instruction Fuzzy Hash: B14184B154468DEFDB00DBA8C884BDEB7B8AF0931CF584468E659E7241DB74EA09C731

Uniqueness

Uniqueness Score: -1.00%

Function 6D2AF2BE Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2AF2C5

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

Part of subcall function 6D2AF20C: __EH_prolog3.LIBCMT ref: 6D2AF213

Part of subcall function 6D2C83FD: _memcpy_s.LIBCMT ref: 6D2C844E

Strings

IDS_IS_FINISH, xrefs: 6D2AF3B8
IDS_IS_NEXT, xrefs: 6D2AF31B
IDS_IS_CANCEL, xrefs: 6D2AF36B
IDS_IS_BACK, xrefs: 6D2AF2CE

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3$_memcpy_s
String ID: IDS_IS_BACK$IDS_IS_CANCEL$IDS_IS_FINISH$IDS_IS_NEXT
API String ID: 1663610674-2063768433
Opcode ID: c4f496eb0f2d95ee183d2dc24e738439ba60c7de8025bef57418dafe53a55ae4
Instruction ID: 2b9c9533a162cd29ea2c1c6240053a277c31e3f43d472c33df098d26033cdf87
Opcode Fuzzy Hash: c4f496eb0f2d95ee183d2dc24e738439ba60c7de8025bef57418dafe53a55ae4
Instruction Fuzzy Hash: 4641B4B294451D9FDB40DFACC94475EB7B4EF58318F5906A8F654EB381CB309E008BA2

Uniqueness

Uniqueness Score: -1.00%

Function 6D2BB4CC Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 89COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2BB4D3

Part of subcall function 6D2BEB56: __wcsicoll.LIBCMT ref: 6D2BEB74

Part of subcall function 6D2C7FA1: __EH_prolog3.LIBCMT ref: 6D2C7FA8
Part of subcall function 6D2C7FA1: FormatMessageW.KERNEL32(00001300,00000000,?,?,?,00000000,00000000,00000008,6D2AC9AE,?,00000000,?), ref: 6D2C7FDB

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

Part of subcall function 6D2BF092: __EH_prolog3.LIBCMT ref: 6D2BF099

Strings

$$FailureReason$$, xrefs: 6D2BB4DD
HRESULT, xrefs: 6D2BB503
IDS_DOWNLOAD_ERROR_MESSAGE, xrefs: 6D2BB55A
0x%x, xrefs: 6D2BB548

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3$FormatMessage__wcsicoll
String ID: $$FailureReason$$$0x%x$HRESULT$IDS_DOWNLOAD_ERROR_MESSAGE
API String ID: 3776434076-2273825792
Opcode ID: c92db5f5cdeaf2453ea718f7c85f94058114cc2eaddd011f11ab33dcf0586abc
Instruction ID: 6779b85404752ee931fa7b997ab878d4d4f240fa51bb161afde298f184b215f5
Opcode Fuzzy Hash: c92db5f5cdeaf2453ea718f7c85f94058114cc2eaddd011f11ab33dcf0586abc
Instruction Fuzzy Hash: 6331887194410E9FCF50DBB8C844BAE77B4AF0532CF158664E664EB386D77099448BA2

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C73D5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6D2C73DC
GetLastError.KERNEL32 ref: 6D2C73F9
GetLastError.KERNEL32 ref: 6D2C746A

Strings

OpenService failed with error: %u, xrefs: 6D2C7438
QueryServiceStatus failed with error: %u, xrefs: 6D2C749F

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: ErrorLast$H_prolog3_
String ID: OpenService failed with error: %u$QueryServiceStatus failed with error: %u
API String ID: 3339191932-3526490536
Opcode ID: 4256e4b9d5125f7686a3a4c83e3b69c82251296534ad66086733f609ac06757a
Instruction ID: 19912d358a222e9bb1ca360c224e9784db00fde8d606918f941a549928ad6d32
Opcode Fuzzy Hash: 4256e4b9d5125f7686a3a4c83e3b69c82251296534ad66086733f609ac06757a
Instruction Fuzzy Hash: D731C572E9060A9FE7608F64C888B6E7BB1FF44325F158538E615DB241CB75DC008A66

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B2661 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2B2668
RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,00000008,6D2B50B8,?,?,?,00000000,6D2B5C04,?,?,?,00000048,?), ref: 6D2B2744

Part of subcall function 6D2C0686: __EH_prolog3.LIBCMT ref: 6D2C068D
Part of subcall function 6D2C0686: __recalloc.LIBCMT ref: 6D2C06D5

Strings

0]}-m, xrefs: 6D2B2724
0, xrefs: 6D2B26BD
0]}-m, xrefs: 6D2B2709

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3$ExceptionRaise__recalloc
String ID: 0$0]}-m$0]}-m
API String ID: 3369754026-3040864062
Opcode ID: 4a8a15082c7da6640f80db68b891037a7d138e0262051159a1e232f391134fcc
Instruction ID: eb7e1fb8aa0f72b63aa4e1cb39fbb366376824c16d63a60ccdcf5bd0b62713eb
Opcode Fuzzy Hash: 4a8a15082c7da6640f80db68b891037a7d138e0262051159a1e232f391134fcc
Instruction Fuzzy Hash: 1A31B2B494460AEFCB10CF55C9C099EF7B0FF04358B64C929EA699B601C370E992CF95

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B1310 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2B1317
__CxxThrowException@8.LIBCMT ref: 6D2B13B0

Strings

NotStarted, xrefs: 6D2B133E
Completed, xrefs: 6D2B1348, 6D2B134D
Unexpected behavior: AffectedProducts::ComputeAffectedProductsList() method called when computation state is %s, xrefs: 6D2B1351

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Exception@8H_prolog3Throw
String ID: Completed$NotStarted$Unexpected behavior: AffectedProducts::ComputeAffectedProductsList() method called when computation state is %s
API String ID: 3670251406-2979706164
Opcode ID: e8f42c5e7a403bdd40dc1424855f73a04704d5c0e0be5aedd85fcc0296e5221f
Instruction ID: d787961465a53e5fa621b2991f5c538b27c32a63f75d190f15db7e9ba3c6b73f
Opcode Fuzzy Hash: e8f42c5e7a403bdd40dc1424855f73a04704d5c0e0be5aedd85fcc0296e5221f
Instruction Fuzzy Hash: D531B071580209CFCB11CFA4C444AAAF7F4FF09308B04466EE6469B261DB75E985CF52

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C7FA1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2C7FA8
FormatMessageW.KERNEL32(00001300,00000000,?,?,?,00000000,00000000,00000008,6D2AC9AE,?,00000000,?), ref: 6D2C7FDB
LocalFree.KERNEL32(?,?,?), ref: 6D2C8004

Part of subcall function 6D2C83FD: __CxxThrowException@8.LIBCMT ref: 6D2C83E2

SysFreeString.OLEAUT32(00000000), ref: 6D2C806E

Strings

HRESULT 0x%8.8x, xrefs: 6D2C7FE8

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Free$Exception@8FormatH_prolog3LocalMessageStringThrow
String ID: HRESULT 0x%8.8x
API String ID: 3624661282-2887418326
Opcode ID: 25bc34ee2fe3715bb8b1ef962c75ee3ddd8bf1eaa85aba0d25c2fc809fd85fbc
Instruction ID: 5b183eed5fbcc704455b649d3c09788301fadcdd18d917f24a6ed1f3d7bad28b
Opcode Fuzzy Hash: 25bc34ee2fe3715bb8b1ef962c75ee3ddd8bf1eaa85aba0d25c2fc809fd85fbc
Instruction Fuzzy Hash: 92219D7198810FABCF618F54CC84EAEFBB5FF86315F11C62AE915AB250CB318D01CA12

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C127A Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 72COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2C1281

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

Part of subcall function 6D2C1360: GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,Action,6D2DFE10,?,?,?,7DCDEE72,Action,?,00000000), ref: 6D2C1395
Part of subcall function 6D2C1360: GetLastError.KERNEL32(?,?,?,7DCDEE72,Action,?,00000000), ref: 6D2C13A5

Strings

Disk space check for items being downloaded, xrefs: 6D2C12AF
complete, xrefs: 6D2C128C
Action, xrefs: 6D2C129E, 6D2C12BC
Drive:[%s] Bytes Needed:[%I64u] Bytes Available:[%I64u], xrefs: 6D2C12F9

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3$DiskErrorFreeLastSpace
String ID: complete$Action$Disk space check for items being downloaded$Drive:[%s] Bytes Needed:[%I64u] Bytes Available:[%I64u]
API String ID: 2933164920-3673225344
Opcode ID: 70ee7c17d89f90d8a515e9237b8a7c5cca905b0fbd3a2df22bc5f623524211be
Instruction ID: 89c15827f734a1ce6c7bb4d4cec0c4520a4636ff5303df6801da674fdc1d9edb
Opcode Fuzzy Hash: 70ee7c17d89f90d8a515e9237b8a7c5cca905b0fbd3a2df22bc5f623524211be
Instruction Fuzzy Hash: 9521AD7198014D9FCF41EFA8C845BEEBBB9BF09318F594168E124AB242C7708A04DB62

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C7E95 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43libraryfileloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6D2C7F46,00002100,00000002,00000000,6D2C7BC3,C0000000,?,?,?,6D2C7BC3,?,C0000000,00000000), ref: 6D2C7EA6
GetProcAddress.KERNEL32(00000000,CreateFileTransactedW), ref: 6D2C7EB6
CreateFileW.KERNEL32(00002100,00000002,00000000,C0000000,?,6D2C7BC3,00000000,?,?,6D2C7F46,00002100,00000002,00000000,6D2C7BC3,C0000000,?), ref: 6D2C7EF3

Strings

CreateFileTransactedW, xrefs: 6D2C7EB0
kernel32.dll, xrefs: 6D2C7EA1

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: AddressCreateFileHandleModuleProc
String ID: CreateFileTransactedW$kernel32.dll
API String ID: 2580138172-2053874626
Opcode ID: 36bcb672ad8803152edee8f18cf9f5530553511ae92deddb8a28aabee03fd21f
Instruction ID: f65fcb497c3593a9d3c94f1a731e27788c971d6a446ce63a1abb1d078ece9470
Opcode Fuzzy Hash: 36bcb672ad8803152edee8f18cf9f5530553511ae92deddb8a28aabee03fd21f
Instruction Fuzzy Hash: BA01E83244454FBBCF121E95CC08CAB3F36FBC5761B148A15FA7481860C73389A1EB61

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B9AD4 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 36COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2B9ADB

Strings

IDS_FILE_VERIFICATION_PROGRESS_STATUS, xrefs: 6D2B9AF7
IDS_DOWNLOAD_PROGRESS_STATUS, xrefs: 6D2B9B09
IDS_FILE_VERIFICATION_SUCCESS, xrefs: 6D2B9AF0
IDS_DOWNLOAD_SUCCESS, xrefs: 6D2B9B02

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: IDS_DOWNLOAD_PROGRESS_STATUS$IDS_DOWNLOAD_SUCCESS$IDS_FILE_VERIFICATION_PROGRESS_STATUS$IDS_FILE_VERIFICATION_SUCCESS
API String ID: 431132790-1342741052
Opcode ID: d767bd778efdc7cea65bb4db5840f28b496a04b2471478a7a24b5ea6cf71c0f4
Instruction ID: 3cf6a21dab47caca8e91e0c1b9a34e8a0418f9744238d101b3b15c047ee41b0f
Opcode Fuzzy Hash: d767bd778efdc7cea65bb4db5840f28b496a04b2471478a7a24b5ea6cf71c0f4
Instruction Fuzzy Hash: 1701F9B248821D8FDB21CBB8C544B6EB6E0FF5531DF1A8568D2558B394C7B4D805D742

Uniqueness

Uniqueness Score: -1.00%

Function 6D2AD086 Relevance: 7.6, APIs: 5, Instructions: 88memoryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2AD08D
VariantInit.OLEAUT32(?), ref: 6D2AD09E
SysFreeString.OLEAUT32(?), ref: 6D2AD0D4
VariantClear.OLEAUT32(?), ref: 6D2AD0F7
SysAllocString.OLEAUT32(?), ref: 6D2AD119

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: StringVariant$AllocClearFreeH_prolog3Init
String ID:
API String ID: 1692324188-0
Opcode ID: e376ed9576cfe3f1d70816e93f333599e17304f9653305c9c11a547885f5710f
Instruction ID: 6d93f9c9f7b12ae68292f7acfefa6e0ab5c5546a068eb4ae88716efc19ae63cc
Opcode Fuzzy Hash: e376ed9576cfe3f1d70816e93f333599e17304f9653305c9c11a547885f5710f
Instruction Fuzzy Hash: 7031C37494021EEFCF00DFA4C848AAEB7B8EF84315F188159F855E7240D735DA41CB20

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C269C Relevance: 7.6, APIs: 5, Instructions: 87windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

DestroyPropertySheetPage.COMCTL32(?,00000000), ref: 6D2C26C1
RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,00000000), ref: 6D2C26FE
CreatePropertySheetPageW.COMCTL32(?,00000000,00000000), ref: 6D2C2716
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 6D2C2735
DestroyPropertySheetPage.COMCTL32(00000000), ref: 6D2C2751

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: PagePropertySheet$Destroy$CreateExceptionMessageRaiseSend
String ID:
API String ID: 1284076499-0
Opcode ID: e4c98e519d477c51524401fd0c07408b5d9b92b0e1b9ee8dfe8e93e72ca54424
Instruction ID: 61f42681a22e6ffb80524410add074aadff948956210fd1007bfa53575876394
Opcode Fuzzy Hash: e4c98e519d477c51524401fd0c07408b5d9b92b0e1b9ee8dfe8e93e72ca54424
Instruction Fuzzy Hash: E721F5B264065A9BCB318E59C8C8E5BB7F9EF853657114539FA45D3600CF30EC81CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6D2BC1B2 Relevance: 7.6, APIs: 5, Instructions: 70windowCOMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,?), ref: 6D2BC1C2
GetDlgItem.USER32 ref: 6D2BC1CD
SendMessageW.USER32(?,00000180,00000000,?), ref: 6D2BC1F7
GetParent.USER32(?), ref: 6D2BC206
RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,?,?,?,6D2BC10E,00000110), ref: 6D2BC22D

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: ExceptionItemMessageParentRaiseSendTextWindow
String ID:
API String ID: 3396959766-0
Opcode ID: 63a1e5d650a0c56b3f1bfa573c3cd5027c9b66c2b8d51bf1d3974393a5478c4a
Instruction ID: 1d0805ffa4210d9f29c1b7d37b8819edd04f824264c3000584d6072cf9c02ef1
Opcode Fuzzy Hash: 63a1e5d650a0c56b3f1bfa573c3cd5027c9b66c2b8d51bf1d3974393a5478c4a
Instruction Fuzzy Hash: CB110431144608AFC7119FB4CC88E1BBBF8EF49BA8B144439F646C6510CBB1E851DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C16235 Relevance: 7.6, APIs: 5, Instructions: 68
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 92%

			E00C16235(void* __edx, void* __edi, void* __esi, void* _a4, long _a8) {
				void* _t6;
				void* _t7;
				intOrPtr* _t8;
				intOrPtr* _t12;
				void* _t27;
				long _t30;

				if(_a4 != 0) {
					_push(__esi);
					_t30 = _a8;
					if(_t30 != 0) {
						_push(__edi);
						while(_t30 <= 0xffffffe0) {
							if(_t30 == 0) {
								_t30 = _t30 + 1;
							}
							_t6 = HeapReAlloc( *0xc193a4, 0, _a4, _t30);
							_t27 = _t6;
							if(_t27 != 0) {
								L17:
								_t7 = _t27;
							} else {
								if( *0xc19880 == _t6) {
									_t8 = E00C147E5();
									 *_t8 = E00C1479E(GetLastError());
									goto L17;
								} else {
									if(E00C14771(_t30) == 0) {
										_t12 = E00C147E5();
										 *_t12 = E00C1479E(GetLastError());
										L12:
										_t7 = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E00C14771(_t30);
						 *((intOrPtr*)(E00C147E5())) = 0xc;
						goto L12;
					} else {
						E00C14EF9(_a4);
						_t7 = 0;
					}
					L14:
					return _t7;
				} else {
					return E00C16115(__edx, __edi, __esi, _a8);
				}
			}

0x00c1623e
0x00c1624b
0x00c1624c
0x00c16251
0x00c16260
0x00c16293
0x00c16265
0x00c16267
0x00c16267
0x00c16274
0x00c1627a
0x00c1627e
0x00c162de
0x00c162de
0x00c16280
0x00c16286
0x00c162c8
0x00c162dc
0x00000000
0x00c16288
0x00c16291
0x00c162b0
0x00c162c4
0x00c162aa
0x00c162aa
0x00000000
0x00000000
0x00000000
0x00c16291
0x00c16286
0x00000000
0x00c162ac
0x00c16299
0x00c162a4
0x00000000
0x00c16253
0x00c16256
0x00c1625c
0x00c1625c
0x00c162ad
0x00c162af
0x00c16240
0x00c1624a
0x00c1624a

APIs

_malloc.LIBCMT ref: 00C16243

Part of subcall function 00C16115: __FF_MSGBANNER.LIBCMT ref: 00C1612E
Part of subcall function 00C16115: __NMSG_WRITE.LIBCMT ref: 00C16135
Part of subcall function 00C16115: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00C14F49,?,00000001,?,?,00C142B7,00000018,00C16F78,0000000C,00C1434C), ref: 00C1615A

_free.LIBCMT ref: 00C16256

Memory Dump Source

Source File: 00000014.00000002.712372782.0000000000C11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000014.00000002.712347190.0000000000C10000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.712416872.0000000000C18000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.712438921.0000000000C1A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_c10000_Setup.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: bbba1bdd4b89dbabe94c464f4d92a5b53f12f14856f46a4a135d66730ac21fdb
Instruction ID: 7f17b5b5efbbd432006e759a5304b819d77964fe9a2a7782ab8be20b428f0dce
Opcode Fuzzy Hash: bbba1bdd4b89dbabe94c464f4d92a5b53f12f14856f46a4a135d66730ac21fdb
Instruction Fuzzy Hash: DD11A336904215ABCB252F74EC05BDD3B94AF47371B258525F8589B2D1EF3489C1F7A0

Uniqueness

Uniqueness Score: -1.00%

Function 6D2BCB21 Relevance: 7.6, APIs: 5, Instructions: 56windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2BCB28
DestroyIcon.USER32(?,00000004), ref: 6D2BCB50
DestroyIcon.USER32(?,00000004), ref: 6D2BCB5D
DestroyIcon.USER32(?,00000004), ref: 6D2BCB6A
DestroyIcon.USER32(?,00000004), ref: 6D2BCB77

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: DestroyIcon$H_prolog3
String ID:
API String ID: 1886938828-0
Opcode ID: b6e7c48697df0294d2524ba58d1559dfe7801308ea7cffa06d79dd4c461d0fd6
Instruction ID: 2ee180bf91e14569ba2f44ae6eda3a4d839f699d6d38d6f15da44b52e88c4cc1
Opcode Fuzzy Hash: b6e7c48697df0294d2524ba58d1559dfe7801308ea7cffa06d79dd4c461d0fd6
Instruction Fuzzy Hash: 31118670B8470BABEB04DF74C944B6EF7A8BF01B59F010119D528D7141CBB4E820DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C03F5 Relevance: 7.6, APIs: 5, Instructions: 50windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32 ref: 6D2C0415
PeekMessageW.USER32 ref: 6D2C042B
TranslateMessage.USER32(?), ref: 6D2C0435
DispatchMessageW.USER32 ref: 6D2C043F
PeekMessageW.USER32 ref: 6D2C044E

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Message$Peek$DispatchMultipleObjectsTranslateWait
String ID:
API String ID: 2015114452-0
Opcode ID: e2922a7429921f44c323f0ecffe401fc61857890b45bcb1e06463eb6bb577980
Instruction ID: f8d233fc9fc816ecffa727659754e0f52571c75ff5433b80386d0079766f375e
Opcode Fuzzy Hash: e2922a7429921f44c323f0ecffe401fc61857890b45bcb1e06463eb6bb577980
Instruction Fuzzy Hash: 4F0171B284123ABADF2096A2CD0CEEF7E7CEF8A769F040125F614E2080D674D645C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 6D2CDE5E Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6D2CDE6A

Part of subcall function 6D2C9BE0: __getptd_noexit.LIBCMT ref: 6D2C9BE3
Part of subcall function 6D2C9BE0: __amsg_exit.LIBCMT ref: 6D2C9BF0

__amsg_exit.LIBCMT ref: 6D2CDE8A
__lock.LIBCMT ref: 6D2CDE9A
InterlockedDecrement.KERNEL32(?), ref: 6D2CDEB7
InterlockedIncrement.KERNEL32(03A416E0), ref: 6D2CDEE2

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 2be0e732e9b5e5cc86b2005602c80b6f0b82a50a17768741b95351835dd16ef7
Instruction ID: 151c2f4de8deb0342625864d4ddd98c76e3d65f608d366af15b1fca77370a1f7
Opcode Fuzzy Hash: 2be0e732e9b5e5cc86b2005602c80b6f0b82a50a17768741b95351835dd16ef7
Instruction Fuzzy Hash: F9016132DC961BABDB819B65844875FB770AF4572AF054215E420A7680CB38AC80CBDB

Uniqueness

Uniqueness Score: -1.00%

Function 6D2AF24C Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 6D2AF257
SetWindowTextW.USER32(00000000,?), ref: 6D2AF286
ShowWindow.USER32(00000000,00000005), ref: 6D2AF28F
ShowWindow.USER32(00000000,00000000), ref: 6D2AF2A5
EnableWindow.USER32(00000000,00000000), ref: 6D2AF2AE

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Window$Show$EnableItemText
String ID:
API String ID: 3475434280-0
Opcode ID: aa8a7bc3a8fd58ba40066a090fdbbef9bffc96e9f03d501d732f378d2a405dfc
Instruction ID: 359d67b06c4f9ee30386180c4c1db4c2ba819ac7f486341a577e933fe52932e4
Opcode Fuzzy Hash: aa8a7bc3a8fd58ba40066a090fdbbef9bffc96e9f03d501d732f378d2a405dfc
Instruction Fuzzy Hash: AF012838240605AFDB12AF64C89CF2EBBB9FF4D766F144445F6428B2A1CB399851CF94

Uniqueness

Uniqueness Score: -1.00%

Function 6D2AC280 Relevance: 7.5, APIs: 5, Instructions: 41windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2AC287

Part of subcall function 6D2AC224: __EH_prolog3.LIBCMT ref: 6D2AC22B

OutputDebugStringW.KERNEL32(?,?,?,00000008,6D2AC856), ref: 6D2AC2A8

Part of subcall function 6D2C807A: SysFreeString.OLEAUT32(00000000), ref: 6D2C8087
Part of subcall function 6D2C807A: SysAllocString.OLEAUT32(00000000), ref: 6D2C8096

FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,00000008,6D2AC856), ref: 6D2AC2CF
OutputDebugStringW.KERNEL32(?), ref: 6D2AC2DC
LocalFree.KERNEL32(?,?), ref: 6D2AC2ED

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: String$DebugFreeH_prolog3Output$AllocFormatLocalMessage
String ID:
API String ID: 3239379132-0
Opcode ID: 81c183125ff1cf912119523df7e72abc9f251149b1ae8b4ae3187623dee577c1
Instruction ID: 7d17a53ea798bfdc24f2d2fc1dac6978d06597aeff88ce3b3409d93f06714439
Opcode Fuzzy Hash: 81c183125ff1cf912119523df7e72abc9f251149b1ae8b4ae3187623dee577c1
Instruction Fuzzy Hash: E5017C7498010EEFDF519BE0CC08ABEBA78FF0570AF188525F611B5190DB714910DB21

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C7BEC Relevance: 7.5, APIs: 5, Instructions: 37fileCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,00000000,?,6D2B0FC5,7DCDEE72), ref: 6D2C7BFB
DeleteFileW.KERNEL32(?,00000000,?,6D2B0FC5,7DCDEE72), ref: 6D2C7C0E
DeleteFileW.KERNEL32(00000000,00000000,?,6D2B0FC5,7DCDEE72), ref: 6D2C7C1E
GetLastError.KERNEL32(?,6D2B0FC5,7DCDEE72), ref: 6D2C7C28
MoveFileW.KERNEL32(?,00000000), ref: 6D2C7C41

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: File$Delete$CloseErrorHandleLastMove
String ID:
API String ID: 4022683281-0
Opcode ID: 8bfaa96a275ffce519f5a9b29b8ebf4802ac5ce65a4f25bd4d28aa70231f539e
Instruction ID: f529975aa48ccf0785d404493a0791d7feee9a6e0a770ce3be19b2ba9908b2bf
Opcode Fuzzy Hash: 8bfaa96a275ffce519f5a9b29b8ebf4802ac5ce65a4f25bd4d28aa70231f539e
Instruction Fuzzy Hash: 29F0F431D9411B6BDB521F65CC08B9E36A9EF6236BB054625E949D2100E7348ED0C6B7

Uniqueness

Uniqueness Score: -1.00%

Function 00C1566A Relevance: 7.5, APIs: 5, Instructions: 34
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 69%

			E00C1566A(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t12;
				void* _t25;
				void* _t28;
				intOrPtr _t29;
				void* _t30;

				_t26 = __edi;
				_t25 = __edx;
				_t20 = __ebx;
				_push(0xc);
				_push(0xc16ff8);
				E00C13DB0(__ebx, __edi, __esi);
				_t28 = E00C13AB0();
				_t12 =  *0xc18aec; // 0xfffffffe
				if(( *(_t28 + 0x70) & _t12) == 0 ||  *((intOrPtr*)(_t28 + 0x6c)) == 0) {
					E00C14331(_t20, _t25, _t26, 0xc);
					 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
					_t29 = _t28 + 0x6c;
					 *((intOrPtr*)(_t30 - 0x1c)) = E00C15618(_t29,  *0xc18558);
					 *(_t30 - 4) = 0xfffffffe;
					E00C156D7();
				} else {
					_t29 =  *((intOrPtr*)(E00C13AB0() + 0x6c));
				}
				if(_t29 == 0) {
					_push(0x20);
					E00C12F1C();
				}
				return E00C13DF5(_t29);
			}

0x00c1566a
0x00c1566a
0x00c1566a
0x00c1566a
0x00c1566c
0x00c15671
0x00c1567b
0x00c1567d
0x00c15685
0x00c156ab
0x00c156b1
0x00c156bb
0x00c156c6
0x00c156c9
0x00c156d0
0x00c1568d
0x00c15692
0x00c15692
0x00c15697
0x00c15699
0x00c1569b
0x00c156a0
0x00c156a8

APIs

__getptd.LIBCMT ref: 00C15676

Part of subcall function 00C13AB0: __getptd_noexit.LIBCMT ref: 00C13AB3
Part of subcall function 00C13AB0: __amsg_exit.LIBCMT ref: 00C13AC0

__getptd.LIBCMT ref: 00C1568D
__amsg_exit.LIBCMT ref: 00C1569B
__lock.LIBCMT ref: 00C156AB
__updatetlocinfoEx_nolock.LIBCMT ref: 00C156BF

Memory Dump Source

Source File: 00000014.00000002.712372782.0000000000C11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000014.00000002.712347190.0000000000C10000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.712416872.0000000000C18000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.712438921.0000000000C1A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_c10000_Setup.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 58ad070a21dd38391789615c2ceff3758bc872e6a7e94f68e658bb27d422fd6c
Instruction ID: 21746be719e43d13252b6bdf30cf67373b0780d94b2dd7ee53f429f130566dea
Opcode Fuzzy Hash: 58ad070a21dd38391789615c2ceff3758bc872e6a7e94f68e658bb27d422fd6c
Instruction Fuzzy Hash: B5F09032984B10DBD620BBA898037CE33A06F43724FA44549F150AB3D2CF244AC1BAD6

Uniqueness

Uniqueness Score: -1.00%

Function 6D2CE60F Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6D2CE61B

Part of subcall function 6D2C9BE0: __getptd_noexit.LIBCMT ref: 6D2C9BE3
Part of subcall function 6D2C9BE0: __amsg_exit.LIBCMT ref: 6D2C9BF0

__getptd.LIBCMT ref: 6D2CE632
__amsg_exit.LIBCMT ref: 6D2CE640
__lock.LIBCMT ref: 6D2CE650
__updatetlocinfoEx_nolock.LIBCMT ref: 6D2CE664

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 4be950a0163f67433c4a0ac3accc4fecdc55289045ad90707735ecc85c75387e
Instruction ID: 37fbd13d59d70865e8138d4fe2c7c39ef0ab0c890b69689028186b2893ef2f32
Opcode Fuzzy Hash: 4be950a0163f67433c4a0ac3accc4fecdc55289045ad90707735ecc85c75387e
Instruction Fuzzy Hash: C9F09032DDC619ABD7D1DB648806B5E72A06F0436EF228369D614EB1C0CB245D40CA9B

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B3E14 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 233COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2B3E1B

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

Strings

Hide, xrefs: 6D2B3E38
Height, xrefs: 6D2B3F26
Width, xrefs: 6D2B3F34

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: Height$Hide$Width
API String ID: 431132790-1313002608
Opcode ID: 31af296959f15873974d72b5e81b4544bfe1f7609d9593565fa90f24dc62492e
Instruction ID: c8d0dc356778ee6ae496d0b013a47a24eb0fc3c3a13763d7bff903febaa63dba
Opcode Fuzzy Hash: 31af296959f15873974d72b5e81b4544bfe1f7609d9593565fa90f24dc62492e
Instruction Fuzzy Hash: 51A16E7184420DDFDB10CFE8C984B9EFBF8AF48318F258265E524EB291D774AA05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C60A8 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 233COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2C60AF

Part of subcall function 6D2C7341: __EH_prolog3.LIBCMT ref: 6D2C7348
Part of subcall function 6D2C7341: GetLastError.KERNEL32 ref: 6D2C7364

RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 6D2C62D8

Part of subcall function 6D2BEB56: __wcsicoll.LIBCMT ref: 6D2BEB74

Strings

No Blocking Services, xrefs: 6D2C62C0
Blocking Services, xrefs: 6D2C62ED

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3$ErrorExceptionLastRaise__wcsicoll
String ID: Blocking Services$No Blocking Services
API String ID: 1137283054-2473106011
Opcode ID: 23e00e89cae9373e80e3a30c0e487189d883ada63dbc1a1852d9e3005fd960b4
Instruction ID: 4ccfa7ddb7836b94015b257401af5335546fed2b659706978ec86dc69eef7138
Opcode Fuzzy Hash: 23e00e89cae9373e80e3a30c0e487189d883ada63dbc1a1852d9e3005fd960b4
Instruction Fuzzy Hash: 63915C7094420E9FDB50CF68C9C4BAEB7B0FF04315F118268E955AB291D730ED15CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6D2BC7AB Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 212COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2BC7B2

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

GetStringTypeExW.KERNEL32(00000000,00000001,?,00000001,?,6D2A5D9C,?,00000030,80070057), ref: 6D2BC86B

Part of subcall function 6D2C81DE: _memcpy_s.LIBCMT ref: 6D2C8224

Part of subcall function 6D2BECE8: _wcschr.LIBCMT ref: 6D2BECFF

Strings

href, xrefs: 6D2BC8AE
</a, xrefs: 6D2BC9CA

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3$StringType_memcpy_s_wcschr
String ID: </a$href
API String ID: 3166021290-1826667848
Opcode ID: 721fdb75170f1100750788aa932a54920d6b5442fdfc2be47f21d2ed9bddb3fa
Instruction ID: 39f5b3ac47568fd9a346ca0e54f1e9e89743da4365f009b60e5e37662f3ee8d6
Opcode Fuzzy Hash: 721fdb75170f1100750788aa932a54920d6b5442fdfc2be47f21d2ed9bddb3fa
Instruction Fuzzy Hash: F7718171D8121F8FCF10DFA4C4949BEBB78EF04B9CF1581A9DA11A7290D7B4A946DB80

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B883F Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 146COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2B8846

Part of subcall function 6D2C1169: __EH_prolog3.LIBCMT ref: 6D2C1170
Part of subcall function 6D2C1169: GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 6D2C11B1

Part of subcall function 6D2BEB56: __wcsicoll.LIBCMT ref: 6D2BEB74

Part of subcall function 6D2C1360: GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,Action,6D2DFE10,?,?,?,7DCDEE72,Action,?,00000000), ref: 6D2C1395
Part of subcall function 6D2C1360: GetLastError.KERNEL32(?,?,?,7DCDEE72,Action,?,00000000), ref: 6D2C13A5

Strings

$$AvailableSpaceOnSystemDrive$$, xrefs: 6D2B897E
$$RequiredSpaceOnSystemDrive$$, xrefs: 6D2B88FB
$$SystemDrive$$, xrefs: 6D2B8895

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3$DirectoryDiskErrorFreeLastSpaceSystem__wcsicoll
String ID: $$AvailableSpaceOnSystemDrive$$$$$RequiredSpaceOnSystemDrive$$$$$SystemDrive$$
API String ID: 2351290856-2773778658
Opcode ID: 746fff1b8951f13fe8d0e3028e9384c10c29691f668ffa0627ff6d6b18039257
Instruction ID: 1078e73b6b49d86680805157a119f6359282271f3d4afeb90129d7db4e999034
Opcode Fuzzy Hash: 746fff1b8951f13fe8d0e3028e9384c10c29691f668ffa0627ff6d6b18039257
Instruction Fuzzy Hash: 86516F7294420D9FCB40CBB8C885BDEBBF4AF09318F0946A5EA54EB352D77499448B91

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B1003 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

Part of subcall function 6D2C7ACF: GetTempPathW.KERNEL32(00000100,?,?,00000000), ref: 6D2C7AFC

Part of subcall function 6D2B0ECA: SendMessageW.USER32(00000000,0000044A,00000002,?), ref: 6D2B0F06

PathFileExistsW.SHLWAPI(?,?,7DCDEE72), ref: 6D2B1126
ShellExecuteW.SHELL32(00000001,print,?,00000000,00000000,00000000), ref: 6D2B116E

Strings

print, xrefs: 6D2B1166
%s\BlockersInfo%d.rtf, xrefs: 6D2B10C5, 6D2B10CE, 6D2B110A

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Path$ExecuteExistsFileH_prolog3MessageSendShellTemp
String ID: %s\BlockersInfo%d.rtf$print
API String ID: 2742019059-575943144
Opcode ID: 6d52501a2faa7eb5d480208123eae9b54fb797d28ee196267ba8e6f7f8a24262
Instruction ID: c1a219533b37310770b5a399448cbac9819ea1dd2bad7dc9bfc7eb732c23e8e2
Opcode Fuzzy Hash: 6d52501a2faa7eb5d480208123eae9b54fb797d28ee196267ba8e6f7f8a24262
Instruction Fuzzy Hash: F7415B725482499FC711DF68C844A5FFBE8FF8972CF054A29F598A3251D730D9098B63

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B381C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2B3823

Part of subcall function 6D2AD76F: __EH_prolog3.LIBCMT ref: 6D2AD776

Strings

Type, xrefs: 6D2B38B0
RTF, xrefs: 6D2B38CE
HTML, xrefs: 6D2B38E1

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: HTML$RTF$Type
API String ID: 431132790-2981198847
Opcode ID: 1b51cefafd11068ca5d6e12d99ec46f3ecdcc7dfe06e44b483657f2bd9f855ca
Instruction ID: 91a7acae6f5d024119f9231f78efce86d5003de320181cc615ad3a5395802aad
Opcode Fuzzy Hash: 1b51cefafd11068ca5d6e12d99ec46f3ecdcc7dfe06e44b483657f2bd9f855ca
Instruction Fuzzy Hash: 1931C37188860E9FDB10DFB8C9407AEB7B4BF0536CF1942A9E524E72C1D7B09A45C752

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C74DC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2C74E3
GetLastError.KERNEL32 ref: 6D2C7529
GetLastError.KERNEL32 ref: 6D2C757A

Strings

GetServiceDisplayName failed with error: %u, xrefs: 6D2C757D

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: ErrorLast$H_prolog3
String ID: GetServiceDisplayName failed with error: %u
API String ID: 3502553090-3718371905
Opcode ID: f5f1ab8e1d3c176a7e0beb71b8d3560cbbf3c268e0a8bda5a170fb3296373cd6
Instruction ID: 18af7af808d4be4925e056959bd7deacba8d698365a4e300671819f89a57b188
Opcode Fuzzy Hash: f5f1ab8e1d3c176a7e0beb71b8d3560cbbf3c268e0a8bda5a170fb3296373cd6
Instruction Fuzzy Hash: BC21A17194424AAFDB44DFA8C849B6EBB75FF04319F158628E524E7281DB30EE50CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B60C9 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 66COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2B60D0

Part of subcall function 6D2B396A: __EH_prolog3.LIBCMT ref: 6D2B3971

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

Part of subcall function 6D2B5ECE: __EH_prolog3.LIBCMT ref: 6D2B5ED5

Strings

Qr,m, xrefs: 6D2B614A, 6D2B6172, 6D2B614D, 6D2B617B
Uninstall, xrefs: 6D2B60E9
UninstallPatch, xrefs: 6D2B613C

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: Qr,m$Uninstall$UninstallPatch
API String ID: 431132790-2832975370
Opcode ID: afd4622a2fc22fa9e2f277a47af0f8090c5dd4f9b2e7caa3f2ed4b31eb0ae6a2
Instruction ID: f399c02c9b7c05a84e8f51134720c51c9a39f0a4b0f321904ec8e0cdd02f6221
Opcode Fuzzy Hash: afd4622a2fc22fa9e2f277a47af0f8090c5dd4f9b2e7caa3f2ed4b31eb0ae6a2
Instruction Fuzzy Hash: B9215EB194424DEFDB01DBE8C944BDEB7B8AF08318F1484A5E614E7241CB74DA04C731

Uniqueness

Uniqueness Score: -1.00%

Function 6D2AEDE8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

GetWindowPlacement.USER32(?,?), ref: 6D2AEE4B
MapDialogRect.USER32(?,?), ref: 6D2AEE6C
SetWindowPlacement.USER32(?,0000002C), ref: 6D2AEE79

Strings

,, xrefs: 6D2AEE44

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: PlacementWindow$DialogRect
String ID: ,
API String ID: 3865709247-3772416878
Opcode ID: 6fd5c79caf1ae442b23fda09af9da58abd25186e393553e81dc863ff69bd879f
Instruction ID: 3420f2099fd90e1441a8aea2c444542976cd210f02fc6afe358529b87f370c64
Opcode Fuzzy Hash: 6fd5c79caf1ae442b23fda09af9da58abd25186e393553e81dc863ff69bd879f
Instruction Fuzzy Hash: 2421D375A00218EFCB00DFA8D98899EBBF5FF48324B14456AF955E3360DB30AA05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B8C2A Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2B8C31

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

Part of subcall function 6D2B93BE: __EH_prolog3.LIBCMT ref: 6D2B93C5
Part of subcall function 6D2B93BE: SendDlgItemMessageW.USER32 ref: 6D2B9509
Part of subcall function 6D2B93BE: SetWindowTextW.USER32(?,?), ref: 6D2B9518
Part of subcall function 6D2B93BE: EnableWindow.USER32(?,00000001), ref: 6D2B952C
Part of subcall function 6D2B93BE: ShowWindow.USER32(?,00000000), ref: 6D2B954A

Part of subcall function 6D2B9584: __EH_prolog3.LIBCMT ref: 6D2B958B
Part of subcall function 6D2B9584: SendDlgItemMessageW.USER32 ref: 6D2B9714
Part of subcall function 6D2B9584: SetWindowTextW.USER32(?,00000001), ref: 6D2B9723

Strings

System Requirement Checks, xrefs: 6D2B8C6A
complete, xrefs: 6D2B8C3A
Action, xrefs: 6D2B8C59, 6D2B8C77

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3Window$ItemMessageSendText$EnableShow
String ID: complete$Action$System Requirement Checks
API String ID: 1922407589-3507766184
Opcode ID: cd2b739e818c0688f1a9dea32b3a3d8fa98e32dee601f418c78fe8422d5953d3
Instruction ID: 3489a63db20c8787858ce49485a12bf990df27fec46174a3567f42b4f117d7ed
Opcode Fuzzy Hash: cd2b739e818c0688f1a9dea32b3a3d8fa98e32dee601f418c78fe8422d5953d3
Instruction Fuzzy Hash: 1F11027198420C9FD740EBB8C840BFEB7F8AF09308F590479D265D7280CBB09A05C762

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C7341 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2C7348
GetLastError.KERNEL32 ref: 6D2C7364

Strings

ServicesActive, xrefs: 6D2C7354
OpenSCManager failed with error: %u, xrefs: 6D2C7396

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: ErrorH_prolog3Last
String ID: OpenSCManager failed with error: %u$ServicesActive
API String ID: 685212868-337506387
Opcode ID: 3006617bcff428b86c118aecafc525b8d8101c03b1e8f92181b85331fdd9297f
Instruction ID: 700945ec2138b1475791a970eb9bac2a10fb96a250c3552a7ca621c4c4d697b4
Opcode Fuzzy Hash: 3006617bcff428b86c118aecafc525b8d8101c03b1e8f92181b85331fdd9297f
Instruction Fuzzy Hash: 4001FC71AC470A8FE7608BA4CC44B2A77B1FF44325F25053CE615DB281DB70DC048796

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B7F0A Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 43COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2B7F11

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

Part of subcall function 6D2C60A8: __EH_prolog3.LIBCMT ref: 6D2C60AF

Part of subcall function 6D2AB8EF: __EH_prolog3.LIBCMT ref: 6D2AB8F6

Strings

complete, xrefs: 6D2B7F1C
Enumerating incompatible services, xrefs: 6D2B7F3F
Action, xrefs: 6D2B7F2E, 6D2B7F4C

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: complete$Action$Enumerating incompatible services
API String ID: 431132790-2452571594
Opcode ID: 0a60c4cd2f1024af03956c6872bc3b56213962b55293247c17dab95c7d0f3e93
Instruction ID: 1ab47901f3b467b33cfb5e548988005382fbc67b3856fed967895022bcdf20c3
Opcode Fuzzy Hash: 0a60c4cd2f1024af03956c6872bc3b56213962b55293247c17dab95c7d0f3e93
Instruction Fuzzy Hash: 74118B7284405CEFCF52DBD8C904BAFBBB5FF09328F198065E610A7250C7744A49EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B78D5 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2B78DC

Part of subcall function 6D2C83FD: _memcpy_s.LIBCMT ref: 6D2C844E

Strings

Visible, xrefs: 6D2B7929
Not Visible, xrefs: 6D2B7930, 6D2B7935
[%u] [%s] [%s] [%s], xrefs: 6D2B793E

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3_memcpy_s
String ID: Not Visible$Visible$[%u] [%s] [%s] [%s]
API String ID: 1212206098-88040887
Opcode ID: e363e0524e04c5f9dc1e5fa61d6e88538d1429336b3a38f7754b04655cdaf048
Instruction ID: bd5ee4f0dceed700121f595ae34abe053d7bdd1aa92b89ad6c02b11f0b920022
Opcode Fuzzy Hash: e363e0524e04c5f9dc1e5fa61d6e88538d1429336b3a38f7754b04655cdaf048
Instruction Fuzzy Hash: 4E017CB154464AAFDB41CF68C404B6EFBB0FF05304F04C260EA589B301D734E8258BD2

Uniqueness

Uniqueness Score: -1.00%

Function 00C129CB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00C129CB(void* __eax) {
				_Unknown_base(*)()* _t4;

				if(__eax < 6) {
					_t4 = GetProcAddress(GetModuleHandleW(L"KERNEL32.DLL"), "SetProcessDEPPolicy");
					if(_t4 != 0) {
						 *_t4(1);
					}
				}
				return 0;
			}

0x00c129cd
0x00c129e0
0x00c129e8
0x00c129ec
0x00c129ec
0x00c129e8
0x00c129f0

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00C129D4
GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 00C129E0

Strings

SetProcessDEPPolicy, xrefs: 00C129DA
KERNEL32.DLL, xrefs: 00C129CF

Memory Dump Source

Source File: 00000014.00000002.712372782.0000000000C11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000014.00000002.712347190.0000000000C10000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.712416872.0000000000C18000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000014.00000002.712438921.0000000000C1A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_c10000_Setup.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: KERNEL32.DLL$SetProcessDEPPolicy
API String ID: 1646373207-1809394400
Opcode ID: f416c1a5b1f4e5fedcd9f12c8cab06405081c6d0293df6c0ad4fcafc60174079
Instruction ID: d75277da3a609793371e58eafc026a29c211c7de37cb6c6b6f9cdc85c23d9afb
Opcode Fuzzy Hash: f416c1a5b1f4e5fedcd9f12c8cab06405081c6d0293df6c0ad4fcafc60174079
Instruction Fuzzy Hash: 16C01238A80204ABCB801BF40D0ABCD221A2B4BB52F088420BB42E0080DAA8C5C1B120

Uniqueness

Uniqueness Score: -1.00%

Function 6D2D0047 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6D2D007B
__isleadbyte_l.LIBCMT ref: 6D2D00AE
MultiByteToWideChar.KERNEL32(00000080,00000009,6D2C8AB5,?,00000000,00000000,?,?,?,?,6D2C8AB5,00000000), ref: 6D2D00DF
MultiByteToWideChar.KERNEL32(00000080,00000009,6D2C8AB5,00000001,00000000,00000000,?,?,?,?,6D2C8AB5,00000000), ref: 6D2D014D

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 9514c21597a2bc0829ac9208c11fe2747de211a962cfd5bdc09cc2cbacb6e133
Instruction ID: 4404fa094c3827c20e4c340a5fffd050a12bc0ed3bf8854eb4bddd893c264f87
Opcode Fuzzy Hash: 9514c21597a2bc0829ac9208c11fe2747de211a962cfd5bdc09cc2cbacb6e133
Instruction Fuzzy Hash: E531CC30A9429FFFDB51CF6AC980EBE3BB5BF41312B058569E4608B0A1E731D980CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C0E5C Relevance: 6.1, APIs: 4, Instructions: 100windowCOMMON

Download Yara Rule

APIs

MapDialogRect.USER32(?,00000000), ref: 6D2C0EC4

Part of subcall function 6D2C91B7: _malloc.LIBCMT ref: 6D2C91D1

SendMessageW.USER32(?,00000031,00000000,00000000), ref: 6D2C0F1D
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 6D2C0F27
ShowWindow.USER32(?,00000001,?,00000000,?,00000000), ref: 6D2C0F2E

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: MessageSend$DialogRectShowWindow_malloc
String ID:
API String ID: 929715566-0
Opcode ID: fec906eec39dd55a59b1653448a1a4f6cd73755c743ff579a7ad8d0e6ed3b4d0
Instruction ID: f4b319c93d37a67650694e9b095b93c69e0c0fa865ff7dfb1df589a13eb96a8e
Opcode Fuzzy Hash: fec906eec39dd55a59b1653448a1a4f6cd73755c743ff579a7ad8d0e6ed3b4d0
Instruction Fuzzy Hash: 45317A75A00209AFCB159F68C849AAEBBF5FF8C350F114129F605EB360CB71AD01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C017C Relevance: 6.1, APIs: 4, Instructions: 100windowCOMMON

Download Yara Rule

APIs

MapDialogRect.USER32(?,00000000), ref: 6D2C01E4

Part of subcall function 6D2C91B7: _malloc.LIBCMT ref: 6D2C91D1

SendMessageW.USER32(?,00000031,00000000,00000000), ref: 6D2C023D
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 6D2C0247
ShowWindow.USER32(?,00000001,?,00000000,?,00000000), ref: 6D2C024E

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: MessageSend$DialogRectShowWindow_malloc
String ID:
API String ID: 929715566-0
Opcode ID: 476f8ef7700a41366fb7987545fdd187d0546b7ad57c1a56f4810001682a311f
Instruction ID: be2dcebd04de22e16033bc9f63e1fb30e9672bbb57c40679438a92e5da473568
Opcode Fuzzy Hash: 476f8ef7700a41366fb7987545fdd187d0546b7ad57c1a56f4810001682a311f
Instruction Fuzzy Hash: B3315C75A00209AFCB159F68C849BAEBBF5EF88354F158129F605EB350CB71AE01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6D2AF589 Relevance: 6.1, APIs: 4, Instructions: 62windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000031,00000000,00000000), ref: 6D2AF5AC
GetObjectW.GDI32(00000000,0000005C,?), ref: 6D2AF5B5
CreateFontIndirectW.GDI32(?), ref: 6D2AF600
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 6D2AF610

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: MessageSend$CreateFontIndirectObject
String ID:
API String ID: 2018999545-0
Opcode ID: cc8cb44799886bfc2e5a27f70178f4dcb32d0f0c24bf79e8791a4149bf2ae3fd
Instruction ID: ecd330d2f7827bef6f12fb4800c962e452de5c07ba180adc40aa3d4bf964459d
Opcode Fuzzy Hash: cc8cb44799886bfc2e5a27f70178f4dcb32d0f0c24bf79e8791a4149bf2ae3fd
Instruction Fuzzy Hash: 8711D071A4420DABDF118FA4CC09BAF7BB9EB45718F084125FA01DB1C0DBB4EA44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C4870 Relevance: 6.0, APIs: 4, Instructions: 49windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2C4877

Part of subcall function 6D2AEB19: GetCurrentThreadId.KERNEL32 ref: 6D2AEB3A
Part of subcall function 6D2AEB19: SetWindowsHookExW.USER32(00000005,Function_0000EAF4,00000000,00000000), ref: 6D2AEB4A
Part of subcall function 6D2AEB19: MessageBoxW.USER32(?,?,?), ref: 6D2AEB5D
Part of subcall function 6D2AEB19: UnhookWindowsHookEx.USER32(?), ref: 6D2AEB6D

GetParent.USER32(?), ref: 6D2C48A6
GetSystemMenu.USER32(00000000,00000000,0000F060,00000001,?,6D2C158F,?,000006F5,?,?,?,00000000,?,00000001), ref: 6D2C48B6
EnableMenuItem.USER32 ref: 6D2C48BD

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: HookMenuWindows$CurrentEnableH_prolog3ItemMessageParentSystemThreadUnhook
String ID:
API String ID: 267827553-0
Opcode ID: 1f3d85d388a8fc32f4d1e97a06d235f67757a51ec4a874ab6951e842ca3f074e
Instruction ID: 33093438f6c93663b03d0e550b5ac4288093af1e118f126180ec48e064fe03ea
Opcode Fuzzy Hash: 1f3d85d388a8fc32f4d1e97a06d235f67757a51ec4a874ab6951e842ca3f074e
Instruction Fuzzy Hash: AC115EB46847499FD7619BB4CD48F6B73E8EF09709F014A24E652C7690C7B4E841C721

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B6ABD Relevance: 6.0, APIs: 4, Instructions: 44windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 6D2B6ACE
ShowWindow.USER32(00000000,00000000), ref: 6D2B6AE8
EnableWindow.USER32(00000000,00000000), ref: 6D2B6AF1
SendMessageW.USER32(00000000,000000F7,00000001,?), ref: 6D2B6B1E

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Window$EnableItemMessageSendShow
String ID:
API String ID: 1246583984-0
Opcode ID: 27276bd49015ac844d8d396cfa92a39bdddaa88ea0e6733c67817139b81f9faa
Instruction ID: 0691245e7f20a6465eb5fdf77a4194a066b084d94b92420e619679de2d71e19d
Opcode Fuzzy Hash: 27276bd49015ac844d8d396cfa92a39bdddaa88ea0e6733c67817139b81f9faa
Instruction Fuzzy Hash: EC016D76240619AFDB119F64CCC8FAA7BB8FF097A9F044051FA06AB650CB71E850CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6D2D1EFE Relevance: 6.0, APIs: 4, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6D2E2FA0,6D2E2F8C,?,?,6D2BEFB9,00000000,?,?,?,?,?,6D2BE923,?,-00000010), ref: 6D2D1F0B
LeaveCriticalSection.KERNEL32(6D2E2FA0,?,6D2BEFB9,00000000,?,?,?,?,?,6D2BE923,?,-00000010), ref: 6D2D1F27
RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,?,6D2BEFB9,00000000,?,?,?,?,?,6D2BE923,?,-00000010), ref: 6D2D1F46
LeaveCriticalSection.KERNEL32(6D2E2FA0,?,6D2BEFB9,00000000,?,?,?,?,?,6D2BE923,?,-00000010), ref: 6D2D1F4D

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: CriticalSection$Leave$EnterExceptionRaise
String ID:
API String ID: 799838862-0
Opcode ID: a79b951802514eec3e0a6c2d0bf6e015566b1b923933333f3d7324bb91ceb666
Instruction ID: 0e319b175c989526a43ffbb57d68a96370e4e0181311a66f335bd4be94b6ca10
Opcode Fuzzy Hash: a79b951802514eec3e0a6c2d0bf6e015566b1b923933333f3d7324bb91ceb666
Instruction Fuzzy Hash: 8EF0F636294715EFE7224A54DC48F6B7775FB86721F044019FE06D7900C760B882C750

Uniqueness

Uniqueness Score: -1.00%

Function 6D2AEB19 Relevance: 6.0, APIs: 4, Instructions: 38threadwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 6D2AE7D4: GetThreadLocale.KERNEL32(?,?,6D2AEB27), ref: 6D2AE7DE
Part of subcall function 6D2AE7D4: GetThreadLocale.KERNEL32(?,?,6D2AEB27), ref: 6D2AE7ED

GetCurrentThreadId.KERNEL32 ref: 6D2AEB3A
SetWindowsHookExW.USER32(00000005,Function_0000EAF4,00000000,00000000), ref: 6D2AEB4A
MessageBoxW.USER32(?,?,?), ref: 6D2AEB5D
UnhookWindowsHookEx.USER32(?), ref: 6D2AEB6D

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Thread$HookLocaleWindows$CurrentMessageUnhook
String ID:
API String ID: 3998944487-0
Opcode ID: 8e86203ac641f189b1b7bce66b008dc4b6a40bcf8a89501baa8c26482b3f1a12
Instruction ID: 3b46aa2dc591bbb723958570821cb4e9138597c49737e42daae38390e5195888
Opcode Fuzzy Hash: 8e86203ac641f189b1b7bce66b008dc4b6a40bcf8a89501baa8c26482b3f1a12
Instruction Fuzzy Hash: A5F0C232240316ABDB115F61CC0CB2F7BE9EF857A6F094429FA59C3140C731C412CB20

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C7DD2 Relevance: 6.0, APIs: 4, Instructions: 29threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6D2C7DDD
EnterCriticalSection.KERNEL32(6D2E2FC8), ref: 6D2C7DEC
LeaveCriticalSection.KERNEL32(6D2E2FC8), ref: 6D2C7E01
RaiseException.KERNEL32(C0000005,00000001,00000000,00000000,6D2BDFEA,00000000), ref: 6D2C7E14

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: CriticalSection$CurrentEnterExceptionLeaveRaiseThread
String ID:
API String ID: 2662421713-0
Opcode ID: 2f818d2257eb8fa534301fac8d08d1da7cfb6b0bedda27fb10fddf2057d5b510
Instruction ID: 280e915ab80858c7232c9adeabf78624a9c4dd2eac9d48a80cabf2719a395dc9
Opcode Fuzzy Hash: 2f818d2257eb8fa534301fac8d08d1da7cfb6b0bedda27fb10fddf2057d5b510
Instruction Fuzzy Hash: 17E06DB4940A23DBDB224F24990CB5BFAB8EF42B66F01451EFD26D3284D7B08480CA50

Uniqueness

Uniqueness Score: -1.00%

Function 6D2ACCD2 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 179COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2ACCD9
__CxxThrowException@8.LIBCMT ref: 6D2ACE8C

Strings

schema validation failure: child element not found - , xrefs: 6D2ACE0B

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Exception@8H_prolog3Throw
String ID: schema validation failure: child element not found -
API String ID: 3670251406-3859288074
Opcode ID: 9a7d4e325fbb2d4ee2aceb70f9768dbf372fcbc0bfbfe2c465748885700f07bd
Instruction ID: 1144aee4c1d3783501a2f5935214857886ae5759a253810a242103ca1b649577
Opcode Fuzzy Hash: 9a7d4e325fbb2d4ee2aceb70f9768dbf372fcbc0bfbfe2c465748885700f07bd
Instruction Fuzzy Hash: AE718D7594424EDFCB01CFA4C884AEEBBB8FF49704F284595E511AB251C771AE04DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B200C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 106COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2B2013

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

Part of subcall function 6D2AD76F: __EH_prolog3.LIBCMT ref: 6D2AD776

Strings

Name, xrefs: 6D2B2027
Size, xrefs: 6D2B207D

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: Name$Size
API String ID: 431132790-481755742
Opcode ID: d3ee51d96d830c69d1499c5ef720b8c3dfd04d7e1f33863456b94cf1701ee3a6
Instruction ID: 4488fe31dbcf2c4d95070fd62f0536820a4c01a6835f70acb6f1fc08e18fd054
Opcode Fuzzy Hash: d3ee51d96d830c69d1499c5ef720b8c3dfd04d7e1f33863456b94cf1701ee3a6
Instruction Fuzzy Hash: 8441C0B184424EDFDF11CBE4C8447EEBBB8AF09318F148694E664A7281D7B49A05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6D2BC282 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000E,00000000), ref: 6D2BC360

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

Part of subcall function 6D2BF35E: __EH_prolog3.LIBCMT ref: 6D2BF365
Part of subcall function 6D2BF35E: __recalloc.LIBCMT ref: 6D2BF3A7

DialogBoxParamW.USER32 ref: 6D2BC38A

Strings

x*m, xrefs: 6D2BC36B, 6D2BC3A7

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3$DialogErrorLastParam__recalloc
String ID: x*m
API String ID: 412378828-2281478151
Opcode ID: 5d8f16579953bc0cd2dfef1660822e4d90c9af6e7fa97846ceb038c4ef123c46
Instruction ID: d39d2c0af5a729d6eba18bd8de33db35b457ab5c51c9338823fa3cb0023b3b02
Opcode Fuzzy Hash: 5d8f16579953bc0cd2dfef1660822e4d90c9af6e7fa97846ceb038c4ef123c46
Instruction Fuzzy Hash: 8E418D7154C38A9FC300CF68C884A5BFBE4FB89768F504A2EF5A497290D3B1E845CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C7ACF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000100,?,?,00000000), ref: 6D2C7AFC

Part of subcall function 6D2C7F08: GetLastError.KERNEL32(6D2C7B0B,?,?,?,00000000), ref: 6D2C7F08

GetTempFileNameW.KERNEL32(?,TFR,00000000,?,?,?,?,00000000), ref: 6D2C7B54

Strings

TFR, xrefs: 6D2C7B48

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Temp$ErrorFileLastNamePath
String ID: TFR
API String ID: 3373471080-3081930533
Opcode ID: 79685e8f76685b76e921d9870e84605251c9375f19bcc854f05cf7c39c76a72c
Instruction ID: c006296dd62fe8669c32ccf1fef41d496d1f40f1aceb523578d2756e1f398ce0
Opcode Fuzzy Hash: 79685e8f76685b76e921d9870e84605251c9375f19bcc854f05cf7c39c76a72c
Instruction Fuzzy Hash: AD21A4B1E8421D6ADB50CB54CC44FDAB3ACAB05718F5047A5E714D31C1DB709E848BA6

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B443D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2B4444

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

Part of subcall function 6D2B27EE: __EH_prolog3.LIBCMT ref: 6D2B27F5

Strings

SysLink, xrefs: 6D2B4464
SQMPermissionCheckbox, xrefs: 6D2B44B4

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: SQMPermissionCheckbox$SysLink
API String ID: 431132790-2543308372
Opcode ID: 1667f016eb3adce25ff558b6431f5c88b4e397fcd5fdb1bef4c9ff6db110e7a6
Instruction ID: aee7cd2ca9868ae44fe4e0a2cddcf5c8361c26af349b7d75c5b46d2c7340a32b
Opcode Fuzzy Hash: 1667f016eb3adce25ff558b6431f5c88b4e397fcd5fdb1bef4c9ff6db110e7a6
Instruction Fuzzy Hash: FE313E7194414DEFDB00DBE8C984BDEB7B8AF0931CF198165E614E7281C7749A06D772

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B3654 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2B365B

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

Part of subcall function 6D2AD76F: __EH_prolog3.LIBCMT ref: 6D2AD776

Strings

Text, xrefs: 6D2B366B
Hide, xrefs: 6D2B36CC

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: Hide$Text
API String ID: 431132790-3852183071
Opcode ID: 386a051300a56343b5a52b14391d506c15b8a801a3410b46fdf0ddb4107a4761
Instruction ID: f9a90e04ef6fc4993e4afe4b7d509b58368bc8bf8d5d7158e98b3d68c35cb0d9
Opcode Fuzzy Hash: 386a051300a56343b5a52b14391d506c15b8a801a3410b46fdf0ddb4107a4761
Instruction Fuzzy Hash: 53218E7194424DDFDF00DBA8C944BDEB7B8AF19318F1980A5E554EB381D770EA05CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C383E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_wcsnlen.LIBCMT ref: 6D2C3871
_memcpy_s.LIBCMT ref: 6D2C38A7

Part of subcall function 6D2C83FD: __CxxThrowException@8.LIBCMT ref: 6D2C83E2

Strings

GetProcessImageFileNameW, xrefs: 6D2C3845

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: Exception@8Throw_memcpy_s_wcsnlen
String ID: GetProcessImageFileNameW
API String ID: 31407445-2183627785
Opcode ID: f69042cb5065aab90b70ea73ccbcd24f53ec27dbe078f6d65869e4859daa79e5
Instruction ID: 32ba4ba61001736201f8fa58e910522d4eb1ff40f3bdb8ded7dbc688c38c32d5
Opcode Fuzzy Hash: f69042cb5065aab90b70ea73ccbcd24f53ec27dbe078f6d65869e4859daa79e5
Instruction Fuzzy Hash: 9C016532904108AFDB549F69C84889D77A9EB84364712873EF51597250EA309E51CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6D2AF0C8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55fileCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2AF0CF

Part of subcall function 6D2BF21D: _wcsnlen.LIBCMT ref: 6D2BF1B2

DeleteFileW.KERNEL32(00000000,00000010,HFI,00000000,00000000,6D2A79E4,00000004,6D2C57E2,?,?,?,?,?,?,00000024,6D2AF18B), ref: 6D2AF14B

Strings

HFI, xrefs: 6D2AF128

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: DeleteFileH_prolog3_wcsnlen
String ID: HFI
API String ID: 1332513528-686494941
Opcode ID: af01f8e6e5a6aa3a9c2d2c52c80535ee15cf444c379bbea5a077d2eba7671568
Instruction ID: f0340604da9d820ea21fa90431cf8ab3fcdaf83cefc92878979bdd3bb5f23bf9
Opcode Fuzzy Hash: af01f8e6e5a6aa3a9c2d2c52c80535ee15cf444c379bbea5a077d2eba7671568
Instruction Fuzzy Hash: 6211E07128810C8FCB909F78C84466EF3A4EF4431DF068375E620AB294D7709D0587A2

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B372E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2B3735

Strings

Enable, xrefs: 6D2B3749
false, xrefs: 6D2B379E

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: Enable$false
API String ID: 431132790-2988405606
Opcode ID: 116479645a31a57726fe8bad5a90c0a7ecf21181d951f528d36ec43995fdc691
Instruction ID: a48da270dee514f4e3966a6752278924efddf452f93e01bb2efc1caa4a67c103
Opcode Fuzzy Hash: 116479645a31a57726fe8bad5a90c0a7ecf21181d951f528d36ec43995fdc691
Instruction Fuzzy Hash: 991182B598414ECFDB10CBE4C980BEDB3B4BF0435DF150164D220E7281D7B49A09DB61

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C5002 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

_vwprintf.LIBCMT ref: 6D2C502C
_vswprintf_s.LIBCMT ref: 6D2C5059

Strings

`:*m, xrefs: 6D2C5050

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: _vswprintf_s_vwprintf
String ID: `:*m
API String ID: 2206667278-1878432148
Opcode ID: e03ee935fd8f580482c5d0c1b8018582b21d5f2b121f51e825a5208909ec97bc
Instruction ID: 2d5023c9929300b9a22fabe452284d1566904010d61e610c4bfbed1d16068a66
Opcode Fuzzy Hash: e03ee935fd8f580482c5d0c1b8018582b21d5f2b121f51e825a5208909ec97bc
Instruction Fuzzy Hash: 8201677154810DBF9B55DBD9DC84D9EB7ACDF44258711826AF604E7100FB71EE008BE6

Uniqueness

Uniqueness Score: -1.00%

Function 6D2BF491 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2BF498
GetLastError.KERNEL32(?,?,?,6D2C158F,?,000006F5,?,?,?,00000000,?,00000001,?,?,?,6D2B86E6), ref: 6D2BF4C9

Strings

Failed to record Customize, xrefs: 6D2BF4FF

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: ErrorH_prolog3Last
String ID: Failed to record Customize
API String ID: 685212868-512773136
Opcode ID: 1bff4aa158badb1b71cb7725dec7458f196b62935ebdca8852beda2f6f35a70f
Instruction ID: 2789dab239ba8c0623616da37c63a7ecfc13467956b381a9609ad87fc328408a
Opcode Fuzzy Hash: 1bff4aa158badb1b71cb7725dec7458f196b62935ebdca8852beda2f6f35a70f
Instruction Fuzzy Hash: D311E57258420DDBC720DF64C944B9EBB74BF00779F118320EA24AB2D0D7709E018B91

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B0E35 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6D2C0324: SendMessageW.USER32(?,00000437,00000000,?), ref: 6D2C0344

_memset.LIBCMT ref: 6D2B0E62
SendMessageW.USER32(?,00000444,00000001,00000074), ref: 6D2B0E92

Strings

t, xrefs: 6D2B0E7B

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: MessageSend$_memset
String ID: t
API String ID: 1515505866-2238339752
Opcode ID: 71bb49df30db70d6d276ce05db1b863edc5073a160912fc56a9acec19f4a2417
Instruction ID: 7466c43488ddd5e3d66a4cf403e5898580162f1efbd9a63a6ae863b04e4d7013
Opcode Fuzzy Hash: 71bb49df30db70d6d276ce05db1b863edc5073a160912fc56a9acec19f4a2417
Instruction Fuzzy Hash: 1A018B71A4420CABDF10CFB4C801BCE7BF4AF09708F204129FA14A7281D735AA14CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6D2ACAC2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2ACAC9

Part of subcall function 6D2BF143: __EH_prolog3.LIBCMT ref: 6D2BF14A

Part of subcall function 6D2BF0E8: __EH_prolog3.LIBCMT ref: 6D2BF0EF

Part of subcall function 6D2BF092: __EH_prolog3.LIBCMT ref: 6D2BF099

Strings

Invalid XML, xrefs: 6D2ACAE3
.Parse error:, xrefs: 6D2ACAF4

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: .Parse error:$Invalid XML
API String ID: 431132790-1700598720
Opcode ID: 4ca992a8fb2438fb7c34d4b0102e01e9a1cdab0475c816f903b08ad90a3ff612
Instruction ID: deefd38dc321075dba14980225ec20829004b128b773b93b1540b3ba88602be6
Opcode Fuzzy Hash: 4ca992a8fb2438fb7c34d4b0102e01e9a1cdab0475c816f903b08ad90a3ff612
Instruction Fuzzy Hash: 0A01627298810D9BDB10D7F8C841BEEB7B4AF0432CF158624E314F7285D7749A4987A6

Uniqueness

Uniqueness Score: -1.00%

Function 6D2D2C8A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6D2D259F: __getptd.LIBCMT ref: 6D2D25A5
Part of subcall function 6D2D259F: __getptd.LIBCMT ref: 6D2D25B5

__getptd.LIBCMT ref: 6D2D2C99

Part of subcall function 6D2C9BE0: __getptd_noexit.LIBCMT ref: 6D2C9BE3
Part of subcall function 6D2C9BE0: __amsg_exit.LIBCMT ref: 6D2C9BF0

__getptd.LIBCMT ref: 6D2D2CA7

Strings

csm, xrefs: 6D2D2CB5

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 40a763ddbc5ae7bd5608cdcd701207f89940e9ad0a743e3e5e4b39aced2a5921
Instruction ID: c803f513bb164a34b1254f6e86c9e351d3f0953b2d8ef3da870d60fcea7697cb
Opcode Fuzzy Hash: 40a763ddbc5ae7bd5608cdcd701207f89940e9ad0a743e3e5e4b39aced2a5921
Instruction Fuzzy Hash: 28016DB488920F9ECFB4CF20C550AADB7B9EF04216F22442ED850562D4CF308E90EB61

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C1169 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2C1170

Part of subcall function 6D2BE8E8: __EH_prolog3.LIBCMT ref: 6D2BE8EF

GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 6D2C11B1

Strings

C:\, xrefs: 6D2C117D

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3$DirectorySystem
String ID: C:\
API String ID: 105093994-3404278061
Opcode ID: 49205b2dd7790d553afa9408524a47877dc80a3238edf913da01d0c5126a6a39
Instruction ID: feac9b87e81a9023ec7edd67084dfef073297b2624106a4bb3148e2eb29fc375
Opcode Fuzzy Hash: 49205b2dd7790d553afa9408524a47877dc80a3238edf913da01d0c5126a6a39
Instruction Fuzzy Hash: D901ADB199052D8BDB00EBA4CC08AAEB774FF44328F064634E621A72D0CB709D01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B0D3D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6D2C0324: SendMessageW.USER32(?,00000437,00000000,?), ref: 6D2C0344

_memset.LIBCMT ref: 6D2B0D6A
SendMessageW.USER32(?,00000444,00000001,?), ref: 6D2B0D93

Strings

t, xrefs: 6D2B0D85

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: MessageSend$_memset
String ID: t
API String ID: 1515505866-2238339752
Opcode ID: 39b9d907987907b483a80196531d6b5eac24be939a1a0ea926dca6b97feb51c1
Instruction ID: 0a87b75e16a36eac5ce6baa20c8febb997fa17550a8573811f837df26849ef83
Opcode Fuzzy Hash: 39b9d907987907b483a80196531d6b5eac24be939a1a0ea926dca6b97feb51c1
Instruction Fuzzy Hash: B6F04F71A4420CABDF10DFA4C845FCE7BB8EF09708F614129FA15AB281D775AA14CF96

Uniqueness

Uniqueness Score: -1.00%

Function 6D2BF532 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2BF539
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,6D2D677E,000000FF), ref: 6D2BF555

Strings

Failed to record current state name, xrefs: 6D2BF573

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: ErrorH_prolog3Last
String ID: Failed to record current state name
API String ID: 685212868-828805506
Opcode ID: 491d12b0c0c03503c3a161c5b22e5ae0de9dc69ddf6175a13cc92d689a9cd691
Instruction ID: 723008d9b6fd298996bd6f3ce46369a7d6589f9c684f5687d1681dc169266b94
Opcode Fuzzy Hash: 491d12b0c0c03503c3a161c5b22e5ae0de9dc69ddf6175a13cc92d689a9cd691
Instruction Fuzzy Hash: 21F0F0B6988109ABC7608F74C800B8A7B68BF007AAF158130FA14DA190C7B1CA418792

Uniqueness

Uniqueness Score: -1.00%

Function 6D2AF527 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

GetWindowPlacement.USER32(00000000,?,00000000), ref: 6D2AF550
SetWindowPlacement.USER32(00000000,0000002C), ref: 6D2AF561

Strings

,, xrefs: 6D2AF549

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: PlacementWindow
String ID: ,
API String ID: 2154376794-3772416878
Opcode ID: 93e259de4a9b4dc8f4103105ae8d4961600fa19419d2d6d8b8506c9cbc992394
Instruction ID: ae3266b169a477fe0ac1d6127b6f0d58e604d23d320e9d9377bf94bfb4ec4c46
Opcode Fuzzy Hash: 93e259de4a9b4dc8f4103105ae8d4961600fa19419d2d6d8b8506c9cbc992394
Instruction Fuzzy Hash: B5F05E31A1021CABDB00DFA4C848DEFB7B8FB85318F10456AE501A2140DB705905CA55

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B9A1E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2B9A25

Strings

IDS_DOWNLOAD_PROGRESS_BAR_HEADER, xrefs: 6D2B9A39
IDS_FILE_VERIFICATION_PROGRESS_BAR_HEADER, xrefs: 6D2B9A32

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: IDS_DOWNLOAD_PROGRESS_BAR_HEADER$IDS_FILE_VERIFICATION_PROGRESS_BAR_HEADER
API String ID: 431132790-2780475424
Opcode ID: ac71e9d3f7963dc7f7e6628e1d880b8d553c9f7c45a4045863b85083f22660a8
Instruction ID: 873a8619cd43967361c1c9357c5c2fd944d91a9826678f428b1aafcabc56d747
Opcode Fuzzy Hash: ac71e9d3f7963dc7f7e6628e1d880b8d553c9f7c45a4045863b85083f22660a8
Instruction Fuzzy Hash: C5F082B194810E8FDB50DBF8C948B6DB7B0FF05719F5949A8D210DB398C774D9058B42

Uniqueness

Uniqueness Score: -1.00%

Function 6D2B1F81 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2B1F88

Part of subcall function 6D2B1EB5: __EH_prolog3.LIBCMT ref: 6D2B1EBC

Strings

Width, xrefs: 6D2B1FB5
Height, xrefs: 6D2B1FC4

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: Height$Width
API String ID: 431132790-1965321196
Opcode ID: c66981d81a4e53018697c0906ce8145f0b791f6e88475ddd8ecbafd4608852d6
Instruction ID: f7c7350985063792f7bcfd919a785d3bd7637d85488f31bd298697858301d138
Opcode Fuzzy Hash: c66981d81a4e53018697c0906ce8145f0b791f6e88475ddd8ecbafd4608852d6
Instruction Fuzzy Hash: 4FF01CA0F847488BC6219F75845420AF6E29FD6708B19853AC2698F748DFB4E8428B82

Uniqueness

Uniqueness Score: -1.00%

Function 6D2AC224 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2AC22B

Strings

A StopBlock was hit or a System Requirement was not met., xrefs: 6D2AC25B
An internal or user error was encountered., xrefs: 6D2AC254, 6D2AC269

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: A StopBlock was hit or a System Requirement was not met.$An internal or user error was encountered.
API String ID: 431132790-2578323181
Opcode ID: 58987b4814e3917ca85937f9b6b53ba053331e0bd04fce2aa35e43ea1941ebbb
Instruction ID: b90c4027ad07a2f2ed889aecd6ec5e7b8fc91bcfa13ed22d2c8836046979470d
Opcode Fuzzy Hash: 58987b4814e3917ca85937f9b6b53ba053331e0bd04fce2aa35e43ea1941ebbb
Instruction Fuzzy Hash: F8E065B52C810D97D7819AD8C94037DB160FF50B19F1E4121D6149F340C7B48D0197CA

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C1DCD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2C1DD4
GetCommandLineW.KERNEL32(00000018,6D2BB178,00000000,?,?,6D2BAC46,?), ref: 6D2C1DD9

Part of subcall function 6D2ABE03: __EH_prolog3.LIBCMT ref: 6D2ABE0A

Part of subcall function 6D2AB9A7: __EH_prolog3.LIBCMT ref: 6D2AB9AE

Strings

passive, xrefs: 6D2C1DF4

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3$CommandLine
String ID: passive
API String ID: 1384747822-1995439567
Opcode ID: fd0ee41a9d7e581be6d43abfcbfbd944fd38fa14553a1c48fba1e3f2a76e27d4
Instruction ID: ebd573a4bff0d91e4dcab4ebbec2d65b97683931254dba4c67037050bf15842d
Opcode Fuzzy Hash: fd0ee41a9d7e581be6d43abfcbfbd944fd38fa14553a1c48fba1e3f2a76e27d4
Instruction Fuzzy Hash: B5E086B5AC810C56DF4497A4CA147DC72E0EF5A70DF960068D201772C0DF145A09DB62

Uniqueness

Uniqueness Score: -1.00%

Function 6D2C1E15 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6D2C1E1C
GetCommandLineW.KERNEL32(00000018,6D2BB187,00000000,?,?,6D2BAC46,?), ref: 6D2C1E21

Part of subcall function 6D2ABE03: __EH_prolog3.LIBCMT ref: 6D2ABE0A

Part of subcall function 6D2AB9A7: __EH_prolog3.LIBCMT ref: 6D2AB9AE

Strings

showfinalerror, xrefs: 6D2C1E3C

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: H_prolog3$CommandLine
String ID: showfinalerror
API String ID: 1384747822-3200933950
Opcode ID: c22929b8d7334657fc1cffd480eb3102e3221d53da1d5e74167b4e4bd6d4d692
Instruction ID: 659fdb9c16cdb25b97f0c1d093a6514b7ce04cb4d4473cf6e7015fc45e316ff2
Opcode Fuzzy Hash: c22929b8d7334657fc1cffd480eb3102e3221d53da1d5e74167b4e4bd6d4d692
Instruction Fuzzy Hash: EEE086B4AC810C56DF44D7A4C9147DC72E0EF5A70DF9A0068D201772C0DF145A09DB62

Uniqueness

Uniqueness Score: -1.00%

Function 6D2BA051 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20windowCOMMON

Download Yara Rule

APIs

GetPropW.USER32(?,RotatingIconDisplayTHIS), ref: 6D2BA05F

Part of subcall function 6D2B9CD5: GetTickCount.KERNEL32 ref: 6D2B9CDC

SendMessageW.USER32(00000000,00000172,00000001,00000000), ref: 6D2BA07E

Strings

RotatingIconDisplayTHIS, xrefs: 6D2BA057

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: CountMessagePropSendTick
String ID: RotatingIconDisplayTHIS
API String ID: 85587915-353257254
Opcode ID: affdc04d04bb6361046ae563d855e46110bfaf611adf82d5bedfb8dd050d9dc0
Instruction ID: e6ac98487dba6b270f7e71fae5722e87d199c2036e1ac573477bc0e21f62d558
Opcode Fuzzy Hash: affdc04d04bb6361046ae563d855e46110bfaf611adf82d5bedfb8dd050d9dc0
Instruction Fuzzy Hash: 5EE0C231044619BBCB221B14CC0DF9B7FA5EF42BB9F040020F5A99A160CBB2DC10D680

Uniqueness

Uniqueness Score: -1.00%

Function 6D2BA027 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 10timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(00000125,00000002), ref: 6D2BA031
RemovePropW.USER32 ref: 6D2BA03E

Strings

RotatingIconDisplayTHIS, xrefs: 6D2BA037

Memory Dump Source

Source File: 00000014.00000002.715242027.000000006D2A1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6D2A0000, based on PE: true

Associated: 00000014.00000002.715214914.000000006D2A0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715673586.000000006D2DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715687918.000000006D2E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715704711.000000006D2E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.715719196.000000006D2E5000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6d2a0000_Setup.jbxd

Similarity

API ID: KillPropRemoveTimer
String ID: RotatingIconDisplayTHIS
API String ID: 3686338637-353257254
Opcode ID: 000f221c8adb2040158aae6d23a63ab32eb3b1a059f466721b1644deee23c896
Instruction ID: 95faa1b97f49dede98662b702e4481f8a37b84438bcce69c0ae6482d7688d975
Opcode Fuzzy Hash: 000f221c8adb2040158aae6d23a63ab32eb3b1a059f466721b1644deee23c896
Instruction Fuzzy Hash: E0D01238040605DFEB211F00C81CF16FAB0FF1579AF98C85CF0D1504A0C7B64494DB00

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report dotNetFx40_Full_x86_x64.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\5d17b88cf41ba603370ca60cf86c\1025\LocalizedData.xml

C:\5d17b88cf41ba603370ca60cf86c\1025\SetupResources.dll

C:\5d17b88cf41ba603370ca60cf86c\1025\eula.rtf

C:\5d17b88cf41ba603370ca60cf86c\1028\LocalizedData.xml

C:\5d17b88cf41ba603370ca60cf86c\1028\SetupResources.dll

C:\5d17b88cf41ba603370ca60cf86c\1028\eula.rtf

C:\5d17b88cf41ba603370ca60cf86c\1029\LocalizedData.xml

C:\5d17b88cf41ba603370ca60cf86c\1029\SetupResources.dll

C:\5d17b88cf41ba603370ca60cf86c\1029\eula.rtf

C:\5d17b88cf41ba603370ca60cf86c\1030\LocalizedData.xml

C:\5d17b88cf41ba603370ca60cf86c\1030\SetupResources.dll

C:\5d17b88cf41ba603370ca60cf86c\1030\eula.rtf

C:\5d17b88cf41ba603370ca60cf86c\1031\LocalizedData.xml

C:\5d17b88cf41ba603370ca60cf86c\1031\SetupResources.dll

C:\5d17b88cf41ba603370ca60cf86c\1031\eula.rtf

C:\5d17b88cf41ba603370ca60cf86c\1032\LocalizedData.xml

C:\5d17b88cf41ba603370ca60cf86c\1032\SetupResources.dll

C:\5d17b88cf41ba603370ca60cf86c\1032\eula.rtf

C:\5d17b88cf41ba603370ca60cf86c\1033\LocalizedData.xml

C:\5d17b88cf41ba603370ca60cf86c\1033\SetupResources.dll

C:\5d17b88cf41ba603370ca60cf86c\1033\eula.rtf

C:\5d17b88cf41ba603370ca60cf86c\1035\LocalizedData.xml

C:\5d17b88cf41ba603370ca60cf86c\1035\SetupResources.dll

C:\5d17b88cf41ba603370ca60cf86c\1035\eula.rtf

C:\5d17b88cf41ba603370ca60cf86c\1036\LocalizedData.xml

C:\5d17b88cf41ba603370ca60cf86c\1036\SetupResources.dll

Windows Analysis Report
dotNetFx40_Full_x86_x64.exe